package com.atlassian.stash.internal.user;

import com.atlassian.crowd.embedded.api.CrowdService;
import com.atlassian.crowd.embedded.api.Group;
import com.atlassian.crowd.embedded.api.SearchRestriction;
import com.atlassian.crowd.embedded.api.User;
import com.atlassian.crowd.embedded.api.UserWithAttributes;
import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.crowd.embedded.impl.ImmutableUser;
import com.atlassian.crowd.exception.DirectoryNotFoundException;
import com.atlassian.crowd.exception.ExpiredCredentialException;
import com.atlassian.crowd.exception.FailedAuthenticationException;
import com.atlassian.crowd.exception.InactiveAccountException;
import com.atlassian.crowd.exception.InvalidCredentialException;
import com.atlassian.crowd.exception.InvalidUserException;
import com.atlassian.crowd.exception.OperationNotPermittedException;
import com.atlassian.crowd.manager.directory.DirectoryManager;
import com.atlassian.crowd.search.EntityDescriptor;
import com.atlassian.crowd.search.builder.QueryBuilder;
import com.atlassian.crowd.search.builder.Restriction;
import com.atlassian.crowd.search.query.entity.restriction.constants.GroupTermKeys;
import com.atlassian.plugin.spring.AvailableToPlugins;
import com.atlassian.stash.exception.AuthenticationFailedException;
import com.atlassian.stash.exception.AuthorisationException;
import com.atlassian.stash.exception.OperationFailedException;
import com.atlassian.stash.exception.ServerException;
import com.atlassian.stash.i18n.I18nService;
import com.atlassian.stash.i18n.KeyedMessage;
import com.atlassian.stash.internal.annotation.Secured;
import com.atlassian.stash.internal.annotation.Unsecured;
import com.atlassian.stash.internal.crowd.PasswordResetHelper;
import com.atlassian.stash.server.ApplicationPropertiesService;
import com.atlassian.stash.user.CaptchaAuthenticationException;
import com.atlassian.stash.user.CaptchaResponse;
import com.atlassian.stash.user.StashAuthenticationContext;
import com.atlassian.stash.user.StashUser;
import com.atlassian.stash.user.UserService;
import com.atlassian.stash.util.Page;
import com.atlassian.stash.util.PageImpl;
import com.atlassian.stash.util.PageRequest;
import com.atlassian.stash.util.PageUtils;
import com.google.common.base.Function;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.base.Throwables;
import com.google.common.collect.Iterables;
import com.octo.captcha.service.CaptchaService;
import com.octo.captcha.service.CaptchaServiceException;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Transactional(readOnly = true)
@AvailableToPlugins(UserService.class)
@Service("userService")
/* loaded from: input_file:com/atlassian/stash/internal/user/UserServiceImpl.class */
public class UserServiceImpl implements UserService {
    public static final String FAILED_AUTHENTICATION_ATTEMPT_COUNT = "failedAuthenticationAttemptCount";
    private final DirectoryManager directoryManager;
    private final CrowdService crowdService;
    private final I18nService i18nService;
    private final StashUserDao stashUserDao;
    private final PasswordResetHelper passwordResetHelper;
    private final UserUtils userUtils;
    private final CaptchaService captchaService;
    private final ApplicationPropertiesService applicationPropertiesService;
    private final StashAuthenticationContext authenticationContext;

    @Value("${page.max.users}")
    private int maxUserPageSize;

    @Value("${page.max.groups}")
    private int maxGroupPageSize;
    private final Predicate<StashUser> notDeletedPredicate = new Predicate<StashUser>() { // from class: com.atlassian.stash.internal.user.UserServiceImpl.2
        public boolean apply(StashUser stashUser) {
            return UserServiceImpl.this.crowdService.getUser(stashUser.getName()) != null;
        }
    };
    private static final Logger LOG = LoggerFactory.getLogger(UserServiceImpl.class);
    private static final Function<String, String> LOWERCASE_STRING = new Function<String, String>() { // from class: com.atlassian.stash.internal.user.UserServiceImpl.1
        public String apply(String str) {
            return IdentifierUtils.toLowerCase(str);
        }
    };

