package org.openmetadata.service.resources.teams;

import at.favre.lib.crypto.bcrypt.BCrypt;
import freemarker.template.TemplateException;
import io.dropwizard.jersey.PATCH;
import io.dropwizard.jersey.errors.ErrorMessage;
import io.swagger.annotations.Api;
import io.swagger.v3.oas.annotations.ExternalDocumentation;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.media.ArraySchema;
import io.swagger.v3.oas.annotations.media.Content;
import io.swagger.v3.oas.annotations.media.ExampleObject;
import io.swagger.v3.oas.annotations.media.Schema;
import io.swagger.v3.oas.annotations.parameters.RequestBody;
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import java.io.IOException;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.util.Base64;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import javax.json.JsonObject;
import javax.json.JsonPatch;
import javax.json.JsonValue;
import javax.validation.Valid;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriInfo;
import org.jetbrains.annotations.Nullable;
import org.openmetadata.schema.EntityInterface;
import org.openmetadata.schema.api.data.RestoreEntity;
import org.openmetadata.schema.api.security.AuthenticationConfiguration;
import org.openmetadata.schema.api.teams.CreateUser;
import org.openmetadata.schema.auth.BasicAuthMechanism;
import org.openmetadata.schema.auth.ChangePasswordRequest;
import org.openmetadata.schema.auth.EmailRequest;
import org.openmetadata.schema.auth.GenerateTokenRequest;
import org.openmetadata.schema.auth.JWTAuthMechanism;
import org.openmetadata.schema.auth.JWTTokenExpiry;
import org.openmetadata.schema.auth.LoginRequest;
import org.openmetadata.schema.auth.LogoutRequest;
import org.openmetadata.schema.auth.PasswordResetRequest;
import org.openmetadata.schema.auth.RegistrationRequest;
import org.openmetadata.schema.auth.RevokeTokenRequest;
import org.openmetadata.schema.auth.SSOAuthMechanism;
import org.openmetadata.schema.auth.TokenRefreshRequest;
import org.openmetadata.schema.email.SmtpSettings;
import org.openmetadata.schema.entity.teams.AuthenticationMechanism;
import org.openmetadata.schema.entity.teams.User;
import org.openmetadata.schema.type.EntityHistory;
import org.openmetadata.schema.type.EntityReference;
import org.openmetadata.schema.type.Include;
import org.openmetadata.schema.type.MetadataOperation;
import org.openmetadata.schema.type.ProviderType;
import org.openmetadata.schema.type.Relationship;
import org.openmetadata.service.Entity;
import org.openmetadata.service.OpenMetadataApplicationConfig;
import org.openmetadata.service.exception.CatalogExceptionMessage;
import org.openmetadata.service.exception.EntityNotFoundException;
import org.openmetadata.service.jdbi3.CollectionDAO;
import org.openmetadata.service.jdbi3.ListFilter;
import org.openmetadata.service.jdbi3.TokenRepository;
import org.openmetadata.service.jdbi3.UserRepository;
import org.openmetadata.service.resources.Collection;
import org.openmetadata.service.resources.EntityResource;
import org.openmetadata.service.secrets.SecretsManager;
import org.openmetadata.service.secrets.SecretsManagerFactory;
import org.openmetadata.service.security.AuthorizationException;
import org.openmetadata.service.security.Authorizer;
import org.openmetadata.service.security.JwtFilter;
import org.openmetadata.service.security.auth.AuthenticatorHandler;
import org.openmetadata.service.security.auth.BotTokenCache;
import org.openmetadata.service.security.jwt.JWTTokenGenerator;
import org.openmetadata.service.security.policyevaluator.OperationContext;
import org.openmetadata.service.security.policyevaluator.ResourceContext;
import org.openmetadata.service.security.policyevaluator.SubjectCache;
import org.openmetadata.service.security.saml.JwtTokenCacheManager;
import org.openmetadata.service.util.EmailUtil;
import org.openmetadata.service.util.EntityUtil;
import org.openmetadata.service.util.JsonUtils;
import org.openmetadata.service.util.PasswordUtil;
import org.openmetadata.service.util.RestUtil;
import org.openmetadata.service.util.ResultList;
import org.openmetadata.service.util.UserUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Api(value = "User collection", tags = {"User collection"})
@Path("/v1/users")
@Consumes({"application/json"})
@Produces({"application/json"})
@Collection(name = "users", order = 3)
/* loaded from: input_file:org/openmetadata/service/resources/teams/UserResource.class */
public class UserResource extends EntityResource<User, UserRepository> {
    private static final Logger LOG = LoggerFactory.getLogger(UserResource.class);
    public static final String COLLECTION_PATH = "v1/users/";
    public static final String USER_PROTECTED_FIELDS = "authenticationMechanism";
    private final JWTTokenGenerator jwtTokenGenerator;
    private final TokenRepository tokenRepository;
    private boolean isEmailServiceEnabled;
    private AuthenticationConfiguration authenticationConfiguration;
    private final AuthenticatorHandler authHandler;
    static final String FIELDS = "profile,roles,teams,follows,owns";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.openmetadata.service.resources.teams.UserResource$1, reason: invalid class name */
    /* loaded from: input_file:org/openmetadata/service/resources/teams/UserResource$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$openmetadata$schema$entity$teams$AuthenticationMechanism$AuthType = new int[AuthenticationMechanism.AuthType.values().length];

        static {
            try {
                $SwitchMap$org$openmetadata$schema$entity$teams$AuthenticationMechanism$AuthType[AuthenticationMechanism.AuthType.JWT.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$openmetadata$schema$entity$teams$AuthenticationMechanism$AuthType[AuthenticationMechanism.AuthType.SSO.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* loaded from: input_file:org/openmetadata/service/resources/teams/UserResource$UserList.class */
    public static class UserList extends ResultList<User> {
    }

