package org.cloudfoundry.identity.uaa.scim.endpoints;

import com.unboundid.scim.sdk.SCIMException;
import com.unboundid.scim.sdk.SCIMFilter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.resources.SearchResults;
import org.cloudfoundry.identity.uaa.scim.ScimCore;
import org.cloudfoundry.identity.uaa.scim.exception.ScimException;
import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.util.Assert;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.servlet.View;

@Controller
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.12.0.jar:org/cloudfoundry/identity/uaa/scim/endpoints/UserIdConversionEndpoints.class */
public class UserIdConversionEndpoints implements InitializingBean {
    private ScimUserEndpoints scimUserEndpoints;
    private IdentityProviderProvisioning provisioning;
    private final Log logger = LogFactory.getLog(getClass());
    private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();
    private boolean enabled = true;

    public UserIdConversionEndpoints(IdentityProviderProvisioning identityProviderProvisioning) {
        this.provisioning = identityProviderProvisioning;
    }

    void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {
        this.securityContextAccessor = securityContextAccessor;
    }

    public void setScimUserEndpoints(ScimUserEndpoints scimUserEndpoints) {
        this.scimUserEndpoints = scimUserEndpoints;
    }

    public boolean isEnabled() {
        return this.enabled;
    }

    public void setEnabled(boolean z) {
        this.enabled = z;
    }

    @RequestMapping({"/ids/Users"})
    @ResponseBody
    public SearchResults<?> findUsers(@RequestParam(required = true, defaultValue = "") String str, @RequestParam(required = false, defaultValue = "ascending") String str2, @RequestParam(required = false, defaultValue = "1") int i, @RequestParam(required = false, defaultValue = "100") int i2, @RequestParam(required = false, defaultValue = "false") boolean z) {
        if (!this.enabled) {
            this.logger.warn("Request from user " + this.securityContextAccessor.getAuthenticationInfo() + " received at disabled Id translation endpoint with filter:" + str);
            throw new ScimException("Illegal operation.", HttpStatus.BAD_REQUEST);
        }
        String trim = str.trim();
        checkFilter(trim);
        List<IdentityProvider> retrieveActive = this.provisioning.retrieveActive(IdentityZoneHolder.get().getId());
        if (!z) {
            if (retrieveActive.isEmpty()) {
                return new SearchResults<>(Arrays.asList(ScimCore.SCHEMAS), new ArrayList(), i, i2, 0);
            }
            trim = trim + " AND (" + ((String) retrieveActive.stream().map(identityProvider -> {
                return "".concat("origin eq \"" + identityProvider.getOriginKey() + "\"");
            }).collect(Collectors.joining(" OR "))) + " )";
        }
        return this.scimUserEndpoints.findUsers("id,userName,origin", trim, "userName", str2, i, i2);
    }

    @ExceptionHandler
    public View handleException(Exception exc, HttpServletRequest httpServletRequest) throws ScimException {
        return this.scimUserEndpoints.handleException(exc, httpServletRequest);
    }

    @ExceptionHandler({UnsupportedOperationException.class})
    @ResponseStatus(HttpStatus.NOT_FOUND)
    public void handleException() {
    }

    private void checkFilter(String str) {
        if (str.isEmpty()) {
            throw new ScimException("a 'filter' parameter is required", HttpStatus.BAD_REQUEST);
        }
        try {
            if (checkFilter(SCIMFilter.parse(str))) {
            } else {
                throw new ScimException("Invalid filter attribute.", HttpStatus.BAD_REQUEST);
            }
        } catch (SCIMException e) {
            this.logger.debug("/ids/Users received an invalid filter [" + str + "]", e);
            throw new ScimException("Invalid filter '" + str + "'", HttpStatus.BAD_REQUEST);
        }
    }

    private boolean checkFilter(SCIMFilter sCIMFilter) {
        switch (sCIMFilter.getFilterType()) {
            case AND:
            case OR:
                return checkFilter(sCIMFilter.getFilterComponents().get(0)) | checkFilter(sCIMFilter.getFilterComponents().get(1));
            case EQUALITY:
                String attributeName = sCIMFilter.getFilterAttribute().getAttributeName();
                if ("id".equalsIgnoreCase(attributeName) || "userName".equalsIgnoreCase(attributeName)) {
                    return true;
                }
                if ("origin".equalsIgnoreCase(attributeName)) {
                    return false;
                }
                throw new ScimException("Invalid filter attribute.", HttpStatus.BAD_REQUEST);
            case PRESENCE:
            case STARTS_WITH:
            case CONTAINS:
                throw new ScimException("Wildcards are not allowed in filter.", HttpStatus.BAD_REQUEST);
            case GREATER_THAN:
            case GREATER_OR_EQUAL:
            case LESS_THAN:
            case LESS_OR_EQUAL:
                throw new ScimException("Invalid operator.", HttpStatus.BAD_REQUEST);
            default:
                return false;
        }
    }

    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.scimUserEndpoints, "ScimUserEndpoints must be set");
    }
}