    @Autowired
    public UserServiceImpl(CrowdService crowdService, DirectoryManager directoryManager, I18nService i18nService, StashUserDao stashUserDao, PasswordResetHelper passwordResetHelper, UserUtils userUtils, CaptchaService captchaService, ApplicationPropertiesService applicationPropertiesService, StashAuthenticationContext stashAuthenticationContext) {
        this.crowdService = crowdService;
        this.directoryManager = directoryManager;
        this.i18nService = i18nService;
        this.stashUserDao = stashUserDao;
        this.passwordResetHelper = passwordResetHelper;
        this.userUtils = userUtils;
        this.captchaService = captchaService;
        this.applicationPropertiesService = applicationPropertiesService;
        this.authenticationContext = stashAuthenticationContext;
    }

    @Transactional(noRollbackFor = {AuthenticationFailedException.class})
    @Nonnull
    @Unsecured("This needs to be available to unauthenticated contexts")
    public StashUser authenticate(@Nonnull String str, @Nonnull String str2, CaptchaResponse captchaResponse) {
        if (captchaEntryRequiredByUser(str)) {
            if (captchaResponse == null) {
                throw new CaptchaAuthenticationException(missingCaptchaResponse());
            }
            if (!isCaptchaValid(captchaResponse)) {
                incFailedAuthAttemptCountUser(str);
                throw new CaptchaAuthenticationException(invalidCaptcha());
            }
        }
        try {
            User authenticate = this.crowdService.authenticate(str, str2);
            if (authenticate == null) {
                throw new OperationFailedException(remoteDirOpFail());
            }
            StashUser orCreateMappedUser = getOrCreateMappedUser(authenticate);
            clearFailedAuthAttemptCountForUser(str);
            return orCreateMappedUser;
        } catch (com.atlassian.crowd.exception.runtime.OperationFailedException e) {
            throw new OperationFailedException(remoteDirOpFail());
        } catch (ExpiredCredentialException e2) {
            throw AuthenticationFailedException.captchaNotRequired(expiredCredentials());
        } catch (FailedAuthenticationException e3) {
            if (captchaEntryRequired(incFailedAuthAttemptCountUser(str))) {
                throw AuthenticationFailedException.captchaRequired(authFail());
            }
            throw AuthenticationFailedException.captchaNotRequired(authFail());
        } catch (InactiveAccountException e4) {
            throw AuthenticationFailedException.captchaNotRequired(inactiveAccount());
        }
    }

    private boolean isCaptchaValid(CaptchaResponse captchaResponse) {
        try {
            return this.captchaService.validateResponseForID(captchaResponse.getChallengeId(), captchaResponse.getUserResponse()).booleanValue();
        } catch (CaptchaServiceException e) {
            throw new OperationFailedException(captchaServiceFail());
        }
    }

    private boolean captchaEntryRequiredByUser(String str) {
        return captchaEntryRequired(getFailedAuthAttemptCountForUser(str));
    }

    private boolean captchaEntryRequired(long j) {
        return j > 0 && j >= ((long) this.applicationPropertiesService.getMaxCaptchaAttempts());
    }

    private KeyedMessage missingCaptchaResponse() {
        return this.i18nService.getKeyedText("stash.service.user.missingcaptcharesponse", "No CAPTCHA response was supplied", new Object[0]);
    }

    private KeyedMessage invalidCaptcha() {
        return this.i18nService.getKeyedText("stash.service.user.invalidcaptcha", "The CAPTCHA was supplied but it was invalid", new Object[0]);
    }

    private KeyedMessage remoteDirOpFail() {
        return this.i18nService.getKeyedText("stash.service.user.opfail", "Authentication failed because the remote user directory did not respond properly", new Object[0]);
    }

    private KeyedMessage captchaServiceFail() {
        return this.i18nService.getKeyedText("stash.service.user.captchasvcfail", "The CAPTCHA service found itself in an awkward situation", new Object[0]);
    }

    private KeyedMessage expiredCredentials() {
        return this.i18nService.getKeyedText("stash.service.user.expiredcredentials", "Authentication failed because the credentials have expired", new Object[0]);
    }

    private KeyedMessage inactiveAccount() {
        return this.i18nService.getKeyedText("stash.service.user.inactive", "Authentication failed because the user account is inactive", new Object[0]);
    }

    private KeyedMessage authFail() {
        return this.i18nService.getKeyedText("stash.service.user.authenticationfailed", "Authentication failed because the user does not exist, or the account is inactive, or the credentials are incorrect", new Object[0]);
    }

