package li.strolch.privilege.handler;

import java.io.File;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.text.MessageFormat;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import li.strolch.privilege.base.AccessDeniedException;
import li.strolch.privilege.base.InvalidCredentialsException;
import li.strolch.privilege.base.NotAuthenticatedException;
import li.strolch.privilege.base.PrivilegeConflictResolution;
import li.strolch.privilege.base.PrivilegeException;
import li.strolch.privilege.base.PrivilegeModelException;
import li.strolch.privilege.helper.XmlConstants;
import li.strolch.privilege.model.Certificate;
import li.strolch.privilege.model.IPrivilege;
import li.strolch.privilege.model.PrivilegeContext;
import li.strolch.privilege.model.PrivilegeRep;
import li.strolch.privilege.model.Restrictable;
import li.strolch.privilege.model.RoleRep;
import li.strolch.privilege.model.SimpleRestrictable;
import li.strolch.privilege.model.Usage;
import li.strolch.privilege.model.UserRep;
import li.strolch.privilege.model.UserState;
import li.strolch.privilege.model.internal.PrivilegeImpl;
import li.strolch.privilege.model.internal.Role;
import li.strolch.privilege.model.internal.User;
import li.strolch.privilege.model.internal.UserChallenge;
import li.strolch.privilege.model.internal.UserHistory;
import li.strolch.privilege.policy.PrivilegePolicy;
import li.strolch.privilege.xml.CertificateStubsDomWriter;
import li.strolch.privilege.xml.CertificateStubsSaxReader;
import li.strolch.utils.collections.Tuple;
import li.strolch.utils.dbc.DBC;
import li.strolch.utils.helper.AesCryptoHelper;
import li.strolch.utils.helper.StringHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:li/strolch/privilege/handler/DefaultPrivilegeHandler.class */
public class DefaultPrivilegeHandler implements PrivilegeHandler {
    protected static final Logger logger = LoggerFactory.getLogger(DefaultPrivilegeHandler.class);
    public static final String SOURCE_UNKNOWN = "unknown";
    protected Map<String, PrivilegeContext> privilegeContextMap;
    protected Map<String, Class<PrivilegePolicy>> policyMap;
    protected PersistenceHandler persistenceHandler;
    protected EncryptionHandler encryptionHandler;
    protected PasswordStrengthHandler passwordStrengthHandler;
    protected SingleSignOnHandler ssoHandler;
    protected UserChallengeHandler userChallengeHandler;
    protected boolean initialized;
    protected boolean autoPersistOnUserChangesData;
    protected boolean persistSessions;
    protected File persistSessionsPath;
    protected SecretKey secretKey;
    protected boolean allowSessionRefresh;
    protected PrivilegeConflictResolution privilegeConflictResolution;
    private String identifier;
    private Map<String, String> parameterMap;

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public SingleSignOnHandler getSsoHandler() {
        return this.ssoHandler;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserChallengeHandler getUserChallengeHandler() {
        return this.userChallengeHandler;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public PersistenceHandler getPersistenceHandler() {
        return this.persistenceHandler;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Map<String, String> getParameterMap() {
        return this.parameterMap;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public boolean isRefreshAllowed() {
        return this.allowSessionRefresh;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public boolean isPersistOnUserDataChanged() {
        return this.autoPersistOnUserChangesData;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public EncryptionHandler getEncryptionHandler() throws PrivilegeException {
        return this.encryptionHandler;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public RoleRep getRole(Certificate certificate, String str) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_GET_ROLE);
        Role role = this.persistenceHandler.getRole(str);
        if (role == null) {
            return null;
        }
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_GET_ROLE, new Tuple((Object) null, role)));
        return role.asRoleRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep getUser(Certificate certificate, String str) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_GET_USER);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            return null;
        }
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_GET_USER, new Tuple((Object) null, user)));
        return user.asUserRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Map<String, String> getPolicyDefs(Certificate certificate) {
        validate(certificate).validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ACTION, PrivilegeHandler.PRIVILEGE_ACTION_GET_POLICIES));
        HashMap hashMap = new HashMap(this.policyMap.size());
        for (Map.Entry<String, Class<PrivilegePolicy>> entry : this.policyMap.entrySet()) {
            hashMap.put(entry.getKey(), entry.getValue().getName());
        }
        return hashMap;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public List<Certificate> getCertificates(Certificate certificate) {
        validate(certificate).validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ACTION, PrivilegeHandler.PRIVILEGE_ACTION_GET_CERTIFICATES));
        return (List) this.privilegeContextMap.values().stream().map((v0) -> {
            return v0.getCertificate();
        }).collect(Collectors.toList());
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public List<RoleRep> getRoles(Certificate certificate) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_GET_ROLE);
        return (List) this.persistenceHandler.getAllRoles().stream().filter(role -> {
            return validate.hasPrivilege(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_GET_ROLE, new Tuple((Object) null, role)));
        }).map((v0) -> {
            return v0.asRoleRep();
        }).collect(Collectors.toList());
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public List<UserRep> getUsers(Certificate certificate) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_GET_USER);
        return (List) this.persistenceHandler.getAllUsers().stream().filter(user -> {
            return validate.hasPrivilege(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_GET_USER, new Tuple((Object) null, user)));
        }).map((v0) -> {
            return v0.asUserRep();
        }).collect(Collectors.toList());
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public List<UserRep> queryUsers(Certificate certificate, UserRep userRep) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_GET_USER);
        String userId = userRep.getUserId();
        String username = userRep.getUsername();
        String firstname = userRep.getFirstname();
        String lastname = userRep.getLastname();
        UserState userState = userRep.getUserState();
        Locale locale = userRep.getLocale();
        Set<String> roles = userRep.getRoles();
        Map<String, String> properties = userRep.getProperties();
        ArrayList arrayList = new ArrayList();
        for (User user : this.persistenceHandler.getAllUsers()) {
            if (validate.hasPrivilege(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_GET_USER, new Tuple((Object) null, user)))) {
                if ((StringHelper.isEmpty(userId) || userId.equals(user.getUserId())) && (StringHelper.isEmpty(username) || username.equals(user.getUsername())) && (StringHelper.isEmpty(firstname) || firstname.equals(user.getFirstname())) && (StringHelper.isEmpty(lastname) || lastname.equals(user.getLastname())) && (userState == null || userState.equals(user.getUserState())) && (locale == null || locale.equals(user.getLocale())) && isSelectedByRole(roles, user.getRoles()) && isSelectedByProperty(properties, user.getProperties())) {
                    arrayList.add(user.asUserRep());
                }
            }
        }
        return arrayList;
    }

    private boolean isSelectedByProperty(Map<String, String> map, Map<String, String> map2) {
        if (map == null) {
            return true;
        }
        if (map.isEmpty() && map2.isEmpty()) {
            return true;
        }
        for (String str : map.keySet()) {
            String str2 = map2.get(str);
            if (str2 == null || !str2.equals(map.get(str))) {
                return false;
            }
        }
        return true;
    }

