package org.craftercms.studio.impl.v2.service.security.internal;

import com.google.common.cache.Cache;
import com.nulabinc.zxcvbn.Zxcvbn;
import java.beans.ConstructorProperties;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.MapUtils;
import org.apache.commons.lang3.StringUtils;
import org.craftercms.commons.crypto.CryptoException;
import org.craftercms.commons.crypto.CryptoUtils;
import org.craftercms.commons.crypto.TextEncryptor;
import org.craftercms.commons.entitlements.exception.EntitlementException;
import org.craftercms.commons.entitlements.model.EntitlementType;
import org.craftercms.commons.entitlements.validator.EntitlementValidator;
import org.craftercms.studio.api.v1.constant.StudioConstants;
import org.craftercms.studio.api.v1.exception.ServiceLayerException;
import org.craftercms.studio.api.v1.exception.SiteNotFoundException;
import org.craftercms.studio.api.v1.exception.security.AuthenticationException;
import org.craftercms.studio.api.v1.exception.security.GroupNotFoundException;
import org.craftercms.studio.api.v1.exception.security.PasswordDoesNotMatchException;
import org.craftercms.studio.api.v1.exception.security.UserAlreadyExistsException;
import org.craftercms.studio.api.v1.exception.security.UserExternallyManagedException;
import org.craftercms.studio.api.v1.exception.security.UserNotFoundException;
import org.craftercms.studio.api.v1.service.GeneralLockService;
import org.craftercms.studio.api.v2.dal.AuditLog;
import org.craftercms.studio.api.v2.dal.AuditLogConstants;
import org.craftercms.studio.api.v2.dal.AuditLogParameter;
import org.craftercms.studio.api.v2.dal.Group;
import org.craftercms.studio.api.v2.dal.QueryParameterNames;
import org.craftercms.studio.api.v2.dal.RetryingDatabaseOperationFacade;
import org.craftercms.studio.api.v2.dal.Site;
import org.craftercms.studio.api.v2.dal.User;
import org.craftercms.studio.api.v2.dal.UserDAO;
import org.craftercms.studio.api.v2.dal.security.NormalizedGroup;
import org.craftercms.studio.api.v2.dal.security.NormalizedRole;
import org.craftercms.studio.api.v2.event.user.UserUpdatedEvent;
import org.craftercms.studio.api.v2.event.user.UsersDeletedEvent;
import org.craftercms.studio.api.v2.exception.PasswordRequirementsFailedException;
import org.craftercms.studio.api.v2.exception.security.ActionsDeniedException;
import org.craftercms.studio.api.v2.service.audit.AuditService;
import org.craftercms.studio.api.v2.service.config.ConfigurationService;
import org.craftercms.studio.api.v2.service.security.GroupService;
import org.craftercms.studio.api.v2.service.security.SecurityService;
import org.craftercms.studio.api.v2.service.security.UserService;
import org.craftercms.studio.api.v2.service.site.SitesService;
import org.craftercms.studio.api.v2.service.system.InstanceService;
import org.craftercms.studio.api.v2.utils.StudioConfiguration;
import org.craftercms.studio.impl.v1.repository.git.GitContentRepositoryConstants;
import org.craftercms.studio.impl.v1.web.security.access.StudioAbstractAccessDecisionVoter;
import org.craftercms.studio.impl.v2.security.password.ForgotPasswordTaskFactory;
import org.craftercms.studio.impl.v2.utils.security.SecurityUtils;
import org.craftercms.studio.model.AuthenticatedUser;
import org.craftercms.studio.model.rest.UserResponse;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.core.task.TaskExecutor;
import org.springframework.lang.NonNull;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;

/* loaded from: input_file:org/craftercms/studio/impl/v2/service/security/internal/UserServiceInternalImpl.class */
public class UserServiceInternalImpl implements UserService, ApplicationEventPublisherAware {
    private static final Logger logger = LoggerFactory.getLogger(UserServiceInternalImpl.class);
    private static final String TOKEN_DELIMITER = "|";
    private final UserDAO userDao;
    private final ConfigurationService configurationService;
    private final StudioConfiguration studioConfiguration;
    private final SitesService siteService;
    private final RetryingDatabaseOperationFacade retryingDatabaseOperationFacade;
    private final Cache<String, User> userCache;
    private final Zxcvbn zxcvbn;
    private final AuditService auditService;
    private final EntitlementValidator entitlementValidator;
    private final TaskExecutor taskExecutor;
    private final ObjectFactory<ForgotPasswordTaskFactory> forgotPasswordTaskFactory;
    private final TextEncryptor encryptor;
    private final InstanceService instanceService;
    private final SecurityService securityService;
    private final GeneralLockService generalLockService;
    private final GroupService groupService;
    private final SessionRegistry sessionRegistry;
    private ApplicationEventPublisher eventPublisher;

