package org.graylog.security.authservice.rest;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Maps;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.validation.constraints.NotBlank;
import javax.validation.constraints.NotNull;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.BeanParam;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.apache.shiro.authz.annotation.RequiresAuthentication;
import org.apache.shiro.authz.annotation.RequiresGuest;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.graylog.security.SecurityAuditEventTypes;
import org.graylog.security.authservice.AuthServiceBackendDTO;
import org.graylog.security.authservice.AuthServiceBackendUsageCheck;
import org.graylog.security.authservice.DBAuthServiceBackendService;
import org.graylog.security.authservice.GlobalAuthServiceConfig;
import org.graylog.security.events.ActiveAuthServiceBackendChangedEvent;
import org.graylog2.audit.jersey.AuditEvent;
import org.graylog2.database.NotFoundException;
import org.graylog2.database.PaginatedList;
import org.graylog2.plugin.rest.ValidationFailureException;
import org.graylog2.plugin.rest.ValidationResult;
import org.graylog2.rest.MoreMediaTypes;
import org.graylog2.rest.PaginationParameters;
import org.graylog2.rest.models.PaginatedResponse;
import org.graylog2.search.SearchQuery;
import org.graylog2.search.SearchQueryField;
import org.graylog2.search.SearchQueryParser;
import org.graylog2.shared.rest.resources.RestResource;
import org.graylog2.shared.security.RestPermissions;
import org.graylog2.users.PaginatedUserService;
import org.graylog2.users.RoleService;
import org.graylog2.users.UserImpl;
import org.graylog2.users.UserOverviewDTO;

@Api(value = "System/Authentication/Services/Backends", description = "Manage authentication service backends")
@RequiresAuthentication
@Path("/system/authentication/services/backends")
@Consumes({MoreMediaTypes.APPLICATION_JSON})
@Produces({MoreMediaTypes.APPLICATION_JSON})
/* loaded from: input_file:org/graylog/security/authservice/rest/AuthServiceBackendsResource.class */
public class AuthServiceBackendsResource extends RestResource {
    private static final ImmutableMap<String, SearchQueryField> SEARCH_FIELD_MAPPING = ImmutableMap.builder().put("username", SearchQueryField.create("username")).put("full_name", SearchQueryField.create("full_name")).put("email", SearchQueryField.create("email")).build();
    private final DBAuthServiceBackendService dbService;
    private final GlobalAuthServiceConfig globalAuthServiceConfig;
    private final PaginatedUserService userService;
    private final RoleService roleService;
    private final AuthServiceBackendUsageCheck usageCheck;
    private final SearchQueryParser userSearchQueryParser = new SearchQueryParser("full_name", (Map<String, SearchQueryField>) SEARCH_FIELD_MAPPING);

    @Inject
    public AuthServiceBackendsResource(DBAuthServiceBackendService dBAuthServiceBackendService, GlobalAuthServiceConfig globalAuthServiceConfig, PaginatedUserService paginatedUserService, RoleService roleService, AuthServiceBackendUsageCheck authServiceBackendUsageCheck) {
        this.dbService = dBAuthServiceBackendService;
        this.globalAuthServiceConfig = globalAuthServiceConfig;
        this.userService = paginatedUserService;
        this.roleService = roleService;
        this.usageCheck = authServiceBackendUsageCheck;
    }

    @GET
    @RequiresGuest
    @Path("active-backend/type")
    @ApiOperation("Returns type of currently active authentication service backend")
    public Response getActiveType() {
        String str = null;
        AuthServiceBackendDTO orElse = this.globalAuthServiceConfig.getActiveBackendConfig().orElse(null);
        if (orElse != null) {
            str = orElse.config().type();
        }
        return toResponse(str);
    }

    @GET
    @ApiOperation("Returns available authentication service backends")
    public PaginatedResponse<AuthServiceBackendDTO> list(@BeanParam @ApiParam(name = "pagination parameters") PaginationParameters paginationParameters) {
        return PaginatedResponse.create("backends", this.dbService.findPaginated(paginationParameters, this::checkReadPermission), (Map<String, Object>) Collections.singletonMap(ActiveAuthServiceBackendChangedEvent.FIELD_ACTIVE_BACKEND, this.globalAuthServiceConfig.getActiveBackendConfig().filter(this::checkReadPermission).orElse(null)));
    }

    @GET
    @Path("{backendId}")
    @ApiOperation("Returns the authentication service backend for the given ID")
    public Response get(@PathParam("backendId") @NotBlank @ApiParam(name = "backendId", required = true) String str) {
        checkPermission(RestPermissions.AUTH_SERVICE_BACKEND_READ, str);
        return toResponse(loadConfig(str));
    }

    @RequiresPermissions({RestPermissions.AUTH_SERVICE_BACKEND_CREATE})
    @AuditEvent(type = SecurityAuditEventTypes.AUTH_SERVICE_BACKEND_CREATE)
    @ApiOperation("Creates a new authentication service backend")
    @POST
    public Response create(@NotNull @ApiParam(name = "JSON body", required = true) AuthServiceBackendDTO authServiceBackendDTO) {
        validateConfig(authServiceBackendDTO);
        return toResponse(this.dbService.save(authServiceBackendDTO));
    }