    private boolean isSelectedByRole(Set<String> set, Set<String> set2) {
        return set == null || set2.containsAll(set);
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep addUser(Certificate certificate, UserRep userRep, char[] cArr) {
        try {
            PrivilegeContext validate = validate(certificate);
            validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_ADD_USER);
            if (StringHelper.isNotEmpty(userRep.getUserId())) {
                throw new PrivilegeModelException(MessageFormat.format("UserId can not be set when adding a new user!", userRep.getUsername()));
            }
            UserRep m11clone = userRep.m11clone();
            m11clone.setUserId(StringHelper.getUniqueId());
            m11clone.validate();
            validateRolesExist(m11clone);
            if (this.persistenceHandler.getUser(m11clone.getUsername()) != null) {
                throw new PrivilegeModelException(MessageFormat.format("User {0} can not be added as it already exists!", m11clone.getUsername()));
            }
            UserHistory userHistory = new UserHistory();
            byte[] bArr = null;
            byte[] bArr2 = null;
            if (cArr != null) {
                validatePassword(certificate.getLocale(), cArr);
                bArr2 = this.encryptionHandler.nextSalt();
                bArr = this.encryptionHandler.hashPassword(cArr, bArr2);
                userHistory.setLastPasswordChange(ZonedDateTime.now());
            }
            User createUser = createUser(m11clone, userHistory, bArr, bArr2, false);
            assertNoPrivilegeConflict(createUser);
            validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ADD_USER, new Tuple((Object) null, createUser)));
            this.persistenceHandler.addUser(createUser);
            logger.info("Created new user " + createUser.getUsername());
            UserRep asUserRep = createUser.asUserRep();
            clearPassword(cArr);
            return asUserRep;
        } catch (Throwable th) {
            clearPassword(cArr);
            throw th;
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public void addOrUpdateUsers(Certificate certificate, List<UserRep> list) throws PrivilegeException {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_ADD_USER);
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        Iterator<UserRep> it = list.iterator();
        while (it.hasNext()) {
            UserRep m11clone = it.next().m11clone();
            User user = this.persistenceHandler.getUser(m11clone.getUsername());
            if (user != null) {
                if (m11clone.getUserId() == null) {
                    m11clone.setUserId(user.getUserId());
                }
                User createUser = createUser(m11clone, user.getHistory().getClone(), user.getPassword(), user.getSalt(), user.isPasswordChangeRequested());
                assertNoPrivilegeConflict(createUser);
                validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_MODIFY_USER, new Tuple(user, createUser)));
                arrayList2.add(createUser);
                logger.info("Updating existing user " + createUser.getUsername());
            } else {
                if (StringHelper.isNotEmpty(m11clone.getUserId())) {
                    throw new PrivilegeModelException(MessageFormat.format("UserId can not be set when adding a new user!", m11clone.getUsername()));
                }
                m11clone.setUserId(StringHelper.getUniqueId());
                m11clone.validate();
                validateRolesExist(m11clone);
                User createUser2 = createUser(m11clone, new UserHistory(), null, null, false);
                assertNoPrivilegeConflict(createUser2);
                validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ADD_USER, new Tuple((Object) null, createUser2)));
                arrayList.add(createUser2);
                logger.info("Creating new user " + createUser2.getUsername());
            }
        }
        arrayList.forEach(user2 -> {
            this.persistenceHandler.addUser(user2);
        });
        arrayList2.forEach(user3 -> {
            this.persistenceHandler.replaceUser(user3);
        });
        logger.info("Created " + arrayList.size() + " users");
        logger.info("Updated " + arrayList2.size() + " users");
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep replaceUser(Certificate certificate, UserRep userRep, char[] cArr) {
        try {
            PrivilegeContext validate = validate(certificate);
            validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_MODIFY_USER);
            userRep.validate();
            validateRolesExist(userRep);
            User user = this.persistenceHandler.getUser(userRep.getUsername());
            if (user == null) {
                throw new PrivilegeModelException(MessageFormat.format("User {0} can not be replaced as it does not exist!", userRep.getUsername()));
            }
            if (!user.getUserId().equals(userRep.getUserId())) {
                throw new PrivilegeModelException(MessageFormat.format(MessageFormat.format("UserId of existing user {0} does not match userRep {1}", user.getUserId(), userRep.getUserId()), userRep.getUsername()));
            }
            UserHistory clone = user.getHistory().getClone();
            byte[] bArr = null;
            byte[] bArr2 = null;
            if (cArr != null) {
                validatePassword(certificate.getLocale(), cArr);
                bArr2 = this.encryptionHandler.nextSalt();
                bArr = this.encryptionHandler.hashPassword(cArr, bArr2);
                clone.setLastPasswordChange(ZonedDateTime.now());
            }
            User createUser = createUser(userRep, clone, bArr, bArr2, user.isPasswordChangeRequested());
            assertNoPrivilegeConflict(createUser);
            validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_MODIFY_USER, new Tuple(user, createUser)));
            this.persistenceHandler.replaceUser(createUser);
            logger.info("Replaced user " + createUser.getUsername());
            UserRep asUserRep = createUser.asUserRep();
            clearPassword(cArr);
            return asUserRep;
        } catch (Throwable th) {
            clearPassword(cArr);
            throw th;
        }
    }

    private void validateRolesExist(UserRep userRep) {
        for (String str : userRep.getRoles()) {
            if (this.persistenceHandler.getRole(str) == null) {
                throw new PrivilegeModelException(MessageFormat.format("Can not add user {0} as role {1} does not exist!", userRep.getUsername(), str));
            }
        }
    }

