package org.cloudfoundry.identity.uaa.scim.bootstrap;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import javax.validation.constraints.NotNull;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.audit.event.EntityDeletedEvent;
import org.cloudfoundry.identity.uaa.authentication.SystemAuthentication;
import org.cloudfoundry.identity.uaa.authentication.manager.AuthEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.ExternalGroupAuthorizationEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.InvitedUserAuthenticatedEvent;
import org.cloudfoundry.identity.uaa.authentication.manager.NewUserAuthenticatedEvent;
import org.cloudfoundry.identity.uaa.constants.OriginKeys;
import org.cloudfoundry.identity.uaa.scim.ScimGroup;
import org.cloudfoundry.identity.uaa.scim.ScimGroupMember;
import org.cloudfoundry.identity.uaa.scim.ScimGroupMembershipManager;
import org.cloudfoundry.identity.uaa.scim.ScimGroupProvisioning;
import org.cloudfoundry.identity.uaa.scim.ScimUser;
import org.cloudfoundry.identity.uaa.scim.ScimUserProvisioning;
import org.cloudfoundry.identity.uaa.scim.exception.InvalidPasswordException;
import org.cloudfoundry.identity.uaa.scim.exception.MemberAlreadyExistsException;
import org.cloudfoundry.identity.uaa.scim.exception.MemberNotFoundException;
import org.cloudfoundry.identity.uaa.scim.exception.ScimResourceNotFoundException;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.hsqldb.Tokens;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.1.0.jar:org/cloudfoundry/identity/uaa/scim/bootstrap/ScimUserBootstrap.class */
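/**
 * Seeds SCIM users from a configured collection once the bean's properties are set, and keeps
 * users and group memberships in step with authentication events published in the application
 * context.
 *
 * <p>Several lookups are expressed as SCIM filter strings assembled from user names, origins,
 * member ids and group names. Some of these values arrive with authentication events (for
 * example the authorities carried by an {@link ExternalGroupAuthorizationEvent}), so every value
 * is passed through {@link #escapeFilterValue(String)} before it is placed between the quotes
 * of a filter literal.
 */
public class ScimUserBootstrap implements InitializingBean, ApplicationListener<ApplicationEvent>, ApplicationEventPublisherAware {
    private static final Log logger = LogFactory.getLog(ScimUserBootstrap.class);
    private final ScimUserProvisioning scimUserProvisioning;
    private final ScimGroupProvisioning scimGroupProvisioning;
    private final ScimGroupMembershipManager membershipManager;
    // When true, a configured user that already exists is updated instead of being left alone.
    private boolean override = false;
    private final Collection<UaaUser> users;
    // User names that are skipped during seeding and announced for deletion on context refresh.
    private List<String> usersToDelete;
    private ApplicationEventPublisher publisher;

    /**
     * Sets whether an already existing user is overwritten by its configured definition.
     *
     * @param z {@code true} to update existing users, {@code false} to leave them untouched
     */
    public void setOverride(boolean z) {
        this.override = z;
    }

    /**
     * @return {@code true} when existing users are updated from the configured definitions
     */
    public boolean isOverride() {
        return this.override;
    }

    /**
     * Creates the bootstrap bean.
     *
     * @param scimUserProvisioning store used to query, create and update users; must not be null
     * @param scimGroupProvisioning store used to query and create groups; must not be null
     * @param scimGroupMembershipManager manager used to add and remove memberships; must not be null
     * @param collection users to seed; must not be null, kept as an unmodifiable view
     * @throws IllegalArgumentException if any argument is null (raised by {@link Assert#notNull})
     */
    public ScimUserBootstrap(ScimUserProvisioning scimUserProvisioning, ScimGroupProvisioning scimGroupProvisioning, ScimGroupMembershipManager scimGroupMembershipManager, Collection<UaaUser> collection) {
        Assert.notNull(scimUserProvisioning, "scimUserProvisioning cannot be null");
        Assert.notNull(scimGroupProvisioning, "scimGroupProvisioning cannont be null");
        Assert.notNull(scimGroupMembershipManager, "memberShipManager cannot be null");
        Assert.notNull(collection, "users list cannot be null");
        this.scimUserProvisioning = scimUserProvisioning;
        this.scimGroupProvisioning = scimGroupProvisioning;
        this.membershipManager = scimGroupMembershipManager;
        this.users = Collections.unmodifiableCollection(collection);
    }

    /**
     * Sets the user names that must not be seeded and that are announced for deletion when the
     * application context is refreshed.
     *
     * @param list user names; may be null, which is treated as an empty list
     */
    public void setUsersToDelete(List<String> list) {
        this.usersToDelete = list;
    }

    /**
     * Seeds every configured user whose user name is not listed in {@code usersToDelete}.
     *
     * @throws Exception declared by {@link InitializingBean}; failures from {@link #addUser}
     *     propagate unchanged
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        // Work on a copy: this.users is an unmodifiable view and must not be filtered in place.
        List<UaaUser> pending = new LinkedList<>(Optional.ofNullable(this.users).orElse(Collections.emptyList()));
        List<String> excluded = Optional.ofNullable(this.usersToDelete).orElse(Collections.emptyList());
        pending.removeIf(candidate -> excluded.contains(candidate.getUsername()));
        for (UaaUser candidate : pending) {
            addUser(candidate);
        }
    }

    /**
     * Publishes an {@link EntityDeletedEvent} for every user of origin {@code uaa} whose user
     * name is in {@code list}. This method only publishes the events; the removal itself is
     * presumably carried out by a listener of that event.
     *
     * @param list user names to announce for deletion; an empty list is a no-op
     * @throws Exception if the query or the event publication fails
     */
    public void deleteUsers(@NotNull List<String> list) throws Exception {
        if (list.isEmpty()) {
            return;
        }
        StringBuilder nameClauses = new StringBuilder();
        for (int index = list.size() - 1; index >= 0; index--) {
            // Each name becomes a quoted literal; escaping keeps a name that contains a quote
            // from closing the literal and extending the "or" chain with its own clauses.
            nameClauses.append("username eq \"").append(escapeFilterValue(list.get(index))).append("\"");
            if (index > 0) {
                nameClauses.append(" or ");
            }
        }
        // The decompiled listing closed the group with org.hsqldb.Tokens.T_CLOSEBRACKET, which is
        // the string ")"; the literal is used so the filter does not depend on a database driver.
        String filter = "origin eq \"uaa\" and (" + nameClauses + ")";
        for (ScimUser match : this.scimUserProvisioning.query(filter)) {
            publish(new EntityDeletedEvent(match, SystemAuthentication.SYSTEM_AUTHENTICATION));
        }
    }

    /**
     * Looks up the stored user that corresponds to {@code uaaUser}: first by user name and
     * origin (a null origin is treated as {@link OriginKeys#UAA}), then, if nothing matched and
     * the user carries an id, by that id.
     *
     * @param uaaUser user to look up
     * @return the first match, or {@code null} when no stored user was found
     */
    protected ScimUser getScimUser(UaaUser uaaUser) {
        String origin = uaaUser.getOrigin() == null ? OriginKeys.UAA : uaaUser.getOrigin();
        String filter = "userName eq \"" + escapeFilterValue(uaaUser.getUsername())
                + "\" and origin eq \"" + escapeFilterValue(origin) + "\"";
        List<ScimUser> matches = this.scimUserProvisioning.query(filter);
        if (matches.isEmpty() && StringUtils.hasText(uaaUser.getId())) {
            try {
                matches = Arrays.asList(this.scimUserProvisioning.retrieve(uaaUser.getId()));
            } catch (ScimResourceNotFoundException e) {
                logger.debug("Unable to find scim user based on ID:" + uaaUser.getId());
            }
        }
        return matches.isEmpty() ? null : matches.get(0);
    }

    /**
     * Creates {@code uaaUser}, or updates the stored user when one exists and the override flag
     * is set. An existing user is left untouched when the flag is not set.
     *
     * @param uaaUser user to register
     * @throws InvalidPasswordException if a new user of origin {@code uaa} has no password
     */
    protected void addUser(UaaUser uaaUser) {
        ScimUser existing = getScimUser(uaaUser);
        if (existing != null) {
            if (this.override) {
                updateUser(existing, uaaUser);
            } else {
                logger.debug("Override flag not set. Not registering existing user: " + uaaUser);
            }
            return;
        }
        // A null origin is treated as "uaa", as in getScimUser, so the empty-password rule also
        // applies to users without an explicit origin instead of failing on a null dereference.
        String origin = uaaUser.getOrigin() == null ? OriginKeys.UAA : uaaUser.getOrigin();
        if (StringUtils.isEmpty(uaaUser.getPassword()) && OriginKeys.UAA.equals(origin)) {
            logger.debug("User's password cannot be empty");
            throw new InvalidPasswordException("Password cannot be empty", HttpStatus.BAD_REQUEST);
        }
        createNewUser(uaaUser);
    }

    /** Updates the stored user and replaces its group memberships. */
    private void updateUser(ScimUser scimUser, UaaUser uaaUser) {
        updateUser(scimUser, uaaUser, true);
    }

    /**
     * Overwrites the stored user with the attributes of {@code uaaUser}.
     *
     * <p>NOTE(review): callers pass the result of {@link #getScimUser} directly, which may be
     * {@code null}; a null {@code stored} fails on the first line with a NullPointerException.
     *
     * @param stored the user as currently stored; supplies the id and version
     * @param uaaUser the desired state
     * @param replaceGroups when true, all current memberships are removed and the authorities of
     *     {@code uaaUser} are added as groups
     */
    private void updateUser(ScimUser stored, UaaUser uaaUser, boolean replaceGroups) {
        String id = stored.getId();
        logger.debug("Updating user account: " + uaaUser + " with SCIM Id: " + id);
        if (replaceGroups) {
            logger.debug("Removing existing group memberships ...");
            for (ScimGroup group : this.membershipManager.getGroupsWithMember(id, true)) {
                removeFromGroup(id, group.getDisplayName());
            }
        }
        ScimUser desired = convertToScimUser(uaaUser);
        // Carry the stored version over so the update is applied against the current revision.
        desired.setVersion(stored.getVersion());
        this.scimUserProvisioning.update(id, desired);
        // The password is reset without an old password, and only for users of origin "uaa".
        if (OriginKeys.UAA.equals(desired.getOrigin()) && StringUtils.hasText(uaaUser.getPassword())) {
            this.scimUserProvisioning.changePassword(id, null, uaaUser.getPassword());
        }
        if (replaceGroups) {
            Collection<String> groups = convertToGroups(uaaUser.getAuthorities());
            logger.debug("Adding new groups " + groups);
            addGroups(id, groups);
        }
    }

    /** Creates the user and adds it to one group per granted authority. */
    private void createNewUser(UaaUser uaaUser) {
        logger.debug("Registering new user account: " + uaaUser);
        ScimUser created = this.scimUserProvisioning.createUser(convertToScimUser(uaaUser), uaaUser.getPassword());
        addGroups(created.getId(), convertToGroups(uaaUser.getAuthorities()));
    }

    /** Adds the member to each named group, creating groups that do not exist yet. */
    private void addGroups(String memberId, Collection<String> groupNames) {
        for (String groupName : groupNames) {
            addToGroup(memberId, groupName);
        }
    }

    /**
     * Dispatches authentication events to {@link #onApplicationEvent(AuthEvent)} and, on a
     * context refresh, announces the configured {@code usersToDelete} for deletion.
     *
     * @param applicationEvent the published event; other event types are ignored
     * @throws RuntimeException wrapping any failure of {@link #deleteUsers(List)}
     */
    @Override // org.springframework.context.ApplicationListener
    public void onApplicationEvent(ApplicationEvent applicationEvent) {
        if (applicationEvent instanceof AuthEvent) {
            onApplicationEvent((AuthEvent) applicationEvent);
        } else if (applicationEvent instanceof ContextRefreshedEvent) {
            try {
                List<String> doomed = Optional.ofNullable(this.usersToDelete).orElse(Collections.emptyList());
                deleteUsers(doomed);
            } catch (Exception e) {
                logger.warn("Unable to delete users from manifest.", e);
                throw new RuntimeException(e);
            }
        }
    }

    /**
     * Applies an authentication event to the user store.
     *
     * <ul>
     *   <li>{@link InvitedUserAuthenticatedEvent}: the stored user is updated, memberships are kept.</li>
     *   <li>{@link ExternalGroupAuthorizationEvent}: for a non-{@code uaa} origin the memberships
     *       of that origin are deleted, then one membership per external authority is added;
     *       missing groups are created only when the event's {@code isAddGroups()} is true.</li>
     *   <li>{@link NewUserAuthenticatedEvent}: the user is registered through {@link #addUser}.</li>
     * </ul>
     *
     * @param authEvent the event to apply; other subtypes are ignored
     */
    public void onApplicationEvent(AuthEvent authEvent) {
        if (authEvent instanceof InvitedUserAuthenticatedEvent) {
            updateUser(getScimUser(authEvent.getUser()), authEvent.getUser(), false);
            return;
        }
        if (!(authEvent instanceof ExternalGroupAuthorizationEvent)) {
            if (authEvent instanceof NewUserAuthenticatedEvent) {
                addUser(authEvent.getUser());
            }
            return;
        }
        ExternalGroupAuthorizationEvent groupEvent = (ExternalGroupAuthorizationEvent) authEvent;
        String origin = groupEvent.getUser().getOrigin();
        if (!OriginKeys.UAA.equals(origin)) {
            // This filter selects the rows to delete, so an unescaped quote in the id or origin
            // could widen the selection beyond this member; both values are escaped.
            this.membershipManager.delete("member_id eq \"" + escapeFilterValue(authEvent.getUser().getId())
                    + "\" and origin eq \"" + escapeFilterValue(origin) + "\"");
        }
        for (GrantedAuthority authority : groupEvent.getExternalAuthorities()) {
            addToGroup(groupEvent.getUser().getId(), authority.getAuthority(), groupEvent.getUser().getOrigin(), groupEvent.isAddGroups());
        }
        if (authEvent.isUserModified()) {
            updateUser(getScimUser(authEvent.getUser()), authEvent.getUser(), false);
        }
    }

    /** Adds the member to the group with origin {@code uaa}, creating the group when missing. */
    private void addToGroup(String memberId, String groupName) {
        addToGroup(memberId, groupName, OriginKeys.UAA, true);
    }

    /**
     * Adds a membership for {@code memberId} to the group named {@code groupName}.
     *
     * @param memberId id of the member to add
     * @param groupName display name of the group; blank names are ignored
     * @param origin origin recorded on the membership
     * @param createIfMissing when true, a group that does not exist is created in the identity
     *     zone returned by {@link IdentityZoneHolder#get()}; when false the call is a no-op
     */
    private void addToGroup(String memberId, String groupName, String origin, boolean createIfMissing) {
        if (!StringUtils.hasText(groupName)) {
            return;
        }
        logger.debug("Adding to group: " + groupName);
        // Group names can originate from external authorities; escape before quoting.
        List<ScimGroup> matches = this.scimGroupProvisioning.query(String.format("displayName eq \"%s\"", escapeFilterValue(groupName)));
        boolean missing = matches == null || matches.isEmpty();
        if (missing && !createIfMissing) {
            logger.debug("No group found with name:" + groupName + ". Group membership will not be added.");
            return;
        }
        ScimGroup group = missing
                ? this.scimGroupProvisioning.create(new ScimGroup(null, groupName, IdentityZoneHolder.get().getId()))
                : matches.get(0);
        try {
            ScimGroupMember member = new ScimGroupMember(memberId);
            member.setOrigin(origin);
            this.membershipManager.addMember(group.getId(), member);
        } catch (MemberAlreadyExistsException ignored) {
            // The membership is already in place, which is the desired end state.
            logger.debug("Member is already in group: " + groupName);
        }
    }

    /**
     * Removes the membership of {@code memberId} in the group named {@code groupName}; blank
     * names, unknown groups and absent memberships are ignored.
     */
    private void removeFromGroup(String memberId, String groupName) {
        if (!StringUtils.hasText(groupName)) {
            return;
        }
        logger.debug("Removing membership of group: " + groupName);
        List<ScimGroup> matches = this.scimGroupProvisioning.query(String.format("displayName eq \"%s\"", escapeFilterValue(groupName)));
        if (matches == null || matches.isEmpty()) {
            return;
        }
        try {
            this.membershipManager.removeMemberById(matches.get(0).getId(), memberId);
        } catch (MemberNotFoundException ignored) {
            // Nothing to remove: the member was not in the group.
            logger.debug("Member was not in group: " + groupName);
        }
    }

    /**
     * Builds the SCIM representation of {@code uaaUser}.
     *
     * <p>The result is always marked as verified, for seeded users and for users updated from
     * an authentication event alike.
     */
    private ScimUser convertToScimUser(UaaUser uaaUser) {
        ScimUser scimUser = new ScimUser(uaaUser.getId(), uaaUser.getUsername(), uaaUser.getGivenName(), uaaUser.getFamilyName());
        scimUser.addPhoneNumber(uaaUser.getPhoneNumber());
        scimUser.addEmail(uaaUser.getEmail());
        scimUser.setOrigin(uaaUser.getOrigin());
        scimUser.setExternalId(uaaUser.getExternalId());
        scimUser.setVerified(true);
        return scimUser;
    }

    /** Maps each authority to a group name by way of its {@code toString()}. */
    private Collection<String> convertToGroups(List<? extends GrantedAuthority> authorities) {
        List<String> names = new ArrayList<>(authorities.size());
        for (GrantedAuthority authority : authorities) {
            names.add(authority.toString());
        }
        return names;
    }

    /**
     * Escapes a value for use inside a double-quoted SCIM filter literal by prefixing every
     * backslash and double quote with a backslash, the JSON string rule that SCIM filters
     * specify for string values. A null value is rendered as the text {@code null}, which is
     * what plain string concatenation produced before.
     *
     * <p>NOTE(review): confirm that the filter parser behind the provisioning beans unescapes
     * {@code \\} and {@code \"}; if it does not, values with those characters will not match.
     */
    private static String escapeFilterValue(String value) {
        String text = String.valueOf(value);
        StringBuilder escaped = new StringBuilder(text.length() + 8);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '\\' || c == '"') {
                escaped.append('\\');
            }
            escaped.append(c);
        }
        return escaped.toString();
    }

    /**
     * Publishes {@code applicationEvent} when a publisher has been injected; otherwise the event
     * is dropped.
     */
    public void publish(ApplicationEvent applicationEvent) {
        if (this.publisher != null) {
            this.publisher.publishEvent(applicationEvent);
        }
    }

    @Override // org.springframework.context.ApplicationEventPublisherAware
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.publisher = applicationEventPublisher;
    }
}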