    @Transactional
    @Unsecured("This needs to be available to unauthenticated contexts")
    public StashUser getUser(@Nonnull Integer num) {
        InternalStashUser internalStashUser = (InternalStashUser) this.stashUserDao.getById(num);
        if (internalStashUser != null) {
            return getOrCreateMappedUser(internalStashUser, this.crowdService.getUser(internalStashUser.getName()));
        }
        LOG.warn("User with ID " + num + " does not exist");
        return null;
    }

    @Transactional
    @Unsecured("This needs to be available to unauthenticated contexts")
    public StashUser getUser(@Nonnull String str) {
        return getUser(str, false);
    }

    @Transactional
    @Unsecured("This needs to be available to unauthenticated contexts")
    public StashUser getUser(@Nonnull String str, boolean z) {
        StashUser stashUser = null;
        User user = this.crowdService.getUser(str);
        if (user != null) {
            stashUser = getOrCreateMappedUser(user);
        } else if (z) {
            stashUser = this.stashUserDao.findByName(str);
        }
        return stashUser;
    }

    @Transactional
    @Secured("You can only update the profile of the current user")
    public StashUser updateProfile(@Nonnull String str, @Nonnull String str2) {
        String name = getCurrentUser().getName();
        try {
            this.crowdService.updateUser(ImmutableUser.newUser().name(name).displayName(str).emailAddress(str2).toUser());
            return getUser(name);
        } catch (InvalidUserException e) {
            throw canNotUpdateProfile(e);
        } catch (com.atlassian.crowd.exception.runtime.OperationFailedException e2) {
            throw canNotUpdateProfile(e2);
        } catch (OperationNotPermittedException e3) {
            throw canNotUpdateProfile(e3);
        }
    }

    @Transactional
    @Secured("You can only update the profile of the current user")
    public void updatePassword(@Nonnull String str, @Nonnull String str2) {
        String name = getCurrentUser().getName();
        try {
            this.passwordResetHelper.resetPassword(this.crowdService.authenticate(name, str), str2);
        } catch (InvalidCredentialException e) {
            throw canNotUpdateUserPassword(name, e);
        } catch (OperationNotPermittedException e2) {
            throw canNotUpdateUserPassword(name, e2);
        } catch (FailedAuthenticationException e3) {
            throw AuthenticationFailedException.captchaNotRequired(this.i18nService.getKeyedText("stash.service.user.password.invalid", "The current password does not match", new Object[0]));
        } catch (com.atlassian.crowd.exception.runtime.OperationFailedException e4) {
            throw canNotUpdateUserPassword(name, e4);
        }
    }

    @Nonnull
    private StashUser getCurrentUser() {
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser == null) {
            throw new AuthorisationException(this.i18nService.getKeyedText("stash.service.user.canNotUpdate.anonymous", "Please login to update your profile or password", new Object[0]));
        }
        return currentUser;
    }

    private ServerException canNotUpdateProfile(Exception exc) {
        KeyedMessage keyedText = this.i18nService.getKeyedText("stash.service.user.profile.canNotUpdate", "Could not update your profile: {0}", new Object[]{Throwables.getRootCause(exc).getLocalizedMessage()});
        if (LOG.isDebugEnabled()) {
            LOG.debug(keyedText.getLocalisedMessage(), exc);
        }
        throw new ServerException(keyedText, exc);
    }

    private ServerException canNotUpdateUserPassword(String str, Exception exc) {
        Preconditions.checkNotNull(str);
        KeyedMessage keyedText = this.i18nService.getKeyedText("stash.service.user.password.canNotUpdate", "Could not update your password: {0}", new Object[]{Throwables.getRootCause(exc).getLocalizedMessage()});
        if (LOG.isDebugEnabled()) {
            LOG.debug(keyedText.getLocalisedMessage(), exc);
        }
        throw new ServerException(keyedText, exc);
    }

    @Nonnull
    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<? extends StashUser> findAllUsers(@Nonnull PageRequest pageRequest) {
        return findAllUsers(false, pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<? extends StashUser> findAllUsers(boolean z, @Nonnull PageRequest pageRequest) {
        PageRequest buildRestrictedPageRequest = pageRequest.buildRestrictedPageRequest(this.maxUserPageSize);
        Predicate<StashUser> alwaysTrue = Predicates.alwaysTrue();
        if (!z) {
            alwaysTrue = this.notDeletedPredicate;
        }
        return this.userUtils.getCrowdBackedPageOfStashUsers(this.stashUserDao.findAll(buildRestrictedPageRequest, alwaysTrue));
    }

