package io.datarouter.auth.service;

import io.datarouter.auth.model.dto.RoleApprovalRequirementStatus;
import io.datarouter.auth.model.dto.UserRoleMetadata;
import io.datarouter.auth.model.dto.UserRoleUpdateDto;
import io.datarouter.auth.model.enums.RoleUpdateType;
import io.datarouter.auth.role.Role;
import io.datarouter.auth.role.RoleApprovalType;
import io.datarouter.auth.role.RoleManager;
import io.datarouter.auth.storage.account.DatarouterAccountKey;
import io.datarouter.auth.storage.user.datarouteruser.DatarouterUser;
import io.datarouter.auth.storage.user.datarouteruser.DatarouterUserDao;
import io.datarouter.auth.storage.user.roleapprovals.DatarouterUserRoleApproval;
import io.datarouter.auth.storage.user.roleapprovals.DatarouterUserRoleApprovalDao;
import io.datarouter.auth.storage.user.session.DatarouterSessionDao;
import io.datarouter.auth.storage.user.useraccountmap.BaseDatarouterUserAccountMapDao;
import io.datarouter.auth.storage.user.useraccountmap.DatarouterUserAccountMap;
import io.datarouter.auth.storage.user.useraccountmap.DatarouterUserAccountMapKey;
import io.datarouter.auth.util.PasswordTool;
import io.datarouter.scanner.Scanner;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.Instant;
import java.time.ZoneId;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:io/datarouter/auth/service/DatarouterUserEditService.class */
public class DatarouterUserEditService {
    private static final Logger logger = LoggerFactory.getLogger(DatarouterUserEditService.class);

    @Inject
    private BaseDatarouterUserAccountMapDao userAccountMapDao;

    @Inject
    private DatarouterUserHistoryService userHistoryService;

    @Inject
    private DatarouterSessionDao sessionDao;

    @Inject
    private DatarouterUserService userService;

    @Inject
    private RoleManager roleManager;

    @Inject
    private DatarouterUserRoleApprovalDao userRoleApprovalDao;

    @Inject
    private DatarouterUserDao userDao;

    @Inject
    private PermissionRequestService permissionRequestService;
    private static volatile /* synthetic */ int[] $SWITCH_TABLE$io$datarouter$auth$model$enums$RoleUpdateType;

    /* loaded from: input_file:io/datarouter/auth/service/DatarouterUserEditService$AcquiredRoles.class */
    public static final class AcquiredRoles extends Record {
        private final Set<Role> acquiredRoles;

        public AcquiredRoles(Set<Role> set) {
            this.acquiredRoles = set;
        }

        public Set<Role> acquiredRoles() {
            return this.acquiredRoles;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, AcquiredRoles.class), AcquiredRoles.class, "acquiredRoles", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$AcquiredRoles;->acquiredRoles:Ljava/util/Set;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, AcquiredRoles.class), AcquiredRoles.class, "acquiredRoles", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$AcquiredRoles;->acquiredRoles:Ljava/util/Set;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, AcquiredRoles.class, Object.class), AcquiredRoles.class, "acquiredRoles", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$AcquiredRoles;->acquiredRoles:Ljava/util/Set;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }
    }

    /* loaded from: input_file:io/datarouter/auth/service/DatarouterUserEditService$EditRolesResult.class */
    public static final class EditRolesResult extends Record {
        private final List<UserRoleMetadata> updatedRoles;
        private final List<UserRoleUpdateDto> failedUpdates;

        public EditRolesResult(List<UserRoleMetadata> list, List<UserRoleUpdateDto> list2) {
            this.updatedRoles = list;
            this.failedUpdates = list2;
        }

        public List<UserRoleMetadata> updatedRoles() {
            return this.updatedRoles;
        }

        public List<UserRoleUpdateDto> failedUpdates() {
            return this.failedUpdates;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, EditRolesResult.class), EditRolesResult.class, "updatedRoles;failedUpdates", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$EditRolesResult;->updatedRoles:Ljava/util/List;", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$EditRolesResult;->failedUpdates:Ljava/util/List;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, EditRolesResult.class), EditRolesResult.class, "updatedRoles;failedUpdates", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$EditRolesResult;->updatedRoles:Ljava/util/List;", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$EditRolesResult;->failedUpdates:Ljava/util/List;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, EditRolesResult.class, Object.class), EditRolesResult.class, "updatedRoles;failedUpdates", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$EditRolesResult;->updatedRoles:Ljava/util/List;", "FIELD:Lio/datarouter/auth/service/DatarouterUserEditService$EditRolesResult;->failedUpdates:Ljava/util/List;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }
    }

