package sirius.biz.tenants;

import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.time.Duration;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import sirius.biz.jobs.system.SystemJobsFactory;
import sirius.biz.model.LoginData;
import sirius.biz.statistics.AggregationLevel;
import sirius.biz.statistics.StatisticalEvent;
import sirius.biz.statistics.Statistics;
import sirius.biz.web.BizController;
import sirius.db.mixing.OMA;
import sirius.kernel.cache.Cache;
import sirius.kernel.cache.CacheManager;
import sirius.kernel.commons.Explain;
import sirius.kernel.commons.Strings;
import sirius.kernel.commons.Tuple;
import sirius.kernel.commons.Value;
import sirius.kernel.di.std.Part;
import sirius.kernel.di.std.Register;
import sirius.kernel.health.Exceptions;
import sirius.kernel.settings.Extension;
import sirius.web.http.WebContext;
import sirius.web.security.GenericUserManager;
import sirius.web.security.ScopeInfo;
import sirius.web.security.UserInfo;
import sirius.web.security.UserManager;
import sirius.web.security.UserManagerFactory;
import sirius.web.security.UserSettings;

/* loaded from: input_file:sirius/biz/tenants/TenantUserManager.class */
public class TenantUserManager extends GenericUserManager {
    public static final String PERMISSION_SYSTEM_TENANT = "flag-system-tenant";
    public static final String PERMISSION_MANAGE_SYSTEM = "permission-manage-system";
    public static final String PERMISSION_SPY_USER = "flag-spy-user";
    public static final String PERMISSION_SELECT_USER_ACCOUNT = "permission-select-user-account";
    public static final String PERMISSION_SELECT_TENANT = "permission-select-tenant";
    public static final String TENANT_SPY_ID_SUFFIX = "-tenant-spy-id";
    public static final String SPY_ID_SUFFIX = "-spy-id";
    private final String systemTenant;
    private final String defaultSalt;
    private final boolean acceptApiTokens;
    private final boolean autocreateTenant;

    @Part
    private static OMA oma;

    @Part
    private static Statistics statistics;
    private static final StatisticalEvent LOGGED_IN_EVENT = StatisticalEvent.create("useraccount-login", AggregationLevel.MONTHS);
    private static Cache<String, Set<String>> rolesCache = CacheManager.createCache("tenants-roles");
    private static Cache<String, UserAccount> userAccountCache = CacheManager.createCache("tenants-users");
    private static Cache<String, Tenant> tenantsCache = CacheManager.createCache("tenants-tenants");
    private static Cache<String, Tuple<UserSettings, String>> configCache = CacheManager.createCache("tenants-configs");

    @Register(name = "tenants", framework = "biz.tenants")
    /* loaded from: input_file:sirius/biz/tenants/TenantUserManager$Factory.class */
    public static class Factory implements UserManagerFactory {
        @Nonnull
        public UserManager createManager(@Nonnull ScopeInfo scopeInfo, @Nonnull Extension extension) {
            return new TenantUserManager(scopeInfo, extension);
        }
    }

    protected TenantUserManager(ScopeInfo scopeInfo, Extension extension) {
        super(scopeInfo, extension);
        this.systemTenant = extension.get("system-tenant").asString();
        this.defaultSalt = extension.get("default-salt").asString("");
        this.acceptApiTokens = extension.get("accept-api-tokens").asBoolean(true);
        this.autocreateTenant = extension.get("autocreate-tenant").asBoolean(true);
    }

    public static void flushCacheForUserAccount(UserAccount userAccount) {
        rolesCache.remove(userAccount.getUniqueName());
        userAccountCache.remove(userAccount.getUniqueName());
        configCache.remove(userAccount.getUniqueName());
    }

    public static void flushCacheForTenant(Tenant tenant) {
        tenantsCache.remove(tenant.getIdAsString());
        configCache.remove(tenant.getUniqueName());
        configCache.removeIf(cacheEntry -> {
            return Strings.areEqual(((Tuple) cacheEntry.getValue()).getSecond(), tenant.getUniqueName());
        });
    }

    protected UserInfo findUserInSession(WebContext webContext) {
        UserInfo becomeSpyUser;
        UserInfo findUserInSession = super.findUserInSession(webContext);
        if (findUserInSession == null || this.defaultUser.equals(findUserInSession)) {
            return findUserInSession;
        }
        String asString = webContext.getSessionValue(this.scope.getScopeId() + SPY_ID_SUFFIX).asString();
        if (Strings.isFilled(asString) && (becomeSpyUser = becomeSpyUser(asString, findUserInSession)) != null) {
            return becomeSpyUser;
        }
        String asString2 = webContext.getSessionValue(this.scope.getScopeId() + TENANT_SPY_ID_SUFFIX).asString();
        return Strings.isFilled(asString2) ? createUserWithTenant(findUserInSession, asString2) : findUserInSession;
    }

