package org.apache.druid.security.basic.authorization.db.cache;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
import com.google.inject.Inject;
import com.google.inject.Injector;
import java.io.File;
import java.io.IOException;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import org.apache.druid.client.coordinator.Coordinator;
import org.apache.druid.concurrent.LifecycleLock;
import org.apache.druid.discovery.DruidLeaderClient;
import org.apache.druid.guice.ManageLifecycle;
import org.apache.druid.guice.annotations.Smile;
import org.apache.druid.java.util.common.FileUtils;
import org.apache.druid.java.util.common.ISE;
import org.apache.druid.java.util.common.RetryUtils;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.concurrent.Execs;
import org.apache.druid.java.util.common.concurrent.ScheduledExecutors;
import org.apache.druid.java.util.common.lifecycle.LifecycleStart;
import org.apache.druid.java.util.common.lifecycle.LifecycleStop;
import org.apache.druid.java.util.emitter.EmittingLogger;
import org.apache.druid.java.util.http.client.response.BytesFullResponseHandler;
import org.apache.druid.java.util.http.client.response.BytesFullResponseHolder;
import org.apache.druid.security.basic.BasicAuthCommonCacheConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap;
import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.AuthorizerMapper;
import org.jboss.netty.handler.codec.http.HttpMethod;
import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.joda.time.Duration;

@ManageLifecycle
/* loaded from: input_file:org/apache/druid/security/basic/authorization/db/cache/CoordinatorPollingBasicAuthorizerCacheManager.class */
public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAuthorizerCacheManager {
    private static final EmittingLogger LOG = new EmittingLogger(CoordinatorPollingBasicAuthorizerCacheManager.class);
    private final Injector injector;
    private final ObjectMapper objectMapper;
    private final DruidLeaderClient druidLeaderClient;
    private final BasicAuthCommonCacheConfig commonCacheConfig;
    private final LifecycleLock lifecycleLock = new LifecycleLock();
    private final ScheduledExecutorService exec = Execs.scheduledSingleThreaded("CoordinatorPollingBasicAuthorizerCacheManager-Exec--%d");
    private final ConcurrentHashMap<String, Map<String, BasicAuthorizerUser>> cachedUserMaps = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<String, Map<String, BasicAuthorizerRole>> cachedRoleMaps = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<String, Map<String, BasicAuthorizerGroupMapping>> cachedGroupMappingMaps = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<String, Map<String, BasicAuthorizerRole>> cachedGroupMappingRoleMaps = new ConcurrentHashMap<>();
    private final Set<String> authorizerPrefixes = new HashSet();

    @Inject
    public CoordinatorPollingBasicAuthorizerCacheManager(Injector injector, BasicAuthCommonCacheConfig basicAuthCommonCacheConfig, @Smile ObjectMapper objectMapper, @Coordinator DruidLeaderClient druidLeaderClient) {
        this.injector = injector;
        this.commonCacheConfig = basicAuthCommonCacheConfig;
        this.objectMapper = objectMapper;
        this.druidLeaderClient = druidLeaderClient;
    }

