package io.preboot.auth.core.rest;

import io.preboot.auth.api.UserAccountManagementApi;
import io.preboot.auth.api.dto.CreateInactiveUserAccountRequest;
import io.preboot.auth.api.dto.TenantUserAssignRequest;
import io.preboot.auth.api.dto.UserAccountInfo;
import io.preboot.auth.api.exception.UserAccountNotFoundException;
import io.preboot.auth.api.guard.TenantAdminRoleAccessGuard;
import io.preboot.auth.api.resolver.TenantResolver;
import io.preboot.auth.core.service.TenantUserService;
import io.preboot.auth.core.spring.SessionAwareAuthentication;
import io.preboot.query.SearchParams;
import io.preboot.query.web.SearchRequest;
import jakarta.validation.Valid;
import java.util.Iterator;
import java.util.Set;
import java.util.UUID;
import lombok.Generated;
import org.springframework.data.domain.Page;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RequestMapping({"/api/tenant/users"})
@RestController
/* loaded from: input_file:io/preboot/auth/core/rest/TenantUserAdminController.class */
public class TenantUserAdminController {
    private final UserAccountManagementApi userAccountManagementApi;
    private final TenantResolver tenantResolver;
    private final TenantUserService tenantUserService;

    @PostMapping({"/search"})
    @TenantAdminRoleAccessGuard
    public Page<UserAccountInfo> searchUsers(@Valid @RequestBody SearchRequest searchRequest) {
        UUID currentTenant = this.tenantResolver.getCurrentTenant();
        if (currentTenant == null) {
            throw new IllegalStateException("Current tenant ID is null. Make sure you are authenticated and have selected a tenant.");
        }
        return this.userAccountManagementApi.getUserAccountsInfo(SearchParams.builder().page(searchRequest.page()).size(searchRequest.size()).sortField(searchRequest.sortField()).sortDirection(searchRequest.sortDirection()).filters(searchRequest.filters()).unpaged(searchRequest.unpaged()).build(), currentTenant);
    }

    @GetMapping({"/{userId}"})
    @TenantAdminRoleAccessGuard
    public UserAccountInfo getUser(@PathVariable UUID uuid) {
        return this.userAccountManagementApi.getUserAccount(uuid, this.tenantResolver.getCurrentTenant());
    }

    @PostMapping
    @TenantAdminRoleAccessGuard
    @ResponseStatus(HttpStatus.CREATED)
    public UserAccountInfo createUser(@Valid @RequestBody CreateInactiveUserAccountRequest createInactiveUserAccountRequest) {
        UUID currentTenant = this.tenantResolver.getCurrentTenant();
        this.tenantUserService.validateRoles(createInactiveUserAccountRequest.roles());
        return this.userAccountManagementApi.createUserAccountForTenant(new CreateInactiveUserAccountRequest(createInactiveUserAccountRequest.username(), createInactiveUserAccountRequest.email(), createInactiveUserAccountRequest.language(), createInactiveUserAccountRequest.timezone(), createInactiveUserAccountRequest.roles(), createInactiveUserAccountRequest.permissions(), currentTenant));
    }

    @PutMapping({"/{userId}/roles"})
    @TenantAdminRoleAccessGuard
    public UserAccountInfo updateUserRoles(@PathVariable UUID uuid, @Valid @RequestBody TenantUserAssignRequest tenantUserAssignRequest) {
        UUID currentTenant = this.tenantResolver.getCurrentTenant();
        this.tenantUserService.verifyUserExistsInTenant(uuid, currentTenant);
        if (uuid.equals(getCurrentUserId()) && !tenantUserAssignRequest.roles().contains("ADMIN")) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "Cannot remove your own ADMIN role");
        }
        this.tenantUserService.validateRoles(tenantUserAssignRequest.roles());
        UserAccountInfo userAccount = this.userAccountManagementApi.getUserAccount(uuid, currentTenant);
        userAccount.roles().forEach(str -> {
            this.userAccountManagementApi.removeRole(uuid, currentTenant, str);
        });
        UserAccountInfo userAccountInfo = userAccount;
        Iterator it = tenantUserAssignRequest.roles().iterator();
        while (it.hasNext()) {
            userAccountInfo = this.userAccountManagementApi.addRole(uuid, currentTenant, (String) it.next());
        }
        return userAccountInfo;
    }

    @DeleteMapping({"/{userId}"})
    @TenantAdminRoleAccessGuard
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void removeUser(@PathVariable UUID uuid) {
        UUID currentTenant = this.tenantResolver.getCurrentTenant();
        if (uuid.equals(getCurrentUserId())) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "Cannot remove yourself from the tenant");
        }
        this.userAccountManagementApi.removeUser(uuid, currentTenant);
    }

    @PostMapping({"/{userId}/roles/{roleName}"})
    @TenantAdminRoleAccessGuard
    public UserAccountInfo addRole(@PathVariable UUID uuid, @PathVariable String str) {
        UUID currentTenant = this.tenantResolver.getCurrentTenant();
        this.tenantUserService.verifyUserExistsInTenant(uuid, currentTenant);
        this.tenantUserService.validateRoles(Set.of(str));
        return this.userAccountManagementApi.addRole(uuid, currentTenant, str);
    }

    @DeleteMapping({"/{userId}/roles/{roleName}"})
    @TenantAdminRoleAccessGuard
    public UserAccountInfo removeRole(@PathVariable UUID uuid, @PathVariable String str) {
        UUID currentTenant = this.tenantResolver.getCurrentTenant();
        if (uuid.equals(getCurrentUserId()) && "ADMIN".equals(str)) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "Cannot remove your own ADMIN role");
        }
        this.tenantUserService.verifyUserExistsInTenant(uuid, currentTenant);
        return this.userAccountManagementApi.removeRole(uuid, currentTenant, str);
    }

    private UUID getCurrentUserId() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof SessionAwareAuthentication) {
            return ((UserAccountInfo) authentication.getPrincipal()).uuid();
        }
        throw new IllegalStateException("Unable to determine current user");
    }

    @ExceptionHandler({UserAccountNotFoundException.class})
    public ResponseEntity<String> handleUserAccountNotFoundException(UserAccountNotFoundException userAccountNotFoundException) {
        return ResponseEntity.status(HttpStatus.NOT_FOUND).body(userAccountNotFoundException.getMessage());
    }

    @Generated
    public TenantUserAdminController(UserAccountManagementApi userAccountManagementApi, TenantResolver tenantResolver, TenantUserService tenantUserService) {
        this.userAccountManagementApi = userAccountManagementApi;
        this.tenantResolver = tenantResolver;
        this.tenantUserService = tenantUserService;
    }
}