    private User createUser(UserRep userRep, UserHistory userHistory, byte[] bArr, byte[] bArr2, boolean z) {
        return new User(userRep.getUserId(), userRep.getUsername(), bArr, bArr2, this.encryptionHandler.getAlgorithm(), this.encryptionHandler.getIterations(), this.encryptionHandler.getKeyLength(), userRep.getFirstname(), userRep.getLastname(), userRep.getUserState(), userRep.getRoles(), userRep.getLocale(), userRep.getProperties(), z, userHistory);
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep updateUser(Certificate certificate, UserRep userRep) throws PrivilegeException {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_MODIFY_USER);
        User user = this.persistenceHandler.getUser(userRep.getUsername());
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", userRep.getUsername()));
        }
        if (StringHelper.isEmpty(userRep.getFirstname()) && StringHelper.isEmpty(userRep.getLastname()) && userRep.getLocale() == null && (userRep.getProperties() == null || userRep.getProperties().isEmpty())) {
            throw new PrivilegeModelException(MessageFormat.format("All updateable fields are empty for update of user {0}", userRep.getUsername()));
        }
        String userId = user.getUserId();
        String username = user.getUsername();
        byte[] password = user.getPassword();
        byte[] salt = user.getSalt();
        String firstname = user.getFirstname();
        String lastname = user.getLastname();
        UserState userState = user.getUserState();
        Set<String> roles = user.getRoles();
        Locale locale = user.getLocale();
        Map<String, String> properties = user.getProperties();
        String hashAlgorithm = user.getHashAlgorithm();
        int hashIterations = user.getHashIterations();
        int hashKeyLength = user.getHashKeyLength();
        if (StringHelper.isNotEmpty(userRep.getFirstname())) {
            firstname = userRep.getFirstname();
        }
        if (StringHelper.isNotEmpty(userRep.getLastname())) {
            lastname = userRep.getLastname();
        }
        if (userRep.getProperties() != null && !userRep.getProperties().isEmpty()) {
            properties = userRep.getProperties();
        }
        if (userRep.getLocale() != null) {
            locale = userRep.getLocale();
        }
        if (userRep.getUserState() != null) {
            userState = userRep.getUserState();
        }
        if (userRep.getRoles() != null && !userRep.getRoles().equals(roles)) {
            roles = userRep.getRoles();
        }
        User user2 = new User(userId, username, password, salt, hashAlgorithm, hashIterations, hashKeyLength, firstname, lastname, userState, roles, locale, properties, user.isPasswordChangeRequested(), user.getHistory().getClone());
        assertNoPrivilegeConflict(user2);
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_MODIFY_USER, new Tuple(user, user2)));
        this.persistenceHandler.replaceUser(user2);
        logger.info("Updated user " + user2.getUsername());
        updateExistingSessionsForUser(user2);
        return user2.asUserRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep removeUser(Certificate certificate, String str) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_REMOVE_USER);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("Can not remove User {0} because user does not exist!", str));
        }
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_REMOVE_USER, new Tuple((Object) null, user)));
        invalidSessionsFor(user);
        this.persistenceHandler.removeUser(str);
        logger.info("Removed user " + str);
        return user.asUserRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep addRoleToUser(Certificate certificate, String str, String str2) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", str));
        }
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER, new Tuple(user, str2)));
        Set<String> roles = user.getRoles();
        if (roles.contains(str2)) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} already has role {1}", str, str2));
        }
        if (this.persistenceHandler.getRole(str2) == null) {
            throw new PrivilegeModelException(MessageFormat.format("Role {0} does not exist!", str2));
        }
        HashSet hashSet = new HashSet(roles);
        hashSet.add(str2);
        User user2 = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getSalt(), user.getHashAlgorithm(), user.getHashIterations(), user.getHashKeyLength(), user.getFirstname(), user.getLastname(), user.getUserState(), hashSet, user.getLocale(), user.getProperties(), user.isPasswordChangeRequested(), user.getHistory().getClone());
        assertNoPrivilegeConflict(user2);
        this.persistenceHandler.replaceUser(user2);
        logger.info("Added role " + str2 + " to " + user2.getUsername());
        updateExistingSessionsForUser(user2);
        return user2.asUserRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep removeRoleFromUser(Certificate certificate, String str, String str2) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", str));
        }
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER, new Tuple(user, str2)));
        Set<String> roles = user.getRoles();
        if (!roles.contains(str2)) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not have role {1}", user.getUsername(), str2));
        }
        HashSet hashSet = new HashSet(roles);
        hashSet.remove(str2);
        User user2 = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getSalt(), user.getHashAlgorithm(), user.getHashIterations(), user.getHashKeyLength(), user.getFirstname(), user.getLastname(), user.getUserState(), hashSet, user.getLocale(), user.getProperties(), user.isPasswordChangeRequested(), user.getHistory().getClone());
        this.persistenceHandler.replaceUser(user2);
        logger.info("Removed role " + str2 + " from " + user2.getUsername());
        updateExistingSessionsForUser(user2);
        return user2.asUserRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep setUserLocale(Certificate certificate, String str, Locale locale) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_SET_USER_LOCALE);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", str));
        }
        User user2 = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getSalt(), user.getHashAlgorithm(), user.getHashIterations(), user.getHashKeyLength(), user.getFirstname(), user.getLastname(), user.getUserState(), user.getRoles(), locale, user.getProperties(), user.isPasswordChangeRequested(), user.getHistory().getClone());
        if (!certificate.getUsername().equals(str)) {
            validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_SET_USER_LOCALE, new Tuple(user, user2)));
        }
        this.persistenceHandler.replaceUser(user2);
        if (this.autoPersistOnUserChangesData) {
            this.persistenceHandler.persist();
        }
        logger.info("Set locale to " + locale + " for " + user2.getUsername());
        return user2.asUserRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public void requirePasswordChange(Certificate certificate, String str) throws PrivilegeException {
        validate(certificate).assertHasPrivilege(PrivilegeHandler.PRIVILEGE_REQUIRE_PASSWORD_CHANGE);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", str));
        }
        if (user.getUserState().isRemote()) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} is remote and can not set password!", str));
        }
        User user2 = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getSalt(), user.getHashAlgorithm(), user.getHashIterations(), user.getHashKeyLength(), user.getFirstname(), user.getLastname(), user.getUserState(), user.getRoles(), user.getLocale(), user.getProperties(), true, user.getHistory().getClone());
        this.persistenceHandler.replaceUser(user2);
        if (this.autoPersistOnUserChangesData) {
            this.persistenceHandler.persist();
        }
        logger.info("Requiring user " + user2.getUsername() + " to change their password on next login.");
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public void setUserPassword(Certificate certificate, String str, char[] cArr) {
        try {
            PrivilegeContext validate = validate(certificate);
            validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD);
            User user = this.persistenceHandler.getUser(str);
            if (user == null) {
                throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", str));
            }
            UserHistory clone = user.getHistory().getClone();
            byte[] bArr = null;
            byte[] bArr2 = null;
            if (cArr != null) {
                validatePassword(certificate.getLocale(), cArr);
                bArr2 = this.encryptionHandler.nextSalt();
                bArr = this.encryptionHandler.hashPassword(cArr, bArr2);
                clone.setLastPasswordChange(ZonedDateTime.now());
            }
            User user2 = new User(user.getUserId(), user.getUsername(), bArr, bArr2, this.encryptionHandler.getAlgorithm(), this.encryptionHandler.getIterations(), this.encryptionHandler.getKeyLength(), user.getFirstname(), user.getLastname(), user.getUserState(), user.getRoles(), user.getLocale(), user.getProperties(), false, clone);
            if (!certificate.getUsername().equals(str)) {
                validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD, new Tuple(user, user2)));
            }
            this.persistenceHandler.replaceUser(user2);
            if (this.autoPersistOnUserChangesData) {
                this.persistenceHandler.persist();
            }
            if (certificate.getUsage() == Usage.SET_PASSWORD) {
                invalidate(certificate);
            }
            if (cArr == null) {
                logger.info("Cleared password for " + user2.getUsername());
            } else {
                logger.info("Updated password for " + user2.getUsername());
            }
        } finally {
            clearPassword(cArr);
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public UserRep setUserState(Certificate certificate, String str, UserState userState) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_SET_USER_STATE);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", str));
        }
        User user2 = new User(user.getUserId(), user.getUsername(), user.getPassword(), user.getSalt(), user.getHashAlgorithm(), user.getHashIterations(), user.getHashKeyLength(), user.getFirstname(), user.getLastname(), userState, user.getRoles(), user.getLocale(), user.getProperties(), user.isPasswordChangeRequested(), user.getHistory().getClone());
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_SET_USER_STATE, new Tuple(user, user2)));
        this.persistenceHandler.replaceUser(user2);
        logger.info("Set state of user " + user2.getUsername() + " to " + userState);
        return user2.asUserRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public RoleRep addRole(Certificate certificate, RoleRep roleRep) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_ADD_ROLE);
        roleRep.validate();
        if (this.persistenceHandler.getRole(roleRep.getName()) != null) {
            throw new PrivilegeModelException(MessageFormat.format("Can not add role {0} as it already exists!", roleRep.getName()));
        }
        Role role = new Role(roleRep);
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ADD_ROLE, new Tuple((Object) null, role)));
        validatePolicies(role);
        this.persistenceHandler.addRole(role);
        logger.info("Added new role " + role.getName());
        return role.asRoleRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public RoleRep replaceRole(Certificate certificate, RoleRep roleRep) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_MODIFY_ROLE);
        roleRep.validate();
        Role role = this.persistenceHandler.getRole(roleRep.getName());
        if (role == null) {
            throw new PrivilegeModelException(MessageFormat.format("Can not replace role {0} as it does not exist!", roleRep.getName()));
        }
        Role role2 = new Role(roleRep);
        assertNoPrivilegeConflict(role2);
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_MODIFY_ROLE, new Tuple(role, role2)));
        validatePolicies(role2);
        this.persistenceHandler.replaceRole(role2);
        logger.info("Replaced role " + role2.getName());
        updateExistingSessionsWithNewRole(role2);
        return role2.asRoleRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public RoleRep removeRole(Certificate certificate, String str) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_REMOVE_ROLE);
        List<UserRep> queryUsers = queryUsers(certificate, new UserRep(null, null, null, null, null, new HashSet(Collections.singletonList(str)), null, null, null));
        if (!queryUsers.isEmpty()) {
            throw new PrivilegeModelException(MessageFormat.format("The role {0} can not be removed as the following {1} user have the role assigned: {2}", str, Integer.valueOf(queryUsers.size()), (String) queryUsers.stream().map((v0) -> {
                return v0.getUsername();
            }).collect(Collectors.joining(", "))));
        }
        Role role = this.persistenceHandler.getRole(str);
        if (role == null) {
            throw new PrivilegeModelException(MessageFormat.format("Can not remove Role {0} because role does not exist!", str));
        }
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_REMOVE_ROLE, new Tuple((Object) null, role)));
        this.persistenceHandler.removeRole(str);
        logger.info("Removed role " + str);
        return role.asRoleRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public RoleRep addOrReplacePrivilegeOnRole(Certificate certificate, String str, PrivilegeRep privilegeRep) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_MODIFY_ROLE);
        privilegeRep.validate();
        Role role = this.persistenceHandler.getRole(str);
        if (role == null) {
            throw new PrivilegeModelException(MessageFormat.format("Role {0} does not exist!", str));
        }
        String policy = privilegeRep.getPolicy();
        if (policy != null && !this.policyMap.containsKey(policy)) {
            throw new PrivilegeModelException(MessageFormat.format("Policy {0} for Privilege {1} does not exist", policy, privilegeRep.getName()));
        }
        PrivilegeImpl privilegeImpl = new PrivilegeImpl(privilegeRep);
        Set<String> privilegeNames = role.getPrivilegeNames();
        HashMap hashMap = new HashMap(privilegeNames.size() + 1);
        for (String str2 : privilegeNames) {
            hashMap.put(str2, role.getPrivilege(str2));
        }
        hashMap.put(privilegeImpl.getName(), privilegeImpl);
        Role role2 = new Role(role.getName(), hashMap);
        assertNoPrivilegeConflict(role2);
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_MODIFY_ROLE, new Tuple(role, role2)));
        this.persistenceHandler.replaceRole(role2);
        logger.info("Added/replaced privilege " + privilegeRep.getName() + " to " + str);
        updateExistingSessionsWithNewRole(role2);
        return role2.asRoleRep();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public RoleRep removePrivilegeFromRole(Certificate certificate, String str, String str2) {
        PrivilegeContext validate = validate(certificate);
        validate.assertHasPrivilege(PrivilegeHandler.PRIVILEGE_MODIFY_ROLE);
        Role role = this.persistenceHandler.getRole(str);
        if (role == null) {
            throw new PrivilegeModelException(MessageFormat.format("Role {0} does not exist!", str));
        }
        if (!role.hasPrivilege(str2)) {
            throw new PrivilegeModelException(MessageFormat.format("Role {0} does not have Privilege {1}", str, str2));
        }
        Set<String> privilegeNames = role.getPrivilegeNames();
        HashMap hashMap = new HashMap(privilegeNames.size() - 1);
        Iterator<String> it = privilegeNames.iterator();
        while (it.hasNext()) {
            IPrivilege privilege = role.getPrivilege(it.next());
            if (!privilege.getName().equals(str2)) {
                hashMap.put(privilege.getName(), privilege);
            }
        }
        Role role2 = new Role(role.getName(), hashMap);
        validate.validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_MODIFY_ROLE, new Tuple(role, role2)));
        this.persistenceHandler.replaceRole(role2);
        logger.info("Removed privilege " + str2 + " from " + str);
        updateExistingSessionsWithNewRole(role2);
        return role2.asRoleRep();
    }

