package org.neo4j.server.security.enterprise.auth;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.kernel.api.KernelTransaction;
import org.neo4j.kernel.api.KernelTransactionHandle;
import org.neo4j.kernel.api.bolt.BoltConnectionTracker;
import org.neo4j.kernel.api.bolt.ManagedBoltStateMachine;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.api.security.AuthSubject;
import org.neo4j.kernel.api.security.exception.InvalidArgumentsException;
import org.neo4j.kernel.impl.api.KernelTransactions;
import org.neo4j.kernel.impl.api.security.OverriddenAccessMode;
import org.neo4j.kernel.internal.GraphDatabaseAPI;
import org.neo4j.procedure.Context;
import org.neo4j.procedure.Name;
import org.neo4j.procedure.Procedure;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/AuthProcedures.class */
public class AuthProcedures {
    public static final String PERMISSION_DENIED = "Permission denied.";

    @Context
    public AuthSubject authSubject;

    @Context
    public GraphDatabaseAPI graph;

    @Context
    public KernelTransaction tx;

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/AuthProcedures$ConnectionResult.class */
    public static class ConnectionResult {
        public final String username;
        public final Long connectionCount;

        ConnectionResult(String str, Long l) {
            this.username = str;
            this.connectionCount = l;
        }
    }

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/AuthProcedures$RoleResult.class */
    public static class RoleResult {
        public final String role;
        public final List<String> users = new ArrayList();

        RoleResult(String str, Set<String> set) {
            this.role = str;
            this.users.addAll(set);
        }
    }

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/AuthProcedures$StringResult.class */
    public static class StringResult {
        public final String value;

        StringResult(String str) {
            this.value = str;
        }
    }

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/AuthProcedures$TransactionResult.class */
    public static class TransactionResult {
        public final String username;
        public final Long activeTransactions;

        TransactionResult(String str, Long l) {
            this.username = str;
            this.activeTransactions = l;
        }
    }

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/AuthProcedures$TransactionTerminationResult.class */
    public static class TransactionTerminationResult {
        public final String username;
        public final Long transactionsTerminated;

        TransactionTerminationResult(String str, Long l) {
            this.username = str;
            this.transactionsTerminated = l;
        }
    }

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/AuthProcedures$UserResult.class */
    public static class UserResult {
        public final String username;
        public final List<String> roles = new ArrayList();
        public final List<String> flags;

        UserResult(String str, Set<String> set, Iterable<String> iterable) {
            this.username = str;
            this.roles.addAll(set);
            this.flags = new ArrayList();
            Iterator<String> it = iterable.iterator();
            while (it.hasNext()) {
                this.flags.add(it.next());
            }
        }
    }

    @Procedure(name = "dbms.security.createUser", mode = Procedure.Mode.DBMS)
    public void createUser(@Name("username") String str, @Name("password") String str2, @Name(value = "requirePasswordChange", defaultValue = "true") boolean z) throws InvalidArgumentsException, IOException {
        ensureAdminAuthSubject().getUserManager().newUser(str, str2, z);
    }

    @Procedure(name = "dbms.security.changeUserPassword", mode = Procedure.Mode.DBMS)
    public void changeUserPassword(@Name("username") String str, @Name("newPassword") String str2, @Name(value = "requirePasswordChange", defaultValue = "true") boolean z) throws InvalidArgumentsException, IOException {
        EnterpriseAuthSubject castOrFail = EnterpriseAuthSubject.castOrFail(this.authSubject);
        if (castOrFail.doesUsernameMatch(str)) {
            castOrFail.setPassword(str2, z);
        } else {
            if (!castOrFail.isAdmin()) {
                throw new AuthorizationViolationException(PERMISSION_DENIED);
            }
            castOrFail.getUserManager().setUserPassword(str, str2, z);
            terminateTransactionsForValidUser(str);
            terminateConnectionsForValidUser(str);
        }
    }

    @Procedure(name = "dbms.security.addRoleToUser", mode = Procedure.Mode.DBMS)
    public void addRoleToUser(@Name("roleName") String str, @Name("username") String str2) throws IOException, InvalidArgumentsException {
        ensureAdminAuthSubject().getUserManager().addRoleToUser(str, str2);
    }

    @Procedure(name = "dbms.security.removeRoleFromUser", mode = Procedure.Mode.DBMS)
    public void removeRoleFromUser(@Name("roleName") String str, @Name("username") String str2) throws InvalidArgumentsException, IOException {
        EnterpriseAuthSubject ensureAdminAuthSubject = ensureAdminAuthSubject();
        if (ensureAdminAuthSubject.doesUsernameMatch(str2) && str.equals(PredefinedRolesBuilder.ADMIN)) {
            throw new InvalidArgumentsException("Removing yourself (user '" + str2 + "') from the admin role is not allowed.");
        }
        ensureAdminAuthSubject.getUserManager().removeRoleFromUser(str, str2);
    }