    private UserInfo becomeSpyUser(String str, UserInfo userInfo) {
        UserAccount fetchAccount = fetchAccount(str, null);
        if (fetchAccount == null) {
            return null;
        }
        ArrayList newArrayList = Lists.newArrayList();
        newArrayList.add(PERMISSION_SPY_USER);
        newArrayList.add(PERMISSION_SELECT_USER_ACCOUNT);
        if (userInfo.hasPermission(PERMISSION_SYSTEM_TENANT)) {
            newArrayList.add(PERMISSION_SYSTEM_TENANT);
        }
        return asUser(fetchAccount, newArrayList);
    }

    public UserInfo createUserWithTenant(UserInfo userInfo, String str) {
        if (Strings.isEmpty(str) || Strings.areEqual(userInfo.getTenantId(), str)) {
            return userInfo;
        }
        Tenant tenant = (Tenant) tenantsCache.get(str, str2 -> {
            return (Tenant) oma.find(Tenant.class, str2).orElse(null);
        });
        if (tenant == null) {
            return userInfo;
        }
        UserAccount userAccount = (UserAccount) userInfo.getUserObject(UserAccount.class);
        UserAccount userAccount2 = new UserAccount();
        userAccount2.setId(userAccount.getId());
        userAccount2.getLogin().setUsername(userAccount.getLogin().getUsername());
        userAccount2.setEmail(userAccount.getEmail());
        userAccount2.getPermissions().setConfigString(userAccount.getPermissions().getConfigString());
        userAccount2.getPermissions().getPermissions().addAll(userAccount.getPermissions().getPermissions());
        userAccount2.getTenant().setValue(tenant);
        Set<String> computeRoles = computeRoles(userAccount2, tenant, userInfo.hasPermission(PERMISSION_SYSTEM_TENANT));
        computeRoles.add(PERMISSION_SPY_USER);
        computeRoles.add(PERMISSION_SELECT_TENANT);
        return asUserWithRoles(userAccount2, computeRoles);
    }

    public String getOriginalTenantId(WebContext webContext) {
        return webContext.getSessionValue(this.scope.getScopeId() + "-tenant-id").asString();
    }

    public void attachToSession(@Nonnull UserInfo userInfo, @Nonnull WebContext webContext) {
        if (userInfo.hasPermission(PERMISSION_SPY_USER)) {
            return;
        }
        super.attachToSession(userInfo, webContext);
    }

    public UserInfo findUserByName(@Nullable WebContext webContext, String str) {
        if (Strings.isEmpty(str)) {
            return null;
        }
        Optional<UserAccount> one = oma.select(UserAccount.class).eq(UserAccount.LOGIN.inner(LoginData.USERNAME), str.toLowerCase()).one();
        if (!one.isPresent()) {
            one = createSystemTenantIfNonExistent();
            if (!one.isPresent()) {
                return null;
            }
        }
        if (one.get().getLogin().isAccountLocked()) {
            throw Exceptions.createHandled().withNLSKey("LoginData.accountIsLocked").handle();
        }
        UserAccount fetchAccount = fetchAccount(one.get().getUniqueName(), one.get());
        if (fetchAccount == null) {
            return null;
        }
        return asUser(fetchAccount, null);
    }

    @Nullable
    public UserInfo findUserByUserId(String str) {
        UserAccount fetchAccount = fetchAccount(str, null);
        if (fetchAccount == null) {
            return null;
        }
        return asUser(fetchAccount, null);
    }

    @Nullable
    private UserAccount fetchAccount(@Nonnull String str, @Nullable UserAccount userAccount) {
        UserAccount userAccount2;
        UserAccount userAccount3 = userAccount;
        UserAccount userAccount4 = (UserAccount) userAccountCache.get(str);
        if (userAccount4 == null || (userAccount3 != null && userAccount3.getVersion() > userAccount4.getVersion())) {
            if (userAccount3 == null) {
                userAccount3 = (UserAccount) oma.resolve(str).orElse(null);
                if (userAccount3 == null) {
                    return null;
                }
            }
            userAccountCache.put(userAccount3.getUniqueName(), userAccount3);
            rolesCache.remove(userAccount3.getUniqueName());
            configCache.remove(userAccount3.getUniqueName());
            userAccount2 = userAccount3;
        } else {
            userAccount2 = userAccount4;
        }
        userAccount2.getTenant().setValue(fetchTenant(userAccount2, userAccount3));
        return userAccount2;
    }

