package org.openremote.manager.security;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.BeanParam;
import jakarta.ws.rs.ClientErrorException;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.NotAllowedException;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.WebApplicationException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Objects;
import org.openremote.container.security.AuthContext;
import org.openremote.container.security.keycloak.KeycloakIdentityProvider;
import org.openremote.container.timer.TimerService;
import org.openremote.manager.map.MapService;
import org.openremote.manager.mqtt.MQTTBrokerService;
import org.openremote.manager.web.ManagerWebResource;
import org.openremote.model.http.RequestParams;
import org.openremote.model.query.UserQuery;
import org.openremote.model.query.filter.RealmPredicate;
import org.openremote.model.query.filter.StringPredicate;
import org.openremote.model.security.ClientRole;
import org.openremote.model.security.Credential;
import org.openremote.model.security.Role;
import org.openremote.model.security.User;
import org.openremote.model.security.UserResource;
import org.openremote.model.security.UserSession;
import org.openremote.model.util.TextUtil;

/* loaded from: input_file:org/openremote/manager/security/UserResourceImpl.class */
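/**
 * JAX-RS implementation of {@link UserResource}: user, role, credential and session management backed by the
 * identity provider obtained from {@code identityService} and, for sessions, by the {@link MQTTBrokerService}.
 *
 * <p>Parameter naming: across this class {@code str} carries the realm name and {@code str2} the user ID
 * ({@link #getCurrent} passes {@code getRequestRealmName()} and {@code getUserId()} in those positions). A trailing
 * string parameter on the {@code *ClientRoles} methods carries the client identifier.
 *
 * <p>NOTE(review): only the read methods and the master-admin guards perform permission checks in this class.
 * {@link #create}, {@link #update}, {@link #delete}, {@link #resetPassword}, {@link #resetSecret}, the role update
 * methods and {@link #disconnectUserSession} contain no role check of their own; presumably these are restricted by
 * security annotations declared on {@link UserResource}. Confirm this before exposing the resource.
 *
 * <p>NOTE(review): the read checks compare the requested user ID with the caller's ID or require READ_ADMIN, but do
 * not compare the realm argument with the caller's authenticated realm. Confirm that cross-realm access by a
 * non-super user is rejected upstream.
 */
public class UserResourceImpl extends ManagerWebResource implements UserResource {
    protected MQTTBrokerService mqttBrokerService;

    /**
     * @param timerService passed to the {@link ManagerWebResource} constructor
     * @param managerIdentityService passed to the {@link ManagerWebResource} constructor
     * @param mQTTBrokerService broker used to list and disconnect user sessions
     */
    public UserResourceImpl(TimerService timerService, ManagerIdentityService managerIdentityService, MQTTBrokerService mQTTBrokerService) {
        super(timerService, managerIdentityService);
        this.mqttBrokerService = mQTTBrokerService;
    }

    /**
     * Returns whether the caller holds READ_ADMIN or is asking about their own user ID.
     */
    private boolean isReadAdminOrSelf(String userId) {
        return hasResourceRole(ClientRole.READ_ADMIN.getValue(), ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT)
            || Objects.equals(getUserId(), userId);
    }

    /**
     * Runs a user query on behalf of the caller after narrowing it to what the caller may see.
     *
     * @param requestParams request context (unused here)
     * @param userQuery query to run; {@code null} is treated as an empty query. The instance is modified in place.
     * @return the users returned by the identity provider
     * @throws ForbiddenException if the caller has neither READ_ADMIN nor READ_USERS
     * @throws WebApplicationException if the identity provider call fails
     */
    public User[] query(RequestParams requestParams, UserQuery userQuery) {
        AuthContext authContext = getAuthContext();
        boolean readAdmin = authContext.hasResourceRole(ClientRole.READ_ADMIN.getValue(), ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT);
        boolean readUsersOnly = !readAdmin && authContext.hasResourceRole(ClientRole.READ_USERS.getValue(), ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT);
        if (!readAdmin && !readUsersOnly) {
            throw new ForbiddenException("Insufficient permissions to read users");
        }
        if (userQuery == null) {
            userQuery = new UserQuery();
        }
        if (readUsersOnly) {
            // READ_USERS without READ_ADMIN: force the "basic" selection regardless of what the caller asked for.
            if (userQuery.select == null) {
                userQuery.select = new UserQuery.Select();
            }
            userQuery.select.basic(true);
        }
        if (!authContext.isSuperUser()) {
            // Non-super users are pinned to their own realm; any realm predicate supplied by the caller is replaced.
            userQuery.realm(new RealmPredicate(authContext.getAuthenticatedRealmName()));
            // presumably the leading `true` negates the predicate so that accounts carrying the "systemAccount"
            // attribute are excluded; confirm against UserQuery.AttributeValuePredicate
            UserQuery.AttributeValuePredicate systemAccountFilter =
                new UserQuery.AttributeValuePredicate(true, new StringPredicate("systemAccount"), (StringPredicate) null);
            if (userQuery.attributes == null) {
                userQuery.attributes(new UserQuery.AttributeValuePredicate[]{systemAccountFilter});
            } else {
                // Append to the caller's predicates rather than replacing them.
                UserQuery.AttributeValuePredicate[] extended = Arrays.copyOf(userQuery.attributes, userQuery.attributes.length + 1);
                extended[extended.length - 1] = systemAccountFilter;
                userQuery.attributes(extended);
            }
        }
        try {
            return this.identityService.getIdentityProvider().queryUsers(userQuery);
        } catch (ClientErrorException e) {
            // Caught first: ClientErrorException is a subtype of the broader handler below, and its status is kept.
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Fetches a single user by ID.
     *
     * @param requestParams request context (unused here)
     * @param str realm name; not used by this method (see the class-level note on realm checks)
     * @param str2 ID of the user to fetch
     * @return the user returned by the identity provider
     * @throws ForbiddenException if the caller lacks READ_ADMIN and {@code str2} is not the caller's own ID
     * @throws WebApplicationException if the identity provider call fails
     */
    public User get(RequestParams requestParams, String str, String str2) {
        if (!isReadAdminOrSelf(str2)) {
            throw new ForbiddenException("Can only retrieve own user info unless you have role '" + ClientRole.READ_ADMIN + "'");
        }
        try {
            return this.identityService.getIdentityProvider().getUser(str2);
        } catch (ClientErrorException e) {
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Fetches the authenticated caller's own user record.
     *
     * @throws ForbiddenException if the request is not authenticated
     */
    public User getCurrent(RequestParams requestParams) {
        if (!isAuthenticated()) {
            throw new ForbiddenException("Must be authenticated");
        }
        return get(requestParams, getRequestRealmName(), getUserId());
    }

    /**
     * Updates an existing user after checking that the change does not disable the master realm admin.
     *
     * @param str realm name
     * @param user new state of the user
     * @return the user returned by the identity provider
     * @throws WebApplicationException if the mutation is rejected or the identity provider call fails
     */
    public User update(RequestParams requestParams, String str, User user) {
        throwIfIllegalMasterAdminUserMutation(requestParams, str, user);
        try {
            return this.identityService.getIdentityProvider().createUpdateUser(str, user, null, true);
        } catch (ClientErrorException e) {
            // Most specific handler first; a handler placed after its supertype would be unreachable.
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Creates a user in the given realm. This method performs no permission check of its own (see class note).
     *
     * @param str realm name
     * @param user user to create
     * @return the user returned by the identity provider
     * @throws WebApplicationException if the identity provider call fails
     */
    public User create(RequestParams requestParams, String str, User user) {
        try {
            return this.identityService.getIdentityProvider().createUpdateUser(str, user, null, false);
        } catch (ClientErrorException e) {
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Deletes a user, refusing to delete the master realm admin.
     *
     * @param str realm name
     * @param str2 ID of the user to delete
     * @throws WebApplicationException if the deletion is rejected or the identity provider call fails
     */
    public void delete(RequestParams requestParams, String str, String str2) {
        throwIfIllegalMasterAdminUserDeletion(requestParams, str, str2);
        try {
            this.identityService.getIdentityProvider().deleteUser(str, str2);
        } catch (ClientErrorException e) {
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Sets a new password credential for a user. This method performs no permission check of its own and, unlike
     * {@link #update}, applies no master-admin guard (see class note).
     *
     * @param str realm name
     * @param str2 ID of the user
     * @param credential credential handed to the identity provider
     * @throws WebApplicationException if the identity provider call fails
     */
    public void resetPassword(@BeanParam RequestParams requestParams, String str, String str2, Credential credential) {
        try {
            this.identityService.getIdentityProvider().resetPassword(str, str2, credential);
        } catch (ClientErrorException e) {
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Asks the identity provider to reset a user's secret and returns the value it produces. The returned string is
     * sensitive and should not be logged by callers. This method performs no permission check of its own.
     *
     * @param str realm name
     * @param str2 ID of the user
     * @return the value returned by the identity provider's {@code resetSecret}
     * @throws WebApplicationException if the identity provider call fails
     */
    public String resetSecret(RequestParams requestParams, String str, String str2) {
        try {
            return this.identityService.getIdentityProvider().resetSecret(str, str2, null);
        } catch (ClientErrorException e) {
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Returns the caller's roles for the default client.
     */
    public Role[] getCurrentUserRoles(RequestParams requestParams) {
        return getCurrentUserClientRoles(requestParams, ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT);
    }

    /**
     * Returns the caller's roles for the given client.
     *
     * @param str client identifier
     * @throws ForbiddenException if the request is not authenticated
     */
    public Role[] getCurrentUserClientRoles(RequestParams requestParams, String str) {
        if (!isAuthenticated()) {
            throw new ForbiddenException("Must be authenticated");
        }
        return getUserClientRoles(requestParams, getRequestRealmName(), getUserId(), str);
    }

    /**
     * Returns the caller's realm roles.
     *
     * @throws ForbiddenException if the request is not authenticated
     */
    public Role[] getCurrentUserRealmRoles(RequestParams requestParams) {
        if (!isAuthenticated()) {
            throw new ForbiddenException("Must be authenticated");
        }
        return getUserRealmRoles(requestParams, getRequestRealmName(), getUserId());
    }

    /**
     * Returns a user's roles for the default client.
     *
     * @param str realm name
     * @param str2 ID of the user
     */
    public Role[] getUserRoles(RequestParams requestParams, String str, String str2) {
        return getUserClientRoles(requestParams, str, str2, ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT);
    }

    /**
     * Returns a user's roles for the given client.
     *
     * @param str realm name
     * @param str2 ID of the user
     * @param str3 client identifier
     * @throws ForbiddenException if the caller lacks READ_ADMIN and {@code str2} is not the caller's own ID
     * @throws WebApplicationException if the identity provider call fails
     */
    public Role[] getUserClientRoles(@BeanParam RequestParams requestParams, String str, String str2, String str3) {
        if (!isReadAdminOrSelf(str2)) {
            throw new ForbiddenException("Can only retrieve own user roles unless you have role '" + ClientRole.READ_ADMIN + "'");
        }
        try {
            return this.identityService.getIdentityProvider().getUserRoles(str, str2, str3);
        } catch (ClientErrorException e) {
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Returns a user's realm roles.
     *
     * @param str realm name
     * @param str2 ID of the user
     * @throws ForbiddenException if the caller lacks READ_ADMIN and {@code str2} is not the caller's own ID
     * @throws WebApplicationException if the identity provider call fails
     */
    public Role[] getUserRealmRoles(RequestParams requestParams, String str, String str2) {
        if (!isReadAdminOrSelf(str2)) {
            throw new ForbiddenException("Can only retrieve own user roles unless you have role '" + ClientRole.READ_ADMIN + "'");
        }
        try {
            return this.identityService.getIdentityProvider().getUserRealmRoles(str, str2);
        } catch (ClientErrorException e) {
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Replaces a user's roles for the default client.
     *
     * @param str realm name
     * @param str2 ID of the user
     * @param roleArr roles; only those reporting {@code isAssigned()} are applied
     */
    public void updateUserRoles(RequestParams requestParams, String str, String str2, Role[] roleArr) {
        updateUserClientRoles(requestParams, str, str2, roleArr, ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT);
    }

    /**
     * Replaces a user's roles for the given client with the names of the assigned entries in {@code roleArr}.
     * This is a privilege-granting operation and performs no permission check of its own (see class note).
     *
     * @param str realm name
     * @param str2 ID of the user
     * @param roleArr roles; only those reporting {@code isAssigned()} are applied
     * @param str3 client identifier
     * @throws WebApplicationException if the identity provider call fails (a {@code null} array also ends up here)
     */
    public void updateUserClientRoles(@BeanParam RequestParams requestParams, String str, String str2, Role[] roleArr, String str3) {
        try {
            String[] assignedRoleNames = Arrays.stream(roleArr)
                .filter(Role::isAssigned)
                .map(Role::getName)
                .toArray(String[]::new);
            this.identityService.getIdentityProvider().updateUserRoles(str, str2, str3, assignedRoleNames);
        } catch (ClientErrorException e) {
            // NOTE(review): writes the stack trace to stdout, bypassing log levels and redaction; route through the
            // project's logger instead.
            e.printStackTrace(System.out);
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Replaces a user's realm roles with the names of the assigned entries in {@code roleArr}.
     * This is a privilege-granting operation and performs no permission check of its own (see class note).
     *
     * @param str realm name
     * @param str2 ID of the user
     * @param roleArr roles; only those reporting {@code isAssigned()} are applied
     * @throws WebApplicationException if the identity provider call fails (a {@code null} array also ends up here)
     */
    public void updateUserRealmRoles(RequestParams requestParams, String str, String str2, Role[] roleArr) {
        try {
            String[] assignedRoleNames = Arrays.stream(roleArr)
                .filter(Role::isAssigned)
                .map(Role::getName)
                .toArray(String[]::new);
            this.identityService.getIdentityProvider().updateUserRealmRoles(str, str2, assignedRoleNames);
        } catch (ClientErrorException e) {
            // NOTE(review): stack trace goes to stdout; prefer the project's logger.
            e.printStackTrace(System.out);
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Returns the roles defined for the default client in a realm.
     *
     * @param str realm name
     */
    public Role[] getRoles(RequestParams requestParams, String str) {
        return getClientRoles(requestParams, str, ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT);
    }

    /**
     * Returns the roles defined for a client in a realm.
     *
     * @param str realm name
     * @param str2 client identifier
     * @throws WebApplicationException if the identity provider call fails
     */
    public Role[] getClientRoles(RequestParams requestParams, String str, String str2) {
        try {
            return this.identityService.getIdentityProvider().getRoles(str, str2);
        } catch (ClientErrorException e) {
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            throw new WebApplicationException(e);
        }
    }

    /**
     * Updates the role definitions of the default client in a realm.
     *
     * @param str realm name
     * @param roleArr role definitions handed to the identity provider
     */
    public void updateRoles(RequestParams requestParams, String str, Role[] roleArr) {
        updateClientRoles(requestParams, str, roleArr, ManagerKeycloakIdentityProvider.DEFAULT_REALM_KEYCLOAK_THEME_DEFAULT);
    }

    /**
     * Updates the role definitions of a client in a realm. This method performs no permission check of its own.
     *
     * @param str realm name
     * @param roleArr role definitions handed to the identity provider
     * @param str2 client identifier
     * @throws WebApplicationException with the upstream status for a {@link ClientErrorException}
     * @throws NotFoundException for any other failure
     */
    public void updateClientRoles(RequestParams requestParams, String str, Role[] roleArr, String str2) {
        try {
            this.identityService.getIdentityProvider().updateClientRoles(str, str2, roleArr);
        } catch (ClientErrorException e) {
            // NOTE(review): stack trace goes to stdout; prefer the project's logger.
            e.printStackTrace(System.out);
            throw new WebApplicationException(e.getCause(), e.getResponse().getStatus());
        } catch (Exception e) {
            // Every other failure is reported as 404, unlike the sibling methods which wrap it in a
            // WebApplicationException. Kept as is because callers may depend on the status.
            throw new NotFoundException(e);
        }
    }

    /**
     * Stores a new {@code locale} attribute on the caller's own user record.
     *
     * @param str requested locale; double quotes in it are replaced before it is stored
     * @throws BadRequestException if the locale is {@code null} or empty after the replacement
     * @throws NotFoundException if the caller's user record cannot be found
     */
    public void updateCurrentUserLocale(RequestParams requestParams, String str) {
        // Reject null before it is dereferenced, so a missing body gives 400 rather than a NullPointerException.
        if (str == null) {
            throw new BadRequestException("Locale cannot be empty");
        }
        // NOTE(review): the replacement is a MapService constant unrelated to locales, presumably an empty string
        // whose literal was resolved to the wrong symbol; confirm the intended value. The result is otherwise
        // stored unvalidated; consider checking it against the locales the application supports.
        String locale = str.replaceAll("\"", MapService.OR_PATH_PREFIX_DEFAULT);
        if (TextUtil.isNullOrEmpty(locale)) {
            throw new BadRequestException("Locale cannot be empty");
        }
        User current = getCurrent(requestParams);
        if (current == null) {
            throw new NotFoundException("User not found");
        }
        current.setAttribute("locale", locale);
        update(requestParams, getRequestRealmName(), current);
    }

    /**
     * Lists the broker connections of a user as {@link UserSession} records.
     *
     * @param str realm name; not used by this method
     * @param str2 ID of the user whose connections are listed
     * @return one entry per connection reported by the broker service
     * @throws ForbiddenException if the caller lacks READ_ADMIN and {@code str2} is not the caller's own ID
     */
    public UserSession[] getUserSessions(RequestParams requestParams, String str, String str2) {
        if (!isReadAdminOrSelf(str2)) {
            throw new ForbiddenException("Can only retrieve own user sessions unless you have role '" + ClientRole.READ_ADMIN + "'");
        }
        return this.mqttBrokerService.getUserConnections(str2).stream()
            .map(connection -> new UserSession(
                MQTTBrokerService.getConnectionIDString(connection),
                // Fall back to the requested user ID when the connection carries no subject.
                connection.getSubject() != null ? KeycloakIdentityProvider.getSubjectName(connection.getSubject()) : str2,
                connection.getCreationTime(),
                connection.getRemoteAddress()))
            .toArray(UserSession[]::new);
    }

    /**
     * Disconnects a broker session by ID.
     *
     * <p>NOTE(review): neither the realm ({@code str}) nor the owner of the session is checked here, and there is no
     * role check in this method. Confirm that the interface restricts this operation and that a caller cannot
     * disconnect sessions belonging to another realm.
     *
     * @param str realm name; not used by this method
     * @param str2 ID of the session to disconnect
     * @throws NotFoundException if the broker service reports that no such session was disconnected
     */
    public void disconnectUserSession(RequestParams requestParams, String str, String str2) {
        boolean disconnected = this.mqttBrokerService.disconnectSession(str2);
        if (!disconnected) {
            throw new NotFoundException("User session not found");
        }
    }

    /**
     * Rejects deletion of the master realm admin user.
     *
     * <p>A {@code null} realm raises {@link NullPointerException}; that is left in place so the guard fails closed.
     *
     * @param str realm name
     * @param str2 ID of the user about to be deleted
     * @throws WebApplicationException ({@link NotAllowedException}) if the target is the master realm admin
     */
    protected void throwIfIllegalMasterAdminUserDeletion(RequestParams requestParams, String str, String str2) throws WebApplicationException {
        boolean targetsMasterAdmin = str.equals("master") && this.identityService.getIdentityProvider().isMasterRealmAdmin(str2);
        if (targetsMasterAdmin) {
            // NOTE(review): this looks like the NotAllowedException(String allowed, String... moreAllowed) overload,
            // which would put the text into the Allow header rather than the message; confirm.
            throw new NotAllowedException("The master realm admin user cannot be deleted", new String[0]);
        }
    }

    /**
     * Rejects an update that would leave the master realm admin user disabled.
     *
     * <p>Only the {@code enabled} flag is inspected; other changes to the master admin are not restricted here.
     * A {@code null} realm or user raises {@link NullPointerException}, which keeps the guard failing closed.
     *
     * @param str realm name
     * @param user new state of the user
     * @throws WebApplicationException ({@link NotAllowedException}) if the update disables the master realm admin
     */
    protected void throwIfIllegalMasterAdminUserMutation(RequestParams requestParams, String str, User user) throws WebApplicationException {
        boolean targetsMasterAdmin = str.equals("master") && this.identityService.getIdentityProvider().isMasterRealmAdmin(user.getId());
        if (!targetsMasterAdmin) {
            return;
        }
        // A missing enabled flag is treated the same as false.
        if (user.getEnabled() == null || !user.getEnabled().booleanValue()) {
            // NOTE(review): same overload question as in throwIfIllegalMasterAdminUserDeletion.
            throw new NotAllowedException("The master realm admin user cannot be disabled", new String[0]);
        }
    }
}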
