package tv.hd3g.authkit.mod.service;

import de.mkammerer.argon2.Argon2;
import de.mkammerer.argon2.Argon2Factory;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.time.Duration;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import tv.hd3g.authkit.mod.component.AuthKitEndpointsListener;
import tv.hd3g.authkit.mod.controller.ControllerLogin;
import tv.hd3g.authkit.mod.dto.ExternalAuthUserDto;
import tv.hd3g.authkit.mod.dto.LoginRequestContentDto;
import tv.hd3g.authkit.mod.dto.Password;
import tv.hd3g.authkit.mod.dto.SetupTOTPTokenDto;
import tv.hd3g.authkit.mod.dto.ressource.GroupOrRoleDto;
import tv.hd3g.authkit.mod.dto.ressource.UserDto;
import tv.hd3g.authkit.mod.dto.ressource.UserPrivacyDto;
import tv.hd3g.authkit.mod.dto.validated.AddGroupOrRoleDto;
import tv.hd3g.authkit.mod.dto.validated.AddUserDto;
import tv.hd3g.authkit.mod.dto.validated.LoginFormDto;
import tv.hd3g.authkit.mod.dto.validated.RenameGroupOrRoleDto;
import tv.hd3g.authkit.mod.dto.validated.TOTPLogonCodeFormDto;
import tv.hd3g.authkit.mod.dto.validated.ValidationSetupTOTPDto;
import tv.hd3g.authkit.mod.dto.validated.ValidationTOTPDto;
import tv.hd3g.authkit.mod.entity.Credential;
import tv.hd3g.authkit.mod.entity.Group;
import tv.hd3g.authkit.mod.entity.Role;
import tv.hd3g.authkit.mod.entity.RoleRight;
import tv.hd3g.authkit.mod.entity.RoleRightContext;
import tv.hd3g.authkit.mod.entity.User;
import tv.hd3g.authkit.mod.entity.Userprivacy;
import tv.hd3g.authkit.mod.exception.AuthKitException;
import tv.hd3g.authkit.mod.exception.BlockedUserException;
import tv.hd3g.authkit.mod.exception.NotAcceptableSecuredTokenException;
import tv.hd3g.authkit.mod.exception.PasswordComplexityException;
import tv.hd3g.authkit.mod.exception.ResetWithSamePasswordException;
import tv.hd3g.authkit.mod.exception.UserCantLoginException;
import tv.hd3g.authkit.mod.repository.CredentialRepository;
import tv.hd3g.authkit.mod.repository.GroupRepository;
import tv.hd3g.authkit.mod.repository.RoleRepository;
import tv.hd3g.authkit.mod.repository.RoleRightContextRepository;
import tv.hd3g.authkit.mod.repository.RoleRightRepository;
import tv.hd3g.authkit.mod.repository.UserDao;
import tv.hd3g.authkit.mod.repository.UserPrivacyRepository;
import tv.hd3g.authkit.mod.repository.UserRepository;
import tv.hd3g.authkit.mod.service.AuditReportService;
import tv.hd3g.authkit.mod.service.ValidPasswordPolicyService;
import tv.hd3g.authkit.utility.LogSanitizer;

@Transactional(readOnly = false)
@Service
/* loaded from: input_file:tv/hd3g/authkit/mod/service/AuthenticationServiceImpl.class */
public class AuthenticationServiceImpl implements AuthenticationService {
    private static final Logger log = LoggerFactory.getLogger(AuthenticationServiceImpl.class);
    private static final Argon2 ARGON2 = Argon2Factory.create();
    private static final String MSG_CANT_FOUND_CREDENTIAL_FOR_USER = "Can't found Credential for user ";

    @Autowired
    private SecuredTokenService tokenService;

    @Autowired
    private CredentialRepository credentialRepository;

    @Autowired
    private AuditReportService auditReportService;

    @Autowired
    private CipherService cipherService;

    @Autowired
    private TOTPService totpService;

    @Autowired
    private AuthKitEndpointsListener authKitEndpointsListener;

    @Autowired
    private UserRepository userRepository;

    @Autowired
    private GroupRepository groupRepository;

    @Autowired
    private RoleRepository roleRepository;

    @Autowired
    private RoleRightRepository roleRightRepository;