    private Tenant fetchTenant(UserAccount userAccount, @Nullable UserAccount userAccount2) {
        Tenant tenant = (Tenant) tenantsCache.get(String.valueOf(userAccount.getTenant().getId()));
        if (tenant != null && userAccount2 == null) {
            return tenant;
        }
        Tenant tenant2 = (Tenant) oma.find(Tenant.class, userAccount.getTenant().getId()).orElseThrow(() -> {
            return new IllegalStateException(Strings.apply("Tenant %s for UserAccount %s vanished!", new Object[]{userAccount.getTenant().getId(), Long.valueOf(userAccount.getId())}));
        });
        if (tenant != null && tenant2.getVersion() <= tenant.getVersion()) {
            return tenant;
        }
        tenantsCache.put(tenant2.getIdAsString(), tenant2);
        rolesCache.remove(userAccount.getUniqueName());
        configCache.remove(userAccount.getUniqueName());
        configCache.remove(tenant2.getUniqueName());
        return tenant2;
    }

    private Optional<UserAccount> createSystemTenantIfNonExistent() {
        try {
            if (this.autocreateTenant && !oma.select(Tenant.class).exists()) {
                BizController.LOG.INFO("No tenant is present, creating system tenant....");
                Tenant tenant = new Tenant();
                tenant.setName("System Tenant");
                tenant.getTrace().setSilent(true);
                oma.update(tenant);
                BizController.LOG.INFO("No user account is present, creating system / system - Please change the password now!");
                UserAccount userAccount = new UserAccount();
                userAccount.getTenant().setValue(oma.select(Tenant.class).orderAsc(Tenant.ID).queryFirst());
                userAccount.setEmail("system@localhost.local");
                userAccount.getLogin().setUsername(SystemJobsFactory.SYSTEM);
                userAccount.getLogin().setCleartextPassword(SystemJobsFactory.SYSTEM);
                userAccount.getTrace().setSilent(true);
                userAccount.getPermissions().getPermissions().add("administrator");
                userAccount.getPermissions().getPermissions().add("user-administrator");
                oma.update(userAccount);
                return Optional.of(userAccount);
            }
        } catch (Exception e) {
            Exceptions.handle().to(BizController.LOG).error(e).withSystemErrorMessage("Cannot initialize tenants or user accounts: %s (%s)", new Object[0]).handle();
        }
        return Optional.empty();
    }

    protected UserInfo asUser(UserAccount userAccount, List<String> list) {
        Set<String> computeRoles = computeRoles(null, userAccount.getUniqueName());
        if (list != null) {
            computeRoles = Sets.newTreeSet(computeRoles);
            computeRoles.addAll(list);
        }
        return asUserWithRoles(userAccount, computeRoles);
    }

    private UserInfo asUserWithRoles(UserAccount userAccount, Set<String> set) {
        return UserInfo.Builder.createUser(userAccount.getUniqueName()).withUsername(userAccount.getLogin().getUsername()).withTenantId(String.valueOf(userAccount.getTenant().getId())).withTenantName(((Tenant) userAccount.getTenant().getValue()).getName()).withEmail(userAccount.getEmail()).withLang("de").withPermissions(set).withSettingsSupplier(userInfo -> {
            return getUserSettings(getScopeSettings(), userInfo);
        }).withUserSupplier(userInfo2 -> {
            return userAccount;
        }).build();
    }

    public UserInfo findUserByCredentials(@Nullable WebContext webContext, String str, String str2) {
        UserInfo findUserByName;
        if (Strings.isEmpty(str2) || (findUserByName = findUserByName(webContext, str)) == null) {
            return null;
        }
        UserAccount userAccount = (UserAccount) findUserByName.getUserObject(UserAccount.class);
        if (userAccount.isExternalLoginRequired() && !isWithinInterval(userAccount.getLogin().getLastExternalLogin(), ((Tenant) userAccount.getTenant().getValue()).getExternalLoginIntervalDays())) {
            throw Exceptions.createHandled().withNLSKey("UserAccount.externalLoginMustBePerformed").handle();
        }
        LoginData login = userAccount.getLogin();
        if ((this.acceptApiTokens && Strings.areEqual(str2, login.getApiToken())) || LoginData.hashPassword(Value.of(login.getSalt()).asString(this.defaultSalt), str2).equals(login.getPasswordHash())) {
            return findUserByName;
        }
        return null;
    }