    @ConstructorProperties({"userDao", "configurationService", "studioConfiguration", "siteService", "retryingDatabaseOperationFacade", "userCache", "zxcvbn", "auditService", "entitlementValidator", "taskExecutor", "forgotPasswordTaskFactory", "encryptor", "instanceService", "securityService", "generalLockService", "groupService", "sessionRegistry"})
    public UserServiceInternalImpl(UserDAO userDAO, ConfigurationService configurationService, StudioConfiguration studioConfiguration, SitesService sitesService, RetryingDatabaseOperationFacade retryingDatabaseOperationFacade, Cache<String, User> cache, Zxcvbn zxcvbn, AuditService auditService, EntitlementValidator entitlementValidator, TaskExecutor taskExecutor, ObjectFactory<ForgotPasswordTaskFactory> objectFactory, TextEncryptor textEncryptor, InstanceService instanceService, SecurityService securityService, GeneralLockService generalLockService, GroupService groupService, SessionRegistry sessionRegistry) {
        this.userDao = userDAO;
        this.configurationService = configurationService;
        this.studioConfiguration = studioConfiguration;
        this.siteService = sitesService;
        this.retryingDatabaseOperationFacade = retryingDatabaseOperationFacade;
        this.userCache = cache;
        this.zxcvbn = zxcvbn;
        this.auditService = auditService;
        this.entitlementValidator = entitlementValidator;
        this.taskExecutor = taskExecutor;
        this.forgotPasswordTaskFactory = objectFactory;
        this.encryptor = textEncryptor;
        this.instanceService = instanceService;
        this.securityService = securityService;
        this.generalLockService = generalLockService;
        this.groupService = groupService;
        this.sessionRegistry = sessionRegistry;
    }

    protected void invalidateCache(String str) {
        this.userCache.invalidate(str);
    }

    protected void invalidateCache(List<String> list) {
        this.userCache.invalidateAll(list);
    }

