package com.atlassian.stash.internal.crowd;

import com.atlassian.crowd.embedded.api.CrowdDirectoryService;
import com.atlassian.crowd.embedded.api.CrowdService;
import com.atlassian.crowd.embedded.api.Directory;
import com.atlassian.crowd.embedded.api.Group;
import com.atlassian.crowd.embedded.api.OperationType;
import com.atlassian.crowd.embedded.api.Query;
import com.atlassian.crowd.embedded.api.SearchRestriction;
import com.atlassian.crowd.embedded.api.User;
import com.atlassian.crowd.embedded.impl.ImmutableGroup;
import com.atlassian.crowd.embedded.impl.ImmutableUser;
import com.atlassian.crowd.exception.CrowdException;
import com.atlassian.crowd.exception.InvalidCredentialException;
import com.atlassian.crowd.exception.InvalidUserException;
import com.atlassian.crowd.exception.OperationNotPermittedException;
import com.atlassian.crowd.exception.embedded.InvalidGroupException;
import com.atlassian.crowd.exception.runtime.CrowdRuntimeException;
import com.atlassian.crowd.exception.runtime.GroupNotFoundException;
import com.atlassian.crowd.exception.runtime.OperationFailedException;
import com.atlassian.crowd.model.group.GroupType;
import com.atlassian.crowd.search.EntityDescriptor;
import com.atlassian.crowd.search.builder.Combine;
import com.atlassian.crowd.search.builder.Restriction;
import com.atlassian.crowd.search.query.entity.GroupQuery;
import com.atlassian.crowd.search.query.entity.UserQuery;
import com.atlassian.crowd.search.query.entity.restriction.NullRestrictionImpl;
import com.atlassian.crowd.search.query.entity.restriction.constants.GroupTermKeys;
import com.atlassian.crowd.search.query.entity.restriction.constants.UserTermKeys;
import com.atlassian.crowd.search.query.membership.GroupMembershipQuery;
import com.atlassian.crowd.search.query.membership.UserMembersOfGroupQuery;
import com.atlassian.plugin.spring.AvailableToPlugins;
import com.atlassian.security.random.SecureTokenGenerator;
import com.atlassian.stash.crowd.AllowedDirectoryOperations;
import com.atlassian.stash.crowd.CrowdAdminService;
import com.atlassian.stash.crowd.CrowdGroup;
import com.atlassian.stash.crowd.CrowdUser;
import com.atlassian.stash.exception.ForbiddenException;
import com.atlassian.stash.exception.IntegrityException;
import com.atlassian.stash.exception.InvalidTokenException;
import com.atlassian.stash.exception.LicenseLimitException;
import com.atlassian.stash.exception.NoMailHostConfigurationException;
import com.atlassian.stash.exception.NoSuchEntityException;
import com.atlassian.stash.exception.SendingEmailException;
import com.atlassian.stash.exception.ServerException;
import com.atlassian.stash.i18n.I18nService;
import com.atlassian.stash.i18n.KeyedMessage;
import com.atlassian.stash.internal.annotation.Unsecured;
import com.atlassian.stash.license.LicenseService;
import com.atlassian.stash.user.PermissionAdminService;
import com.atlassian.stash.util.Page;
import com.atlassian.stash.util.PageImpl;
import com.atlassian.stash.util.PageRequest;
import com.google.common.base.Function;
import com.google.common.base.Throwables;
import com.google.common.collect.Iterables;
import java.util.Set;
import javax.annotation.Nonnull;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.web.authentication.rememberme.PersistentTokenRepository;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Transactional(readOnly = true)
@Service
@AvailableToPlugins(CrowdAdminService.class)
/* loaded from: input_file:com/atlassian/stash/internal/crowd/CrowdAdminServiceImpl.class */
public class CrowdAdminServiceImpl implements CrowdAdminService {
    private final CrowdService crowdService;
    private final CrowdDirectoryService directoryService;
    private final PermissionAdminService permissionAdminService;
    private final SecureTokenGenerator tokenGenerator;
    private final PasswordResetHelper passwordResetHelper;
    private final EmailNotifier emailNotifier;
    private final LicenseService licenseService;
    private final I18nService i18nService;
    private final PersistentTokenRepository tokenRepository;
    private static final Logger LOG = LoggerFactory.getLogger(CrowdAdminServiceImpl.class);
    private static final Function<User, CrowdUser> USER_TRANSFORM = new Function<User, CrowdUser>() { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.9
        public CrowdUser apply(User user) {
            return new CrowdUser(user, (String) null, (Boolean) null);
        }
    };

