package org.graylog2.rest.resources.users;

import com.google.common.base.MoreObjects;
import com.google.common.base.Predicates;
import com.google.common.collect.Collections2;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.wordnik.swagger.annotations.Api;
import com.wordnik.swagger.annotations.ApiOperation;
import com.wordnik.swagger.annotations.ApiParam;
import com.wordnik.swagger.annotations.ApiResponse;
import com.wordnik.swagger.annotations.ApiResponses;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.validation.Valid;
import javax.validation.constraints.NotNull;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.graylog2.Configuration;
import org.graylog2.plugin.database.ValidationException;
import org.graylog2.plugin.database.users.User;
import org.graylog2.rest.models.users.requests.ChangePasswordRequest;
import org.graylog2.rest.models.users.requests.ChangeUserRequest;
import org.graylog2.rest.models.users.requests.CreateUserRequest;
import org.graylog2.rest.models.users.requests.PermissionEditRequest;
import org.graylog2.rest.models.users.requests.Startpage;
import org.graylog2.rest.models.users.requests.UpdateUserPreferences;
import org.graylog2.rest.models.users.responses.Token;
import org.graylog2.rest.models.users.responses.TokenList;
import org.graylog2.rest.models.users.responses.UserList;
import org.graylog2.rest.models.users.responses.UserSummary;
import org.graylog2.security.AccessToken;
import org.graylog2.security.AccessTokenService;
import org.graylog2.security.InMemoryRolePermissionResolver;
import org.graylog2.shared.rest.resources.RestResource;
import org.graylog2.shared.security.RestPermissions;
import org.graylog2.shared.users.Roles;
import org.graylog2.shared.users.UserService;
import org.graylog2.users.RoleService;
import org.joda.time.DateTimeZone;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RequiresAuthentication
@Path("/users")
@Api(value = "Users", description = "User accounts")
@Consumes({MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_JSON})
/* loaded from: input_file:org/graylog2/rest/resources/users/UsersResource.class */
public class UsersResource extends RestResource {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) RestResource.class);
    private final UserService userService;
    private final AccessTokenService accessTokenService;
    private final InMemoryRolePermissionResolver inMemoryRolePermissionResolver;
    private final RoleService roleService;
    private final Configuration configuration;

    @Inject
    public UsersResource(UserService userService, AccessTokenService accessTokenService, InMemoryRolePermissionResolver inMemoryRolePermissionResolver, RoleService roleService, Configuration configuration) {
        this.userService = userService;
        this.accessTokenService = accessTokenService;
        this.inMemoryRolePermissionResolver = inMemoryRolePermissionResolver;
        this.roleService = roleService;
        this.configuration = configuration;
    }

    @GET
    @Path("{username}")
    @ApiOperation(value = "Get user details", notes = "The user's permissions are only included if a user asks for his own account or for users with the necessary permissions to edit permissions.")
    @ApiResponses({@ApiResponse(code = 404, message = "The user could not be found.")})
    public UserSummary get(@PathParam("username") @ApiParam(name = "username", value = "The username to return information for.", required = true) String str) {
        User load = this.userService.load(str);
        if (load == null) {
            throw new NotFoundException();
        }
        return toUserResponse(load, getSubject().getPrincipal().toString().equals(str) || isPermitted(RestPermissions.USERS_PERMISSIONSEDIT, str));
    }

    @GET
    @RequiresPermissions({RestPermissions.USERS_LIST})
    @ApiOperation(value = "List all users", notes = "The permissions assigned to the users are always included.")
    public UserList listUsers() {
        List<User> loadAll = this.userService.loadAll();
        ArrayList newArrayListWithCapacity = Lists.newArrayListWithCapacity(loadAll.size() + 1);
        newArrayListWithCapacity.add(toUserResponse(this.userService.getAdminUser()));
        Iterator<User> it = loadAll.iterator();
        while (it.hasNext()) {
            newArrayListWithCapacity.add(toUserResponse(it.next()));
        }
        return UserList.create(newArrayListWithCapacity);
    }

