package org.sonatype.nexus.security.role.rest;

import com.google.common.base.Preconditions;
import java.util.Comparator;
import java.util.List;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.validation.Valid;
import javax.validation.constraints.NotEmpty;
import javax.validation.constraints.NotNull;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.sonatype.goodies.common.ComponentSupport;
import org.sonatype.nexus.rest.Resource;
import org.sonatype.nexus.rest.WebApplicationMessageException;
import org.sonatype.nexus.security.SecuritySystem;
import org.sonatype.nexus.security.authz.AuthorizationManager;
import org.sonatype.nexus.security.authz.NoSuchAuthorizationManagerException;
import org.sonatype.nexus.security.privilege.NoSuchPrivilegeException;
import org.sonatype.nexus.security.role.DuplicateRoleException;
import org.sonatype.nexus.security.role.NoSuchRoleException;
import org.sonatype.nexus.security.role.ReadonlyRoleException;
import org.sonatype.nexus.security.role.Role;
import org.sonatype.nexus.security.role.RoleContainsItselfException;

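/**
 * REST resource for listing, creating, reading, updating and deleting security roles.
 *
 * <p>Every endpoint is annotated with {@code @RequiresAuthentication} and a
 * {@code nexus:roles:*} permission, so authorization is declared per method.
 *
 * <p>Error responses are sent with the {@code application/json} media type, and the message
 * templates are already wrapped in double quotes, i.e. each body is meant to be a single JSON
 * string literal. The ids interpolated into those templates come from the request (path, query
 * or body), so they are JSON-escaped before formatting; otherwise an id containing {@code "} or
 * {@code \} would yield a malformed or caller-shaped body.
 *
 * <p>NOTE(review): the same request-supplied ids are passed unmodified to {@code log.debug};
 * confirm the log layout neutralises line breaks if debug logging is enabled in production.
 */
@Produces({"application/json"})
@Consumes({"application/json"})
public class RoleApiResource extends ComponentSupport implements Resource, RoleApiResourceDoc {
    public static final String SOURCE_NOT_FOUND = "\"Source '%s' not found.\"";
    public static final String ROLE_NOT_FOUND = "\"Role '%s' not found.\"";
    public static final String ROLE_INTERNAL = "\"Role '%s' is internal and cannot be modified or deleted.\"";
    public static final String ROLE_UNIQUE = "\"Role '%s' already exists, use a unique roleId.\"";
    public static final String ROLE_CONFLICT = "\"The Role id '%s' does not match the id used in the path '%s'.\"";
    public static final String CONTAINED_ROLE_NOT_FOUND = "\"Role '%s' contained in role '%s' not found.\"";
    public static final String CONTAINED_PRIV_NOT_FOUND = "\"Privilege '%s' contained in role '%s' not found.\"";
    public static final String ROLE_CONTAINS_ITSELF = "\"Role '%s' cannot contain itself either directly or indirectly through child roles.\"";

    /** Orders role responses by their id; shared by both branches of {@link #getRoles(String)}. */
    private static final Comparator<RoleXOResponse> BY_ID = Comparator.comparing(RoleXOResponse::getId);

    private final SecuritySystem securitySystem;

    /**
     * @param securitySystem security system used to look up roles and authorization managers;
     *                       must not be {@code null}
     */
    @Inject
    public RoleApiResource(SecuritySystem securitySystem) {
        this.securitySystem = Preconditions.checkNotNull(securitySystem);
    }

    /**
     * Lists roles sorted by id. Requires the {@code nexus:roles:read} permission.
     *
     * @param str the {@code source} query parameter; when empty, roles are listed without a
     *            source filter, otherwise only roles of that source are listed
     * @return the matching roles as response objects, ordered by id
     * @throws WebApplicationMessageException 400 when the named source has no authorization manager
     */
    @Override // org.sonatype.nexus.security.role.rest.RoleApiResourceDoc
    @GET
    @RequiresAuthentication
    @RequiresPermissions({"nexus:roles:read"})
    public List<RoleXOResponse> getRoles(@QueryParam("source") String str) {
        if (StringUtils.isEmpty(str)) {
            return this.securitySystem.listRoles().stream()
                    .map(RoleXOResponse::fromRole)
                    .sorted(BY_ID)
                    .collect(Collectors.toList());
        }
        try {
            return this.securitySystem.listRoles(str).stream()
                    .map(RoleXOResponse::fromRole)
                    .sorted(BY_ID)
                    .collect(Collectors.toList());
        } catch (NoSuchAuthorizationManagerException unused) {
            throw buildBadSourceException(str);
        }
    }

    /**
     * Creates a role in the default source. Requires the {@code nexus:roles:create} permission.
     *
     * @param roleXORequest the validated role definition from the request body
     * @return the stored role as returned by the authorization manager
     * @throws WebApplicationMessageException 400 when the id already exists or when a contained
     *         role or privilege does not exist
     */
    @Override // org.sonatype.nexus.security.role.rest.RoleApiResourceDoc
    @POST
    @RequiresAuthentication
    @RequiresPermissions({"nexus:roles:create"})
    public RoleXOResponse create(@NotNull @Valid RoleXORequest roleXORequest) {
        try {
            return RoleXOResponse.fromRole(getDefaultAuthorizationManager().addRole(fromXO(roleXORequest)));
        } catch (NoSuchPrivilegeException e) {
            throw buildContainedPrivilegeNotFoundException(e.getPrivilegeId(), roleXORequest.getId());
        } catch (DuplicateRoleException unused) {
            throw buildDuplicateRoleException(roleXORequest.getId());
        } catch (NoSuchRoleException e2) {
            throw buildContainedRoleNotFoundException(e2.getRoleId(), roleXORequest.getId());
        }
    }

    /**
     * Reads a single role. Requires the {@code nexus:roles:read} permission.
     *
     * @param str  the {@code source} query parameter, {@code "default"} when absent
     * @param str2 the role id taken from the path
     * @return the role as a response object
     * @throws WebApplicationMessageException 400 for an unknown source, 404 for an unknown role
     */
    @Override // org.sonatype.nexus.security.role.rest.RoleApiResourceDoc
    @GET
    @RequiresAuthentication
    @Path("/{id}")
    @RequiresPermissions({"nexus:roles:read"})
    public RoleXOResponse getRole(@QueryParam("source") @DefaultValue("default") String str, @PathParam("id") @NotEmpty String str2) {
        try {
            return RoleXOResponse.fromRole(this.securitySystem.getAuthorizationManager(str).getRole(str2));
        } catch (NoSuchAuthorizationManagerException unused) {
            throw buildBadSourceException(str);
        } catch (NoSuchRoleException unused2) {
            throw buildRoleNotFoundException(str2);
        }
    }

    /**
     * Replaces a role in the default source. Requires the {@code nexus:roles:update} permission.
     *
     * <p>The id in the body must equal the id in the path. The stored role's version is copied
     * onto the replacement before it is handed to the authorization manager; rejection of
     * read-only roles is left to the manager and surfaces as {@link ReadonlyRoleException}.
     *
     * @param str           the role id taken from the path
     * @param roleXORequest the validated role definition from the request body
     * @throws WebApplicationMessageException 409 on an id mismatch, 404 when the role does not
     *         exist, 400 for a read-only role, a missing contained role or privilege, or a role
     *         that would contain itself
     */
    @Override // org.sonatype.nexus.security.role.rest.RoleApiResourceDoc
    @RequiresAuthentication
    @Path("/{id}")
    @RequiresPermissions({"nexus:roles:update"})
    @PUT
    public void update(@PathParam("id") @NotEmpty String str, @NotNull @Valid RoleXORequest roleXORequest) {
        // A missing body id is reported as a mismatch rather than failing with a NullPointerException.
        String requestedId = roleXORequest.getId();
        if (requestedId == null || !requestedId.equals(str)) {
            throw buildRoleConflictException(requestedId, str);
        }
        try {
            AuthorizationManager manager = getDefaultAuthorizationManager();
            int storedVersion = manager.getRole(str).getVersion();
            Role replacement = fromXO(roleXORequest);
            // The path id is authoritative; the version comes from the stored role, not the request.
            replacement.setRoleId(str);
            replacement.setVersion(storedVersion);
            manager.updateRole(replacement);
        } catch (NoSuchPrivilegeException e) {
            throw buildContainedPrivilegeNotFoundException(e.getPrivilegeId(), str);
        } catch (NoSuchRoleException e2) {
            // The exception names either the role being updated (404) or one it references (400).
            if (!e2.getRoleId().equals(str)) {
                throw buildContainedRoleNotFoundException(e2.getRoleId(), str);
            }
            throw buildRoleNotFoundException(e2.getRoleId());
        } catch (ReadonlyRoleException unused) {
            throw buildReadonlyRoleException(str);
        } catch (RoleContainsItselfException e3) {
            throw buildRoleContainsItselfException(e3.getRoleId());
        }
    }

    /**
     * Deletes a role from the default source. Requires the {@code nexus:roles:delete} permission.
     *
     * @param str the role id taken from the path
     * @throws WebApplicationMessageException 404 when the role does not exist, 400 when it is
     *         read-only
     */
    @Override // org.sonatype.nexus.security.role.rest.RoleApiResourceDoc
    @RequiresAuthentication
    @Path("/{id}")
    @RequiresPermissions({"nexus:roles:delete"})
    @DELETE
    public void delete(@PathParam("id") @NotEmpty String str) {
        try {
            getDefaultAuthorizationManager().deleteRole(str);
        } catch (NoSuchRoleException unused) {
            throw buildRoleNotFoundException(str);
        } catch (ReadonlyRoleException unused2) {
            throw buildReadonlyRoleException(str);
        }
    }

    /** Builds the 400 response for a {@code source} that has no authorization manager. */
    private WebApplicationMessageException buildBadSourceException(String source) {
        this.log.debug("attempt to use invalid source {}", source);
        return jsonError(Response.Status.BAD_REQUEST, SOURCE_NOT_FOUND, source);
    }

    /** Builds the 400 response for a role id that already exists. */
    private WebApplicationMessageException buildDuplicateRoleException(String roleId) {
        this.log.debug("attempt to use duplicate role {}", roleId);
        return jsonError(Response.Status.BAD_REQUEST, ROLE_UNIQUE, roleId);
    }

    /** Builds the 400 response for an attempt to change or delete a read-only role. */
    private WebApplicationMessageException buildReadonlyRoleException(String roleId) {
        this.log.debug("attempt to modify/delete readonly role {}", roleId);
        return jsonError(Response.Status.BAD_REQUEST, ROLE_INTERNAL, roleId);
    }

    /** Builds the 404 response for an unknown role id. */
    private WebApplicationMessageException buildRoleNotFoundException(String roleId) {
        this.log.debug("Role {} not found", roleId);
        return jsonError(Response.Status.NOT_FOUND, ROLE_NOT_FOUND, roleId);
    }

    /** Builds the 400 response for a role that references an unknown child role. */
    private WebApplicationMessageException buildContainedRoleNotFoundException(String containedRoleId, String roleId) {
        this.log.debug("Role {} in role {} not found", containedRoleId, roleId);
        return jsonError(Response.Status.BAD_REQUEST, CONTAINED_ROLE_NOT_FOUND, containedRoleId, roleId);
    }

    /** Builds the 400 response for a role that references an unknown privilege. */
    private WebApplicationMessageException buildContainedPrivilegeNotFoundException(String privilegeId, String roleId) {
        this.log.debug("Privilege {} in role {} not found", privilegeId, roleId);
        return jsonError(Response.Status.BAD_REQUEST, CONTAINED_PRIV_NOT_FOUND, privilegeId, roleId);
    }

    /** Builds the 409 response for a body id that differs from the path id. */
    private WebApplicationMessageException buildRoleConflictException(String bodyId, String pathId) {
        this.log.debug("XO id {} and path id {} do not match", bodyId, pathId);
        return jsonError(Response.Status.CONFLICT, ROLE_CONFLICT, bodyId, pathId);
    }

    /** Builds the 400 response for a role that would contain itself. */
    private WebApplicationMessageException buildRoleContainsItselfException(String roleId) {
        this.log.debug("Role {} cannot contain itself either directly or indirectly.", roleId);
        return jsonError(Response.Status.BAD_REQUEST, ROLE_CONTAINS_ITSELF, roleId);
    }

    /**
     * Formats one of the quoted message templates with JSON-escaped values and wraps it in an
     * exception carrying the given status and the {@code application/json} media type.
     */
    private static WebApplicationMessageException jsonError(Response.Status status, String template, String... values) {
        Object[] escaped = new Object[values.length];
        for (int i = 0; i < values.length; i++) {
            escaped[i] = jsonEscape(values[i]);
        }
        return new WebApplicationMessageException(status, String.format(template, escaped), "application/json");
    }

    /**
     * Escapes a value for use inside a JSON string literal: double quote, backslash and control
     * characters below U+0020. A {@code null} value is rendered as {@code null}, which is what
     * {@code String.format("%s", null)} produces.
     */
    private static String jsonEscape(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    out.append("\\\"");
                    break;
                case '\\':
                    out.append("\\\\");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\r':
                    out.append("\\r");
                    break;
                case '\t':
                    out.append("\\t");
                    break;
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Converts a request object into a {@link Role} bound to the {@code "default"} source.
     * The fifth constructor argument is always {@code false}.
     * NOTE(review): presumably the read-only flag; confirm against {@code Role}.
     */
    private Role fromXO(RoleXORequest roleXORequest) {
        return new Role(roleXORequest.getId(), roleXORequest.getName(), roleXORequest.getDescription(), "default", false, roleXORequest.getRoles(), roleXORequest.getPrivileges());
    }

    /**
     * Returns the authorization manager of the {@code "default"} source.
     *
     * @throws IllegalStateException when that manager is not registered; failing here avoids
     *         handing {@code null} to callers that dereference the result immediately
     */
    private AuthorizationManager getDefaultAuthorizationManager() {
        try {
            return this.securitySystem.getAuthorizationManager("default");
        } catch (NoSuchAuthorizationManagerException e) {
            this.log.error("Unable to retrieve the default authorization manager", (Throwable) e);
            throw new IllegalStateException("Unable to retrieve the default authorization manager", e);
        }
    }
}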
