package org.yamcs.security;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;
import org.yamcs.InitException;
import org.yamcs.StandardTupleDefinitions;
import org.yamcs.YConfiguration;
import org.yamcs.YamcsServer;
import org.yamcs.logging.Log;
import org.yamcs.security.protobuf.AccountCollection;
import org.yamcs.security.protobuf.AccountRecord;
import org.yamcs.security.protobuf.GroupCollection;
import org.yamcs.security.protobuf.GroupRecord;
import org.yamcs.yarch.ProtobufDatabase;
import org.yamcs.yarch.YarchDatabase;
import org.yamcs.yarch.YarchDatabaseInstance;
import org.yamcs.yarch.YarchException;

/* loaded from: input_file:org/yamcs/security/Directory.class */
public class Directory {
    public static final long ID_START = 5;
    private static final String ACCOUNT_COLLECTION = "accounts";
    private static final String GROUP_COLLECTION = "groups";

    @Deprecated
    private AtomicInteger accountIdSequence = new AtomicInteger(5);

    @Deprecated
    private AtomicInteger groupIdSequence = new AtomicInteger(5);

    @Deprecated
    private Map<String, User> users = new ConcurrentHashMap();

    @Deprecated
    private Map<String, ServiceAccount> serviceAccounts = new ConcurrentHashMap();

    @Deprecated
    private Map<String, Group> groups = new ConcurrentHashMap();
    private Map<String, Role> roles = new ConcurrentHashMap();
    private DirectoryDb db;
    private ProtobufDatabase protobufDatabase;
    private static final Log log = new Log(Directory.class);
    private static final PasswordHasher hasher = new PBKDF2PasswordHasher();

    public Directory() throws InitException {
        try {
            this.db = new DirectoryDb();
            this.protobufDatabase = YarchDatabase.getInstance(YamcsServer.GLOBAL_INSTANCE).getProtobufDatabase();
            if (this.db.listAccounts().isEmpty()) {
                migrateFromProtobufDatabase();
            }
            for (Account account : this.db.listAccounts()) {
                if (account instanceof User) {
                    this.users.put(account.getName(), (User) account);
                    this.accountIdSequence.set((int) Math.max(this.accountIdSequence.get(), account.getId()));
                } else if (account instanceof ServiceAccount) {
                    this.serviceAccounts.put(account.getName(), (ServiceAccount) account);
                    this.accountIdSequence.set((int) Math.max(this.accountIdSequence.get(), account.getId()));
                }
            }
            for (Group group : this.db.listGroups()) {
                this.groups.put(group.getName(), group);
                this.groupIdSequence.set((int) Math.max(this.groupIdSequence.get(), group.getId()));
            }
            loadRoles();
        } catch (IOException | YarchException e) {
            throw new InitException(e);
        }
    }

    private void migrateFromProtobufDatabase() throws IOException {
        YarchDatabaseInstance yarchDatabase = YarchDatabase.getInstance(YamcsServer.GLOBAL_INSTANCE);
        GroupCollection groupCollection = this.protobufDatabase.get(GROUP_COLLECTION, GroupCollection.class);
        if (groupCollection != null) {
            yarchDatabase.getTable(StandardTupleDefinitions.PARAMETER_COL_GROUP).getColumnDefinition("id").getSequence().reset(groupCollection.getSeq() + 1);
            Iterator<GroupRecord> it = groupCollection.getRecordsList().iterator();
            while (it.hasNext()) {
                this.db.addGroup(new Group(it.next()));
            }
        }
        AccountCollection accountCollection = this.protobufDatabase.get(ACCOUNT_COLLECTION, AccountCollection.class);
        if (accountCollection != null) {
            yarchDatabase.getTable("account").getColumnDefinition("id").getSequence().reset(accountCollection.getSeq() + 1);
            for (AccountRecord accountRecord : accountCollection.getRecordsList()) {
                if (accountRecord.hasUserDetail()) {
                    this.db.addAccount(new User(accountRecord));
                } else {
                    if (!accountRecord.hasServiceDetail()) {
                        throw new IllegalStateException("Unexpected account type");
                    }
                    this.db.addAccount(new ServiceAccount(accountRecord));
                }
            }
        }
    }

    public synchronized void addUser(User user) throws IOException {
        verifyDirectoryUser(user);
        String name = user.getName();
        if (this.db.findAccountByName(name) != null) {
            throw new IllegalArgumentException("Name '" + name + "' is already taken");
        }
        if (name.isEmpty() || name.contains(":")) {
            throw new IllegalArgumentException("Invalid username '" + name + "'");
        }
        user.setId(this.accountIdSequence.incrementAndGet());
        for (Role role : this.roles.values()) {
            if (role.isDefaultRole()) {
                user.addRole(role.getName(), false);
            }
        }
        log.info("Saving new user {}", user);
        setUserPrivileges(user);
        this.users.put(user.getName(), user);
        mirrorToProtobufDatabase();
        this.db.addAccount(user);
    }