    @Autowired
    private RoleRightContextRepository roleRightContextRepository;

    @Autowired
    private UserDao userDao;

    @Autowired
    private UserPrivacyRepository userPrivacyRepository;

    @Autowired
    private ValidPasswordPolicyService validPasswordPolicy;

    @Autowired
    private ExternalAuthClientService externalAuthClientService;

    @Autowired
    private CookieService cookieService;

    @Value("${authkit.realm:default}")
    private String realm;

    @Value("${authkit.longSessionDuration:24h}")
    private Duration longSessionDuration;

    @Value("${authkit.shortSessionDuration:10m}")
    private Duration shortSessionDuration;

    @Value("${authkit.maxLogonTrial:10}")
    private short maxLogonTrial;

    @Value("${authkit.argon2.iterations:10}")
    private int iterations;

    @Value("${authkit.argon2.memory:2048}")
    private int memory;

    @Value("${authkit.argon2.parallelism:2}")
    private int parallelism;

    private User getUserByUUID(String str) {
        return (User) Optional.ofNullable(this.userRepository.getByUUID(str)).orElseThrow(() -> {
            return new AuthKitException("Can't found User " + str);
        });
    }

    private Group getGroupByName(String str) {
        return (Group) Optional.ofNullable(this.groupRepository.getByName(str)).orElseThrow(() -> {
            return new AuthKitException("Can't found group \"" + str + "\"");
        });
    }

    private Role getRoleByName(String str) {
        return (Role) Optional.ofNullable(this.roleRepository.getByName(str)).orElseThrow(() -> {
            return new AuthKitException("Can't found role \"" + str + "\"");
        });
    }

    private RoleRight getRoleRight(String str, String str2) {
        return (RoleRight) Optional.ofNullable(this.roleRightRepository.getRoleRight(str, str2)).orElseThrow(() -> {
            return new AuthKitException("Can't found role right \"" + str + ":" + str2 + "\"");
        });
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public Optional<AuditReportService.RejectLoginCause> checkPassword(Password password, Credential credential) {
        if (password == null) {
            return Optional.ofNullable(AuditReportService.RejectLoginCause.MISSING_PASSWORD);
        }
        if (password.length() == 0) {
            return Optional.ofNullable(AuditReportService.RejectLoginCause.EMPTY_PASSWORD);
        }
        if (credential.getLdapdomain() != null) {
            try {
                this.externalAuthClientService.logonUser(credential.getLogin(), password, credential.getLdapdomain());
            } catch (UserCantLoginException e) {
                return Optional.ofNullable(AuditReportService.RejectLoginCause.INVALID_PASSWORD);
            }
        } else {
            if (!password.verify(ARGON2, this.cipherService.unCipherToString(credential.getPasswordhash()))) {
                return Optional.ofNullable(AuditReportService.RejectLoginCause.INVALID_PASSWORD);
            }
        }
        return Optional.empty();
    }

    private void checkLoginUserIsEnabled(HttpServletRequest httpServletRequest, Credential credential, String str) throws UserCantLoginException.DisabledUserCantLoginException {
        if (credential.isEnabled()) {
            return;
        }
        this.auditReportService.onRejectLogin(httpServletRequest, AuditReportService.RejectLoginCause.DISABLED_LOGIN, this.realm, str);
        throw new UserCantLoginException.DisabledUserCantLoginException();
    }

    private void checkLoginUserMustchangepassword(Credential credential, String str) throws UserCantLoginException.UserMustChangePasswordException {
        if (credential.isMustchangepassword()) {
            throw new UserCantLoginException.UserMustChangePasswordException(str);
        }
    }

    private void checkLoginUserBlocked(Credential credential) throws UserCantLoginException.BlockedUserCantLoginException {
        if (credential.getLogontrial() >= this.maxLogonTrial) {
            throw new UserCantLoginException.BlockedUserCantLoginException();
        }
    }

    private void checkLoginUserNoCredential(HttpServletRequest httpServletRequest, Credential credential, String str) throws UserCantLoginException.UnknownUserCantLoginException {
        if (credential == null) {
            this.auditReportService.onRejectLogin(httpServletRequest, AuditReportService.RejectLoginCause.USER_NOT_FOUND, this.realm, str);
            throw new UserCantLoginException.UnknownUserCantLoginException();
        }
    }