    @Nonnull
    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<? extends StashUser> findUsersByContainedText(String str, @Nonnull PageRequest pageRequest) {
        return findUsersByContainedText(str, false, pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<? extends StashUser> findUsersByContainedText(String str, boolean z, @Nonnull PageRequest pageRequest) {
        PageRequest buildRestrictedPageRequest = pageRequest.buildRestrictedPageRequest(this.maxUserPageSize);
        Predicate<StashUser> alwaysTrue = Predicates.alwaysTrue();
        if (!z) {
            alwaysTrue = this.notDeletedPredicate;
        }
        return this.userUtils.getCrowdBackedPageOfStashUsers(this.stashUserDao.findAllByContainedText(str, buildRestrictedPageRequest, alwaysTrue));
    }

    @Nonnull
    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<String> findAllGroups(@Nonnull PageRequest pageRequest) {
        return findGroupsByContainedText(null, pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public Page<String> findGroupsByContainedText(String str, @Nonnull PageRequest pageRequest) {
        PageRequest buildRestrictedPageRequest = pageRequest.buildRestrictedPageRequest(this.maxGroupPageSize);
        Iterable transform = Iterables.transform(search(Group.class, EntityDescriptor.group(), buildRestrictedPageRequest.getStart(), buildRestrictedPageRequest.getLimit() + 1, StringUtils.isNotBlank(str) ? Restriction.on(GroupTermKeys.NAME).containing(str) : null), new Function<Group, String>() { // from class: com.atlassian.stash.internal.user.UserServiceImpl.3
            public String apply(@Nullable Group group) {
                if (group == null) {
                    return null;
                }
                return group.getName();
            }
        });
        int size = Iterables.size(transform);
        return new PageImpl(buildRestrictedPageRequest, Math.min(size, buildRestrictedPageRequest.getLimit()), Iterables.limit(transform, buildRestrictedPageRequest.getLimit()), size <= buildRestrictedPageRequest.getLimit());
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN') or isCurrentUser(#user.name)")
    public boolean isUserMemberOfGroup(@Nonnull StashUser stashUser, @Nonnull String str) {
        Preconditions.checkNotNull(stashUser);
        Preconditions.checkNotNull(str);
        User backingCrowdUser = this.userUtils.getBackingCrowdUser(InternalConverter.convertToInternalUser(stashUser));
        try {
            return this.directoryManager.isUserNestedGroupMember(backingCrowdUser.getDirectoryId(), backingCrowdUser.getName(), str);
        } catch (com.atlassian.crowd.exception.OperationFailedException e) {
            LOG.error("Could not determine group membership for user " + stashUser.getName(), e);
            return false;
        } catch (DirectoryNotFoundException e2) {
            LOG.error("User directory was not found", e2);
            return false;
        }
    }

    @Nonnull
    @Unsecured("This isn't restricted by permission because its needed by everyone via licencing, permissioning and login")
    public Page<String> getGroupsForUser(@Nonnull String str, @Nonnull PageRequest pageRequest) {
        return PageUtils.createPage(Iterables.transform(this.crowdService.search(QueryBuilder.queryFor(String.class, EntityDescriptor.group()).parentsOf(EntityDescriptor.user()).withName(str).startingAt(pageRequest.getStart()).returningAtMost(pageRequest.getLimit() + 1)), LOWERCASE_STRING), pageRequest);
    }

    @Nonnull
    @Unsecured("This isn't restricted by permission because its needed by everyone via licencing, permissioning and login")
    public Page<String> getUsersInGroup(@Nonnull String str, @Nonnull PageRequest pageRequest) {
        return PageUtils.createPage(this.crowdService.search(QueryBuilder.queryFor(String.class, EntityDescriptor.user()).childrenOf(EntityDescriptor.group()).withName(str).startingAt(pageRequest.getStart()).returningAtMost(pageRequest.getLimit() + 1)), pageRequest);
    }

    long getFailedAuthAttemptCountForUser(@Nonnull String str) {
        Long failedAuthAttemptCountForUser;
        Preconditions.checkNotNull(str);
        UserWithAttributes userWithAttributes = this.crowdService.getUserWithAttributes(str);
        if (userWithAttributes == null || (failedAuthAttemptCountForUser = getFailedAuthAttemptCountForUser(userWithAttributes)) == null) {
            return 0L;
        }
        return failedAuthAttemptCountForUser.longValue();
    }

    private Long getFailedAuthAttemptCountForUser(UserWithAttributes userWithAttributes) {
        String value = userWithAttributes.getValue(FAILED_AUTHENTICATION_ATTEMPT_COUNT);
        if (value != null) {
            try {
                return Long.valueOf(value);
            } catch (NumberFormatException e) {
                LOG.error(String.format("Invalid attribute %s for user %s: %s", FAILED_AUTHENTICATION_ATTEMPT_COUNT, userWithAttributes.getName(), value));
            }
        }
        return 0L;
    }

