package com.floragunn.searchguard.authc.session.backend;

import com.floragunn.searchguard.support.PrivilegedConfigClient;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.floragunn.searchsupport.cstate.metrics.Meter;
import com.floragunn.searchsupport.cstate.metrics.TimeAggregation;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.bulk.BulkItemResponse;
import org.elasticsearch.action.bulk.BulkRequest;
import org.elasticsearch.action.bulk.BulkResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.search.SearchScrollRequest;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.action.update.UpdateRequest;
import org.elasticsearch.common.Strings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.index.engine.VersionConflictEngineException;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.builder.SearchSourceBuilder;
import org.elasticsearch.threadpool.ThreadPool;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/floragunn/searchguard/authc/session/backend/SessionActivityTracker.class */
public class SessionActivityTracker {
    private static final Logger log = LogManager.getLogger(SessionActivityTracker.class);
    private final String indexName;
    private final SessionService sessionService;
    private final PrivilegedConfigClient privilegedConfigClient;
    private final ThreadPool threadPool;
    private Duration inactivityTimeout;
    private long inactivityBeforeExpiryMillis;
    private Duration flushInterval;
    private final SessionFlushThread sessionFlushThread;
    private final Map<String, Long> lastAccess = new ConcurrentHashMap();
    private Duration minFlushInterval = Duration.ofSeconds(10);
    private final ComponentState componentState = new ComponentState(1, (String) null, "session_activity_tracker", SessionActivityTracker.class).initialized();
    private final TimeAggregation flushMetrics = new TimeAggregation.Milliseconds();
    private volatile long lastComponentStateUpdate = -1;
    private WriteRequest.RefreshPolicy indexRefreshPolicy = WriteRequest.RefreshPolicy.NONE;
    private Random random = new Random(System.currentTimeMillis() + hashCode());

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/searchguard/authc/session/backend/SessionActivityTracker$SessionFlushThread.class */
    public class SessionFlushThread extends Thread {
        private Instant nextFlush;

        SessionFlushThread() {
            super("sg_session_activity_flusher");
            setDaemon(true);
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            while (true) {
                try {
                    synchronized (this) {
                        if (this.nextFlush == null) {
                            this.nextFlush = Instant.now().plus((TemporalAmount) SessionActivityTracker.this.flushInterval).minusMillis(SessionActivityTracker.this.random.nextInt(2000));
                        }
                        long epochMilli = this.nextFlush.toEpochMilli() - System.currentTimeMillis();
                        if (epochMilli > 0) {
                            wait(epochMilli + 10);
                            if (System.currentTimeMillis() < this.nextFlush.toEpochMilli()) {
                            }
                        }
                        this.nextFlush = Instant.now().plus((TemporalAmount) SessionActivityTracker.this.flushInterval);
                        if (SessionActivityTracker.log.isDebugEnabled()) {
                            SessionActivityTracker.log.debug("Flushing sessions now; next scheduled flush is at " + String.valueOf(this.nextFlush));
                        }
                        SessionActivityTracker.this.flush("schedule");
                    }
                } catch (Exception e) {
                    SessionActivityTracker.log.error("Error in sg_session_activity_flusher", e);
                }
            }
        }

        synchronized void setEarlyFlushTime(Instant instant) {
            if (this.nextFlush == null || this.nextFlush.isAfter(instant)) {
                this.nextFlush = instant;
                notifyAll();
            }
        }

        synchronized void setEarlyFlushTimeIfNecessary(long j) {
            if (this.nextFlush == null || this.nextFlush.toEpochMilli() - 10000 > j) {
                this.nextFlush = Instant.ofEpochMilli(j - 10000);
                if (SessionActivityTracker.log.isTraceEnabled()) {
                    SessionActivityTracker.log.trace("Earlier flushing necessary. Now flushing at " + String.valueOf(this.nextFlush));
                }
                notifyAll();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SessionActivityTracker(Duration duration, SessionService sessionService, String str, PrivilegedConfigClient privilegedConfigClient, ThreadPool threadPool) {
        this.indexName = str;
        this.sessionService = sessionService;
        this.privilegedConfigClient = privilegedConfigClient;
        this.threadPool = threadPool;
        setInactivityTimeout(duration);
        this.componentState.addMetrics("flush", this.flushMetrics);
        this.sessionFlushThread = new SessionFlushThread();
        this.sessionFlushThread.start();
    }

