package team.sailboat.ms.ac.controller;

import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.Parameters;
import io.swagger.v3.oas.annotations.parameters.RequestBody;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.validation.Validator;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import team.sailboat.commons.fan.collection.XC;
import team.sailboat.commons.fan.http.IdentityTrace;
import team.sailboat.commons.fan.json.JSONObject;
import team.sailboat.commons.fan.lang.Assert;
import team.sailboat.commons.fan.lang.JCommon;
import team.sailboat.commons.fan.text.XString;
import team.sailboat.commons.fan.time.XTime;
import team.sailboat.commons.ms.ac.InnerProtectedApi;
import team.sailboat.commons.ms.bean.Page;
import team.sailboat.commons.ms.crypto.RSAKeyPairMaker4JS;
import team.sailboat.commons.ms.util.WebUtils;
import team.sailboat.commons.ms.valid.ValidateUtils;
import team.sailboat.commons.web.ac.ResId;
import team.sailboat.ms.ac.AppConfig;
import team.sailboat.ms.ac.AppConsts;
import team.sailboat.ms.ac.IAppAuths;
import team.sailboat.ms.ac.bean.ClientAppBrief;
import team.sailboat.ms.ac.bean.OrgUnit4User;
import team.sailboat.ms.ac.bean.UserItem;
import team.sailboat.ms.ac.dbean.OrgUnit;
import team.sailboat.ms.ac.dbean.R_OrgUnit_User;
import team.sailboat.ms.ac.dbean.ResSpace;
import team.sailboat.ms.ac.dbean.Role;
import team.sailboat.ms.ac.dbean.User;
import team.sailboat.ms.ac.server.IAuthCenterDataManager;
import team.sailboat.ms.ac.server.IClientAppDataManager;
import team.sailboat.ms.ac.server.IUserDataManager;
import team.sailboat.ms.ac.server.ResourceManageServer;
import team.sailboat.ms.ac.utils.SecurityUtils;

@RestController
/* loaded from: input_file:team/sailboat/ms/ac/controller/UserDataController.class */
public class UserDataController {
    final Logger mLogger = LoggerFactory.getLogger(getClass());

    @Autowired
    Validator mValidator;

    @Autowired
    ResourceManageServer mResMngServer;

    @Autowired
    RSAKeyPairMaker4JS mRSAMaker;

    @Autowired
    AppConfig mAppConf;

    @Autowired
    PasswordEncoder mPasswordEncoder;

    @Autowired
    @Qualifier("resetPasswdUsernames")
    Map<String, String> mResetPasswdUserNames;

    @PostMapping(value = {"/user/self/password/reset/forExpired"}, consumes = {"application/x-www-form-urlencoded"})
    @InnerProtectedApi
    @Operation(description = "用户重置过期的密码。参数不要在url中传递")
    @Parameters({@Parameter(name = "authToken", description = "一个临时标识码，表名用户已经验证通过"), @Parameter(name = "codeId", description = "动态RSA秘钥的标识码。Https协议下，可以不用加密"), @Parameter(name = "password", description = "密码。用动态RSA秘钥的公钥加密过后的密码。Https协议下，可以不用加密")})
    public void resetExpiredPassword(@RequestParam("authToken") String str, @RequestParam(name = "codeId", required = false) String str2, @RequestParam("password") String str3, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        Assert.notEmpty(str3, "新密码不能为空！", new Object[0]);
        String remove = this.mResetPasswdUserNames.remove(str);
        Assert.notEmpty(remove, "无效的AuthToken：%s", new Object[]{str});
        User mo14loadUserByUsername = this.mResMngServer.getUserDataMng().mo14loadUserByUsername(remove);
        Assert.notNull(mo14loadUserByUsername, "无效的用户名：%s", new Object[]{remove});
        String decrypt4js = this.mRSAMaker.decrypt4js(str2, str3);
        mo14loadUserByUsername.setPassword(this.mPasswordEncoder.encode(decrypt4js));
        Date plusDays = XTime.plusDays(XTime.today(), this.mAppConf.getCredentialRenewalDays().intValue());
        mo14loadUserByUsername.setCredentialsExpiredTime(plusDays);
        this.mLogger.info("用户[{}]的密码已经重新设置，凭据过期时间延长至{}", mo14loadUserByUsername.getRealName(), XTime.format$yyyyMMddHHmmssSSS(plusDays));
        String randomString = XString.randomString(32);
        this.mResetPasswdUserNames.put(randomString, new JSONObject().put("username", mo14loadUserByUsername.getUsername()).put("password", decrypt4js).toJSONString());
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/login?authToken=" + randomString);
    }