    @RequiresPermissions({RestPermissions.USERS_CREATE})
    @ApiOperation("Create a new user account.")
    @ApiResponses({@ApiResponse(code = 400, message = "Missing or invalid user details.")})
    @POST
    public Response create(@NotNull @ApiParam(name = "JSON body", value = "Must contain username, full_name, email, password and a list of permissions.", required = true) @Valid CreateUserRequest createUserRequest) throws ValidationException {
        if (this.userService.load(createUserRequest.username()) != null) {
            String str = "Cannot create user " + createUserRequest.username() + ". Username is already taken.";
            LOG.error(str);
            throw new BadRequestException(str);
        }
        User create = this.userService.create();
        create.setName(createUserRequest.username());
        create.setPassword(createUserRequest.password(), this.configuration.getPasswordSecret());
        create.setFullName(createUserRequest.fullName());
        create.setEmail(createUserRequest.email());
        create.setPermissions(createUserRequest.permissions());
        setUserRoles(createUserRequest.roles(), create);
        if (createUserRequest.timezone() != null) {
            create.setTimeZone(createUserRequest.timezone());
        }
        Long sessionTimeoutMs = createUserRequest.sessionTimeoutMs();
        if (sessionTimeoutMs != null) {
            create.setSessionTimeoutMs(sessionTimeoutMs.longValue());
        }
        Startpage startpage = createUserRequest.startpage();
        if (startpage != null) {
            create.setStartpage(startpage.type(), startpage.id());
        }
        LOG.debug("Saved user {} with id {}", create.getName(), this.userService.save(create));
        return Response.created(getUriBuilderToSelf().path(UsersResource.class).path("{username}").build(create.getName())).build();
    }

    private void setUserRoles(@Nullable List<String> list, User user) {
        if (list != null) {
            try {
                user.setRoleIds(Sets.newHashSet(Iterables.transform(list, Roles.roleNameToIdFunction(this.roleService.loadAllLowercaseNameMap()))));
            } catch (org.graylog2.database.NotFoundException e) {
                throw new InternalServerErrorException(e);
            }
        }
    }

    @Path("{username}")
    @ApiOperation("Modify user details.")
    @ApiResponses({@ApiResponse(code = 400, message = "Attempted to modify a read only user account (e.g. built-in or LDAP users)."), @ApiResponse(code = 400, message = "Missing or invalid user details.")})
    @PUT
    public void changeUser(@PathParam("username") @ApiParam(name = "username", value = "The name of the user to modify.", required = true) String str, @NotNull @ApiParam(name = "JSON body", value = "Updated user information.", required = true) @Valid ChangeUserRequest changeUserRequest) throws ValidationException {
        Long sessionTimeoutMs;
        checkPermission(RestPermissions.USERS_EDIT, str);
        User load = this.userService.load(str);
        if (load == null) {
            throw new NotFoundException();
        }
        if (load.isReadOnly()) {
            throw new BadRequestException("Cannot modify readonly user " + str);
        }
        if (changeUserRequest.email() != null) {
            load.setEmail(changeUserRequest.email());
        }
        if (changeUserRequest.fullName() != null) {
            load.setFullName(changeUserRequest.fullName());
        }
        if (isPermitted(RestPermissions.USERS_PERMISSIONSEDIT, load.getName()) && changeUserRequest.permissions() != null) {
            load.setPermissions(changeUserRequest.permissions());
        }
        if (isPermitted(RestPermissions.USERS_ROLESEDIT, load.getName())) {
            setUserRoles(changeUserRequest.roles(), load);
        }
        String timezone = changeUserRequest.timezone();
        if (timezone == null) {
            load.setTimeZone((String) null);
        } else {
            try {
                if (timezone.isEmpty()) {
                    load.setTimeZone((String) null);
                } else {
                    load.setTimeZone(DateTimeZone.forID(timezone));
                }
            } catch (IllegalArgumentException e) {
                LOG.error("Invalid timezone '{}', ignoring it for user {}.", timezone, str);
            }
        }
        Startpage startpage = changeUserRequest.startpage();
        if (startpage != null) {
            load.setStartpage(startpage.type(), startpage.id());
        }
        if (isPermitted("*") && (sessionTimeoutMs = changeUserRequest.sessionTimeoutMs()) != null && sessionTimeoutMs.longValue() != 0) {
            load.setSessionTimeoutMs(sessionTimeoutMs.longValue());
        }
        this.userService.save(load);
    }