    void trackAccess(SessionToken sessionToken) {
        long currentTimeMillis = System.currentTimeMillis();
        this.lastAccess.put(sessionToken.getId(), Long.valueOf(currentTimeMillis + this.inactivityBeforeExpiryMillis));
        this.sessionFlushThread.setEarlyFlushTimeIfNecessary(sessionToken.getDynamicExpiryTime().toEpochMilli());
        if (this.lastComponentStateUpdate + 10000 < currentTimeMillis) {
            this.lastComponentStateUpdate = currentTimeMillis;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void checkExpiryAndTrackAccess(SessionToken sessionToken, Consumer<Boolean> consumer, Consumer<Exception> consumer2, Meter meter) {
        Instant now = Instant.now();
        if (sessionToken.getDynamicExpiryTime().isAfter(now)) {
            if (log.isTraceEnabled()) {
                log.trace("Checked timeout of " + sessionToken.getId() + "; token is not timed out. Expiry: " + String.valueOf(sessionToken.getDynamicExpiryTime()) + " (" + String.valueOf(sessionToken.getDynamicExpiryTime().atZone(ZoneOffset.systemDefault())) + ")");
            }
            trackAccess(sessionToken);
            consumer.accept(Boolean.TRUE);
            return;
        }
        Long l = this.lastAccess.get(sessionToken.getId());
        if (l == null || l.longValue() <= now.toEpochMilli()) {
            if (log.isTraceEnabled()) {
                log.trace("The token " + sessionToken.getId() + " seems to have expired; re-checking with fresh index data. Expiry: " + String.valueOf(sessionToken.getDynamicExpiryTime()) + " (" + String.valueOf(sessionToken.getDynamicExpiryTime().atZone(ZoneOffset.systemDefault())) + ")");
            }
            this.sessionService.getByIdFromIndex(sessionToken.getId(), sessionToken2 -> {
                if (!sessionToken2.getDynamicExpiryTime().isAfter(now)) {
                    if (log.isInfoEnabled()) {
                        log.info("The auth token " + sessionToken.getId() + " is expired. Expiry: " + String.valueOf(sessionToken2.getDynamicExpiryTime()) + " (" + String.valueOf(sessionToken2.getDynamicExpiryTime().atZone(ZoneOffset.systemDefault())) + ")");
                    }
                    consumer.accept(Boolean.FALSE);
                } else {
                    if (log.isTraceEnabled()) {
                        log.trace("Checked timeout of " + sessionToken.getId() + "; token is not timed out (needed index recheck). Expiry: " + String.valueOf(sessionToken2.getDynamicExpiryTime()) + " (" + String.valueOf(sessionToken2.getDynamicExpiryTime().atZone(ZoneOffset.systemDefault())) + ")");
                    }
                    trackAccess(sessionToken);
                    consumer.accept(Boolean.TRUE);
                }
            }, noSuchSessionException -> {
                consumer.accept(Boolean.FALSE);
            }, consumer2, meter);
        } else {
            if (log.isTraceEnabled()) {
                log.trace("Checked timeout of " + sessionToken.getId() + "; token is not timed out (needed cache recheck). Expiry: " + String.valueOf(sessionToken.getDynamicExpiryTime()) + " (" + String.valueOf(sessionToken.getDynamicExpiryTime().atZone(ZoneOffset.systemDefault())) + ")");
            }
            trackAccess(sessionToken);
            consumer.accept(Boolean.TRUE);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Duration getInactivityTimeout() {
        return this.inactivityTimeout;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized void setInactivityTimeout(Duration duration) {
        if (this.inactivityTimeout == null || !duration.equals(this.inactivityTimeout)) {
            this.inactivityTimeout = duration;
            this.inactivityBeforeExpiryMillis = duration.toMillis();
            Duration minusSeconds = duration.minusSeconds(120L);
            if (minusSeconds.compareTo(this.minFlushInterval) < 0) {
                minusSeconds = this.minFlushInterval;
            }
            this.flushInterval = minusSeconds;
            if (this.sessionFlushThread != null) {
                this.sessionFlushThread.setEarlyFlushTime(Instant.now().plus((TemporalAmount) minusSeconds).minusMillis(this.random.nextInt(2000)));
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void setIndexRefreshPolicy(WriteRequest.RefreshPolicy refreshPolicy) {
        this.indexRefreshPolicy = refreshPolicy;
    }

