package org.sonatype.security.realms.validator;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.enterprise.inject.Typed;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.codehaus.plexus.util.StringUtils;
import org.sonatype.configuration.validation.ValidationMessage;
import org.sonatype.configuration.validation.ValidationRequest;
import org.sonatype.configuration.validation.ValidationResponse;
import org.sonatype.security.model.CPrivilege;
import org.sonatype.security.model.CRole;
import org.sonatype.security.model.CUser;
import org.sonatype.security.model.CUserRoleMapping;
import org.sonatype.security.model.Configuration;
import org.sonatype.security.realms.privileges.PrivilegeDescriptor;
import org.sonatype.sisu.goodies.common.ComponentSupport;

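/**
 * Default {@link SecurityConfigurationValidator}: walks a security {@link Configuration}
 * (privileges, roles, users and user-role mappings) and reports problems as
 * {@link ValidationMessage}s on a {@link ValidationResponse}.
 * <p>
 * Validation is stateful: every {@code validateXxx} method records the ids it has
 * accepted in the {@link SecurityValidationContext} carried by the response, and later
 * checks (role containment, a user's roles) are resolved against those ids. A whole
 * model should therefore go through {@link #validateModel(ValidationRequest)}, which
 * runs the methods in dependency order: privileges, roles, role containment, users,
 * mappings.
 * <p>
 * The context is mutated in place, so one context must not be shared between
 * concurrent validations.
 */
@Singleton
@Typed({SecurityConfigurationValidator.class})
@Named("default")
/* loaded from: input_file:WEB-INF/lib/nexus-security-realms-2.14.10-01.jar:org/sonatype/security/realms/validator/DefaultConfigurationValidator.class */
public class DefaultConfigurationValidator extends ComponentSupport implements SecurityConfigurationValidator {
    /** Source id of the built-in user store; only mappings from this source contribute to a user's role set. */
    private static final String DEFAULT_SOURCE = "default";

    /** Very loose shape check for an e-mail address (something, '@', something); compiled once. */
    private static final Pattern EMAIL_PATTERN = Pattern.compile(".+@.+");

    private final ConfigurationIdGenerator idGenerator;
    private final List<PrivilegeDescriptor> privilegeDescriptors;

    /**
     * @param list                     descriptors consulted for type-specific privilege checks
     * @param configurationIdGenerator generator used to replace missing or "0" role ids
     */
    @Inject
    public DefaultConfigurationValidator(List<PrivilegeDescriptor> list, ConfigurationIdGenerator configurationIdGenerator) {
        this.privilegeDescriptors = list;
        this.idGenerator = configurationIdGenerator;
    }

    /**
     * Validates a complete security model with a fresh context and logs the outcome.
     *
     * @param validationRequest request carrying the {@link Configuration} to check
     * @return the accumulated response; its context is a new {@link SecurityValidationContext}
     */
    @Override // org.sonatype.security.realms.validator.SecurityConfigurationValidator
    public ValidationResponse validateModel(ValidationRequest<Configuration> validationRequest) {
        ValidationResponse validationResponse = new ValidationResponse();
        validationResponse.setContext(new SecurityValidationContext());
        Configuration configuration = validationRequest.getConfiguration();
        SecurityValidationContext context = (SecurityValidationContext) validationResponse.getContext();

        // Order matters: roles are checked against the privilege ids collected first,
        // and users / mappings against the role ids collected second.
        List<CPrivilege> privileges = configuration.getPrivileges();
        if (privileges != null) {
            for (CPrivilege privilege : privileges) {
                validationResponse.append(validatePrivilege(context, privilege, false));
            }
        }
        List<CRole> roles = configuration.getRoles();
        if (roles != null) {
            for (CRole role : roles) {
                validationResponse.append(validateRole(context, role, false));
            }
        }
        validationResponse.append(validateRoleContainment(context));

        // Mappings may be absent; read them once and guard here instead of failing inside the per-user loop.
        List<CUserRoleMapping> userRoleMappings = configuration.getUserRoleMappings();
        List<CUser> users = configuration.getUsers();
        if (users != null) {
            for (CUser user : users) {
                Set<String> defaultSourceRoles = collectDefaultSourceRoles(user, userRoleMappings);
                validationResponse.append(validateUser(context, user, defaultSourceRoles, false));
            }
        }
        if (userRoleMappings != null) {
            for (CUserRoleMapping mapping : userRoleMappings) {
                validationResponse.append(validateUserRoleMapping(context, mapping, false));
            }
        }

        logOutcome(validationResponse);
        return validationResponse;
    }

    /**
     * Collects the role ids granted to {@code user} by mappings whose source is the built-in store.
     *
     * @param user     user whose id is matched against the mappings
     * @param mappings all mappings of the configuration, may be {@code null}
     * @return the union of the matching mappings' roles; empty when there are none
     */
    private static Set<String> collectDefaultSourceRoles(CUser user, List<CUserRoleMapping> mappings) {
        Set<String> roleIds = new HashSet<>();
        if (mappings == null) {
            return roleIds;
        }
        for (CUserRoleMapping mapping : mappings) {
            boolean sameUser = mapping.getUserId() != null && mapping.getUserId().equals(user.getId());
            if (sameUser && DEFAULT_SOURCE.equals(mapping.getSource()) && mapping.getRoles() != null) {
                roleIds.addAll(mapping.getRoles());
            }
        }
        return roleIds;
    }

    /**
     * Logs every error and warning at ERROR level so a broken security model is visible in the log,
     * or a single INFO line when the model is clean.
     */
    private void logOutcome(ValidationResponse response) {
        boolean hasErrors = !response.getValidationErrors().isEmpty();
        boolean hasWarnings = !response.getValidationWarnings().isEmpty();
        if (!hasErrors && !hasWarnings) {
            this.log.info("Security configuration validated succesfully.");
            return;
        }
        this.log.error("* * * * * * * * * * * * * * * * * * * * * * * * * *");
        this.log.error("Security configuration has validation errors/warnings");
        this.log.error("* * * * * * * * * * * * * * * * * * * * * * * * * *");
        if (hasErrors) {
            this.log.error("The ERRORS:");
            for (ValidationMessage message : response.getValidationErrors()) {
                this.log.error(message.toString());
            }
        }
        if (hasWarnings) {
            this.log.error("The WARNINGS:");
            for (ValidationMessage message : response.getValidationWarnings()) {
                this.log.error(message.toString());
            }
        }
        this.log.error("* * * * * * * * * * * * * * * * * * * * *");
    }

    /**
     * Validates one privilege through every registered {@link PrivilegeDescriptor} and
     * registers its id in the context.
     *
     * @param securityValidationContext shared context, may be {@code null}
     * @param cPrivilege                privilege to check
     * @param z                         passed through to the descriptors (update mode flag)
     * @return the merged descriptor responses
     */
    @Override // org.sonatype.security.realms.validator.SecurityConfigurationValidator
    public ValidationResponse validatePrivilege(SecurityValidationContext securityValidationContext, CPrivilege cPrivilege, boolean z) {
        ValidationResponse validationResponse = new ValidationResponse();
        if (securityValidationContext != null) {
            validationResponse.setContext(securityValidationContext);
        }
        // Privilege shape is type-specific, so each descriptor gets a look; a null reply means "nothing to say".
        for (PrivilegeDescriptor descriptor : this.privilegeDescriptors) {
            ValidationResponse descriptorResponse = descriptor.validatePrivilege(cPrivilege, securityValidationContext, z);
            if (descriptorResponse != null) {
                validationResponse.append(descriptorResponse);
            }
        }
        // Register the id so validateRole can flag references to unknown privileges.
        // The context was already treated as optional above; do not dereference it blindly here.
        if (securityValidationContext != null) {
            securityValidationContext.getExistingPrivilegeIds().add(cPrivilege.getId());
        }
        return validationResponse;
    }

    /**
     * Checks every role known to the context for recursive containment and for
     * references to unknown roles.
     *
     * @param securityValidationContext context holding the role ids and containment map, may be {@code null}
     * @return warnings/errors found, if any
     */
    @Override // org.sonatype.security.realms.validator.SecurityConfigurationValidator
    public ValidationResponse validateRoleContainment(SecurityValidationContext securityValidationContext) {
        ValidationResponse validationResponse = new ValidationResponse();
        if (securityValidationContext != null) {
            validationResponse.setContext(securityValidationContext);
        }
        SecurityValidationContext context = (SecurityValidationContext) validationResponse.getContext();
        List<String> roleIds = context.getExistingRoleIds();
        if (roleIds == null) {
            return validationResponse;
        }
        for (String roleId : roleIds) {
            validationResponse.append(isRecursive(roleId, roleId, securityValidationContext));
        }
        return validationResponse;
    }

    /**
     * @param map   role id to role name, as accumulated so far
     * @param cRole candidate role (its own entry is ignored, so a role keeps its name on update)
     * @return {@code true} when another role already carries {@code cRole}'s name
     */
    private boolean isRoleNameAlreadyInUse(Map<String, String> map, CRole cRole) {
        for (Map.Entry<String, String> entry : map.entrySet()) {
            if (entry.getKey().equals(cRole.getId())) {
                continue;
            }
            if (cRole.getName().equals(entry.getValue())) {
                return true;
            }
        }
        return false;
    }

    /** Returns the role's name for messages, falling back to the id when no name is known. */
    private String getRoleTextForDisplay(String str, SecurityValidationContext securityValidationContext) {
        String name = securityValidationContext.getExistingRoleNameMap().get(str);
        return StringUtils.isEmpty(name) ? str : name;
    }

    /**
     * Depth-first walk of the containment graph below {@code currentRoleId}, looking for
     * {@code rootRoleId}.
     *
     * @param rootRoleId    role whose containment is being verified
     * @param currentRoleId role currently visited (equals {@code rootRoleId} on the first call)
     * @return an error when {@code rootRoleId} is reached again, warnings for contained ids that
     *         are not known roles (reported only at the top level, to avoid repeating them per path)
     */
    private ValidationResponse isRecursive(String rootRoleId, String currentRoleId, SecurityValidationContext securityValidationContext) {
        ValidationResponse validationResponse = new ValidationResponse();
        List<String> contained = securityValidationContext.getRoleContainmentMap().get(currentRoleId);
        if (contained == null) {
            // Nothing recorded for this role (it never went through validateRole): no children to walk.
            return validationResponse;
        }
        boolean atRoot = rootRoleId.equals(currentRoleId);
        for (String childId : contained) {
            // NOTE: kept from the original - this warning is repeated once per contained role.
            if (atRoot && !securityValidationContext.getExistingRoleIds().contains(currentRoleId)) {
                validationResponse.addValidationWarning(new ValidationMessage("roles", "Role '" + getRoleTextForDisplay(rootRoleId, securityValidationContext) + "' contains an invalid role", "Role cannot contain invalid role '" + getRoleTextForDisplay(currentRoleId, securityValidationContext) + "'."));
            }
            if (childId.equals(rootRoleId)) {
                validationResponse.addValidationError(new ValidationMessage("roles", "Role '" + getRoleTextForDisplay(rootRoleId, securityValidationContext) + "' contains itself through Role '" + getRoleTextForDisplay(currentRoleId, securityValidationContext) + "'.  This is not valid.", "Role cannot contain itself recursively (via role '" + getRoleTextForDisplay(currentRoleId, securityValidationContext) + "')."));
                break;
            }
            if (securityValidationContext.getExistingRoleIds().contains(childId)) {
                validationResponse.append(isRecursive(rootRoleId, childId, securityValidationContext));
            } else if (atRoot) {
                validationResponse.addValidationWarning(new ValidationMessage("roles", "Role '" + getRoleTextForDisplay(currentRoleId, securityValidationContext) + "' contains an invalid role '" + getRoleTextForDisplay(childId, securityValidationContext) + "'.", "Role cannot contain invalid role '" + getRoleTextForDisplay(childId, securityValidationContext) + "'."));
            }
        }
        return validationResponse;
    }

    /**
     * Validates a role and records its id, name and contained roles in the context.
     * <p>
     * In create mode ({@code z == false}) a missing or "0" id is replaced with a generated
     * one and the response is marked modified; in update mode ({@code z == true}) the id
     * must already be known and containment is checked immediately.
     *
     * @param securityValidationContext shared context, may be {@code null}
     * @param cRole                     role to check; its id may be rewritten
     * @param z                         {@code true} when updating an existing role
     * @return errors for duplicate/changed ids, missing or duplicate names, self containment;
     *         warnings for unknown privilege ids
     */
    @Override // org.sonatype.security.realms.validator.SecurityConfigurationValidator
    public ValidationResponse validateRole(SecurityValidationContext securityValidationContext, CRole cRole, boolean z) {
        ValidationResponse validationResponse = new ValidationResponse();
        if (securityValidationContext != null) {
            validationResponse.setContext(securityValidationContext);
        }
        SecurityValidationContext context = (SecurityValidationContext) validationResponse.getContext();
        List<String> existingRoleIds = context.getExistingRoleIds();
        if (existingRoleIds == null) {
            context.addExistingRoleIds();
            existingRoleIds = context.getExistingRoleIds();
        }

        boolean idKnown = existingRoleIds.contains(cRole.getId());
        if (!z && idKnown) {
            validationResponse.addValidationError(new ValidationMessage("id", "Role ID must be unique."));
        }
        if (z && !idKnown) {
            validationResponse.addValidationError(new ValidationMessage("id", "Role ID cannot be changed."));
        }
        // "0" is treated like an absent id; only new roles may be re-keyed.
        if (!z && (StringUtils.isEmpty(cRole.getId()) || "0".equals(cRole.getId()))) {
            String generatedId = this.idGenerator.generateId();
            validationResponse.addValidationWarning("Fixed wrong role ID from '" + cRole.getId() + "' to '" + generatedId + "'");
            cRole.setId(generatedId);
            validationResponse.setModified(true);
        }

        Map<String, String> existingRoleNameMap = context.getExistingRoleNameMap();
        if (StringUtils.isEmpty(cRole.getName())) {
            validationResponse.addValidationError(new ValidationMessage("name", "Role ID '" + cRole.getId() + "' requires a name.", "Name is required."));
        } else if (isRoleNameAlreadyInUse(existingRoleNameMap, cRole)) {
            validationResponse.addValidationError(new ValidationMessage("name", "Role ID '" + cRole.getId() + "' can't use the name '" + cRole.getName() + "'.", "Name is already in use."));
        } else {
            existingRoleNameMap.put(cRole.getId(), cRole.getName());
        }

        // Unknown privileges only warn: the role stays usable, the dangling grant is simply inert.
        List<String> existingPrivilegeIds = context.getExistingPrivilegeIds();
        if (existingPrivilegeIds != null) {
            for (String privilegeId : cRole.getPrivileges()) {
                if (!existingPrivilegeIds.contains(privilegeId)) {
                    validationResponse.addValidationWarning(new ValidationMessage("privileges", "Role ID '" + cRole.getId() + "' Invalid privilege id '" + privilegeId + "' found.", "Role cannot contain invalid privilege ID '" + privilegeId + "'."));
                }
            }
        }

        Map<String, List<String>> containmentMap = context.getRoleContainmentMap();
        List<String> containedRoles = containmentMap.get(cRole.getId());
        if (containedRoles == null) {
            containedRoles = new ArrayList<>();
            containmentMap.put(cRole.getId(), containedRoles);
        }
        for (String containedId : cRole.getRoles()) {
            if (containedId.equals(cRole.getId())) {
                validationResponse.addValidationError(new ValidationMessage("roles", "Role ID '" + cRole.getId() + "' cannot contain itself.", "Role cannot contain itself."));
            } else {
                containedRoles.add(containedId);
            }
        }
        // On create the whole-model pass runs validateRoleContainment later, once every role is known.
        if (z) {
            validationResponse.append(isRecursive(cRole.getId(), cRole.getId(), context));
        }
        existingRoleIds.add(cRole.getId());
        return validationResponse;
    }

    /**
     * Validates a user and records its id in the context.
     *
     * @param securityValidationContext shared context, may be {@code null}
     * @param cUser                     user to check
     * @param set                       role ids granted to the user (by default-source mappings), may be {@code null}
     * @param z                         {@code true} when updating an existing user; skips the id presence/uniqueness checks
     * @return errors for a missing/duplicate/space-containing id, missing password, missing or
     *         malformed e-mail, a status other than "active"/"disabled", and unknown role ids
     */
    @Override // org.sonatype.security.realms.validator.SecurityConfigurationValidator
    public ValidationResponse validateUser(SecurityValidationContext securityValidationContext, CUser cUser, Set<String> set, boolean z) {
        ValidationResponse validationResponse = new ValidationResponse();
        if (securityValidationContext != null) {
            validationResponse.setContext(securityValidationContext);
        }
        SecurityValidationContext context = (SecurityValidationContext) validationResponse.getContext();
        List<String> existingUserIds = context.getExistingUserIds();
        if (existingUserIds == null) {
            context.addExistingUserIds();
            existingUserIds = context.getExistingUserIds();
        }

        String userId = cUser.getId();
        boolean hasId = StringUtils.isNotEmpty(userId);
        if (!z && !hasId) {
            validationResponse.addValidationError(new ValidationMessage("userId", "User ID is required.", "User ID is required."));
        }
        if (!z && hasId && existingUserIds.contains(userId)) {
            validationResponse.addValidationError(new ValidationMessage("userId", "User ID '" + userId + "' is already in use.", "User ID '" + userId + "' is already in use."));
        }
        if (hasId && userId.contains(" ")) {
            validationResponse.addValidationError(new ValidationMessage("userId", "User ID '" + userId + "' cannot contain spaces.", "User ID '" + userId + "' cannot contain spaces."));
        }

        // Kept from the original: these round-trips are no-ops unless the model's setters normalise input.
        if (StringUtils.isNotEmpty(cUser.getFirstName())) {
            cUser.setFirstName(cUser.getFirstName());
        }
        if (StringUtils.isNotEmpty(cUser.getLastName())) {
            cUser.setLastName(cUser.getLastName());
        }

        // Only presence is checked here; the password value itself is never placed in a message.
        if (StringUtils.isEmpty(cUser.getPassword())) {
            validationResponse.addValidationError(new ValidationMessage("password", "User ID '" + userId + "' has no password.  This is a required field.", "Password is required."));
        }
        if (StringUtils.isEmpty(cUser.getEmail())) {
            validationResponse.addValidationError(new ValidationMessage("email", "User ID '" + userId + "' has no email address", "Email address is required."));
        } else if (!EMAIL_PATTERN.matcher(cUser.getEmail()).matches()) {
            validationResponse.addValidationError(new ValidationMessage("email", "User ID '" + userId + "' has an invalid email address.", "Email address is invalid."));
        }
        if (!"active".equals(cUser.getStatus()) && !"disabled".equals(cUser.getStatus())) {
            validationResponse.addValidationError(new ValidationMessage("status", "User ID '" + userId + "' has invalid status '" + cUser.getStatus() + "'.  (Allowed values are: active and disabled)", "Invalid Status selected."));
        }

        List<String> existingRoleIds = context.getExistingRoleIds();
        boolean rolesCheckable = existingRoleIds != null && context.getExistingUserRoleMap() != null;
        if (rolesCheckable && set != null && !set.isEmpty()) {
            for (String roleId : set) {
                if (!existingRoleIds.contains(roleId)) {
                    validationResponse.addValidationError(new ValidationMessage("roles", "User ID '" + userId + "' Invalid role id '" + roleId + "' found.", "User cannot contain invalid role ID '" + roleId + "'."));
                }
            }
        }
        if (hasId) {
            existingUserIds.add(userId);
        }
        return validationResponse;
    }

    /**
     * Validates a user-role mapping against the roles already known to the context.
     * Unlike the other methods this one does not attach the context to its response.
     *
     * @param securityValidationContext shared context, may be {@code null} (role ids are then not checked)
     * @param cUserRoleMapping          mapping to check
     * @param z                         unused here
     * @return errors for a missing user id, missing source, and unknown role ids
     */
    @Override // org.sonatype.security.realms.validator.SecurityConfigurationValidator
    public ValidationResponse validateUserRoleMapping(SecurityValidationContext securityValidationContext, CUserRoleMapping cUserRoleMapping, boolean z) {
        ValidationResponse validationResponse = new ValidationResponse();
        String userId = cUserRoleMapping.getUserId();
        if (StringUtils.isEmpty(userId)) {
            validationResponse.addValidationError(new ValidationMessage("userId", "UserRoleMapping has no userId.  This is a required field.", "UserId is required."));
        }
        if (StringUtils.isEmpty(cUserRoleMapping.getSource())) {
            // Short message previously said "UserId is required." for the source field.
            validationResponse.addValidationError(new ValidationMessage("source", "User Role Mapping for user '" + userId + "' has no source.  This is a required field.", "Source is required."));
        }
        List<String> roles = cUserRoleMapping.getRoles();
        if (securityValidationContext == null || roles == null || roles.isEmpty()) {
            return validationResponse;
        }
        List<String> existingRoleIds = securityValidationContext.getExistingRoleIds();
        if (existingRoleIds == null || securityValidationContext.getExistingUserRoleMap() == null) {
            return validationResponse;
        }
        for (String roleId : roles) {
            if (!existingRoleIds.contains(roleId)) {
                validationResponse.addValidationError(new ValidationMessage("roles", "User Role Mapping for user '" + userId + "' Invalid role id '" + roleId + "' found.", "User cannot contain invalid role ID '" + roleId + "'."));
            }
        }
        return validationResponse;
    }
}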
