package org.georchestra.console.ws.backoffice.roles;

import java.io.IOException;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javassist.compiler.TokenId;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.georchestra.console.dao.AdvancedDelegationDao;
import org.georchestra.console.dao.DelegationDao;
import org.georchestra.console.model.AdminLogType;
import org.georchestra.console.model.DelegationEntry;
import org.georchestra.console.ws.backoffice.utils.RequestUtil;
import org.georchestra.console.ws.backoffice.utils.ResponseUtil;
import org.georchestra.console.ws.utils.LogUtils;
import org.georchestra.ds.DataServiceException;
import org.georchestra.ds.DuplicatedCommonNameException;
import org.georchestra.ds.roles.Role;
import org.georchestra.ds.roles.RoleDao;
import org.georchestra.ds.roles.RoleFactory;
import org.georchestra.ds.roles.RoleSchema;
import org.georchestra.ds.users.Account;
import org.georchestra.ds.users.AccountDao;
import org.georchestra.ds.users.ProtectedUserFilter;
import org.georchestra.ds.users.UserRule;
import org.georchestra.lib.file.FileUtils;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.ldap.NameNotFoundException;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
/* loaded from: input_file:WEB-INF/classes/org/georchestra/console/ws/backoffice/roles/RolesController.class */
public class RolesController {
    private static final Log LOG = LogFactory.getLog(RolesController.class.getName());
    public static final GrantedAuthority ROLE_SUPERUSER = new SimpleGrantedAuthority("ROLE_SUPERUSER");
    private static final String BASE_MAPPING = "/private";
    private static final String BASE_RESOURCE = "roles";
    private static final String REQUEST_MAPPING = "/private/roles";
    private static final String DUPLICATED_COMMON_NAME = "duplicated_common_name";
    private static final String NOT_FOUND = "not_found";
    private static final String USER_NOT_FOUND = "user_not_found";
    private static final String ILLEGAL_CHARACTER = "illegal_character";
    private static final String VIRTUAL_TEMPORARY_ROLE_NAME = "TEMPORARY";
    private static final String VIRTUAL_TEMPORARY_ROLE_DESCRIPTION = "Virtual role that contains all temporary users";
    private static final String VIRTUAL_EXPIRED_ROLE_NAME = "EXPIRED";
    private static final String VIRTUAL_EXPIRED_ROLE_DESCRIPTION = "Virtual role that contains all expired users";

    @Autowired
    private AccountDao accountDao;

    @Autowired
    protected LogUtils logUtils;

    @Autowired
    private AdvancedDelegationDao advancedDelegationDao;

    @Autowired
    private DelegationDao delegationDao;
    private RoleDao roleDao;
    private ProtectedUserFilter filter;

    private String buildErrorResponse(String str) {
        HashMap hashMap = new HashMap();
        hashMap.put("success", false);
        hashMap.put("error_message", str);
        return new JSONObject((Map<?, ?>) hashMap).toString();
    }

    @Autowired
    public RolesController(RoleDao roleDao, UserRule userRule) {
        this.roleDao = roleDao;
        this.filter = new ProtectedUserFilter(userRule.getListUidProtected());
    }

    @RequestMapping(value = {REQUEST_MAPPING}, method = {RequestMethod.GET}, produces = {"application/json; charset=utf-8"})
    @PostFilter("hasPermission(filterObject, 'read')")
    @ResponseBody
    public List<Role> findAll() throws DataServiceException {
        List<Role> findAll = this.roleDao.findAll();
        findAll.stream().forEach(role -> {
            role.setUserList(this.filter.filterStringList(role.getUserList()));
        });
        Pair<Role, Role> generateVirtualRoles = generateVirtualRoles();
        findAll.addAll(Arrays.asList(generateVirtualRoles.getLeft(), generateVirtualRoles.getRight()));
        return findAll;
    }

    @RequestMapping(value = {"/private/roles/{cn:.+}"}, method = {RequestMethod.GET}, produces = {"application/json; charset=utf-8"})
    @ResponseBody
    public Role findByCN(@PathVariable String str) throws DataServiceException {
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException("name is empty");
        }
        Role left = str.equals(VIRTUAL_TEMPORARY_ROLE_NAME) ? generateVirtualRoles().getLeft() : this.roleDao.findByCommonName(str);
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!authentication.getAuthorities().contains(ROLE_SUPERUSER)) {
            if (!Arrays.asList(this.delegationDao.findOne(authentication.getName()).getRoles()).contains(str)) {
                throw new AccessDeniedException("Role not under delegation");
            }
            left.getUserList().retainAll(this.advancedDelegationDao.findUsersUnderDelegation(authentication.getName()));
        }
        return left;
    }

    private Pair<Role, Role> generateVirtualRoles() {
        Role create = RoleFactory.create(VIRTUAL_TEMPORARY_ROLE_NAME, VIRTUAL_TEMPORARY_ROLE_DESCRIPTION, false);
        Role create2 = RoleFactory.create(VIRTUAL_EXPIRED_ROLE_NAME, VIRTUAL_EXPIRED_ROLE_DESCRIPTION, false);
        Date time = Calendar.getInstance().getTime();
        this.accountDao.findByShadowExpire().stream().forEach(account -> {
            if (account.getShadowExpire() != null && time.after(account.getShadowExpire())) {
                create2.addUser(account.getUid());
            }
            create.addUser(account.getUid());
        });
        return Pair.of(create, create2);
    }