    @Procedure(name = "dbms.security.deleteUser", mode = Procedure.Mode.DBMS)
    public void deleteUser(@Name("username") String str) throws InvalidArgumentsException, IOException {
        EnterpriseAuthSubject ensureAdminAuthSubject = ensureAdminAuthSubject();
        if (ensureAdminAuthSubject.doesUsernameMatch(str)) {
            throw new InvalidArgumentsException("Deleting yourself (user '" + str + "') is not allowed.");
        }
        ensureAdminAuthSubject.getUserManager().deleteUser(str);
        terminateTransactionsForValidUser(str);
        terminateConnectionsForValidUser(str);
    }

    @Procedure(name = "dbms.security.suspendUser", mode = Procedure.Mode.DBMS)
    public void suspendUser(@Name("username") String str) throws IOException, InvalidArgumentsException {
        EnterpriseAuthSubject ensureAdminAuthSubject = ensureAdminAuthSubject();
        if (ensureAdminAuthSubject.doesUsernameMatch(str)) {
            throw new InvalidArgumentsException("Suspending yourself (user '" + str + "') is not allowed.");
        }
        ensureAdminAuthSubject.getUserManager().suspendUser(str);
        terminateTransactionsForValidUser(str);
        terminateConnectionsForValidUser(str);
    }

    @Procedure(name = "dbms.security.activateUser", mode = Procedure.Mode.DBMS)
    public void activateUser(@Name("username") String str, @Name(value = "requirePasswordChange", defaultValue = "true") boolean z) throws IOException, InvalidArgumentsException {
        EnterpriseAuthSubject ensureAdminAuthSubject = ensureAdminAuthSubject();
        if (ensureAdminAuthSubject.doesUsernameMatch(str)) {
            throw new InvalidArgumentsException("Activating yourself (user '" + str + "') is not allowed.");
        }
        ensureAdminAuthSubject.getUserManager().activateUser(str, z);
    }

    @Procedure(name = "dbms.security.showCurrentUser", mode = Procedure.Mode.DBMS)
    public Stream<UserResult> showCurrentUser() throws InvalidArgumentsException, IOException {
        EnterpriseAuthSubject castOrFail = EnterpriseAuthSubject.castOrFail(this.authSubject);
        EnterpriseUserManager userManager = castOrFail.getUserManager();
        return Stream.of(new UserResult(castOrFail.username(), userManager.getRoleNamesForUser(castOrFail.username()), userManager.getUser(castOrFail.username()).getFlags()));
    }

    @Procedure(name = "dbms.security.listUsers", mode = Procedure.Mode.DBMS)
    public Stream<UserResult> listUsers() throws InvalidArgumentsException, IOException {
        EnterpriseUserManager userManager = ensureAdminAuthSubject().getUserManager();
        Set<String> allUsernames = userManager.getAllUsernames();
        ArrayList arrayList = new ArrayList();
        for (String str : allUsernames) {
            arrayList.add(new UserResult(str, userManager.getRoleNamesForUser(str), userManager.getUser(str).getFlags()));
        }
        return arrayList.stream();
    }

    @Procedure(name = "dbms.security.listRoles", mode = Procedure.Mode.DBMS)
    public Stream<RoleResult> listRoles() throws InvalidArgumentsException, IOException {
        EnterpriseUserManager userManager = ensureAdminAuthSubject().getUserManager();
        Set<String> allRoleNames = userManager.getAllRoleNames();
        ArrayList arrayList = new ArrayList();
        for (String str : allRoleNames) {
            arrayList.add(new RoleResult(str, userManager.getUsernamesForRole(str)));
        }
        return arrayList.stream();
    }

    @Procedure(name = "dbms.security.listRolesForUser", mode = Procedure.Mode.DBMS)
    public Stream<StringResult> listRolesForUser(@Name("username") String str) throws InvalidArgumentsException, IOException {
        return ensureSelfOrAdminAuthSubject(str).getUserManager().getRoleNamesForUser(str).stream().map(StringResult::new);
    }

    @Procedure(name = "dbms.security.listUsersForRole", mode = Procedure.Mode.DBMS)
    public Stream<StringResult> listUsersForRole(@Name("roleName") String str) throws InvalidArgumentsException, IOException {
        return ensureAdminAuthSubject().getUserManager().getUsernamesForRole(str).stream().map(StringResult::new);
    }

    @Procedure(name = "dbms.security.createRole", mode = Procedure.Mode.DBMS)
    public void createRole(@Name("roleName") String str) throws InvalidArgumentsException, IOException {
        ensureAdminAuthSubject().getUserManager().newRole(str, new String[0]);
    }

    @Procedure(name = "dbms.security.deleteRole", mode = Procedure.Mode.DBMS)
    public void deleteRole(@Name("roleName") String str) throws InvalidArgumentsException, IOException {
        ensureAdminAuthSubject().getUserManager().deleteRole(str);
    }