    public EditRolesResult editRoles(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, List<UserRoleUpdateDto> list, String str) {
        return editRolesHelper(datarouterUser, datarouterUser2, list, str, Scanner.of(this.userService.getRoleMetadataForUser(datarouterUser, datarouterUser2)).toMap((v0) -> {
            return v0.role();
        }));
    }

    public DatarouterUser requestPermissions(DatarouterUser datarouterUser, Set<Role> set, String str, String str2, Optional<String> optional, Optional<String> optional2) {
        Set<Role> acquiredRoles = attemptPermissionRequestSelfServe(datarouterUser, set, str2).acquiredRoles();
        Scanner of = Scanner.of(set);
        acquiredRoles.getClass();
        Set<Role> set2 = (Set) of.exclude((v1) -> {
            return r1.contains(v1);
        }).collect(HashSet::new);
        if (!set2.isEmpty()) {
            this.permissionRequestService.createPermissionRequest(datarouterUser, set2, str, optional, optional2);
        }
        return datarouterUser;
    }

    public AcquiredRoles attemptPermissionRequestSelfServe(DatarouterUser datarouterUser, Set<Role> set, String str) {
        Map<Role, UserRoleMetadata> map = Scanner.of(this.userService.getRoleMetadataForUser(datarouterUser, datarouterUser)).toMap((v0) -> {
            return v0.role();
        });
        return new AcquiredRoles((Set) Scanner.of(editRolesHelper(datarouterUser, datarouterUser, Scanner.of(set).include(role -> {
            return ((UserRoleMetadata) map.get(role)).editorPrioritizedApprovalType().isPresent();
        }).map(role2 -> {
            return new UserRoleUpdateDto(role2.persistentString(), RoleUpdateType.APPROVE);
        }).list(), str, map).updatedRoles()).include((v0) -> {
            return v0.hasRole();
        }).map((v0) -> {
            return v0.role();
        }).collect(HashSet::new));
    }

    public void resetRoles(DatarouterUser datarouterUser) {
        Collection<Role> rolesIgnoreSaml = datarouterUser.getRolesIgnoreSaml();
        logger.info("Resetting roles for user={} from currentRoles={} to defaultRoles={}", new Object[]{rolesIgnoreSaml, datarouterUser.getRolesIgnoreSaml(), this.roleManager.getDefaultRoles()});
        datarouterUser.setRoles(this.roleManager.getDefaultRoles());
        this.userDao.put(datarouterUser);
        this.userHistoryService.recordRoleReset(datarouterUser, "Reset roles from %s to default roles: %s".formatted(rolesIgnoreSaml, this.roleManager.getDefaultRoles()));
    }

