package org.apache.kylin.rest.controller;

import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import javax.annotation.PostConstruct;
import org.apache.commons.lang.StringUtils;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.rest.constant.Constant;
import org.apache.kylin.rest.exception.BadRequestException;
import org.apache.kylin.rest.exception.ForbiddenException;
import org.apache.kylin.rest.request.PasswdChangeRequest;
import org.apache.kylin.rest.response.EnvelopeResponse;
import org.apache.kylin.rest.response.ResponseCode;
import org.apache.kylin.rest.security.ManagedUser;
import org.apache.kylin.rest.service.AccessService;
import org.apache.kylin.rest.service.UserGroupService;
import org.apache.kylin.rest.service.UserService;
import org.apache.kylin.rest.util.AclEvaluate;
import org.apache.kylin.rest.util.PagingUtil;
import org.apache.kylin.shaded.com.google.common.collect.Lists;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@RequestMapping({"/user"})
@Controller
/* loaded from: input_file:org/apache/kylin/rest/controller/UserController.class */
public class UserController extends BasicController {
    private static final Logger logger = LoggerFactory.getLogger(UserController.class);
    private static final SimpleGrantedAuthority ALL_USERS_AUTH = new SimpleGrantedAuthority(Constant.GROUP_ALL_USERS);

    @Autowired
    @Qualifier("userService")
    UserService userService;

    @Autowired
    private AclEvaluate aclEvaluate;

    @Autowired
    @Qualifier("accessService")
    private AccessService accessService;

    @Autowired
    @Qualifier("userGroupService")
    private UserGroupService userGroupService;
    private Pattern passwordPattern;
    private Pattern bcryptPattern;
    private BCryptPasswordEncoder pwdEncoder;

    @RequestMapping(value = {"/authentication"}, method = {RequestMethod.POST}, produces = {"application/json"})
    public UserDetails authenticate() {
        UserDetails authenticatedUser = authenticatedUser();
        logger.debug("User login: {}", authenticatedUser);
        return authenticatedUser;
    }

    @RequestMapping(value = {"/authentication"}, method = {RequestMethod.GET}, produces = {"application/json"})
    public UserDetails authenticatedUser() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            logger.debug("authentication is null.");
            return null;
        }
        if (authentication.getPrincipal() instanceof UserDetails) {
            return (UserDetails) authentication.getPrincipal();
        }
        if (authentication.getDetails() instanceof UserDetails) {
            return (UserDetails) authentication.getDetails();
        }
        return null;
    }

    @PostConstruct
    public void init() throws IOException {
        this.passwordPattern = Pattern.compile("^(?=.*\\d)(?=.*[a-zA-Z])(?=.*[~!@#$%^&*(){}|:\"<>?\\[\\];',./`]).{8,}$");
        this.bcryptPattern = Pattern.compile("\\A\\$2a?\\$\\d\\d\\$[./0-9A-Za-z]{53}");
        this.pwdEncoder = new BCryptPasswordEncoder();
    }

    private void checkProfileEditAllowed() {
        String securityProfile = KylinConfig.getInstanceFromEnv().getSecurityProfile();
        if (!"testing".equals(securityProfile) && !"custom".equals(securityProfile)) {
            throw new BadRequestException("Action not allowed!");
        }
    }

    @RequestMapping(value = {"/{userName:.+}"}, method = {RequestMethod.POST}, produces = {"application/json"})
    @ResponseBody
    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
    public ManagedUser create(@PathVariable("userName") String str, @RequestBody ManagedUser managedUser) {
        checkProfileEditAllowed();
        if (StringUtils.equals(getPrincipal(), managedUser.getUsername()) && managedUser.isDisabled()) {
            throw new ForbiddenException("Action not allowed!");
        }
        checkUserName(str);
        managedUser.setUsername(str);
        managedUser.setPassword(pwdEncode(managedUser.getPassword()));
        logger.info("Creating {}", managedUser);
        completeAuthorities(managedUser);
        this.userService.createUser(managedUser);
        return get(str);
    }

    @RequestMapping(value = {"/{userName:.+}"}, method = {RequestMethod.PUT}, produces = {"application/json"})
    @ResponseBody
    @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN)
    public ManagedUser save(@PathVariable("userName") String str, @RequestBody ManagedUser managedUser) {
        checkProfileEditAllowed();
        if (StringUtils.equals(getPrincipal(), managedUser.getUsername()) && managedUser.isDisabled()) {
            throw new ForbiddenException("Action not allowed!");
        }
        checkUserName(str);
        managedUser.setUsername(str);
        try {
            ManagedUser managedUser2 = get(str);
            if (managedUser2 != null) {
                if (managedUser.getPassword() == null) {
                    managedUser.setPassword(managedUser2.getPassword());
                }
                if (managedUser.m34getAuthorities() == null || managedUser.m34getAuthorities().isEmpty()) {
                    managedUser.setGrantedAuthorities(managedUser2.m34getAuthorities());
                }
            }
        } catch (UsernameNotFoundException e) {
        }
        logger.info("Saving {}", managedUser);
        managedUser.setPassword(pwdEncode(managedUser.getPassword()));
        completeAuthorities(managedUser);
        this.userService.updateUser(managedUser);
        return get(str);
    }

