package org.pentaho.platform.web.http.api.resources;

import com.google.gwt.user.server.Base64Utils;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.codehaus.enunciate.Facet;
import org.codehaus.enunciate.jaxrs.ResponseCode;
import org.codehaus.enunciate.jaxrs.StatusCodes;
import org.pentaho.platform.api.engine.IAuthorizationPolicy;
import org.pentaho.platform.api.engine.IPentahoSession;
import org.pentaho.platform.api.engine.security.userroledao.IPentahoRole;
import org.pentaho.platform.api.engine.security.userroledao.IPentahoUser;
import org.pentaho.platform.api.engine.security.userroledao.IUserRoleDao;
import org.pentaho.platform.api.engine.security.userroledao.NotFoundException;
import org.pentaho.platform.api.engine.security.userroledao.UncategorizedUserRoleDaoException;
import org.pentaho.platform.api.mt.ITenant;
import org.pentaho.platform.api.mt.ITenantManager;
import org.pentaho.platform.core.mt.Tenant;
import org.pentaho.platform.engine.core.system.PentahoSessionHolder;
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao;
import org.pentaho.platform.web.http.api.resources.services.UserRoleDaoService;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

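/**
 * JAX-RS resource, mounted at {@code /userroledao/}, for managing users, roles and role memberships.
 *
 * <p>The documented endpoints delegate to {@link UserRoleDaoService} and map the exceptions it throws to
 * HTTP statuses ({@link SecurityException} becomes 403). This class runs no permission check of its own
 * for them, so authorization is presumably enforced inside the service; confirm against
 * {@code UserRoleDaoService}. The endpoints tagged {@code @Facet(name = "Unsupported")} call
 * {@link IUserRoleDao} directly and are guarded here by {@link #canAdminister()}.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>Passwords arrive either in clear text or Base64-encoded behind an {@code ENC:} prefix. Base64 is
 *       an encoding, not encryption, so confidentiality depends entirely on the transport (TLS).</li>
 *   <li>The "Unsupported" endpoints answer a failed permission check with 401 and report failures caught
 *       in their {@code try} blocks as 200 with the error text in the body (see
 *       {@link #processErrorResponse(String)}); clients and monitoring cannot rely on the status code
 *       alone for those calls.</li>
 *   <li>Only the caller's own session has its {@code roles} attribute refreshed after a change; nothing
 *       in this class updates other users' live sessions.</li>
 * </ul>
 */
@Path("/userroledao/")
/* loaded from: input_file:org/pentaho/platform/web/http/api/resources/UserRoleDaoResource.class */
public class UserRoleDaoResource extends AbstractJaxRSResource {
    /** Response header used to pass a validation or authentication failure message back to the client. */
    private static final String PUC_VALIDATION_ERROR_MESSAGE = "PUC_VALIDATION_ERROR_MESSAGE";
    private IRoleAuthorizationPolicyRoleBindingDao roleBindingDao;
    private ITenantManager tenantManager;
    private final UserRoleDaoService userRoleDaoService;
    private ArrayList<String> systemRoles;
    private String adminRole;
    private static final Log logger = LogFactory.getLog(UserRoleDaoResource.class);

    /** Builds the resource from the beans registered in {@link PentahoSystem} and a new {@link UserRoleDaoService}. */
    public UserRoleDaoResource() {
        this((IRoleAuthorizationPolicyRoleBindingDao) PentahoSystem.get(IRoleAuthorizationPolicyRoleBindingDao.class), (ITenantManager) PentahoSystem.get(ITenantManager.class), (ArrayList) PentahoSystem.get(ArrayList.class, "singleTenantSystemAuthorities", PentahoSessionHolder.getSession()), (String) PentahoSystem.get(String.class, "singleTenantAdminAuthorityName", PentahoSessionHolder.getSession()), new UserRoleDaoService());
    }

    /** Same as the five-argument constructor, with a new {@link UserRoleDaoService}. */
    public UserRoleDaoResource(IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, ITenantManager tenantManager, ArrayList<String> systemRoles, String adminRole) {
        this(roleBindingDao, tenantManager, systemRoles, adminRole, new UserRoleDaoService());
    }

    /**
     * Creates the resource with explicit collaborators.
     *
     * @param roleBindingDao role-binding DAO; must not be {@code null}
     * @param tenantManager tenant lookup used by {@link #getTenant(String)}
     * @param systemRoles names of the system roles
     * @param adminRole name of the administrator role
     * @param userRoleDaoService service that the documented endpoints delegate to
     * @throws IllegalArgumentException if {@code roleBindingDao} is {@code null}
     */
    public UserRoleDaoResource(IRoleAuthorizationPolicyRoleBindingDao roleBindingDao, ITenantManager tenantManager, ArrayList<String> systemRoles, String adminRole, UserRoleDaoService userRoleDaoService) {
        if (roleBindingDao == null) {
            throw new IllegalArgumentException("roleBindingDao must not be null");
        }
        this.roleBindingDao = roleBindingDao;
        this.tenantManager = tenantManager;
        this.systemRoles = systemRoles;
        this.adminRole = adminRole;
        this.userRoleDaoService = userRoleDaoService;
    }

    /**
     * Creates a user. The password may be sent with the {@code ENC:} Base64 prefix.
     *
     * @param user user to create; its password is replaced by the decoded value before the service call
     * @return 204 on success
     * @throws WebApplicationException 403 on {@link SecurityException}, 400 with the validation message in
     *         the {@code PUC_VALIDATION_ERROR_MESSAGE} header, 412 for any other failure
     */
    @Path("/createUser")
    @Consumes({"*/*"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully created new user."), @ResponseCode(code = 400, condition = "Provided data has invalid format."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method."), @ResponseCode(code = 412, condition = "Unable to create user.")})
    @PUT
    public Response createUser(User user) {
        try {
            user.setPassword(b64DecodePassword(user.getPassword()));
            this.userRoleDaoService.createUser(user);
            return Response.noContent().build();
        } catch (SecurityException e) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        } catch (UserRoleDaoService.ValidationFailedException e) {
            throw new WebApplicationException(validationError(Response.Status.BAD_REQUEST, e.getMessage()));
        } catch (Exception e) {
            // Static message only: request data (user name, password) is never written to the log.
            logger.warn("createUser failed unexpectedly", e);
            throw new WebApplicationException(Response.Status.PRECONDITION_FAILED);
        }
    }

    /**
     * Deletes the users named in {@code userNames}.
     *
     * @param userNames user names, passed to the service unparsed
     * @return 204 on success
     * @throws WebApplicationException 500, 403 or 404 depending on the service failure
     */
    @Path("/deleteUsers")
    @Consumes({"*/*"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully deleted the list of users."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method."), @ResponseCode(code = 500, condition = "Internal server error prevented the system from properly retrieving either the user or roles.")})
    @PUT
    public Response deleteUsers(@QueryParam("userNames") String userNames) {
        try {
            this.userRoleDaoService.deleteUsers(userNames);
            return Response.noContent().build();
        } catch (UncategorizedUserRoleDaoException e) {
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        } catch (SecurityException e) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        } catch (NotFoundException e) {
            throw new WebApplicationException(Response.Status.NOT_FOUND);
        }
    }

    /**
     * Changes a user's password given the old one. Both passwords may carry the {@code ENC:} prefix.
     *
     * @param changePasswordUser user name, old password and new password
     * @return 204 on success
     * @throws WebApplicationException 403 or 400 with the failure message in the
     *         {@code PUC_VALIDATION_ERROR_MESSAGE} header, 412 for any other failure
     */
    @Path("/user")
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully changed password."), @ResponseCode(code = 400, condition = "Provided data has invalid format."), @ResponseCode(code = 403, condition = "Provided user name or password is incorrect."), @ResponseCode(code = 412, condition = "An error occurred in the platform.")})
    @PUT
    public Response changeUserPassword(ChangePasswordUser changePasswordUser) {
        try {
            changePasswordUser.setNewPassword(b64DecodePassword(changePasswordUser.getNewPassword()));
            changePasswordUser.setOldPassword(b64DecodePassword(changePasswordUser.getOldPassword()));
            this.userRoleDaoService.changeUserPassword(changePasswordUser.getUserName(), changePasswordUser.getNewPassword(), changePasswordUser.getOldPassword());
            return Response.noContent().build();
        } catch (SecurityException e) {
            // NOTE(review): the service's message is returned to the caller; confirm it does not
            // distinguish "unknown user" from "wrong password".
            throw new WebApplicationException(validationError(Response.Status.FORBIDDEN, e.getMessage()));
        } catch (UserRoleDaoService.ValidationFailedException e) {
            throw new WebApplicationException(validationError(Response.Status.BAD_REQUEST, e.getMessage()));
        } catch (Exception e) {
            // Static message only: neither password is written to the log.
            logger.warn("changeUserPassword failed unexpectedly", e);
            throw new WebApplicationException(Response.Status.PRECONDITION_FAILED);
        }
    }

    /**
     * Returns the Base64-decoded password when {@code encoded} starts with {@code ENC:}; otherwise
     * returns it unchanged (including {@code null} and the empty string).
     *
     * <p>This is transport encoding only and adds no secrecy. The decoded value is held in an immutable
     * {@link String}, so it cannot be wiped after use.
     */
    private String b64DecodePassword(String encoded) {
        if (StringUtils.isEmpty(encoded) || !encoded.startsWith("ENC:")) {
            return encoded;
        }
        byte[] decoded = Base64Utils.fromBase64(encoded.substring(4));
        return new String(decoded, StandardCharsets.UTF_8);
    }

    /**
     * Lists all users.
     *
     * @throws WebApplicationException 500 on any failure (the failure is logged)
     */
    @GET
    @Path("/users")
    @Produces({"application/xml", "application/json"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully returned the list of users."), @ResponseCode(code = 500, condition = "An error occurred in the platform while trying to access the list of users.")})
    public UserListWrapper getUsers() throws WebApplicationException {
        try {
            return this.userRoleDaoService.getUsers();
        } catch (Exception e) {
            logger.warn(e.getMessage(), e);
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Lists the roles of {@code userName}.
     *
     * @throws WebApplicationException 500 on {@link UncategorizedUserRoleDaoException}; other exceptions
     *         propagate unmapped
     */
    @GET
    @Path("/userRoles")
    @Produces({"application/xml", "application/json"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully retrieved the list of roles."), @ResponseCode(code = 500, condition = "Invalid user parameter.")})
    public RoleListWrapper getRolesForUser(@QueryParam("userName") String userName) throws Exception {
        try {
            return this.userRoleDaoService.getRolesForUser(userName);
        } catch (UncategorizedUserRoleDaoException e) {
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Adds roles to a user and refreshes the caller's session roles when the caller is that user.
     *
     * @param userName user to modify
     * @param roleNames role names, passed to the service unparsed
     * @return 204 on success
     * @throws WebApplicationException 403 on {@link SecurityException}, otherwise 500
     */
    @Path("/assignRoleToUser")
    @Consumes({"*/*"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully append the roles to the user."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method."), @ResponseCode(code = 500, condition = "Internal server error prevented the system from properly retrieving either the user or roles.")})
    @PUT
    public Response assignRolesToUser(@QueryParam("userName") String userName, @QueryParam("roleNames") String roleNames) {
        try {
            this.userRoleDaoService.assignRolesToUser(userName, roleNames);
            refreshSessionRolesIfCurrentUser(userName);
            return Response.noContent().build();
        } catch (SecurityException e) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        } catch (NotFoundException e) {
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        } catch (UncategorizedUserRoleDaoException e) {
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Removes roles from a user and refreshes the caller's session roles when the caller is that user.
     *
     * <p>Unlike the other endpoints, the exception's localized message is returned in the response body.
     *
     * @param userName user to modify
     * @param roleNames role names, passed to the service unparsed
     * @return 204 on success
     * @throws WebApplicationException 500, 404 or 403 depending on the service failure
     */
    @Path("/removeRoleFromUser")
    @Consumes({"*/*"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully removed the roles from the user."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method."), @ResponseCode(code = 500, condition = "Internal server error prevented the system from properly retrieving either the user or roles.")})
    @PUT
    public Response removeRolesFromUser(@QueryParam("userName") String userName, @QueryParam("roleNames") String roleNames) {
        try {
            this.userRoleDaoService.removeRolesFromUser(userName, roleNames);
            refreshSessionRolesIfCurrentUser(userName);
            return Response.noContent().build();
        } catch (UncategorizedUserRoleDaoException e) {
            throw new WebApplicationException(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(e.getLocalizedMessage()).build());
        } catch (NotFoundException e) {
            throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).entity(e.getLocalizedMessage()).build());
        } catch (SecurityException e) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(e.getLocalizedMessage()).build());
        }
    }

    /**
     * Creates a role.
     *
     * @return 204 on success
     * @throws WebApplicationException 403 on {@link SecurityException}, 400 on validation failure, 412
     *         for any other failure
     */
    @Path("/createRole")
    @Consumes({"*/*"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully created new role."), @ResponseCode(code = 400, condition = "Provided data has invalid format."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method."), @ResponseCode(code = 412, condition = "Unable to create role objects.")})
    @PUT
    public Response createRole(@QueryParam("roleName") String roleName) {
        try {
            this.userRoleDaoService.createRole(roleName);
            return Response.noContent().build();
        } catch (SecurityException e) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        } catch (UserRoleDaoService.ValidationFailedException e) {
            throw new WebApplicationException(Response.Status.BAD_REQUEST);
        } catch (Exception e) {
            logger.warn("createRole failed unexpectedly", e);
            throw new WebApplicationException(Response.Status.PRECONDITION_FAILED);
        }
    }

    /**
     * Deletes roles, then refreshes the caller's session roles unconditionally.
     *
     * @param roleNames role names, passed to the service unparsed
     * @return 204 on success
     * @throws WebApplicationException 403 on {@link SecurityException}, 500 on DAO failure
     */
    @Path("/deleteRoles")
    @Consumes({"*/*"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully deleted the list of roles."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method."), @ResponseCode(code = 500, condition = "The system was unable to delete the roles passed in.")})
    @PUT
    public Response deleteRoles(@QueryParam("roleNames") String roleNames) {
        try {
            this.userRoleDaoService.deleteRoles(roleNames);
            updateRolesForCurrentSession();
            return Response.noContent().build();
        } catch (SecurityException e) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        } catch (UncategorizedUserRoleDaoException e) {
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Lists all roles.
     *
     * @throws WebApplicationException 500 on {@link UncategorizedUserRoleDaoException}
     */
    @GET
    @Path("/roles")
    @Produces({"application/xml", "application/json"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully retrieved the list of roles."), @ResponseCode(code = 500, condition = "The system was not able to return the list of roles.")})
    public RoleListWrapper getRoles() throws Exception {
        try {
            return this.userRoleDaoService.getRoles();
        } catch (UncategorizedUserRoleDaoException e) {
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Lists the members of {@code roleName}.
     *
     * @throws WebApplicationException 500 on DAO failure, 403 on {@link SecurityException}
     */
    @GET
    @Path("/roleMembers")
    @Produces({"application/xml", "application/json"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully retrieved the list of Users."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method."), @ResponseCode(code = 500, condition = "The system was not able to return the list of users.")})
    public UserListWrapper getRoleMembers(@QueryParam("roleName") String roleName) throws Exception {
        try {
            return this.userRoleDaoService.getRoleMembers(roleName);
        } catch (UncategorizedUserRoleDaoException e) {
            throw new WebApplicationException(Response.Status.INTERNAL_SERVER_ERROR);
        } catch (SecurityException e) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }

    /**
     * Applies logical role assignments.
     *
     * @return 204 on success
     * @throws WebApplicationException 403 on {@link SecurityException}
     */
    @Path("/roleAssignments")
    @Consumes({"application/xml", "application/json"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully applied the logical role assignment."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method.")})
    @PUT
    public Response setLogicalRoles(LogicalRoleAssignments logicalRoleAssignments) {
        try {
            this.userRoleDaoService.setLogicalRoles(logicalRoleAssignments);
            return Response.noContent().build();
        } catch (SecurityException e) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }

    /**
     * Returns the role-binding structure for {@code locale}.
     *
     * @throws WebApplicationException 403 for every exception from the service, not only permission
     *         failures, so a 403 from this endpoint does not by itself indicate an access-control denial
     */
    @GET
    @Path("/logicalRoleMap")
    @Produces({"application/xml", "application/json"})
    @StatusCodes({@ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method.")})
    public SystemRolesMap getRoleBindingStruct(@QueryParam("locale") String locale) {
        try {
            return this.userRoleDaoService.getRoleBindingStruct(locale);
        } catch (Exception e) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
    }

    /**
     * Grants every role of the tenant to {@code userName}.
     *
     * @param tenantPath tenant to act on, or {@code null} for the session's tenant
     * @param userName user to modify
     * @return 204 on success, 401 when the caller fails {@link #canAdminister()}
     */
    @Path("/assignAllRolesToUser")
    @Consumes({"*/*"})
    @PUT
    @Facet(name = "Unsupported")
    public Response assignAllRolesToUser(@QueryParam("tenant") String tenantPath, @QueryParam("userName") String userName) {
        // This endpoint grants every role to a caller-chosen user, so it needs the same explicit guard
        // as the other "Unsupported" endpoints. The DAO is looked up as "userRoleDaoProxy", which may
        // apply checks of its own, but that is not visible here and should not be the only control.
        if (!canAdminister()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        IUserRoleDao userRoleDao = getUserRoleDao();
        ITenant tenant = getTenant(tenantPath);
        HashSet<String> roleNames = new HashSet<>();
        for (IPentahoRole role : userRoleDao.getRoles(tenant)) {
            roleNames.add(role.getName());
        }
        userRoleDao.setUserRoles(tenant, userName, roleNames.toArray(new String[0]));
        refreshSessionRolesIfCurrentUser(userName);
        return Response.noContent().build();
    }

    /**
     * Removes every role from {@code userName}.
     *
     * @param tenantPath tenant to act on, or {@code null} for the session's tenant
     * @param userName user to modify
     * @return 204 on success, 401 when the caller fails {@link #canAdminister()}, or 200 with the error
     *         text when the update throws
     */
    @Path("/removeAllRolesFromUser")
    @Consumes({"*/*"})
    @PUT
    @Facet(name = "Unsupported")
    public Response removeAllRolesFromUser(@QueryParam("tenant") String tenantPath, @QueryParam("userName") String userName) {
        if (!canAdminister()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        try {
            getUserRoleDao().setUserRoles(getTenant(tenantPath), userName, new String[0]);
            refreshSessionRolesIfCurrentUser(userName);
            return Response.noContent().build();
        } catch (Throwable th) {
            logger.warn("removeAllRolesFromUser failed", th);
            return processErrorResponse(th.getLocalizedMessage());
        }
    }

    /**
     * Adds the tab-separated {@code userNames} to the members of {@code roleName}.
     *
     * @param tenantPath tenant to act on, or {@code null} for the session's tenant
     * @param userNames tab-separated user names
     * @param roleName role to modify
     * @return 204 on success, 401 when the caller fails {@link #canAdminister()}, or 200 with the error
     *         text when the update throws
     */
    @Path("/assignUserToRole")
    @Consumes({"*/*"})
    @PUT
    @Facet(name = "Unsupported")
    public Response assignUserToRole(@QueryParam("tenant") String tenantPath, @QueryParam("userNames") String userNames, @QueryParam("roleName") String roleName) {
        if (!canAdminister()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        IUserRoleDao userRoleDao = getUserRoleDao();
        HashSet<String> requestedNames = tokenToString(userNames);
        ITenant tenant = getTenant(tenantPath);
        // setRoleMembers replaces the membership, so start from the current members and add to them.
        HashSet<String> members = new HashSet<>();
        for (IPentahoUser member : userRoleDao.getRoleMembers(tenant, roleName)) {
            members.add(member.getUsername());
        }
        members.addAll(requestedNames);
        try {
            userRoleDao.setRoleMembers(tenant, roleName, members.toArray(new String[0]));
            if (members.contains(getSession().getName())) {
                updateRolesForCurrentSession();
            }
            return Response.noContent().build();
        } catch (Throwable th) {
            logger.warn("assignUserToRole failed", th);
            return processErrorResponse(th.getLocalizedMessage());
        }
    }

    /**
     * Removes the tab-separated {@code userNames} from the members of {@code roleName}.
     *
     * @param tenantPath tenant to act on, or {@code null} for the session's tenant
     * @param userNames tab-separated user names
     * @param roleName role to modify
     * @return 204 on success, 401 when the caller fails {@link #canAdminister()}, or 200 with the error
     *         text when anything in the update throws
     */
    @Path("/removeUserFromRole")
    @Consumes({"*/*"})
    @PUT
    @Facet(name = "Unsupported")
    public Response removeUserFromRole(@QueryParam("tenant") String tenantPath, @QueryParam("userNames") String userNames, @QueryParam("roleName") String roleName) {
        if (!canAdminister()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        try {
            IUserRoleDao userRoleDao = getUserRoleDao();
            HashSet<String> removedNames = tokenToString(userNames);
            ITenant tenant = getTenant(tenantPath);
            HashSet<String> remaining = new HashSet<>();
            for (IPentahoUser member : userRoleDao.getRoleMembers(tenant, roleName)) {
                remaining.add(member.getUsername());
            }
            remaining.removeAll(removedNames);
            userRoleDao.setRoleMembers(tenant, roleName, remaining.toArray(new String[0]));
            // The previous check looked only at the remaining members, so a caller who had just been
            // removed from the role kept the stale role in the session. Refresh in that case too.
            String currentUser = getSession().getName();
            if (removedNames.contains(currentUser) || remaining.contains(currentUser)) {
                updateRolesForCurrentSession();
            }
            return Response.noContent().build();
        } catch (Throwable th) {
            logger.warn("removeUserFromRole failed", th);
            return processErrorResponse(th.getLocalizedMessage());
        }
    }

    /**
     * Makes every user of the tenant a member of {@code roleName}.
     *
     * @param tenantPath tenant to act on, or {@code null} for the session's tenant
     * @param roleName role to modify
     * @return 204 on success, 401 when the caller fails {@link #canAdminister()}
     */
    @Path("/assignAllUsersToRole")
    @Consumes({"*/*"})
    @PUT
    @Facet(name = "Unsupported")
    public Response assignAllUsersToRole(@QueryParam("tenant") String tenantPath, @QueryParam("roleName") String roleName) {
        // This endpoint puts every user into a caller-chosen role, so it needs the same explicit guard
        // as the other "Unsupported" endpoints rather than relying on whatever the DAO proxy enforces.
        if (!canAdminister()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        IUserRoleDao userRoleDao = getUserRoleDao();
        ITenant tenant = getTenant(tenantPath);
        HashSet<String> userNames = new HashSet<>();
        for (IPentahoUser user : userRoleDao.getUsers(tenant)) {
            userNames.add(user.getUsername());
        }
        userRoleDao.setRoleMembers(tenant, roleName, userNames.toArray(new String[0]));
        if (userNames.contains(getSession().getName())) {
            updateRolesForCurrentSession();
        }
        return Response.noContent().build();
    }

    /**
     * Removes every member from {@code roleName}, then refreshes the caller's session roles.
     *
     * @param tenantPath tenant to act on, or {@code null} for the session's tenant
     * @param roleName role to empty
     * @return 204 on success, 401 when the caller fails {@link #canAdminister()}, or 200 with the error
     *         text when the update throws
     */
    @Path("/removeAllUsersFromRole")
    @Consumes({"*/*"})
    @PUT
    @Facet(name = "Unsupported")
    public Response removeAllUsersFromRole(@QueryParam("tenant") String tenantPath, @QueryParam("roleName") String roleName) {
        if (!canAdminister()) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        try {
            getUserRoleDao().setRoleMembers(getTenant(tenantPath), roleName, new String[0]);
            updateRolesForCurrentSession();
            return Response.noContent().build();
        } catch (Throwable th) {
            logger.warn("removeAllUsersFromRole failed", th);
            return processErrorResponse(th.getLocalizedMessage());
        }
    }

    /**
     * Sets a user's password, authorised by the administrator password carried in the same request.
     * Both passwords may carry the {@code ENC:} prefix.
     *
     * @param userChangePasswordDTO target user, new password and administrator password
     * @return 204 on success
     * @throws WebApplicationException 403 or 400 with the failure message in the
     *         {@code PUC_VALIDATION_ERROR_MESSAGE} header; other exceptions propagate unmapped
     */
    @Path("/updatePassword")
    @Consumes({"*/*"})
    @StatusCodes({@ResponseCode(code = 200, condition = "Successfully updated the password."), @ResponseCode(code = 403, condition = "Only users with administrative privileges can access this method."), @ResponseCode(code = 500, condition = "Internal server error prevented the system from properly retrieving either the user or roles.")})
    @PUT
    public Response updatePassword(UserChangePasswordDTO userChangePasswordDTO) {
        try {
            userChangePasswordDTO.setPassword(b64DecodePassword(userChangePasswordDTO.getPassword()));
            userChangePasswordDTO.setAdministratorPassword(b64DecodePassword(userChangePasswordDTO.getAdministratorPassword()));
            this.userRoleDaoService.updatePassword(userChangePasswordDTO, userChangePasswordDTO.getAdministratorPassword());
            return Response.noContent().build();
        } catch (SecurityException e) {
            throw new WebApplicationException(validationError(Response.Status.FORBIDDEN, e.getMessage()));
        } catch (UserRoleDaoService.ValidationFailedException e) {
            throw new WebApplicationException(validationError(Response.Status.BAD_REQUEST, e.getMessage()));
        }
    }

    /**
     * Resolves the tenant for a request.
     *
     * <p>NOTE(review): a caller-supplied {@code tenantPath} is looked up as given and is not compared
     * with the session's tenant here; confirm the DAO layer prevents cross-tenant changes.
     *
     * @param tenantPath tenant path from the request, or {@code null} to use the session's
     *        {@code org.pentaho.tenantId} attribute
     * @return the tenant, or {@code null} when no path was given and the session has no tenant id
     * @throws com.sun.jersey.api.NotFoundException if {@code tenantPath} names no known tenant
     */
    protected ITenant getTenant(String tenantPath) throws com.sun.jersey.api.NotFoundException {
        if (tenantPath != null) {
            ITenant tenant = this.tenantManager.getTenant(tenantPath);
            if (tenant == null) {
                throw new com.sun.jersey.api.NotFoundException("Tenant not found.");
            }
            return tenant;
        }
        String sessionTenantId = (String) getSession().getAttribute("org.pentaho.tenantId");
        if (sessionTenantId == null) {
            return null;
        }
        return new Tenant(sessionTenantId, true);
    }

    /** Splits a tab-separated list into a set of names; empty tokens are skipped by {@link StringTokenizer}. */
    private HashSet<String> tokenToString(String tabSeparated) {
        StringTokenizer tokens = new StringTokenizer(tabSeparated, "\t");
        HashSet<String> names = new HashSet<>();
        while (tokens.hasMoreTokens()) {
            names.add(tokens.nextToken());
        }
        return names;
    }

    /**
     * Wraps an error message in a response.
     *
     * <p>NOTE(review): the status is 200 OK, so a failed call looks like a success to anything that
     * checks only the status code. Kept as is because existing clients may depend on it.
     */
    private Response processErrorResponse(String message) {
        return Response.ok(message).build();
    }

    /**
     * Builds a response with the given status and the message in the {@code PUC_VALIDATION_ERROR_MESSAGE}
     * header. The message is copied as is; it is presumably server-generated text (confirm that it
     * cannot carry caller-controlled content).
     */
    private static Response validationError(Response.Status status, String message) {
        return Response.status(status).header(PUC_VALIDATION_ERROR_MESSAGE, message).build();
    }

    /** Refreshes the session's roles when {@code userName} is the user who owns the current session. */
    private void refreshSessionRolesIfCurrentUser(String userName) {
        if (userName.equals(getSession().getName())) {
            updateRolesForCurrentSession();
        }
    }

    /**
     * Tells whether the current caller holds all three of the repository-read, repository-create and
     * administer-security actions according to the registered {@link IAuthorizationPolicy}.
     */
    protected boolean canAdminister() {
        IAuthorizationPolicy policy = (IAuthorizationPolicy) PentahoSystem.get(IAuthorizationPolicy.class);
        return policy.isAllowed("org.pentaho.repository.read") && policy.isAllowed("org.pentaho.repository.create") && policy.isAllowed("org.pentaho.security.administerSecurity");
    }

    /**
     * Reloads the current user's roles from the service and stores them, as
     * {@link SimpleGrantedAuthority} objects, in the session's {@code roles} attribute. Only the
     * caller's own session is touched.
     */
    protected void updateRolesForCurrentSession() {
        List<String> roles = this.userRoleDaoService.getRolesForUser(getSession().getName()).getRoles();
        ArrayList<SimpleGrantedAuthority> authorities = new ArrayList<>();
        for (String role : roles) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        getSession().setAttribute("roles", authorities);
    }

    /** Returns the session bound to the current thread by {@link PentahoSessionHolder}. */
    protected IPentahoSession getSession() {
        return PentahoSessionHolder.getSession();
    }

    /** Looks up the {@code userRoleDaoProxy} bean for the current session. */
    protected IUserRoleDao getUserRoleDao() {
        return (IUserRoleDao) PentahoSystem.get(IUserRoleDao.class, "userRoleDaoProxy", getSession());
    }
}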