    @RequestMapping(value = {REQUEST_MAPPING}, method = {RequestMethod.POST})
    @PreAuthorize("hasRole('SUPERUSER')")
    public void create(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        try {
            Role createRoleFromRequestBody = createRoleFromRequestBody(httpServletRequest.getInputStream());
            this.roleDao.insert(createRoleFromRequestBody);
            ResponseUtil.buildResponse(httpServletResponse, new RoleResponse(createRoleFromRequestBody, this.filter).asJsonString(), 200);
            this.logUtils.createLog(createRoleFromRequestBody.getName(), AdminLogType.ROLE_CREATED, null);
        } catch (IllegalArgumentException e) {
            ResponseUtil.buildResponse(httpServletResponse, ResponseUtil.buildResponseMessage(Boolean.FALSE, ILLEGAL_CHARACTER), 409);
        } catch (DataServiceException e2) {
            LOG.error(e2.getMessage());
            ResponseUtil.buildResponse(httpServletResponse, buildErrorResponse(e2.getMessage()), TokenId.BadToken);
            throw new IOException(e2);
        } catch (DuplicatedCommonNameException e3) {
            ResponseUtil.buildResponse(httpServletResponse, ResponseUtil.buildResponseMessage(Boolean.FALSE, DUPLICATED_COMMON_NAME), 409);
        }
    }

    @RequestMapping(value = {"/private/roles/{cn:.+}"}, method = {RequestMethod.DELETE})
    @PreAuthorize("hasRole('SUPERUSER')")
    public void delete(HttpServletResponse httpServletResponse, @PathVariable String str) throws IOException {
        try {
            for (DelegationEntry delegationEntry : this.advancedDelegationDao.findByRole(str)) {
                delegationEntry.removeRole(str);
                this.delegationDao.save((DelegationDao) delegationEntry);
            }
            this.roleDao.delete(str);
            this.logUtils.createLog(str, AdminLogType.ROLE_DELETED, null);
            ResponseUtil.writeSuccess(httpServletResponse);
        } catch (DataServiceException e) {
            LOG.error(e.getMessage());
            ResponseUtil.buildResponse(httpServletResponse, buildErrorResponse(e.getMessage()), TokenId.Identifier);
        } catch (NameNotFoundException e2) {
            LOG.error(e2.getMessage());
            ResponseUtil.buildResponse(httpServletResponse, buildErrorResponse(e2.getMessage()), TokenId.FloatConstant);
        } catch (Exception e3) {
            LOG.error(e3.getMessage());
            ResponseUtil.buildResponse(httpServletResponse, buildErrorResponse(e3.getMessage()), TokenId.BadToken);
            throw new IOException(e3);
        }
    }

    @RequestMapping(value = {"/private/roles/{cn:.+}"}, method = {RequestMethod.PUT})
    @PreAuthorize("hasRole('SUPERUSER')")
    public void update(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, @PathVariable String str) throws IOException {
        try {
            Role findByCommonName = this.roleDao.findByCommonName(str);
            try {
                this.roleDao.update(str, modifyRole(findByCommonName, httpServletRequest.getInputStream()));
                ResponseUtil.buildResponse(httpServletResponse, new RoleResponse(findByCommonName, this.filter).asJsonString(), 200);
                ResponseUtil.writeSuccess(httpServletResponse);
            } catch (DataServiceException e) {
                LOG.error(e.getMessage());
                ResponseUtil.buildResponse(httpServletResponse, buildErrorResponse(e.getMessage()), TokenId.BadToken);
                throw new IOException(e);
            } catch (DuplicatedCommonNameException e2) {
                ResponseUtil.buildResponse(httpServletResponse, ResponseUtil.buildResponseMessage(Boolean.FALSE, DUPLICATED_COMMON_NAME), 409);
            } catch (NameNotFoundException e3) {
                ResponseUtil.buildResponse(httpServletResponse, ResponseUtil.buildResponseMessage(Boolean.FALSE, NOT_FOUND), TokenId.FloatConstant);
            }
        } catch (DataServiceException e4) {
            httpServletResponse.setStatus(TokenId.BadToken);
            throw new IOException(e4);
        } catch (NameNotFoundException e5) {
            ResponseUtil.writeError(httpServletResponse, NOT_FOUND);
        }
    }

