package org.graylog2.rest.resources.users;

import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.google.common.base.Objects;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import groovy.swing.SwingBuilder;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import javax.inject.Inject;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.GET;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.realm.text.IniRealm;
import org.graylog2.Configuration;
import org.graylog2.database.ValidationException;
import org.graylog2.rest.documentation.annotations.Api;
import org.graylog2.rest.documentation.annotations.ApiOperation;
import org.graylog2.rest.documentation.annotations.ApiParam;
import org.graylog2.rest.documentation.annotations.ApiResponse;
import org.graylog2.rest.documentation.annotations.ApiResponses;
import org.graylog2.rest.resources.RestResource;
import org.graylog2.rest.resources.users.requests.ChangePasswordRequest;
import org.graylog2.rest.resources.users.requests.CreateRequest;
import org.graylog2.rest.resources.users.requests.PermissionEditRequest;
import org.graylog2.security.AccessToken;
import org.graylog2.security.AccessTokenService;
import org.graylog2.security.RestPermissions;
import org.graylog2.users.User;
import org.graylog2.users.UserImpl;
import org.graylog2.users.UserService;
import org.joda.time.DateTimeZone;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RequiresAuthentication
@Path("/users")
@Consumes({MediaType.APPLICATION_JSON})
@Produces({MediaType.APPLICATION_JSON})
@Api(value = "Users", description = "User accounts")
/* loaded from: input_file:org/graylog2/rest/resources/users/UsersResource.class */
public class UsersResource extends RestResource {
    private static final Logger LOG = LoggerFactory.getLogger(RestResource.class);
    private final UserService userService;
    private final AccessTokenService accessTokenService;
    private final Configuration configuration;

    /* JADX INFO: Access modifiers changed from: private */
    @JsonAutoDetect
    /* loaded from: input_file:org/graylog2/rest/resources/users/UsersResource$Token.class */
    public static class Token {
        private final AccessToken token;

        public Token(AccessToken accessToken) {
            this.token = accessToken;
        }

        @JsonProperty
        public String getName() {
            return this.token.getName();
        }

        @JsonProperty
        public String getToken() {
            return this.token.getToken();
        }

        @JsonProperty
        public Date getLastAccess() {
            return this.token.getLastAccess().toDate();
        }
    }

    @JsonAutoDetect
    /* loaded from: input_file:org/graylog2/rest/resources/users/UsersResource$TokenList.class */
    private static class TokenList {

        @JsonProperty
        private final List<Token> tokens;

        private TokenList() {
            this.tokens = Lists.newArrayList();
        }

        public void addToken(Token token) {
            this.tokens.add(token);
        }
    }

    @Inject
    public UsersResource(UserService userService, AccessTokenService accessTokenService, Configuration configuration) {
        this.userService = userService;
        this.accessTokenService = accessTokenService;
        this.configuration = configuration;
    }

    @GET
    @Path("{username}")
    @ApiOperation(value = "Get user details", notes = "The user's permissions are only included if a user asks for his own account or for users with the necessary permissions to edit permissions.")
    @ApiResponses({@ApiResponse(code = 404, message = "The user could not be found.")})
    public Response get(@PathParam("username") @ApiParam(title = "username", description = "The username to return information for.", required = true) String str) {
        User load = this.userService.load(str);
        if (load == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        return Response.ok().entity(json(toMap(load, getSubject().getPrincipal().toString().equals(str) || isPermitted(RestPermissions.USERS_PERMISSIONSEDIT, str)))).build();
    }

    @GET
    @RequiresPermissions({RestPermissions.USERS_LIST})
    @ApiOperation(value = "List all users", notes = "The permissions assigned to the users are always included.")
    public Response listUsers() {
        List<User> loadAll = this.userService.loadAll();
        ArrayList newArrayList = Lists.newArrayList();
        Iterator<User> it = loadAll.iterator();
        while (it.hasNext()) {
            newArrayList.add(toMap(it.next()));
        }
        newArrayList.add(toMap(this.userService.getAdminUser()));
        HashMap newHashMap = Maps.newHashMap();
        newHashMap.put(IniRealm.USERS_SECTION_NAME, newArrayList);
        return Response.ok(json(newHashMap)).build();
    }

