package com.cloudera.api.dao.impl;

import com.cloudera.api.DataView;
import com.cloudera.api.dao.DAOFactory;
import com.cloudera.api.dao.UserManagerDao;
import com.cloudera.api.model.ApiAuthRoleRef;
import com.cloudera.api.model.ApiUser;
import com.cloudera.api.model.ApiUser2;
import com.cloudera.api.model.ApiUser2List;
import com.cloudera.api.model.ApiUserList;
import com.cloudera.api.model.ApiUserSession;
import com.cloudera.api.model.ApiUserSessionList;
import com.cloudera.cmf.model.DbAuthRole;
import com.cloudera.cmf.model.DbUser;
import com.cloudera.cmf.service.CommandUtils;
import com.cloudera.cmf.service.scm.ScmHandler;
import com.cloudera.cmf.service.scm.ScmParams;
import com.cloudera.cmf.user.UserRole;
import com.cloudera.server.cmf.CurrentUserManager;
import com.cloudera.server.cmf.components.CmServerState;
import com.google.common.base.Preconditions;
import com.google.common.collect.Sets;
import java.util.Collections;
import java.util.Comparator;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.NoSuchElementException;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.NoSuchBeanDefinitionException;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;

/* loaded from: input_file:com/cloudera/api/dao/impl/UserManagerDaoImpl.class */
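/**
 * User-management DAO: creates, lists, updates and deletes users and reports or expires their sessions.
 *
 * <p>This file is decompiler output (see the JADX markers), so parameter names are synthetic and at
 * least one method ({@link #deleteUser2(String, boolean)}) carries a control-flow artifact.
 *
 * <p>The v1 methods ({@code createUsers}, {@code getUser}, ...) convert their arguments with
 * {@code ApiUserUtils.promoteToV2}, delegate to the matching {@code *2} method and convert the result
 * back with {@code ApiUserUtils.demote}.
 *
 * <p>NOTE(review): authorization is enforced unevenly inside this class. {@code getSessions},
 * {@code expireSessions}, {@code deleteUser2}, {@code updateUser2} and {@code listUsers2} check the
 * caller's authorities here; {@code createUsers2} and {@code getUser2} do not. Presumably an outer
 * layer guards those two - confirm before exposing this DAO through any new entry point.
 */
public class UserManagerDaoImpl extends ManagerDaoBase implements UserManagerDao {
    /** Authority required for session operations, and for managing a user that holds no auth role. */
    private static final String AUTH_USERS_CONFIG = "AUTH_USERS_CONFIG";

    /** Name prefix that this class treats as marking an internal account. */
    private static final String INTERNAL_USER_PREFIX = "__cloudera_internal_user__";

    private final CurrentUserManager currentUserMgr;
    private final SessionRegistry sessionRegistry;
    private final CmServerState cmss;

    /**
     * Stores the collaborators; {@code sessionRegistry} may be {@code null}, in which case
     * {@link #getSessions()} returns an empty list.
     *
     * <p>The decompiler reports that this constructor was originally {@code protected}.
     */
    public UserManagerDaoImpl(DAOFactory dAOFactory, CurrentUserManager currentUserManager, SessionRegistry sessionRegistry, CmServerState cmServerState) {
        super(dAOFactory);
        this.currentUserMgr = currentUserManager;
        this.sessionRegistry = sessionRegistry;
        this.cmss = cmServerState;
    }

    /**
     * Looks a user up by name.
     *
     * @return the user, never {@code null}
     * @throws NoSuchElementException if no user has that name
     */
    private DbUser findUser(String username) {
        DbUser user = this.cmfEM.findUserByName(username);
        if (user == null) {
            throw new NoSuchElementException(String.format("User '%s' does not exist.", username));
        }
        return user;
    }

    /**
     * Looks up the stored auth role for a built-in {@link UserRole}.
     *
     * <p>The two-argument {@code findAuthRole(uuid, name)} used elsewhere in this class is not
     * defined here; presumably it is inherited from {@code ManagerDaoBase}.
     *
     * @throws NoSuchElementException if the role is not found
     */
    private DbAuthRole findAuthRole(UserRole userRole) {
        DbAuthRole role = this.cmfEM.findAuthRole(userRole);
        if (role == null) {
            throw new NoSuchElementException(String.format("Auth role '%s' does not exist.", userRole));
        }
        return role;
    }

    /**
     * Collects the authorities a caller must hold to modify {@code dbUser}: the modify-authority of
     * each of the user's roles, or {@code AUTH_USERS_CONFIG} when the user holds no role.
     */
    private Set<String> getRequiredModifyAuths(DbUser dbUser) {
        Set<String> required = Sets.newHashSet();
        // The element type of getImmutableAuthRole() is not visible here, so the cast is kept.
        for (Object role : dbUser.getImmutableAuthRole()) {
            required.add(getModifyAuth((DbAuthRole) role));
        }
        if (required.isEmpty()) {
            required.add(AUTH_USERS_CONFIG);
        }
        return required;
    }

    /**
     * Maps an auth role to the authority needed to grant or modify it, via the role's effective
     * {@link UserRole} name. {@code UserRole.valueOf} rejects a name it does not know.
     */
    private String getModifyAuth(DbAuthRole dbAuthRole) {
        UserRole effectiveRole = UserRole.valueOf(dbAuthRole.getEffectiveUserRoleName());
        return effectiveRole.getModifyAuth();
    }

    /**
     * Validates a user-creation request: the list must be non-empty and every entry needs a name
     * plus either a pre-hashed credential (hash, salt and the {@code pwLogin} flag) or a plain
     * password.
     *
     * @throws IllegalArgumentException if any of those is missing
     */
    public void user2ListPreconditions(ApiUser2List apiUser2List) {
        Preconditions.checkArgument(apiUser2List != null && !apiUser2List.getUsers2().isEmpty(), "User list must be provided.");
        for (ApiUser2 user : apiUser2List) {
            Preconditions.checkArgument(user != null, "User information not provided.");
            Preconditions.checkArgument(user.getName() != null, "User name not provided.");
            if (user.getPwHash() != null) {
                // A supplied hash must come with its salt and login flag.
                Preconditions.checkArgument(user.getPwSalt() != null, "Missing user password salt");
                Preconditions.checkArgument(user.getPwLogin() != null, "Missing user login location information");
            } else {
                Preconditions.checkArgument(user.getPassword() != null, "User is missing password information");
            }
        }
    }

    /** v1 wrapper around {@link #createUsers2(ApiUser2List)}. */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUserList createUsers(ApiUserList apiUserList) {
        ApiUser2List promoted = ApiUserUtils.promoteToV2(apiUserList, this.cmfEM);
        return ApiUserUtils.demote(createUsers2(promoted), this.cmfEM);
    }

    /** v1 wrapper around {@link #deleteUser2(String, boolean)} with the deployment flag off. */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUser deleteUser(String str) {
        return deleteUser(str, false);
    }

    /** v1 wrapper around {@link #deleteUser2(String, boolean)} with the deployment flag on. */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUser deleteUserForDeployment(String str) {
        return deleteUser(str, true);
    }

    /** Deletes through the v2 path and converts the result to the v1 model. */
    private ApiUser deleteUser(String username, boolean forDeployment) {
        return ApiUserUtils.demote(deleteUser2(username, forDeployment), this.cmfEM);
    }

    /** v1 wrapper around {@link #getUser2(String)}. */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxReadOnly
    public ApiUser getUser(String str) {
        return ApiUserUtils.demote(getUser2(str), this.cmfEM);
    }

    /** v1 wrapper around {@link #listUsers2(DataView)}. */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxReadOnly
    public ApiUserList listUsers(DataView dataView) {
        return ApiUserUtils.demote(listUsers2(dataView), this.cmfEM);
    }

    /** v1 wrapper around {@link #updateUser2(String, ApiUser2)}. */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUser updateUser(String str, ApiUser apiUser) {
        ApiUser2 promoted = ApiUserUtils.promoteToV2(apiUser, this.cmfEM);
        return ApiUserUtils.demote(updateUser2(str, promoted), this.cmfEM);
    }

    /**
     * Lists the sessions of every non-internal user, with the client address recorded for each
     * session id and the time of its last request.
     *
     * @return the sessions; empty when no session registry is configured
     * @throws SecurityException if the caller lacks {@code AUTH_USERS_CONFIG}
     */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxReadOnly
    public ApiUserSessionList getSessions() {
        if (!this.currentUserMgr.hasAuthority(AUTH_USERS_CONFIG)) {
            throw new SecurityException("User not allowed to perform operation.");
        }
        ApiUserSessionList sessions = new ApiUserSessionList();
        if (this.sessionRegistry == null) {
            return sessions;
        }
        for (DbUser user : this.cmfEM.findAllUsers()) {
            String name = user.getName();
            if (name.startsWith(INTERNAL_USER_PREFIX)) {
                continue;
            }
            // 'false' asks the registry to leave expired sessions out.
            // NOTE(review): the lookup uses the user name as the principal - confirm that is how
            // sessions are registered, otherwise this list is silently empty.
            for (SessionInformation info : this.sessionRegistry.getAllSessions(name, false)) {
                String remoteAddr = this.cmss.getHttpClient(info.getSessionId());
                ApiUserSession session = new ApiUserSession();
                session.setName(name);
                session.setRemoteAddr(remoteAddr);
                session.setLastRequest(info.getLastRequest());
                sessions.add(session);
            }
        }
        return sessions;
    }

    /**
     * Creates every user in the list and assigns the requested auth roles.
     *
     * <p>An internal-prefixed user with no roles gets {@code ROLE_USER}. A plain password is checked
     * against the configured password policy; a pre-hashed credential is stored as given, so the
     * policy cannot be applied to it.
     *
     * <p>NOTE(review): no authority check is made here, and the requested roles are assigned without
     * the {@code hasAllAuthorities} check that {@link #updateUser2} applies. Presumably the caller is
     * authorized upstream - confirm.
     *
     * @return the created users
     * @throws IllegalArgumentException if the request is incomplete, a user has no auth roles, or a
     *     password fails the policy
     */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUser2List createUsers2(ApiUser2List apiUser2List) {
        user2ListPreconditions(apiUser2List);
        ApiUser2List created = new ApiUser2List();
        for (ApiUser2 user : apiUser2List) {
            if (user.getName().startsWith(INTERNAL_USER_PREFIX) && (user.getAuthRoles() == null || user.getAuthRoles().isEmpty())) {
                DbAuthRole defaultRole = findAuthRole(UserRole.ROLE_USER);
                user.setAuthRoles(Sets.newHashSet(new ApiAuthRoleRef[]{new ApiAuthRoleRef(defaultRole.getUuid(), defaultRole.getName())}));
            }
            // Reject a missing role list before the account is written; previously this surfaced as
            // a NullPointerException in the role loop, after addUser had already run.
            Preconditions.checkArgument(user.getAuthRoles() != null, "User auth roles not provided.");
            DbUser addUser;
            if (user.getPwHash() != null) {
                addUser = this.operationsManager.addUser(this.cmfEM, user.getName(), user.getPwHash(), user.getPwSalt(), user.getPwLogin().booleanValue());
            } else {
                validateUserPassword(user.getPassword());
                addUser = this.operationsManager.addUser(this.cmfEM, user.getName(), user.getPassword());
            }
            HashSet<DbAuthRole> roles = Sets.newHashSet();
            for (ApiAuthRoleRef ref : user.getAuthRoles()) {
                roles.add(findAuthRole(ref.getUuid(), ref.getName()));
            }
            this.operationsManager.assignUserAuthRoles(this.cmfEM, addUser, roles);
            created.getUsers2().add(this.modelFactory.newUser2(addUser));
        }
        return created;
    }

    /**
     * Checks a password against the configured policy (minimum length, letters, digits and special
     * characters).
     *
     * @param str the candidate password
     * @throws IllegalArgumentException if the password does not meet the policy
     */
    public void validateUserPassword(String str) {
        validateUserPassword(
                str,
                (Long) ScmHandler.getScmConfigValue(ScmParams.PASSWORD_MIN_LENGTH, this.cmfEM.getScmConfigProvider()),
                (Long) ScmHandler.getScmConfigValue(ScmParams.PASSWORD_MIN_NO_OF_LETTERS, this.cmfEM.getScmConfigProvider()),
                (Long) ScmHandler.getScmConfigValue(ScmParams.PASSWORD_MIN_NO_OF_DIGITS, this.cmfEM.getScmConfigProvider()),
                (Long) ScmHandler.getScmConfigValue(ScmParams.PASSWORD_MIN_NO_OF_SPECIAL_CHARS, this.cmfEM.getScmConfigProvider()));
    }

    /**
     * Checks a password against explicit policy limits.
     *
     * <p>Each {@code char} is counted once: as a letter, else as a digit, else as a special
     * character, so whitespace counts as special. The limits must not be {@code null}.
     *
     * @param str the candidate password
     * @param l minimum total length
     * @param l2 minimum number of letters
     * @param l3 minimum number of digits
     * @param l4 minimum number of special characters
     * @throws IllegalArgumentException if the password is {@code null}, too short, or below any minimum
     */
    public void validateUserPassword(String str, Long l, Long l2, Long l3, Long l4) {
        if (str == null || str.length() < l.intValue()) {
            throw new IllegalArgumentException(String.format("Password must contain a minimum of %s characters", Integer.valueOf(l.intValue())));
        }
        long letters = 0;
        long digits = 0;
        long specials = 0;
        for (int i = 0; i < str.length(); i++) {
            char c = str.charAt(i);
            if (Character.isLetter(c)) {
                letters++;
            } else if (Character.isDigit(c)) {
                digits++;
            } else {
                specials++;
            }
        }
        if (l2.longValue() > letters || l3.longValue() > digits || l4.longValue() > specials) {
            throw new IllegalArgumentException(String.format("Password must contain a minimum of %s letters, %s digits and %s special characters", l2, l3, l4));
        }
    }

    /**
     * Trims every user name in place, then creates the users via {@link #createUsers2}.
     *
     * <p>The trimmed names are written back into the caller's {@code ApiUser2} objects.
     *
     * @throws IllegalArgumentException if the list or an entry is {@code null}, or a name is empty
     *     after trimming
     */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUser2List createUsers2TrimNames(ApiUser2List apiUser2List) {
        // Fail with the same messages as user2ListPreconditions instead of a NullPointerException.
        Preconditions.checkArgument(apiUser2List != null, "User list must be provided.");
        for (ApiUser2 user : apiUser2List) {
            Preconditions.checkArgument(user != null, "User information not provided.");
            String trimmed = StringUtils.trim(user.getName());
            if (trimmed == null || trimmed.isEmpty()) {
                throw new IllegalArgumentException("Empty user name");
            }
            user.setName(trimmed);
        }
        return createUsers2(apiUser2List);
    }

    /** Deletes a user with the deployment flag off; see {@link #deleteUser2(String, boolean)}. */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUser2 deleteUser2(String str) {
        return deleteUser2(str, false);
    }

    /**
     * Deletes the named user after checking that the caller may do so.
     *
     * <p>An internal caller may delete only itself. Any other caller needs every authority returned
     * by {@code getRequiredModifyAuths} for the target, and may delete itself only when {@code z} is
     * set or {@code isDeletableLastFullAdmin} allows it.
     *
     * @param str name of the user to delete
     * @param z {@code true} on the "for deployment" path
     * @return the API view of the user, built before deletion
     * @throws NoSuchElementException if the user does not exist
     * @throws SecurityException if the caller is not allowed to delete the user
     */
    public ApiUser2 deleteUser2(String str, boolean z) {
        // findUser never returns null, so no separate null check is needed for the target.
        DbUser target = findUser(str);
        DbUser loggedInUser = this.currentUserMgr.getLoggedInUser(this.cmfEM);
        Preconditions.checkArgument(loggedInUser != null);
        Set<String> requiredModifyAuths = getRequiredModifyAuths(target);
        if (loggedInUser.isInternal()) {
            if (!str.equals(loggedInUser.getName())) {
                throw new SecurityException("Internal users can only delete self.");
            }
        } else {
            if (!this.currentUserMgr.hasAllAuthorities(requiredModifyAuths)) {
                throw new SecurityException("Only administrators can delete users.");
            }
            // NOTE(review): isDeletableLastFullAdmin is defined elsewhere; confirm it returns false
            // when deleting the caller would leave the system without a full administrator.
            if (str.equals(loggedInUser.getName()) && !z && !this.currentUserMgr.isDeletableLastFullAdmin(this.cmfEM.findAllUsers())) {
                throw new SecurityException("Cannot delete self.");
            }
        }
        ApiUser2 deleted = this.modelFactory.newUser2(target);
        if (z) {
            try {
                // NOTE(review): decompiler artifact. The body of this try block was lost, so as
                // written the catch below is unreachable. Reconstruct the original logic from the
                // bytecode before relying on the deployment path.
            } catch (NoSuchBeanDefinitionException e) {
                this.cmfEM.deleteUser(target);
            }
        }
        // The third argument is false only when the deployment path deletes the caller itself; its
        // meaning is defined by operationsManager.deleteUser and is not visible here.
        boolean flag = !(z && target.equals(loggedInUser));
        this.operationsManager.deleteUser(this.cmfEM, target, flag);
        return deleted;
    }

    /** Deletes a user with the deployment flag on; see {@link #deleteUser2(String, boolean)}. */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUser2 deleteUser2ForDeployment(String str) {
        return deleteUser2(str, true);
    }

    /**
     * Expires the sessions of the named user.
     *
     * <p>NOTE(review): the denial message formats {@code str}, which is the user whose sessions
     * would be expired, not the caller who was refused - confirm that wording is intended.
     *
     * @param str name of the user whose sessions are expired
     * @throws SecurityException if the caller lacks {@code AUTH_USERS_CONFIG}, is an internal user,
     *     or cannot be resolved
     */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public void expireSessions(String str) {
        boolean allowed = this.currentUserMgr.hasAuthority(AUTH_USERS_CONFIG);
        if (allowed) {
            DbUser loggedInUser = this.currentUserMgr.getLoggedInUser(this.cmfEM);
            // Fail closed: an unresolvable caller is refused rather than hitting a NullPointerException.
            allowed = loggedInUser != null && !loggedInUser.isInternal();
        }
        if (!allowed) {
            throw new SecurityException(String.format("User %s not allowed to perform operation.", str));
        }
        this.operationsManager.expireSessions(this.cmfEM, str);
    }

    /**
     * Returns the API view of the named user.
     *
     * <p>NOTE(review): unlike {@link #listUsers2}, this applies no visibility filter, so internal
     * users and users the caller could not list are returned as well. Presumably access is checked
     * upstream - confirm.
     *
     * @throws NoSuchElementException if the user does not exist
     */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxReadOnly
    public ApiUser2 getUser2(String str) {
        return this.modelFactory.newUser2(findUser(str));
    }

    /**
     * Lists the users the caller may see, sorted by name.
     *
     * <p>Internal users are included only for the {@code EXPORT} and {@code EXPORT_REDACTED} views.
     * A user is listed when the caller holds every authority needed to modify that user, or when
     * the user is the caller.
     *
     * <p>NOTE(review): when {@code currentUserMgr} is {@code null} the authority filter is skipped
     * and every user is listed - confirm that a null manager can only occur in trusted contexts.
     */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxReadOnly
    public ApiUser2List listUsers2(DataView dataView) {
        List<DbUser> allUsers = this.cmfEM.findAllUsers();
        ApiUser2List visible = new ApiUser2List();
        boolean exportView = dataView == DataView.EXPORT || dataView == DataView.EXPORT_REDACTED;
        for (DbUser dbUser : allUsers) {
            if (!exportView && dbUser.isInternal()) {
                continue;
            }
            Set<String> requiredAuths = getRequiredModifyAuths(dbUser);
            if (this.currentUserMgr == null || this.currentUserMgr.hasAllAuthorities(requiredAuths) || dbUser.getName().equals(this.currentUserMgr.getUsername())) {
                visible.getUsers2().add(this.modelFactory.newUser2(dbUser, dataView));
            }
        }
        Collections.sort(visible.getUsers2(), new Comparator<ApiUser2>() {
            @Override // java.util.Comparator
            public int compare(ApiUser2 left, ApiUser2 right) {
                // NOTE(review): CONFIG_TOP_LEVEL_DIR stands in for the name of a null entry. This
                // looks like the decompiler matching an inlined literal to a named constant - verify
                // the intended fallback value.
                String leftName = left == null ? CommandUtils.CONFIG_TOP_LEVEL_DIR : left.getName();
                String rightName = right == null ? CommandUtils.CONFIG_TOP_LEVEL_DIR : right.getName();
                return leftName.compareTo(rightName);
            }
        });
        return visible;
    }

    /**
     * Updates the roles and/or password of the named user.
     *
     * <p>External users cannot be modified when authentication is external-only and authorization
     * is {@code EXTERNAL_ONLY}. A caller changing another user needs every authority required for
     * that user's current roles and for the roles being assigned. Only {@code authRoles} and
     * {@code password} are read from the request.
     *
     * <p>NOTE(review), self-service path: when {@code str} is the caller's own name both authority
     * checks are skipped, and a change to the caller's own roles is refused only if
     * {@code isDeletableLastFullAdmin} returns false. That method is defined elsewhere; confirm it
     * cannot return true for a caller who lacks the authorities for the requested roles. Also note
     * that "self" is decided from {@code getUsername()} in the authority checks but from
     * {@code getLoggedInUser().getName()} in the own-role check - confirm the two always agree.
     *
     * <p>NOTE(review): the password is replaced without asking for the current one, and no session
     * is expired here; verify whether {@code setUserPassword} handles that.
     *
     * @param str name of the user to update
     * @param apiUser2 the requested changes
     * @return the API view of the user after the update
     * @throws NoSuchElementException if the user or a referenced role does not exist
     * @throws SecurityException if the caller is not allowed to make the change
     * @throws IllegalArgumentException if the request is {@code null} or the password fails the policy
     */
    @Override // com.cloudera.api.dao.UserManagerDao
    @TxCommit
    public ApiUser2 updateUser2(String str, ApiUser2 apiUser2) {
        // findUser never returns null, so no separate null check is needed for the target.
        DbUser target = findUser(str);
        DbUser loggedInUser = this.currentUserMgr.getLoggedInUser(this.cmfEM);
        Preconditions.checkArgument(loggedInUser != null);
        Set<String> requiredModifyAuths = getRequiredModifyAuths(target);
        if (target.isExternalUser()) {
            ScmParams.AuthBackendOrder authnOrder = (ScmParams.AuthBackendOrder) ScmHandler.getScmConfigValue(ScmParams.AUTH_BACKEND_ORDER, this.cmfEM.getScmConfigProvider());
            ScmParams.AuthorizationBackendOrder authzOrder = (ScmParams.AuthorizationBackendOrder) ScmHandler.getScmConfigValue(ScmParams.AUTHOR_BACKEND, this.cmfEM.getScmConfigProvider());
            boolean externalAuthnOnly = EnumSet.of(ScmParams.AuthBackendOrder.EXTERNAL_ONLY_WITHOUT_DB_ADMINS, ScmParams.AuthBackendOrder.LDAP_ONLY).contains(authnOrder);
            if (externalAuthnOnly && authzOrder == ScmParams.AuthorizationBackendOrder.EXTERNAL_ONLY) {
                throw new SecurityException("External users cannot be modified when External Authentication and External Only Authorization are in use.");
            }
        }
        if (!str.equals(this.currentUserMgr.getUsername()) && !this.currentUserMgr.hasAllAuthorities(requiredModifyAuths)) {
            throw new SecurityException("User not allowed to perform operation.");
        }
        // Checked after authorization so that an unauthorized caller is still refused first.
        Preconditions.checkArgument(apiUser2 != null, "User information not provided.");
        if (apiUser2.getAuthRoles() != null) {
            HashSet<DbAuthRole> newRoles = Sets.newHashSet();
            Set<String> newRoleAuths = Sets.newHashSet();
            for (ApiAuthRoleRef ref : apiUser2.getAuthRoles()) {
                DbAuthRole role = findAuthRole(ref.getUuid(), ref.getName());
                newRoles.add(role);
                newRoleAuths.add(getModifyAuth(role));
            }
            // The caller must also hold the authority for every role being granted.
            if (!str.equals(this.currentUserMgr.getUsername()) && !this.currentUserMgr.hasAllAuthorities(newRoleAuths)) {
                throw new SecurityException("User not allowed to perform operation.");
            }
            if (str.equals(loggedInUser.getName()) && !target.getImmutableAuthRole().equals(newRoles) && !this.currentUserMgr.isDeletableLastFullAdmin(this.cmfEM.findAllUsers())) {
                throw new SecurityException("Cannot edit own roles.");
            }
            this.operationsManager.assignUserAuthRoles(this.cmfEM, target, newRoles);
        }
        if (apiUser2.getPassword() != null) {
            validateUserPassword(apiUser2.getPassword());
            this.operationsManager.setUserPassword(this.cmfEM, target, apiUser2.getPassword());
        }
        return this.modelFactory.newUser2(target);
    }
}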
