package org.sonatype.nexus.security.internal.rest;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.util.Collection;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.sonatype.goodies.common.ComponentSupport;
import org.sonatype.nexus.common.text.Strings2;
import org.sonatype.nexus.rest.Resource;
import org.sonatype.nexus.rest.ValidationErrorsException;
import org.sonatype.nexus.rest.WebApplicationMessageException;
import org.sonatype.nexus.security.SecuritySystem;
import org.sonatype.nexus.security.authz.NoSuchAuthorizationManagerException;
import org.sonatype.nexus.security.config.AdminPasswordFileManager;
import org.sonatype.nexus.security.internal.RealmToSource;
import org.sonatype.nexus.security.role.RoleIdentifier;
import org.sonatype.nexus.security.user.NoSuchUserManagerException;
import org.sonatype.nexus.security.user.User;
import org.sonatype.nexus.security.user.UserNotFoundException;
import org.sonatype.nexus.security.user.UserSearchCriteria;
import org.sonatype.nexus.validation.Validate;

@Produces({"application/json"})
@Consumes({"application/json"})
/* loaded from: input_file:org/sonatype/nexus/security/internal/rest/UserApiResource.class */
public class UserApiResource extends ComponentSupport implements Resource, UserApiResourceDoc {
    public static final String ADMIN_USER_ID = "admin";
    private static final String SAML_SOURCE = "SAML";
    private final SecuritySystem securitySystem;
    private final AdminPasswordFileManager adminPasswordFileManager;

    @Inject
    public UserApiResource(SecuritySystem securitySystem, AdminPasswordFileManager adminPasswordFileManager) {
        this.securitySystem = (SecuritySystem) Preconditions.checkNotNull(securitySystem);
        this.adminPasswordFileManager = (AdminPasswordFileManager) Preconditions.checkNotNull(adminPasswordFileManager);
    }

    @Override // org.sonatype.nexus.security.internal.rest.UserApiResourceDoc
    @GET
    @RequiresAuthentication
    @RequiresPermissions({"nexus:users:read"})
    public Collection<ApiUser> getUsers(@QueryParam("userId") String str, @QueryParam("source") String str2) {
        UserSearchCriteria userSearchCriteria = new UserSearchCriteria(str, null, str2);
        if (!"default".equals(str2)) {
            userSearchCriteria.setLimit(100);
        }
        return (Collection) this.securitySystem.searchUsers(userSearchCriteria).stream().map(this::fromUser).collect(Collectors.toList());
    }

    @Override // org.sonatype.nexus.security.internal.rest.UserApiResourceDoc
    @RequiresAuthentication
    @RequiresPermissions({"nexus:users:create"})
    @POST
    @Validate
    public ApiUser createUser(ApiCreateUser apiCreateUser) {
        if (Strings2.isBlank(apiCreateUser.getPassword())) {
            throw createWebException(Response.Status.BAD_REQUEST, "A non-empty password is required.");
        }
        try {
            return fromUser(this.securitySystem.addUser(apiCreateUser.toUser(), apiCreateUser.getPassword()));
        } catch (NoSuchUserManagerException e) {
            this.log.error("Unable to locate default usermanager.", (Throwable) e);
            throw createNoSuchUserManagerException("default");
        }
    }

    @Override // org.sonatype.nexus.security.internal.rest.UserApiResourceDoc
    @RequiresAuthentication
    @Path("{userId}")
    @RequiresPermissions({"nexus:users:update"})
    @Validate
    @PUT
    public void updateUser(@PathParam("userId") String str, ApiUser apiUser) {
        if (!str.equals(apiUser.getUserId())) {
            this.log.debug("The path userId '{}' does not match the userId supplied in the body '{}'.", str, apiUser.getUserId());
            throw createWebException(Response.Status.BAD_REQUEST, "The path's userId does not match the body");
        }
        try {
            validateRoles(apiUser.getRoles());
            if ("default".equals(apiUser.getSource())) {
                this.securitySystem.updateUser(apiUser.toUser());
            } else {
                this.securitySystem.getUser(str, apiUser.getSource());
                this.securitySystem.setUsersRoles(str, apiUser.getSource(), (Set) apiUser.getRoles().stream().map(str2 -> {
                    return new RoleIdentifier("default", str2);
                }).collect(Collectors.toSet()));
            }
        } catch (NoSuchUserManagerException e) {
            this.log.debug("Unable to locate source: {}", str, apiUser.getSource(), e);
            throw createNoSuchUserManagerException(apiUser.getSource());
        } catch (UserNotFoundException e2) {
            this.log.debug("Unable to locate userId: {}", str, e2);
            throw createUnknownUserException(str);
        }
    }

