package systems.dmx.accountmanagement;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import systems.dmx.accesscontrol.AccessControlService;
import systems.dmx.accesscontrol.AuthorizationMethod;
import systems.dmx.accesscontrol.DeprecatedUserAccountMethods;
import systems.dmx.core.ChildTopics;
import systems.dmx.core.RelatedTopic;
import systems.dmx.core.Topic;
import systems.dmx.core.model.RelatedTopicModel;
import systems.dmx.core.model.SimpleValue;
import systems.dmx.core.model.TopicModel;
import systems.dmx.core.osgi.PluginActivator;
import systems.dmx.core.service.ChangeReport;
import systems.dmx.core.service.CoreService;
import systems.dmx.core.service.Inject;
import systems.dmx.core.service.Transactional;
import systems.dmx.core.service.accesscontrol.Credentials;
import systems.dmx.core.service.accesscontrol.PrivilegedAccess;
import systems.dmx.core.service.accesscontrol.SharingMode;
import systems.dmx.core.service.event.PostDeleteTopic;
import systems.dmx.core.service.event.PostUpdateTopic;
import systems.dmx.core.service.event.PreDeleteTopic;
import systems.dmx.core.service.event.PreUpdateTopic;
import systems.dmx.core.storage.spi.DMXTransaction;
import systems.dmx.workspaces.WorkspacesService;

@Produces({"application/json"})
@Path("/account-management")
@Consumes({"application/json"})
/* loaded from: input_file:systems/dmx/accountmanagement/AccountManagementPlugin.class */
public class AccountManagementPlugin extends PluginActivator implements AccountManagementService, PreDeleteTopic, PreUpdateTopic, PostDeleteTopic, PostUpdateTopic, DeprecatedUserAccountMethods {
    static final Logger logger = Logger.getLogger(AccountManagementPlugin.class.getName());
    private static final String ACCOUNT_MANAGER_NAME = System.getProperty("dmx.accountmanagement.manager", "DMX");
    private static final boolean NEW_ACCOUNTS_ARE_ENABLED = Boolean.parseBoolean(System.getProperty("dmx.security.new_accounts_are_enabled", "true"));
    private static final String SITE_SALT = System.getProperty("dmx.security.site_salt", "");

    @Inject
    WorkspacesService ws;

    @Inject
    AccessControlService accessControlService;
    private final Map<String, AccountManager> accountManagers = new HashMap();

    public void serviceArrived(Object obj) {
        if ((!(obj instanceof AccessControlService) && !(obj instanceof CoreService)) || this.accessControlService == null || this.dmx == null) {
            return;
        }
        registerAccountManager(new DmxAccountManager(this.dmx, this.mf, SITE_SALT));
    }

    public void serviceGone(Object obj) {
        if (obj instanceof AccessControlService) {
            unregisterAccountManager(getAccountManager("DMX"));
        }
    }

    @Override // systems.dmx.accountmanagement.AccountManagementService
    public void registerAccountManager(AccountManager accountManager) {
        this.accountManagers.put(accountManager.name(), accountManager);
        this.accessControlService.registerAuthorizationMethod(accountManager.name(), asAuthorizationMethod(accountManager));
    }

    @Override // systems.dmx.accountmanagement.AccountManagementService
    public void unregisterAccountManager(AccountManager accountManager) {
        this.accessControlService.unregisterAuthorizationMethod(accountManager.name());
        this.accountManagers.remove(accountManager.name());
    }

    @Override // systems.dmx.accountmanagement.AccountManagementService
    public List<String> getAccountManagerNames() {
        return new ArrayList(this.accountManagers.keySet());
    }

    @Override // systems.dmx.accountmanagement.AccountManagementService
    public String getConfiguredAccountManagerName() {
        return ACCOUNT_MANAGER_NAME;
    }

    @Override // systems.dmx.accountmanagement.AccountManagementService
    @POST
    @Path("/user-account")
    @Transactional
    public Topic createUserAccount(Credentials credentials) {
        try {
            this.accessControlService.checkAdmin();
            return _createUserAccount(credentials);
        } catch (Exception e) {
            throw new RuntimeException("Creating user account \"" + credentials.username + "\" failed", e);
        }
    }

    @Override // systems.dmx.accountmanagement.AccountManagementService
    public Topic _createUserAccount(Credentials credentials) {
        String str = credentials.username;
        String str2 = credentials.methodName != null ? credentials.methodName : ACCOUNT_MANAGER_NAME;
        logger.info(String.format("Creating user account '%s' with method '%s'", str, str2));
        Topic createUsernameAndPrivateWorkspace = createUsernameAndPrivateWorkspace(str, str2);
        getAccountManager(str2).createAccount(credentials);
        return createUsernameAndPrivateWorkspace;
    }

    @Deprecated
    public Topic createUsername(String str) {
        return createUsernameAndPrivateWorkspace(str, "DMX");
    }