    /* loaded from: input_file:com/atlassian/stash/internal/crowd/CrowdAdminServiceImpl$AllowedDirectoryOperationsImpl.class */
    private static final class AllowedDirectoryOperationsImpl implements AllowedDirectoryOperations {
        private final boolean mutateAttributes;
        private final boolean mutateGroups;

        private AllowedDirectoryOperationsImpl(boolean z, boolean z2) {
            this.mutateAttributes = z;
            this.mutateGroups = z2;
        }

        public boolean canMutateUsersGroups() {
            return this.mutateGroups;
        }

        public boolean canMutateUsersDetails() {
            return this.mutateAttributes;
        }
    }

    @Autowired
    public CrowdAdminServiceImpl(CrowdService crowdService, @Qualifier("publicCrowdDirectoryService") CrowdDirectoryService crowdDirectoryService, PermissionAdminService permissionAdminService, PasswordResetHelper passwordResetHelper, EmailNotifier emailNotifier, LicenseService licenseService, I18nService i18nService, SecureTokenGenerator secureTokenGenerator, PersistentTokenRepository persistentTokenRepository) {
        this.crowdService = crowdService;
        this.directoryService = crowdDirectoryService;
        this.permissionAdminService = permissionAdminService;
        this.tokenGenerator = secureTokenGenerator;
        this.passwordResetHelper = passwordResetHelper;
        this.emailNotifier = emailNotifier;
        this.licenseService = licenseService;
        this.i18nService = i18nService;
        this.tokenRepository = persistentTokenRepository;
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public CrowdUser findUser(@Nonnull String str) {
        User user = this.crowdService.getUser(str);
        if (user == null) {
            return null;
        }
        return new CrowdUser(user, (String) null, (Boolean) null);
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public CrowdUser findUserWithDirectoryInfo(@Nonnull String str) {
        User user = this.crowdService.getUser(str);
        if (user == null) {
            return null;
        }
        DirectoryCache directoryCache = new DirectoryCache(this.directoryService);
        return new CrowdUser(user, directoryCache.getDirectoryName(user), Boolean.valueOf(directoryCache.isReadOnly(user)));
    }

    @Nonnull
    @Unsecured("Determining which Crowd operations are permitted does not require a specific permission")
    public AllowedDirectoryOperations getAllowedOperationsForDirectoryContaining(@Nonnull String str) {
        User user = this.crowdService.getUser(str);
        if (user == null) {
            return new AllowedDirectoryOperationsImpl(false, false);
        }
        Directory findDirectoryById = this.directoryService.findDirectoryById(user.getDirectoryId());
        if (findDirectoryById == null) {
            LOG.warn("Permitted mutations: Couldn't find the directory of the user: " + str);
            return new AllowedDirectoryOperationsImpl(false, false);
        }
        Set allowedOperations = findDirectoryById.getAllowedOperations();
        return new AllowedDirectoryOperationsImpl(allowedOperations.contains(OperationType.UPDATE_USER), allowedOperations.contains(OperationType.UPDATE_GROUP));
    }