    protected void invalidateCache(Collection<User> collection) {
        invalidateCache((List<String>) collection.stream().map((v0) -> {
            return v0.getUsername();
        }).collect(Collectors.toList()));
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    @NonNull
    public User getUserByIdOrUsername(long j, String str) throws ServiceLayerException, UserNotFoundException {
        HashMap hashMap = new HashMap();
        hashMap.put("userId", Long.valueOf(j));
        hashMap.put("username", str);
        try {
            User userByIdOrUsername = this.userDao.getUserByIdOrUsername(hashMap);
            if (userByIdOrUsername == null) {
                throw new UserNotFoundException("No user found for username '" + str + "' or id '" + j + "'");
            }
            return userByIdOrUsername;
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<User> getUsersByIdOrUsername(List<Long> list, List<String> list2) throws ServiceLayerException, UserNotFoundException {
        LinkedList linkedList = new LinkedList();
        Iterator<Long> it = list.iterator();
        while (it.hasNext()) {
            linkedList.add(getUserByIdOrUsername(it.next().longValue(), StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH));
        }
        for (String str : list2) {
            if (str != null && linkedList.stream().filter(user -> {
                return user.getUsername().equals(str);
            }).findFirst().isEmpty()) {
                linkedList.add(getUserByIdOrUsername(-1L, str));
            }
        }
        return linkedList;
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public Collection<User> getAllUsersForSite(long j, String str, String str2, int i, int i2, String str3) throws ServiceLayerException {
        try {
            return this.userDao.getAllUsersForSite(this.configurationService.getSiteGroups(str).stream().map((v0) -> {
                return v0.toString();
            }).toList(), str2, i, i2, str3);
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public Collection<User> getAllUsers(String str, int i, int i2, String str2) throws ServiceLayerException {
        try {
            return this.userDao.getAllUsers(str, i, i2, str2);
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public int getAllUsersForSiteTotal(long j, String str, String str2) throws ServiceLayerException {
        try {
            return this.userDao.getAllUsersForSiteTotal(this.configurationService.getSiteGroups(str).stream().map((v0) -> {
                return v0.toString();
            }).toList(), str2);
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public int getAllUsersTotal(String str) throws ServiceLayerException {
        try {
            return this.userDao.getAllUsersTotal(str);
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public User createUser(User user) throws UserAlreadyExistsException, ServiceLayerException {
        try {
            this.entitlementValidator.validateEntitlement(EntitlementType.USER, 1);
            if (userExists(user.getUsername())) {
                throw new UserAlreadyExistsException(String.format("User '%s' already exists", user.getUsername()));
            }
            if (!user.isExternallyManaged() && !verifyPasswordRequirements(user.getPassword())) {
                throw new PasswordRequirementsFailedException();
            }
            HashMap hashMap = new HashMap();
            hashMap.put("username", user.getUsername());
            hashMap.put(QueryParameterNames.PASSWORD, CryptoUtils.hashPassword(user.getPassword()));
            hashMap.put(QueryParameterNames.FIRST_NAME, user.getFirstName());
            hashMap.put(QueryParameterNames.LAST_NAME, user.getLastName());
            hashMap.put("email", user.getEmail());
            hashMap.put(QueryParameterNames.EXTERNALLY_MANAGED, Integer.valueOf(user.getExternallyManagedAsInt()));
            hashMap.put(QueryParameterNames.TIMEZONE, StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH);
            hashMap.put("locale", StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH);
            hashMap.put("enabled", Integer.valueOf(user.getEnabledAsInt()));
            try {
                this.retryingDatabaseOperationFacade.retry(() -> {
                    return Integer.valueOf(this.userDao.createUser(hashMap));
                });
                user.setId(((Long) hashMap.get("id")).longValue());
                Site site = this.siteService.getSite(this.studioConfiguration.getProperty(StudioConfiguration.CONFIGURATION_GLOBAL_SYSTEM_SITE));
                AuditLog createAuditLogEntry = AuditLog.createAuditLogEntry();
                createAuditLogEntry.setOperation(AuditLogConstants.OPERATION_CREATE);
                createAuditLogEntry.setSiteId(site.getId());
                createAuditLogEntry.setActorId(SecurityUtils.getCurrentUsername());
                createAuditLogEntry.setPrimaryTargetId(user.getUsername());
                createAuditLogEntry.setPrimaryTargetType(AuditLogConstants.TARGET_TYPE_USER);
                createAuditLogEntry.setPrimaryTargetValue(user.getUsername());
                this.auditService.insertAuditLog(createAuditLogEntry);
                return user;
            } catch (Exception e) {
                throw new ServiceLayerException("Unknown database error", e);
            }
        } catch (EntitlementException e2) {
            throw new ServiceLayerException("Unable to complete request due to entitlement limits. Please contact your system administrator.", e2);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public boolean userExists(String str) throws ServiceLayerException {
        return userExists(-1L, str);
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public boolean userExists(long j, String str) throws ServiceLayerException {
        HashMap hashMap = new HashMap();
        hashMap.put("userId", Long.valueOf(j));
        hashMap.put("username", str);
        try {
            return this.userDao.userExists(hashMap).intValue() > 0;
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public void updateUser(User user) throws UserNotFoundException, ServiceLayerException, UserExternallyManagedException {
        User userByIdOrUsername = getUserByIdOrUsername(user.getId(), user.getUsername() != null ? user.getUsername() : StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH);
        HashMap hashMap = new HashMap();
        hashMap.put("userId", Long.valueOf(userByIdOrUsername.getId()));
        hashMap.put(QueryParameterNames.FIRST_NAME, user.getFirstName());
        hashMap.put(QueryParameterNames.LAST_NAME, user.getLastName());
        hashMap.put("email", user.getEmail());
        hashMap.put("enabled", Boolean.valueOf(user.isEnabled()));
        hashMap.put(QueryParameterNames.TIMEZONE, StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH);
        hashMap.put("locale", StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH);
        try {
            this.retryingDatabaseOperationFacade.retry(() -> {
                return Integer.valueOf(this.userDao.updateUser(hashMap));
            });
            invalidateCache(userByIdOrUsername.getUsername());
            this.eventPublisher.publishEvent(new UserUpdatedEvent(userByIdOrUsername.getId()));
            User userByIdOrUsername2 = getUserByIdOrUsername(user.getId(), StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH);
            Site site = this.siteService.getSite(this.studioConfiguration.getProperty(StudioConfiguration.CONFIGURATION_GLOBAL_SYSTEM_SITE));
            AuditLog createAuditLogEntry = AuditLog.createAuditLogEntry();
            createAuditLogEntry.setOperation(AuditLogConstants.OPERATION_UPDATE);
            createAuditLogEntry.setSiteId(site.getId());
            createAuditLogEntry.setActorId(SecurityUtils.getCurrentUsername());
            createAuditLogEntry.setPrimaryTargetId(userByIdOrUsername2.getUsername());
            createAuditLogEntry.setPrimaryTargetType(AuditLogConstants.TARGET_TYPE_USER);
            createAuditLogEntry.setPrimaryTargetValue(userByIdOrUsername2.getUsername());
            this.auditService.insertAuditLog(createAuditLogEntry);
        } catch (Exception e) {
            throw new ServiceLayerException("Failed to update user", e);
        }
    }