    private void checkPasswordDuringLogin(HttpServletRequest httpServletRequest, LoginFormDto loginFormDto, Credential credential) throws UserCantLoginException.NoPasswordUserCantLoginException, UserCantLoginException.BadPasswordUserCantLoginException {
        Optional<AuditReportService.RejectLoginCause> checkPassword = checkPassword(loginFormDto.getUserpassword(), credential);
        if (checkPassword.isPresent()) {
            this.auditReportService.onRejectLogin(httpServletRequest, checkPassword.get(), this.realm, loginFormDto.getUserlogin());
            if (checkPassword.get().isNoPasswordUser()) {
                throw new UserCantLoginException.NoPasswordUserCantLoginException();
            }
            credential.setLogontrial(credential.getLogontrial() + 1);
            this.credentialRepository.save(credential);
            throw new UserCantLoginException.BadPasswordUserCantLoginException();
        }
    }

    private Credential importLDAPUserFirstTime(HttpServletRequest httpServletRequest, LoginFormDto loginFormDto) throws UserCantLoginException.UnknownUserCantLoginException {
        try {
            if (!this.externalAuthClientService.isIPAllowedToCreateUserAccount(InetAddress.getByName(AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest)))) {
                throw new UserCantLoginException.UnknownUserCantLoginException();
            }
            ExternalAuthUserDto logonUser = this.externalAuthClientService.logonUser(loginFormDto.getUserlogin(), loginFormDto.getUserpassword());
            return this.credentialRepository.getByUserUUID(this.userDao.addLDAPUserCredential(logonUser.getLogin(), logonUser.getDomain(), this.realm).toString());
        } catch (UnknownHostException | UserCantLoginException e) {
            this.auditReportService.onRejectLogin(httpServletRequest, AuditReportService.RejectLoginCause.USER_NOT_FOUND, this.realm, loginFormDto.getUserlogin());
            throw new UserCantLoginException.UnknownUserCantLoginException();
        }
    }

