package org.apache.syncope.core.persistence.jpa.dao;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.annotation.Resource;
import javax.persistence.NoResultException;
import javax.persistence.Query;
import javax.persistence.TypedQuery;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.IterableUtils;
import org.apache.commons.collections4.Predicate;
import org.apache.commons.collections4.SetUtils;
import org.apache.commons.collections4.Transformer;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.syncope.common.lib.policy.AccountRuleConf;
import org.apache.syncope.common.lib.policy.PasswordRuleConf;
import org.apache.syncope.common.lib.types.AnyTypeKind;
import org.apache.syncope.common.lib.types.EntityViolationType;
import org.apache.syncope.core.persistence.api.ImplementationLookup;
import org.apache.syncope.core.persistence.api.attrvalue.validation.InvalidEntityException;
import org.apache.syncope.core.persistence.api.dao.AccessTokenDAO;
import org.apache.syncope.core.persistence.api.dao.AccountRule;
import org.apache.syncope.core.persistence.api.dao.GroupDAO;
import org.apache.syncope.core.persistence.api.dao.PasswordRule;
import org.apache.syncope.core.persistence.api.dao.RealmDAO;
import org.apache.syncope.core.persistence.api.dao.RoleDAO;
import org.apache.syncope.core.persistence.api.dao.UserDAO;
import org.apache.syncope.core.persistence.api.entity.AccessToken;
import org.apache.syncope.core.persistence.api.entity.AnyUtils;
import org.apache.syncope.core.persistence.api.entity.Realm;
import org.apache.syncope.core.persistence.api.entity.Role;
import org.apache.syncope.core.persistence.api.entity.group.Group;
import org.apache.syncope.core.persistence.api.entity.policy.AccountPolicy;
import org.apache.syncope.core.persistence.api.entity.policy.PasswordPolicy;
import org.apache.syncope.core.persistence.api.entity.resource.ExternalResource;
import org.apache.syncope.core.persistence.api.entity.user.SecurityQuestion;
import org.apache.syncope.core.persistence.api.entity.user.UMembership;
import org.apache.syncope.core.persistence.api.entity.user.User;
import org.apache.syncope.core.persistence.jpa.entity.JPAAnyUtilsFactory;
import org.apache.syncope.core.persistence.jpa.entity.user.JPAUser;
import org.apache.syncope.core.provisioning.api.event.AnyCreatedUpdatedEvent;
import org.apache.syncope.core.provisioning.api.event.AnyDeletedEvent;
import org.apache.syncope.core.provisioning.api.utils.EntityUtils;
import org.apache.syncope.core.provisioning.api.utils.policy.AccountPolicyException;
import org.apache.syncope.core.provisioning.api.utils.policy.PasswordPolicyException;
import org.apache.syncope.core.spring.ApplicationContextProvider;
import org.apache.syncope.core.spring.security.AuthContextUtils;
import org.apache.syncope.core.spring.security.DelegatedAdministrationException;
import org.apache.syncope.core.spring.security.Encryptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

@Repository
/* loaded from: input_file:org/apache/syncope/core/persistence/jpa/dao/JPAUserDAO.class */
public class JPAUserDAO extends AbstractAnyDAO<User> implements UserDAO {
    private static final Pattern USERNAME_PATTERN = Pattern.compile("^[\\p{L}\\p{gc=Mn}\\p{gc=Me}\\p{gc=Mc}\\p{Digit}\\p{gc=Pc} \\-@.]+", 66);
    private static final Encryptor ENCRYPTOR = Encryptor.getInstance();

    @Autowired
    private RoleDAO roleDAO;

    @Autowired
    private AccessTokenDAO accessTokenDAO;

    @Autowired
    private ImplementationLookup implementationLookup;

    @Resource(name = "adminUser")
    private String adminUser;

    @Resource(name = "anonymousUser")
    private String anonymousUser;
    private RealmDAO realmDAO;
    private GroupDAO groupDAO;

    private RealmDAO realmDAO() {
        synchronized (this) {
            if (this.realmDAO == null) {
                this.realmDAO = (RealmDAO) ApplicationContextProvider.getApplicationContext().getBean(RealmDAO.class);
            }
        }
        return this.realmDAO;
    }

    private GroupDAO groupDAO() {
        synchronized (this) {
            if (this.groupDAO == null) {
                this.groupDAO = (GroupDAO) ApplicationContextProvider.getApplicationContext().getBean(GroupDAO.class);
            }
        }
        return this.groupDAO;
    }