    @Nonnull
    @Transactional
    @PreAuthorize("hasGlobalPermission('SYS_ADMIN') or (hasGlobalPermission('ADMIN') and not hasGlobalPermission(#name, 'SYS_ADMIN'))")
    public CrowdUser updateUserDetails(@Nonnull String str, @Nonnull String str2, @Nonnull String str3) {
        try {
            return new CrowdUser(this.crowdService.updateUser(ImmutableUser.newUser(validateUserExists(str)).displayName(str2).emailAddress(str3).toUser()));
        } catch (InvalidUserException e) {
            throw canNotUpdateUser(str, e);
        } catch (OperationFailedException e2) {
            throw canNotUpdateUser(str, e2);
        } catch (OperationNotPermittedException e3) {
            throw canNotUpdateUser(str, e3);
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('SYS_ADMIN') or (hasGlobalPermission('ADMIN') and not hasGlobalPermission(#name, 'SYS_ADMIN'))")
    public void updateUserPassword(@Nonnull String str, @Nonnull String str2) {
        try {
            this.passwordResetHelper.resetPassword(validateUserExists(str), str2);
        } catch (OperationNotPermittedException e) {
            throw canNotUpdateUser(str, e);
        } catch (OperationFailedException e2) {
            throw canNotUpdateUser(str, e2);
        } catch (InvalidCredentialException e3) {
            throw canNotUpdateUser(str, e3);
        }
    }

    private ServerException canNotUpdateUser(String str, Exception exc) {
        KeyedMessage keyedText = this.i18nService.getKeyedText("stash.service.users.canNotUpdate", "The user {0} could not be updated: {1}", new Object[]{str, Throwables.getRootCause(exc).getLocalizedMessage()});
        if (LOG.isDebugEnabled()) {
            LOG.debug(keyedText.getLocalisedMessage(), exc);
        }
        throw new ServerException(keyedText, exc);
    }

    @Nonnull
    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<CrowdUser> findUsers(@Nonnull PageRequest pageRequest) {
        return StringUtils.isBlank(pageRequest.getFilter()) ? findAllUsers(pageRequest) : findMatchingUsers(pageRequest);
    }

    private Page<CrowdUser> findAllUsers(PageRequest pageRequest) {
        Iterable<User> search = this.crowdService.search(new UserQuery(User.class, NullRestrictionImpl.INSTANCE, pageRequest.getStart(), pageRequest.getLimit() + 1));
        return asUserPage(pageRequest, search, Iterables.size(search) <= pageRequest.getLimit());
    }

    private Page<CrowdUser> findMatchingUsers(PageRequest pageRequest) {
        String filter = pageRequest.getFilter();
        Page<User> scan = new UserMatchingFilter<User>(this.crowdService, filter) { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.1
            @Override // com.atlassian.stash.internal.crowd.Filter
            Query<User> getQuery(String str, int i, int i2) {
                return new UserQuery(User.class, Combine.anyOf(new SearchRestriction[]{Restriction.on(UserTermKeys.DISPLAY_NAME).containing(str), Restriction.on(UserTermKeys.USERNAME).containing(str), Restriction.on(UserTermKeys.EMAIL).containing(str)}), i, i2);
            }
        }.scan(pageRequest, filter);
        return asUserPage(pageRequest, scan, scan.getIsLastPage());
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<CrowdGroup> findGroups(@Nonnull PageRequest pageRequest) {
        return StringUtils.isBlank(pageRequest.getFilter()) ? findAllGroups(pageRequest) : findMatchingGroups(pageRequest);
    }

    private Page<CrowdGroup> findAllGroups(PageRequest pageRequest) {
        Iterable search = this.crowdService.search(new GroupQuery(String.class, GroupType.GROUP, NullRestrictionImpl.INSTANCE, pageRequest.getStart(), pageRequest.getLimit() + 1));
        return asGroupPage(pageRequest, Iterables.limit(search, pageRequest.getLimit()), Iterables.size(search) <= pageRequest.getLimit());
    }