    private void auditDeleteUsers(List<User> list) throws SiteNotFoundException {
        Site site = this.siteService.getSite(this.studioConfiguration.getProperty(StudioConfiguration.CONFIGURATION_GLOBAL_SYSTEM_SITE));
        AuditLog createAuditLogEntry = AuditLog.createAuditLogEntry();
        createAuditLogEntry.setOperation(AuditLogConstants.OPERATION_DELETE);
        createAuditLogEntry.setSiteId(site.getId());
        createAuditLogEntry.setActorId(SecurityUtils.getCurrentUsername());
        createAuditLogEntry.setPrimaryTargetId(site.getSiteId());
        createAuditLogEntry.setPrimaryTargetType(AuditLogConstants.TARGET_TYPE_USER);
        createAuditLogEntry.setPrimaryTargetValue(site.getName());
        ArrayList arrayList = new ArrayList();
        for (User user : list) {
            AuditLogParameter auditLogParameter = new AuditLogParameter();
            auditLogParameter.setTargetId(Long.toString(user.getId()));
            auditLogParameter.setTargetType(AuditLogConstants.TARGET_TYPE_USER);
            auditLogParameter.setTargetValue(user.getUsername());
            arrayList.add(auditLogParameter);
        }
        createAuditLogEntry.setParameters(arrayList);
        this.auditService.insertAuditLog(createAuditLogEntry);
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public void deleteUsers(List<Long> list, List<String> list2) throws UserNotFoundException, ServiceLayerException, AuthenticationException, UserExternallyManagedException {
        AuthenticatedUser currentUser = SecurityUtils.getCurrentUser();
        if (CollectionUtils.containsAny(list, List.of(Long.valueOf(currentUser.getId()))) || CollectionUtils.containsAny(list2, List.of(currentUser.getUsername()))) {
            throw new ServiceLayerException("Cannot delete self.");
        }
        User userByIdOrUsername = getUserByIdOrUsername(-1L, GitContentRepositoryConstants.GIT_REPO_USER_USERNAME);
        if (CollectionUtils.containsAny(list, List.of(Long.valueOf(userByIdOrUsername.getId()))) || CollectionUtils.containsAny(list2, List.of(userByIdOrUsername.getUsername()))) {
            throw new ServiceLayerException("Cannot delete generic Git Repo User.");
        }
        this.generalLockService.lock(StudioConstants.REMOVE_SYSTEM_ADMIN_MEMBER_LOCK);
        try {
            ensureSystemAdminNotEmpty(list, list2);
            List<User> doDeleteUsers = doDeleteUsers(list, list2);
            cleanUpAfterUsersDelete(doDeleteUsers);
            auditDeleteUsers(doDeleteUsers);
            this.generalLockService.unlock(StudioConstants.REMOVE_SYSTEM_ADMIN_MEMBER_LOCK);
        } catch (Throwable th) {
            this.generalLockService.unlock(StudioConstants.REMOVE_SYSTEM_ADMIN_MEMBER_LOCK);
            throw th;
        }
    }

    private void ensureSystemAdminNotEmpty(List<Long> list, List<String> list2) throws ServiceLayerException {
        try {
            List<User> groupMembers = this.groupService.getGroupMembers(this.groupService.getGroupByName("system_admin").getId(), 0, Integer.MAX_VALUE, StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH);
            if (CollectionUtils.isNotEmpty(groupMembers)) {
                LinkedList linkedList = new LinkedList(groupMembers);
                groupMembers.forEach(user -> {
                    if (CollectionUtils.isNotEmpty(list) && list.contains(Long.valueOf(user.getId()))) {
                        linkedList.remove(user);
                    }
                    if (CollectionUtils.isNotEmpty(list2) && list2.contains(user.getUsername())) {
                        linkedList.remove(user);
                    }
                });
                if (CollectionUtils.isEmpty(linkedList)) {
                    throw new ServiceLayerException("Removing all members of the System Admin group is not allowed. We must have at least one system administrator.");
                }
            }
        } catch (GroupNotFoundException e) {
            throw new ServiceLayerException("Failed to delete users. System Admin group not found", e);
        }
    }

    private void cleanUpAfterUsersDelete(List<User> list) {
        logger.debug("Search the current sessions for deleted users '{}'", list);
        ((Set) this.sessionRegistry.getAllPrincipals().stream().map(obj -> {
            return (AuthenticatedUser) obj;
        }).filter(authenticatedUser -> {
            return list.stream().anyMatch(user -> {
                return authenticatedUser.getId() == user.getId();
            });
        }).collect(Collectors.toSet())).forEach(authenticatedUser2 -> {
            this.sessionRegistry.getAllSessions(authenticatedUser2, false).forEach(sessionInformation -> {
                logger.debug("Invalidate the session '{}' for user '{}'", sessionInformation.getSessionId(), authenticatedUser2.getUsername());
                sessionInformation.expireNow();
            });
        });
        logger.debug("Trigger event so tokens are removed for deleted users '{}", list);
        this.eventPublisher.publishEvent(new UsersDeletedEvent(list.stream().map((v0) -> {
            return v0.getId();
        }).toList()));
    }