    @Override // org.openmetadata.service.resources.EntityResource
    public User addHref(UriInfo uriInfo, User user) {
        Entity.withHref(uriInfo, (List<EntityReference>) user.getTeams());
        Entity.withHref(uriInfo, (List<EntityReference>) user.getRoles());
        Entity.withHref(uriInfo, (List<EntityReference>) user.getInheritedRoles());
        Entity.withHref(uriInfo, (List<EntityReference>) user.getOwns());
        Entity.withHref(uriInfo, (List<EntityReference>) user.getFollows());
        return user;
    }

    public UserResource(CollectionDAO collectionDAO, Authorizer authorizer, AuthenticatorHandler authenticatorHandler) {
        super(User.class, new UserRepository(collectionDAO), authorizer);
        this.jwtTokenGenerator = JWTTokenGenerator.getInstance();
        this.allowedFields.remove(USER_PROTECTED_FIELDS);
        this.tokenRepository = new TokenRepository(collectionDAO);
        this.authHandler = authenticatorHandler;
    }

    @Override // org.openmetadata.service.resources.EntityResource
    public void initialize(OpenMetadataApplicationConfig openMetadataApplicationConfig) {
        this.authenticationConfiguration = openMetadataApplicationConfig.getAuthenticationConfiguration();
        SmtpSettings smtpSettings = openMetadataApplicationConfig.getSmtpSettings();
        this.isEmailServiceEnabled = smtpSettings != null && smtpSettings.getEnableSmtpServer().booleanValue();
        ((UserRepository) this.dao).initializeUsers(openMetadataApplicationConfig);
        SubjectCache.initialize();
    }

    @GET
    @Valid
    @Operation(operationId = "listUsers", summary = "List users", tags = {"users"}, description = "Get a list of users. Use `fields` parameter to get only necessary fields. Use cursor-based pagination to limit the number entries in the list using `limit` and `before` or `after` query params.", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = UserList.class))})})
    public ResultList<User> list(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Parameter(description = "Fields requested in the returned resource", schema = @Schema(type = "string", example = "profile,roles,teams,follows,owns")) @QueryParam("fields") String str, @Parameter(description = "Filter users by team", schema = @Schema(type = "string", example = "Legal")) @QueryParam("team") String str2, @Max(1000000) @Min(0) @QueryParam("limit") @DefaultValue("10") @Parameter(description = "Limit the number users returned. (1 to 1000000, default = 10)") int i, @Parameter(description = "Returns list of users before this cursor", schema = @Schema(type = "string")) @QueryParam("before") String str3, @Parameter(description = "Returns list of users after this cursor", schema = @Schema(type = "string")) @QueryParam("after") String str4, @Parameter(description = "Returns list of admin users if set to true", schema = @Schema(type = "boolean")) @QueryParam("isAdmin") Boolean bool, @Parameter(description = "Returns list of bot users if set to true", schema = @Schema(type = "boolean")) @QueryParam("isBot") Boolean bool2, @Parameter(description = "Include all, deleted, or non-deleted entities.", schema = @Schema(implementation = Include.class)) @QueryParam("include") @DefaultValue("non-deleted") Include include) throws IOException {
        ListFilter addQueryParam = new ListFilter(include).addQueryParam(Entity.TEAM, str2);
        if (bool != null) {
            addQueryParam.addQueryParam("isAdmin", String.valueOf(bool));
        }
        if (bool2 != null) {
            addQueryParam.addQueryParam(JwtFilter.BOT_CLAIM, String.valueOf(bool2));
        }
        ResultList<User> listInternal = listInternal(uriInfo, securityContext, str, addQueryParam, i, str3, str4);
        listInternal.getData().forEach(user -> {
            decryptOrNullify(securityContext, user);
        });
        return listInternal;
    }

    @GET
    @Path("/{id}/versions")
    @Operation(operationId = "listAllUserVersion", summary = "List user versions", tags = {"users"}, description = "Get a list of all the versions of a user identified by `id`", responses = {@ApiResponse(responseCode = "200", description = "List of user versions", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = EntityHistory.class))})})
    public EntityHistory listVersions(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Parameter(description = "user Id", schema = @Schema(type = "string")) @PathParam("id") UUID uuid) throws IOException {
        return super.listVersionsInternal(securityContext, uuid);
    }

    @GET
    @Path("/generateRandomPwd")
    @Operation(operationId = "generateRandomPwd", summary = "generateRandomPwd", tags = {"users"}, description = "Generate a random pwd", responses = {@ApiResponse(responseCode = "200", description = "Random pwd")})
    public Response generateRandomPassword(@Context UriInfo uriInfo, @Context SecurityContext securityContext) {
        this.authorizer.authorizeAdmin(securityContext);
        return Response.status(Response.Status.OK).entity(PasswordUtil.generateRandomPassword()).build();
    }