    private void updateExistingSessionsForUser(User user) {
        synchronized (this.privilegeContextMap) {
            for (PrivilegeContext privilegeContext : new ArrayList(this.privilegeContextMap.values())) {
                if (privilegeContext.getUserRep().getUsername().equals(user.getUsername())) {
                    Certificate certificate = privilegeContext.getCertificate();
                    Certificate buildCertificate = buildCertificate(certificate.getUsage(), user, certificate.getAuthToken(), certificate.getSessionId(), certificate.getSource(), certificate.getLoginTime(), certificate.isKeepAlive());
                    this.privilegeContextMap.put(buildCertificate.getSessionId(), buildPrivilegeContext(buildCertificate, user));
                }
            }
        }
    }

    private void updateExistingSessionsWithNewRole(Role role) {
        synchronized (this.privilegeContextMap) {
            for (PrivilegeContext privilegeContext : new ArrayList(this.privilegeContextMap.values())) {
                if (privilegeContext.getUserRep().hasRole(role.getName())) {
                    User user = this.persistenceHandler.getUser(privilegeContext.getUsername());
                    if (user != null) {
                        Certificate certificate = privilegeContext.getCertificate();
                        Certificate buildCertificate = buildCertificate(certificate.getUsage(), user, certificate.getAuthToken(), certificate.getSessionId(), certificate.getSource(), certificate.getLoginTime(), certificate.isKeepAlive());
                        this.privilegeContextMap.put(buildCertificate.getSessionId(), buildPrivilegeContext(buildCertificate, user));
                    }
                }
            }
        }
    }