    @Override // org.apache.syncope.core.persistence.jpa.dao.AbstractAnyDAO
    protected AnyUtils init() {
        return new JPAAnyUtilsFactory().getInstance(AnyTypeKind.USER);
    }

    @Transactional(readOnly = true)
    public String findKey(String str) {
        return findKey(str, JPAUser.TABLE);
    }

    @Transactional(readOnly = true)
    public Date findLastChange(String str) {
        return findLastChange(str, JPAUser.TABLE);
    }

    public int count() {
        return ((Number) entityManager().createQuery("SELECT COUNT(e) FROM  " + JPAUser.class.getSimpleName() + " e").getSingleResult()).intValue();
    }

    public Map<String, Integer> countByRealm() {
        List<Object[]> resultList = entityManager().createQuery("SELECT e.realm, COUNT(e) FROM  " + JPAUser.class.getSimpleName() + " e GROUP BY e.realm").getResultList();
        HashMap hashMap = new HashMap(resultList.size());
        for (Object[] objArr : resultList) {
            hashMap.put(((Realm) objArr[0]).getFullPath(), Integer.valueOf(((Number) objArr[1]).intValue()));
        }
        return Collections.unmodifiableMap(hashMap);
    }

    public Map<String, Integer> countByStatus() {
        List<Object[]> resultList = entityManager().createQuery("SELECT e.status, COUNT(e) FROM  " + JPAUser.class.getSimpleName() + " e GROUP BY e.status").getResultList();
        HashMap hashMap = new HashMap(resultList.size());
        for (Object[] objArr : resultList) {
            hashMap.put((String) objArr[0], Integer.valueOf(((Number) objArr[1]).intValue()));
        }
        return Collections.unmodifiableMap(hashMap);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.syncope.core.persistence.jpa.dao.AbstractAnyDAO
    public void securityChecks(final User user) {
        if (AuthContextUtils.getUsername().equals(this.anonymousUser) || AuthContextUtils.getUsername().equals(user.getUsername())) {
            return;
        }
        Set emptyIfNull = SetUtils.emptyIfNull((Set) AuthContextUtils.getAuthorizations().get("USER_READ"));
        boolean matchesAny = IterableUtils.matchesAny(emptyIfNull, new Predicate<String>() { // from class: org.apache.syncope.core.persistence.jpa.dao.JPAUserDAO.1
            public boolean evaluate(String str) {
                return user.getRealm().getFullPath().startsWith(str);
            }
        });
        if (!matchesAny) {
            matchesAny = !CollectionUtils.intersection(findDynRealms(user.getKey()), emptyIfNull).isEmpty();
        }
        if (emptyIfNull.isEmpty() || !matchesAny) {
            throw new DelegatedAdministrationException(user.getRealm().getFullPath(), AnyTypeKind.USER.name(), user.getKey());
        }
    }

    public User findByUsername(String str) {
        TypedQuery createQuery = entityManager().createQuery("SELECT e FROM " + JPAUser.class.getSimpleName() + " e WHERE e.username = :username", User.class);
        createQuery.setParameter("username", str);
        User user = null;
        try {
            user = (User) createQuery.getSingleResult();
        } catch (NoResultException e) {
            LOG.debug("No user found with username {}", str, e);
        }
        return user;
    }

    public User findByToken(String str) {
        TypedQuery createQuery = entityManager().createQuery("SELECT e FROM " + JPAUser.class.getSimpleName() + " e WHERE e.token LIKE :token", User.class);
        createQuery.setParameter("token", str);
        User user = null;
        try {
            user = (User) createQuery.getSingleResult();
        } catch (NoResultException e) {
            LOG.debug("No user found with token {}", str, e);
        }
        return user;
    }