    @GET
    @Path("/{id}")
    @Valid
    @Operation(operationId = "getUserByID", summary = "Get a user", tags = {"users"}, description = "Get a user by `id`", responses = {@ApiResponse(responseCode = "200", description = "The user", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = User.class))}), @ApiResponse(responseCode = "404", description = "User for instance {id} is not found")})
    public User get(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @PathParam("id") UUID uuid, @Parameter(description = "Fields requested in the returned resource", schema = @Schema(type = "string", example = "profile,roles,teams,follows,owns")) @QueryParam("fields") String str, @Parameter(description = "Include all, deleted, or non-deleted entities.", schema = @Schema(implementation = Include.class)) @QueryParam("include") @DefaultValue("non-deleted") Include include) throws IOException {
        return decryptOrNullify(securityContext, getInternal(uriInfo, securityContext, uuid, str, include));
    }

    @GET
    @Path("/name/{name}")
    @Valid
    @Operation(operationId = "getUserByFQN", summary = "Get a user by name", tags = {"users"}, description = "Get a user by `name`.", responses = {@ApiResponse(responseCode = "200", description = "The user", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = User.class))}), @ApiResponse(responseCode = "404", description = "User for instance {id} is not found")})
    public User getByName(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @PathParam("name") String str, @Parameter(description = "Fields requested in the returned resource", schema = @Schema(type = "string", example = "profile,roles,teams,follows,owns")) @QueryParam("fields") String str2, @Parameter(description = "Include all, deleted, or non-deleted entities.", schema = @Schema(implementation = Include.class)) @QueryParam("include") @DefaultValue("non-deleted") Include include) throws IOException {
        return decryptOrNullify(securityContext, getByNameInternal(uriInfo, securityContext, str, str2, include));
    }

    @GET
    @Path("/loggedInUser")
    @Valid
    @Operation(operationId = "getCurrentLoggedInUser", summary = "Get current logged in user", tags = {"users"}, description = "Get the user who is authenticated and is currently logged in.", responses = {@ApiResponse(responseCode = "200", description = "The user", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = User.class))}), @ApiResponse(responseCode = "404", description = "User not found")})
    public User getCurrentLoggedInUser(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Parameter(description = "Fields requested in the returned resource", schema = @Schema(type = "string", example = "profile,roles,teams,follows,owns")) @QueryParam("fields") String str) throws IOException {
        EntityUtil.Fields fields = getFields(str);
        return addHref(uriInfo, ((UserRepository) this.dao).getByName(uriInfo, securityContext.getUserPrincipal().getName(), fields));
    }

    @GET
    @Path("/loggedInUser/groupTeams")
    @Valid
    @Operation(operationId = "getCurrentLoggedInUserGroupTeams", summary = "Get group type of teams for current logged in user", tags = {"users"}, description = "Get the group type of teams of user who is authenticated and is currently logged in.", responses = {@ApiResponse(responseCode = "200", description = "The teams of type 'Group' that a user belongs to", content = {@Content(mediaType = "application/json", array = @ArraySchema(schema = @Schema(implementation = EntityReference.class)))}), @ApiResponse(responseCode = "404", description = "User not found")})
    public List<EntityReference> getCurrentLoggedInUser(@Context UriInfo uriInfo, @Context SecurityContext securityContext) throws IOException {
        return ((UserRepository) this.dao).getGroupTeams(uriInfo, securityContext.getUserPrincipal().getName());
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.time.ZonedDateTime] */
    @POST
    @Path("/logout")
    @Operation(operationId = "logoutUser", summary = "Logout a User(Only called for saml and basic Auth)", tags = {"users"}, description = "Logout a User(Only called for saml and basic Auth)", responses = {@ApiResponse(responseCode = "200", description = "The user "), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response logoutUser(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid LogoutRequest logoutRequest) {
        JwtTokenCacheManager.getInstance().markLogoutEventForToken(new LogoutRequest().withUsername(securityContext.getUserPrincipal().getName()).withToken(logoutRequest.getToken()).withLogoutTime(Date.from(LocalDateTime.now().atZone(ZoneId.systemDefault()).toInstant())));
        if (isBasicAuth() && logoutRequest.getRefreshToken() != null) {
            this.tokenRepository.deleteToken(logoutRequest.getRefreshToken());
        }
        return Response.status(200).entity("Logout Successful").build();
    }

    @GET
    @Path("/{id}/versions/{version}")
    @Operation(operationId = "getSpecificUserVersion", summary = "Get a version of the user", tags = {"users"}, description = "Get a version of the user by given `id`", responses = {@ApiResponse(responseCode = "200", description = Entity.USER, content = {@Content(mediaType = "application/json", schema = @Schema(implementation = User.class))}), @ApiResponse(responseCode = "404", description = "User for instance {id} and version {version} is not found")})
    public User getVersion(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Parameter(description = "User Id", schema = @Schema(type = "string")) @PathParam("id") UUID uuid, @Parameter(description = "User version number in the form `major`.`minor`", schema = @Schema(type = "string", example = "0.1 or 1.1")) @PathParam("version") String str) throws IOException {
        return super.getVersionInternal(securityContext, uuid, str);
    }