    @Transactional
    long incFailedAuthAttemptCountUser(@Nonnull String str) {
        Preconditions.checkNotNull(str);
        UserWithAttributes userWithAttributes = this.crowdService.getUserWithAttributes(str);
        if (userWithAttributes == null) {
            return 0L;
        }
        Long valueOf = Long.valueOf(incWithOverflowCheck(getFailedAuthAttemptCountForUser(userWithAttributes).longValue()));
        try {
            this.crowdService.setUserAttribute(userWithAttributes, FAILED_AUTHENTICATION_ATTEMPT_COUNT, Long.toString(valueOf.longValue()));
        } catch (OperationNotPermittedException e) {
            logAttributeUpdateFailure(e);
        }
        return valueOf.longValue();
    }

    @Transactional
    void clearFailedAuthAttemptCountForUser(@Nonnull String str) {
        Preconditions.checkNotNull(str);
        UserWithAttributes userWithAttributes = this.crowdService.getUserWithAttributes(str);
        if (userWithAttributes != null) {
            try {
                this.crowdService.setUserAttribute(userWithAttributes, FAILED_AUTHENTICATION_ATTEMPT_COUNT, Long.toString(0L));
            } catch (OperationNotPermittedException e) {
                logAttributeUpdateFailure(e);
            }
        }
    }

    private void logAttributeUpdateFailure(Exception exc) {
        String format = String.format("Couldn't update the %s attribute", FAILED_AUTHENTICATION_ATTEMPT_COUNT);
        LOG.error(format);
        LOG.debug(format, exc);
    }

    private long incWithOverflowCheck(long j) {
        if (j == Long.MAX_VALUE) {
            return Long.MAX_VALUE;
        }
        return j + 1;
    }

    @Unsecured("This is not restricted by permissions so that SAL tests pass. It should not be exposed via rest")
    public boolean isUserMemberOfGroup(@Nonnull String str, @Nonnull String str2) {
        Preconditions.checkNotNull(str);
        Preconditions.checkNotNull(str2);
        StashUser user = getUser(str);
        return user != null && isUserMemberOfGroup(user, str2);
    }

    @PreAuthorize("hasAnyPermission('PROJECT_ADMIN')")
    public boolean existsGroup(String str) {
        return this.crowdService.getGroup(str) != null;
    }

    @Transactional
    @Unsecured("This needs to be available to unauthenticated contexts")
    public StashUser preauthenticate(@Nonnull String str) {
        StashUser user = getUser(str);
        if (user != null) {
            SecurityContextHolder.getContext().setAuthentication(new StashUserAuthenticationToken(user));
        }
        return user;
    }

    @Unsecured("This needs to be available to all contexts")
    public void unauthenticate() {
        SecurityContextHolder.getContext().setAuthentication((Authentication) null);
    }

    private StashUser getOrCreateMappedUser(User user) {
        Preconditions.checkNotNull(user);
        return getOrCreateMappedUser(this.stashUserDao.findByName(user.getName()), user);
    }

    private StashUser getOrCreateMappedUser(InternalStashUser internalStashUser, User user) {
        if (user == null) {
            return null;
        }
        if (internalStashUser == null) {
            internalStashUser = new InternalStashUser(user.getName());
            this.stashUserDao.create(internalStashUser);
        }
        return internalStashUser.copy().crowdUser(user).build();
    }

    private <T> Iterable<T> search(Class<T> cls, EntityDescriptor entityDescriptor, int i, int i2, SearchRestriction searchRestriction) {
        QueryBuilder.PartialEntityQuery queryFor = QueryBuilder.queryFor(cls, entityDescriptor);
        return this.crowdService.search(searchRestriction != null ? queryFor.with(searchRestriction).startingAt(i).returningAtMost(i2) : queryFor.startingAt(i).returningAtMost(i2));
    }
}