    private List<User> doDeleteUsers(List<Long> list, List<String> list2) throws UserNotFoundException, ServiceLayerException {
        List<User> usersByIdOrUsername = getUsersByIdOrUsername(list, list2);
        List list3 = (List) usersByIdOrUsername.stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toList());
        HashMap hashMap = new HashMap();
        hashMap.put(QueryParameterNames.USER_IDS, list3);
        try {
            this.retryingDatabaseOperationFacade.retry(() -> {
                return Integer.valueOf(this.userDao.deleteUsers(hashMap));
            });
            invalidateCache(usersByIdOrUsername);
            this.retryingDatabaseOperationFacade.retry(() -> {
                this.userDao.deleteUserPropertiesByUserIds(list3);
            });
            return usersByIdOrUsername;
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<User> enableUsers(List<Long> list, List<String> list2, boolean z) throws ServiceLayerException, UserNotFoundException {
        List<User> usersByIdOrUsername = getUsersByIdOrUsername(list, list2);
        HashMap hashMap = new HashMap();
        hashMap.put(QueryParameterNames.USER_IDS, usersByIdOrUsername.stream().map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toList()));
        hashMap.put("enabled", Integer.valueOf(z ? 1 : 0));
        try {
            this.retryingDatabaseOperationFacade.retry(() -> {
                return Integer.valueOf(this.userDao.enableUsers(hashMap));
            });
            invalidateCache(usersByIdOrUsername);
            Site site = this.siteService.getSite(this.studioConfiguration.getProperty(StudioConfiguration.CONFIGURATION_GLOBAL_SYSTEM_SITE));
            AuditLog createAuditLogEntry = AuditLog.createAuditLogEntry();
            createAuditLogEntry.setSiteId(site.getId());
            if (z) {
                createAuditLogEntry.setOperation(AuditLogConstants.OPERATION_ENABLE);
            } else {
                createAuditLogEntry.setOperation(AuditLogConstants.OPERATION_DISABLE);
            }
            createAuditLogEntry.setActorId(SecurityUtils.getCurrentUsername());
            createAuditLogEntry.setPrimaryTargetId(site.getSiteId());
            createAuditLogEntry.setPrimaryTargetType(AuditLogConstants.TARGET_TYPE_USER);
            createAuditLogEntry.setPrimaryTargetValue(site.getName());
            ArrayList arrayList = new ArrayList();
            for (User user : usersByIdOrUsername) {
                AuditLogParameter auditLogParameter = new AuditLogParameter();
                auditLogParameter.setTargetId(Long.toString(user.getId()));
                auditLogParameter.setTargetType(AuditLogConstants.TARGET_TYPE_USER);
                auditLogParameter.setTargetValue(user.getUsername());
                arrayList.add(auditLogParameter);
            }
            createAuditLogEntry.setParameters(arrayList);
            this.auditService.insertAuditLog(createAuditLogEntry);
            return getUsersByIdOrUsername(list, list2);
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<Group> getUserGroups(long j, String str) throws UserNotFoundException, ServiceLayerException {
        return getUserGroups(j, str, false);
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<Group> getUserGroups(long j, String str, boolean z) throws UserNotFoundException, ServiceLayerException {
        if (!userExists(j, str)) {
            throw new UserNotFoundException("No user found for username '" + str + "' or id '" + j + "'");
        }
        HashMap hashMap = new HashMap();
        hashMap.put("userId", Long.valueOf(j));
        hashMap.put("username", str);
        if (z) {
            hashMap.put(QueryParameterNames.EXTERNALLY_MANAGED, true);
        }
        try {
            return this.userDao.getUserGroups(hashMap);
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public UserResponse changePassword(String str, String str2, String str3) throws PasswordDoesNotMatchException, UserExternallyManagedException, ServiceLayerException, AuthenticationException, UserNotFoundException {
        AuthenticatedUser currentUser = SecurityUtils.getCurrentUser();
        if (currentUser == null || !StringUtils.equals(str, currentUser.getUsername())) {
            throw new ActionsDeniedException("Cannot change password: current logged in user does not match provided username");
        }
        try {
            User userByIdOrUsername = getUserByIdOrUsername(-1L, str);
            if (userByIdOrUsername.isExternallyManaged()) {
                throw new UserExternallyManagedException();
            }
            if (!CryptoUtils.matchPassword(userByIdOrUsername.getPassword(), str2)) {
                throw new PasswordDoesNotMatchException();
            }
            if (!verifyPasswordRequirements(str3)) {
                throw new PasswordRequirementsFailedException();
            }
            String hashPassword = CryptoUtils.hashPassword(str3);
            HashMap hashMap = new HashMap();
            hashMap.put("username", str);
            hashMap.put(QueryParameterNames.PASSWORD, hashPassword);
            this.retryingDatabaseOperationFacade.retry(() -> {
                return Integer.valueOf(this.userDao.setUserPassword(hashMap));
            });
            invalidateCache(str);
            return new UserResponse(getUserByIdOrUsername(-1L, str));
        } catch (RuntimeException e) {
            throw new ServiceLayerException("Failed to change user password", e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public boolean resetPassword(String str, String str2) throws UserNotFoundException, ServiceLayerException {
        if (!userExists(str)) {
            throw new UserNotFoundException();
        }
        if (!verifyPasswordRequirements(str2)) {
            throw new PasswordRequirementsFailedException("User password does not fulfill requirements");
        }
        HashMap hashMap = new HashMap();
        hashMap.put("userId", -1);
        hashMap.put("username", str);
        try {
            if (this.userDao.getUserByIdOrUsername(hashMap).isExternallyManaged()) {
                throw new UserExternallyManagedException();
            }
            String hashPassword = CryptoUtils.hashPassword(str2);
            HashMap hashMap2 = new HashMap();
            hashMap2.put("username", str);
            hashMap2.put(QueryParameterNames.PASSWORD, hashPassword);
            this.retryingDatabaseOperationFacade.retry(() -> {
                return Integer.valueOf(this.userDao.setUserPassword(hashMap2));
            });
            invalidateCache(str);
            return true;
        } catch (Exception e) {
            throw new ServiceLayerException("Unknown database error", e);
        }
    }