    public List<User> findBySecurityQuestion(SecurityQuestion securityQuestion) {
        TypedQuery createQuery = entityManager().createQuery("SELECT e FROM " + JPAUser.class.getSimpleName() + " e WHERE e.securityQuestion = :securityQuestion", User.class);
        createQuery.setParameter("securityQuestion", securityQuestion);
        return createQuery.getResultList();
    }

    private List<PasswordPolicy> getPasswordPolicies(User user) {
        ArrayList arrayList = new ArrayList();
        Iterator<ExternalResource> it = findAllResources(user).iterator();
        while (it.hasNext()) {
            PasswordPolicy passwordPolicy = it.next().getPasswordPolicy();
            if (passwordPolicy != null) {
                arrayList.add(passwordPolicy);
            }
        }
        Iterator it2 = realmDAO().findAncestors(user.getRealm()).iterator();
        while (it2.hasNext()) {
            PasswordPolicy passwordPolicy2 = ((Realm) it2.next()).getPasswordPolicy();
            if (passwordPolicy2 != null) {
                arrayList.add(passwordPolicy2);
            }
        }
        return arrayList;
    }

    public List<User> findAll(int i, int i2) {
        TypedQuery createQuery = entityManager().createQuery("SELECT e FROM  " + JPAUser.class.getSimpleName() + " e ORDER BY e.id", User.class);
        createQuery.setFirstResult(i2 * (i <= 0 ? 0 : i - 1));
        createQuery.setMaxResults(i2);
        return createQuery.getResultList();
    }

    private List<AccountPolicy> getAccountPolicies(User user) {
        ArrayList arrayList = new ArrayList();
        Iterator<ExternalResource> it = findAllResources(user).iterator();
        while (it.hasNext()) {
            AccountPolicy accountPolicy = it.next().getAccountPolicy();
            if (accountPolicy != null) {
                arrayList.add(accountPolicy);
            }
        }
        Iterator it2 = realmDAO().findAncestors(user.getRealm()).iterator();
        while (it2.hasNext()) {
            AccountPolicy accountPolicy2 = ((Realm) it2.next()).getAccountPolicy();
            if (accountPolicy2 != null) {
                arrayList.add(accountPolicy2);
            }
        }
        return arrayList;
    }