    private Page<CrowdGroup> findMatchingGroups(PageRequest pageRequest) {
        String filter = pageRequest.getFilter();
        Page<String> scan = new GroupMatchingFilter(this.crowdService, filter) { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.2
            @Override // com.atlassian.stash.internal.crowd.Filter
            Query<String> getQuery(String str, int i, int i2) {
                return new GroupQuery(String.class, GroupType.GROUP, Restriction.on(GroupTermKeys.NAME).containing(str), i, i2);
            }
        }.scan(pageRequest, filter);
        return asGroupPage(pageRequest, scan.getValues(), scan.getIsLastPage());
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public boolean userExists(@Nonnull String str) {
        return this.crowdService.search(new UserQuery(String.class, Restriction.on(UserTermKeys.USERNAME).exactlyMatching(str), 0, 1)).iterator().hasNext();
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public boolean groupExists(@Nonnull String str) {
        return this.crowdService.search(new GroupQuery(String.class, GroupType.GROUP, Restriction.on(GroupTermKeys.NAME).exactlyMatching(str), 0, 1)).iterator().hasNext();
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public boolean canCreateGroups() {
        return isAllowedInAnyDirectory(OperationType.CREATE_GROUP);
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public boolean canDeleteGroups() {
        return isAllowedInAnyDirectory(OperationType.DELETE_GROUP);
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public CrowdGroup createGroup(@Nonnull String str) throws IntegrityException, CrowdRuntimeException {
        try {
            this.crowdService.addGroup(new ImmutableGroup(str));
            return new CrowdGroup(str, canDeleteGroups());
        } catch (InvalidGroupException e) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.group.alreadyexists", "A group {0} already exists.", new Object[]{str}));
        } catch (CrowdException e2) {
            throw new CrowdRuntimeException(e2);
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public CrowdUser deleteUser(@Nonnull String str) throws IntegrityException, ForbiddenException, NoSuchEntityException, CrowdRuntimeException {
        this.permissionAdminService.canDeleteUser(str);
        try {
            User validateUserExists = validateUserExists(str);
            this.crowdService.removeUser(validateUserExists);
            this.permissionAdminService.revokeAllUserPermissions(str);
            this.tokenRepository.removeUserTokens(str);
            return new CrowdUser(validateUserExists, (String) null, (Boolean) null);
        } catch (CrowdException e) {
            throw new CrowdRuntimeException(e);
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public CrowdGroup deleteGroup(@Nonnull String str) throws IntegrityException, ForbiddenException, NoSuchEntityException, com.atlassian.stash.exception.OperationNotPermittedException, CrowdRuntimeException {
        this.permissionAdminService.canDeleteGroup(str);
        try {
            Group validateGroupExists = validateGroupExists(str);
            this.crowdService.removeGroup(validateGroupExists);
            this.permissionAdminService.revokeAllGroupPermissions(str);
            return new CrowdGroup(validateGroupExists, true);
        } catch (OperationNotPermittedException e) {
            throw new com.atlassian.stash.exception.OperationNotPermittedException(this.i18nService.getKeyedText("stash.service.delete.group.notpermitted", "The group {0} could not be deleted as it belongs to a read-only directory.", new Object[]{str}), e);
        } catch (CrowdException e2) {
            throw new CrowdRuntimeException(e2);
        }
    }

    private Page<CrowdUser> asUserPage(PageRequest pageRequest, Page<User> page, boolean z) {
        return asUserPage(pageRequest, page.getValues(), z);
    }

    private Page<CrowdUser> asUserPage(PageRequest pageRequest, Iterable<User> iterable, boolean z) {
        final DirectoryCache directoryCache = new DirectoryCache(this.directoryService);
        return new PageImpl(pageRequest, Iterables.transform(iterable, new Function<User, CrowdUser>() { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.3
            public CrowdUser apply(User user) {
                return new CrowdUser(user, directoryCache.getDirectoryName(user), Boolean.valueOf(directoryCache.isReadOnly(user)));
            }
        }), z);
    }