    @PostMapping({"/user/self/password/_reset"})
    @InnerProtectedApi
    @Operation(description = "用户重置自己的密码")
    @Parameters({@Parameter(name = "codeId", description = "动态RSA秘钥的标识码。Https协议下，可以不用加密"), @Parameter(name = "username", description = "用户名"), @Parameter(name = "oldPassword", description = "旧密码。用动态RSA秘钥的公钥加密过后的密码。Https协议下，可以不用加密"), @Parameter(name = "password", description = "密码。用动态RSA秘钥的公钥加密过后的密码。Https协议下，可以不用加密")})
    public void resetSelfPassword(@RequestParam(name = "codeId", required = false) String str, @RequestParam("username") String str2, @RequestParam("oldPassword") String str3, @RequestParam("password") String str4, HttpServletRequest httpServletRequest) throws Exception {
        Assert.notEmpty(str4, "新密码不能为空！", new Object[0]);
        Assert.isNotTrue(str4.equals(str3), "新旧密码不能相同！");
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            this.mLogger.warn("已拒绝！未登陆，试图重置用户[{}]的密码。{}", str2, IdentityTrace.get(httpServletRequest));
            return;
        }
        User user = (User) authentication.getPrincipal();
        if (JCommon.unequals(user.getUsername(), str2)) {
            this.mLogger.warn("已拒绝！登陆用户[{}]试图修改用户[{}]的密码！", user.getUsername(), str2);
            return;
        }
        String decrypt4js = this.mRSAMaker.decrypt4js(str, str3);
        String decrypt4js2 = this.mRSAMaker.decrypt4js(str, str4);
        Assert.isTrue(this.mPasswordEncoder.matches(decrypt4js, user.getPassword()), "旧密码不正确！", new Object[0]);
        user.setPassword(this.mPasswordEncoder.encode(decrypt4js2));
        this.mLogger.info("用户[{}]重置了自己的密码。{}", IdentityTrace.get(httpServletRequest));
    }

    @PostMapping(value = {"/user/password/admin"}, consumes = {"application/x-www-form-urlencoded"})
    @InnerProtectedApi
    @Operation(description = "设置 admin用户的密码，只有系统部署的时候，可以设置一次")
    @Parameters({@Parameter(name = "codeId", description = "动态RSA秘钥的标识码。Https协议下，可以不用加密"), @Parameter(name = "password", description = "密码。用动态RSA秘钥的公钥加密过后的密码。Https协议下，可以不用加密")})
    public String setAdminPassword(@RequestParam(name = "codeId", required = false) String str, @RequestParam("password") String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Model model) throws Exception {
        User mo14loadUserByUsername = this.mResMngServer.getUserDataMng().mo14loadUserByUsername(AppConsts.sUser_admin);
        Assert.notNull("不存在指定的用户[%s]", AppConsts.sUser_admin, new Object[0]);
        if (XString.isNotEmpty(mo14loadUserByUsername.getPassword())) {
            this.mLogger.warn("已拒绝！admin已经设置密码，拒绝通过此无需认证的接口重置密码。{}", IdentityTrace.get(httpServletRequest));
            model.addAttribute("code", Integer.valueOf(HttpStatus.FORBIDDEN.value()));
            model.addAttribute("message", "已拒绝！admin已经设置密码，拒绝通过此无需认证的接口重置密码");
            return WebUtils.isWebRequest(httpServletRequest) ? "redirect:error" : "";
        }
        mo14loadUserByUsername.setPassword(this.mPasswordEncoder.encode(this.mRSAMaker.decrypt4js(str, str2)));
        this.mResMngServer.setAdminPasswordSetted(true);
        this.mLogger.info("admin的密码被初始化。{}", IdentityTrace.get(httpServletRequest).toString());
        if (!WebUtils.isWebRequest(httpServletRequest)) {
            return "";
        }
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + "/login_view");
        return "";
    }