    @RequiresPermissions({RestPermissions.USERS_CREATE})
    @ApiOperation("Create a new user account.")
    @POST
    @ApiResponses({@ApiResponse(code = 400, message = "Missing or invalid user details.")})
    public Response create(@ApiParam(title = "JSON body", description = "Must contain username, full_name, email, password and a list of permissions.", required = true) String str) {
        if (str == null || str.isEmpty()) {
            LOG.error("Missing parameters. Returning HTTP 400.");
            throw new WebApplicationException(400);
        }
        CreateRequest createRequest = getCreateRequest(str);
        if (this.userService.load(createRequest.username) != null) {
            LOG.error("Cannot create user {}: username is already taken.", createRequest.username);
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        User create = this.userService.create();
        create.setName(createRequest.username);
        create.setPassword(createRequest.password, this.configuration.getPasswordSecret());
        create.setFullName(createRequest.fullname);
        create.setEmail(createRequest.email);
        create.setPermissions(createRequest.permissions);
        if (createRequest.timezone != null) {
            create.setTimeZone(createRequest.timezone);
        }
        if (createRequest.session_timeout_ms != null) {
            create.setSessionTimeoutMs(createRequest.session_timeout_ms.longValue());
        }
        try {
            String save = this.userService.save(create);
            HashMap newHashMap = Maps.newHashMap();
            newHashMap.put(SwingBuilder.DEFAULT_DELEGATE_PROPERTY_OBJECT_ID, save);
            return Response.status(Response.Status.CREATED).entity(json(newHashMap)).build();
        } catch (ValidationException e) {
            LOG.error("Validation error.", (Throwable) e);
            throw new WebApplicationException(e, Response.Status.BAD_REQUEST);
        }
    }

    @Path("{username}")
    @ApiOperation("Modify user details.")
    @ApiResponses({@ApiResponse(code = 400, message = "Attempted to modify a read only user account (e.g. built-in or LDAP users)."), @ApiResponse(code = 400, message = "Missing or invalid user details.")})
    @PUT
    public Response changeUser(@PathParam("username") @ApiParam(title = "username", description = "The name of the user to modify.", required = true) String str, @ApiParam(title = "JSON body", description = "Updated user information.", required = true) String str2) {
        if (str2 == null || str2.isEmpty()) {
            throw new BadRequestException("Missing request body.");
        }
        checkPermission(RestPermissions.USERS_EDIT, str);
        CreateRequest createRequest = getCreateRequest(str2);
        User load = this.userService.load(str);
        if (load == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        if (load.isReadOnly()) {
            throw new BadRequestException("Cannot modify readonly user " + str);
        }
        if (createRequest.email != null) {
            load.setEmail(createRequest.email);
        }
        if (createRequest.fullname != null) {
            load.setFullName(createRequest.fullname);
        }
        if (isPermitted(RestPermissions.USERS_PERMISSIONSEDIT, load.getName()) && createRequest.permissions != null) {
            load.setPermissions(createRequest.permissions);
        }
        if (createRequest.timezone == null) {
            load.setTimeZone((String) null);
        } else {
            try {
                if (createRequest.timezone.isEmpty()) {
                    load.setTimeZone((String) null);
                } else {
                    load.setTimeZone(DateTimeZone.forID(createRequest.timezone));
                }
            } catch (IllegalArgumentException e) {
                LOG.error("Invalid timezone '{}', ignoring it for user {}.", createRequest.timezone, str);
            }
        }
        if (createRequest.startpage != null) {
            load.setStartpage(createRequest.startpage.type, createRequest.startpage.id);
        }
        if (isPermitted("*") && createRequest.session_timeout_ms != null && createRequest.session_timeout_ms.longValue() != 0) {
            load.setSessionTimeoutMs(createRequest.session_timeout_ms.longValue());
        }
        try {
            this.userService.save(load);
            return Response.noContent().build();
        } catch (ValidationException e2) {
            LOG.error("Validation error.", (Throwable) e2);
            throw new BadRequestException("Validation error for " + str, e2);
        }
    }

    @Path("{username}")
    @RequiresPermissions({RestPermissions.USERS_EDIT})
    @ApiOperation("Removes a user account.")
    @DELETE
    @ApiResponses({@ApiResponse(code = 400, message = "When attempting to remove a read only user (e.g. built-in or LDAP user).")})
    public Response deleteUser(@PathParam("username") @ApiParam(title = "username", description = "The name of the user to delete.", required = true) String str) {
        User load = this.userService.load(str);
        if (load == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        if (load.isReadOnly()) {
            throw new BadRequestException("Cannot delete readonly user " + str);
        }
        this.userService.destroy(load);
        return Response.noContent().build();
    }