    @POST
    @Operation(operationId = "createUser", summary = "Create a user", tags = {"users"}, description = "Create a new user.", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = User.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response createUser(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid CreateUser createUser) throws IOException {
        User user = getUser(securityContext, createUser);
        if (Boolean.TRUE.equals(createUser.getIsAdmin())) {
            this.authorizer.authorizeAdmin(securityContext);
        }
        if (Boolean.TRUE.equals(createUser.getIsBot())) {
            addAuthMechanismToBot(user, createUser, uriInfo);
        }
        if (isBasicAuth()) {
            try {
                validateEmailAlreadyExists(createUser.getEmail());
                user.setName(user.getEmail().split("@")[0]);
                if (Boolean.FALSE.equals(createUser.getIsBot()) && createUser.getCreatePasswordType() == CreateUser.CreatePasswordType.ADMIN_CREATE) {
                    addAuthMechanismToUser(user, createUser);
                }
            } catch (RuntimeException e) {
                return Response.status(Response.Status.CONFLICT).type(MediaType.APPLICATION_JSON_TYPE).entity(new ErrorMessage(Response.Status.CONFLICT.getStatusCode(), CatalogExceptionMessage.ENTITY_ALREADY_EXISTS)).build();
            }
        }
        addHref(uriInfo, ((UserRepository) this.dao).create(uriInfo, user));
        if (isBasicAuth() && this.isEmailServiceEnabled) {
            try {
                this.authHandler.sendInviteMailToUser(uriInfo, user, String.format("Welcome to %s", EmailUtil.getInstance().getEmailingEntity()), createUser.getCreatePasswordType(), createUser.getPassword());
            } catch (Exception e2) {
                LOG.error("Error in sending invite to User" + e2.getMessage());
            }
        }
        Response build = Response.created(user.getHref()).entity(user).build();
        decryptOrNullify(securityContext, (User) build.getEntity());
        return build;
    }

    private boolean isBasicAuth() {
        return this.authenticationConfiguration.getProvider().equals(SSOAuthMechanism.SsoServiceType.BASIC.toString());
    }

    @PUT
    @Operation(summary = "Update user", tags = {"users"}, description = "Create or Update a user.", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = CreateUser.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response createOrUpdateUser(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid CreateUser createUser) throws IOException {
        User user = getUser(securityContext, createUser);
        ResourceContext resourceContextByName = getResourceContextByName(user.getFullyQualifiedName());
        ((UserRepository) this.dao).prepareInternal(user);
        if (Boolean.TRUE.equals(createUser.getIsAdmin()) || Boolean.TRUE.equals(createUser.getIsBot())) {
            this.authorizer.authorizeAdmin(securityContext);
        } else if (!securityContext.getUserPrincipal().getName().equals(user.getName())) {
            this.authorizer.authorize(securityContext, new OperationContext(this.entityType, EntityUtil.createOrUpdateOperation(resourceContextByName)), resourceContextByName);
        }
        if (Boolean.TRUE.equals(createUser.getIsBot())) {
            return createOrUpdateBot(user, createUser, uriInfo, securityContext);
        }
        RestUtil.PutResponse<User> createOrUpdate = ((UserRepository) this.dao).createOrUpdate(uriInfo, user);
        addHref(uriInfo, createOrUpdate.getEntity());
        return createOrUpdate.toResponse();
    }

    @Path("/generateToken/{id}")
    @PUT
    @Operation(operationId = "generateJWTTokenForBotUser", summary = "Generate JWT Token for a Bot User", tags = {"users"}, description = "Generate JWT Token for a Bot User.", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = JWTTokenExpiry.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response generateToken(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @PathParam("id") UUID uuid, @Valid GenerateTokenRequest generateTokenRequest) throws IOException {
        this.authorizer.authorizeAdmin(securityContext);
        User user = ((UserRepository) this.dao).get(uriInfo, uuid, ((UserRepository) this.dao).getFieldsWithUserAuth("*"));
        user.setAuthenticationMechanism(new AuthenticationMechanism().withConfig(this.jwtTokenGenerator.generateJWTToken(user, generateTokenRequest.getJWTTokenExpiry())).withAuthType(AuthenticationMechanism.AuthType.JWT));
        return Response.status(Response.Status.OK).entity((JWTAuthMechanism) JsonUtils.convertValue(((UserRepository) this.dao).createOrUpdate(uriInfo, user).getEntity().getAuthenticationMechanism().getConfig(), JWTAuthMechanism.class)).build();
    }

    @Path("/revokeToken")
    @PUT
    @Operation(operationId = "revokeJWTTokenForBotUser", summary = "Revoke JWT Token for a Bot User", tags = {"users"}, description = "Revoke JWT Token for a Bot User.", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = JWTAuthMechanism.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response revokeToken(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid RevokeTokenRequest revokeTokenRequest) throws IOException {
        this.authorizer.authorizeAdmin(securityContext);
        User user = ((UserRepository) this.dao).get(uriInfo, revokeTokenRequest.getId(), ((UserRepository) this.dao).getFieldsWithUserAuth("*"));
        if (!user.getIsBot().booleanValue()) {
            throw new IllegalStateException(CatalogExceptionMessage.INVALID_BOT_USER);
        }
        user.setAuthenticationMechanism(new AuthenticationMechanism().withConfig(new JWTAuthMechanism().withJWTToken(BotTokenCache.EMPTY_STRING)).withAuthType(AuthenticationMechanism.AuthType.JWT));
        RestUtil.PutResponse<User> createOrUpdate = ((UserRepository) this.dao).createOrUpdate(uriInfo, user);
        addHref(uriInfo, createOrUpdate.getEntity());
        BotTokenCache.getInstance().invalidateToken(user.getName());
        return createOrUpdate.toResponse();
    }