    @RequestMapping(value = {"/password"}, method = {RequestMethod.PUT}, produces = {"application/json"})
    @ResponseBody
    public EnvelopeResponse save(@RequestBody PasswdChangeRequest passwdChangeRequest) {
        checkProfileEditAllowed();
        if (!isAdmin() && !StringUtils.equals(getPrincipal(), passwdChangeRequest.getUsername())) {
            throw new ForbiddenException("Permission Denied");
        }
        ManagedUser managedUser = get(passwdChangeRequest.getUsername());
        checkUserName(passwdChangeRequest.getUsername());
        checkNewPwdRule(passwdChangeRequest.getNewPassword());
        if (managedUser != null) {
            if (!isAdmin() && !this.pwdEncoder.matches(passwdChangeRequest.getPassword(), managedUser.getPassword())) {
                throw new BadRequestException("pwd update error");
            }
            managedUser.setPassword(pwdEncode(passwdChangeRequest.getNewPassword()));
            managedUser.setDefaultPassword(false);
            logger.info("update password for user {}", passwdChangeRequest);
            completeAuthorities(managedUser);
            this.userService.updateUser(managedUser);
            if (StringUtils.equals(getPrincipal(), passwdChangeRequest.getUsername())) {
                UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(managedUser, passwdChangeRequest.getNewPassword(), managedUser.m34getAuthorities());
                usernamePasswordAuthenticationToken.setDetails(SecurityContextHolder.getContext().getAuthentication().getDetails());
                SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
            }
        }
        return new EnvelopeResponse(ResponseCode.CODE_SUCCESS, get(passwdChangeRequest.getUsername()), "");
    }

    private String pwdEncode(String str) {
        return this.bcryptPattern.matcher(str).matches() ? str : this.pwdEncoder.encode(str);
    }

    private void checkUserName(String str) {
        if (str == null || str.isEmpty()) {
            throw new BadRequestException("empty user name");
        }
    }

    private void checkNewPwdRule(String str) {
        if (!checkPasswordLength(str)) {
            throw new BadRequestException("password length need more then 8 chars");
        }
        if (!checkPasswordCharacter(str)) {
            throw new BadRequestException("pwd update error");
        }
    }

    private boolean checkPasswordLength(String str) {
        return str != null && str.length() >= 8;
    }

    private boolean checkPasswordCharacter(String str) {
        return this.passwordPattern.matcher(str).matches();
    }

    @RequestMapping(value = {"/{userName:.+}"}, method = {RequestMethod.GET}, produces = {"application/json"})
    @ResponseBody
    public EnvelopeResponse getUser(@PathVariable("userName") String str) {
        if (isAdmin() || StringUtils.equals(getPrincipal(), str)) {
            return new EnvelopeResponse(ResponseCode.CODE_SUCCESS, get(str), "");
        }
        throw new ForbiddenException("...");
    }

    private ManagedUser get(@Nullable String str) {
        checkUserName(str);
        UserDetails loadUserByUsername = this.userService.loadUserByUsername(str);
        if (loadUserByUsername == null) {
            return null;
        }
        return (ManagedUser) loadUserByUsername;
    }

    @RequestMapping(value = {"/users"}, method = {RequestMethod.GET}, produces = {"application/json"})
    @ResponseBody
    public EnvelopeResponse listAllUsers(@RequestParam(value = "project", required = false) String str, @RequestParam(value = "name", required = false) String str2, @RequestParam(value = "groupName", required = false) String str3, @RequestParam(value = "isFuzzMatch", required = false) boolean z, @RequestParam(value = "offset", required = false, defaultValue = "0") Integer num, @RequestParam(value = "limit", required = false, defaultValue = "10") Integer num2) throws IOException {
        if (str == null) {
            this.aclEvaluate.checkIsGlobalAdmin();
        } else {
            this.aclEvaluate.checkProjectAdminPermission(str);
        }
        HashMap hashMap = new HashMap();
        List<ManagedUser> listUsers = this.userService.listUsers(str2, str3, Boolean.valueOf(z));
        List cutPage = PagingUtil.cutPage(listUsers, num.intValue(), num2.intValue());
        Iterator it = cutPage.iterator();
        while (it.hasNext()) {
            this.userService.completeUserInfo((ManagedUser) it.next());
        }
        hashMap.put("users", cutPage);
        hashMap.put("size", Integer.valueOf(listUsers.size()));
        return new EnvelopeResponse(ResponseCode.CODE_SUCCESS, hashMap, "");
    }

    @RequestMapping(value = {"/{userName:.+}"}, method = {RequestMethod.DELETE}, produces = {"application/json"})
    @ResponseBody
    public EnvelopeResponse delete(@PathVariable("userName") String str) throws IOException {
        checkProfileEditAllowed();
        if (StringUtils.equals(getPrincipal(), str)) {
            throw new ForbiddenException("...");
        }
        this.accessService.revokeProjectPermission(str, Constant.IDENTITY_USER);
        checkUserName(str);
        this.userService.deleteUser(str);
        return new EnvelopeResponse(ResponseCode.CODE_SUCCESS, str, "");
    }

    private void completeAuthorities(ManagedUser managedUser) {
        ArrayList<SimpleGrantedAuthority> newArrayList = Lists.newArrayList(managedUser.m34getAuthorities());
        for (SimpleGrantedAuthority simpleGrantedAuthority : newArrayList) {
            try {
            } catch (IOException e) {
                logger.error("Get user group error: {}", e.getMessage());
            }
            if (!this.userGroupService.exists(simpleGrantedAuthority.getAuthority())) {
                throw new BadRequestException(String.format(Locale.ROOT, "user's authority:%s is not found in user group", simpleGrantedAuthority.getAuthority()));
                break;
            }
        }
        if (!newArrayList.contains(ALL_USERS_AUTH)) {
            newArrayList.add(ALL_USERS_AUTH);
        }
        managedUser.setGrantedAuthorities(newArrayList);
    }

    private String getPrincipal() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            return null;
        }
        Object principal = authentication.getPrincipal();
        return principal instanceof UserDetails ? ((UserDetails) principal).getUsername() : authentication.getDetails() instanceof UserDetails ? ((UserDetails) authentication.getDetails()).getUsername() : principal.toString();
    }
}