    @Path("{username}/permissions")
    @RequiresPermissions({RestPermissions.USERS_PERMISSIONSEDIT})
    @ApiOperation("Update a user's permission set.")
    @ApiResponses({@ApiResponse(code = 400, message = "Missing or invalid permission data.")})
    @PUT
    public Response editPermissions(@PathParam("username") @ApiParam(title = "username", description = "The name of the user to modify.", required = true) String str, @ApiParam(title = "JSON body", description = "The list of permissions to assign to the user.", required = true) String str2) {
        try {
            PermissionEditRequest permissionEditRequest = (PermissionEditRequest) this.objectMapper.readValue(str2, PermissionEditRequest.class);
            User load = this.userService.load(str);
            if (load == null) {
                return Response.status(Response.Status.NOT_FOUND).build();
            }
            load.setPermissions(permissionEditRequest.permissions);
            try {
                this.userService.save(load);
                return Response.noContent().build();
            } catch (ValidationException e) {
                LOG.error("Validation error.", (Throwable) e);
                throw new BadRequestException("Validation error for " + str, e);
            }
        } catch (IOException e2) {
            throw new BadRequestException(e2);
        }
    }

    @Path("{username}/permissions")
    @RequiresPermissions({RestPermissions.USERS_PERMISSIONSEDIT})
    @ApiOperation("Revoke all permissions for a user without deleting the account.")
    @DELETE
    @ApiResponses({@ApiResponse(code = 500, message = "When saving the user failed.")})
    public Response deletePermissions(@PathParam("username") @ApiParam(title = "username", description = "The name of the user to modify.", required = true) String str) {
        User load = this.userService.load(str);
        if (load == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        load.setPermissions(Lists.newArrayList());
        try {
            this.userService.save(load);
            return Response.status(Response.Status.NO_CONTENT).build();
        } catch (ValidationException e) {
            throw new InternalServerErrorException(e);
        }
    }

    @Path("{username}/password")
    @ApiOperation("Update the password for a user.")
    @ApiResponses({@ApiResponse(code = 201, message = "The password was successfully updated. Subsequent requests must be made with the new password."), @ApiResponse(code = 400, message = "If the old or new password is missing."), @ApiResponse(code = 403, message = "If the requesting user has insufficient privileges to update the password for the given user or the old password was wrong."), @ApiResponse(code = 404, message = "If the user does not exist.")})
    @PUT
    public Response changePassword(@PathParam("username") @ApiParam(title = "username", description = "The name of the user whose password to change.", required = true) String str, @ApiParam(title = "JSON body", description = "The old and new passwords.", required = true) String str2) {
        if (str2 == null || str2.isEmpty()) {
            throw new BadRequestException("Missing request body.");
        }
        try {
            ChangePasswordRequest changePasswordRequest = (ChangePasswordRequest) this.objectMapper.readValue(str2, ChangePasswordRequest.class);
            User load = this.userService.load(str);
            if (load == null) {
                return Response.status(Response.Status.NOT_FOUND).build();
            }
            if (!getSubject().isPermitted("users:passwordchange:" + load.getName())) {
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            if (load.isExternalUser()) {
                LOG.error("Cannot change password for LDAP user.");
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            boolean z = true;
            if (getSubject().isPermitted("users:passwordchange:*")) {
                if (str.equals(getSubject().getPrincipal())) {
                    LOG.debug("User {} is allowed to change the password of any user, but attempts to change own password. Must supply the old password.", getSubject().getPrincipal());
                    z = true;
                } else {
                    LOG.debug("User {} is allowed to change the password for any user, including {}, ignoring old password", getSubject().getPrincipal(), str);
                    z = false;
                }
            }
            boolean z2 = false;
            String passwordSecret = this.configuration.getPasswordSecret();
            if (!z) {
                z2 = true;
            } else {
                if (changePasswordRequest.old_password == null) {
                    LOG.info("Changing password for user {} must supply the old password.", str);
                    return Response.status(Response.Status.BAD_REQUEST).build();
                }
                if (load.isUserPassword(changePasswordRequest.old_password, passwordSecret)) {
                    z2 = true;
                }
            }
            if (!z2) {
                return Response.status(Response.Status.FORBIDDEN).build();
            }
            load.setPassword(changePasswordRequest.password, passwordSecret);
            try {
                this.userService.save(load);
                return Response.noContent().build();
            } catch (ValidationException e) {
                throw new BadRequestException("Validation error for " + str, e);
            }
        } catch (IOException e2) {
            LOG.error("Error while parsing JSON", (Throwable) e2);
            throw new WebApplicationException(e2, Response.Status.BAD_REQUEST);
        }
    }