    private void invalidSessionsFor(User user) {
        ArrayList<PrivilegeContext> arrayList;
        synchronized (this.privilegeContextMap) {
            arrayList = new ArrayList(this.privilegeContextMap.values());
        }
        for (PrivilegeContext privilegeContext : arrayList) {
            if (privilegeContext.getUserRep().getUsername().equals(user.getUsername())) {
                invalidate(privilegeContext.getCertificate());
            }
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public void initiateChallengeFor(Usage usage, String str) {
        initiateChallengeFor(usage, str, SOURCE_UNKNOWN);
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public void initiateChallengeFor(Usage usage, String str, String str2) {
        DBC.PRE.assertNotEmpty("source must not be empty!", str2);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", str));
        }
        this.userChallengeHandler.initiateChallengeFor(usage, user, str2);
        logger.info(MessageFormat.format("Initiated Challenge for {0} with usage {1}", str, usage));
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Certificate validateChallenge(String str, String str2) throws PrivilegeException {
        return validateChallenge(str, str2, SOURCE_UNKNOWN);
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Certificate validateChallenge(String str, String str2, String str3) throws PrivilegeException {
        DBC.PRE.assertNotEmpty("source must not be empty!", str3);
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new PrivilegeModelException(MessageFormat.format("User {0} does not exist!", str));
        }
        UserChallenge validateResponse = this.userChallengeHandler.validateResponse(user, str2);
        String nextToken = this.encryptionHandler.nextToken();
        String uuid = UUID.randomUUID().toString();
        Usage usage = validateResponse.getUsage();
        Certificate buildCertificate = buildCertificate(usage, user, nextToken, uuid, validateResponse.getSource(), ZonedDateTime.now(), false);
        this.privilegeContextMap.put(uuid, buildPrivilegeContext(buildCertificate, user));
        if (!str3.equals(SOURCE_UNKNOWN) && !str3.equals(validateResponse.getSource())) {
            logger.warn("Challenge request and response source's are different: request: " + validateResponse.getSource() + " to " + str3);
        }
        persistSessions();
        logger.info(MessageFormat.format("Challenge validated for user {0} with usage {1}", str, usage));
        return buildCertificate;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Certificate authenticate(String str, char[] cArr, boolean z) {
        return authenticate(str, cArr, SOURCE_UNKNOWN, Usage.ANY, z);
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Certificate authenticate(String str, char[] cArr, String str2, Usage usage, boolean z) {
        DBC.PRE.assertNotEmpty("source must not be empty!", str2);
        try {
            if (str != null) {
                try {
                    try {
                        if (str.length() >= 2) {
                            User checkCredentialsAndUserState = checkCredentialsAndUserState(str, cArr);
                            if (checkCredentialsAndUserState.getRoles().isEmpty()) {
                                throw new InvalidCredentialsException(MessageFormat.format("User {0} does not have any roles defined!", str));
                            }
                            if (checkCredentialsAndUserState.isPasswordChangeRequested()) {
                                if (usage == Usage.SINGLE) {
                                    throw new IllegalStateException("Password change requested!");
                                }
                                usage = Usage.SET_PASSWORD;
                            }
                            String nextToken = this.encryptionHandler.nextToken();
                            String uuid = UUID.randomUUID().toString();
                            Certificate buildCertificate = buildCertificate(usage, checkCredentialsAndUserState, nextToken, uuid, str2, ZonedDateTime.now(), z);
                            this.privilegeContextMap.put(uuid, buildPrivilegeContext(buildCertificate, checkCredentialsAndUserState));
                            persistSessions();
                            if (checkCredentialsAndUserState.getHistory().isFirstLoginEmpty()) {
                                checkCredentialsAndUserState.getHistory().setFirstLogin(ZonedDateTime.now());
                            }
                            checkCredentialsAndUserState.getHistory().setLastLogin(ZonedDateTime.now());
                            this.persistenceHandler.replaceUser(checkCredentialsAndUserState);
                            if (this.autoPersistOnUserChangesData) {
                                this.persistenceHandler.persist();
                            }
                            logger.info(MessageFormat.format("User {0} authenticated: {1}", str, buildCertificate));
                            clearPassword(cArr);
                            return buildCertificate;
                        }
                    } catch (PrivilegeException e) {
                        throw e;
                    }
                } catch (RuntimeException e2) {
                    logger.error(e2.getMessage(), e2);
                    throw new PrivilegeException(MessageFormat.format("User {0} failed to authenticate: {1}", str, e2.getMessage()), e2);
                }
            }
            throw new InvalidCredentialsException(MessageFormat.format("The given username ''{0}'' is shorter than 2 characters", str));
        } catch (Throwable th) {
            clearPassword(cArr);
            throw th;
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Certificate authenticateSingleSignOn(Object obj, boolean z) throws PrivilegeException {
        return authenticateSingleSignOn(obj, SOURCE_UNKNOWN, z);
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Certificate authenticateSingleSignOn(Object obj, String str, boolean z) throws PrivilegeException {
        DBC.PRE.assertNotEmpty("source must not be empty!", str);
        if (this.ssoHandler == null) {
            throw new IllegalStateException("The SSO Handler is not configured!");
        }
        User authenticateSingleSignOn = this.ssoHandler.authenticateSingleSignOn(obj);
        DBC.PRE.assertEquals("SSO Users must have UserState.REMOTE!", UserState.REMOTE, authenticateSingleSignOn.getUserState());
        authenticateSingleSignOn.getHistory().setLastLogin(ZonedDateTime.now());
        User user = this.persistenceHandler.getUser(authenticateSingleSignOn.getUsername());
        if (user == null) {
            authenticateSingleSignOn.getHistory().setFirstLogin(ZonedDateTime.now());
            this.persistenceHandler.addUser(authenticateSingleSignOn);
        } else {
            authenticateSingleSignOn.getHistory().setFirstLogin(user.getHistory().getFirstLogin());
            this.persistenceHandler.replaceUser(authenticateSingleSignOn);
        }
        if (this.autoPersistOnUserChangesData) {
            this.persistenceHandler.persist();
        }
        String nextToken = this.encryptionHandler.nextToken();
        String uuid = UUID.randomUUID().toString();
        Certificate buildCertificate = buildCertificate(Usage.ANY, authenticateSingleSignOn, nextToken, uuid, str, ZonedDateTime.now(), z);
        this.privilegeContextMap.put(uuid, buildPrivilegeContext(buildCertificate, authenticateSingleSignOn));
        persistSessions();
        logger.info(MessageFormat.format("User {0} authenticated: {1}", authenticateSingleSignOn.getUsername(), buildCertificate));
        return buildCertificate;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public Certificate refresh(Certificate certificate, String str) throws AccessDeniedException {
        DBC.PRE.assertNotNull("certificate must not be null!", certificate);
        try {
            if (!this.allowSessionRefresh) {
                throw new AccessDeniedException("Refreshing of sessions not allowed!");
            }
            validate(certificate);
            if (!certificate.isKeepAlive()) {
                throw new AccessDeniedException("Refreshing of session not allowed!");
            }
            if (!certificate.getSource().equals(str)) {
                logger.error("Source of existing session {} is not the same as the refresh request's source {}", certificate.getSource(), str);
            }
            User user = this.persistenceHandler.getUser(certificate.getUsername());
            String nextToken = this.encryptionHandler.nextToken();
            String uuid = UUID.randomUUID().toString();
            Certificate buildCertificate = buildCertificate(certificate.getUsage(), user, nextToken, uuid, str, ZonedDateTime.now(), true);
            this.privilegeContextMap.put(uuid, buildPrivilegeContext(buildCertificate, user));
            invalidate(certificate);
            persistSessions();
            logger.info(MessageFormat.format("User {0} refreshed session: {1}", user.getUsername(), buildCertificate));
            return buildCertificate;
        } catch (PrivilegeException e) {
            throw e;
        } catch (RuntimeException e2) {
            logger.error(e2.getMessage(), e2);
            throw new PrivilegeException(MessageFormat.format("User {0} failed to refresh session: {1}", certificate.getUsername(), e2.getMessage()), e2);
        }
    }

    private Certificate buildCertificate(Usage usage, User user, String str, String str2, String str3, ZonedDateTime zonedDateTime, boolean z) {
        DBC.PRE.assertNotEmpty("source must not be empty!", str3);
        return new Certificate(usage, str2, user.getUsername(), user.getFirstname(), user.getLastname(), user.getUserState(), str, str3, zonedDateTime, z && this.allowSessionRefresh, user.getLocale(), user.getRoles(), new HashMap(user.getProperties()));
    }

    private synchronized boolean persistSessions() {
        if (!this.persistSessions) {
            return false;
        }
        List list = (List) new ArrayList(this.privilegeContextMap.values()).stream().map((v0) -> {
            return v0.getCertificate();
        }).filter(certificate -> {
            return !certificate.getUserState().isSystem();
        }).collect(Collectors.toList());
        try {
            OutputStream newOutputStream = Files.newOutputStream(this.persistSessionsPath.toPath(), new OpenOption[0]);
            try {
                OutputStream wrapEncrypt = AesCryptoHelper.wrapEncrypt(this.secretKey, newOutputStream);
                try {
                    new CertificateStubsDomWriter(list, wrapEncrypt).write();
                    wrapEncrypt.flush();
                    if (wrapEncrypt != null) {
                        wrapEncrypt.close();
                    }
                    if (newOutputStream != null) {
                        newOutputStream.close();
                    }
                    return true;
                } catch (Throwable th) {
                    if (wrapEncrypt != null) {
                        try {
                            wrapEncrypt.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Exception e) {
            logger.error("Failed to persist sessions!", e);
            if (!this.persistSessionsPath.exists() || this.persistSessionsPath.delete()) {
                return true;
            }
            logger.error("Failed to delete sessions file after failing to write to it, at " + this.persistSessionsPath.getAbsolutePath());
            return true;
        }
    }

