package org.cloudfoundry.identity.uaa.scim.endpoints;

import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.error.ConvertingExceptionView;
import org.cloudfoundry.identity.uaa.error.ExceptionReport;
import org.cloudfoundry.identity.uaa.oauth.approval.Approval;
import org.cloudfoundry.identity.uaa.oauth.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.rest.ResourceMonitor;
import org.cloudfoundry.identity.uaa.rest.SearchResults;
import org.cloudfoundry.identity.uaa.rest.SearchResultsFactory;
import org.cloudfoundry.identity.uaa.rest.SimpleAttributeNameMapper;
import org.cloudfoundry.identity.uaa.scim.ScimCore;
import org.cloudfoundry.identity.uaa.scim.ScimGroup;
import org.cloudfoundry.identity.uaa.scim.ScimGroupMembershipManager;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
import org.cloudfoundry.identity.uaa.scim.exception.ScimException;
import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceConflictException;
import org.cloudfoundry.identity.uaa.scim.validate.PasswordValidator;
import org.cloudfoundry.identity.uaa.util.UaaPagingUtils;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.dao.OptimisticLockingFailureException;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.SpelParseException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.jmx.export.annotation.ManagedMetric;
import org.springframework.jmx.export.annotation.ManagedResource;
import org.springframework.jmx.support.MetricType;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.stereotype.Controller;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.servlet.View;

@Controller
@ManagedResource
/* loaded from: input_file:org/cloudfoundry/identity/uaa/scim/endpoints/ScimUserEndpoints.class */
public class ScimUserEndpoints implements InitializingBean {
    private static final String USER_APPROVALS_FILTER_TEMPLATE = "user_id eq \"%s\"";
    public static final String E_TAG = "ETag";
    private ScimUserProvisioning dao;
    private ResourceMonitor<ScimUser> scimUserResourceMonitor;
    private ScimGroupMembershipManager membershipManager;
    private ApprovalStore approvalStore;
    private final Map<String, AtomicInteger> errorCounts = new ConcurrentHashMap();
    private AtomicInteger scimUpdates = new AtomicInteger();
    private AtomicInteger scimDeletes = new AtomicInteger();
    private Map<Class<? extends Exception>, HttpStatus> statuses = new HashMap();
    private HttpMessageConverter<?>[] messageConverters = (HttpMessageConverter[]) new RestTemplate().getMessageConverters().toArray(new HttpMessageConverter[0]);
    private PasswordValidator passwordValidator;
    private static Log logger = LogFactory.getLog(ScimUserEndpoints.class);
    private static final Random passwordGenerator = new SecureRandom();

    public void setMessageConverters(HttpMessageConverter<?>[] httpMessageConverterArr) {
        this.messageConverters = httpMessageConverterArr;
    }

    public void setStatuses(Map<Class<? extends Exception>, HttpStatus> map) {
        this.statuses = map;
    }

    private static String generatePassword() {
        byte[] bArr = new byte[16];
        passwordGenerator.nextBytes(bArr);
        return new String(Hex.encode(bArr));
    }

    @ManagedMetric(metricType = MetricType.COUNTER, displayName = "Total Users")
    public int getTotalUsers() {
        return this.scimUserResourceMonitor.getTotalCount();
    }

    @ManagedMetric(metricType = MetricType.COUNTER, displayName = "User Account Update Count (Since Startup)")
    public int getUserUpdates() {
        return this.scimUpdates.get();
    }

    @ManagedMetric(metricType = MetricType.COUNTER, displayName = "User Account Delete Count (Since Startup)")
    public int getUserDeletes() {
        return this.scimDeletes.get();
    }

    @ManagedMetric(displayName = "Error Counts")
    public Map<String, AtomicInteger> getErrorCounts() {
        return this.errorCounts;
    }

    @RequestMapping(value = {"/Users/{userId}"}, method = {RequestMethod.GET})
    @ResponseBody
    public ScimUser getUser(@PathVariable String str, HttpServletResponse httpServletResponse) {
        ScimUser syncApprovals = syncApprovals(syncGroups((ScimUser) this.dao.retrieve(str)));
        addETagHeader(httpServletResponse, syncApprovals);
        return syncApprovals;
    }

    @RequestMapping(value = {"/Users"}, method = {RequestMethod.POST})
    @ResponseStatus(HttpStatus.CREATED)
    @ResponseBody
    public ScimUser createUser(@RequestBody ScimUser scimUser, HttpServletResponse httpServletResponse) {
        if (scimUser.getPassword() == null) {
            scimUser.setPassword(generatePassword());
        } else {
            this.passwordValidator.validate(scimUser.getPassword());
        }
        ScimUser createUser = this.dao.createUser(scimUser, scimUser.getPassword());
        if (scimUser.getApprovals() != null) {
            for (Approval approval : scimUser.getApprovals()) {
                approval.setUserId(createUser.getId());
                this.approvalStore.addApproval(approval);
            }
        }
        ScimUser syncApprovals = syncApprovals(syncGroups(createUser));
        addETagHeader(httpServletResponse, syncApprovals);
        return syncApprovals;
    }

