package org.pentaho.platform.web.http.api.resources.services;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.concurrent.Callable;
import org.apache.commons.lang3.StringUtils;
import org.pentaho.platform.api.engine.IAuthorizationPolicy;
import org.pentaho.platform.api.engine.IConfiguration;
import org.pentaho.platform.api.engine.IPentahoSession;
import org.pentaho.platform.api.engine.ISystemConfig;
import org.pentaho.platform.api.engine.security.userroledao.IPentahoRole;
import org.pentaho.platform.api.engine.security.userroledao.IPentahoUser;
import org.pentaho.platform.api.engine.security.userroledao.IUserRoleDao;
import org.pentaho.platform.api.engine.security.userroledao.NotFoundException;
import org.pentaho.platform.api.engine.security.userroledao.UncategorizedUserRoleDaoException;
import org.pentaho.platform.api.mt.ITenant;
import org.pentaho.platform.engine.core.system.PentahoSessionHolder;
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.pentaho.platform.engine.core.system.TenantUtils;
import org.pentaho.platform.engine.security.SecurityHelper;
import org.pentaho.platform.plugin.services.messages.Messages;
import org.pentaho.platform.repository2.userroledao.jackrabbit.security.DefaultPentahoPasswordEncoder;
import org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao;
import org.pentaho.platform.security.policy.rolebased.RoleBindingStruct;
import org.pentaho.platform.web.http.api.resources.LocalizedLogicalRoleName;
import org.pentaho.platform.web.http.api.resources.LogicalRoleAssignment;
import org.pentaho.platform.web.http.api.resources.LogicalRoleAssignments;
import org.pentaho.platform.web.http.api.resources.RoleListWrapper;
import org.pentaho.platform.web.http.api.resources.SystemRolesMap;
import org.pentaho.platform.web.http.api.resources.User;
import org.pentaho.platform.web.http.api.resources.UserListWrapper;
import org.pentaho.platform.web.http.filters.PentahoAwareCharacterEncodingFilter;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:org/pentaho/platform/web/http/api/resources/services/UserRoleDaoService.class */
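/**
 * Service layer for user, role and role-binding administration.
 *
 * <p>Most operations are gated by {@link #canAdminister()}, which requires the repository-read,
 * repository-create and administer-security actions on the current authorization policy.
 * {@link #getUsers()} and {@link #getRoles()} perform no such check in this class, and
 * {@link #changeUserPassword(String, String, String)} additionally lets a non-administrator change
 * the password of the account named by the current session.
 *
 * <p>NOTE(review): this listing was recovered from compiled bytecode, so the original parameter
 * names and comments are not available; the names below are derived from how each value is used.
 */
public class UserRoleDaoService {
    private IUserRoleDao roleDao;
    private IAuthorizationPolicy policy;
    private IRoleAuthorizationPolicyRoleBindingDao roleBindingDao;
    private static final String PASS_VALIDATION_ERROR_WRONG_PASS = "UserRoleDaoService.PassValidationError_WrongPass";
    public static final String PUC_USER_PASSWORD_LENGTH = "PUC_USER_PASSWORD_LENGTH";
    public static final String PUC_USER_PASSWORD_REQUIRE_SPECIAL_CHARACTER = "PUC_USER_PASSWORD_REQUIRE_SPECIAL_CHARACTER";
    private ISystemConfig systemConfig = (ISystemConfig) PentahoSystem.get(ISystemConfig.class);

    /** Signals that caller-supplied input (names, passwords) failed validation. */
    public static class ValidationFailedException extends Exception {
        public ValidationFailedException() {
        }

        public ValidationFailedException(String message) {
            super(message);
        }
    }

    /**
     * Returns every user known to the role DAO.
     *
     * <p>NOTE(review): unlike most siblings this method does not call {@link #canAdminister()};
     * confirm that the calling resource enforces authorization before exposing the user list.
     */
    public UserListWrapper getUsers() throws Exception {
        return new UserListWrapper((List<IPentahoUser>) getRoleDao().getUsers());
    }

    /**
     * Returns the roles held by {@code userName} in the current tenant.
     *
     * @throws SecurityException if the caller may not administer security
     */
    public RoleListWrapper getRolesForUser(String userName) throws UncategorizedUserRoleDaoException {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        return new RoleListWrapper((List<IPentahoRole>) getRoleDao().getUserRoles(TenantUtils.getCurrentTenant(), userName));
    }

    /**
     * Adds the given roles to the roles the user already holds.
     *
     * @param userName  account to modify
     * @param roleNames tab-separated role names; {@code null} is treated as an empty list
     * @throws SecurityException if the caller may not administer security
     */
    public void assignRolesToUser(String userName, String roleNames) throws NotFoundException, UncategorizedUserRoleDaoException, SecurityException {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        ITenant tenant = TenantUtils.getCurrentTenant();
        HashSet<String> effectiveRoles = currentRoleNames(tenant, userName);
        effectiveRoles.addAll(splitTabSeparated(roleNames));
        getRoleDao().setUserRoles(tenant, userName, effectiveRoles.toArray(new String[0]));
    }

    /**
     * Removes the given roles from the roles the user currently holds.
     *
     * @param userName  account to modify
     * @param roleNames tab-separated role names; {@code null} is treated as an empty list
     * @throws SecurityException if the caller may not administer security
     */
    public void removeRolesFromUser(String userName, String roleNames) throws NotFoundException, UncategorizedUserRoleDaoException, SecurityException {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        ITenant tenant = TenantUtils.getCurrentTenant();
        HashSet<String> effectiveRoles = currentRoleNames(tenant, userName);
        effectiveRoles.removeAll(splitTabSeparated(roleNames));
        getRoleDao().setUserRoles(tenant, userName, effectiveRoles.toArray(new String[0]));
    }

    /**
     * Creates a role with an empty description and no members.
     *
     * <p>NOTE(review): only emptiness is checked here; the reserved-character check applied to user
     * names in {@link #createUser(User)} is not applied to role names. Confirm that is intended.
     *
     * @throws SecurityException         if the caller may not administer security
     * @throws ValidationFailedException if {@code roleName} is null or empty
     */
    public void createRole(String roleName) throws Exception {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        if (!strNotEmpty(roleName)) {
            throw new ValidationFailedException();
        }
        ((IUserRoleDao) PentahoSystem.get(IUserRoleDao.class, "userRoleDaoProxy", PentahoSessionHolder.getSession())).createRole((ITenant) null, roleName, "", new String[0]);
    }

    /**
     * Returns every role known to the role DAO.
     *
     * <p>NOTE(review): no {@link #canAdminister()} check is made here; confirm that the calling
     * resource enforces authorization.
     */
    public RoleListWrapper getRoles() throws UncategorizedUserRoleDaoException {
        return new RoleListWrapper((List<IPentahoRole>) getRoleDao().getRoles());
    }

    /**
     * Returns the members of {@code roleName} in the current tenant.
     *
     * @throws SecurityException if the caller may not administer security
     */
    public UserListWrapper getRoleMembers(String roleName) throws UncategorizedUserRoleDaoException, SecurityException {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        return new UserListWrapper((List<IPentahoUser>) getRoleDao().getRoleMembers(TenantUtils.getCurrentTenant(), roleName));
    }

    /** Returns true when {@code value} contains any character reported as reserved by {@link FileService}. */
    private boolean containsReservedChars(String value) {
        return StringUtils.containsAny(value, new FileService().doGetReservedChars());
    }

    /** Returns true when {@code value} is neither null nor empty. */
    private boolean strNotEmpty(String value) {
        return value != null && value.length() > 0;
    }

    /**
     * Checks the submitted (still URL-encoded) user: the name must be non-empty and free of
     * reserved characters, and a password must be present.
     */
    private boolean userValid(User user) {
        String userName = user.getUserName();
        return (strNotEmpty(userName) && !containsReservedChars(userName)) && strNotEmpty(user.getPassword());
    }

    /**
     * URL-decodes {@code value} using the platform default character encoding.
     *
     * <p>A literal {@code +} is escaped first because {@link URLDecoder} would otherwise turn it
     * into a space. Malformed percent sequences make {@link URLDecoder} throw
     * {@link IllegalArgumentException}, which is not handled here.
     */
    private String decode(String value) {
        try {
            return URLDecoder.decode(value.replace("+", "%2B"), PentahoAwareCharacterEncodingFilter.DEFAULT_CHAR_ENCODING);
        } catch (UnsupportedEncodingException e) {
            // Fall back to the raw value when the encoding name is unknown to the JVM.
            return value;
        }
    }

    /**
     * Creates a user with an empty description and no roles.
     *
     * @throws SecurityException         if the caller may not administer security
     * @throws ValidationFailedException if the name or password is missing, the name contains
     *                                   reserved characters (before or after URL-decoding), or the
     *                                   password violates the configured policy
     */
    public void createUser(User user) throws Exception {
        if (!canAdminister()) {
            // NOTE(review): an authorization failure is reported with the wrong-password message key;
            // confirm this is intended.
            throw new SecurityException(Messages.getInstance().getString(PASS_VALIDATION_ERROR_WRONG_PASS));
        }
        if (!userValid(user)) {
            throw new ValidationFailedException();
        }
        String userName = decode(user.getUserName());
        // userValid() inspected the encoded form only. The name that is actually stored is the
        // decoded one, so the reserved-character rule has to hold for it as well; otherwise
        // percent-encoding a reserved character would get it past the check above.
        if (!strNotEmpty(userName) || containsReservedChars(userName)) {
            throw new ValidationFailedException();
        }
        String password = user.getPassword();
        ValidationFailedException policyViolation = validatePasswordFormat(password);
        if (policyViolation != null) {
            throw policyViolation;
        }
        ((IUserRoleDao) PentahoSystem.get(IUserRoleDao.class, "userRoleDaoProxy", PentahoSessionHolder.getSession())).createUser((ITenant) null, userName, password, "", new String[0]);
    }

    /** Returns true when all three arguments are non-null and non-empty. */
    private boolean inputValid(String userName, String newPassword, String oldPassword) {
        return strNotEmpty(userName) && strNotEmpty(newPassword) && strNotEmpty(oldPassword);
    }

    /**
     * Checks {@code password} against the policy in the "security" system configuration.
     *
     * <p>{@link #PUC_USER_PASSWORD_LENGTH} sets the minimum length (absent or empty means none) and
     * {@link #PUC_USER_PASSWORD_REQUIRE_SPECIAL_CHARACTER} requires one of {@code @#$%!}.
     *
     * @return {@code null} when the password is acceptable, otherwise the exception to throw.
     *         A {@code null} password, an unreadable configuration or a non-numeric length setting
     *         all yield an exception, so the policy fails closed.
     */
    private ValidationFailedException validatePasswordFormat(String password) {
        int minLength = 0;
        boolean requireSpecialChar = false;
        IConfiguration configuration = this.systemConfig.getConfiguration("security");
        try {
            String lengthSetting = configuration.getProperties().getProperty(PUC_USER_PASSWORD_LENGTH);
            if (!StringUtils.isEmpty(lengthSetting)) {
                minLength = Integer.parseInt(lengthSetting);
            }
            String specialCharSetting = configuration.getProperties().getProperty(PUC_USER_PASSWORD_REQUIRE_SPECIAL_CHARACTER);
            if (!StringUtils.isEmpty(specialCharSetting)) {
                requireSpecialChar = Boolean.parseBoolean(specialCharSetting);
            }
            List<String> requirements = new ArrayList<>();
            if (minLength > 0) {
                requirements.add(Messages.getInstance().getString("UserRoleDaoService.PassValidationError_Length", new Object[]{Integer.toString(minLength)}));
            }
            if (requireSpecialChar) {
                requirements.add(Messages.getInstance().getString("UserRoleDaoService.PassValidationError_SpecChar"));
            }
            String message = "New password must: " + String.join(", ", requirements) + ".";
            // A null password used to raise NullPointerException here (updatePassword(User) does not
            // pre-check it); it is now reported as a validation failure.
            //
            // String.matches() anchors the whole input, so the ".{0,100}" part also rejects passwords
            // that are longer than 100 characters or contain a line terminator whenever the
            // special-character rule is on, and the message above does not say so.
            // NOTE(review): confirm whether that upper bound is intended.
            if (password == null
                    || password.length() < minLength
                    || (requireSpecialChar && !password.matches("((?=.*[@#$%!]).{0,100})"))) {
                return new ValidationFailedException(message);
            }
            return null;
        } catch (IOException | NumberFormatException e) {
            // An unreadable or malformed policy must not let the password through unchecked.
            return new ValidationFailedException(Messages.getInstance().getString("UserRoleDaoService.PassValidationError_ReadingSecProperties"));
        }
    }

    /**
     * Returns true when {@code suppliedPassword} matches the stored password of {@code user}
     * according to {@link DefaultPentahoPasswordEncoder}; a {@code null} user never matches.
     */
    private boolean credentialValid(IPentahoUser user, String suppliedPassword) {
        if (user == null) {
            return false;
        }
        return new DefaultPentahoPasswordEncoder().isPasswordValid(user.getPassword(), suppliedPassword, (Object) null);
    }

    /**
     * Changes a user's password after verifying the account's current password.
     *
     * <p>The caller must either pass {@link #canAdminister()} or be the user named by the current
     * session. In both cases {@code oldPassword} must match the stored password. The write itself
     * runs as the system user. An unauthorized caller and a wrong old password are reported with
     * the same message key.
     *
     * @param userName    account whose password is changed
     * @param newPassword replacement password, checked against the configured policy
     * @param oldPassword current password of {@code userName}
     * @throws ValidationFailedException if any argument is empty or the new password violates policy
     * @throws SecurityException         if the caller is not authorized or {@code oldPassword} is wrong
     */
    public void changeUserPassword(final String userName, final String newPassword, String oldPassword) throws Exception {
        if (!inputValid(userName, newPassword, oldPassword)) {
            throw new ValidationFailedException();
        }
        ValidationFailedException policyViolation = validatePasswordFormat(newPassword);
        if (policyViolation != null) {
            throw policyViolation;
        }
        IPentahoSession session = PentahoSessionHolder.getSession();
        boolean isOwnAccount = session != null && userName.equals(session.getName());
        if (!canAdminister() && !isOwnAccount) {
            throw new SecurityException(Messages.getInstance().getString(PASS_VALIDATION_ERROR_WRONG_PASS));
        }
        final IUserRoleDao userRoleDao = (IUserRoleDao) PentahoSystem.get(IUserRoleDao.class, "userRoleDaoProxy", session);
        if (!credentialValid(userRoleDao.getUser((ITenant) null, userName), oldPassword)) {
            throw new SecurityException(Messages.getInstance().getString(PASS_VALIDATION_ERROR_WRONG_PASS));
        }
        // The authorization and old-password checks above are the only gate: the write below is
        // performed with system privileges.
        SecurityHelper.getInstance().runAsSystem(new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                userRoleDao.setPassword((ITenant) null, userName, newPassword);
                return null;
            }
        });
    }

    /**
     * Deletes every existing user named in {@code userNames}; unknown names are skipped.
     *
     * @param userNames tab-separated user names; {@code null} is treated as an empty list
     * @throws SecurityException if the caller may not administer security
     */
    public void deleteUsers(String userNames) throws NotFoundException, UncategorizedUserRoleDaoException, SecurityException {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        for (String userName : splitTabSeparated(userNames)) {
            IPentahoUser user = getRoleDao().getUser((ITenant) null, userName);
            if (user != null) {
                getRoleDao().deleteUser(user);
            }
        }
    }

    /**
     * Deletes every existing role named in {@code roleNames}; unknown names are skipped.
     *
     * @param roleNames tab-separated role names; {@code null} is treated as an empty list
     * @throws SecurityException if the caller may not administer security
     */
    public void deleteRoles(String roleNames) throws SecurityException, UncategorizedUserRoleDaoException {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        for (String roleName : splitTabSeparated(roleNames)) {
            IPentahoRole role = getRoleDao().getRole((ITenant) null, roleName);
            if (role != null) {
                getRoleDao().deleteRole(role);
            }
        }
    }

    /**
     * Builds the role-binding view (localized logical role names plus per-role assignments,
     * each flagged immutable or not) for {@code locale}.
     *
     * @throws SecurityException if the caller may not administer security
     */
    public SystemRolesMap getRoleBindingStruct(String locale) throws SecurityException {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        RoleBindingStruct bindings = getRoleBindingDao().getRoleBindingStruct(locale);
        SystemRolesMap result = new SystemRolesMap();
        for (Map.Entry nameEntry : bindings.logicalRoleNameMap.entrySet()) {
            result.getLocalizedRoleNames().add(new LocalizedLogicalRoleName((String) nameEntry.getKey(), (String) nameEntry.getValue()));
        }
        for (Map.Entry bindingEntry : bindings.bindingMap.entrySet()) {
            boolean immutable = bindings.immutableRoles.contains(bindingEntry.getKey());
            result.getAssignments().add(new LogicalRoleAssignment((String) bindingEntry.getKey(), (List) bindingEntry.getValue(), immutable));
        }
        return result;
    }

    /**
     * Replaces the logical-role bindings of every role listed in {@code logicalRoleAssignments}.
     *
     * @throws SecurityException if the caller may not administer security
     */
    public void setLogicalRoles(LogicalRoleAssignments logicalRoleAssignments) throws SecurityException {
        if (!canAdminister()) {
            throw new SecurityException();
        }
        for (LogicalRoleAssignment assignment : logicalRoleAssignments.getAssignments()) {
            getRoleBindingDao().setRoleBindings(assignment.getRoleName(), assignment.getLogicalRoles());
        }
    }

    /**
     * Sets another user's password after re-authenticating the logged-in user.
     *
     * @param user                carries the target user name (URL-encoded) and the new password
     * @param currentUserPassword password of the logged-in user, used for re-authentication
     * @throws SecurityException         if there is no session or authentication provider,
     *                                   re-authentication fails, or the caller may not administer security
     * @throws ValidationFailedException if the new password violates the configured policy
     */
    public void updatePassword(User user, String currentUserPassword) throws ValidationFailedException {
        IPentahoSession session = PentahoSessionHolder.getSession();
        if (session == null) {
            // Previously surfaced as a NullPointerException on session.getName().
            throw new SecurityException("No active session, can not re-authenticate logged-in user");
        }
        AuthenticationProvider authenticationProvider = (AuthenticationProvider) PentahoSystem.get(AuthenticationProvider.class, session);
        if (authenticationProvider == null) {
            throw new SecurityException("Authentication Provider not found, can not re-authenticate logged-in user");
        }
        try {
            org.springframework.security.core.Authentication result =
                    authenticationProvider.authenticate(new UsernamePasswordAuthenticationToken(session.getName(), currentUserPassword));
            // A provider may return null when it does not handle the token; treat that as a failed
            // re-authentication instead of dereferencing it.
            if (result == null || !result.isAuthenticated()) {
                throw new SecurityException("Logged-in user re-authentication failed");
            }
        } catch (AuthenticationException e) {
            throw new SecurityException("Logged-in user re-authentication failed", e);
        }
        updatePassword(user);
    }

    /**
     * Sets a user's password without checking the previous one; restricted to administrators.
     *
     * @param user carries the target user name (URL-encoded) and the new password
     * @throws SecurityException         if the caller may not administer security or the user does not exist
     * @throws ValidationFailedException if the new password is null or violates the configured policy
     */
    public void updatePassword(User user) throws ValidationFailedException {
        if (!canAdminister()) {
            throw new SecurityException("Logged-in user is not authorized to change password");
        }
        String userName = decode(user.getUserName());
        String password = user.getPassword();
        ValidationFailedException policyViolation = validatePasswordFormat(password);
        if (policyViolation != null) {
            throw policyViolation;
        }
        IUserRoleDao userRoleDao = (IUserRoleDao) PentahoSystem.get(IUserRoleDao.class, "userRoleDaoProxy", PentahoSessionHolder.getSession());
        if (userRoleDao.getUser((ITenant) null, userName) == null) {
            throw new SecurityException("User not found");
        }
        userRoleDao.setPassword((ITenant) null, userName, password);
    }

    /**
     * Returns true only when the current policy allows all three of repository read, repository
     * create and administer security.
     */
    private boolean canAdminister() {
        IAuthorizationPolicy authorizationPolicy = getPolicy();
        return authorizationPolicy.isAllowed("org.pentaho.repository.read")
                && authorizationPolicy.isAllowed("org.pentaho.repository.create")
                && authorizationPolicy.isAllowed("org.pentaho.security.administerSecurity");
    }

    /** Collects the names of the roles {@code userName} currently holds in {@code tenant}. */
    private HashSet<String> currentRoleNames(ITenant tenant, String userName) throws UncategorizedUserRoleDaoException {
        HashSet<String> names = new HashSet<>();
        for (Object role : getRoleDao().getUserRoles(tenant, userName)) {
            names.add(((IPentahoRole) role).getName());
        }
        return names;
    }

    /** Splits a tab-separated list into its non-empty tokens; {@code null} yields an empty list. */
    private static List<String> splitTabSeparated(String value) {
        List<String> tokens = new ArrayList<>();
        if (value == null) {
            return tokens;
        }
        StringTokenizer tokenizer = new StringTokenizer(value, "\t");
        while (tokenizer.hasMoreTokens()) {
            tokens.add(tokenizer.nextToken());
        }
        return tokens;
    }

    /** Lazily resolves the role-binding DAO from {@link PentahoSystem}. */
    private IRoleAuthorizationPolicyRoleBindingDao getRoleBindingDao() {
        if (this.roleBindingDao == null) {
            this.roleBindingDao = (IRoleAuthorizationPolicyRoleBindingDao) PentahoSystem.get(IRoleAuthorizationPolicyRoleBindingDao.class);
        }
        return this.roleBindingDao;
    }

    /** Lazily resolves the authorization policy from {@link PentahoSystem}. */
    private IAuthorizationPolicy getPolicy() {
        if (this.policy == null) {
            this.policy = (IAuthorizationPolicy) PentahoSystem.get(IAuthorizationPolicy.class);
        }
        return this.policy;
    }

    /** Lazily resolves the user/role DAO from {@link PentahoSystem}. */
    private IUserRoleDao getRoleDao() {
        if (this.roleDao == null) {
            this.roleDao = (IUserRoleDao) PentahoSystem.get(IUserRoleDao.class);
        }
        return this.roleDao;
    }

    /** Replaces the system configuration used for password-policy lookups (test hook). */
    @VisibleForTesting
    protected void setSystemConfig(ISystemConfig iSystemConfig) {
        this.systemConfig = iSystemConfig;
    }
}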