    private void loadSessions() {
        if (!this.persistSessions) {
            logger.info("Persisting of sessions not enabled, so not loading!.");
            return;
        }
        if (!this.persistSessionsPath.exists()) {
            logger.info("Sessions file does not exist");
            return;
        }
        if (!this.persistSessionsPath.isFile()) {
            throw new PrivilegeModelException("Sessions data file is not a file but exists at " + this.persistSessionsPath.getAbsolutePath());
        }
        try {
            InputStream newInputStream = Files.newInputStream(this.persistSessionsPath.toPath(), new OpenOption[0]);
            try {
                InputStream wrapDecrypt = AesCryptoHelper.wrapDecrypt(this.secretKey, newInputStream);
                try {
                    List<CertificateStubsSaxReader.CertificateStub> read = new CertificateStubsSaxReader(wrapDecrypt).read();
                    if (wrapDecrypt != null) {
                        wrapDecrypt.close();
                    }
                    if (newInputStream != null) {
                        newInputStream.close();
                    }
                    if (read.isEmpty()) {
                        logger.info("No persisted sessions exist to be loaded.");
                        return;
                    }
                    for (CertificateStubsSaxReader.CertificateStub certificateStub : read) {
                        Usage usage = certificateStub.getUsage();
                        String username = certificateStub.getUsername();
                        String sessionId = certificateStub.getSessionId();
                        String authToken = certificateStub.getAuthToken();
                        String source = certificateStub.getSource();
                        User user = this.persistenceHandler.getUser(username);
                        if (user == null) {
                            logger.error("Ignoring session data for missing user " + username);
                        } else if (user.getUserState() == UserState.DISABLED || user.getUserState() == UserState.EXPIRED) {
                            logger.error("Ignoring session data for disabled/expired user " + username);
                        } else if (user.getRoles().isEmpty()) {
                            logger.error("Ignoring session data for user " + username + " which has not roles defined!");
                        } else {
                            Certificate buildCertificate = buildCertificate(usage, user, authToken, sessionId, source, certificateStub.getLoginTime(), certificateStub.isKeepAlive());
                            buildCertificate.setLocale(certificateStub.getLocale());
                            buildCertificate.setLastAccess(certificateStub.getLastAccess());
                            this.privilegeContextMap.put(sessionId, buildPrivilegeContext(buildCertificate, user));
                        }
                    }
                    logger.info("Loaded " + this.privilegeContextMap.size() + " sessions.");
                } catch (Throwable th) {
                    if (wrapDecrypt != null) {
                        try {
                            wrapDecrypt.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Exception e) {
            logger.error("Failed to load sessions!", e);
            if (this.persistSessionsPath.delete()) {
                return;
            }
            logger.error("Failed to delete session file at " + this.persistSessionsPath.getAbsolutePath());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public synchronized User checkCredentialsAndUserState(String str, char[] cArr) throws InvalidCredentialsException, AccessDeniedException {
        if (cArr == null || cArr.length < 3) {
            throw new InvalidCredentialsException("Password is invalid!");
        }
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new InvalidCredentialsException(MessageFormat.format("There is no user defined with the username {0}", str));
        }
        if (user.getUserState() == UserState.SYSTEM) {
            throw new InvalidCredentialsException(MessageFormat.format("User {0} is a system user and may not login!", str));
        }
        if (user.getUserState() != UserState.ENABLED) {
            throw new AccessDeniedException(MessageFormat.format("User {0} does not have state {1} and can not login!", str, UserState.ENABLED));
        }
        byte[] password = user.getPassword();
        if (password == null) {
            throw new InvalidCredentialsException(MessageFormat.format("User {0} has no password and may not login!", str));
        }
        byte[] salt = user.getSalt();
        if (!Arrays.equals(salt == null ? this.encryptionHandler.hashPasswordWithoutSalt(cArr) : (user.getHashAlgorithm() == null || user.getHashIterations() == -1 || user.getHashKeyLength() == -1) ? this.encryptionHandler.hashPassword(cArr, salt) : this.encryptionHandler.hashPassword(cArr, salt, user.getHashAlgorithm(), user.getHashIterations(), user.getHashKeyLength()), password)) {
            throw new InvalidCredentialsException(MessageFormat.format("Password is incorrect for {0}", str));
        }
        if (user.getHashAlgorithm() == null || user.getHashIterations() != this.encryptionHandler.getIterations() || user.getHashKeyLength() != this.encryptionHandler.getKeyLength()) {
            logger.warn("Updating user " + str + " due to change in hashing algorithm properties ");
            byte[] nextSalt = this.encryptionHandler.nextSalt();
            User user2 = new User(user.getUserId(), user.getUsername(), this.encryptionHandler.hashPassword(cArr, nextSalt), nextSalt, this.encryptionHandler.getAlgorithm(), this.encryptionHandler.getIterations(), this.encryptionHandler.getKeyLength(), user.getFirstname(), user.getLastname(), user.getUserState(), user.getRoles(), user.getLocale(), user.getProperties(), user.isPasswordChangeRequested(), user.getHistory().getClone());
            this.persistenceHandler.replaceUser(user2);
            if (this.autoPersistOnUserChangesData) {
                this.persistenceHandler.persist();
            }
            logger.info("Updated password for " + user2.getUsername());
        }
        return user;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v55, types: [java.util.Set] */
    /* JADX WARN: Type inference failed for: r0v56, types: [java.util.Set] */
    private PrivilegeContext buildPrivilegeContext(Certificate certificate, User user) {
        HashSet hashSet;
        HashSet hashSet2;
        Set<String> roles = user.getRoles();
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        for (String str : roles) {
            Role role = this.persistenceHandler.getRole(str);
            if (role == null) {
                logger.error("Role " + str + " does not exist for user " + user.getUsername());
            } else {
                for (String str2 : role.getPrivilegeNames()) {
                    IPrivilege privilege = role.getPrivilege(str2);
                    if (privilege == null) {
                        logger.error(MessageFormat.format("The Privilege {0} does not exist for role {1}", str2, str));
                    } else if (!hashMap.containsKey(str2)) {
                        hashMap.put(str2, privilege);
                        String policy = privilege.getPolicy();
                        if (!hashMap2.containsKey(policy)) {
                            PrivilegePolicy policy2 = getPolicy(policy);
                            if (policy2 == null) {
                                logger.error(MessageFormat.format("The Policy {0} does not exist for Privilege {1}", policy, str2));
                            } else {
                                hashMap2.put(policy, policy2);
                            }
                        }
                    } else {
                        if (this.privilegeConflictResolution.isStrict()) {
                            throw new PrivilegeModelException(MessageFormat.format("User has conflicts for privilege {0} with role {1}", str2, str));
                        }
                        IPrivilege iPrivilege = (IPrivilege) hashMap.get(str2);
                        boolean z = iPrivilege.isAllAllowed() || privilege.isAllAllowed();
                        if (z) {
                            hashSet = Collections.emptySet();
                            hashSet2 = Collections.emptySet();
                        } else {
                            hashSet = new HashSet(iPrivilege.getAllowList());
                            hashSet.addAll(privilege.getAllowList());
                            hashSet2 = new HashSet(iPrivilege.getDenyList());
                            hashSet2.addAll(privilege.getDenyList());
                        }
                        hashMap.put(str2, new PrivilegeImpl(iPrivilege.getName(), iPrivilege.getPolicy(), z, hashSet2, hashSet));
                    }
                }
            }
        }
        return new PrivilegeContext(user.asUserRep(), certificate, hashMap, hashMap2);
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public boolean invalidate(Certificate certificate) {
        PrivilegeContext remove = this.privilegeContextMap.remove(certificate.getSessionId());
        if (remove != null) {
            persistSessions();
        }
        boolean z = remove != null;
        if (z) {
            logger.info(MessageFormat.format("User {0} logged out.", certificate.getUsername()));
        } else {
            logger.warn("User already logged out!");
        }
        return z;
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public PrivilegeContext validate(Certificate certificate) throws PrivilegeException {
        return validate(certificate, SOURCE_UNKNOWN);
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public void validateSystemSession(PrivilegeContext privilegeContext) throws PrivilegeException {
        if (privilegeContext == null) {
            throw new PrivilegeException("PrivilegeContext may not be null!");
        }
        if (privilegeContext.getUserRep().getUserState() != UserState.SYSTEM) {
            throw new PrivilegeException(MessageFormat.format("The PrivilegeContext's user {0} does not have expected user state {1}", privilegeContext.getUserRep().getUsername(), UserState.SYSTEM));
        }
        Certificate certificate = privilegeContext.getCertificate();
        PrivilegeContext privilegeContext2 = this.privilegeContextMap.get(certificate.getSessionId());
        if (privilegeContext2 == null) {
            throw new NotAuthenticatedException(MessageFormat.format("There is no session information for {0}", certificate));
        }
        if (privilegeContext != privilegeContext2) {
            throw new PrivilegeException(MessageFormat.format("The given PrivilegeContext {0} is not the same as registered under the sessionId {1}", privilegeContext.getCertificate().getSessionId(), privilegeContext2.getCertificate().getSessionId()));
        }
        if (!privilegeContext2.getCertificate().equals(certificate)) {
            throw new PrivilegeException(MessageFormat.format("Received illegal certificate for session id {0}", certificate.getSessionId()));
        }
        certificate.setLastAccess(ZonedDateTime.now());
        if (!certificate.getSource().equals(this.identifier)) {
            throw new IllegalStateException("Source has changed for certificate " + certificate + " to " + certificate.getSource());
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public PrivilegeContext validate(Certificate certificate, String str) throws PrivilegeException {
        DBC.PRE.assertNotEmpty("source must not be empty!", str);
        if (certificate == null) {
            throw new PrivilegeException("Certificate may not be null!");
        }
        PrivilegeContext privilegeContext = this.privilegeContextMap.get(certificate.getSessionId());
        if (privilegeContext == null) {
            throw new NotAuthenticatedException(MessageFormat.format("There is no session information for {0}", certificate));
        }
        Certificate certificate2 = privilegeContext.getCertificate();
        if (!certificate2.equals(certificate)) {
            throw new PrivilegeException(MessageFormat.format("Received illegal certificate for session id {0}", certificate.getSessionId()));
        }
        if (certificate2.getUsage() == Usage.ANY || !certificate2.getLoginTime().plusHours(1L).isBefore(ZonedDateTime.now())) {
            certificate.setLastAccess(ZonedDateTime.now());
            return privilegeContext;
        }
        invalidate(certificate2);
        throw new NotAuthenticatedException("Certificate has already expired!");
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public void validatePassword(Locale locale, char[] cArr) throws PrivilegeException {
        if (!this.passwordStrengthHandler.validateStrength(cArr)) {
            throw new PrivilegeException(this.passwordStrengthHandler.getDescription(locale));
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public boolean persist(Certificate certificate) {
        validate(certificate).validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ACTION, PrivilegeHandler.PRIVILEGE_ACTION_PERSIST));
        return this.persistenceHandler.persist();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public boolean persistSessions(Certificate certificate, String str) {
        validate(certificate).validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ACTION, PrivilegeHandler.PRIVILEGE_ACTION_PERSIST_SESSIONS));
        return persistSessions();
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public boolean reload(Certificate certificate, String str) {
        validate(certificate, str).validateAction(new SimpleRestrictable(PrivilegeHandler.PRIVILEGE_ACTION, PrivilegeHandler.PRIVILEGE_ACTION_RELOAD));
        return this.persistenceHandler.reload();
    }