    private Page<CrowdGroup> asGroupPage(PageRequest pageRequest, Iterable<String> iterable, boolean z) {
        final boolean canDeleteGroups = canDeleteGroups();
        return new PageImpl(pageRequest, Iterables.transform(iterable, new Function<String, CrowdGroup>() { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.4
            public CrowdGroup apply(String str) {
                return new CrowdGroup(str, canDeleteGroups);
            }
        }), z);
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<CrowdUser> findUsersInGroup(@Nonnull PageRequest pageRequest, @Nonnull String str) {
        return new UserMatchingFilter<CrowdUser>(this.crowdService, USER_TRANSFORM, pageRequest.getFilter()) { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.5
            @Override // com.atlassian.stash.internal.crowd.Filter
            Query<User> getQuery(String str2, int i, int i2) {
                return new UserMembersOfGroupQuery(User.class, true, EntityDescriptor.group(), str2, EntityDescriptor.user(), i, i2);
            }
        }.scan(pageRequest, str);
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<CrowdUser> findUsersNotInGroup(@Nonnull final PageRequest pageRequest, @Nonnull final String str) {
        final boolean isBlank = StringUtils.isBlank(pageRequest.getFilter());
        return new UserMatchingFilter<CrowdUser>(this.crowdService, USER_TRANSFORM, pageRequest.getFilter()) { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.6
            /* JADX INFO: Access modifiers changed from: package-private */
            @Override // com.atlassian.stash.internal.crowd.UserMatchingFilter, com.atlassian.stash.internal.crowd.Filter
            public boolean isMatch(User user) {
                return !CrowdAdminServiceImpl.this.crowdService.isUserMemberOfGroup(user.getName(), str) && super.isMatch(user);
            }

            @Override // com.atlassian.stash.internal.crowd.Filter
            Query<User> getQuery(String str2, int i, int i2) {
                return new UserQuery(User.class, isBlank ? NullRestrictionImpl.INSTANCE : Combine.anyOf(new SearchRestriction[]{Restriction.on(UserTermKeys.DISPLAY_NAME).containing(pageRequest.getFilter()), Restriction.on(UserTermKeys.USERNAME).containing(pageRequest.getFilter()), Restriction.on(UserTermKeys.EMAIL).containing(pageRequest.getFilter())}), i, i2);
            }
        }.scan(pageRequest, str);
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN') or isCurrentUser(#user)")
    public Page<String> findGroupsForUser(@Nonnull PageRequest pageRequest, @Nonnull final String str) {
        return new GroupMatchingFilter(this.crowdService, pageRequest.getFilter()) { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.7
            @Override // com.atlassian.stash.internal.crowd.Filter
            Query<String> getQuery(String str2, int i, int i2) {
                return new GroupMembershipQuery(String.class, false, EntityDescriptor.user(), str, EntityDescriptor.group(), i, i2);
            }
        }.scan(pageRequest, str);
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<String> findGroupsWithoutUser(@Nonnull final PageRequest pageRequest, @Nonnull final String str) {
        final boolean isBlank = StringUtils.isBlank(pageRequest.getFilter());
        return new GroupMatchingFilter(this.crowdService, pageRequest.getFilter()) { // from class: com.atlassian.stash.internal.crowd.CrowdAdminServiceImpl.8
            /* JADX INFO: Access modifiers changed from: package-private */
            @Override // com.atlassian.stash.internal.crowd.GroupMatchingFilter, com.atlassian.stash.internal.crowd.Filter
            public boolean isMatch(String str2) {
                return !CrowdAdminServiceImpl.this.crowdService.isUserMemberOfGroup(str, str2) && super.isMatch(str2);
            }