    @LifecycleStart
    public void start() {
        if (!this.lifecycleLock.canStart()) {
            throw new ISE("can't start.", new Object[0]);
        }
        LOG.info("Starting CoordinatorPollingBasicAuthorizerCacheManager.", new Object[0]);
        try {
            initUserMaps();
            ScheduledExecutors.scheduleWithFixedDelay(this.exec, new Duration(this.commonCacheConfig.getPollingPeriod()), new Duration(this.commonCacheConfig.getPollingPeriod()), () -> {
                try {
                    long nextLong = ThreadLocalRandom.current().nextLong(0L, this.commonCacheConfig.getMaxRandomDelay());
                    LOG.debug("Inserting random polling delay of [%s] ms", new Object[]{Long.valueOf(nextLong)});
                    Thread.sleep(nextLong);
                    LOG.debug("Scheduled userMap cache poll is running", new Object[0]);
                    for (String str : this.authorizerPrefixes) {
                        UserAndRoleMap fetchUserAndRoleMapFromCoordinator = fetchUserAndRoleMapFromCoordinator(str, false);
                        if (fetchUserAndRoleMapFromCoordinator != null) {
                            this.cachedUserMaps.put(str, fetchUserAndRoleMapFromCoordinator.getUserMap());
                            this.cachedRoleMaps.put(str, fetchUserAndRoleMapFromCoordinator.getRoleMap());
                        }
                    }
                    LOG.debug("Scheduled userMap cache poll is done", new Object[0]);
                } catch (Throwable th) {
                    LOG.makeAlert(th, "Error occurred while polling for cachedUserMaps.", new Object[0]).emit();
                }
            });
            ScheduledExecutors.scheduleWithFixedDelay(this.exec, new Duration(this.commonCacheConfig.getPollingPeriod()), new Duration(this.commonCacheConfig.getPollingPeriod()), () -> {
                try {
                    long nextLong = ThreadLocalRandom.current().nextLong(0L, this.commonCacheConfig.getMaxRandomDelay());
                    LOG.debug("Inserting random polling delay of [%s] ms", new Object[]{Long.valueOf(nextLong)});
                    Thread.sleep(nextLong);
                    LOG.debug("Scheduled groupMappingMap cache poll is running", new Object[0]);
                    for (String str : this.authorizerPrefixes) {
                        GroupMappingAndRoleMap fetchGroupAndRoleMapFromCoordinator = fetchGroupAndRoleMapFromCoordinator(str, false);
                        if (fetchGroupAndRoleMapFromCoordinator != null) {
                            this.cachedGroupMappingMaps.put(str, fetchGroupAndRoleMapFromCoordinator.getGroupMappingMap());
                            this.cachedGroupMappingRoleMaps.put(str, fetchGroupAndRoleMapFromCoordinator.getRoleMap());
                        }
                    }
                    LOG.debug("Scheduled groupMappingMap cache poll is done", new Object[0]);
                } catch (Throwable th) {
                    LOG.makeAlert(th, "Error occurred while polling for cachedGroupMappingMaps.", new Object[0]).emit();
                }
            });
            this.lifecycleLock.started();
            LOG.info("Started CoordinatorPollingBasicAuthorizerCacheManager.", new Object[0]);
        } finally {
            this.lifecycleLock.exitStart();
        }
    }

    @LifecycleStop
    public void stop() {
        if (!this.lifecycleLock.canStop()) {
            throw new ISE("can't stop.", new Object[0]);
        }
        LOG.info("CoordinatorPollingBasicAuthorizerCacheManager is stopping.", new Object[0]);
        this.exec.shutdown();
        LOG.info("CoordinatorPollingBasicAuthorizerCacheManager is stopped.", new Object[0]);
    }

    @Override // org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager
    public void handleAuthorizerUserUpdate(String str, byte[] bArr) {
        LOG.debug("Received userMap cache update for authorizer [%s].", new Object[]{str});
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        try {
            UserAndRoleMap userAndRoleMap = (UserAndRoleMap) this.objectMapper.readValue(bArr, BasicAuthUtils.AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE);
            this.cachedUserMaps.put(str, userAndRoleMap.getUserMap());
            this.cachedRoleMaps.put(str, userAndRoleMap.getRoleMap());
            if (this.commonCacheConfig.getCacheDirectory() != null) {
                writeUserMapToDisk(str, bArr);
            }
        } catch (Exception e) {
            LOG.makeAlert(e, "Could not deserialize user/role map received from coordinator", new Object[0]).emit();
        }
    }

    @Override // org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager
    public void handleAuthorizerGroupMappingUpdate(String str, byte[] bArr) {
        LOG.debug("Received groupMappingMap cache update for authorizer [%s].", new Object[]{str});
        Preconditions.checkState(this.lifecycleLock.awaitStarted(1L, TimeUnit.MILLISECONDS));
        try {
            GroupMappingAndRoleMap groupMappingAndRoleMap = (GroupMappingAndRoleMap) this.objectMapper.readValue(bArr, BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE);
            this.cachedGroupMappingMaps.put(str, groupMappingAndRoleMap.getGroupMappingMap());
            this.cachedGroupMappingRoleMaps.put(str, groupMappingAndRoleMap.getRoleMap());
            if (this.commonCacheConfig.getCacheDirectory() != null) {
                writeGroupMappingMapToDisk(str, bArr);
            }
        } catch (Exception e) {
            LOG.makeAlert(e, "Could not deserialize groupMapping/role map received from coordinator.", new Object[0]).emit();
        }
    }

