package org.apache.cassandra.auth;

import com.google.common.annotations.VisibleForTesting;
import java.net.InetAddress;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import org.apache.cassandra.auth.ICIDRAuthorizer;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.utils.MonotonicClock;
import org.apache.cassandra.utils.NoSpamLogger;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/auth/CassandraCIDRAuthorizer.class */
/**
 * CIDR authorizer that answers "may this role connect from this IP?" using two caches:
 * one holding the {@link CIDRPermissions} of each role, and one mapping client addresses
 * to CIDR group names.
 *
 * <p>Two modes are visible in this class. In {@code MONITOR} mode every access is allowed
 * and is only logged and counted. Otherwise a role whose permissions restrict access is
 * rejected unless the client address maps to at least one CIDR group that the role may
 * access from.
 *
 * <p>Both caches are {@code static}; {@link #setup()} replaces them.
 */
public class CassandraCIDRAuthorizer extends AbstractCIDRAuthorizer {
    // NOTE(review): the logger category is AuthenticatedUser, not this class. Anyone filtering
    // logs for the monitor-mode messages below has to match on that category. Confirm whether
    // this is intended before changing it, since log routing rules may depend on it.
    private static final Logger logger = LoggerFactory.getLogger(AuthenticatedUser.class);

    // Built with a 1 minute interval. NoSpamLogger presumably suppresses repeats inside that
    // interval, so the monitor-mode lines are not a complete record of every access. The
    // metrics counters are updated on every decision.
    private static final NoSpamLogger noSpamLogger = NoSpamLogger.getLogger(logger, 1, TimeUnit.MINUTES);

    protected static CIDRPermissionsCache cidrPermissionsCache;
    protected static CIDRGroupsMappingCache cidrGroupsMappingCache;

    /**
     * Runs the shared setup of the base class, then creates both caches.
     */
    @Override
    public void setup() {
        commonSetup();
        Supplier<Map<RoleResource, CIDRPermissions>> bulkLoader = bulkLoadCidrPermsCache();
        cidrPermissionsCache =
                new CIDRPermissionsCache(this::getCidrPermissionsForRole, bulkLoader, this::requireAuthorization);
        cidrGroupsMappingCache = new CIDRGroupsMappingCache(cidrGroupsMappingManager, cidrAuthorizerMetrics);
    }

    /**
     * Registers the permissions cache with {@code AuthCacheService} and loads the CIDR
     * groups cache.
     */
    @Override
    public void initCaches() {
        AuthCacheService.instance.register(cidrPermissionsCache);
        loadCidrGroupsCache();
    }

    /** Loader for a single role, passed to the permissions cache as a method reference. */
    private CIDRPermissions getCidrPermissionsForRole(RoleResource role) {
        return cidrPermissionsManager.getCidrPermissionsForRole(role);
    }

    /** Bulk loader for the permissions cache, obtained from the permissions manager. */
    private Supplier<Map<RoleResource, CIDRPermissions>> bulkLoadCidrPermsCache() {
        return cidrPermissionsManager.bulkLoader();
    }

    /**
     * Invalidates cached CIDR permissions.
     *
     * @param str value handed to the cache to select what to invalidate; {@code null} or
     *            empty invalidates the whole cache
     * @return {@code true} after a full invalidation, otherwise whatever the cache reports
     *         for the targeted invalidation
     */
    @Override
    public boolean invalidateCidrPermissionsCache(String str) {
        if (str == null || str.isEmpty()) {
            cidrPermissionsCache.invalidate();
            return true;
        }
        return cidrPermissionsCache.invalidateCidrPermissions(str);
    }

    /** Asks the CIDR groups mapping cache to load itself. */
    @Override
    public void loadCidrGroupsCache() {
        cidrGroupsMappingCache.loadCidrGroupsCache();
    }

    /**
     * Looks up the CIDR groups that the given address belongs to.
     *
     * @return the cache's answer; callers in this class handle both {@code null} and an
     *         empty set
     */
    @Override
    public Set<String> lookupCidrGroupsForIp(InetAddress inetAddress) {
        return cidrGroupsMappingCache.lookupCidrGroupsForIp(inetAddress);
    }

    /** Reports whether the configured CIDR authorizer mode is {@code MONITOR}. */
    @VisibleForTesting
    protected boolean isMonitorMode() {
        ICIDRAuthorizer.CIDRAuthorizerMode configuredMode = DatabaseDescriptor.getCidrAuthorizerMode();
        return configuredMode == ICIDRAuthorizer.CIDRAuthorizerMode.MONITOR;
    }

    /**
     * Makes the access decision for a role connecting from an address.
     *
     * <p>The mode is read through {@link #isMonitorMode()} at each check rather than once.
     *
     * @return {@code true} when access is allowed; in monitor mode this is always {@code true}
     */
    private boolean hasCidrAccess(RoleResource role, InetAddress clientAddress) {
        // NOTE(review): the cached value is dereferenced without a null check, so this
        // assumes the cache never returns null for a role. Confirm against the cache.
        CIDRPermissions permissions = cidrPermissionsCache.get(role);

        // Unrestricted roles skip the group lookup entirely, except in monitor mode where
        // the access is still logged and counted.
        if (!(permissions.restrictsAccess() || isMonitorMode())) {
            return true;
        }

        Set<String> cidrGroups = lookupCidrGroupsForIp(clientAddress);

        if (isMonitorMode()) {
            // Monitor mode never denies. The warning is the only signal that the access
            // would not have matched the role's permissions.
            // NOTE(review): a null lookup result is logged at INFO here, although the
            // enforcing path below rejects it. An empty set is judged by canAccessFrom alone.
            // Confirm this difference is intended, because it under-reports unmapped
            // addresses during a monitor-mode trial.
            boolean flaggedUnauthorized = cidrGroups != null && !permissions.canAccessFrom(cidrGroups);
            if (flaggedUnauthorized) {
                noSpamLogger.warn("Role {} accessed from unauthorized IP {}, CIDR group {}", role.getRoleName(), clientAddress.getHostAddress(), cidrGroups);
            } else {
                noSpamLogger.info("Role {} accessed from IP {}, CIDR group {}", role.getRoleName(), clientAddress.getHostAddress(), cidrGroups);
            }
            cidrAuthorizerMetrics.incrAcceptedAccessCount(cidrGroups);
            return true;
        }

        // Enforcing path fails closed: an address with no group (null or empty) is rejected
        // before the role's permissions are consulted.
        boolean permitted = cidrGroups != null && !cidrGroups.isEmpty() && permissions.canAccessFrom(cidrGroups);
        if (permitted) {
            cidrAuthorizerMetrics.incrAcceptedAccessCount(cidrGroups);
            return true;
        }
        cidrAuthorizerMetrics.incrRejectedAccessCount(cidrGroups);
        return false;
    }

    /**
     * Checks access for a role from an address and records how long the check took.
     *
     * <p>The latency is recorded only when the check returns normally; an exception from the
     * check skips the metric update.
     *
     * @return the decision made by the CIDR check
     */
    @Override
    public boolean hasAccessFromIp(RoleResource roleResource, InetAddress inetAddress) {
        final long startedAt = MonotonicClock.Global.approxTime.now();
        final boolean allowed = hasCidrAccess(roleResource, inetAddress);
        final long elapsedNanos = MonotonicClock.Global.approxTime.now() - startedAt;
        cidrAuthorizerMetrics.cidrChecksLatency.update(elapsedNanos, TimeUnit.NANOSECONDS);
        return allowed;
    }
}