    @GetMapping(value = {"/user/all"}, produces = {"application/json"})
    @Operation(description = "取得所有用户")
    @Parameters({@Parameter(name = "pageSize", description = "每页数据量"), @Parameter(name = "pageIndex", description = "页码，从0开始")})
    public Page<UserItem> getUsersOfPage(@RequestParam(name = "pageSize", required = false, defaultValue = "100") int i, @RequestParam(name = "pageIndex", required = false, defaultValue = "0") int i2) {
        IUserDataManager userDataMng = this.mResMngServer.getUserDataMng();
        Collection<User> allUsersOrderByRealNameAsc = userDataMng.getAllUsersOrderByRealNameAsc();
        IAuthCenterDataManager authCenterDataMng = this.mResMngServer.getAuthCenterDataMng();
        return Page.of(i, i2, XC.arrayList(allUsersOrderByRealNameAsc, i2, i, user -> {
            UserItem userItem = new UserItem();
            user.initBean(userItem);
            R_OrgUnit_User[] r_OrgUnit_UserOfUser = authCenterDataMng.getR_OrgUnit_UserOfUser(user.getId());
            if (r_OrgUnit_UserOfUser != null && r_OrgUnit_UserOfUser.length > 0) {
                userItem.setOrgUnits(XC.extractAsArrayList(r_OrgUnit_UserOfUser, r_OrgUnit_User -> {
                    OrgUnit4User orgUnit4User = new OrgUnit4User();
                    orgUnit4User.setOrgUnitId(r_OrgUnit_User.getOrgUnitId());
                    orgUnit4User.setJob(r_OrgUnit_User.getJob());
                    OrgUnit orgUnit = authCenterDataMng.getOrgUnit(r_OrgUnit_User.getOrgUnitId());
                    if (orgUnit != null) {
                        orgUnit4User.setOrgUnitName(orgUnit.getName());
                    } else {
                        this.mLogger.warn("组织单元[{}]已不存在，但是在R_OrgUnit_User表中仍有与之相关的记录！", r_OrgUnit_User.getOrgUnitId());
                    }
                    return orgUnit4User;
                }));
            }
            userItem.setCreateUserDisplayName(userDataMng.getUserDisplayName(user.getCreateUserId()));
            userItem.setLastEditUserDisplayName(userDataMng.getUserDisplayName(user.getLastEditUserId()));
            return userItem;
        }, true), allUsersOrderByRealNameAsc.size());
    }

    @GetMapping(value = {"/user/current"}, produces = {"application/json"})
    @Operation(description = "取得当前登录用户的信息")
    public User.BUser getCurrentUser() {
        return ((User) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).asBean();
    }

    @GetMapping(value = {"/user/amount"}, produces = {"application/json"})
    @Operation(description = "用户的数量统计，包括总数(totalAmount)、锁定用户数量(lockedAmount)，未被锁的用户数量(unlockedAmount)")
    public Map<String, Integer> getUserAmount() {
        int i = 0;
        int i2 = 0;
        List<User> allUsers = this.mResMngServer.getUserDataMng().getAllUsers();
        Iterator<User> it = allUsers.iterator();
        while (it.hasNext()) {
            if (it.next().isAccountNonLocked()) {
                i++;
            } else {
                i2++;
            }
        }
        HashMap hashMap = new HashMap();
        hashMap.put("totalAmount", Integer.valueOf(allUsers.size()));
        hashMap.put("unlockedAmount", Integer.valueOf(i));
        hashMap.put("lockedAmount", Integer.valueOf(i2));
        return hashMap;
    }

    @PostMapping(value = {"/user/username/_check"}, produces = {"text/plain"})
    @Operation(description = "检查指定的用户名是否可用")
    @PreAuthorize(IAppAuths.sHasAuthority_CDU_UserData)
    @Parameter(name = "username", description = "用户名")
    public String checkUsernameAvailable(@RequestParam("username") String str) {
        try {
            this.mResMngServer.getUserDataMng().mo14loadUserByUsername(str);
            return "false";
        } catch (UsernameNotFoundException e) {
            return "true";
        }
    }

    @PostMapping(value = {"/user/one"}, produces = {"text/plain"})
    @Operation(description = "创建用户")
    @PreAuthorize(IAppAuths.sHasAuthority_CDU_UserData)
    @RequestBody(description = "用户信息")
    @Parameter(name = "codeId", description = "如果想在此次创建中把密码设置上，就得获取RSA公钥，对密码进行加密。加密后的内容设置在password字段上。Https协议下，可以不用加密")
    public String createUser(@org.springframework.web.bind.annotation.RequestBody UserItem userItem, @RequestParam(name = "codeId", required = false) String str) throws Exception {
        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        if (XString.isEmpty(userItem.getPassword())) {
            userItem.setPassword(null);
        } else {
            userItem.setPassword(this.mPasswordEncoder.encode(this.mRSAMaker.decrypt4js(str, userItem.getPassword())));
        }
        ValidateUtils.validateAndThrow(this.mValidator, userItem);
        User createUser = this.mResMngServer.getUserDataMng().createUser(userItem, user.getId());
        if (XC.isNotEmpty(userItem.getOrgUnits())) {
            IAuthCenterDataManager authCenterDataMng = this.mResMngServer.getAuthCenterDataMng();
            for (OrgUnit4User orgUnit4User : userItem.getOrgUnits()) {
                authCenterDataMng.bindUserToOrgUnit(createUser.getId(), orgUnit4User.getOrgUnitId(), orgUnit4User.getJob(), user.getId());
            }
        }
        return createUser.getId();
    }