    @Override // org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager
    public Map<String, BasicAuthorizerUser> getUserMap(String str) {
        return this.cachedUserMaps.get(str);
    }

    @Override // org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager
    public Map<String, BasicAuthorizerRole> getRoleMap(String str) {
        return this.cachedRoleMaps.get(str);
    }

    @Override // org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager
    public Map<String, BasicAuthorizerGroupMapping> getGroupMappingMap(String str) {
        return this.cachedGroupMappingMaps.get(str);
    }

    @Override // org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager
    public Map<String, BasicAuthorizerRole> getGroupMappingRoleMap(String str) {
        return this.cachedGroupMappingRoleMaps.get(str);
    }

    private String getUserRoleMapFilename(String str) {
        return StringUtils.format("%s.authorizer.userRole.cache", new Object[]{str});
    }

    private String getGroupMappingRoleMapFilename(String str) {
        return StringUtils.format("%s.authorizer.groupMappingRole.cache", new Object[]{str});
    }

    @Nullable
    private UserAndRoleMap loadUserAndRoleMapFromDisk(String str) throws IOException {
        File file = new File(this.commonCacheConfig.getCacheDirectory(), getUserRoleMapFilename(str));
        if (file.exists()) {
            return (UserAndRoleMap) this.objectMapper.readValue(file, BasicAuthUtils.AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE);
        }
        return null;
    }

    @Nullable
    private GroupMappingAndRoleMap loadGroupMappingAndRoleMapFromDisk(String str) throws IOException {
        File file = new File(this.commonCacheConfig.getCacheDirectory(), getGroupMappingRoleMapFilename(str));
        if (file.exists()) {
            return (GroupMappingAndRoleMap) this.objectMapper.readValue(file, BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE);
        }
        return null;
    }

    private void writeUserMapToDisk(String str, byte[] bArr) throws IOException {
        FileUtils.mkdirp(new File(this.commonCacheConfig.getCacheDirectory()));
        FileUtils.writeAtomically(new File(this.commonCacheConfig.getCacheDirectory(), getUserRoleMapFilename(str)), outputStream -> {
            outputStream.write(bArr);
            return null;
        });
    }

    private void writeGroupMappingMapToDisk(String str, byte[] bArr) throws IOException {
        FileUtils.mkdirp(new File(this.commonCacheConfig.getCacheDirectory()));
        FileUtils.writeAtomically(new File(this.commonCacheConfig.getCacheDirectory(), getGroupMappingRoleMapFilename(str)), outputStream -> {
            outputStream.write(bArr);
            return null;
        });
    }

    @Nullable
    private UserAndRoleMap fetchUserAndRoleMapFromCoordinator(String str, boolean z) {
        try {
            return (UserAndRoleMap) RetryUtils.retry(() -> {
                return tryFetchUserMapsFromCoordinator(str);
            }, th -> {
                return true;
            }, this.commonCacheConfig.getMaxSyncRetries());
        } catch (Exception e) {
            LOG.makeAlert(e, "Encountered exception while fetching user and role map for authorizer [%s]", new Object[]{str}).emit();
            if (!z || this.commonCacheConfig.getCacheDirectory() == null) {
                return null;
            }
            try {
                LOG.info("Attempting to load user map snapshot from disk.", new Object[0]);
                return loadUserAndRoleMapFromDisk(str);
            } catch (Exception e2) {
                e2.addSuppressed(e);
                LOG.makeAlert(e2, "Encountered exception while loading user-role map snapshot for authorizer [%s]", new Object[]{str}).emit();
                return null;
            }
        }
    }