    private void ldapLogon(HttpServletRequest httpServletRequest, LoginFormDto loginFormDto, Credential credential, User user) throws UserCantLoginException.UnknownUserCantLoginException {
        try {
            ExternalAuthUserDto logonUser = this.externalAuthClientService.logonUser(credential.getLogin(), loginFormDto.getUserpassword(), credential.getLdapdomain());
            setUserPrivacy(user.getUuid(), new UserPrivacyDto(logonUser));
            Set set = (Set) user.getGroups().stream().map((v0) -> {
                return v0.getName();
            }).distinct().collect(Collectors.toUnmodifiableSet());
            logonUser.getGroups().forEach(str -> {
                if (set.contains(str)) {
                    return;
                }
                Group byName = this.groupRepository.getByName(str);
                if (byName == null) {
                    Group group = new Group(str);
                    group.setDescription("Imported from LDAP");
                    byName = (Group) this.groupRepository.save(group);
                    log.info("Create group \"{}\" from LDAP query", str);
                }
                user.getGroups().add(byName);
            });
        } catch (UserCantLoginException e) {
            this.auditReportService.onRejectLogin(httpServletRequest, AuditReportService.RejectLoginCause.USER_NOT_FOUND, this.realm, credential.getLogin());
            throw new UserCantLoginException.UnknownUserCantLoginException();
        }
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    @Transactional(readOnly = false)
    public void setupTOTPWithChecks(ValidationSetupTOTPDto validationSetupTOTPDto, String str) {
        try {
            SetupTOTPTokenDto setupTOTPTokenDto = this.tokenService.setupTOTPExtractToken(validationSetupTOTPDto.getControlToken());
            if (!str.equalsIgnoreCase(setupTOTPTokenDto.getUserUUID())) {
                throw new AuthKitException("You can't use this token for this user");
            }
            if (!this.totpService.isCodeIsValid(TOTPServiceImpl.base32.decode(setupTOTPTokenDto.getSecret()), validationSetupTOTPDto.getTwoauthcode())) {
                throw new AuthKitException("Invalid code");
            }
            Optional<AuditReportService.RejectLoginCause> checkPassword = checkPassword(validationSetupTOTPDto.getCurrentpassword(), this.credentialRepository.getByUserUUID(str));
            if (checkPassword.isPresent()) {
                throw new AuthKitException(401, "Can't accept demand, bad password ; " + checkPassword.get().toString());
            }
            this.totpService.setupTOTP(setupTOTPTokenDto.getSecret(), setupTOTPTokenDto.getBackupCodes(), str);
        } catch (NotAcceptableSecuredTokenException e) {
            log.error("Invalid token", e);
            throw new AuthKitException("You can't use this token");
        }
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    @Transactional(readOnly = true)
    public void checkCodeAndPassword(Credential credential, ValidationTOTPDto validationTOTPDto) {
        Optional<AuditReportService.RejectLoginCause> checkPassword = checkPassword(validationTOTPDto.getCurrentpassword(), credential);
        if (checkPassword.isPresent()) {
            throw new AuthKitException(401, "Invalid password: " + checkPassword.get());
        }
        try {
            this.totpService.checkCode(credential, validationTOTPDto.getTwoauthcode());
        } catch (UserCantLoginException.BadTOTPCodeCantLoginException e) {
            throw new AuthKitException(401, "Invalid 2auth code");
        }
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public LoginRequestContentDto userLoginRequest(HttpServletRequest httpServletRequest, LoginFormDto loginFormDto) throws UserCantLoginException {
        Credential fromRealmLogin = this.credentialRepository.getFromRealmLogin(this.realm, loginFormDto.getUserlogin());
        if (fromRealmLogin == null && this.externalAuthClientService.isAvailable()) {
            fromRealmLogin = importLDAPUserFirstTime(httpServletRequest, loginFormDto);
        }
        checkLoginUserNoCredential(httpServletRequest, fromRealmLogin, loginFormDto.getUserlogin());
        checkLoginUserBlocked(fromRealmLogin);
        User user = fromRealmLogin.getUser();
        checkLoginUserIsEnabled(httpServletRequest, fromRealmLogin, loginFormDto.getUserlogin());
        if (fromRealmLogin.getLdapdomain() != null) {
            ldapLogon(httpServletRequest, loginFormDto, fromRealmLogin, user);
        } else {
            checkPasswordDuringLogin(httpServletRequest, loginFormDto, fromRealmLogin);
        }
        String uuid = user.getUuid();
        checkLoginUserMustchangepassword(fromRealmLogin, uuid);
        if (fromRealmLogin.getTotpkey() != null) {
            throw new UserCantLoginException.TOTPUserCantLoginException(uuid);
        }
        return prepareSessionToken(httpServletRequest, loginFormDto.isShortSessionTime(), fromRealmLogin, uuid);
    }