    @GET
    @Path("{username}/tokens")
    @RequiresPermissions({RestPermissions.USERS_TOKENLIST})
    @ApiOperation("Retrieves the list of access tokens for a user")
    public TokenList listTokens(@PathParam("username") @ApiParam(title = "username", required = true) String str) {
        User _tokensCheckAndLoadUser = _tokensCheckAndLoadUser(str);
        TokenList tokenList = new TokenList();
        Iterator<AccessToken> it = this.accessTokenService.loadAll(_tokensCheckAndLoadUser.getName()).iterator();
        while (it.hasNext()) {
            tokenList.addToken(new Token(it.next()));
        }
        return tokenList;
    }

    @Path("{username}/tokens/{name}")
    @RequiresPermissions({RestPermissions.USERS_TOKENCREATE})
    @ApiOperation("Generates a new access token for a user")
    @POST
    public Token generateNewToken(@PathParam("username") @ApiParam(title = "username", required = true) String str, @PathParam("name") @ApiParam(title = "name", description = "Descriptive name for this token (e.g. 'cronjob') ", required = true) String str2) {
        return new Token(this.accessTokenService.create(_tokensCheckAndLoadUser(str).getName(), str2));
    }

    @RequiresPermissions({RestPermissions.USERS_TOKENREMOVE})
    @Path("{username}/tokens/{token}")
    @ApiOperation("Removes a token for a user")
    @DELETE
    public Response revokeToken(@PathParam("username") @ApiParam(title = "username", required = true) String str, @PathParam("token") @ApiParam(title = "access token", required = true) String str2) {
        _tokensCheckAndLoadUser(str);
        AccessToken load = this.accessTokenService.load(str2);
        if (load == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        this.accessTokenService.destroy(load);
        return Response.noContent().build();
    }

    private User _tokensCheckAndLoadUser(String str) {
        User load = this.userService.load(str);
        if (load == null) {
            throw new NotFoundException("Unknown user " + str);
        }
        if (getSubject().getPrincipal().equals(str)) {
            return load;
        }
        throw new ForbiddenException("Cannot access other people's tokens.");
    }

    private HashMap<String, Object> toMap(User user) {
        return toMap(user, true);
    }

    private HashMap<String, Object> toMap(User user, boolean z) {
        HashMap<String, Object> newHashMap = Maps.newHashMap();
        newHashMap.put(SwingBuilder.DEFAULT_DELEGATE_PROPERTY_OBJECT_ID, Objects.firstNonNull(user.getId(), ""));
        newHashMap.put("username", user.getName());
        newHashMap.put(UserImpl.EMAIL, user.getEmail());
        newHashMap.put(UserImpl.FULL_NAME, user.getFullName());
        if (z) {
            newHashMap.put(UserImpl.PERMISSIONS, user.getPermissions());
        }
        if (user.getTimeZone() != null) {
            newHashMap.put(UserImpl.TIMEZONE, user.getTimeZone().getID());
        }
        newHashMap.put(UserImpl.SESSION_TIMEOUT, Long.valueOf(user.getSessionTimeoutMs()));
        newHashMap.put("read_only", Boolean.valueOf(user.isReadOnly()));
        newHashMap.put("external", Boolean.valueOf(user.isExternalUser()));
        newHashMap.put("startpage", user.getStartpage());
        return newHashMap;
    }

    private CreateRequest getCreateRequest(String str) {
        try {
            return (CreateRequest) this.objectMapper.readValue(str, CreateRequest.class);
        } catch (IOException e) {
            LOG.error("Error while parsing JSON", (Throwable) e);
            throw new WebApplicationException(e, Response.Status.BAD_REQUEST);
        }
    }
}