    private boolean verifyPasswordRequirements(String str) {
        return this.zxcvbn.measure(str).getScore() >= getPasswordRequirementMinimumComplexity();
    }

    private int getPasswordRequirementMinimumComplexity() {
        return Integer.parseInt(this.studioConfiguration.getProperty(StudioConfiguration.SECURITY_PASSWORD_REQUIREMENTS_MINIMUM_COMPLEXITY));
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public User getUserByGitName(String str) throws ServiceLayerException, UserNotFoundException {
        User userByGitName = this.userDao.getUserByGitName(str);
        if (Objects.isNull(userByGitName)) {
            logger.info("Git user '{}' was not found in the database", str);
            userByGitName = getUserByIdOrUsername(-1L, GitContentRepositoryConstants.GIT_REPO_USER_USERNAME);
        }
        return userByGitName;
    }

    protected Map<String, String> getUserProperties(User user, long j) {
        return (Map) this.userDao.getUserProperties(user.getId(), j).stream().collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
    }

    protected String getGlobalSiteName() {
        return this.studioConfiguration.getProperty(StudioConfiguration.CONFIGURATION_GLOBAL_SYSTEM_SITE);
    }

    protected String getActualSiteId(String str) {
        return StringUtils.isEmpty(str) ? getGlobalSiteName() : str;
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public Map<String, Map<String, String>> getUserProperties(String str) throws ServiceLayerException {
        long id = this.siteService.getSite(getActualSiteId(str)).getId();
        String currentUsername = SecurityUtils.getCurrentUsername();
        try {
            return Collections.singletonMap(str, getUserProperties(getUserByIdOrUsername(0L, currentUsername), id));
        } catch (UserNotFoundException e) {
            logger.error("Failed to get the current user with username '{}' in site '{}'", new Object[]{currentUsername, str, e});
            return null;
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public Map<String, String> updateUserProperties(String str, Map<String, String> map) throws ServiceLayerException {
        long id = this.siteService.getSite(getActualSiteId(str)).getId();
        String currentUsername = SecurityUtils.getCurrentUsername();
        try {
            User userByIdOrUsername = getUserByIdOrUsername(0L, currentUsername);
            this.retryingDatabaseOperationFacade.retry(() -> {
                this.userDao.updateUserProperties(userByIdOrUsername.getId(), id, map);
            });
            return getUserProperties(userByIdOrUsername, id);
        } catch (UserNotFoundException e) {
            logger.error("Failed to get the current user with username '{}' in site '{}'", new Object[]{currentUsername, str, e});
            return null;
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public Map<String, String> deleteUserProperties(String str, List<String> list) throws ServiceLayerException {
        long id = this.siteService.getSite(getActualSiteId(str)).getId();
        String currentUsername = SecurityUtils.getCurrentUsername();
        try {
            User userByIdOrUsername = getUserByIdOrUsername(0L, currentUsername);
            this.retryingDatabaseOperationFacade.retry(() -> {
                this.userDao.deleteUserProperties(userByIdOrUsername.getId(), id, list);
            });
            return getUserProperties(userByIdOrUsername, id);
        } catch (UserNotFoundException e) {
            logger.error("Failed to get the current user with username '{}' in site '{}'", new Object[]{currentUsername, str, e});
            return null;
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public boolean isSystemAdmin(String str) {
        try {
            Collection<NormalizedRole> userGlobalRoles = getUserGlobalRoles(str);
            boolean z = false;
            if (CollectionUtils.isNotEmpty(userGlobalRoles)) {
                Iterator<NormalizedRole> it = userGlobalRoles.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if (it.next().equals(StudioConstants.SYSTEM_ADMIN_NORMALIZED_ROLE)) {
                        z = true;
                        break;
                    }
                }
            }
            return z;
        } catch (ServiceLayerException e) {
            logger.warn("Failed to get site membership for user '{}'", str, e);
            return false;
        } catch (UserNotFoundException e2) {
            logger.info("Failed to find user '{}'", str, e2);
            return false;
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public Collection<NormalizedRole> getUserGlobalRoles(String str) throws ServiceLayerException, UserNotFoundException {
        List<Group> userGroups = getUserGroups(-1L, str);
        if (CollectionUtils.isEmpty(userGroups)) {
            return Collections.emptyList();
        }
        Map<NormalizedGroup, List<NormalizedRole>> globalRoleMappings = this.configurationService.getGlobalRoleMappings();
        return !MapUtils.isNotEmpty(globalRoleMappings) ? Collections.emptyList() : (Collection) userGroups.stream().flatMap(group -> {
            return ((List) globalRoleMappings.getOrDefault(new NormalizedGroup(group.getGroupName()), Collections.emptyList())).stream();
        }).collect(Collectors.toSet());