    public synchronized void updateUserProperties(User user) {
        if (user.isBuiltIn()) {
            throw new UnsupportedOperationException();
        }
        setUserPrivileges(user);
        this.users.put(user.getName(), user);
        mirrorToProtobufDatabase();
        this.db.updateAccount(user);
    }

    private void setUserPrivileges(User user) {
        user.clearDirectoryPrivileges();
        Iterator<String> it = user.getRoles().iterator();
        while (it.hasNext()) {
            Role role = getRole(it.next());
            if (role != null) {
                Iterator<SystemPrivilege> it2 = role.getSystemPrivileges().iterator();
                while (it2.hasNext()) {
                    user.addSystemPrivilege(it2.next(), false);
                }
                Iterator<ObjectPrivilege> it3 = role.getObjectPrivileges().iterator();
                while (it3.hasNext()) {
                    user.addObjectPrivilege(it3.next(), false);
                }
            }
        }
    }

    public synchronized void deleteUser(User user) throws IOException {
        verifyDirectoryUser(user);
        log.info("Removing user {}", user);
        for (Group group : this.db.listGroups()) {
            if (group.removeMember(user.getId())) {
                this.db.updateGroup(group);
            }
        }
        this.users.remove(user.getName());
        mirrorToProtobufDatabase();
        this.db.deleteAccount(user);
    }

    public synchronized void addGroup(Group group) {
        String name = group.getName();
        if (this.db.findGroupByName(name) != null) {
            throw new IllegalArgumentException("Group '" + name + "' already exists");
        }
        group.setId(this.groupIdSequence.incrementAndGet());
        log.info("Saving new group {}", group);
        this.groups.put(group.getName(), group);
        mirrorToProtobufDatabase();
        this.db.addGroup(group);
    }

    public synchronized void renameGroup(String str, String str2) {
        if (this.db.findGroupByName(str2) != null) {
            throw new IllegalArgumentException("Group '" + str2 + "' already exists");
        }
        Group findGroupByName = this.db.findGroupByName(str);
        findGroupByName.setName(str2);
        this.groups.remove(str);
        this.groups.put(str2, findGroupByName);
        mirrorToProtobufDatabase();
        this.db.updateGroup(findGroupByName);
    }

    public synchronized void updateGroupProperties(Group group) {
        this.groups.put(group.getName(), group);
        mirrorToProtobufDatabase();
        this.db.updateGroup(group);
    }

    public synchronized void deleteGroup(Group group) {
        this.groups.remove(group.getName());
        mirrorToProtobufDatabase();
        this.db.deleteGroup(group);
    }

    public synchronized ApplicationCredentials addServiceAccount(ServiceAccount serviceAccount) throws IOException {
        String name = serviceAccount.getName();
        if (this.db.findAccountByName(name) != null) {
            throw new IllegalArgumentException("Name '" + name + "' is already taken");
        }
        serviceAccount.setId(this.accountIdSequence.incrementAndGet());
        String uuid = UUID.randomUUID().toString();
        String generateRandomPassword = CryptoUtils.generateRandomPassword(10);
        String createHash = hasher.createHash(generateRandomPassword.toCharArray());
        serviceAccount.setApplicationId(uuid);
        serviceAccount.setApplicationHash(createHash);
        log.info("Saving new service account {}", serviceAccount);
        this.serviceAccounts.put(serviceAccount.getName(), serviceAccount);
        mirrorToProtobufDatabase();
        this.db.addAccount(serviceAccount);
        return new ApplicationCredentials(uuid, generateRandomPassword);
    }

    public synchronized void deleteServiceAccount(ServiceAccount serviceAccount) {
        this.serviceAccounts.remove(serviceAccount.getName());
        mirrorToProtobufDatabase();
        this.db.deleteAccount(serviceAccount);
    }

    public synchronized void updateApplicationProperties(ServiceAccount serviceAccount) {
        this.serviceAccounts.put(serviceAccount.getName(), serviceAccount);
        mirrorToProtobufDatabase();
        this.db.updateAccount(serviceAccount);
    }

    private void verifyDirectoryUser(User user) {
        if (user.isBuiltIn()) {
            throw new IllegalArgumentException("Not a directory user");
        }
    }

    private void loadRoles() {
        if (YConfiguration.isDefined("roles")) {
            Map<String, Object> root = YConfiguration.getConfiguration("roles").getRoot();
            for (String str : root.keySet()) {
                Role role = new Role(str);
                if (!YConfiguration.isNull(root, str)) {
                    YConfiguration.getMap(root, str).forEach((str2, obj) -> {
                        if (str2.equals("System")) {
                            Iterator it = ((List) obj).iterator();
                            while (it.hasNext()) {
                                role.addSystemPrivilege(new SystemPrivilege((String) it.next()));
                            }
                        } else {
                            if (str2.equals("default")) {
                                role.setDefaultRole(((Boolean) obj).booleanValue());
                                return;
                            }
                            ObjectPrivilegeType objectPrivilegeType = new ObjectPrivilegeType(str2);
                            Iterator it2 = ((List) obj).iterator();
                            while (it2.hasNext()) {
                                role.addObjectPrivilege(new ObjectPrivilege(objectPrivilegeType, (String) it2.next()));
                            }
                        }
                    });
                }
                this.roles.put(role.getName(), role);
            }
        }
    }

