package com.atlassian.elasticsearch.buckler.security;

import com.atlassian.elasticsearch.buckler.config.BruteForceProtectionSettings;
import com.atlassian.elasticsearch.buckler.config.BucklerConfig;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ConcurrentSkipListSet;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.inject.Inject;
import org.elasticsearch.common.inject.Singleton;
import org.elasticsearch.common.logging.ESLoggerFactory;

@Singleton
/* loaded from: input_file:com/atlassian/elasticsearch/buckler/security/AuthRateLimiter.class */
public class AuthRateLimiter {
    private static final Logger log = ESLoggerFactory.getLogger(AuthRateLimiter.class.getName());
    private final BruteForceProtectionSettings bruteForceConfig;
    private final TimeProvider timeProvider;
    private final Set<String> trustedHosts = new ConcurrentSkipListSet();
    private final ConcurrentMap<String, AuthRecord> authenticationRecords = new ConcurrentHashMap();
    private volatile boolean globalLockout = false;

    @Inject
    public AuthRateLimiter(BucklerConfig bucklerConfig, TimeProvider timeProvider) {
        this.timeProvider = timeProvider;
        this.bruteForceConfig = bucklerConfig.getBruteForceProtectionSettings();
    }

    public void addTrustedRequest(RequestIdentifier requestIdentifier) {
        if (requestIdentifier.isAnonymous()) {
            return;
        }
        log.debug("{} has been added as a trusted host", requestIdentifier.getIdentifier());
        this.trustedHosts.add(requestIdentifier.getIdentifier());
    }

    public boolean isRequestAllowed(RequestIdentifier requestIdentifier) {
        return (this.bruteForceConfig.isBruteForceProtectionEnabled() && !isTrustedHost(requestIdentifier) && ((this.bruteForceConfig.isClientLockoutEnabled() && isClientLockedOut(requestIdentifier)) || (this.bruteForceConfig.isGlobalLockoutEnabled() && isGlobalLockout()))) ? false : true;
    }

    public void registerFailure(RequestIdentifier requestIdentifier) {
        String identifier = requestIdentifier.getIdentifier();
        AuthRecord authRecord = new AuthRecord();
        AuthRecord putIfAbsent = this.authenticationRecords.putIfAbsent(identifier, authRecord);
        if (putIfAbsent == null) {
            putIfAbsent = authRecord;
        }
        putIfAbsent.newAttempt();
        log.debug("{} has registered as an authentication failure. This is the {} time. They will be locked at {}", identifier, Integer.valueOf(putIfAbsent.getFailureCount()), Integer.valueOf(this.bruteForceConfig.getMaxClientFailures()));
        if (putIfAbsent.getFailureCount() <= this.bruteForceConfig.getMaxClientFailures() || !this.trustedHosts.remove(identifier)) {
            return;
        }
        log.debug("{} has been removed from the trusted clients list due to numerous failures", requestIdentifier);
    }

    private boolean isClientLockedOut(RequestIdentifier requestIdentifier) {
        AuthRecord authRecord = this.authenticationRecords.get(requestIdentifier.getIdentifier());
        if (authRecord == null || authRecord.getFailureCount() < this.bruteForceConfig.getMaxClientFailures()) {
            return false;
        }
        log.debug("{} has been locked from making a request due to too many failures recently", requestIdentifier.getIdentifier());
        return true;
    }

    private boolean isGlobalLockout() {
        performRecordClean();
        int i = 0;
        Iterator<AuthRecord> it = this.authenticationRecords.values().iterator();
        while (it.hasNext()) {
            i += it.next().getFailureCount();
        }
        if (i < this.bruteForceConfig.getMaxGlobalFailures()) {
            this.globalLockout = false;
            return false;
        }
        if (!this.globalLockout) {
            log.debug("Global lockout has started for all non-trusted hosts due to suspected password brute forcing");
        }
        this.globalLockout = true;
        return true;
    }

    private boolean isTrustedHost(RequestIdentifier requestIdentifier) {
        if (requestIdentifier.isAnonymous() || !this.trustedHosts.contains(requestIdentifier.getIdentifier())) {
            return false;
        }
        log.debug("{} is trusted, therefore can continue with request", requestIdentifier.getIdentifier());
        return true;
    }

    private void performRecordClean() {
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(this.timeProvider.getCurrentTime());
        calendar.add(12, -this.bruteForceConfig.getTimeoutPeriod());
        Date time = calendar.getTime();
        Iterator<AuthRecord> it = this.authenticationRecords.values().iterator();
        while (it.hasNext()) {
            if (it.next().getLastFailure().before(time)) {
                it.remove();
            }
        }
    }
}