    @Path("{username}")
    @RequiresPermissions({RestPermissions.USERS_EDIT})
    @DELETE
    @ApiOperation("Removes a user account.")
    @ApiResponses({@ApiResponse(code = 400, message = "When attempting to remove a read only user (e.g. built-in or LDAP user).")})
    public void deleteUser(@PathParam("username") @ApiParam(name = "username", value = "The name of the user to delete.", required = true) String str) {
        if (this.userService.delete(str) == 0) {
            throw new NotFoundException();
        }
    }

    @Path("{username}/permissions")
    @RequiresPermissions({RestPermissions.USERS_PERMISSIONSEDIT})
    @ApiOperation("Update a user's permission set.")
    @ApiResponses({@ApiResponse(code = 400, message = "Missing or invalid permission data.")})
    @PUT
    public void editPermissions(@PathParam("username") @ApiParam(name = "username", value = "The name of the user to modify.", required = true) String str, @NotNull @ApiParam(name = "JSON body", value = "The list of permissions to assign to the user.", required = true) @Valid PermissionEditRequest permissionEditRequest) throws ValidationException {
        User load = this.userService.load(str);
        if (load == null) {
            throw new NotFoundException();
        }
        load.setPermissions(permissionEditRequest.permissions());
        this.userService.save(load);
    }

    @Path("{username}/preferences")
    @ApiOperation("Update a user's preferences set.")
    @ApiResponses({@ApiResponse(code = 400, message = "Missing or invalid permission data.")})
    @PUT
    public void savePreferences(@PathParam("username") @ApiParam(name = "username", value = "The name of the user to modify.", required = true) String str, @ApiParam(name = "JSON body", value = "The map of preferences to assign to the user.", required = true) UpdateUserPreferences updateUserPreferences) throws ValidationException {
        User load = this.userService.load(str);
        checkPermission(RestPermissions.USERS_EDIT, str);
        if (load == null) {
            throw new NotFoundException();
        }
        load.setPreferences(updateUserPreferences.preferences());
        this.userService.save(load);
    }

    @Path("{username}/permissions")
    @RequiresPermissions({RestPermissions.USERS_PERMISSIONSEDIT})
    @DELETE
    @ApiOperation("Revoke all permissions for a user without deleting the account.")
    @ApiResponses({@ApiResponse(code = 500, message = "When saving the user failed.")})
    public void deletePermissions(@PathParam("username") @ApiParam(name = "username", value = "The name of the user to modify.", required = true) String str) throws ValidationException {
        User load = this.userService.load(str);
        if (load == null) {
            throw new NotFoundException();
        }
        load.setPermissions(Collections.emptyList());
        this.userService.save(load);
    }

    @Path("{username}/password")
    @ApiOperation("Update the password for a user.")
    @ApiResponses({@ApiResponse(code = 204, message = "The password was successfully updated. Subsequent requests must be made with the new password."), @ApiResponse(code = 400, message = "If the old or new password is missing."), @ApiResponse(code = 403, message = "If the requesting user has insufficient privileges to update the password for the given user or the old password was wrong."), @ApiResponse(code = 404, message = "If the user does not exist.")})
    @PUT
    public void changePassword(@PathParam("username") @ApiParam(name = "username", value = "The name of the user whose password to change.", required = true) String str, @ApiParam(name = "JSON body", value = "The old and new passwords.", required = true) @Valid ChangePasswordRequest changePasswordRequest) throws ValidationException {
        User load = this.userService.load(str);
        if (load == null) {
            throw new NotFoundException();
        }
        if (!getSubject().isPermitted("users:passwordchange:" + load.getName())) {
            throw new ForbiddenException();
        }
        if (load.isExternalUser()) {
            LOG.error("Cannot change password for LDAP user.");
            throw new ForbiddenException("Cannot change password for LDAP user.");
        }
        boolean z = true;
        if (getSubject().isPermitted("users:passwordchange:*")) {
            if (str.equals(getSubject().getPrincipal())) {
                LOG.debug("User {} is allowed to change the password of any user, but attempts to change own password. Must supply the old password.", getSubject().getPrincipal());
                z = true;
            } else {
                LOG.debug("User {} is allowed to change the password for any user, including {}, ignoring old password", getSubject().getPrincipal(), str);
                z = false;
            }
        }
        boolean z2 = false;
        String passwordSecret = this.configuration.getPasswordSecret();
        if (!z) {
            z2 = true;
        } else if (load.isUserPassword(changePasswordRequest.oldPassword(), passwordSecret)) {
            z2 = true;
        }
        if (!z2) {
            throw new ForbiddenException();
        }
        load.setPassword(changePasswordRequest.password(), passwordSecret);
        this.userService.save(load);
    }

