package com.datastax.bdp.cassandra.auth;

import com.datastax.dse.byos.shade.com.google.common.base.Preconditions;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.lang.management.ManagementFactory;
import java.time.Duration;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/RolesAuthControl.class */
public class RolesAuthControl implements RolesAuthControlMBean {
    private static final Logger logger;
    protected static final String MAX_ATTEMPTS_OPTION = "unauthorized_access_max_attempts";
    protected static final String LOCKOUT_DURATION_OPTION = "unauthorized_access_lockout_duration_seconds";
    protected static final Long DEFAULT_LOCK_DURATION;
    protected final Duration MAX_LOCKOUT_DURATION;
    protected final Cache<RoleResource, RoleLockoutInfo> rolesLockout;
    public static final String MBEAN_NAME = "org.apache.cassandra.auth:type=RolesAuthControl";
    static final /* synthetic */ boolean $assertionsDisabled;

    public RolesAuthControl() {
        this(DatabaseDescriptor.getRoleLockoutExpireDuration());
        registerMBean();
    }

    protected RolesAuthControl(Duration duration) {
        this.MAX_LOCKOUT_DURATION = duration;
        this.rolesLockout = Caffeine.newBuilder().expireAfterWrite(this.MAX_LOCKOUT_DURATION.getSeconds(), TimeUnit.SECONDS).build();
    }

    protected void registerMBean() {
        try {
            MBeanServer platformMBeanServer = ManagementFactory.getPlatformMBeanServer();
            ObjectName objectName = new ObjectName(MBEAN_NAME);
            if (platformMBeanServer.isRegistered(objectName)) {
                platformMBeanServer.unregisterMBean(objectName);
            }
            platformMBeanServer.registerMBean(this, objectName);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public Optional<RoleLockoutInfo> getRoleLockoutInfo(RoleResource roleResource) {
        RoleLockoutInfo ifPresent = this.rolesLockout.getIfPresent(roleResource);
        if (ifPresent == null) {
            return Optional.empty();
        }
        if (!ifPresent.isExpired()) {
            return Optional.of(ifPresent);
        }
        this.rolesLockout.invalidate(roleResource);
        return Optional.empty();
    }

    public void setRoleLockoutInfo(RoleResource roleResource, Map<String, String> map) {
        Optional<RoleLockoutInfo> readLockoutInfoFromOptions = readLockoutInfoFromOptions(roleResource, map);
        if (readLockoutInfoFromOptions.isPresent()) {
            RoleLockoutInfo roleLockoutInfo = this.rolesLockout.get(roleResource, roleResource2 -> {
                return (RoleLockoutInfo) readLockoutInfoFromOptions.get();
            });
            if (!$assertionsDisabled && roleLockoutInfo == null) {
                throw new AssertionError();
            }
            roleLockoutInfo.updateUnauthorizedAttempts();
        }
    }

    public void removeRoleLockout(RoleResource roleResource) {
        this.rolesLockout.invalidate(roleResource);
    }

    protected Optional<RoleLockoutInfo> readLockoutInfoFromOptions(RoleResource roleResource, Map<String, String> map) {
        long longValue;
        if (!map.containsKey(MAX_ATTEMPTS_OPTION)) {
            return Optional.empty();
        }
        try {
            int parseInt = Integer.parseInt(map.get(MAX_ATTEMPTS_OPTION));
            Preconditions.checkState(parseInt > 0);
            try {
                String str = map.get(LOCKOUT_DURATION_OPTION);
                if (str == null) {
                    longValue = DEFAULT_LOCK_DURATION.longValue();
                } else {
                    longValue = Long.parseLong(str);
                    if (longValue <= 0) {
                        throw new NumberFormatException();
                    }
                }
            } catch (NumberFormatException e) {
                longValue = DEFAULT_LOCK_DURATION.longValue();
                logger.warn("Invalid role option value for {}: '{}'. Role lockout duration will default to {}s for user - {}.", new Object[]{LOCKOUT_DURATION_OPTION, map.get(LOCKOUT_DURATION_OPTION), DEFAULT_LOCK_DURATION, roleResource.getName()});
            }
            Duration ofSeconds = Duration.ofSeconds(longValue);
            if (ofSeconds.compareTo(this.MAX_LOCKOUT_DURATION) > 0) {
                logger.warn("Invalid role option value for {}: '{}'. Role lockout duration will be capped at {} for user - {}.", new Object[]{LOCKOUT_DURATION_OPTION, Long.valueOf(longValue), Long.valueOf(this.MAX_LOCKOUT_DURATION.getSeconds()), roleResource.getRoleName()});
                ofSeconds = this.MAX_LOCKOUT_DURATION;
            }
            return Optional.of(new RoleLockoutInfo(parseInt, ofSeconds));
        } catch (IllegalStateException | NumberFormatException e2) {
            logger.warn("Invalid role option value for {}: '{}'. Role lockout will not be set for user - {}.", new Object[]{MAX_ATTEMPTS_OPTION, map.get(MAX_ATTEMPTS_OPTION), roleResource.getName()});
            return Optional.empty();
        }
    }

    @Override // com.datastax.bdp.cassandra.auth.RolesAuthControlMBean
    public Map<String, RoleLockoutInfo> listRolesLockoutInfo(boolean z) {
        return (Map) this.rolesLockout.asMap().entrySet().stream().filter(entry -> {
            return !z || ((RoleLockoutInfo) entry.getValue()).isLocked();
        }).collect(Collectors.toMap(entry2 -> {
            return ((RoleResource) entry2.getKey()).getRoleName();
        }, (v0) -> {
            return v0.getValue();
        }));
    }

    @Override // com.datastax.bdp.cassandra.auth.RolesAuthControlMBean
    public void removeRoleLockout(String str) {
        removeRoleLockout(RoleResource.role(str));
    }

    @Override // com.datastax.bdp.cassandra.auth.RolesAuthControlMBean
    public void clearAllRolesLockout() {
        this.rolesLockout.invalidateAll();
    }

    static {
        $assertionsDisabled = !RolesAuthControl.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger(RolesAuthControl.class);
        DEFAULT_LOCK_DURATION = 900L;
    }
}