    public synchronized void initialize(Map<String, String> map, EncryptionHandler encryptionHandler, PasswordStrengthHandler passwordStrengthHandler, PersistenceHandler persistenceHandler, UserChallengeHandler userChallengeHandler, SingleSignOnHandler singleSignOnHandler, Map<String, Class<PrivilegePolicy>> map2) {
        if (this.initialized) {
            throw new PrivilegeModelException("Already initialized!");
        }
        this.policyMap = map2;
        this.encryptionHandler = encryptionHandler;
        this.passwordStrengthHandler = passwordStrengthHandler;
        this.persistenceHandler = persistenceHandler;
        this.userChallengeHandler = userChallengeHandler;
        this.ssoHandler = singleSignOnHandler;
        handleAutoPersistOnUserDataChange(map);
        handlePersistSessionsParam(map);
        handleConflictResolutionParam(map);
        handleSecretParams(map);
        this.allowSessionRefresh = Boolean.parseBoolean(map.get(PrivilegeHandler.PARAM_ALLOW_SESSION_REFRESH));
        Iterator<Role> it = persistenceHandler.getAllRoles().iterator();
        while (it.hasNext()) {
            validatePolicies(it.next());
        }
        validatePrivilegeConflicts();
        this.privilegeContextMap = Collections.synchronizedMap(new HashMap());
        loadSessions();
        this.parameterMap = map;
        this.initialized = true;
    }

    private void handleAutoPersistOnUserDataChange(Map<String, String> map) {
        String str = map.get(PrivilegeHandler.PARAM_AUTO_PERSIST_ON_USER_CHANGES_DATA);
        if (StringHelper.isEmpty(str) || str.equals(Boolean.FALSE.toString())) {
            this.autoPersistOnUserChangesData = false;
        } else if (str.equals(Boolean.TRUE.toString())) {
            this.autoPersistOnUserChangesData = true;
            logger.info("Enabling automatic persistence when user changes their data.");
        } else {
            logger.error(MessageFormat.format("Parameter {0} has illegal value {1}. Overriding with {2}", PrivilegeHandler.PARAM_AUTO_PERSIST_ON_USER_CHANGES_DATA, str, Boolean.FALSE));
            this.autoPersistOnUserChangesData = false;
        }
    }

    private void handlePersistSessionsParam(Map<String, String> map) {
        String str = map.get(PrivilegeHandler.PARAM_PERSIST_SESSIONS);
        if (StringHelper.isEmpty(str) || str.equals(Boolean.FALSE.toString())) {
            this.persistSessions = false;
            return;
        }
        if (!str.equals(Boolean.TRUE.toString())) {
            logger.error(MessageFormat.format("Parameter {0} has illegal value {1}. Overriding with {2}", PrivilegeHandler.PARAM_PERSIST_SESSIONS, str, Boolean.FALSE));
            this.persistSessions = false;
            return;
        }
        this.persistSessions = true;
        String str2 = map.get(PrivilegeHandler.PARAM_PERSIST_SESSIONS_PATH);
        if (StringHelper.isEmpty(str2)) {
            throw new PrivilegeModelException(MessageFormat.format("Parameter {0} has illegal value {1}.", PrivilegeHandler.PARAM_PERSIST_SESSIONS_PATH, str2));
        }
        File file = new File(str2);
        if (!file.getParentFile().isDirectory()) {
            throw new PrivilegeModelException(MessageFormat.format("Path for param {0} is invalid as parent does not exist or is not a directory. Value: {1}", PrivilegeHandler.PARAM_PERSIST_SESSIONS_PATH, file.getAbsolutePath()));
        }
        if (file.exists() && (!file.isFile() || !file.canWrite())) {
            throw new PrivilegeModelException(MessageFormat.format("Path for param {0} is invalid as file exists but is not a file or not writeable. Value: {1}", PrivilegeHandler.PARAM_PERSIST_SESSIONS_PATH, file.getAbsolutePath()));
        }
        this.persistSessionsPath = file;
        logger.info(MessageFormat.format("Enabling persistence of sessions to {0}", this.persistSessionsPath.getAbsolutePath()));
    }

    private void handleConflictResolutionParam(Map<String, String> map) {
        String str = map.get(PrivilegeHandler.PARAM_PRIVILEGE_CONFLICT_RESOLUTION);
        if (str == null) {
            this.privilegeConflictResolution = PrivilegeConflictResolution.STRICT;
            logger.info(MessageFormat.format("No {0} parameter defined. Using {1}", PrivilegeHandler.PARAM_PRIVILEGE_CONFLICT_RESOLUTION, this.privilegeConflictResolution));
        } else {
            try {
                this.privilegeConflictResolution = PrivilegeConflictResolution.valueOf(str);
            } catch (Exception e) {
                throw new PrivilegeModelException(MessageFormat.format("Parameter {0} has illegal value {1}.", PrivilegeHandler.PARAM_PRIVILEGE_CONFLICT_RESOLUTION, str));
            }
        }
        logger.info("Privilege conflict resolution set to " + this.privilegeConflictResolution);
    }