    private LoginRequestContentDto prepareSessionToken(HttpServletRequest httpServletRequest, boolean z, Credential credential, String str) {
        String originalRemoteAddr = AuditReportServiceImpl.getOriginalRemoteAddr(httpServletRequest);
        Set<String> copyOf = Set.copyOf(this.userDao.getRightsForUser(str, originalRemoteAddr));
        credential.setLastlogin(new Date());
        credential.setLogontrial(0);
        Duration duration = z ? this.shortSessionDuration : this.longSessionDuration;
        String loggedUserRightsGenerateToken = this.tokenService.loggedUserRightsGenerateToken(str, duration, copyOf, this.userDao.haveRightsForUserWithOnlyIP(str, originalRemoteAddr) ? originalRemoteAddr : null);
        Cookie createLogonCookie = this.cookieService.createLogonCookie(loggedUserRightsGenerateToken, duration);
        this.auditReportService.onLogin(httpServletRequest, this.longSessionDuration, copyOf);
        return new LoginRequestContentDto(loggedUserRightsGenerateToken, createLogonCookie);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public LoginRequestContentDto userLoginRequest(HttpServletRequest httpServletRequest, TOTPLogonCodeFormDto tOTPLogonCodeFormDto) throws UserCantLoginException, NotAcceptableSecuredTokenException {
        String userFormExtractTokenUUID = this.tokenService.userFormExtractTokenUUID(ControllerLogin.TOKEN_FORMNAME_ENTER_TOTP, tOTPLogonCodeFormDto.getSecuretoken());
        Credential byUserUUID = this.credentialRepository.getByUserUUID(userFormExtractTokenUUID);
        checkLoginUserNoCredential(httpServletRequest, byUserUUID, userFormExtractTokenUUID);
        checkLoginUserBlocked(byUserUUID);
        checkLoginUserIsEnabled(httpServletRequest, byUserUUID, userFormExtractTokenUUID);
        checkLoginUserMustchangepassword(byUserUUID, userFormExtractTokenUUID);
        try {
            this.totpService.checkCode(byUserUUID, tOTPLogonCodeFormDto.getCode());
            return prepareSessionToken(httpServletRequest, tOTPLogonCodeFormDto.getShorttime().booleanValue(), byUserUUID, userFormExtractTokenUUID);
        } catch (UserCantLoginException.BadTOTPCodeCantLoginException e) {
            byUserUUID.setLogontrial(byUserUUID.getLogontrial() + 1);
            this.credentialRepository.save(byUserUUID);
            throw e;
        }
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public String addUser(AddUserDto addUserDto) {
        String userLogin = addUserDto.getUserLogin();
        try {
            this.validPasswordPolicy.checkPasswordValidation(addUserDto, ValidPasswordPolicyService.PasswordValidationLevel.DEFAULT);
            if (this.credentialRepository.getFromRealmLogin(this.realm, userLogin) != null) {
                throw new AuthKitException("User \"" + addUserDto.getUserLogin() + "\" actually exists");
            }
            String uuid = this.userDao.addUserCredential(userLogin, this.cipherService.cipherFromString(addUserDto.getUserPassword().hash(cArr -> {
                return ARGON2.hash(this.iterations, this.memory, this.parallelism, cArr);
            })), this.realm).toString();
            log.info("Add user {} [{}]", userLogin, uuid);
            return uuid;
        } catch (PasswordComplexityException e) {
            throw new AuthKitException("Invalid new password: " + e.getMessage());
        }
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void removeUser(String str) {
        getUserByUUID(str);
        log.info("Remove user {}", str);
        this.userDao.deleteUser(UUID.fromString(str));
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void disableUser(String str) {
        User userByUUID = getUserByUUID(str);
        log.info("Disable user {}", str);
        Credential credential = userByUUID.getCredential();
        Objects.requireNonNull(credential, "Can't found Credential for user " + str);
        credential.setEnabled(false);
        this.credentialRepository.save(credential);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void enableUser(String str) {
        User userByUUID = getUserByUUID(str);
        log.info("Enable user {}", str);
        Credential credential = userByUUID.getCredential();
        Objects.requireNonNull(credential, "Can't found Credential for user " + str);
        credential.setEnabled(true);
        this.credentialRepository.save(credential);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void resetUserLogonTrials(String str) {
        User userByUUID = getUserByUUID(str);
        log.info("Reset user logon trials {}", str);
        Credential credential = userByUUID.getCredential();
        Objects.requireNonNull(credential, "Can't found Credential for user " + str);
        credential.setLogontrial(0);
        this.credentialRepository.save(credential);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void setUserMustChangePassword(String str) {
        User userByUUID = getUserByUUID(str);
        log.info("Switch user must change password {}", str);
        Credential credential = userByUUID.getCredential();
        Objects.requireNonNull(credential, "Can't found Credential for user " + str);
        credential.setMustchangepassword(true);
        this.credentialRepository.save(credential);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void changeUserPassword(String str, Password password) throws ResetWithSamePasswordException, BlockedUserException {