    @GET
    @Path("/token/{id}")
    @Operation(operationId = "getJWTTokenForBotUser", summary = "Get JWT Token for a Bot User", tags = {"users"}, description = "Get JWT Token for a Bot User.", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = JWTAuthMechanism.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public JWTAuthMechanism getToken(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @PathParam("id") UUID uuid) throws IOException {
        User user = ((UserRepository) this.dao).get(uriInfo, uuid, new EntityUtil.Fields(List.of(USER_PROTECTED_FIELDS)));
        if (!Boolean.TRUE.equals(user.getIsBot())) {
            throw new IllegalArgumentException("JWT token is only supported for bot users");
        }
        decryptOrNullify(securityContext, user);
        this.authorizer.authorizeAdmin(securityContext);
        AuthenticationMechanism authenticationMechanism = user.getAuthenticationMechanism();
        return (authenticationMechanism == null || authenticationMechanism.getConfig() == null || authenticationMechanism.getAuthType() != AuthenticationMechanism.AuthType.JWT) ? new JWTAuthMechanism() : (JWTAuthMechanism) JsonUtils.convertValue(authenticationMechanism.getConfig(), JWTAuthMechanism.class);
    }

    @GET
    @Path("/auth-mechanism/{id}")
    @Operation(operationId = "getAuthenticationMechanismBotUser", summary = "Get Authentication Mechanism for a Bot User", tags = {"users"}, description = "Get Authentication Mechanism for a Bot User.", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = AuthenticationMechanism.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public AuthenticationMechanism getAuthenticationMechanism(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @PathParam("id") UUID uuid) throws IOException {
        User user = ((UserRepository) this.dao).get(uriInfo, uuid, new EntityUtil.Fields(List.of(USER_PROTECTED_FIELDS)));
        if (!Boolean.TRUE.equals(user.getIsBot())) {
            throw new IllegalArgumentException("JWT token is only supported for bot users");
        }
        decryptOrNullify(securityContext, user);
        this.authorizer.authorizeAdmin(securityContext);
        return user.getAuthenticationMechanism();
    }

    @Path("/{id}")
    @PATCH
    @Consumes({"application/json-patch+json"})
    @Operation(operationId = "patchUser", summary = "Update a user", tags = {"users"}, description = "Update an existing user using JsonPatch.", externalDocs = @ExternalDocumentation(description = "JsonPatch RFC", url = "https://tools.ietf.org/html/rfc6902"))
    public Response patch(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @PathParam("id") UUID uuid, @RequestBody(description = "JsonPatch with array of operations", content = {@Content(mediaType = "application/json-patch+json", examples = {@ExampleObject("[{op:remove, path:/a},{op:add, path: /b, value: val}]")})}) JsonPatch jsonPatch) throws IOException {
        Iterator it = jsonPatch.toJsonArray().iterator();
        while (it.hasNext()) {
            JsonObject asJsonObject = ((JsonValue) it.next()).asJsonObject();
            if (asJsonObject.containsKey("path") && asJsonObject.containsKey("value")) {
                String string = asJsonObject.getString("path");
                if (string.equals("/isAdmin") || string.equals("/isBot")) {
                    this.authorizer.authorizeAdmin(securityContext);
                }
                if (asJsonObject.containsKey("op") && asJsonObject.getString("op").equals("add") && string.startsWith("/teams/")) {
                    JsonObject jsonObject = null;
                    try {
                        jsonObject = asJsonObject.getJsonObject("value");
                    } catch (Exception e) {
                    }
                    if (jsonObject != null) {
                        String string2 = jsonObject.getString("id");
                        ((UserRepository) this.dao).validateTeamAddition(uuid, UUID.fromString(string2));
                        if (!((UserRepository) this.dao).isTeamJoinable(string2)) {
                            this.authorizer.authorizeAdmin(securityContext);
                        }
                    }
                }
            }
        }
        return patchInternal(uriInfo, securityContext, uuid, jsonPatch);
    }

    @Path("/{id}")
    @DELETE
    @Operation(operationId = "deleteUser", summary = "Delete a user", tags = {"users"}, description = "Users can't be deleted but are soft-deleted.", responses = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "User for instance {id} is not found")})
    public Response delete(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Parameter(description = "Hard delete the entity. (Default = `false`)") @QueryParam("hardDelete") @DefaultValue("false") boolean z, @Parameter(description = "User Id", schema = @Schema(type = "UUID")) @PathParam("id") UUID uuid) throws IOException {
        Response delete = delete(uriInfo, securityContext, uuid, false, z);
        decryptOrNullify(securityContext, (User) delete.getEntity());
        return delete;
    }

    @Path("/name/{name}")
    @DELETE
    @Operation(operationId = "deleteUserByName", summary = "Delete a user", tags = {"users"}, description = "Users can't be deleted but are soft-deleted.", responses = {@ApiResponse(responseCode = "200", description = "OK"), @ApiResponse(responseCode = "404", description = "User for instance {name} is not found")})
    public Response delete(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Parameter(description = "Hard delete the entity. (Default = `false`)") @QueryParam("hardDelete") @DefaultValue("false") boolean z, @Parameter(description = "Name of the user", schema = @Schema(type = "string")) @PathParam("name") String str) throws IOException {
        return deleteByName(uriInfo, securityContext, str, false, z);
    }

    @Path("/restore")
    @PUT
    @Operation(operationId = "restore", summary = "Restore a soft deleted User.", tags = {"users"}, description = "Restore a soft deleted User.", responses = {@ApiResponse(responseCode = "200", description = "Successfully restored the User ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = User.class))})})
    public Response restoreTable(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid RestoreEntity restoreEntity) throws IOException {
        return restoreEntity(uriInfo, securityContext, restoreEntity.getId());
    }