    @Nullable
    private GroupMappingAndRoleMap fetchGroupAndRoleMapFromCoordinator(String str, boolean z) {
        try {
            return (GroupMappingAndRoleMap) RetryUtils.retry(() -> {
                return tryFetchGroupMappingMapsFromCoordinator(str);
            }, th -> {
                return true;
            }, this.commonCacheConfig.getMaxSyncRetries());
        } catch (Exception e) {
            LOG.makeAlert(e, "Encountered exception while fetching group and role map for authorizer [%s]", new Object[]{str}).emit();
            if (!z || this.commonCacheConfig.getCacheDirectory() == null) {
                return null;
            }
            try {
                LOG.info("Attempting to load group map snapshot from disk.", new Object[0]);
                return loadGroupMappingAndRoleMapFromDisk(str);
            } catch (Exception e2) {
                e2.addSuppressed(e);
                LOG.makeAlert(e2, "Encountered exception while loading group-role map snapshot for authorizer [%s]", new Object[]{str}).emit();
                return null;
            }
        }
    }

    private UserAndRoleMap tryFetchUserMapsFromCoordinator(String str) throws Exception {
        byte[] content = this.druidLeaderClient.go(this.druidLeaderClient.makeRequest(HttpMethod.GET, StringUtils.format("/druid-ext/basic-security/authorization/db/%s/cachedSerializedUserMap", new Object[]{str})), new BytesFullResponseHandler()).getContent();
        UserAndRoleMap userAndRoleMap = (UserAndRoleMap) this.objectMapper.readValue(content, BasicAuthUtils.AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE);
        if (userAndRoleMap != null && this.commonCacheConfig.getCacheDirectory() != null) {
            writeUserMapToDisk(str, content);
        }
        return userAndRoleMap;
    }

    private GroupMappingAndRoleMap tryFetchGroupMappingMapsFromCoordinator(String str) throws Exception {
        BytesFullResponseHolder go = this.druidLeaderClient.go(this.druidLeaderClient.makeRequest(HttpMethod.GET, StringUtils.format("/druid-ext/basic-security/authorization/db/%s/cachedSerializedGroupMappingMap", new Object[]{str})), new BytesFullResponseHandler());
        if (go.getStatus().equals(HttpResponseStatus.NOT_FOUND)) {
            LOG.warn("cachedSerializedGroupMappingMap is not available from the coordinator, skipping fetch of group mappings for now.", new Object[0]);
            return null;
        }
        byte[] content = go.getContent();
        GroupMappingAndRoleMap groupMappingAndRoleMap = (GroupMappingAndRoleMap) this.objectMapper.readValue(content, BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE);
        if (groupMappingAndRoleMap != null && this.commonCacheConfig.getCacheDirectory() != null) {
            writeGroupMappingMapToDisk(str, content);
        }
        return groupMappingAndRoleMap;
    }

    private void initUserMaps() {
        AuthorizerMapper authorizerMapper = (AuthorizerMapper) this.injector.getInstance(AuthorizerMapper.class);
        if (authorizerMapper == null || authorizerMapper.getAuthorizerMap() == null) {
            return;
        }
        for (Map.Entry entry : authorizerMapper.getAuthorizerMap().entrySet()) {
            if (((Authorizer) entry.getValue()) instanceof BasicRoleBasedAuthorizer) {
                String str = (String) entry.getKey();
                this.authorizerPrefixes.add(str);
                UserAndRoleMap fetchUserAndRoleMapFromCoordinator = fetchUserAndRoleMapFromCoordinator(str, true);
                if (fetchUserAndRoleMapFromCoordinator != null) {
                    this.cachedUserMaps.put(str, fetchUserAndRoleMapFromCoordinator.getUserMap());
                    this.cachedRoleMaps.put(str, fetchUserAndRoleMapFromCoordinator.getRoleMap());
                }
                GroupMappingAndRoleMap fetchGroupAndRoleMapFromCoordinator = fetchGroupAndRoleMapFromCoordinator(str, true);
                if (fetchGroupAndRoleMapFromCoordinator != null) {
                    this.cachedGroupMappingMaps.put(str, fetchGroupAndRoleMapFromCoordinator.getGroupMappingMap());
                    this.cachedGroupMappingRoleMaps.put(str, fetchGroupAndRoleMapFromCoordinator.getRoleMap());
                }
            }
        }
    }
}