    private EditRolesResult editRolesHelper(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, List<UserRoleUpdateDto> list, String str, Map<Role, UserRoleMetadata> map) {
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        ArrayList arrayList3 = new ArrayList();
        for (UserRoleUpdateDto userRoleUpdateDto : list) {
            Optional<Role> findRoleFromPersistentString = this.roleManager.findRoleFromPersistentString(userRoleUpdateDto.roleName());
            if (findRoleFromPersistentString.isEmpty()) {
                logger.warn("Role update attempted for {} by {} for unknown role={}", new Object[]{datarouterUser2.getUsername(), datarouterUser.getUsername(), userRoleUpdateDto.roleName()});
            } else {
                Role role = findRoleFromPersistentString.get();
                UserRoleMetadata userRoleMetadata = map.get(role);
                Optional<UserRoleMetadata> attemptRoleUpdate = attemptRoleUpdate(datarouterUser, datarouterUser2, userRoleMetadata, userRoleUpdateDto.updateType());
                if (attemptRoleUpdate.isPresent()) {
                    UserRoleMetadata userRoleMetadata2 = attemptRoleUpdate.get();
                    map.put(role, userRoleMetadata2);
                    arrayList3.add(userRoleMetadata2);
                    arrayList.add(userRoleMetadata2.getChangeString(userRoleMetadata).orElseThrow(() -> {
                        return new IllegalStateException("Failed to generate change string for update: %s => %s".formatted(datarouterUser2.getUsername(), userRoleUpdateDto));
                    }));
                } else {
                    arrayList2.add(userRoleUpdateDto);
                }
            }
        }
        datarouterUser2.setRoles((Collection) map.entrySet().stream().filter(entry -> {
            return ((UserRoleMetadata) entry.getValue()).hasRole();
        }).map((v0) -> {
            return v0.getKey();
        }).collect(Collectors.toSet()));
        if (!arrayList.isEmpty()) {
            this.userHistoryService.putAndRecordPermissionChange(datarouterUser2, datarouterUser, getRolesChangesString(arrayList), str);
            Scanner each = this.sessionDao.scan().include(datarouterSession -> {
                return datarouterSession.getUserToken().equals(datarouterUser2.getUserToken());
            }).each(datarouterSession2 -> {
                datarouterSession2.setRoles(this.userService.getUserRolesWithSamlGroups(datarouterUser2));
            });
            DatarouterSessionDao datarouterSessionDao = this.sessionDao;
            datarouterSessionDao.getClass();
            each.flush((v1) -> {
                r1.putMulti(v1);
            });
        }
        return new EditRolesResult(arrayList3, arrayList2);
    }

    private String getRolesChangesString(List<String> list) {
        return list.size() == 1 ? "roles updated: [" + ((String) list.getFirst()) + "]" : "roles updated: [" + "\n\t" + String.join(",\n\t", list) + "\n]";
    }

    private Optional<UserRoleMetadata> attemptRoleUpdate(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, UserRoleMetadata userRoleMetadata, RoleUpdateType roleUpdateType) {
        if (userRoleMetadata.isDefaultRole()) {
            throw new IllegalArgumentException("Attempt to %s default role=%s".formatted(roleUpdateType.persistentString, userRoleMetadata.role().persistentString()));
        }
        switch ($SWITCH_TABLE$io$datarouter$auth$model$enums$RoleUpdateType()[roleUpdateType.ordinal()]) {
            case 1:
                return attemptRoleApproval(datarouterUser, datarouterUser2, userRoleMetadata);
            case 2:
                return attemptRoleUnapproval(datarouterUser, datarouterUser2, userRoleMetadata);
            case 3:
                return attemptRoleRevocation(datarouterUser, datarouterUser2, userRoleMetadata);
            default:
                throw new MatchException((String) null, (Throwable) null);
        }
    }

    private Optional<UserRoleMetadata> attemptRoleApproval(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, UserRoleMetadata userRoleMetadata) {
        if (userRoleMetadata.editorPrioritizedApprovalType().isEmpty()) {
            logger.warn("Attempt to approve role={} for user={} which editor={} cannot approve", new Object[]{userRoleMetadata.role(), datarouterUser2.getUsername(), datarouterUser.getUsername()});
            return Optional.empty();
        }
        RoleApprovalType roleApprovalType = userRoleMetadata.editorPrioritizedApprovalType().get();
        if (userRoleMetadata.hasRole()) {
            logger.warn("Attempt to approve already granted role={} for user={} by editor={}", new Object[]{userRoleMetadata.role(), datarouterUser2.getUsername(), datarouterUser.getUsername()});
            return Optional.empty();
        }
        if (userRoleMetadata.requirementStatusByApprovalType().values().stream().anyMatch(roleApprovalRequirementStatus -> {
            return roleApprovalRequirementStatus.currentApprovers().contains(datarouterUser.getUsername());
        })) {
            logger.warn("Attempt to doubly approve role={} for user={} by editor={}", new Object[]{userRoleMetadata.role(), datarouterUser2.getUsername(), datarouterUser.getUsername()});
            return Optional.empty();
        }
        Map map = Scanner.of(userRoleMetadata.requirementStatusByApprovalType().entrySet()).toMap((v0) -> {
            return v0.getKey();
        }, entry -> {
            return new RoleApprovalRequirementStatus(((RoleApprovalRequirementStatus) entry.getValue()).requiredApprovals(), new HashSet(((RoleApprovalRequirementStatus) entry.getValue()).currentApprovers()));
        });
        ((RoleApprovalRequirementStatus) map.get(roleApprovalType)).currentApprovers().add(datarouterUser.getUsername());
        boolean allMatch = map.values().stream().allMatch(roleApprovalRequirementStatus2 -> {
            return roleApprovalRequirementStatus2.requiredApprovals() == roleApprovalRequirementStatus2.currentApprovers().size();
        });
        UserRoleMetadata userRoleMetadata2 = new UserRoleMetadata(userRoleMetadata.role(), allMatch, userRoleMetadata.isDefaultRole(), map, userRoleMetadata.editorPrioritizedApprovalType(), null, null);
        this.userRoleApprovalDao.put(new DatarouterUserRoleApproval(datarouterUser2.getUsername(), userRoleMetadata.role().persistentString(), datarouterUser.getUsername(), Instant.now(), roleApprovalType.persistentString(), null));
        if (allMatch) {
            this.userRoleApprovalDao.setAllRequirementsMetAtForUserRole(datarouterUser2, userRoleMetadata.role().persistentString());
        }
        return Optional.of(userRoleMetadata2);
    }