    @Transactional(readOnly = true)
    public Pair<Boolean, Boolean> enforcePolicies(User user) {
        AccountRule accountRule;
        PasswordRule passwordRule;
        LOG.debug("Password Policy enforcement");
        try {
            try {
                int i = 0;
                for (PasswordPolicy passwordPolicy : getPasswordPolicies(user)) {
                    if (user.getPassword() == null && !passwordPolicy.isAllowNullPassword()) {
                        throw new PasswordPolicyException("Password mandatory");
                    }
                    for (PasswordRuleConf passwordRuleConf : passwordPolicy.getRuleConfs()) {
                        Class passwordRuleClass = this.implementationLookup.getPasswordRuleClass(passwordRuleConf.getClass());
                        if (passwordRuleClass == null) {
                            LOG.warn("Could not find matching password rule for {}", passwordRuleConf.getClass());
                        } else {
                            if (ApplicationContextProvider.getBeanFactory().containsSingleton(passwordRuleClass.getName())) {
                                passwordRule = (PasswordRule) ApplicationContextProvider.getBeanFactory().getSingleton(passwordRuleClass.getName());
                            } else {
                                passwordRule = (PasswordRule) ApplicationContextProvider.getBeanFactory().createBean(passwordRuleClass, 2, false);
                                ApplicationContextProvider.getBeanFactory().registerSingleton(passwordRuleClass.getName(), passwordRule);
                            }
                            passwordRule.enforce(passwordRuleConf, user);
                        }
                    }
                    boolean z = false;
                    if (passwordPolicy.getHistoryLength() > 0) {
                        List passwordHistory = user.getPasswordHistory();
                        Iterator it = passwordHistory.subList(passwordPolicy.getHistoryLength() >= passwordHistory.size() ? 0 : passwordHistory.size() - passwordPolicy.getHistoryLength(), passwordHistory.size()).iterator();
                        while (it.hasNext()) {
                            z |= ENCRYPTOR.verify(user.getClearPassword(), user.getCipherAlgorithm(), (String) it.next());
                        }
                    }
                    if (z) {
                        throw new PasswordPolicyException("Password value was used in the past: not allowed");
                    }
                    if (passwordPolicy.getHistoryLength() > i) {
                        i = passwordPolicy.getHistoryLength();
                    }
                }
                if (i > 0 && user.getPassword() != null) {
                    user.getPasswordHistory().add(user.getPassword());
                }
                if (i < user.getPasswordHistory().size()) {
                    for (int i2 = 0; i2 < user.getPasswordHistory().size() - i; i2++) {
                        user.getPasswordHistory().remove(i2);
                    }
                }
                LOG.debug("Account Policy enforcement");
                boolean z2 = false;
                boolean z3 = false;
                try {
                    if (user.getUsername() == null) {
                        throw new AccountPolicyException("Null username");
                    }
                    if (this.adminUser.equals(user.getUsername()) || this.anonymousUser.equals(user.getUsername())) {
                        throw new AccountPolicyException("Not allowed: " + user.getUsername());
                    }
                    if (!USERNAME_PATTERN.matcher(user.getUsername()).matches()) {
                        throw new AccountPolicyException("Character(s) not allowed");
                    }
                    for (AccountPolicy accountPolicy : getAccountPolicies(user)) {
                        for (AccountRuleConf accountRuleConf : accountPolicy.getRuleConfs()) {
                            Class accountRuleClass = this.implementationLookup.getAccountRuleClass(accountRuleConf.getClass());
                            if (accountRuleClass == null) {
                                LOG.warn("Could not find matching account rule for {}", accountRuleConf.getClass());
                            } else {
                                if (ApplicationContextProvider.getBeanFactory().containsSingleton(accountRuleClass.getName())) {
                                    accountRule = (AccountRule) ApplicationContextProvider.getBeanFactory().getSingleton(accountRuleClass.getName());
                                } else {
                                    accountRule = (AccountRule) ApplicationContextProvider.getBeanFactory().createBean(accountRuleClass, 2, false);
                                    ApplicationContextProvider.getBeanFactory().registerSingleton(accountRuleClass.getName(), accountRule);
                                }
                                accountRule.enforce(accountRuleConf, user);
                            }
                        }
                        z2 |= user.getFailedLogins() != null && accountPolicy.getMaxAuthenticationAttempts() > 0 && user.getFailedLogins().intValue() > accountPolicy.getMaxAuthenticationAttempts() && !user.isSuspended().booleanValue();
                        z3 |= accountPolicy.isPropagateSuspension();
                    }
                    return ImmutablePair.of(Boolean.valueOf(z2), Boolean.valueOf(z3));
                } catch (Exception e) {
                    LOG.error("Invalid username for {}", user, e);
                    throw new InvalidEntityException(User.class, EntityViolationType.InvalidUsername, e.getMessage());
                }
            } catch (Exception e2) {
                LOG.error("Invalid password for {}", user, e2);
                throw new InvalidEntityException(User.class, EntityViolationType.InvalidPassword, e2.getMessage());
            }
        } finally {
            user.removeClearPassword();
        }
    }

    private Pair<User, Pair<Set<String>, Set<String>>> doSave(User user) {
        String clearPassword = user.getClearPassword();
        User user2 = (User) super.save((JPAUserDAO) user);
        entityManager().flush();
        ((JPAUser) JPAUser.class.cast(user2)).setClearPassword(clearPassword);
        try {
            enforcePolicies(user2);
            this.publisher.publishEvent(new AnyCreatedUpdatedEvent(this, user2, AuthContextUtils.getDomain()));
            this.roleDAO.refreshDynMemberships(user2);
            Pair refreshDynMemberships = groupDAO().refreshDynMemberships(user2);
            dynRealmDAO().refreshDynMemberships(user2);
            return Pair.of(user2, refreshDynMemberships);
        } catch (InvalidEntityException e) {
            entityManager().remove(user2);
            throw e;
        }
    }