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public void forgotPassword(String str) {
        try {
            this.taskExecutor.execute(((ForgotPasswordTaskFactory) this.forgotPasswordTaskFactory.getObject()).prepareTask(str));
        } catch (Exception e) {
            logger.error("Failed to get forgot password task for username '{}'", str, e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public String getForgotPasswordToken(String str) throws ServiceLayerException {
        long currentTimeMillis = System.currentTimeMillis() + TimeUnit.MINUTES.toMillis(Long.parseLong(this.studioConfiguration.getProperty(StudioConfiguration.SECURITY_FORGOT_PASSWORD_TOKEN_TIMEOUT)));
        return encryptToken(StringUtils.joinWith(TOKEN_DELIMITER, new Object[]{str, this.instanceService.getInstanceId(), Long.valueOf(currentTimeMillis), this.studioConfiguration.getProperty(StudioConfiguration.SECURITY_CIPHER_SALT)}));
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<String> getCurrentUserSitePermissions(String str) throws ServiceLayerException, UserNotFoundException, ExecutionException {
        String currentUsername = SecurityUtils.getCurrentUsername();
        return this.securityService.getUserPermission(str, currentUsername, getUserSiteRoles(-1L, currentUsername, str));
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<NormalizedRole> getUserSiteRoles(long j, String str, String str2) throws ServiceLayerException, UserNotFoundException {
        List<Group> userGroups = getUserGroups(j, str);
        if (CollectionUtils.isEmpty(userGroups)) {
            return Collections.emptyList();
        }
        Map<NormalizedGroup, List<NormalizedRole>> roleMappings = this.configurationService.getRoleMappings(str2);
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        if (MapUtils.isEmpty(roleMappings)) {
            return Collections.emptyList();
        }
        if (isSystemAdmin(str)) {
            Iterator<List<NormalizedRole>> it = roleMappings.values().iterator();
            while (it.hasNext()) {
                linkedHashSet.addAll(it.next());
            }
        } else {
            Iterator<Group> it2 = userGroups.iterator();
            while (it2.hasNext()) {
                List<NormalizedRole> list = roleMappings.get(new NormalizedGroup(it2.next().getGroupName()));
                if (CollectionUtils.isNotEmpty(list)) {
                    linkedHashSet.addAll(list);
                }
            }
        }
        return new ArrayList(linkedHashSet);
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<org.craftercms.studio.model.Site> getCurrentUserSites() throws AuthenticationException, ServiceLayerException {
        Authentication authentication = SecurityUtils.getAuthentication();
        if (authentication == null) {
            throw new AuthenticationException("User should be authenticated");
        }
        try {
            return getUserSites(-1L, authentication.getName());
        } catch (UserNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<String> getCurrentUserSiteRoles(String str) throws AuthenticationException, ServiceLayerException, UserNotFoundException {
        Authentication authentication = SecurityUtils.getAuthentication();
        if (authentication == null) {
            throw new AuthenticationException("User should be authenticated");
        }
        return getUserSiteRoles(-1L, authentication.getName(), str).stream().map((v0) -> {
            return v0.toString();
        }).toList();
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public Map<String, Boolean> hasCurrentUserSitePermissions(String str, Collection<String> collection) throws ServiceLayerException, UserNotFoundException, ExecutionException {
        HashMap hashMap = new HashMap();
        List<String> currentUserSitePermissions = getCurrentUserSitePermissions(str);
        collection.forEach(str2 -> {
            hashMap.put(str2, Boolean.valueOf(currentUserSitePermissions.contains(str2)));
        });
        return hashMap;
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<String> getCurrentUserGlobalPermissions() throws ServiceLayerException, UserNotFoundException, ExecutionException {
        String currentUsername = SecurityUtils.getCurrentUsername();
        return this.securityService.getUserPermission(StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH, currentUsername, getUserGlobalRoles(currentUsername));
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public Map<String, Boolean> hasCurrentUserGlobalPermissions(List<String> list) throws ServiceLayerException, UserNotFoundException, ExecutionException {
        HashMap hashMap = new HashMap();
        List<String> currentUserGlobalPermissions = getCurrentUserGlobalPermissions();
        list.forEach(str -> {
            hashMap.put(str, Boolean.valueOf(currentUserGlobalPermissions.contains(str)));
        });
        return hashMap;
    }

    protected String encryptToken(String str) throws ServiceLayerException {
        try {
            return Base64.getEncoder().encodeToString(this.encryptor.encrypt(str).getBytes(StandardCharsets.UTF_8));
        } catch (CryptoException e) {
            logger.error("Failed to encrypt the forgot password token", e);
            throw new ServiceLayerException("Failed to encrypt the forgot password token", e);
        }
    }