    @RequestMapping(value = {"/Users/{userId}"}, method = {RequestMethod.PUT})
    @ResponseBody
    public ScimUser updateUser(@RequestBody ScimUser scimUser, @PathVariable String str, @RequestHeader(value = "If-Match", required = false, defaultValue = "NaN") String str2, HttpServletResponse httpServletResponse) {
        if (str2.equals("NaN")) {
            throw new ScimException("Missing If-Match for PUT", HttpStatus.BAD_REQUEST);
        }
        scimUser.setVersion(getVersion(str, str2));
        try {
            ScimUser scimUser2 = (ScimUser) this.dao.update(str, scimUser);
            this.scimUpdates.incrementAndGet();
            ScimUser syncApprovals = syncApprovals(syncGroups(scimUser2));
            addETagHeader(httpServletResponse, syncApprovals);
            return syncApprovals;
        } catch (OptimisticLockingFailureException e) {
            throw new ScimResourceConflictException(e.getMessage());
        }
    }

    @RequestMapping(value = {"/Users/{userId}"}, method = {RequestMethod.DELETE})
    @ResponseBody
    public ScimUser deleteUser(@PathVariable String str, @RequestHeader(value = "If-Match", required = false) String str2, HttpServletResponse httpServletResponse) {
        int version = str2 == null ? -1 : getVersion(str, str2);
        ScimUser user = getUser(str, httpServletResponse);
        this.membershipManager.removeMembersByMemberId(str);
        this.dao.delete(str, version);
        this.scimDeletes.incrementAndGet();
        return user;
    }

    @RequestMapping(value = {"/Users/{userId}/verify"}, method = {RequestMethod.GET})
    @ResponseBody
    public ScimUser verifyUser(@PathVariable String str, @RequestHeader(value = "If-Match", required = false) String str2, HttpServletResponse httpServletResponse) {
        ScimUser verifyUser = this.dao.verifyUser(str, str2 == null ? -1 : getVersion(str, str2));
        this.scimUpdates.incrementAndGet();
        addETagHeader(httpServletResponse, verifyUser);
        return verifyUser;
    }

    private int getVersion(String str, String str2) {
        String str3;
        String trim = str2.trim();
        while (true) {
            str3 = trim;
            if (!str3.startsWith("\"")) {
                break;
            }
            trim = str3.substring(1);
        }
        while (str3.endsWith("\"")) {
            str3 = str3.substring(0, str3.length() - 1);
        }
        if (str3.equals("*")) {
            return ((ScimUser) this.dao.retrieve(str)).getVersion();
        }
        try {
            return Integer.valueOf(str3).intValue();
        } catch (NumberFormatException e) {
            throw new ScimException("Invalid version match header (should be a version number): " + str2, HttpStatus.BAD_REQUEST);
        }
    }

    @RequestMapping(value = {"/Users"}, method = {RequestMethod.GET})
    @ResponseBody
    public SearchResults<?> findUsers(@RequestParam(value = "attributes", required = false) String str, @RequestParam(required = false, defaultValue = "id pr") String str2, @RequestParam(required = false, defaultValue = "created") String str3, @RequestParam(required = false, defaultValue = "ascending") String str4, @RequestParam(required = false, defaultValue = "1") int i, @RequestParam(required = false, defaultValue = "100") int i2) {
        if (i < 1) {
            i = 1;
        }
        ArrayList arrayList = new ArrayList();
        try {
            List query = this.dao.query(str2, str3, str4.equals("ascending"));
            for (ScimUser scimUser : UaaPagingUtils.subList(query, i, i2)) {
                if (str == null || str.matches("(?i)groups") || str.isEmpty()) {
                    syncGroups(scimUser);
                }
                if (str == null || str.matches("(?i)approvals") || str.isEmpty()) {
                    syncApprovals(scimUser);
                }
                arrayList.add(scimUser);
            }
            if (!StringUtils.hasLength(str)) {
                return new SearchResults<>(Arrays.asList(ScimCore.SCHEMAS), arrayList, i, i2, query.size());
            }
            try {
                return SearchResultsFactory.buildSearchResultFrom(arrayList, i, i2, query.size(), str.split(","), new SimpleAttributeNameMapper(Collections.singletonMap("emails\\.(.*)", "emails.![$1]")), Arrays.asList(ScimCore.SCHEMAS));
            } catch (SpelEvaluationException e) {
                throw new ScimException("Invalid attributes: [" + str + "]", HttpStatus.BAD_REQUEST);
            } catch (SpelParseException e2) {
                throw new ScimException("Invalid attributes: [" + str + "]", HttpStatus.BAD_REQUEST);
            }
        } catch (IllegalArgumentException e3) {
            throw new ScimException("Invalid filter expression: [" + str2 + "]", HttpStatus.BAD_REQUEST);
        }
    }