    private Optional<UserRoleMetadata> attemptRoleUnapproval(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, UserRoleMetadata userRoleMetadata) {
        if (userRoleMetadata.hasRole()) {
            logger.warn("Attempt to unapprove already granted role={} for {} by {}", new Object[]{userRoleMetadata.role(), datarouterUser2.getUsername(), datarouterUser.getUsername()});
            return Optional.empty();
        }
        AtomicBoolean atomicBoolean = new AtomicBoolean(false);
        Map map = (Map) userRoleMetadata.requirementStatusByApprovalType().entrySet().stream().collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, entry -> {
            Set set = (Set) ((RoleApprovalRequirementStatus) entry.getValue()).currentApprovers().stream().filter(str -> {
                return !datarouterUser.getUsername().equals(str);
            }).collect(Collectors.toSet());
            if (!set.equals(((RoleApprovalRequirementStatus) entry.getValue()).currentApprovers())) {
                atomicBoolean.set(true);
            }
            return new RoleApprovalRequirementStatus(((RoleApprovalRequirementStatus) entry.getValue()).requiredApprovals(), set);
        }));
        if (atomicBoolean.get()) {
            this.userRoleApprovalDao.deleteOutstandingApprovals(datarouterUser2, userRoleMetadata.role().persistentString(), datarouterUser);
            return Optional.of(new UserRoleMetadata(userRoleMetadata.role(), false, userRoleMetadata.isDefaultRole(), map, userRoleMetadata.editorPrioritizedApprovalType(), null, null));
        }
        logger.warn("Attempt to unapprove role={} for user={} by editor={} where no approval had previously been given", new Object[]{userRoleMetadata.role(), datarouterUser2.getUsername(), datarouterUser.getUsername()});
        return Optional.empty();
    }

    private Optional<UserRoleMetadata> attemptRoleRevocation(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, UserRoleMetadata userRoleMetadata) {
        if (userRoleMetadata.hasRole()) {
            return Optional.of(new UserRoleMetadata(userRoleMetadata.role(), false, userRoleMetadata.isDefaultRole(), new HashMap(), userRoleMetadata.editorPrioritizedApprovalType(), null, null));
        }
        logger.warn("Attempt by editor={} to revoke role={} which user={} did not have", new Object[]{datarouterUser.getUsername(), userRoleMetadata.role(), datarouterUser2.getUsername()});
        return Optional.empty();
    }

    public void editAccounts(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, Map<String, Boolean> map, String str) {
        this.userHistoryService.putAndRecordPermissionChange(datarouterUser2, datarouterUser, handleAccountChanges(datarouterUser2, (Set) Scanner.of(map.entrySet()).include((v0) -> {
            return v0.getValue();
        }).map((v0) -> {
            return v0.getKey();
        }).map(DatarouterAccountKey::new).collect(HashSet::new)).orElseThrow(), str);
    }