    @RequestMapping(value = {"/private/roles_users"}, method = {RequestMethod.POST})
    public void updateUsers(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AccessDeniedException, IOException, JSONException, DataServiceException {
        JSONObject jSONObject = new JSONObject(FileUtils.asString(httpServletRequest.getInputStream()));
        List<String> createUserList = createUserList(jSONObject, "users");
        List<String> createUserList2 = createUserList(jSONObject, "PUT");
        List<String> createUserList3 = createUserList(jSONObject, "DELETE");
        List<Account> list = (List) createUserList.stream().map(str -> {
            try {
                return this.accountDao.findByUID(str);
            } catch (DataServiceException e) {
                LOG.debug(e.getMessage());
                return null;
            }
        }).filter(account -> {
            return null != account;
        }).collect(Collectors.toList());
        if (createUserList2.contains("ORGADMIN") || createUserList3.contains("ORGADMIN")) {
            throw new IllegalArgumentException("ORGADMIN role cannot be add or delete");
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!authentication.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_SUPERUSER"))) {
            checkAuthorization(authentication.getName(), createUserList, createUserList2, createUserList3);
        }
        this.roleDao.addUsersInRoles(createUserList2, list);
        this.roleDao.deleteUsersInRoles(createUserList3, list);
        this.logUtils.logRolesUsersAction(createUserList2, createUserList3, list);
        ResponseUtil.writeSuccess(httpServletResponse);
    }

    public void checkAuthorization(String str, List<String> list, List<String> list2, List<String> list3) throws AccessDeniedException {
        if (!this.advancedDelegationDao.findUsersUnderDelegation(str).containsAll(list)) {
            throw new AccessDeniedException("Some users are not under delegation");
        }
        DelegationEntry findOne = this.delegationDao.findOne(str);
        if (!Arrays.asList(findOne.getRoles()).containsAll(list2)) {
            throw new AccessDeniedException("Some roles are not under delegation (put)");
        }
        if (!Arrays.asList(findOne.getRoles()).containsAll(list3)) {
            throw new AccessDeniedException("Some roles are not under delegation (delete)");
        }
    }

    private List<String> createUserList(JSONObject jSONObject, String str) throws IOException {
        try {
            LinkedList linkedList = new LinkedList();
            JSONArray jSONArray = jSONObject.getJSONArray(str);
            for (int i = 0; i < jSONArray.length(); i++) {
                linkedList.add(jSONArray.getString(i));
            }
            return linkedList;
        } catch (Exception e) {
            LOG.error(e.getMessage());
            throw new IOException(e);
        }
    }

    private Role modifyRole(Role role, ServletInputStream servletInputStream) throws IOException {
        try {
            JSONObject jSONObject = new JSONObject(FileUtils.asString(servletInputStream));
            String fieldValue = RequestUtil.getFieldValue(jSONObject, "cn");
            if (fieldValue != null) {
                role.setName(fieldValue);
            }
            String fieldValue2 = RequestUtil.getFieldValue(jSONObject, "description");
            if (fieldValue2 != null) {
                role.setDescription(fieldValue2);
            }
            Boolean booleanFieldValue = RequestUtil.getBooleanFieldValue(jSONObject, RoleSchema.FAVORITE_JSON_KEY);
            if (booleanFieldValue != null) {
                role.setFavorite(booleanFieldValue.booleanValue());
            }
            return role;
        } catch (JSONException e) {
            LOG.error(e.getMessage());
            throw new IOException(e);
        }
    }

    private Role createRoleFromRequestBody(ServletInputStream servletInputStream) throws IOException, IllegalArgumentException {
        try {
            JSONObject jSONObject = new JSONObject(FileUtils.asString(servletInputStream));
            String fieldValue = RequestUtil.getFieldValue(jSONObject, "cn");
            if (fieldValue == null) {
                throw new IllegalArgumentException("cn is required");
            }
            String upperCase = fieldValue.toUpperCase();
            if (Pattern.compile("[A-Z0-9_-]+").matcher(upperCase).matches()) {
                return RoleFactory.create(upperCase, RequestUtil.getFieldValue(jSONObject, "description"), RequestUtil.getBooleanFieldValue(jSONObject, RoleSchema.FAVORITE_JSON_KEY));
            }
            throw new IllegalArgumentException("cn should only contain uppercased letters, digits, dashes and underscores");
        } catch (IllegalArgumentException e) {
            throw e;
        } catch (Exception e2) {
            LOG.error(e2.getMessage());
            throw new IOException(e2);
        }
    }

    public void setRoleDao(RoleDao roleDao) {
        this.roleDao = roleDao;
    }

    public void setAccountDao(AccountDao accountDao) {
        this.accountDao = accountDao;
    }

    public AdvancedDelegationDao getAdvancedDelegationDao() {
        return this.advancedDelegationDao;
    }

    public void setAdvancedDelegationDao(AdvancedDelegationDao advancedDelegationDao) {
        this.advancedDelegationDao = advancedDelegationDao;
    }

    public DelegationDao getDelegationDao() {
        return this.delegationDao;
    }

    public void setDelegationDao(DelegationDao delegationDao) {
        this.delegationDao = delegationDao;
    }
}
