package de.sep.sesam.restapi.dao.impl;

import de.sep.sesam.auth.PasswordUtil;
import de.sep.sesam.common.logging.ContextLogger;
import de.sep.sesam.common.logging.LogGroup;
import de.sep.sesam.common.logging.messages.SecurityMessages;
import de.sep.sesam.common.logging.messages.SimpleMessage;
import de.sep.sesam.common.security.PasswordController;
import de.sep.sesam.model.AclUser;
import de.sep.sesam.model.UserGroupRelations;
import de.sep.sesam.model.Users;
import de.sep.sesam.model.core.defaults.DefaultUserNames;
import de.sep.sesam.model.filter.core.AbstractFilter;
import de.sep.sesam.model.type.AclUserType;
import de.sep.sesam.model.type.UserOrigin;
import de.sep.sesam.rest.exceptions.AuthenticationException;
import de.sep.sesam.rest.exceptions.ObjectNotFoundException;
import de.sep.sesam.rest.exceptions.OperationNotPossibleException;
import de.sep.sesam.rest.exceptions.ServiceException;
import de.sep.sesam.restapi.authentication.SessionContext;
import de.sep.sesam.restapi.authentication.SessionHandler;
import de.sep.sesam.restapi.core.defaults.DefaultsUtil;
import de.sep.sesam.restapi.core.filter.UsersFilter;
import de.sep.sesam.restapi.dao.AclsDaoServer;
import de.sep.sesam.restapi.dao.DefaultsDaoServer;
import de.sep.sesam.restapi.dao.GenericLongDao;
import de.sep.sesam.restapi.dao.UserAllowedHostsDaoServer;
import de.sep.sesam.restapi.dao.UserGroupRelationsDaoServer;
import de.sep.sesam.restapi.dao.UsersDaoServer;
import de.sep.sesam.restapi.dao.cache.CacheFactory;
import de.sep.sesam.restapi.dao.cache.EntityCache;
import de.sep.sesam.restapi.mapper.UsersMapper;
import de.sep.sesam.ui.images.Overlays;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import java.util.concurrent.locks.ReentrantLock;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.PropertyAccessor;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.stereotype.Service;

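@Service("usersDao")
/**
 * DAO for {@link Users} accounts.
 *
 * <p>Passwords are never stored in clear: they are encoded with {@link PasswordUtil#encodePassword}
 * using a per-user key, which is the decrypted {@code salt} column or, when no salt is stored, the
 * user name. Every entity handed out through the public read/write API has its password replaced by
 * {@link PasswordUtil#STARS} (see {@link #fixOutput(Users)}); only {@link #login} and the
 * {@code *Internal} lookups return the stored value, because they need it for verification.
 */
public class UsersDaoImpl extends GenericLongDao<Users, UsersMapper> implements UsersDaoServer {
    /** Guards the duplicate-name check plus insert in {@link #create} so concurrent creates cannot both pass the check. */
    private final ReentrantLock createUserLock = new ReentrantLock();

    /** System default that, when true, requires a client certificate in addition to the password at login. */
    private static final String MFA_CERTIFICATE_DEFAULT = "gui.enable.credentials.mfa.certificate";

    /** Characters that must not appear in a user name (see {@link #validate}). */
    private static final String[] INVALID_NAME_CHARS = {
        "\"", "/", "\\", "[", "]", ":", ";", "|", "=", ",", "+", "*", "?", "<", ">"
    };

    public UsersDaoImpl() {
        setBypassAclAllThreads(true);
    }

    /**
     * Updates an existing user. A blank, masked ({@link PasswordUtil#STARS}) or unchanged password keeps the
     * stored value; anything else is re-encoded and a PASSWORD_CHANGED security event is logged.
     *
     * @param users the user to update; its id must reference an existing record
     * @return the updated user with the password masked
     * @throws OperationNotPossibleException if another user already carries the same name
     * @throws ObjectNotFoundException if no user with the given id exists
     * @throws ServiceException on persistence errors
     */
    @Override
    public Users update(Users users) throws ServiceException {
        Objects.requireNonNull(users, "users");
        ensureNameIsUnique(users.getName(), users.getId());
        Users stored = super.get(users.getId());
        if (stored == null) {
            // The original code dereferenced the missing record; report it instead.
            throw new ObjectNotFoundException("user", String.valueOf(users.getId()));
        }
        // Prefer a salt supplied by the caller, otherwise keep the stored one; the fallback key is the stored name.
        String salt = StringUtils.isNotBlank(users.getSalt()) ? users.getSalt() : stored.getSalt();
        String key = resolvePasswordKey(salt, stored.getName());
        users.setSalt(StringUtils.isBlank(salt) ? PasswordController.getInstance().encrypt(key) : salt);

        String incoming = users.getPassword();
        boolean keepStoredPassword = StringUtils.isBlank(incoming)
                || PasswordUtil.STARS.equals(incoming)
                || constantTimeEquals(stored.getPassword(), incoming);
        if (keepStoredPassword) {
            users.setPassword(stored.getPassword());
        } else {
            users.setPassword(PasswordUtil.encodePassword(key, incoming));
            getLogger().info(Overlays.UPDATE, LogGroup.SECURITY, SecurityMessages.PASSWORD_CHANGED, users.getName());
        }
        if (users.getOrigin() == null) {
            users.setOrigin(stored.getOrigin());
        }
        return fixOutput(super.update(users));
    }

    /**
     * Creates a new user with a freshly generated salt and an encoded password.
     *
     * @param users the user to create; {@code origin} defaults to {@link UserOrigin#USER}
     * @return the created user with the password masked, or {@code null} if the insert returned nothing
     * @throws OperationNotPossibleException if a user with the same name already exists
     * @throws ServiceException on persistence errors
     */
    @Override
    public Users create(Users users) throws ServiceException {
        Objects.requireNonNull(users, "users");
        if (users.getOrigin() == null) {
            users.setOrigin(UserOrigin.USER);
        }
        // Check and insert under one lock; previously the check ran outside it, so two concurrent creates
        // of the same name could both pass. Standard lock/try/finally also avoids a double unlock on error.
        this.createUserLock.lock();
        try {
            ensureNameIsUnique(users.getName(), null);
            // The plain salt is the password key; only its encrypted form is persisted.
            String salt = UUID.randomUUID().toString();
            users.setSalt(PasswordController.getInstance().encrypt(salt));
            users.setPassword(PasswordUtil.encodePassword(salt, users.getPassword()));
            Users created = super.create(users);
            return created != null ? fixOutput(created) : null;
        } finally {
            this.createUserLock.unlock();
        }
    }

    /**
     * Rejects names containing reserved characters and fills unset flags with their defaults before
     * delegating to the generic validation.
     *
     * @param users the user to validate (mutated: defaults are applied in place)
     * @throws IllegalArgumentException if the name contains one of {@link #INVALID_NAME_CHARS}
     * @throws ServiceException from the generic validation
     */
    @Override
    public void validate(Users users) throws ServiceException {
        Objects.requireNonNull(users, "users");
        if (StringUtils.containsAny(users.getName(), INVALID_NAME_CHARS)) {
            throw new IllegalArgumentException("User name contains at least one of following invalid characters: \" / \\ [ ] : ; | = , + * ? < >");
        }
        if (users.getOrigin() == null) {
            users.setOrigin(UserOrigin.USER);
        }
        if (users.getAccountExpired() == null) {
            users.setAccountExpired(Boolean.FALSE);
        }
        if (users.getLocked() == null) {
            users.setLocked(Boolean.FALSE);
        }
        if (users.getPasswordExpired() == null) {
            users.setPasswordExpired(Boolean.FALSE);
        }
        if (users.getEnabled() == null) {
            users.setEnabled(Boolean.TRUE);
        }
        if (StringUtils.isBlank(users.getUuid())) {
            users.setUuid(UUID.randomUUID().toString());
        }
        super.validate(users);
    }

    /**
     * Changes a user's password after verifying the current one.
     *
     * @param userName        name (or display label) of the user
     * @param currentPassword the password to verify against the stored one
     * @param newPassword     the password to store
     * @return always {@code Boolean.TRUE}
     * @throws ObjectNotFoundException if the user does not exist
     * @throws AuthenticationException if the account is disabled or expired
     * @throws OperationNotPossibleException if the current password does not match
     * @throws ServiceException on persistence errors
     */
    @Override
    public Boolean setPassword(String userName, String currentPassword, String newPassword) throws ServiceException {
        Users user = getByNameInternal(userName);
        if (user == null) {
            throw new ObjectNotFoundException("user", userName);
        }
        rejectIfAccountUnusable(user, userName, "setPassword");
        String key = resolvePasswordKey(user.getSalt(), user.getName());
        // NOTE(review): when no password is stored the current-password check is skipped (pre-existing
        // behaviour); confirm this is only reachable for accounts that never had a password set.
        if (StringUtils.isNotEmpty(user.getPassword())
                && !constantTimeEquals(user.getPassword(), PasswordUtil.encodePassword(key, currentPassword))) {
            throw new OperationNotPossibleException(OperationNotPossibleException.ONPMessage.INVALID_REQUEST, "set password for user '" + userName + "'", "Provided password invalid.");
        }
        user.setPassword(PasswordUtil.encodePassword(key, newPassword));
        getLogger().info("setPassword", LogGroup.SECURITY, SecurityMessages.PASSWORD_CHANGED, user.getName());
        super.update(user);
        return Boolean.TRUE;
    }

    /**
     * Loads a user by id.
     *
     * @param id the user id
     * @return the user with the password masked, or {@code null} if not found
     * @throws ServiceException on persistence errors
     */
    @Override
    public Users get(Long id) throws ServiceException {
        Users user = super.get(id);
        return user == null ? null : fixOutput(user);
    }

    /**
     * Authenticates a local user by password and/or client certificate.
     *
     * <p>Rules, in order: LDAP/AD accounts are not handled here and yield {@code null}; a password is required
     * unless a certificate is presented and certificate MFA is off; a certificate is required when MFA is on;
     * {@code root} falls back to {@link DefaultUserNames#ADMIN_USER}; disabled/expired accounts and expired
     * passwords are rejected; a presented certificate is verified, and a certificate that is merely not
     * associated with the account falls back to the password when one was supplied. The password is checked
     * whenever no (valid) certificate remains or MFA is on.
     *
     * @param userName    login name
     * @param password    password, may be blank when a certificate is presented
     * @param certificate client certificate, may be {@code null}
     * @return the authenticated user (password field unmasked), or {@code null} for directory-backed accounts
     * @throws AuthenticationException if authentication fails; the message key states why
     */
    @Override
    public Users login(String userName, String password, Certificate certificate) throws AuthenticationException {
        boolean certificateRequired = isCertificateMfaEnabled();
        Users user = getByNameInternal(userName);
        // Directory-backed accounts are not verified here; the null return presumably lets the caller route
        // them to the LDAP/AD authenticator — confirm against the caller.
        if (user != null && (user.getOrigin() == UserOrigin.LDAP || user.getOrigin() == UserOrigin.AD)) {
            return null;
        }
        if (StringUtils.isBlank(password) && (certificate == null || certificateRequired)) {
            getLogger().info("login", LogGroup.SECURITY, new SimpleMessage("User {0} provided empty password."), userName);
            throw new AuthenticationException(AuthenticationException.AuthMessage.CREDENTIALS_INVALID, userName);
        }
        if (certificate == null && certificateRequired) {
            getLogger().info("login", LogGroup.SECURITY, new SimpleMessage("User {0} provided empty certificate."), userName);
            throw new AuthenticationException(AuthenticationException.AuthMessage.CREDENTIALS_INVALID, userName);
        }
        if (user == null && StringUtils.equals(userName, "root")) {
            user = getByNameInternal(DefaultUserNames.ADMIN_USER);
        }
        if (user == null) {
            getLogger().info("login", LogGroup.SECURITY, new SimpleMessage("User {0} does not exist."), userName);
            throw new AuthenticationException(AuthenticationException.AuthMessage.CREDENTIALS_INVALID, userName);
        }
        rejectIfAccountUnusable(user, userName, "login");
        if (StringUtils.isNotBlank(password) && Boolean.TRUE.equals(user.getPasswordExpired())) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.PASSWORD_INVALID, userName);
        }

        AuthenticationException unassociatedCertificate = null;
        Certificate presented = certificate;
        if (presented != null) {
            try {
                verifyCertificate(user, presented);
            } catch (AuthenticationException e) {
                // Only an unassociated certificate may fall back to the password, and only if one was supplied;
                // invalid, expired or not-yet-valid certificates are always fatal.
                if (StringUtils.isBlank(password) || !StringUtils.equals(e.getKey(), AuthenticationException.AuthMessage.CERTIFICATE_UNASSOCIATED.key())) {
                    throw e;
                }
                presented = null;
                unassociatedCertificate = e;
            }
        }
        if (presented == null || certificateRequired) {
            String key = resolvePasswordKey(user.getSalt(), user.getName());
            if (!constantTimeEquals(user.getPassword(), PasswordUtil.encodePassword(key, password))) {
                String message = unassociatedCertificate != null
                        ? "User {0} provided invalid certificate (" + unassociatedCertificate.getLocalizedMessage() + ")."
                        : "User {0} provided wrong password.";
                getLogger().info("login", LogGroup.SECURITY, new SimpleMessage(message), userName);
                throw new AuthenticationException(AuthenticationException.AuthMessage.CREDENTIALS_INVALID, userName);
            }
        }
        return user;
    }

    /**
     * Verifies that a client certificate is an X.509 certificate within its validity period whose SHA-1
     * thumbprint is listed in the user's {@code thumbprint} column.
     *
     * @param user        the account the certificate is presented for
     * @param certificate the presented certificate
     * @throws AuthenticationException CERTIFICATE_INVALID (not X.509 or not encodable), CERTIFICATE_EXPIRED,
     *                                 CERTIFICATE_INACTIVE (not yet valid) or CERTIFICATE_UNASSOCIATED
     */
    @Override
    public void verifyCertificate(Users user, Certificate certificate) throws AuthenticationException {
        Objects.requireNonNull(user, "user");
        Objects.requireNonNull(certificate, "certificate");
        if (!(certificate instanceof X509Certificate)) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.CERTIFICATE_INVALID, user.getName());
        }
        X509Certificate x509 = (X509Certificate) certificate;
        try {
            x509.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.CERTIFICATE_EXPIRED, user.getName());
        } catch (CertificateNotYetValidException e) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.CERTIFICATE_INACTIVE, user.getName());
        }
        String presentedThumbprint;
        try {
            // Lower-case SHA-1 hex is the format the stored thumbprints are normalised to;
            // changing the algorithm requires migrating the stored values.
            presentedThumbprint = StringUtils.lowerCase(DigestUtils.sha1Hex(x509.getEncoded()));
        } catch (CertificateEncodingException e) {
            // A certificate that cannot be DER-encoded cannot be matched; report it as invalid rather than
            // silently treating it as "not associated" (which login() would fall back from).
            throw new AuthenticationException(AuthenticationException.AuthMessage.CERTIFICATE_INVALID, user.getName());
        }
        if (!parseThumbprints(user.getThumbprint()).contains(presentedThumbprint)) {
            throw new AuthenticationException(AuthenticationException.AuthMessage.CERTIFICATE_UNASSOCIATED, user.getName());
        }
    }

    /**
     * Lists all users with passwords masked.
     *
     * @return a fresh list of masked copies
     * @throws ServiceException on persistence errors
     */
    @Override
    public List<Users> getAll() throws ServiceException {
        return fixOutput(super.getAll());
    }

    /**
     * Finds a user by exact name or display label, falling back to a numeric id.
     *
     * @param nameOrId user name, display label or decimal id
     * @return the masked user, or {@code null} if blank or not found
     * @throws ServiceException on persistence errors
     */
    @Override
    public Users getByName(String nameOrId) throws ServiceException {
        if (StringUtils.isBlank(nameOrId)) {
            return null;
        }
        // getAll() already returns masked copies, so no second fixOutput() is needed.
        for (Users user : getAll()) {
            if (nameOrId.equals(user.getName()) || nameOrId.equals(user.getDisplayLabel())) {
                return user;
            }
        }
        try {
            // get() masks the password; a single lookup replaces the former double call.
            return get(Long.parseLong(nameOrId));
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /**
     * Returns a copy of the user with the password replaced by {@link PasswordUtil#STARS}.
     *
     * @param user the entity to mask (not modified)
     * @return a masked copy
     */
    private Users fixOutput(Users user) {
        Users masked = new Users(user);
        masked.setPassword(PasswordUtil.STARS);
        return masked;
    }

    /**
     * Returns masked copies of all given users.
     *
     * @param users the entities to mask (not modified); {@code null} is treated as empty
     * @return a new list of masked copies
     */
    private List<Users> fixOutput(List<Users> users) {
        List<Users> masked = new ArrayList<>(users == null ? 0 : users.size());
        if (users != null) {
            for (Users user : users) {
                masked.add(fixOutput(user));
            }
        }
        return masked;
    }

    /**
     * Looks a user up by decimal id without masking the password.
     *
     * @param id decimal id as string
     * @return the stored user, or {@code null} if the id is blank, not numeric, unknown or unreadable
     */
    @Override
    public Users getByIdInternal(String id) {
        if (StringUtils.isBlank(id)) {
            return null;
        }
        long numericId;
        try {
            numericId = Long.parseLong(id);
        } catch (NumberFormatException e) {
            return null; // not an id
        }
        try {
            return super.get(numericId);
        } catch (ServiceException e) {
            return null; // best-effort lookup, consistent with getByNameInternal()
        }
    }

    /**
     * Looks a user up by name or display label without masking the password.
     *
     * @param name    user name or display label
     * @param origins optional origin filter; when non-empty the user's origin must equal one of the
     *                non-null entries
     * @return a copy of the stored user, or {@code null} if blank, not found or the table is unreadable
     */
    @Override
    public Users getByNameInternal(String name, UserOrigin... origins) {
        if (StringUtils.isBlank(name)) {
            return null;
        }
        try {
            for (Users candidate : super.getAll()) {
                if (StringUtils.equalsAny(name, candidate.getName(), candidate.getDisplayLabel())
                        && matchesOrigin(candidate, origins)) {
                    // Return a copy so callers that modify the result (setPassword does) do not alter
                    // the instance returned by super.getAll().
                    return new Users(candidate);
                }
            }
        } catch (ServiceException e) {
            // best-effort lookup: an unreadable user table reads as "no such user"
        }
        return null;
    }

    /**
     * Deletes a user together with its group memberships, allowed hosts, ACL entries and live sessions.
     *
     * @param id the user id
     * @return the id returned by the generic removal
     * @throws ServiceException on persistence errors
     */
    @Override
    public Long remove(Long id) throws ServiceException {
        Objects.requireNonNull(id, "id");
        Users user = get(id);
        getLogger().info("remove", LogGroup.SECURITY,
                new SimpleMessage("Removing user with ID ''{0}'' (name = ''{1}'') from database.", String.valueOf(id.longValue())),
                user != null ? user.getName() : "");
        // Cascade: everything referencing the user goes first.
        ((UserGroupRelationsDaoServer) getDaos().getService(UserGroupRelationsDaoServer.class)).removeByUser(id);
        ((UserAllowedHostsDaoServer) getDaos().getService(UserAllowedHostsDaoServer.class)).removeByUser(id);
        AclUser aclUser = new AclUser();
        aclUser.setId(id.toString());
        aclUser.setType(AclUserType.USER);
        ((AclsDaoServer) getDaos().getService(AclsDaoServer.class)).removeFromAcls(aclUser);
        // Terminate live sessions of the removed account so it cannot keep acting after deletion.
        // NOTE(review): this relies on Users.equals(); `user` is a masked copy, so if equals() compares the
        // password field the sessions are never matched — confirm equals() is id/name based.
        for (SessionContext session : SessionHandler.getAll()) {
            if (session != null && session.getUser() != null && session.getUser().equals(user)) {
                SessionHandler.remove(session.getId());
            }
        }
        return super.remove(id);
    }

    /**
     * Lists the members of a group.
     *
     * @param groupId the group id
     * @return masked copies of every user that has a relation to the group
     * @throws ServiceException on persistence errors
     */
    @Override
    public List<Users> getByGroup(Long groupId) throws ServiceException {
        Objects.requireNonNull(groupId, "groupId");
        List<Users> all = getAll();
        List<UserGroupRelations> relations = ((UserGroupRelationsDaoServer) getDaos().getService(UserGroupRelationsDaoServer.class)).getByGroupId(groupId);
        // The former hand-written iterator loop never terminated for a user without a matching relation.
        List<Users> members = new ArrayList<>();
        for (Users user : all) {
            Long userId = user.getId();
            if (userId != null && relations.stream().anyMatch(relation -> userId.equals(relation.getUserId()))) {
                members.add(user);
            }
        }
        return fixOutput(members);
    }

    /**
     * Filters users; a group filter is answered by {@link #getByGroup}, anything else by the generic filter.
     *
     * @param usersFilter the filter
     * @return masked copies of the matching users
     * @throws ServiceException on persistence errors
     */
    @Override
    public List<Users> filter(UsersFilter usersFilter) throws ServiceException {
        if (usersFilter.getGroup() != null) {
            return getByGroup(usersFilter.getGroup()); // already masked
        }
        return fixOutput(super.filter((AbstractFilter) usersFilter));
    }

    @Override
    public Users persist(Users users) throws ServiceException {
        return super.persist(users);
    }

    // ---------------------------------------------------------------------------------------------
    // helpers
    // ---------------------------------------------------------------------------------------------

    /**
     * Throws DUPLICATE_ENTRY_BY_NAME if a different user already carries {@code name}. The lookup runs with
     * ACL checks bypassed (restored afterwards) so the uniqueness check is not limited by the caller's rights.
     *
     * @param name  the name to check
     * @param ownId id of the record being updated, or {@code null} on create (any match is a conflict)
     */
    private void ensureNameIsUnique(String name, Long ownId) throws ServiceException {
        boolean bypassAcl = getBypassAcl();
        Users existing;
        try {
            setBypassAcl(true);
            existing = getByNameInternal(name);
        } finally {
            setBypassAcl(bypassAcl);
        }
        if (existing != null && !(ownId != null && ownId.equals(existing.getId()))) {
            throw new OperationNotPossibleException(OperationNotPossibleException.ONPMessage.DUPLICATE_ENTRY_BY_NAME, StringUtils.lowerCase(Users.class.getSimpleName()), name);
        }
    }

    /**
     * Derives the key used with {@link PasswordUtil#encodePassword}: the decrypted salt, or the user name
     * when no salt is stored or it decrypts to nothing.
     */
    private static String resolvePasswordKey(String salt, String userName) {
        String key = null;
        if (StringUtils.isNotBlank(salt)) {
            key = PasswordController.getInstance().decrypt(salt);
        }
        if (StringUtils.isBlank(key)) {
            key = userName;
        }
        assert StringUtils.isNotBlank(key) : "no password key available";
        return key;
    }

    /**
     * Rejects disabled or expired accounts with ACCOUNT_INVALID after logging a security event.
     *
     * @param user      the account
     * @param loginName the name used in the log message and exception
     * @param context   logger context ("login", "setPassword")
     */
    private void rejectIfAccountUnusable(Users user, String loginName, String context) throws AuthenticationException {
        boolean expired = Boolean.TRUE.equals(user.getAccountExpired());
        boolean enabled = Boolean.TRUE.equals(user.getEnabled()); // a null flag counts as disabled
        if (!enabled || expired) {
            getLogger().info(context, LogGroup.SECURITY, new SimpleMessage("Account for user {0} is " + (expired ? "expired." : "disabled.")), loginName);
            throw new AuthenticationException(AuthenticationException.AuthMessage.ACCOUNT_INVALID, loginName);
        }
    }

    /** Reads the certificate-MFA system default; blank or unreadable values count as "not required". */
    private boolean isCertificateMfaEnabled() {
        String value = null;
        try {
            value = ((DefaultsDaoServer) getDaos().getService(DefaultsDaoServer.class)).getSystemDefault(MFA_CERTIFICATE_DEFAULT);
        } catch (ServiceException ignored) {
            // NOTE(review): an unreadable default disables the certificate requirement (fails open);
            // confirm this is acceptable or make the default fail closed.
        }
        return StringUtils.isNotBlank(value) && DefaultsUtil.toBool(value);
    }

    /**
     * Normalises the stored comma-separated thumbprint list: entries are trimmed, a leading {@code name=}
     * prefix and {@code :} byte separators are dropped, and the hex is lower-cased.
     *
     * @param stored the raw column value, may be blank
     * @return normalised thumbprints, empty when none are stored
     */
    private static List<String> parseThumbprints(String stored) {
        List<String> result = new ArrayList<>();
        if (StringUtils.isBlank(stored)) {
            return result;
        }
        for (String raw : stored.split(",")) {
            if (StringUtils.isBlank(raw)) {
                continue;
            }
            String value = StringUtils.trim(raw);
            if (StringUtils.contains(value, "=")) {
                value = StringUtils.substring(value, StringUtils.indexOf(value, "=") + 1);
            }
            value = StringUtils.remove(value, ':');
            result.add(StringUtils.lowerCase(value));
        }
        return result;
    }

    /** True when {@code origins} is empty or one of its non-null entries equals the candidate's origin. */
    private static boolean matchesOrigin(Users candidate, UserOrigin[] origins) {
        if (ArrayUtils.isEmpty(origins)) {
            return true;
        }
        return Arrays.stream(origins).filter(Objects::nonNull).anyMatch(origin -> origin.equals(candidate.getOrigin()));
    }

    /**
     * Compares two secrets (stored and computed password encodings) in constant time so that the comparison
     * does not leak how many leading characters match; {@code null} on either side never matches.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }

    static {
        // Registers the Users entity cache under the "users" key.
        CacheFactory.add(Users.class, new EntityCache(UsersDaoServer.class, "users"));
    }
}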
