package org.graylog2.rest.resources.roles;

import com.google.common.base.MoreObjects;
import com.google.common.base.Optional;
import com.google.common.collect.Sets;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.inject.Inject;
import javax.validation.Valid;
import javax.validation.constraints.NotNull;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.graylog2.auditlog.jersey.AuditLog;
import org.graylog2.database.NotFoundException;
import org.graylog2.plugin.database.ValidationException;
import org.graylog2.plugin.database.users.User;
import org.graylog2.rest.models.roles.responses.RoleMembershipResponse;
import org.graylog2.rest.models.roles.responses.RoleResponse;
import org.graylog2.rest.models.roles.responses.RolesResponse;
import org.graylog2.rest.models.users.responses.UserSummary;
import org.graylog2.shared.rest.resources.RestResource;
import org.graylog2.shared.security.RestPermissions;
import org.graylog2.shared.users.Role;
import org.graylog2.users.RoleImpl;
import org.graylog2.users.RoleService;
import org.joda.time.DateTimeZone;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

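/**
 * REST resource for managing user roles and role membership under {@code /roles}.
 *
 * <p>The class-level {@link RequiresAuthentication} only establishes that the caller is logged in.
 * Each endpoint therefore has to enforce its own authorization, either declaratively with
 * {@link RequiresPermissions} or through an explicit {@code checkPermission} call. An endpoint
 * that does neither is reachable by every authenticated user.
 */
@RequiresAuthentication
@Api(value = "Roles", description = "User roles")
@Path("/roles")
@Consumes({"application/json"})
@Produces({"application/json"})
public class RolesResource extends RestResource {
    private static final Logger log = LoggerFactory.getLogger(RolesResource.class);
    private final RoleService roleService;

    /**
     * Creates the resource.
     *
     * @param roleService service used to load, save and delete roles
     */
    @Inject
    public RolesResource(RoleService roleService) {
        this.roleService = roleService;
    }

    /**
     * Lists every role known to the role service.
     *
     * @return a response wrapping one {@link RoleResponse} per stored role
     * @throws NotFoundException declared by the role service while loading
     */
    @GET
    @RequiresPermissions({RestPermissions.ROLES_READ})
    @ApiOperation(value = "List all roles", notes = "")
    public RolesResponse listAll() throws NotFoundException {
        final Set<RoleResponse> responses = Sets.newHashSet();
        for (Role role : this.roleService.loadAll()) {
            responses.add(toResponse(role));
        }
        return RolesResponse.create(responses);
    }

    /**
     * Returns a single role, including its permissions.
     *
     * @param str name of the role, taken from the request path
     * @return the stored role
     * @throws NotFoundException declared by the role service while loading the role
     */
    @GET
    @Path("{rolename}")
    @ApiOperation("Retrieve permissions for a single role")
    public RoleResponse read(@PathParam("rolename") @ApiParam(name = "rolename", required = true) String str) throws NotFoundException {
        checkPermission(RestPermissions.ROLES_READ, str);
        return toResponse(this.roleService.load(str));
    }

    /**
     * Creates a new role from the request body.
     *
     * @param roleResponse name, description and permissions of the role to create
     * @return a "created" response whose location points at the new role and whose entity is the saved role
     * @throws BadRequestException if a role with that name already exists or the role fails validation
     */
    @RequiresPermissions({RestPermissions.ROLES_CREATE})
    @ApiOperation(value = "Create a new role", notes = "")
    @POST
    @AuditLog(object = "role", captureRequestEntity = true, captureResponseEntity = true)
    public Response create(@NotNull @Valid @ApiParam(name = "JSON body", value = "The new role to create", required = true) RoleResponse roleResponse) {
        if (this.roleService.exists(roleResponse.name())) {
            throw new BadRequestException("Role " + roleResponse.name() + " already exists.");
        }
        final RoleImpl newRole = new RoleImpl();
        newRole.setName(roleResponse.name());
        newRole.setPermissions(roleResponse.permissions());
        newRole.setDescription(roleResponse.description().orNull());
        try {
            final Role saved = this.roleService.save(newRole);
            return Response.created(getUriBuilderToSelf().path(RolesResource.class).path("{rolename}").build(new Object[]{saved.getName()}))
                    .entity(toResponse(saved))
                    .build();
        } catch (ValidationException e) {
            // Keep the cause in the log so the rejected request can be diagnosed afterwards.
            log.error("Invalid role creation request.", e);
            throw new BadRequestException(e);
        }
    }

    /**
     * Replaces the name, description and permissions of an existing role.
     *
     * <p>Changing a role's permission set changes what every member of that role may do, so the
     * caller must hold {@link RestPermissions#ROLES_EDIT} for the role named in the path.
     *
     * @param str name of the role to update, taken from the request path
     * @param roleResponse the new representation of the role
     * @return the role as it was saved
     * @throws NotFoundException declared by the role service while loading the role
     * @throws BadRequestException if the role is read only or the new state fails validation
     */
    @Path("{rolename}")
    @ApiOperation("Update an existing role")
    @AuditLog(object = "role", captureRequestEntity = true, captureResponseEntity = true)
    @PUT
    public RoleResponse update(@PathParam("rolename") @ApiParam(name = "rolename", required = true) String str, @ApiParam(name = "JSON Body", value = "The new representation of the role", required = true) RoleResponse roleResponse) throws NotFoundException {
        // This endpoint carries no @RequiresPermissions, so without this check any authenticated
        // user could rewrite the permissions of a role. Authorize before loading, as read() and
        // delete() do, so the outcome does not depend on whether the role exists.
        checkPermission(RestPermissions.ROLES_EDIT, str);
        final Role role = this.roleService.load(str);
        if (role.isReadOnly()) {
            throw new BadRequestException("Cannot update read only role " + str);
        }
        role.setName(roleResponse.name());
        role.setDescription(roleResponse.description().orNull());
        role.setPermissions(roleResponse.permissions());
        try {
            this.roleService.save(role);
            // Report the role's own read-only state instead of echoing the flag from the request
            // body; the response is also what the audit log captures.
            return toResponse(role);
        } catch (ValidationException e) {
            throw new BadRequestException(e);
        }
    }

    /**
     * Deletes a role after removing it from every user that holds it.
     *
     * @param str name of the role to delete, taken from the request path
     * @throws NotFoundException if the role cannot be loaded or the delete removed nothing
     * @throws BadRequestException if the role is read only
     */
    @Path("{rolename}")
    @DELETE
    @ApiOperation("Remove the named role and dissociate any users from it")
    @AuditLog(object = "role")
    public void delete(@PathParam("rolename") @ApiParam(name = "rolename", required = true) String str) throws NotFoundException {
        checkPermission(RestPermissions.ROLES_DELETE, str);
        final Role role = this.roleService.load(str);
        if (role.isReadOnly()) {
            throw new BadRequestException("Cannot delete read only system role " + str);
        }
        // Detach the members first so no user keeps a reference to a role that no longer exists.
        this.userService.dissociateAllUsersFromRole(role);
        if (this.roleService.delete(str) == 0) {
            throw new NotFoundException("Couldn't find role " + str);
        }
    }

    /**
     * Lists the users that are members of a role.
     *
     * <p>A member's permission list is included only when the caller holds
     * {@link RestPermissions#USERS_PERMISSIONSEDIT} for that user; otherwise it is left empty.
     *
     * @param str name of the role, taken from the request path
     * @return the role name together with a summary of each member
     * @throws NotFoundException declared by the role service while loading the role
     */
    @GET
    @Path("{rolename}/members")
    @RequiresPermissions({RestPermissions.USERS_LIST, RestPermissions.ROLES_READ})
    @ApiOperation("Retrieve the role's members")
    public RoleMembershipResponse getMembers(@PathParam("rolename") @ApiParam(name = "rolename", required = true) String str) throws NotFoundException {
        final Role role = this.roleService.load(str);
        final Collection<User> users = this.userService.loadAllForRole(role);
        final Set<UserSummary> members = Sets.newHashSetWithExpectedSize(users.size());
        for (User user : users) {
            members.add(UserSummary.create(
                    user.getId(),
                    user.getName(),
                    user.getEmail(),
                    user.getFullName(),
                    isPermitted(RestPermissions.USERS_PERMISSIONSEDIT, user.getName()) ? this.userService.getPermissionsForUser(user) : Collections.emptyList(),
                    user.getPreferences(),
                    MoreObjects.firstNonNull(user.getTimeZone(), DateTimeZone.UTC).getID(),
                    Long.valueOf(user.getSessionTimeoutMs()),
                    user.isReadOnly(),
                    user.isExternalUser(),
                    user.getStartpage(),
                    this.userService.getRoleNames(user),
                    false,
                    null,
                    null));
        }
        return RoleMembershipResponse.create(role.getName(), members);
    }

    /**
     * Adds a user to a role.
     *
     * @param str name of the role, taken from the request path
     * @param str2 name of the user, taken from the request path
     * @param str3 placeholder request body; it is never read
     * @return an empty "no content" response
     * @throws NotFoundException if the user does not exist, or as declared by the role service
     * @throws BadRequestException if the modified user fails validation
     */
    @Path("{rolename}/members/{username}")
    @ApiOperation("Add a user to a role")
    @AuditLog(object = "role membership", captureResponseEntity = true)
    @PUT
    public Response addMember(@PathParam("rolename") @ApiParam(name = "rolename") String str, @PathParam("username") @ApiParam(name = "username") String str2, @ApiParam(name = "JSON Body", value = "Placeholder because PUT requests should have a body. Set to '{}', the content will be ignored.", defaultValue = "{}") String str3) throws NotFoundException {
        // NOTE(review): the instance passed to ROLES_EDIT is the user name, not the role name, so
        // a grant scoped to one role does not govern who may be added to it. Confirm whether the
        // role name (and an edit permission on the user) should be checked here.
        checkPermission(RestPermissions.ROLES_EDIT, str2);
        final User user = loadExistingUser(str2);
        final Role role = this.roleService.load(str);
        final Set<String> roleIds = Sets.newHashSet(user.getRoleIds());
        roleIds.add(role.getId());
        user.setRoleIds(roleIds);
        try {
            this.userService.save(user);
            return Response.status(Response.Status.NO_CONTENT).build();
        } catch (ValidationException e) {
            throw new BadRequestException("Validation failed", e);
        }
    }

    /**
     * Removes a user from a role.
     *
     * @param str name of the role, taken from the request path
     * @param str2 name of the user, taken from the request path
     * @return an empty "no content" response
     * @throws NotFoundException if the user does not exist, or as declared by the role service
     * @throws BadRequestException if the modified user fails validation
     */
    @Path("{rolename}/members/{username}")
    @DELETE
    @ApiOperation("Remove a user from a role")
    @AuditLog(object = "role membership")
    public Response removeMember(@PathParam("rolename") @ApiParam(name = "rolename") String str, @PathParam("username") @ApiParam(name = "username") String str2) throws NotFoundException {
        // NOTE(review): as in addMember, the ROLES_EDIT instance is the user name rather than the
        // role name; confirm the intended scope of this check.
        checkPermission(RestPermissions.ROLES_EDIT, str2);
        final User user = loadExistingUser(str2);
        final Role role = this.roleService.load(str);
        final Set<String> roleIds = Sets.newHashSet(user.getRoleIds());
        roleIds.remove(role.getId());
        user.setRoleIds(roleIds);
        try {
            this.userService.save(user);
            return Response.status(Response.Status.NO_CONTENT).build();
        } catch (ValidationException e) {
            throw new BadRequestException("Validation failed", e);
        }
    }

    /** Converts a stored role into its REST representation. */
    private static RoleResponse toResponse(Role role) {
        return RoleResponse.create(role.getName(), Optional.fromNullable(role.getDescription()), role.getPermissions(), role.isReadOnly());
    }

    /** Loads a user by name, turning a {@code null} result into a {@link NotFoundException}. */
    private User loadExistingUser(String username) throws NotFoundException {
        final User user = this.userService.load(username);
        if (user == null) {
            throw new NotFoundException("User " + username + " has not been found.");
        }
        return user;
    }
}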