    @PutMapping({"/user/one"})
    @Operation(description = "更新用户信息（非自己）。不包括密码")
    @PreAuthorize(IAppAuths.sHasAuthority_CDU_UserData)
    @RequestBody(description = "用户信息")
    public void updateUser(@org.springframework.web.bind.annotation.RequestBody UserItem userItem) throws Exception {
        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        this.mResMngServer.getUserDataMng().updateUser(userItem, user.getId());
        if (XC.isNotEmpty(userItem.getOrgUnits())) {
            IAuthCenterDataManager authCenterDataMng = this.mResMngServer.getAuthCenterDataMng();
            for (OrgUnit4User orgUnit4User : userItem.getOrgUnits()) {
                authCenterDataMng.bindUserToOrgUnit(userItem.getId(), orgUnit4User.getOrgUnitId(), orgUnit4User.getJob(), user.getId());
            }
        }
    }

    @PostMapping(value = {"/user/password/_reset"}, produces = {"application/x-www-form-urlencoded"})
    @Operation(description = "重置其它用户的密码")
    @Parameters({@Parameter(name = "codeId", description = "动态RSA秘钥的标识码。Https协议下，可以不用加密"), @Parameter(name = "password", description = "密码。用动态RSA秘钥的公钥加密过后的密码"), @Parameter(name = "userId", description = "目标用户id，被修改密码的用户id")})
    @PreAuthorize(IAppAuths.sHasAuthority_Reset_PasswordOfOtherUser)
    public void resetUserPassword(@RequestParam(name = "codeId", required = false) String str, @RequestParam("password") String str2, @RequestParam("userId") String str3) throws Exception {
        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        User user2 = this.mResMngServer.getUserDataMng().getUser(str3);
        Assert.notNull(user2, "无效的用户id：%s", new Object[]{str3});
        user2.setPassword(this.mPasswordEncoder.encode(this.mRSAMaker.decrypt4js(str, str2)));
        user2.setLastEditTime(new Date());
        user2.setLastEditUserId(user.getId());
        this.mLogger.info("用户" + user.getDisplayName() + "修改了【" + user2.getDisplayName() + "】的登录密码！");
    }

    @Operation(description = "删除指定用户")
    @PreAuthorize(IAppAuths.sHasAuthority_CDU_UserData)
    @Parameter(name = "userId", description = "目标用户id，被删除的用户id")
    @GetMapping({"/user/one/delete"})
    public void deleteUser(@RequestParam("userId") String str) {
        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        User user2 = this.mResMngServer.getUserDataMng().getUser(str);
        if (this.mResMngServer.getUserDataMng().deleteUser(str, user.getId())) {
            this.mLogger.info("用户[{}]删除了指定用户 {}[{}] !", new Object[]{user.getDisplayName(), user2.getDisplayName(), user2.getId()});
        }
    }

    @InnerProtectedApi
    @GetMapping(value = {"/user/self/clientAppBrief/ofCanVisit"}, produces = {"application/json"})
    @Operation(description = "取得当前会话用户可以访问的应用简要信息")
    public List<ClientAppBrief> getClientAppBriefsOfSelfCanVisit() {
        return XC.extractAsArrayList(this.mResMngServer.getClientAppDataMng().getClientAppsOfUserCanVisit(SecurityUtils.checkUser().getId()), ClientAppBrief::of);
    }

    @Operation(description = "取得指定用户可以访问的应用简要信息。（需要权限）")
    @PreAuthorize("hasAuthority('CDU_UserData') or hasAuthority('View_AllUsers')")
    @Parameter(name = "userId", description = "目标用户id")
    @GetMapping(value = {"/user/clientAppBrief/ofCanVisit"}, produces = {"application/json"})
    public List<ClientAppBrief> getClientAppBriefsOfUserCanVisit(@RequestParam("userId") String str) {
        return XC.extractAsArrayList(this.mResMngServer.getClientAppDataMng().getClientAppsOfUserCanVisit(str), ClientAppBrief::of);
    }