    @POST
    @Path("/signup")
    @Operation(operationId = "registerUser", summary = "Register User", tags = {"users"}, description = "Register a new User", responses = {@ApiResponse(responseCode = "200", description = "The user "), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response registerNewUser(@Context UriInfo uriInfo, @Valid RegistrationRequest registrationRequest) throws IOException {
        User registerUser = this.authHandler.registerUser(registrationRequest);
        this.authHandler.sendEmailVerification(uriInfo, registerUser);
        return Response.status(Response.Status.CREATED.getStatusCode(), "User Registration Successful.").entity(registerUser).build();
    }

    @Path("/registrationConfirmation")
    @PUT
    @Operation(operationId = "confirmUserEmail", summary = "Confirm User Email", tags = {"users"}, description = "Confirm User Email", responses = {@ApiResponse(responseCode = "200", description = "The user "), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response confirmUserEmail(@Context UriInfo uriInfo, @Parameter(description = "Token sent for Email Confirmation", schema = @Schema(type = "string")) @QueryParam("token") String str) throws IOException {
        this.authHandler.confirmEmailRegistration(uriInfo, str);
        return Response.status(Response.Status.OK).entity("Email Verified Successfully").build();
    }

    @Path("/resendRegistrationToken")
    @PUT
    @Operation(operationId = "resendRegistrationToken", summary = "Resend Registration Token", tags = {"users"}, description = "Resend Registration Token", responses = {@ApiResponse(responseCode = "200", description = "The user "), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response resendRegistrationToken(@Context UriInfo uriInfo, @Parameter(description = "Token sent for Email Confirmation Earlier", schema = @Schema(type = "string")) @QueryParam("user") String str) throws IOException {
        User byName = ((UserRepository) this.dao).getByName(uriInfo, str, getFields("isEmailVerified"));
        if (Boolean.TRUE.equals(byName.getIsEmailVerified())) {
            return Response.status(Response.Status.OK).entity("Email Already Verified.").build();
        }
        this.authHandler.resendRegistrationToken(uriInfo, byName);
        return Response.status(Response.Status.OK).entity("Email Verification Mail Sent. Please check your Mailbox.").build();
    }

    @POST
    @Path("/generatePasswordResetLink")
    @Operation(operationId = "generatePasswordResetLink", summary = "Generate Password Reset Link", tags = {"users"}, description = "Generate Password Reset Link", responses = {@ApiResponse(responseCode = "200", description = "The user "), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response generateResetPasswordLink(@Context UriInfo uriInfo, @Valid EmailRequest emailRequest) {
        try {
            try {
                this.authHandler.sendPasswordResetLink(uriInfo, ((UserRepository) this.dao).getByName(uriInfo, emailRequest.getEmail().split("@")[0], new EntityUtil.Fields(List.of(USER_PROTECTED_FIELDS), USER_PROTECTED_FIELDS)), EmailUtil.getInstance().getPasswordResetSubject(), EmailUtil.PASSWORD_RESET_TEMPLATE_FILE);
                return Response.status(Response.Status.OK).entity("Please check your mail to for Reset Password Link.").build();
            } catch (Exception e) {
                LOG.error("Error in sending mail for reset password" + e.getMessage());
                return Response.status(424).entity(new ErrorMessage(424, CatalogExceptionMessage.EMAIL_SENDING_ISSUE)).build();
            }
        } catch (IOException e2) {
            throw new BadRequestException("Email is not valid.");
        }
    }

    @POST
    @Path("/password/reset")
    @Operation(operationId = "resetUserPassword", summary = "Reset Password For User", tags = {"users"}, description = "Reset User Password", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = User.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response resetUserPassword(@Context UriInfo uriInfo, @Valid PasswordResetRequest passwordResetRequest) throws IOException {
        this.authHandler.resetUserPasswordWithToken(uriInfo, passwordResetRequest);
        return Response.status(200).entity("Password Changed Successfully").build();
    }

    @Path("/changePassword")
    @PUT
    @Operation(operationId = "changeUserPassword", summary = "Change Password For User", tags = {"users"}, description = "Create a new user.", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = User.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response changeUserPassword(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid ChangePasswordRequest changePasswordRequest) throws IOException {
        if (changePasswordRequest.getRequestType() == ChangePasswordRequest.RequestType.SELF) {
            this.authHandler.changeUserPwdWithOldPwd(uriInfo, securityContext.getUserPrincipal().getName(), changePasswordRequest);
        } else {
            this.authorizer.authorizeAdmin(securityContext);
            this.authHandler.changeUserPwdWithOldPwd(uriInfo, changePasswordRequest.getUsername(), changePasswordRequest);
        }
        return Response.status(Response.Status.OK).entity("Password Updated Successfully").build();
    }

    @POST
    @Path("/checkEmailInUse")
    @Operation(operationId = "checkEmailInUse", summary = "Check if a mail is already in use", tags = {"users"}, description = "Check if a mail is already in use", responses = {@ApiResponse(responseCode = "200", description = "Return true or false", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = Boolean.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response checkEmailInUse(@Valid EmailRequest emailRequest) {
        return Response.status(Response.Status.OK).entity(Boolean.valueOf(((UserRepository) this.dao).checkEmailAlreadyExists(emailRequest.getEmail()))).build();
    }