    @Override // org.sonatype.nexus.security.internal.rest.UserApiResourceDoc
    @RequiresAuthentication
    @Path("{userId}")
    @RequiresPermissions({"nexus:users:delete"})
    @DELETE
    public void deleteUser(@PathParam("userId") String str, @QueryParam("realm") String str2) {
        User user;
        User user2 = null;
        try {
            if (str2 == null) {
                user = this.securitySystem.getUser(str);
                if (!"default".equals(user.getSource()) && !SAML_SOURCE.equals(user.getSource())) {
                    throw createWebException(Response.Status.BAD_REQUEST, "Non-local user cannot be deleted.");
                }
            } else {
                if (!this.securitySystem.isValidRealm(str2)) {
                    throw createWebException(Response.Status.BAD_REQUEST, "Invalid or empty realm name.");
                }
                user = this.securitySystem.getUser(str, RealmToSource.getSource(str2));
            }
            this.securitySystem.deleteUser(str, user.getSource());
        } catch (NoSuchUserManagerException e) {
            String source = user2.getSource() != null ? user2.getSource() : "";
            this.log.error("Unable to locate source: {} for userId: {}", source, str, e);
            throw createNoSuchUserManagerException(source);
        } catch (UserNotFoundException e2) {
            this.log.debug("Unable to locate userId: {}", str, e2);
            throw createUnknownUserException(str);
        }
    }

    @Override // org.sonatype.nexus.security.internal.rest.UserApiResourceDoc
    @RequiresAuthentication
    @RequiresPermissions({"nexus:*"})
    @Path("{userId}/change-password")
    @Consumes({"text/plain"})
    @Validate
    @PUT
    public void changePassword(@PathParam("userId") String str, String str2) {
        if (StringUtils.isBlank(str2)) {
            throw createWebException(Response.Status.BAD_REQUEST, "Password must be supplied.");
        }
        try {
            this.securitySystem.changePassword(str, str2);
            if (ADMIN_USER_ID.equals(str)) {
                this.adminPasswordFileManager.removeFile();
            }
        } catch (UserNotFoundException e) {
            this.log.debug("Request to change password for invalid user '{}'.", str);
            throw createUnknownUserException(str);
        }
    }

    private boolean isReadOnly(User user) {
        try {
            return !this.securitySystem.getUserManager(user.getSource()).supportsWrite();
        } catch (NoSuchUserManagerException e) {
            this.log.debug("Unable to locate user manager: {}", user.getSource(), e);
            return true;
        }
    }

    @VisibleForTesting
    ApiUser fromUser(User user) {
        Predicate<? super RoleIdentifier> predicate = roleIdentifier -> {
            return "default".equals(roleIdentifier.getSource());
        };
        return new ApiUser(user.getUserId(), user.getFirstName(), user.getLastName(), user.getEmailAddress(), user.getSource(), ApiUserStatus.convert(user.getStatus()), isReadOnly(user), (Set) user.getRoles().stream().filter(predicate).map((v0) -> {
            return v0.getRoleId();
        }).collect(Collectors.toSet()), (Set) user.getRoles().stream().filter(predicate.negate()).map((v0) -> {
            return v0.getRoleId();
        }).collect(Collectors.toSet()));
    }

    private void validateRoles(Set<String> set) {
        ValidationErrorsException validationErrorsException = new ValidationErrorsException();
        try {
            Set set2 = (Set) this.securitySystem.listRoles("default").stream().map((v0) -> {
                return v0.getRoleId();
            }).collect(Collectors.toSet());
            for (String str : set) {
                if (!set2.contains(str)) {
                    validationErrorsException.withError("roles", "Unable to locate roleId: " + str);
                }
            }
            if (validationErrorsException.hasValidationErrors()) {
                throw validationErrorsException;
            }
        } catch (NoSuchAuthorizationManagerException e) {
            this.log.error("Unable to locate default user manager", (Throwable) e);
            throw createWebException(Response.Status.INTERNAL_SERVER_ERROR, "Unable to locate default user manager");
        }
    }

    private WebApplicationMessageException createNoSuchUserManagerException(String str) {
        return createWebException(Response.Status.NOT_FOUND, "Unable to locate source: " + str);
    }

    private WebApplicationMessageException createUnknownUserException(String str) {
        return createWebException(Response.Status.NOT_FOUND, "User '" + str + "' not found.");
    }

    private WebApplicationMessageException createWebException(Response.Status status, String str) {
        return new WebApplicationMessageException(status, "\"" + str + "\"", "application/json");
    }
}
