package alluxio.security.authentication;

import alluxio.conf.AlluxioConfiguration;
import alluxio.conf.PropertyKey;
import alluxio.exception.status.UnauthenticatedException;
import alluxio.grpc.ChannelAuthenticationScheme;
import alluxio.grpc.SaslAuthenticationServiceGrpc;
import alluxio.grpc.SaslMessage;
import alluxio.security.authentication.plain.SaslServerHandlerPlain;
import alluxio.shaded.client.io.grpc.Status;
import alluxio.shaded.client.io.grpc.StatusRuntimeException;
import alluxio.shaded.client.io.grpc.stub.StreamObserver;
import alluxio.shaded.client.javax.annotation.concurrent.ThreadSafe;
import alluxio.util.ThreadFactoryUtils;
import java.time.LocalTime;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.security.sasl.SaslException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ThreadSafe
/* loaded from: input_file:alluxio/security/authentication/DefaultAuthenticationServer.class */
public class DefaultAuthenticationServer extends SaslAuthenticationServiceGrpc.SaslAuthenticationServiceImplBase implements AuthenticationServer {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthenticationServer.class);
    protected final ConcurrentHashMap<UUID, AuthenticatedChannelInfo> mChannels;
    protected final ScheduledExecutorService mScheduler;
    protected final String mHostName;
    protected final long mCleanupIntervalMs;
    protected final AlluxioConfiguration mConfiguration;
    private final ImpersonationAuthenticator mImpersonationAuthenticator;

    /* loaded from: input_file:alluxio/security/authentication/DefaultAuthenticationServer$AuthenticatedChannelInfo.class */
    class AuthenticatedChannelInfo {
        private LocalTime mLastAccessTime = LocalTime.now();
        private AuthenticatedUserInfo mUserInfo;
        private AuthenticatedChannelServerDriver mSaslServerDriver;

        public AuthenticatedChannelInfo(AuthenticatedUserInfo authenticatedUserInfo, AuthenticatedChannelServerDriver authenticatedChannelServerDriver) {
            this.mUserInfo = authenticatedUserInfo;
            this.mSaslServerDriver = authenticatedChannelServerDriver;
        }

        private synchronized void updateLastAccessTime() {
            this.mLastAccessTime = LocalTime.now();
        }

        public synchronized LocalTime getLastAccessTime() {
            return this.mLastAccessTime;
        }

        public AuthenticatedUserInfo getUserInfo() {
            updateLastAccessTime();
            return this.mUserInfo;
        }

        public AuthenticatedChannelServerDriver getSaslServerDriver() {
            updateLastAccessTime();
            return this.mSaslServerDriver;
        }
    }

    public DefaultAuthenticationServer(String str, AlluxioConfiguration alluxioConfiguration) {
        this.mHostName = str;
        this.mConfiguration = alluxioConfiguration;
        this.mCleanupIntervalMs = alluxioConfiguration.getMs(PropertyKey.AUTHENTICATION_INACTIVE_CHANNEL_REAUTHENTICATE_PERIOD);
        checkSupported((AuthType) alluxioConfiguration.getEnum(PropertyKey.SECURITY_AUTHENTICATION_TYPE, AuthType.class));
        this.mChannels = new ConcurrentHashMap<>();
        this.mScheduler = Executors.newScheduledThreadPool(1, ThreadFactoryUtils.build("auth-cleanup", true));
        this.mScheduler.scheduleAtFixedRate(this::cleanupStaleClients, this.mCleanupIntervalMs, this.mCleanupIntervalMs, TimeUnit.MILLISECONDS);
        this.mImpersonationAuthenticator = new ImpersonationAuthenticator(alluxioConfiguration);
    }

    @Override // alluxio.grpc.SaslAuthenticationServiceGrpc.SaslAuthenticationServiceImplBase
    public StreamObserver<SaslMessage> authenticate(StreamObserver<SaslMessage> streamObserver) {
        AuthenticatedChannelServerDriver authenticatedChannelServerDriver = new AuthenticatedChannelServerDriver(this);
        authenticatedChannelServerDriver.setClientObserver(streamObserver);
        return authenticatedChannelServerDriver;
    }

    @Override // alluxio.security.authentication.AuthenticationServer
    public void registerChannel(UUID uuid, AuthenticatedUserInfo authenticatedUserInfo, AuthenticatedChannelServerDriver authenticatedChannelServerDriver) {
        LOG.debug("Registering new channel:{} for user:{}", uuid, authenticatedUserInfo);
        if (null != this.mChannels.putIfAbsent(uuid, new AuthenticatedChannelInfo(authenticatedUserInfo, authenticatedChannelServerDriver))) {
            throw new RuntimeException(String.format("Channel: %s already exists in authentication registry for user: %s.", uuid.toString(), this.mChannels.remove(uuid).getUserInfo()));
        }
    }

    @Override // alluxio.security.authentication.AuthenticationServer
    public AuthenticatedUserInfo getUserInfoForChannel(UUID uuid) throws UnauthenticatedException {
        AuthenticatedChannelInfo authenticatedChannelInfo = this.mChannels.get(uuid);
        if (authenticatedChannelInfo != null) {
            return authenticatedChannelInfo.getUserInfo();
        }
        throw new UnauthenticatedException(String.format("Channel:%s needs to be authenticated", uuid.toString()));
    }

    @Override // alluxio.security.authentication.AuthenticationServer
    public void unregisterChannel(UUID uuid) {
        LOG.debug("Unregistering channel: {}", uuid);
        this.mChannels.remove(uuid);
    }

    @Override // alluxio.security.authentication.AuthenticationServer
    public SaslServerHandler createSaslHandler(ChannelAuthenticationScheme channelAuthenticationScheme) throws SaslException {
        switch (channelAuthenticationScheme) {
            case SIMPLE:
            case CUSTOM:
                return new SaslServerHandlerPlain(this.mHostName, this.mConfiguration, this.mImpersonationAuthenticator);
            default:
                throw new StatusRuntimeException(Status.UNAUTHENTICATED.augmentDescription(String.format("Authentication scheme:%s is not supported", channelAuthenticationScheme)));
        }
    }

    @Override // alluxio.security.authentication.AuthenticationServer, java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        for (Map.Entry<UUID, AuthenticatedChannelInfo> entry : this.mChannels.entrySet()) {
            try {
                entry.getValue().getSaslServerDriver().close();
            } catch (Exception e) {
                LOG.debug("Failed closing authentication session for channel:{}. Error:{}", entry.getKey(), e);
            }
        }
    }

    private void cleanupStaleClients() {
        LocalTime now = LocalTime.now();
        LOG.debug("Starting cleanup authentication registry at {}", now);
        ArrayList arrayList = new ArrayList();
        for (Map.Entry<UUID, AuthenticatedChannelInfo> entry : this.mChannels.entrySet()) {
            if (entry.getValue().getLastAccessTime().plusSeconds(this.mCleanupIntervalMs / 1000).isBefore(now)) {
                arrayList.add(entry.getKey());
            }
        }
        LOG.debug("Found {} stale channels for cleanup.", Integer.valueOf(arrayList.size()));
        Iterator it2 = arrayList.iterator();
        while (it2.hasNext()) {
            this.mChannels.remove((UUID) it2.next()).getSaslServerDriver().close();
        }
        LOG.debug("Finished state channel cleanup at {}", LocalTime.now());
    }

    protected void checkSupported(AuthType authType) {
        switch (authType) {
            case NOSASL:
            case SIMPLE:
            case CUSTOM:
                return;
            default:
                throw new RuntimeException("Authentication type not supported:" + authType.name());
        }
    }
}