    private void handleSecretParams(Map<String, String> map) {
        String str = map.get(PrivilegeHandler.PARAM_SECRET_KEY);
        if (StringHelper.isEmpty(str)) {
            throw new PrivilegeModelException(MessageFormat.format("Parameter {0} may not be empty", PrivilegeHandler.PARAM_SECRET_KEY, PrivilegeHandler.PARAM_PRIVILEGE_CONFLICT_RESOLUTION));
        }
        String str2 = map.get(PrivilegeHandler.PARAM_SECRET_SALT);
        if (StringHelper.isEmpty(str2)) {
            throw new PrivilegeModelException(MessageFormat.format("Parameter {0} may not be empty", PrivilegeHandler.PARAM_SECRET_SALT, PrivilegeHandler.PARAM_PRIVILEGE_CONFLICT_RESOLUTION));
        }
        this.secretKey = AesCryptoHelper.buildSecret(str.toCharArray(), str2.getBytes());
        this.identifier = Base64.getEncoder().encodeToString(AesCryptoHelper.encrypt(this.secretKey, XmlConstants.XML_HANDLER_PRIVILEGE.getBytes()));
        map.remove(PrivilegeHandler.PARAM_SECRET_KEY);
        map.remove(PrivilegeHandler.PARAM_SECRET_SALT);
    }

    private void validatePrivilegeConflicts() {
        if (this.privilegeConflictResolution.isStrict()) {
            ArrayList arrayList = new ArrayList();
            Iterator<User> it = this.persistenceHandler.getAllUsers().iterator();
            while (it.hasNext()) {
                arrayList.addAll(detectPrivilegeConflicts(new HashMap(), it.next()));
            }
            if (arrayList.isEmpty()) {
                return;
            }
            Iterator it2 = arrayList.iterator();
            while (it2.hasNext()) {
                logger.error((String) it2.next());
            }
            throw new PrivilegeModelException("There are " + arrayList.size() + " privilege conflicts!");
        }
    }

    private void assertNoPrivilegeConflict(User user) {
        if (this.privilegeConflictResolution.isStrict()) {
            List<String> detectPrivilegeConflicts = detectPrivilegeConflicts(new HashMap(), user);
            if (!detectPrivilegeConflicts.isEmpty()) {
                throw new PrivilegeModelException(String.join("\n", detectPrivilegeConflicts));
            }
        }
    }

    private void assertNoPrivilegeConflict(Role role) {
        if (this.privilegeConflictResolution.isStrict()) {
            HashMap hashMap = new HashMap();
            Iterator<String> it = role.getPrivilegeNames().iterator();
            while (it.hasNext()) {
                hashMap.put(it.next(), role.getName());
            }
            ArrayList arrayList = new ArrayList();
            for (User user : this.persistenceHandler.getAllUsers()) {
                if (user.hasRole(role.getName())) {
                    arrayList.addAll(detectPrivilegeConflicts(hashMap, user));
                }
            }
            if (!arrayList.isEmpty()) {
                throw new PrivilegeModelException(String.join("\n", arrayList));
            }
        }
    }

    private List<String> detectPrivilegeConflicts(Map<String, String> map, User user) {
        ArrayList arrayList = new ArrayList();
        for (String str : user.getRoles()) {
            for (String str2 : this.persistenceHandler.getRole(str).getPrivilegeNames()) {
                String str3 = map.get(str2);
                if (str3 == null) {
                    map.put(str2, str);
                } else if (!str3.equals(str)) {
                    arrayList.add(MessageFormat.format("User {0} has conflicts for privilege {1} on roles {2} and {3}", user.getUsername(), str2, str3, str));
                }
            }
        }
        return arrayList;
    }

    private void validatePolicies(Role role) {
        Iterator<String> it = role.getPrivilegeNames().iterator();
        while (it.hasNext()) {
            IPrivilege privilege = role.getPrivilege(it.next());
            String policy = privilege.getPolicy();
            if (policy != null && !this.policyMap.containsKey(policy)) {
                throw new PrivilegeModelException(MessageFormat.format("Policy {0} for Privilege {1} does not exist on role {2}", policy, privilege.getName(), role));
            }
        }
    }

    private void clearPassword(char[] cArr) {
        if (cArr != null) {
            Arrays.fill(cArr, (char) 0);
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public void runAs(String str, SystemAction systemAction) throws Exception {
        PrivilegeContext initiateSystemPrivilege = initiateSystemPrivilege(str, systemAction);
        String sessionId = initiateSystemPrivilege.getCertificate().getSessionId();
        try {
            systemAction.execute(initiateSystemPrivilege);
            this.privilegeContextMap.remove(sessionId);
        } catch (Throwable th) {
            this.privilegeContextMap.remove(sessionId);
            throw th;
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public <T> T runWithResult(String str, SystemActionWithResult<T> systemActionWithResult) throws Exception {
        PrivilegeContext initiateSystemPrivilege = initiateSystemPrivilege(str, systemActionWithResult);
        String sessionId = initiateSystemPrivilege.getCertificate().getSessionId();
        try {
            T execute = systemActionWithResult.execute(initiateSystemPrivilege);
            this.privilegeContextMap.remove(sessionId);
            return execute;
        } catch (Throwable th) {
            this.privilegeContextMap.remove(sessionId);
            throw th;
        }
    }

    @Override // li.strolch.privilege.handler.PrivilegeHandler
    public PrivilegeContext openSystemUserContext(String str) throws PrivilegeException {
        PrivilegeContext systemUserPrivilegeContext = getSystemUserPrivilegeContext(str);
        this.privilegeContextMap.put(systemUserPrivilegeContext.getCertificate().getSessionId(), systemUserPrivilegeContext);
        return systemUserPrivilegeContext;
    }

    private PrivilegeContext initiateSystemPrivilege(String str, Restrictable restrictable) {
        if (str == null) {
            throw new PrivilegeException("systemUsername may not be null!");
        }
        if (restrictable == null) {
            throw new PrivilegeException("action may not be null!");
        }
        PrivilegeContext systemUserPrivilegeContext = getSystemUserPrivilegeContext(str);
        systemUserPrivilegeContext.validateAction(restrictable);
        this.privilegeContextMap.put(systemUserPrivilegeContext.getCertificate().getSessionId(), systemUserPrivilegeContext);
        return systemUserPrivilegeContext;
    }

    private PrivilegeContext getSystemUserPrivilegeContext(String str) {
        User user = this.persistenceHandler.getUser(str);
        if (user == null) {
            throw new AccessDeniedException(MessageFormat.format("The system user with username {0} does not exist!", str));
        }
        if (user.getPassword() != null) {
            throw new AccessDeniedException(MessageFormat.format("System users must not have a password: {0}", user.getUsername()));
        }
        if (user.getUserState() != UserState.SYSTEM) {
            throw new PrivilegeException(MessageFormat.format("The system {0} user does not have expected user state {1}", user.getUsername(), UserState.SYSTEM));
        }
        if (user.getRoles().isEmpty()) {
            throw new PrivilegeException(MessageFormat.format("The system user {0} does not have any roles defined!", user.getUsername()));
        }
        Certificate buildCertificate = buildCertificate(Usage.ANY, user, this.encryptionHandler.nextToken(), UUID.randomUUID().toString(), this.identifier, ZonedDateTime.now(), false);
        PrivilegeContext buildPrivilegeContext = buildPrivilegeContext(buildCertificate, user);
        if (logger.isDebugEnabled()) {
            logger.info(MessageFormat.format("The system user ''{0}'' is logged in with session {1}", user.getUsername(), buildCertificate.getSessionId()));
        }
        return buildPrivilegeContext;
    }

    private PrivilegePolicy getPolicy(String str) {
        Class<PrivilegePolicy> cls = this.policyMap.get(str);
        if (cls == null) {
            return null;
        }
        try {
            return cls.getConstructor(new Class[0]).newInstance(new Object[0]);
        } catch (Exception e) {
            throw new PrivilegeModelException(MessageFormat.format("The class for the policy with the name {0} does not exist!{1}", str, str), e);
        }
    }
}