        Objects.requireNonNull(password, "No password enter");
        Credential credential = getUserByUUID(str).getCredential();
        Objects.requireNonNull(credential, "Can't found Credential for user " + str);
        if (credential.getLogontrial() >= this.maxLogonTrial) {
            throw new BlockedUserException();
        }
        try {
            this.validPasswordPolicy.checkPasswordValidation(credential.getLogin(), password, ValidPasswordPolicyService.PasswordValidationLevel.DEFAULT);
            if (password.duplicate().verify(ARGON2, this.cipherService.unCipherToString(credential.getPasswordhash()))) {
                throw new ResetWithSamePasswordException();
            }
            credential.setPasswordhash(this.cipherService.cipherFromString(password.hash(cArr -> {
                return ARGON2.hash(this.iterations, this.memory, this.parallelism, cArr);
            })));
            credential.setMustchangepassword(false);
            log.info("User change password {}", str);
            this.credentialRepository.save(credential);
        } catch (PasswordComplexityException e) {
            throw new AuthKitException("Invalid new password: " + e.getMessage());
        }
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<String> getRightsForUser(String str, String str2) {
        return this.userDao.getRightsForUser(str, str2);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<String> getContextRightsForUser(String str, String str2, String str3) {
        return this.userDao.getContextRightsForUser(str, str2, str3);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public boolean isUserEnabledAndNonBlocked(String str) {
        Credential byUserUUID = this.credentialRepository.getByUserUUID(str);
        return !(byUserUUID == null || !byUserUUID.isEnabled() || byUserUUID.isMustchangepassword() || byUserUUID.getLogontrial() >= this.maxLogonTrial);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void addGroup(AddGroupOrRoleDto addGroupOrRoleDto) {
        String name = addGroupOrRoleDto.getName();
        if (this.groupRepository.getByName(name) != null) {
            return;
        }
        Group group = new Group(name);
        group.setDescription(addGroupOrRoleDto.getDescription());
        this.groupRepository.save(group);
        log.info("Create group \"{}\"", name);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void renameGroup(RenameGroupOrRoleDto renameGroupOrRoleDto) {
        String name = renameGroupOrRoleDto.getName();
        getGroupByName(name).setName(renameGroupOrRoleDto.getNewname());
        log.info("Rename group \"{}\" to \"{}\"", name, renameGroupOrRoleDto.getNewname());
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void setGroupDescription(AddGroupOrRoleDto addGroupOrRoleDto) {
        String name = addGroupOrRoleDto.getName();
        getGroupByName(name).setDescription(addGroupOrRoleDto.getDescription());
        log.info("Change role \"" + name + "\" description to \"" + LogSanitizer.sanitize(addGroupOrRoleDto.getDescription()) + "\"");
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void addUserInGroup(String str, String str2) {
        getUserByUUID(str).getGroups().add(getGroupByName(str2));
        log.info("Add user {} in group \"{}\"", str, str2);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void removeUserInGroup(String str, String str2) {
        getUserByUUID(str).getGroups().remove(getGroupByName(str2));
        log.info("Remove user {} from group \"{}\"", str, str2);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void removeGroup(String str) {
        this.groupRepository.delete(getGroupByName(str));
        log.info("Remove group \"{}\"", str);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<GroupOrRoleDto> listAllGroups() {
        return this.groupRepository.findAll().stream().map(GroupOrRoleDto::new).toList();
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<GroupOrRoleDto> listGroupsForUser(String str) {
        return this.groupRepository.getByUserUUID(str).stream().map(GroupOrRoleDto::new).toList();
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void addRole(AddGroupOrRoleDto addGroupOrRoleDto) {
        String name = addGroupOrRoleDto.getName();
        if (this.roleRepository.getByName(name) != null) {
            return;
        }
        Role role = new Role(name);
        role.setDescription(addGroupOrRoleDto.getDescription());
        this.roleRepository.save(role);
        log.info("Create role \"{}\"", name);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void renameRole(RenameGroupOrRoleDto renameGroupOrRoleDto) {
        String name = renameGroupOrRoleDto.getName();
        getRoleByName(name).setName(renameGroupOrRoleDto.getNewname());
        log.info("Rename role \"{}\" to \"{}\"", name, renameGroupOrRoleDto.getNewname());
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void setRoleDescription(AddGroupOrRoleDto addGroupOrRoleDto) {
        String name = addGroupOrRoleDto.getName();
        getRoleByName(name).setDescription(addGroupOrRoleDto.getDescription());
        log.info("Change role \"" + name + "\" description to \"" + LogSanitizer.sanitize(addGroupOrRoleDto.getDescription()) + "\"");