    private void flushWithJitter(String str, int i) {
        if (this.lastAccess.isEmpty()) {
            if (log.isTraceEnabled()) {
                log.trace("Not running flush because lastAccess is empty");
            }
        } else if (this.flushInterval.toMillis() < 120000) {
            this.threadPool.scheduleUnlessShuttingDown(TimeValue.timeValueMillis(this.random.nextInt(1000) + (i * 1000)), this.threadPool.generic(), () -> {
                flush(str);
            });
        } else {
            this.threadPool.scheduleUnlessShuttingDown(TimeValue.timeValueSeconds(this.random.nextInt(20) + i), this.threadPool.generic(), () -> {
                flush(str);
            });
        }
    }

    private void flush(String str) {
        final Meter basic = Meter.basic(this.sessionService.getMetricsLevel(), this.flushMetrics);
        final Meter basic2 = basic.basic(str);
        try {
            final HashMap hashMap = new HashMap(this.lastAccess);
            if (log.isDebugEnabled()) {
                log.debug("Flushing " + hashMap.size() + " dynamic_expires entries; reason: " + str + "\n" + String.valueOf(hashMap.keySet()));
            }
            if (log.isTraceEnabled()) {
                log.trace(hashMap);
            }
            this.lastAccess.entrySet().removeIf(entry -> {
                return hashMap.get(entry.getKey()) == entry.getValue();
            });
            final BoolQueryBuilder boolQueryBuilder = new BoolQueryBuilder();
            boolQueryBuilder.minimumShouldMatch(1);
            for (Map.Entry entry2 : hashMap.entrySet()) {
                boolQueryBuilder.should(new BoolQueryBuilder().must(QueryBuilders.idsQuery().addIds(new String[]{(String) entry2.getKey()})).must(QueryBuilders.rangeQuery(SessionToken.DYNAMIC_EXPIRES_AT).lt(entry2.getValue())));
            }
            final ActionListener<SearchResponse> actionListener = new ActionListener<SearchResponse>() { // from class: com.floragunn.searchguard.authc.session.backend.SessionActivityTracker.1
                public void onResponse(SearchResponse searchResponse) {
                    if (searchResponse.getHits().getHits().length == 0) {
                        if (SessionActivityTracker.log.isDebugEnabled()) {
                            SessionActivityTracker.log.debug("No updates for dynamic_expires needed; Flushed in total " + hashMap.size() + " dynamic_expires entries");
                        }
                        SessionActivityTracker.this.componentState.setState(ComponentState.State.INITIALIZED, "Flushed " + hashMap.size() + " dynamic_expires entries");
                        basic2.close();
                        basic.close();
                        return;
                    }
                    if (SessionActivityTracker.log.isDebugEnabled()) {
                        SessionActivityTracker.log.debug("Got response for dynamic_expires search. Must update " + searchResponse.getHits().getHits().length + " tokens");
                    }
                    BulkRequest bulkRequest = new BulkRequest(SessionActivityTracker.this.indexName);
                    bulkRequest.setRefreshPolicy(SessionActivityTracker.this.indexRefreshPolicy);
                    ArrayList arrayList = new ArrayList(searchResponse.getHits().getHits().length);
                    for (SearchHit searchHit : searchResponse.getHits().getHits()) {
                        Long l = (Long) hashMap.get(searchHit.getId());
                        if (l != null) {
                            UpdateRequest updateRequest = new UpdateRequest(SessionActivityTracker.this.indexName, searchHit.getId());
                            arrayList.add(searchHit.getId());
                            updateRequest.setIfPrimaryTerm(searchHit.getPrimaryTerm());
                            updateRequest.setIfSeqNo(searchHit.getSeqNo());
                            updateRequest.doc(new Object[]{SessionToken.DYNAMIC_EXPIRES_AT, l});
                            bulkRequest.add(updateRequest);
                        }
                    }
                    if (SessionActivityTracker.log.isTraceEnabled()) {
                        SessionActivityTracker.log.trace("Tokens for update " + String.valueOf(arrayList));
                    }
                    if (bulkRequest.numberOfActions() != 0) {
                        final Meter basic3 = basic2.basic("update");
                        SessionActivityTracker.this.privilegedConfigClient.bulk(bulkRequest, new ActionListener<BulkResponse>() { // from class: com.floragunn.searchguard.authc.session.backend.SessionActivityTracker.1.1
                            public void onResponse(BulkResponse bulkResponse) {
                                basic3.close();
                                int i = 0;
                                int i2 = 0;
                                ArrayList arrayList2 = new ArrayList();
                                for (BulkItemResponse bulkItemResponse : bulkResponse.getItems()) {
                                    if (!bulkItemResponse.isFailed()) {
                                        i++;
                                    } else if (bulkItemResponse.getFailure().getCause() instanceof VersionConflictEngineException) {
                                        i2++;
                                    } else {
                                        arrayList2.add(Strings.toString(bulkItemResponse.getFailure()));
                                        SessionActivityTracker.this.lastAccess.putIfAbsent(bulkItemResponse.getId(), (Long) hashMap.get(bulkItemResponse.getId()));
                                    }
                                }
                                if (arrayList2.isEmpty()) {
                                    if (SessionActivityTracker.log.isDebugEnabled()) {
                                        SessionActivityTracker.log.debug("Writing auth token activity bulk request finished. Updated: " + i + "; Conflicts: " + i2);
                                    }
                                } else {
                                    SessionActivityTracker.log.error("Error while writing auth token activity:\n" + String.valueOf(arrayList2));
                                    SessionActivityTracker.this.componentState.addLastException("session activity update", new Exception(arrayList2.toString()));
                                    SessionActivityTracker.this.flushWithJitter("retry after error", 30);
                                }
                            }