    @Override // org.apache.syncope.core.persistence.jpa.dao.AbstractAnyDAO
    public User save(User user) {
        return (User) doSave(user).getLeft();
    }

    public Pair<Set<String>, Set<String>> saveAndGetDynGroupMembs(User user) {
        return (Pair) doSave(user).getRight();
    }

    public void delete(User user) {
        this.roleDAO.removeDynMemberships(user.getKey());
        groupDAO().removeDynMemberships(user);
        dynRealmDAO().removeDynMemberships(user.getKey());
        AccessToken findByOwner = this.accessTokenDAO.findByOwner(user.getUsername());
        if (findByOwner != null) {
            this.accessTokenDAO.delete(findByOwner);
        }
        entityManager().remove(user);
        this.publisher.publishEvent(new AnyDeletedEvent(this, AnyTypeKind.USER, user.getKey(), AuthContextUtils.getDomain()));
    }

    @Transactional(propagation = Propagation.REQUIRES_NEW, readOnly = true)
    public Collection<Role> findAllRoles(User user) {
        return CollectionUtils.union(user.getRoles(), findDynRoles(user.getKey()));
    }

    @Transactional(propagation = Propagation.REQUIRES_NEW, readOnly = true)
    public List<Role> findDynRoles(String str) {
        Query createNativeQuery = entityManager().createNativeQuery("SELECT role_id FROM DynRoleMembers WHERE any_id=?");
        createNativeQuery.setParameter(1, str);
        ArrayList arrayList = new ArrayList();
        for (Object obj : createNativeQuery.getResultList()) {
            String str2 = obj instanceof Object[] ? (String) ((Object[]) obj)[0] : (String) obj;
            Role find = this.roleDAO.find(str2);
            if (find == null) {
                LOG.error("Could not find role with id {}, even though returned by the native query", str2);
            } else if (!arrayList.contains(find)) {
                arrayList.add(find);
            }
        }
        return arrayList;
    }

    @Transactional(propagation = Propagation.REQUIRES_NEW, readOnly = true)
    public List<Group> findDynGroups(String str) {
        Query createNativeQuery = entityManager().createNativeQuery("SELECT group_id FROM UDynGroupMembers WHERE any_id=?");
        createNativeQuery.setParameter(1, str);
        ArrayList arrayList = new ArrayList();
        for (Object obj : createNativeQuery.getResultList()) {
            String str2 = obj instanceof Object[] ? (String) ((Object[]) obj)[0] : (String) obj;
            Group find = groupDAO().find(str2);
            if (find == null) {
                LOG.error("Could not find group with id {}, even though returned by the native query", str2);
            } else if (!arrayList.contains(find)) {
                arrayList.add(find);
            }
        }
        return arrayList;
    }

    @Transactional(propagation = Propagation.REQUIRES_NEW, readOnly = true)
    public Collection<Group> findAllGroups(User user) {
        return CollectionUtils.union(CollectionUtils.collect(user.getMemberships(), new Transformer<UMembership, Group>() { // from class: org.apache.syncope.core.persistence.jpa.dao.JPAUserDAO.2
            public Group transform(UMembership uMembership) {
                return uMembership.getRightEnd();
            }
        }, new ArrayList()), findDynGroups(user.getKey()));
    }

    @Transactional(propagation = Propagation.REQUIRES_NEW, readOnly = true)
    public Collection<String> findAllGroupKeys(User user) {
        return CollectionUtils.collect(findAllGroups(user), EntityUtils.keyTransformer());
    }

    @Transactional(propagation = Propagation.REQUIRES_NEW, readOnly = true)
    public Collection<String> findAllGroupNames(User user) {
        return CollectionUtils.collect(findAllGroups(user), new Transformer<Group, String>() { // from class: org.apache.syncope.core.persistence.jpa.dao.JPAUserDAO.3
            public String transform(Group group) {
                return group.getName();
            }
        });
    }

    @Transactional(propagation = Propagation.REQUIRES_NEW, readOnly = true)
    public Collection<ExternalResource> findAllResources(User user) {
        HashSet hashSet = new HashSet();
        hashSet.addAll(user.getResources());
        Iterator<Group> it = findAllGroups(user).iterator();
        while (it.hasNext()) {
            hashSet.addAll(it.next().getResources());
        }
        return hashSet;
    }

    @Transactional(readOnly = true)
    public Collection<String> findAllResourceKeys(String str) {
        return CollectionUtils.collect(findAllResources(authFind(str)), EntityUtils.keyTransformer());
    }
}