    @Deprecated
    private synchronized void mirrorToProtobufDatabase() {
        AccountCollection.Builder newBuilder = AccountCollection.newBuilder();
        newBuilder.setSeq(this.accountIdSequence.get());
        Iterator<User> it = this.users.values().iterator();
        while (it.hasNext()) {
            newBuilder.addRecords(it.next().toRecord());
        }
        Iterator<ServiceAccount> it2 = this.serviceAccounts.values().iterator();
        while (it2.hasNext()) {
            newBuilder.addRecords(it2.next().toRecord());
        }
        GroupCollection.Builder newBuilder2 = GroupCollection.newBuilder();
        newBuilder2.setSeq(this.groupIdSequence.get());
        Iterator<Group> it3 = this.groups.values().iterator();
        while (it3.hasNext()) {
            newBuilder2.addRecords(it3.next().toRecord());
        }
        try {
            this.protobufDatabase.save(ACCOUNT_COLLECTION, newBuilder.m704build());
            this.protobufDatabase.save(GROUP_COLLECTION, newBuilder2.m894build());
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public boolean validateUserPassword(String str, char[] cArr) {
        Account findAccountByName = this.db.findAccountByName(str);
        if (!(findAccountByName instanceof User) || ((User) findAccountByName).getHash() == null) {
            return false;
        }
        return hasher.validatePassword(cArr, ((User) findAccountByName).getHash());
    }

    public boolean validateApplicationPassword(String str, char[] cArr) {
        Account accountForApplication = getAccountForApplication(str);
        if (accountForApplication == null) {
            throw new IllegalArgumentException("No such application");
        }
        if (accountForApplication instanceof ServiceAccount) {
            return hasher.validatePassword(cArr, ((ServiceAccount) accountForApplication).getApplicationHash());
        }
        throw new UnsupportedOperationException();
    }

    public void changePassword(User user, char[] cArr) {
        if (user.isExternallyManaged()) {
            throw new IllegalArgumentException("The identity of this user is not managed by Yamcs");
        }
        if (validateUserPassword(user.getName(), cArr)) {
            return;
        }
        user.setHash(hasher.createHash(cArr));
        this.users.put(user.name, user);
        mirrorToProtobufDatabase();
        this.db.updateAccount(user);
    }

    public Account getAccount(String str) {
        User user = getUser(str);
        return user != null ? user : getServiceAccount(str);
    }

    public User getUser(long j) {
        Account findAccount = this.db.findAccount(j);
        User user = findAccount instanceof User ? (User) findAccount : null;
        if (user != null) {
            setUserPrivileges(user);
        }
        return user;
    }

    public User getUser(String str) {
        Account findAccountByName = this.db.findAccountByName(str);
        User user = findAccountByName instanceof User ? (User) findAccountByName : null;
        if (user != null) {
            setUserPrivileges(user);
        }
        return user;
    }

    public List<User> getUsers() {
        return (List) this.db.listAccounts().stream().filter(account -> {
            return account instanceof User;
        }).map(account2 -> {
            return (User) account2;
        }).collect(Collectors.toList());
    }

    public Account getAccountForApplication(String str) {
        return this.db.findServiceAccountForApplicationId(str);
    }

    public Group getGroup(String str) {
        return this.db.findGroupByName(str);
    }

    public List<Group> getGroups() {
        return this.db.listGroups();
    }

    public List<Group> getGroups(User user) {
        return (List) getGroups().stream().filter(group -> {
            return group.hasMember(user.getId());
        }).collect(Collectors.toList());
    }

    public ServiceAccount getServiceAccount(String str) {
        Account findAccountByName = this.db.findAccountByName(str);
        if (findAccountByName instanceof ServiceAccount) {
            return (ServiceAccount) findAccountByName;
        }
        return null;
    }

    public List<ServiceAccount> getServiceAccounts() {
        return (List) this.db.listAccounts().stream().filter(account -> {
            return account instanceof ServiceAccount;
        }).map(account2 -> {
            return (ServiceAccount) account2;
        }).collect(Collectors.toList());
    }

    public List<Role> getRoles() {
        return new ArrayList(this.roles.values());
    }

    public Role getRole(String str) {
        return this.roles.get(str);
    }
}