                            public void onFailure(Exception exc) {
                                basic3.close();
                                SessionActivityTracker.log.error("Error while writing session activity: " + String.valueOf(boolQueryBuilder), exc);
                                SessionActivityTracker.this.componentState.addLastException("session activity update", exc);
                                SessionActivityTracker.this.restoreLastAccess(hashMap);
                            }
                        });
                    }
                    final Meter basic4 = basic2.basic("index_search");
                    SessionActivityTracker.this.privilegedConfigClient.searchScroll(new SearchScrollRequest(searchResponse.getScrollId()), new ActionListener<SearchResponse>() { // from class: com.floragunn.searchguard.authc.session.backend.SessionActivityTracker.1.2
                        public void onResponse(SearchResponse searchResponse2) {
                            basic4.close();
                            this.onResponse(searchResponse2);
                        }

                        public void onFailure(Exception exc) {
                            basic4.close();
                            this.onFailure(exc);
                        }
                    });
                }

                public void onFailure(Exception exc) {
                    SessionActivityTracker.log.error("Error while writing auth token activity: " + String.valueOf(boolQueryBuilder), exc);
                    SessionActivityTracker.this.restoreLastAccess(hashMap);
                    basic2.close();
                    basic.close();
                }
            };
            this.componentState.setState(ComponentState.State.INITIALIZED, "Flushing " + hashMap.size() + " dynamic_expires entries");
            final Meter basic3 = basic2.basic("index_search");
            this.privilegedConfigClient.search(new SearchRequest(new String[]{this.indexName}).source(new SearchSourceBuilder().query(boolQueryBuilder).size(1000)).scroll(new TimeValue(10000L)), new ActionListener<SearchResponse>() { // from class: com.floragunn.searchguard.authc.session.backend.SessionActivityTracker.2
                public void onResponse(SearchResponse searchResponse) {
                    basic3.close();
                    actionListener.onResponse(searchResponse);
                }

                public void onFailure(Exception exc) {
                    basic3.close();
                    actionListener.onFailure(exc);
                }
            });
        } catch (Exception e) {
            log.error("Exception during flush(" + str + ")", e);
            basic.close();
            basic2.close();
        }
    }

    private void restoreLastAccess(Map<String, Long> map) {
        for (Map.Entry<String, Long> entry : map.entrySet()) {
            this.lastAccess.putIfAbsent(entry.getKey(), entry.getValue());
        }
        flushWithJitter("restoreLastAccess", 30);
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }
}