            @Override // com.atlassian.stash.internal.crowd.Filter
            Query<String> getQuery(String str2, int i, int i2) {
                return new GroupQuery(String.class, GroupType.GROUP, isBlank ? NullRestrictionImpl.INSTANCE : Restriction.on(GroupTermKeys.NAME).containing(pageRequest.getFilter()), i, i2);
            }
        }.scan(pageRequest, str);
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void addUserToGroup(@Nonnull String str, @Nonnull String str2) throws ForbiddenException, NoSuchEntityException, LicenseLimitException, CrowdRuntimeException, com.atlassian.stash.exception.OperationNotPermittedException {
        this.permissionAdminService.canAddUserToGroup(str);
        try {
            Group validateGroupExists = validateGroupExists(str);
            User validateUserExists = validateUserExists(str2);
            this.licenseService.validateCanAddUserToGroup(str2, str);
            this.crowdService.addUserToGroup(validateUserExists, validateGroupExists);
        } catch (OperationNotPermittedException e) {
            LOG.warn(Throwables.getRootCause(e).getLocalizedMessage(), e);
            throw new com.atlassian.stash.exception.OperationNotPermittedException(this.i18nService.getKeyedText("stash.service.remoteUserFromGroup.notpermitted", "The user {0} could not be added to the group {1}. Verify if they are not from the same read-only directory or consult the logs for more information on the error.", new Object[]{str2, str}));
        } catch (CrowdException e2) {
            throw new CrowdRuntimeException(e2);
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void removeUserFromGroup(@Nonnull String str, @Nonnull String str2) throws IntegrityException, ForbiddenException, NoSuchEntityException, CrowdRuntimeException, com.atlassian.stash.exception.OperationNotPermittedException {
        boolean z;
        this.permissionAdminService.canRemoveUserFromGroup(str2, str);
        try {
            z = this.crowdService.removeUserFromGroup(validateUserExists(str2), validateGroupExists(str));
        } catch (OperationNotPermittedException e) {
            LOG.warn(Throwables.getRootCause(e).getLocalizedMessage(), e);
            throw new com.atlassian.stash.exception.OperationNotPermittedException(this.i18nService.getKeyedText("stash.service.remoteUserFromGroup.notpermitted", "The user {0} could not be removed from the group {1}. Verify if they are not from the same read-only directory or consult the logs for more information on the error.", new Object[]{str2, str}));
        } catch (GroupNotFoundException e2) {
            z = false;
            LOG.debug("Failed to remove user %1$s from group %2$s.", e2);
        } catch (CrowdException e3) {
            throw new CrowdRuntimeException(e3);
        }
        if (z) {
            return;
        }
        CrowdUser findUserWithDirectoryInfo = findUserWithDirectoryInfo(str2);
        if (findUserWithDirectoryInfo == null) {
            throw new NoSuchEntityException(this.i18nService.getKeyedText("stash.service.remoteUserFromGroup.noSuchUser", "The user {0} does not exist.", new Object[]{str2}));
        }
        LOG.info(String.format("Failed to remove user %1$s from group %2$s. Group %2$s may not exist in the same directory as the primary user with name %1$s. The 'primary' user is the first user with that name resolved from the ordered list of User Directories.", str2, str));
        throw new NoSuchEntityException(this.i18nService.getKeyedText("stash.service.remoteUserFromGroup.notFromGroup", "The user {0} from directory {1} does not belong to the group {2} in that directory, so can not be removed. This user may be shadowed by a user with the same name in another directory.", new Object[]{str2, findUserWithDirectoryInfo.getDirectoryName(), str}));
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public boolean canCreateUsers() {
        return isAllowedInAnyDirectory(OperationType.CREATE_USER);
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void createUser(@Nonnull String str, @Nonnull String str2, @Nonnull String str3, @Nonnull String str4) throws IntegrityException, LicenseLimitException, CrowdRuntimeException {
        createUser(str, str2, str3, str4, true);
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void createUser(@Nonnull String str, @Nonnull String str2, @Nonnull String str3, @Nonnull String str4, boolean z) throws IntegrityException, LicenseLimitException, CrowdRuntimeException {
        try {
            createUser(ImmutableUser.newUser().name(str).displayName(str3).emailAddress(str4).toUser(), str2, z);
        } catch (CrowdException e) {
            throw new CrowdRuntimeException(e);
        } catch (InvalidUserException e2) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.user.alreadyExists", "A user with this name already exists.", new Object[0]));
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void createUserWithGeneratedPassword(@Nonnull String str, @Nonnull String str2, @Nonnull String str3) throws IntegrityException, NoMailHostConfigurationException, LicenseLimitException, CrowdRuntimeException, SendingEmailException {
        this.emailNotifier.validateCanSendEmails();
        try {
            User user = ImmutableUser.newUser().name(str).displayName(str2).emailAddress(str3).toUser();
            String generateToken = this.tokenGenerator.generateToken();
            String generateToken2 = this.tokenGenerator.generateToken();
            createUser(user, generateToken, true);
            this.passwordResetHelper.addResetPasswordToken(user, generateToken2);
            this.emailNotifier.sendCreatedUser(user, generateToken2);
        } catch (InvalidUserException e) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.user.alreadyExists", "A user with this name already exists.", new Object[0]));
        } catch (CrowdException e2) {
            throw new CrowdRuntimeException(e2);
        }
    }