    @POST
    @Path("/checkEmailVerified")
    @Operation(operationId = "checkEmailIsVerified", summary = "Check if a mail is verified", tags = {"users"}, description = "Check if a mail is already in use", responses = {@ApiResponse(responseCode = "200", description = "Return true or false", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = Boolean.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response checkEmailVerified(@Context UriInfo uriInfo, @Valid EmailRequest emailRequest) throws IOException {
        return Response.status(Response.Status.OK).entity(((UserRepository) this.dao).getByName(uriInfo, emailRequest.getEmail().split("@")[0], getFields("isEmailVerified")).getIsEmailVerified()).build();
    }

    @POST
    @Path("/login")
    @Operation(operationId = "loginUserWithPwd", summary = "Login User by Password", tags = {"users"}, description = "Login a user with Password", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = JWTTokenExpiry.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response loginUserWithPassword(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid LoginRequest loginRequest) throws IOException, TemplateException {
        loginRequest.withPassword(new String(Base64.getDecoder().decode(loginRequest.getPassword())));
        return Response.status(Response.Status.OK).entity(this.authHandler.loginUser(loginRequest)).build();
    }

    @POST
    @Path("/refresh")
    @Operation(operationId = "refreshToken", summary = "Provide access token to User with refresh token", tags = {"users"}, description = "Provide access token to User with refresh token", responses = {@ApiResponse(responseCode = "200", description = "The user ", content = {@Content(mediaType = "application/json", schema = @Schema(implementation = JWTTokenExpiry.class))}), @ApiResponse(responseCode = "400", description = "Bad request")})
    public Response refreshToken(@Context UriInfo uriInfo, @Context SecurityContext securityContext, @Valid TokenRefreshRequest tokenRefreshRequest) throws IOException {
        return Response.status(Response.Status.OK).entity(this.authHandler.getNewAccessToken(tokenRefreshRequest)).build();
    }

    private User getUser(SecurityContext securityContext, CreateUser createUser) {
        return new User().withId(UUID.randomUUID()).withName(createUser.getName()).withFullyQualifiedName(createUser.getName()).withEmail(createUser.getEmail()).withDescription(createUser.getDescription()).withDisplayName(createUser.getDisplayName()).withIsBot(createUser.getIsBot()).withIsAdmin(createUser.getIsAdmin()).withProfile(createUser.getProfile()).withTimezone(createUser.getTimezone()).withUpdatedBy(securityContext.getUserPrincipal().getName()).withUpdatedAt(Long.valueOf(System.currentTimeMillis())).withTeams(EntityUtil.toEntityReferences(createUser.getTeams(), Entity.TEAM)).withRoles(EntityUtil.toEntityReferences(createUser.getRoles(), Entity.ROLE));
    }

    public void validateEmailAlreadyExists(String str) {
        if (((UserRepository) this.dao).checkEmailAlreadyExists(str)) {
            throw new RuntimeException("User with Email Already Exists");
        }
    }

    private Response createOrUpdateBot(User user, CreateUser createUser, UriInfo uriInfo, SecurityContext securityContext) throws IOException {
        User retrieveBotUser = retrieveBotUser(user, uriInfo);
        String botName = createUser.getBotName();
        EntityInterface retrieveBot = retrieveBot(botName);
        if (!botHasRelationshipWithUser(retrieveBot, retrieveBotUser) && retrieveBotUser != null && userHasRelationshipWithAnyBot(retrieveBotUser, retrieveBot)) {
            throw new IllegalArgumentException(CatalogExceptionMessage.userAlreadyBot(user.getName(), Entity.getEntityRepository(Entity.BOT).get(null, retrieveBotRelationshipsFor(retrieveBotUser).stream().findFirst().orElseThrow().getId(), EntityUtil.Fields.EMPTY_FIELDS).getName()));
        }
        if (retrieveBotUser != null) {
            user.setRoles(retrieveBotUser.getRoles());
        } else if (retrieveBot != null && ProviderType.SYSTEM.equals(retrieveBot.getProvider())) {
            user.setRoles(UserUtil.getRoleForBot(botName));
        }
        addAuthMechanismToBot(user, createUser, uriInfo);
        RestUtil.PutResponse<User> createOrUpdate = ((UserRepository) this.dao).createOrUpdate(uriInfo, user);
        decryptOrNullify(securityContext, createOrUpdate.getEntity());
        return createOrUpdate.toResponse();
    }

    private EntityInterface retrieveBot(String str) {
        try {
            return Entity.getEntityRepository(Entity.BOT).getByName(null, str, EntityUtil.Fields.EMPTY_FIELDS);
        } catch (Exception e) {
            return null;
        }
    }

    private boolean userHasRelationshipWithAnyBot(User user, EntityInterface entityInterface) {
        List<CollectionDAO.EntityRelationshipRecord> retrieveBotRelationshipsFor = retrieveBotRelationshipsFor(user);
        return !retrieveBotRelationshipsFor.isEmpty() && (entityInterface == null || retrieveBotRelationshipsFor.stream().anyMatch(entityRelationshipRecord -> {
            return !entityRelationshipRecord.getId().equals(entityInterface.getId());
        }));
    }

    private List<CollectionDAO.EntityRelationshipRecord> retrieveBotRelationshipsFor(User user) {
        return ((UserRepository) this.dao).findFrom(user.getId(), Entity.USER, Relationship.CONTAINS, Entity.BOT);
    }

