package com.alibaba.nacos.plugin.auth.impl.controller;

import com.alibaba.nacos.auth.annotation.Secured;
import com.alibaba.nacos.auth.config.AuthConfigs;
import com.alibaba.nacos.common.model.RestResult;
import com.alibaba.nacos.common.model.RestResultUtils;
import com.alibaba.nacos.common.utils.JacksonUtils;
import com.alibaba.nacos.common.utils.StringUtils;
import com.alibaba.nacos.core.context.RequestContextHolder;
import com.alibaba.nacos.persistence.model.Page;
import com.alibaba.nacos.plugin.auth.api.IdentityContext;
import com.alibaba.nacos.plugin.auth.constant.ActionTypes;
import com.alibaba.nacos.plugin.auth.exception.AccessException;
import com.alibaba.nacos.plugin.auth.impl.authenticate.IAuthenticationManager;
import com.alibaba.nacos.plugin.auth.impl.constant.AuthConstants;
import com.alibaba.nacos.plugin.auth.impl.constant.AuthSystemTypes;
import com.alibaba.nacos.plugin.auth.impl.persistence.RoleInfo;
import com.alibaba.nacos.plugin.auth.impl.persistence.User;
import com.alibaba.nacos.plugin.auth.impl.roles.NacosRoleServiceImpl;
import com.alibaba.nacos.plugin.auth.impl.token.TokenManagerDelegate;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUser;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUserDetailsServiceImpl;
import com.alibaba.nacos.plugin.auth.impl.utils.PasswordEncoderUtil;
import com.alibaba.nacos.plugin.auth.impl.utils.PasswordGeneratorUtil;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.web.HttpSessionRequiredException;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RequestMapping({"/v1/auth", "/v1/auth/users"})
@RestController("user")
/* loaded from: input_file:com/alibaba/nacos/plugin/auth/impl/controller/UserController.class */
public class UserController {

    @Autowired
    private TokenManagerDelegate jwtTokenManager;

    @Autowired
    @Deprecated
    private AuthenticationManager authenticationManager;

    @Autowired
    private NacosUserDetailsServiceImpl userDetailsService;

    @Autowired
    private NacosRoleServiceImpl roleService;

    @Autowired
    private AuthConfigs authConfigs;

    @Autowired
    private IAuthenticationManager iAuthenticationManager;

    @PostMapping
    @Secured(resource = "console/users", action = ActionTypes.WRITE)
    public Object createUser(@RequestParam String str, @RequestParam String str2) {
        if ("nacos".equals(str)) {
            return RestResultUtils.failed(HttpStatus.CONFLICT.value(), "User `nacos` is default admin user. Please use `/nacos/v1/auth/users/admin` API to init `nacos` users. Detail see `https://nacos.io/docs/latest/manual/admin/auth/#31-%E8%AE%BE%E7%BD%AE%E7%AE%A1%E7%90%86%E5%91%98%E5%AF%86%E7%A0%81`");
        }
        if (this.userDetailsService.getUserFromDatabase(str) != null) {
            throw new IllegalArgumentException("user '" + str + "' already exist!");
        }
        this.userDetailsService.createUser(str, PasswordEncoderUtil.encode(str2));
        return RestResultUtils.success("create user ok!");
    }

    @PostMapping({"/admin"})
    public Object createAdminUser(@RequestParam(required = false) String str) {
        if (!AuthSystemTypes.NACOS.name().equalsIgnoreCase(this.authConfigs.getNacosAuthSystemType())) {
            return RestResultUtils.failed(HttpStatus.NOT_IMPLEMENTED.value(), "not support");
        }
        if (this.iAuthenticationManager.hasGlobalAdminRole()) {
            return RestResultUtils.failed(HttpStatus.CONFLICT.value(), "have admin user cannot use it");
        }
        if (StringUtils.isBlank(str)) {
            str = PasswordGeneratorUtil.generateRandomPassword();
        }
        this.userDetailsService.createUser("nacos", PasswordEncoderUtil.encode(str));
        this.roleService.addAdminRole("nacos");
        ObjectNode createEmptyJsonNode = JacksonUtils.createEmptyJsonNode();
        createEmptyJsonNode.put(AuthConstants.PARAM_USERNAME, "nacos");
        createEmptyJsonNode.put(AuthConstants.PARAM_PASSWORD, str);
        return createEmptyJsonNode;
    }

    @DeleteMapping
    @Secured(resource = "console/users", action = ActionTypes.WRITE)
    public Object deleteUser(@RequestParam String str) {
        List<RoleInfo> roles = this.roleService.getRoles(str);
        if (roles != null) {
            Iterator<RoleInfo> it = roles.iterator();
            while (it.hasNext()) {
                if (AuthConstants.GLOBAL_ADMIN_ROLE.equals(it.next().getRole())) {
                    throw new IllegalArgumentException("cannot delete admin: " + str);
                }
            }
        }
        this.userDetailsService.deleteUser(str);
        return RestResultUtils.success("delete user ok!");
    }