    @PostMapping({"/user/clientApp/ofCanVisit/_addOrDelete"})
    @Operation(description = "添加/删除用户可访问某些应用的权限")
    @Parameters({@Parameter(name = "userId", description = "目标用户id"), @Parameter(name = "addClientAppIds", description = "新添加可访问权限的ClientApp的id，多个之间用“,”相连"), @Parameter(name = "delClientAppIds", description = "删除可访问权限的ClientApp的id，多个之间用“,”相连")})
    @PreAuthorize(IAppAuths.sHasAuthority_CDU_UserData)
    public void addClientAppVisitRightToUser(@RequestParam("userId") String str, @RequestParam(name = "addClientAppIds", required = false) String[] strArr, @RequestParam(name = "delClientAppIds", required = false) String[] strArr2) {
        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        IClientAppDataManager clientAppDataMng = this.mResMngServer.getClientAppDataMng();
        if (XC.isNotEmpty(strArr)) {
            for (String str2 : strArr) {
                if (XString.isNotEmpty(str2)) {
                    clientAppDataMng.grantClientAppToUser(str2, str, user.getId());
                }
            }
        }
        if (XC.isNotEmpty(strArr2)) {
            for (String str3 : strArr) {
                if (XString.isNotEmpty(str3)) {
                    clientAppDataMng.ungrantClientAppToUser(str3, str, user.getId());
                }
            }
        }
    }

    @Operation(description = "取得用户在指定应用下所拥有的资源空间")
    @Parameters({@Parameter(name = "clientAppId", description = "客户端应用id"), @Parameter(name = "userId", description = "用户id")})
    @PreAuthorize("hasAuthority('CDU_UserData') or hasAuthority('View_AllUsers')")
    @GetMapping(value = {"/user/clientApp/resSpace"}, produces = {"application/json"})
    public List<ResSpace.BResSpace> getResSpacesOfUserInClientApp(@RequestParam("userId") String str, @RequestParam("clientAppId") String str2) {
        return XC.extractAsArrayList(this.mResMngServer.getClientAppDataMng().getResSpaceOfUserInClientApp(str, str2), (v0) -> {
            return v0.asBean();
        });
    }

    @Operation(description = "取得用户在指定资源空间下面的角色")
    @Parameters({@Parameter(name = "userId", description = "用户id"), @Parameter(name = "resSpaceId", description = "资源空间id")})
    @PreAuthorize("hasAuthority('CDU_UserData') or hasAuthority('View_AllUsers') or hasAuthority('Manage_Special_CanVisitUser:' + #_resId_)")
    @GetMapping(value = {"/user/clientApp/resSapce/role"}, produces = {"application/json"})
    public List<Role.BRole> getRolesOfUserInResSapce(@RequestParam("userId") String str, @RequestParam("resSpaceId") @ResId("getClientAppIdFromResSpaceId") String str2) {
        return XC.extractAsArrayList(this.mResMngServer.getClientAppDataMng().getRoleOfUserInResSpace(str, str2), (v0) -> {
            return v0.asBean();
        });
    }

    @PostMapping({"/user/clientApp/resSpace/role/_addOrDelete"})
    @Operation(description = "添加/删除某个用户在某个应用的资源空间下的角色")
    @Parameters({@Parameter(name = "userId", description = "用户id"), @Parameter(name = "resSpaceId", description = "资源空间id"), @Parameter(name = "addRoleIds", description = "需要添加的角色id，多个之间用“,”分隔"), @Parameter(name = "delRoleIds", description = "需要删除的角色id，多个之间用“,”分隔")})
    @PreAuthorize("hasAuthority('CDU_UserData') or hasAuthority('Manage_Special_CanVisitUser:' + #_resId_)")
    public void addOrDeleteRolesOfUserInRespace(@RequestParam("userId") String str, @RequestParam("resSpaceId") @ResId("getClientAppIdFromResSpaceId") String str2, @RequestParam(name = "addRoleIds", required = false) String[] strArr, @RequestParam(name = "delRoleIds", required = false) String[] strArr2) {
        User user = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        IClientAppDataManager clientAppDataMng = this.mResMngServer.getClientAppDataMng();
        if (XC.isNotEmpty(strArr)) {
            for (String str3 : strArr) {
                clientAppDataMng.grantRoleToUser(str2, str3, str, user.getId());
            }
        }
        if (XC.isNotEmpty(strArr2)) {
            for (String str4 : strArr2) {
                clientAppDataMng.ungrantRoleToUser(str2, str4, str, user.getId());
            }
        }
    }
}