    private ScimUser syncGroups(ScimUser scimUser) {
        if (scimUser == null) {
            return scimUser;
        }
        Set<ScimGroup> groupsWithMember = this.membershipManager.getGroupsWithMember(scimUser.getId(), false);
        Set<ScimGroup> groupsWithMember2 = this.membershipManager.getGroupsWithMember(scimUser.getId(), true);
        groupsWithMember2.removeAll(groupsWithMember);
        HashSet hashSet = new HashSet();
        for (ScimGroup scimGroup : groupsWithMember) {
            hashSet.add(new ScimUser.Group(scimGroup.getId(), scimGroup.getDisplayName(), ScimUser.Group.Type.DIRECT));
        }
        for (ScimGroup scimGroup2 : groupsWithMember2) {
            hashSet.add(new ScimUser.Group(scimGroup2.getId(), scimGroup2.getDisplayName(), ScimUser.Group.Type.INDIRECT));
        }
        scimUser.setGroups(hashSet);
        return scimUser;
    }

    private ScimUser syncApprovals(ScimUser scimUser) {
        if (scimUser == null || this.approvalStore == null) {
            return scimUser;
        }
        HashSet<Approval> hashSet = new HashSet(this.approvalStore.getApprovals(String.format(USER_APPROVALS_FILTER_TEMPLATE, scimUser.getId())));
        Set<Approval> hashSet2 = new HashSet<>(hashSet);
        for (Approval approval : hashSet) {
            if (!approval.isCurrentlyActive()) {
                hashSet2.remove(approval);
            }
        }
        scimUser.setApprovals(hashSet2);
        return scimUser;
    }

    @ExceptionHandler
    public View handleException(Exception exc, HttpServletRequest httpServletRequest) throws ScimException {
        logger.error("Unhandled exception in SCIM user endpoints.", exc);
        ScimException scimException = new ScimException("Unexpected error", exc, HttpStatus.INTERNAL_SERVER_ERROR);
        if (!(exc instanceof ScimException)) {
            Class<?> cls = exc.getClass();
            Iterator<Class<? extends Exception>> it = this.statuses.keySet().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Class<? extends Exception> next = it.next();
                if (next.isAssignableFrom(cls)) {
                    scimException = new ScimException(exc.getMessage(), exc, this.statuses.get(next));
                    break;
                }
            }
        } else {
            scimException = (ScimException) exc;
        }
        incrementErrorCounts(scimException);
        return new ConvertingExceptionView(new ResponseEntity(new ExceptionReport(scimException, (httpServletRequest.getParameter("trace") == null || httpServletRequest.getParameter("trace").equals("false")) ? false : true, scimException.getExtraInfo()), scimException.getStatus()), this.messageConverters);
    }

    private void incrementErrorCounts(ScimException scimException) {
        String errorName = UaaStringUtils.getErrorName(scimException);
        AtomicInteger atomicInteger = this.errorCounts.get(errorName);
        if (atomicInteger == null) {
            synchronized (this.errorCounts) {
                atomicInteger = this.errorCounts.get(errorName);
                if (atomicInteger == null) {
                    atomicInteger = new AtomicInteger();
                    this.errorCounts.put(errorName, atomicInteger);
                }
            }
        }
        atomicInteger.incrementAndGet();
    }

    public void setScimUserProvisioning(ScimUserProvisioning scimUserProvisioning) {
        this.dao = scimUserProvisioning;
    }

    public void setScimGroupMembershipManager(ScimGroupMembershipManager scimGroupMembershipManager) {
        this.membershipManager = scimGroupMembershipManager;
    }

    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.dao, "ScimUserProvisioning must be set");
        Assert.notNull(this.membershipManager, "ScimGroupMembershipManager must be set");
        Assert.notNull(this.approvalStore, "ApprovalStore must be set");
    }

    private void addETagHeader(HttpServletResponse httpServletResponse, ScimUser scimUser) {
        httpServletResponse.setHeader("ETag", "\"" + scimUser.getVersion() + "\"");
    }

    public void setScimUserResourceMonitor(ResourceMonitor<ScimUser> resourceMonitor) {
        this.scimUserResourceMonitor = resourceMonitor;
    }

    public void setPasswordValidator(PasswordValidator passwordValidator) {
        this.passwordValidator = passwordValidator;
    }
}