    private boolean botHasRelationshipWithUser(EntityInterface entityInterface, User user) {
        if (entityInterface == null || user == null) {
            return false;
        }
        List<CollectionDAO.EntityRelationshipRecord> retrieveBotRelationshipsFor = retrieveBotRelationshipsFor(entityInterface);
        return !retrieveBotRelationshipsFor.isEmpty() && retrieveBotRelationshipsFor.get(0).getId().equals(user.getId());
    }

    private List<CollectionDAO.EntityRelationshipRecord> retrieveBotRelationshipsFor(EntityInterface entityInterface) {
        return ((UserRepository) this.dao).findTo(entityInterface.getId(), Entity.BOT, Relationship.CONTAINS, Entity.USER);
    }

    private void addAuthMechanismToBot(User user, @Valid CreateUser createUser, UriInfo uriInfo) {
        if (!Boolean.TRUE.equals(user.getIsBot())) {
            throw new IllegalArgumentException("Authentication mechanism change is only supported for bot users");
        }
        if (!isValidAuthenticationMechanism(createUser)) {
            throw new IllegalArgumentException(String.format("Authentication mechanism is empty bot user: [%s]", user.getName()));
        }
        AuthenticationMechanism authenticationMechanism = createUser.getAuthenticationMechanism();
        AuthenticationMechanism.AuthType authType = authenticationMechanism.getAuthType();
        switch (AnonymousClass1.$SwitchMap$org$openmetadata$schema$entity$teams$AuthenticationMechanism$AuthType[authType.ordinal()]) {
            case 1:
                User retrieveBotUser = retrieveBotUser(user, uriInfo);
                if (retrieveBotUser != null && hasAJWTAuthMechanism(retrieveBotUser.getAuthenticationMechanism())) {
                    authenticationMechanism = retrieveBotUser.getAuthenticationMechanism();
                    break;
                } else {
                    authenticationMechanism.setConfig(this.jwtTokenGenerator.generateJWTToken(user, ((JWTAuthMechanism) JsonUtils.convertValue(authenticationMechanism.getConfig(), JWTAuthMechanism.class)).getJWTTokenExpiry()));
                    break;
                }
                break;
            case 2:
                authenticationMechanism.setConfig((SSOAuthMechanism) JsonUtils.convertValue(authenticationMechanism.getConfig(), SSOAuthMechanism.class));
                break;
            default:
                throw new IllegalArgumentException(String.format("Not supported authentication mechanism type: [%s]", authType.value()));
        }
        user.setAuthenticationMechanism(authenticationMechanism);
    }

    @Nullable
    private User retrieveBotUser(User user, UriInfo uriInfo) {
        User user2;
        try {
            user2 = ((UserRepository) this.dao).getByName(uriInfo, user.getFullyQualifiedName(), ((UserRepository) this.dao).getFieldsWithUserAuth("*"));
        } catch (IOException | EntityNotFoundException e) {
            LOG.debug(String.format("User not found when adding auth mechanism for: [%s]", user.getName()));
            user2 = null;
        }
        return user2;
    }

    private void addAuthMechanismToUser(User user, @Valid CreateUser createUser) {
        if (!createUser.getPassword().equals(createUser.getConfirmPassword())) {
            throw new IllegalArgumentException("Password and Confirm Password should be same.");
        }
        PasswordUtil.validatePassword(createUser.getPassword());
        user.setAuthenticationMechanism(new AuthenticationMechanism().withAuthType(AuthenticationMechanism.AuthType.BASIC).withConfig(new BasicAuthMechanism().withPassword(BCrypt.withDefaults().hashToString(12, createUser.getPassword().toCharArray()))));
    }

    private boolean hasAJWTAuthMechanism(AuthenticationMechanism authenticationMechanism) {
        JWTAuthMechanism jWTAuthMechanism;
        return (authenticationMechanism == null || !AuthenticationMechanism.AuthType.JWT.equals(authenticationMechanism.getAuthType()) || (jWTAuthMechanism = (JWTAuthMechanism) JsonUtils.convertValue(authenticationMechanism.getConfig(), JWTAuthMechanism.class)) == null || jWTAuthMechanism.getJWTToken() == null || BotTokenCache.EMPTY_STRING.equals(jWTAuthMechanism.getJWTToken())) ? false : true;
    }

    private boolean isValidAuthenticationMechanism(CreateUser createUser) {
        if (createUser.getAuthenticationMechanism() == null) {
            return false;
        }
        if (createUser.getAuthenticationMechanism().getConfig() == null || createUser.getAuthenticationMechanism().getAuthType() == null) {
            throw new IllegalArgumentException(String.format("Incomplete authentication mechanism parameters for bot user: [%s]", createUser.getName()));
        }
        return true;
    }

    private User decryptOrNullify(SecurityContext securityContext, User user) {
        SecretsManager secretsManager = SecretsManagerFactory.getSecretsManager();
        if (Boolean.TRUE.equals(user.getIsBot()) && user.getAuthenticationMechanism() != null) {
            try {
                this.authorizer.authorize(securityContext, new OperationContext(this.entityType, MetadataOperation.VIEW_ALL), getResourceContextById(user.getId()));
                user.withAuthenticationMechanism(secretsManager.encryptOrDecryptAuthenticationMechanism(user.getName(), user.getAuthenticationMechanism(), false));
            } catch (IOException | AuthorizationException e) {
                user.getAuthenticationMechanism().setConfig((Object) null);
                return user;
            }
        }
        return user;
    }
}