    protected void recordUserLogin(WebContext webContext, UserInfo userInfo) {
        recordLogin(userInfo, false);
    }

    public void recordLogin(UserInfo userInfo, boolean z) {
        try {
            UserAccount userAccount = (UserAccount) getUserObject(userInfo);
            statistics.incrementStatistic(LOGGED_IN_EVENT, userAccount.getUniqueName());
            if (userAccount.getTrace().getCreatedAt() == null) {
                return;
            }
            userAccount.getTrace().setSilent(true);
            userAccount.getJournal().setSilent(true);
            userAccount.getLogin().setNumberOfLogins(userAccount.getLogin().getNumberOfLogins() + 1);
            userAccount.getLogin().setLastLogin(LocalDateTime.now());
            if (z) {
                userAccount.getLogin().setLastExternalLogin(LocalDateTime.now());
            }
            oma.override(userAccount);
        } catch (Exception e) {
            Exceptions.handle(BizController.LOG, e);
        }
    }

    protected Object getUserObject(UserInfo userInfo) {
        return fetchAccount(userInfo.getUserId(), null);
    }

    protected UserSettings getUserSettings(UserSettings userSettings, UserInfo userInfo) {
        UserAccount userAccount = (UserAccount) userInfo.getUserObject(UserAccount.class);
        return userAccount.getPermissions().getConfig() == null ? ((Tenant) userAccount.getTenant().getValue()).getPermissions().getConfig() == null ? userSettings : (UserSettings) ((Tuple) configCache.get(userAccount.getTenant().getUniqueObjectName(), str -> {
            return Tuple.create(new UserSettings(((Tenant) userAccount.getTenant().getValue()).getPermissions().getConfig().withFallback(userSettings.getConfig())), userAccount.getTenant().getUniqueObjectName());
        })).getFirst() : (UserSettings) ((Tuple) configCache.get(userAccount.getUniqueName(), str2 -> {
            return Tuple.create(new UserSettings(userAccount.getPermissions().getConfig().withFallback(((Tenant) userAccount.getTenant().getValue()).getPermissions().getConfig().withFallback(userSettings.getConfig()))), userAccount.getTenant().getUniqueObjectName());
        })).getFirst();
    }

    @Explain("Using explicit abort conditions and a final true makes all checks obvious")
    protected boolean isUserStillValid(String str) {
        UserAccount fetchAccount = fetchAccount(str, null);
        if (fetchAccount == null || fetchAccount.getLogin().isAccountLocked() || !isWithinInterval(fetchAccount.getLogin().getLastLogin(), ((Tenant) fetchAccount.getTenant().getValue()).getLoginIntervalDays())) {
            return false;
        }
        return !fetchAccount.isExternalLoginRequired() || isWithinInterval(fetchAccount.getLogin().getLastExternalLogin(), ((Tenant) fetchAccount.getTenant().getValue()).getExternalLoginIntervalDays());
    }

    private boolean isWithinInterval(LocalDateTime localDateTime, Integer num) {
        if (num == null) {
            return true;
        }
        return localDateTime != null && Duration.between(LocalDateTime.now(), localDateTime).toDays() < ((long) num.intValue());
    }

    private Set<String> computeRoles(UserAccount userAccount, Tenant tenant, boolean z) {
        TreeSet newTreeSet = Sets.newTreeSet();
        newTreeSet.addAll(userAccount.getPermissions().getPermissions());
        newTreeSet.addAll(tenant.getPermissions().getPermissions());
        newTreeSet.add("flag-logged-in");
        Set transformRoles = transformRoles(newTreeSet, false);
        if (!z || !transformRoles.contains(PERMISSION_MANAGE_SYSTEM)) {
            return transformRoles;
        }
        newTreeSet.add(PERMISSION_SYSTEM_TENANT);
        return transformRoles(newTreeSet, false);
    }

    protected Set<String> computeRoles(WebContext webContext, String str) {
        Set<String> set = (Set) rolesCache.get(str);
        if (set != null) {
            return set;
        }
        UserAccount fetchAccount = fetchAccount(str, null);
        Set<String> computeRoles = fetchAccount != null ? computeRoles(fetchAccount, (Tenant) fetchAccount.getTenant().getValue(), Strings.areEqual(this.systemTenant, String.valueOf(((Tenant) fetchAccount.getTenant().getValue()).getId()))) : Collections.emptySet();
        rolesCache.put(str, computeRoles);
        return computeRoles;
    }
}