    @Override // systems.dmx.accountmanagement.AccountManagementService
    public void changePassword(Credentials credentials, Credentials credentials2) {
        getAccountManagerForUsername(this.dmx.getPrivilegedAccess().getUsernameTopic(credentials2.username)).changePassword(credentials, credentials2);
    }

    public void preUpdateTopic(Topic topic, TopicModel topicModel) {
        if (topic.getTypeUri().equals(Constants.USER_ACCOUNT)) {
            RelatedTopicModel topicOrNull = topicModel.getChildTopics().getTopicOrNull(Constants.USERNAME);
            if (topicOrNull != null) {
                String simpleValue = topicOrNull.getSimpleValue().toString();
                String simpleValue2 = topic.getChildTopics().getTopic(Constants.USERNAME).getSimpleValue().toString();
                if (!simpleValue.equals(simpleValue2)) {
                    throw new RuntimeException("A Username can't be changed (tried \"" + simpleValue2 + "\" -> \"" + simpleValue + "\")");
                }
            }
            RelatedTopicModel topicOrNull2 = topicModel.getChildTopics().getTopicOrNull(Constants.PASSWORD);
            if (topicOrNull2 != null) {
                if (topicOrNull2.getSimpleValue().toString().equals("")) {
                    throw new RuntimeException("Password can't be empty");
                }
                long id = this.accessControlService.getPrivateWorkspace().getId();
                topicOrNull2.getChildTopics().setRef("dmx.workspaces.workspace#dmx.workspaces.workspace_assignment", id);
                topicOrNull2.getRelatingAssoc().getChildTopics().setRef("dmx.workspaces.workspace#dmx.workspaces.workspace_assignment", id);
            }
        }
    }

    public void preDeleteTopic(Topic topic) {
        if (topic.getTypeUri().equals(Constants.USERNAME)) {
            getAccountManagerForUsername(topic).onUsernameDeleted(topic.getSimpleValue().toString());
        }
    }

    public void postDeleteTopic(TopicModel topicModel) {
        if (topicModel.getTypeUri().equals(Constants.USERNAME)) {
            String simpleValue = topicModel.getSimpleValue().toString();
            Collection workspacesByOwner = this.accessControlService.getWorkspacesByOwner(simpleValue);
            String username = this.accessControlService.getUsername();
            logger.info("### Transferring ownership of " + workspacesByOwner.size() + " workspaces from \"" + simpleValue + "\" -> \"" + username + "\"");
            Iterator it = workspacesByOwner.iterator();
            while (it.hasNext()) {
                this.accessControlService.setWorkspaceOwner((Topic) it.next(), username);
            }
        }
    }

    public void postUpdateTopic(Topic topic, ChangeReport changeReport, TopicModel topicModel) {
        if (topic.getTypeUri().equals(Constants.USER_ACCOUNT)) {
            ChildTopics childTopics = topic.getChildTopics();
            RelatedTopic topic2 = childTopics.getTopic(Constants.PASSWORD);
            if (changeReport.getChanges(Constants.PASSWORD) != null) {
                this.dmx.getPrivilegedAccess().storePasswordHash(new Credentials(childTopics.getTopic(Constants.USERNAME).getSimpleValue().toString(), topic2.getSimpleValue().toString()), topic2.getModel());
            }
        }
    }

    private AuthorizationMethod asAuthorizationMethod(AccountManager accountManager) {
        return credentials -> {
            CheckCredentialsResult checkCredentials = accountManager.checkCredentials(credentials);
            if (!checkCredentials.success) {
                logger.info(String.format("Credentials check failed for %s", credentials.username));
                return null;
            }
            if (checkCredentials.usernameTopic != null) {
                logger.info(String.format("Credentials check successful and username topic present for %s", credentials.username));
                return checkCredentials.usernameTopic;
            }
            logger.info(String.format("Credentials check successful but lookup or creation required for %s", credentials.username));
            return lookupOrCreateUsernameTopic(credentials.username, accountManager.name());
        };
    }

    private Topic lookupOrCreateUsernameTopic(String str, String str2) {
        Topic usernameTopic = this.accessControlService.getUsernameTopic(str);
        if (usernameTopic != null) {
            return usernameTopic;
        }
        DMXTransaction beginTx = this.dmx.beginTx();
        try {
            Topic createUsernameAndPrivateWorkspace = createUsernameAndPrivateWorkspace(str, str2);
            beginTx.success();
            beginTx.finish();
            return createUsernameAndPrivateWorkspace;
        } catch (Throwable th) {
            beginTx.finish();
            throw th;
        }
    }

    private Topic createUsernameAndPrivateWorkspace(String str, String str2) {
        try {
            logger.info("Creating username topic \"" + str + "\"");
            PrivilegedAccess privilegedAccess = this.dmx.getPrivilegedAccess();
            if (this.dmx.getPrivilegedAccess().getUsernameTopic(str) != null) {
                throw new RuntimeException("Username \"" + str + "\" exists already");
            }
            Topic topic = (Topic) privilegedAccess.runInWorkspaceContext(-1L, () -> {
                return this.dmx.createTopic(this.mf.newTopicModel(Constants.USERNAME, new SimpleValue(str)));
            });
            this.accessControlService.setWorkspaceOwner(this.ws.createWorkspace(AccountManagementService.DEFAULT_PRIVATE_WORKSPACE_NAME, (String) null, SharingMode.PRIVATE), str);
            privilegedAccess.assignToWorkspace(topic, privilegedAccess.getSystemWorkspaceId());
            topic.setProperty("dmx.accountmanager.name", str2, true);
            return topic;
        } catch (Exception e) {
            throw new RuntimeException("Creating username topic \"" + str + "\" failed", e);
        }
    }

    private AccountManager getAccountManager(String str) {
        return this.accountManagers.get(this.accountManagers.containsKey(str) ? str : "DMX");
    }

    private AccountManager getAccountManagerForUsername(Topic topic) {
        return getAccountManager(topic.hasProperty("dmx.accountmanager.name") ? topic.getProperty("dmx.accountmanager.name").toString() : "DMX");
    }

    static {
        logger.info("Security config:\n  dmx.security.new_accounts_are_enabled = " + NEW_ACCOUNTS_ARE_ENABLED);
    }
}