    @Procedure(name = "dbms.security.listTransactions", mode = Procedure.Mode.DBMS)
    public Stream<TransactionResult> listTransactions() throws InvalidArgumentsException, IOException {
        ensureAdminAuthSubject();
        return countTransactionByUsername(getActiveTransactions().stream().filter(kernelTransactionHandle -> {
            return !kernelTransactionHandle.terminationReason().isPresent();
        }).map(kernelTransactionHandle2 -> {
            return OverriddenAccessMode.getUsernameFromAccessMode(kernelTransactionHandle2.mode());
        }));
    }

    @Procedure(name = "dbms.security.terminateTransactionsForUser", mode = Procedure.Mode.DBMS)
    public Stream<TransactionTerminationResult> terminateTransactionsForUser(@Name("username") String str) throws InvalidArgumentsException, IOException {
        ensureSelfOrAdminAuthSubject(str);
        return terminateTransactionsForValidUser(str);
    }

    @Procedure(name = "dbms.security.listConnections", mode = Procedure.Mode.DBMS)
    public Stream<ConnectionResult> listConnections() {
        ensureAdminAuthSubject();
        return countConnectionsByUsername(getBoltConnectionTracker().getActiveConnections().stream().filter(managedBoltStateMachine -> {
            return !managedBoltStateMachine.hasTerminated();
        }).map((v0) -> {
            return v0.owner();
        }));
    }

    @Procedure(name = "dbms.security.terminateConnectionsForUser", mode = Procedure.Mode.DBMS)
    public Stream<ConnectionResult> terminateConnectionsForUser(@Name("username") String str) throws InvalidArgumentsException {
        EnterpriseAuthSubject castOrFail = EnterpriseAuthSubject.castOrFail(this.authSubject);
        if (!castOrFail.isAdmin() && !castOrFail.doesUsernameMatch(str)) {
            throw new AuthorizationViolationException(PERMISSION_DENIED);
        }
        castOrFail.getUserManager().getUser(str);
        return terminateConnectionsForValidUser(str);
    }

    private Stream<TransactionTerminationResult> terminateTransactionsForValidUser(String str) {
        long j = 0;
        for (KernelTransactionHandle kernelTransactionHandle : getActiveTransactions()) {
            if (OverriddenAccessMode.getUsernameFromAccessMode(kernelTransactionHandle.mode()).equals(str) && !kernelTransactionHandle.isUnderlyingTransaction(this.tx) && kernelTransactionHandle.markForTermination(Status.Transaction.Terminated)) {
                j++;
            }
        }
        return Stream.of(new TransactionTerminationResult(str, Long.valueOf(j)));
    }

    private Stream<ConnectionResult> terminateConnectionsForValidUser(String str) {
        Long l = 0L;
        Iterator it = getBoltConnectionTracker().getActiveConnections(str).iterator();
        while (it.hasNext()) {
            ((ManagedBoltStateMachine) it.next()).terminate();
            l = Long.valueOf(l.longValue() + 1);
        }
        return Stream.of(new ConnectionResult(str, l));
    }

    private Set<KernelTransactionHandle> getActiveTransactions() {
        return ((KernelTransactions) this.graph.getDependencyResolver().resolveDependency(KernelTransactions.class)).activeTransactions();
    }

    private BoltConnectionTracker getBoltConnectionTracker() {
        return (BoltConnectionTracker) this.graph.getDependencyResolver().resolveDependency(BoltConnectionTracker.class);
    }

    private Stream<TransactionResult> countTransactionByUsername(Stream<String> stream) {
        return ((Map) stream.collect(Collectors.groupingBy(Function.identity(), Collectors.counting()))).entrySet().stream().map(entry -> {
            return new TransactionResult((String) entry.getKey(), (Long) entry.getValue());
        });
    }

    private Stream<ConnectionResult> countConnectionsByUsername(Stream<String> stream) {
        return ((Map) stream.collect(Collectors.groupingBy(Function.identity(), Collectors.counting()))).entrySet().stream().map(entry -> {
            return new ConnectionResult((String) entry.getKey(), (Long) entry.getValue());
        });
    }

    private EnterpriseAuthSubject ensureAdminAuthSubject() {
        EnterpriseAuthSubject castOrFail = EnterpriseAuthSubject.castOrFail(this.authSubject);
        if (castOrFail.isAdmin()) {
            return castOrFail;
        }
        throw new AuthorizationViolationException(PERMISSION_DENIED);
    }

    private EnterpriseAuthSubject ensureSelfOrAdminAuthSubject(String str) throws InvalidArgumentsException {
        EnterpriseAuthSubject castOrFail = EnterpriseAuthSubject.castOrFail(this.authSubject);
        castOrFail.getUserManager().getUser(str);
        if (castOrFail.isAdmin() || castOrFail.doesUsernameMatch(str)) {
            return castOrFail;
        }
        throw new AuthorizationViolationException(PERMISSION_DENIED);
    }
}