    protected String decryptToken(String str) {
        try {
            return this.encryptor.decrypt(new String(Base64.getDecoder().decode(str.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8));
        } catch (CryptoException e) {
            logger.error("Failed to decrypt the forgot password token", e);
            return null;
        }
    }

    protected boolean validateDecryptedToken(String str) throws UserNotFoundException, ServiceLayerException, UserExternallyManagedException {
        StringTokenizer stringTokenizer = new StringTokenizer(str, TOKEN_DELIMITER);
        if (stringTokenizer.countTokens() != 4) {
            logger.warn("Failed to validate forgot password token. Found '{}' elements when expecting 4.", Integer.valueOf(stringTokenizer.countTokens()));
            return false;
        }
        String nextToken = stringTokenizer.nextToken();
        if (getUserByIdOrUsername(-1L, nextToken).isExternallyManaged()) {
            logger.warn("Failed to validate forgot password token. User '{}' is externally managed and therefore the password is not managed by us.", nextToken);
            throw new UserExternallyManagedException();
        }
        String nextToken2 = stringTokenizer.nextToken();
        if (!StringUtils.equals(nextToken2, this.instanceService.getInstanceId())) {
            logger.warn("Failed to validate forgot password token. Token's Studio instance ID is '{}' and does not match the current value '{}'", nextToken2, this.instanceService.getInstanceId());
            return false;
        }
        long parseLong = Long.parseLong(stringTokenizer.nextToken());
        boolean z = parseLong < System.currentTimeMillis();
        if (z) {
            logger.info("Failed to validate forgot password token. The token timestamp '{}' is in the past.", Long.valueOf(parseLong));
        }
        return !z;
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public UserResponse setPassword(String str, String str2) throws UserNotFoundException, UserExternallyManagedException, ServiceLayerException {
        if (!validateToken(str)) {
            return null;
        }
        String usernameFromToken = getUsernameFromToken(str);
        if (!StringUtils.isNotEmpty(usernameFromToken)) {
            throw new UserNotFoundException("User not found");
        }
        User userByIdOrUsername = getUserByIdOrUsername(-1L, usernameFromToken);
        if (userByIdOrUsername.isEnabled() && resetPassword(usernameFromToken, str2)) {
            return new UserResponse(userByIdOrUsername);
        }
        return null;
    }

    private String getUsernameFromToken(String str) {
        String str2 = StudioAbstractAccessDecisionVoter.DEFAULT_PERMISSION_VOTER_PATH;
        String decryptToken = decryptToken(str);
        if (StringUtils.isNotEmpty(decryptToken)) {
            StringTokenizer stringTokenizer = new StringTokenizer(decryptToken, TOKEN_DELIMITER);
            if (stringTokenizer.countTokens() == 4) {
                str2 = stringTokenizer.nextToken();
            }
        }
        return str2;
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public boolean validateToken(String str) throws UserNotFoundException, UserExternallyManagedException, ServiceLayerException {
        String decryptToken = decryptToken(str);
        if (!StringUtils.isEmpty(decryptToken)) {
            return validateDecryptedToken(decryptToken);
        }
        logger.warn("Failed to validate forgot password token. The decrypted token is empty.");
        return false;
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public List<org.craftercms.studio.model.Site> getUserSites(long j, String str) throws ServiceLayerException, UserNotFoundException {
        ArrayList arrayList = new ArrayList();
        List<Site> allSites = this.siteService.getAllSites();
        List<Group> userGroups = getUserGroups(j, str);
        boolean isSystemAdmin = isSystemAdmin(str);
        for (Site site : allSites) {
            List<NormalizedGroup> siteGroups = this.configurationService.getSiteGroups(site.getSiteId());
            if (!isSystemAdmin) {
                Stream map = userGroups.stream().map((v0) -> {
                    return v0.getGroupName();
                }).map(NormalizedGroup::new);
                Objects.requireNonNull(siteGroups);
                if (map.anyMatch((v1) -> {
                    return r1.contains(v1);
                })) {
                }
            }
            arrayList.add(new org.craftercms.studio.model.Site(site));
        }
        return arrayList;
    }

    @Override // org.craftercms.studio.api.v2.service.security.UserService
    public boolean isSiteMember(String str, String str2) {
        try {
            if (isSystemAdmin(str)) {
                return true;
            }
            List<Group> userGroups = getUserGroups(-1L, str);
            List<NormalizedGroup> siteGroups = this.configurationService.getSiteGroups(str2);
            Stream<R> map = userGroups.stream().map(group -> {
                return new NormalizedGroup(group.getGroupName());
            });
            Objects.requireNonNull(siteGroups);
            return map.anyMatch((v1) -> {
                return r1.contains(v1);
            });
        } catch (ServiceLayerException | UserNotFoundException e) {
            logger.error("Failed to check the groups for user '{}' in site '{}'", new Object[]{SecurityUtils.getAuthentication().getName(), str2, e});
            return false;
        }
    }

    public void setApplicationEventPublisher(@NotNull ApplicationEventPublisher applicationEventPublisher) {
        this.eventPublisher = applicationEventPublisher;
    }
}