    private Optional<String> handleAccountChanges(DatarouterUser datarouterUser, Set<DatarouterAccountKey> set) {
        Set set2 = (Set) this.userAccountMapDao.scanKeysWithPrefix(new DatarouterUserAccountMapKey(datarouterUser.getId(), null)).collect(HashSet::new);
        Set set3 = (Set) set2.stream().filter(datarouterUserAccountMapKey -> {
            return !set.contains(datarouterUserAccountMapKey.getDatarouterAccountKey());
        }).collect(Collectors.toSet());
        Set set4 = (Set) set.stream().map(datarouterAccountKey -> {
            return new DatarouterUserAccountMap(datarouterUser.getId(), datarouterAccountKey.getAccountName());
        }).filter(datarouterUserAccountMap -> {
            return !set2.contains(datarouterUserAccountMap.getKey());
        }).collect(Collectors.toSet());
        if (set3.isEmpty() && set4.isEmpty()) {
            return Optional.empty();
        }
        if (!set3.isEmpty()) {
            this.userAccountMapDao.deleteMulti(set3);
        }
        if (!set4.isEmpty()) {
            this.userAccountMapDao.putMulti(set4);
        }
        return Optional.of(changeList("account", (Set) Scanner.of(set2).map((v0) -> {
            return v0.getDatarouterAccountKey();
        }).map((v0) -> {
            return v0.getAccountName();
        }).collect(HashSet::new), (Set) Scanner.of(set).map((v0) -> {
            return v0.getAccountName();
        }).collect(HashSet::new)));
    }

    public void updateTimeZone(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, String str) {
        Optional<ZoneId> zoneId = datarouterUser2.getZoneId();
        ZoneId of = ZoneId.of(str);
        if (zoneId.isPresent() && zoneId.get().equals(of)) {
            logger.warn("Attempt to update time zone with same time zone");
        } else {
            datarouterUser2.setZoneId(of);
            this.userHistoryService.putAndRecordTimezoneUpdate(datarouterUser2, datarouterUser, change("timezone", zoneId.map((v0) -> {
                return v0.getId();
            }).orElse(""), of.getId()));
        }
    }

    public void changePassword(DatarouterUser datarouterUser, DatarouterUser datarouterUser2, String str, String str2) {
        updateUserPassword(datarouterUser, str);
        this.userHistoryService.putAndRecordPasswordChange(datarouterUser, datarouterUser2, str2);
    }

    public static String changeList(String str, Set<String> set, Set<String> set2) {
        Scanner of = Scanner.of(set2);
        set.getClass();
        List list = of.exclude((v1) -> {
            return r1.contains(v1);
        }).sort().list();
        Scanner of2 = Scanner.of(set);
        set2.getClass();
        String str2 = generateChangeOutput(list, str, "added") + generateChangeOutput(of2.exclude((v1) -> {
            return r1.contains(v1);
        }).sort().list(), str, "removed");
        return str2.isEmpty() ? "No changes" : str2.trim();
    }

    private static String generateChangeOutput(List<String> list, String str, String str2) {
        if (list.isEmpty()) {
            return "";
        }
        return str + (list.size() > 1 ? "s" : "") + " " + str2 + ": [" + String.join(", ", list) + "] ";
    }

    private void updateUserPassword(DatarouterUser datarouterUser, String str) {
        String generateSalt = PasswordTool.generateSalt();
        String digest = PasswordTool.digest(generateSalt, str);
        datarouterUser.setPasswordSalt(generateSalt);
        datarouterUser.setPasswordDigest(digest);
    }

    private static String change(String str, Object obj, Object obj2) {
        return str + ": " + String.valueOf(obj) + " => " + String.valueOf(obj2);
    }

    static /* synthetic */ int[] $SWITCH_TABLE$io$datarouter$auth$model$enums$RoleUpdateType() {
        int[] iArr = $SWITCH_TABLE$io$datarouter$auth$model$enums$RoleUpdateType;
        if (iArr != null) {
            return iArr;
        }
        int[] iArr2 = new int[RoleUpdateType.valuesCustom().length];
        try {
            iArr2[RoleUpdateType.APPROVE.ordinal()] = 1;
        } catch (NoSuchFieldError unused) {
        }
        try {
            iArr2[RoleUpdateType.REVOKE.ordinal()] = 3;
        } catch (NoSuchFieldError unused2) {
        }
        try {
            iArr2[RoleUpdateType.UNAPPROVE.ordinal()] = 2;
        } catch (NoSuchFieldError unused3) {
        }
        $SWITCH_TABLE$io$datarouter$auth$model$enums$RoleUpdateType = iArr2;
        return iArr2;
    }
}