    private void createUser(User user, String str, boolean z) throws InvalidUserException, InvalidCredentialException, OperationNotPermittedException {
        this.crowdService.addUser(user, str);
        if (z) {
            addToGroupIfExisting(user, "stash-users");
        }
    }

    private void addToGroupIfExisting(User user, String str) throws OperationNotPermittedException {
        Group group = this.crowdService.getGroup(str);
        if (group != null) {
            this.licenseService.validateCanAddUserToGroup(user.getName(), group.getName());
            this.crowdService.addUserToGroup(user, group);
        }
    }

    @Transactional
    @Unsecured("Password reset runs in a non-authenticated context and requires no permissions")
    public void preparePasswordReset(@Nonnull String str) throws NoSuchEntityException, NoMailHostConfigurationException, SendingEmailException, CrowdRuntimeException {
        try {
            User validateUserExists = validateUserExists(str);
            String generateToken = this.tokenGenerator.generateToken();
            this.passwordResetHelper.addResetPasswordToken(validateUserExists, generateToken);
            this.emailNotifier.sendPasswordReset(validateUserExists, generateToken);
        } catch (CrowdException e) {
            throw new CrowdRuntimeException(e);
        }
    }

    @Unsecured("Password reset runs in a non-authenticated context and requires no permissions")
    public User findByPasswordResetRequest(@Nonnull String str) {
        return this.passwordResetHelper.findUserByResetToken(str);
    }

    @Transactional
    @Unsecured("Password reset runs in a non-authenticated context and requires no permissions")
    public void resetPassword(@Nonnull String str, @Nonnull String str2, @Nonnull String str3) throws InvalidTokenException, NoSuchEntityException, CrowdRuntimeException {
        User userWithAttributes = this.crowdService.getUserWithAttributes(str2);
        if (userWithAttributes == null) {
            throw new NoSuchEntityException(this.i18nService.getKeyedText("stash.service.user.noSuchUser", "No user named '{0}' found", new Object[]{str2}));
        }
        if (!str.equals(this.passwordResetHelper.getPasswordToken(userWithAttributes))) {
            throw new InvalidTokenException(this.i18nService.getKeyedText("stash.service.invalidtoken", "Invalid token", new Object[0]), str);
        }
        try {
            this.passwordResetHelper.resetPassword(userWithAttributes, str3);
        } catch (CrowdException e) {
            throw new CrowdRuntimeException(e);
        }
    }

    private boolean isAllowedInAnyDirectory(OperationType operationType) {
        for (Directory directory : this.directoryService.findAllDirectories()) {
            if (directory.isActive() && directory.getAllowedOperations().contains(operationType)) {
                return true;
            }
        }
        return false;
    }

    private User validateUserExists(String str) {
        User user = this.crowdService.getUser(str);
        if (user == null) {
            throw new NoSuchEntityException(this.i18nService.getKeyedText("stash.service.users.noSuchUser", "No user named ''{0}'' was found", new Object[]{str}));
        }
        return user;
    }

    private Group validateGroupExists(String str) {
        Group group = this.crowdService.getGroup(str);
        if (group == null) {
            throw new NoSuchEntityException(this.i18nService.getKeyedText("stash.service.groups.noSuchGroup", "No group named ''{0}'' was found", new Object[]{str}));
        }
        return group;
    }
}