    @Secured(resource = AuthConstants.UPDATE_PASSWORD_ENTRY_POINT, action = ActionTypes.WRITE, tags = {AuthConstants.UPDATE_PASSWORD_ENTRY_POINT})
    @PutMapping
    public Object updateUser(@RequestParam String str, @RequestParam String str2, HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws IOException {
        try {
            if (!hasPermission(str, httpServletRequest)) {
                httpServletResponse.sendError(403, "authorization failed!");
                return null;
            }
            if (this.userDetailsService.getUserFromDatabase(str) == null) {
                throw new IllegalArgumentException("user " + str + " not exist!");
            }
            this.userDetailsService.updateUserPassword(str, PasswordEncoderUtil.encode(str2));
            return RestResultUtils.success("update user ok!");
        } catch (HttpSessionRequiredException e) {
            httpServletResponse.sendError(401, "session expired!");
            return null;
        } catch (AccessException e2) {
            httpServletResponse.sendError(403, "authorization failed!");
            return null;
        }
    }

    private boolean hasPermission(String str, HttpServletRequest httpServletRequest) throws HttpSessionRequiredException, AccessException {
        if (!this.authConfigs.isAuthEnabled()) {
            return true;
        }
        IdentityContext identityContext = RequestContextHolder.getContext().getAuthContext().getIdentityContext();
        if (identityContext == null) {
            throw new HttpSessionRequiredException("session expired!");
        }
        NacosUser nacosUser = (NacosUser) identityContext.getParameter(AuthConstants.NACOS_USER_KEY);
        if (nacosUser == null) {
            nacosUser = this.iAuthenticationManager.authenticate(httpServletRequest);
            if (nacosUser == null) {
                throw new HttpSessionRequiredException("session expired!");
            }
            this.iAuthenticationManager.hasGlobalAdminRole(nacosUser);
        }
        if (nacosUser.isGlobalAdmin()) {
            return true;
        }
        return nacosUser.getUserName().equals(str);
    }

    @Secured(resource = "console/users", action = ActionTypes.READ)
    @GetMapping(params = {"search=accurate"})
    public Page<User> getUsers(@RequestParam int i, @RequestParam int i2, @RequestParam(name = "username", required = false, defaultValue = "") String str) {
        return this.userDetailsService.getUsersFromDatabase(i, i2, str);
    }

    @Secured(resource = "console/users", action = ActionTypes.READ)
    @GetMapping(params = {"search=blur"})
    public Page<User> fuzzySearchUser(@RequestParam int i, @RequestParam int i2, @RequestParam(name = "username", required = false, defaultValue = "") String str) {
        return this.userDetailsService.findUsersLike4Page(str, i, i2);
    }

    @PostMapping({"/login"})
    public Object login(@RequestParam String str, @RequestParam String str2, HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws AccessException, IOException {
        if (!AuthSystemTypes.NACOS.name().equalsIgnoreCase(this.authConfigs.getNacosAuthSystemType()) && !AuthSystemTypes.LDAP.name().equalsIgnoreCase(this.authConfigs.getNacosAuthSystemType())) {
            try {
                Authentication authenticate = this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(str, str2));
                SecurityContextHolder.getContext().setAuthentication(authenticate);
                String createToken = this.jwtTokenManager.createToken(authenticate);
                httpServletResponse.addHeader(AuthConstants.AUTHORIZATION_HEADER, AuthConstants.TOKEN_PREFIX + createToken);
                return RestResultUtils.success(AuthConstants.TOKEN_PREFIX + createToken);
            } catch (BadCredentialsException e) {
                return RestResultUtils.failed(HttpStatus.UNAUTHORIZED.value(), (Object) null, "Login failed");
            }
        }
        NacosUser authenticate2 = this.iAuthenticationManager.authenticate(httpServletRequest);
        httpServletResponse.addHeader(AuthConstants.AUTHORIZATION_HEADER, AuthConstants.TOKEN_PREFIX + authenticate2.getToken());
        ObjectNode createEmptyJsonNode = JacksonUtils.createEmptyJsonNode();
        createEmptyJsonNode.put("accessToken", authenticate2.getToken());
        createEmptyJsonNode.put("tokenTtl", this.jwtTokenManager.getTokenTtlInSeconds(authenticate2.getToken()));
        createEmptyJsonNode.put("globalAdmin", this.iAuthenticationManager.hasGlobalAdminRole(authenticate2));
        createEmptyJsonNode.put(AuthConstants.PARAM_USERNAME, authenticate2.getUserName());
        return createEmptyJsonNode;
    }

    @PutMapping({"/password"})
    @Deprecated
    public RestResult<String> updatePassword(@RequestParam("oldPassword") String str, @RequestParam("newPassword") String str2) {
        String username = ((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername();
        try {
            if (!PasswordEncoderUtil.matches(str, this.userDetailsService.getUserFromDatabase(username).getPassword()).booleanValue()) {
                return RestResultUtils.failed(HttpStatus.UNAUTHORIZED.value(), "Old password is invalid");
            }
            this.userDetailsService.updateUserPassword(username, PasswordEncoderUtil.encode(str2));
            return RestResultUtils.success("Update password success");
        } catch (Exception e) {
            return RestResultUtils.failed(HttpStatus.INTERNAL_SERVER_ERROR.value(), "Update userpassword failed");
        }
    }

    @Secured(resource = "console/users", action = ActionTypes.WRITE)
    @GetMapping({"/search"})
    public List<String> searchUsersLikeUsername(@RequestParam String str) {
        return this.userDetailsService.findUserLikeUsername(str);
    }
}