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void setRoleOnlyForClient(String str, String str2) {
        try {
            String lowerCase = InetAddress.getByName(str2).getHostAddress().toLowerCase();
            this.roleRepository.getByName(str).setOnlyforclient(lowerCase);
            log.info("Change role \"{}\" IP restriction to \"{}\"", str, lowerCase);
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("Invalid IP Addr", e);
        }
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void addGroupInRole(String str, String str2) {
        getGroupByName(str).getRoles().add(getRoleByName(str2));
        log.info("Add role {} in group \"{}\"", str2, str);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void removeGroupInRole(String str, String str2) {
        getGroupByName(str).getRoles().remove(getRoleByName(str2));
        log.info("Remove role {} from group \"{}\"", str2, str);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void removeRole(String str) {
        this.roleRepository.delete(getRoleByName(str));
        log.info("Remove role \"{}\"", str);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<GroupOrRoleDto> listAllRoles() {
        return this.roleRepository.findAll().stream().map(GroupOrRoleDto::new).toList();
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<GroupOrRoleDto> listRolesForGroup(String str) {
        return this.roleRepository.getByGroupName(str).stream().map(GroupOrRoleDto::new).toList();
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void addRightInRole(String str, String str2) {
        Role roleByName = getRoleByName(str);
        if (roleByName.getRoleRights().stream().anyMatch(roleRight -> {
            return roleRight.getName().equals(str2);
        })) {
            return;
        }
        this.roleRightRepository.save(new RoleRight(str2, roleByName));
        log.info("Add right \"{}\" in role \"{}\"", str2, str);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void removeRightInRole(String str, String str2) {
        getRoleByName(str).getRoleRights().removeIf(roleRight -> {
            return roleRight.getName().equals(str2);
        });
        log.info("Remove right \"{}\" from role \"{}\"", str2, str);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public Set<String> getAllRights() {
        return this.authKitEndpointsListener.getAllRights();
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<String> listRightsForRole(String str) {
        return this.roleRightRepository.getRoleRightNamesByRoleName(str);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void addContextInRight(String str, String str2, String str3) {
        if (this.roleRightContextRepository.countContextPresenceForRightRole(str, str2, str3) > 0) {
            return;
        }
        this.roleRightContextRepository.save(new RoleRightContext(str3, getRoleRight(str, str2)));
        log.info("Add right context {} for right \"{}\" in role \"{}\"", new Object[]{str3, str2, str});
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void removeContextInRight(String str, String str2, String str3) {
        if (this.roleRightContextRepository.countContextPresenceForRightRole(str, str2, str3) == 0) {
            return;
        }
        getRoleRight(str, str2).getRoleRightContexts().removeIf(roleRightContext -> {
            return roleRightContext.getName().equals(str3);
        });
        log.info("Remove right context {} from right \"{}\" in role \"{}\"", new Object[]{str3, str2, str});
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<String> listContextsForRight(String str, String str2) {
        return this.roleRightContextRepository.listContextsForRightRole(str, str2);
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<UserDto> listLinkedUsersForGroup(String str) {
        return getGroupByName(str).getUsers().stream().map(UserDto::new).toList();
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<GroupOrRoleDto> listLinkedGroupsForRole(String str) {
        return getRoleByName(str).getGroups().stream().map(GroupOrRoleDto::new).toList();
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public List<UserPrivacyDto> getUserPrivacyList(Collection<String> collection) {
        Function function = bArr -> {
            if (bArr == null) {
                return null;
            }
            return this.cipherService.unCipherToString(bArr);
        };
        return this.userPrivacyRepository.getByUserUUID(collection).stream().map(userprivacy -> {
            return new UserPrivacyDto(userprivacy, function);
        }).toList();
    }

    @Override // tv.hd3g.authkit.mod.service.AuthenticationService
    public void setUserPrivacy(String str, UserPrivacyDto userPrivacyDto) {
        Userprivacy byUserUUID = this.userPrivacyRepository.getByUserUUID(str);
        if (byUserUUID == null) {
            byUserUUID = new Userprivacy(str);
        }
        userPrivacyDto.mergue(byUserUUID, str2 -> {
            return this.cipherService.cipherFromString(str2);
        });
        if (userPrivacyDto.getEmail() != null) {
            byUserUUID.setHashedEmail(this.cipherService.computeSHA3FromString(userPrivacyDto.getEmail()));
        }
        this.userPrivacyRepository.save(byUserUUID);
    }
}