    @Path("{backendId}")
    @AuditEvent(type = SecurityAuditEventTypes.AUTH_SERVICE_BACKEND_UPDATE)
    @ApiOperation("Updates an existing authentication service backend")
    @PUT
    public Response update(@PathParam("backendId") @NotBlank @ApiParam(name = "backendId", required = true) String str, @NotNull @ApiParam(name = "JSON body", required = true) AuthServiceBackendDTO authServiceBackendDTO) {
        checkPermission(RestPermissions.AUTH_SERVICE_BACKEND_EDIT, str);
        validateConfig(authServiceBackendDTO);
        return toResponse(this.dbService.save(authServiceBackendDTO.withId(loadConfig(str).id())));
    }

    @Path("{backendId}")
    @AuditEvent(type = SecurityAuditEventTypes.AUTH_SERVICE_BACKEND_DELETE)
    @DELETE
    @ApiOperation("Delete authentication service backend")
    public void delete(@PathParam("backendId") @NotBlank @ApiParam(name = "backendId", required = true) String str) {
        checkPermission(RestPermissions.AUTH_SERVICE_BACKEND_DELETE, str);
        AuthServiceBackendDTO loadConfig = loadConfig(str);
        if (this.usageCheck.isAuthServiceInUse(str)) {
            throw new BadRequestException("Authentication service backend <" + str + "> is still in use");
        }
        this.dbService.delete(loadConfig.id());
    }

    @GET
    @Path("{backendId}/users")
    @RequiresPermissions({RestPermissions.AUTH_SERVICE_GLOBAL_CONFIG_READ, RestPermissions.USERS_READ})
    @ApiOperation("Get paginated users for an authentication service backend")
    public PaginatedResponse<UserOverviewDTO> getUsers(@QueryParam("page") @ApiParam(name = "page") @DefaultValue("1") int i, @QueryParam("per_page") @ApiParam(name = "per_page") @DefaultValue("50") int i2, @QueryParam("query") @ApiParam(name = "query") @DefaultValue("") String str, @QueryParam("sort") @ApiParam(name = "sort", value = "The field to sort the result on", required = true, allowableValues = "username,full_name,email") @DefaultValue("full_name") String str2, @QueryParam("order") @ApiParam(name = "order", value = "The sort direction", allowableValues = "asc, desc") @DefaultValue("asc") String str3, @PathParam("backendId") @NotBlank @ApiParam(name = "backendId", required = true) String str4) {
        PaginatedList<UserOverviewDTO> findPaginatedByAuthServiceBackend = this.userService.findPaginatedByAuthServiceBackend(parseSearchQuery(str), i, i2, str2, str3, loadConfig(str4).id());
        return PaginatedResponse.create(UserImpl.COLLECTION_NAME, findPaginatedByAuthServiceBackend, str, Collections.singletonMap(UserImpl.ROLES, createRoleContext(findPaginatedByAuthServiceBackend.m372delegate())));
    }

    private Map<String, Object> createRoleContext(List<UserOverviewDTO> list) {
        Set<String> set = (Set) list.stream().flatMap(userOverviewDTO -> {
            return userOverviewDTO.roles().stream();
        }).collect(Collectors.toSet());
        try {
            return (Map) this.roleService.findIdMap(set).values().stream().map(role -> {
                return Maps.immutableEntry(role.getId(), Collections.singletonMap("title", isPermitted(RestPermissions.ROLES_READ, role.getId()) ? role.getName() : "unknown"));
            }).collect(Collectors.toMap((v0) -> {
                return v0.getKey();
            }, (v0) -> {
                return v0.getValue();
            }));
        } catch (NotFoundException e) {
            throw new javax.ws.rs.NotFoundException("Couldn't find roles: " + set);
        }
    }

    private SearchQuery parseSearchQuery(String str) {
        try {
            return this.userSearchQueryParser.parse(str);
        } catch (IllegalArgumentException e) {
            throw new BadRequestException("Invalid argument in search query: " + e.getMessage());
        }
    }

    private boolean checkReadPermission(AuthServiceBackendDTO authServiceBackendDTO) {
        return isPermitted(RestPermissions.AUTH_SERVICE_BACKEND_READ, authServiceBackendDTO.id());
    }

    private AuthServiceBackendDTO loadConfig(String str) {
        Preconditions.checkArgument(!Strings.isNullOrEmpty(str), "backendId cannot be null or empty");
        return this.dbService.get(str).orElseThrow(() -> {
            return new javax.ws.rs.NotFoundException("Couldn't find auth service backend " + str);
        });
    }

    private void validateConfig(AuthServiceBackendDTO authServiceBackendDTO) {
        ValidationResult validate = authServiceBackendDTO.validate();
        if (validate.failed()) {
            throw new ValidationFailureException(validate);
        }
    }

    private Response toResponse(Object obj) {
        return Response.ok(Collections.singletonMap("backend", obj)).build();
    }
}