    @GET
    @Path("{username}/tokens")
    @RequiresPermissions({RestPermissions.USERS_TOKENLIST})
    @ApiOperation("Retrieves the list of access tokens for a user")
    public TokenList listTokens(@PathParam("username") @ApiParam(name = "username", required = true) String str) {
        User _tokensCheckAndLoadUser = _tokensCheckAndLoadUser(str);
        ImmutableList.Builder builder = ImmutableList.builder();
        for (AccessToken accessToken : this.accessTokenService.loadAll(_tokensCheckAndLoadUser.getName())) {
            builder.add((ImmutableList.Builder) Token.create(accessToken.getName(), accessToken.getToken(), accessToken.getLastAccess()));
        }
        return TokenList.create(builder.build());
    }

    @Path("{username}/tokens/{name}")
    @RequiresPermissions({RestPermissions.USERS_TOKENCREATE})
    @ApiOperation("Generates a new access token for a user")
    @POST
    public Token generateNewToken(@PathParam("username") @ApiParam(name = "username", required = true) String str, @PathParam("name") @ApiParam(name = "name", value = "Descriptive name for this token (e.g. 'cronjob') ", required = true) String str2) {
        AccessToken create = this.accessTokenService.create(_tokensCheckAndLoadUser(str).getName(), str2);
        return Token.create(create.getName(), create.getToken(), create.getLastAccess());
    }

    @RequiresPermissions({RestPermissions.USERS_TOKENREMOVE})
    @Path("{username}/tokens/{token}")
    @DELETE
    @ApiOperation("Removes a token for a user")
    public void revokeToken(@PathParam("username") @ApiParam(name = "username", required = true) String str, @PathParam("token") @ApiParam(name = "access token", required = true) String str2) {
        _tokensCheckAndLoadUser(str);
        AccessToken load = this.accessTokenService.load(str2);
        if (load == null) {
            throw new NotFoundException();
        }
        this.accessTokenService.destroy(load);
    }

    private User _tokensCheckAndLoadUser(String str) {
        User load = this.userService.load(str);
        if (load == null) {
            throw new NotFoundException("Unknown user " + str);
        }
        if (getSubject().getPrincipal().equals(str)) {
            return load;
        }
        throw new ForbiddenException("Cannot access other people's tokens.");
    }

    private UserSummary toUserResponse(User user) {
        return toUserResponse(user, true);
    }

    private UserSummary toUserResponse(User user, boolean z) {
        List emptyList;
        Set<String> roleIds = user.getRoleIds();
        Set emptySet = Collections.emptySet();
        if (!roleIds.isEmpty()) {
            try {
                emptySet = Sets.newHashSet(Iterables.filter(Collections2.transform(roleIds, Roles.roleIdToNameFunction(this.roleService.loadAllIdMap())), Predicates.notNull()));
            } catch (org.graylog2.database.NotFoundException e) {
                LOG.error("Unable to load roles", (Throwable) e);
                throw new InternalServerErrorException("Unable to load roles", e);
            }
        }
        if (z) {
            HashSet newHashSet = Sets.newHashSet(user.getPermissions());
            Iterator<String> it = roleIds.iterator();
            while (it.hasNext()) {
                newHashSet.addAll(this.inMemoryRolePermissionResolver.resolveStringPermission(it.next()));
            }
            emptyList = Lists.newArrayList(newHashSet);
        } else {
            emptyList = Collections.emptyList();
        }
        return UserSummary.create(user.getId(), user.getName(), user.getEmail(), user.getFullName(), emptyList, user.getPreferences(), ((DateTimeZone) MoreObjects.firstNonNull(user.getTimeZone(), DateTimeZone.UTC)).getID(), Long.valueOf(user.getSessionTimeoutMs()), user.isReadOnly(), user.isExternalUser(), user.getStartpage(), emptySet);
    }
}
