package pl.edu.icm.unity.engine.credential;

import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.CredentialManagement;
import pl.edu.icm.unity.engine.api.authn.AuthenticatorSupportService;
import pl.edu.icm.unity.engine.api.authn.local.LocalCredentialsRegistry;
import pl.edu.icm.unity.engine.attribute.AttributeTypeHelper;
import pl.edu.icm.unity.engine.authz.AuthzCapability;
import pl.edu.icm.unity.engine.authz.InternalAuthorizationManager;
import pl.edu.icm.unity.engine.events.InvocationEventProducer;
import pl.edu.icm.unity.engine.identity.IdentityHelper;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalCredentialException;
import pl.edu.icm.unity.store.api.AttributeDAO;
import pl.edu.icm.unity.store.api.AttributeTypeDAO;
import pl.edu.icm.unity.store.api.generic.CredentialDB;
import pl.edu.icm.unity.store.api.tx.Transactional;
import pl.edu.icm.unity.store.types.UpdateFlag;
import pl.edu.icm.unity.types.authn.CredentialDefinition;
import pl.edu.icm.unity.types.authn.CredentialRequirements;
import pl.edu.icm.unity.types.authn.CredentialType;
import pl.edu.icm.unity.types.authn.LocalCredentialState;
import pl.edu.icm.unity.types.basic.AttributeExt;

@Transactional
@Component
@Primary
@InvocationEventProducer
/* loaded from: input_file:pl/edu/icm/unity/engine/credential/CredentialManagementImpl.class */
public class CredentialManagementImpl implements CredentialManagement {
    private static final Logger log = Log.getLogger("unity.server.core", CredentialManagementImpl.class);
    private LocalCredentialsRegistry localCredReg;
    private CredentialDB credentialDB;
    private CredentialReqRepository credentialRequirementRepository;
    private CredentialRepository credentialRepository;
    private IdentityHelper identityHelper;
    private AttributeTypeDAO attributeTypeDAO;
    private AttributeDAO attributeDAO;
    private InternalAuthorizationManager authz;
    private SystemCredentialProvider sysProvider;
    private AttributeTypeHelper attrTypeHelper;
    private EntityCredentialsHelper entityCredentialsHelper;
    private AuthenticatorSupportService authenticatorsService;

    @Autowired
    public CredentialManagementImpl(LocalCredentialsRegistry localCredentialsRegistry, CredentialDB credentialDB, CredentialReqRepository credentialReqRepository, IdentityHelper identityHelper, AttributeTypeDAO attributeTypeDAO, AttributeDAO attributeDAO, InternalAuthorizationManager internalAuthorizationManager, SystemCredentialProvider systemCredentialProvider, CredentialRepository credentialRepository, AttributeTypeHelper attributeTypeHelper, EntityCredentialsHelper entityCredentialsHelper, AuthenticatorSupportService authenticatorSupportService) {
        this.localCredReg = localCredentialsRegistry;
        this.credentialDB = credentialDB;
        this.credentialRequirementRepository = credentialReqRepository;
        this.identityHelper = identityHelper;
        this.attributeTypeDAO = attributeTypeDAO;
        this.attributeDAO = attributeDAO;
        this.authz = internalAuthorizationManager;
        this.sysProvider = systemCredentialProvider;
        this.credentialRepository = credentialRepository;
        this.attrTypeHelper = attributeTypeHelper;
        this.entityCredentialsHelper = entityCredentialsHelper;
        this.authenticatorsService = authenticatorSupportService;
    }

    public Collection<CredentialType> getCredentialTypes() throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.readInfo);
        return this.localCredReg.getLocalCredentialTypes();
    }

    public void addCredentialDefinition(CredentialDefinition credentialDefinition) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        assertIsNotReadOnly(credentialDefinition);
        assertIsNotSystemCredential(credentialDefinition.getName());
        CredentialHolder credentialHolder = new CredentialHolder(credentialDefinition, this.localCredReg);
        this.credentialDB.create(credentialDefinition);
        this.attributeTypeDAO.create(this.attrTypeHelper.getCredentialAT(credentialHolder.getCredentialDefinition().getName()));
    }

    public void updateCredentialDefinition(CredentialDefinition credentialDefinition, LocalCredentialState localCredentialState) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        assertIsNotReadOnly(credentialDefinition);
        assertIsNotSystemCredential(credentialDefinition.getName());
        assertTypeUnchanged(credentialDefinition, (CredentialDefinition) this.credentialDB.get(credentialDefinition.getName()));
        CredentialHolder credentialHolder = new CredentialHolder(credentialDefinition, this.localCredReg);
        HashSet hashSet = new HashSet();
        for (CredentialRequirements credentialRequirements : this.credentialRequirementRepository.getCredentialRequirements()) {
            if (credentialRequirements.getRequiredCredentials().contains(credentialDefinition.getName())) {
                hashSet.add(credentialRequirements.getName());
            }
        }
        Map<Long, String> entitiesWithCredential = getEntitiesWithCredential(this.identityHelper.getEntitiesByRootAttribute(CredentialAttributeTypeProvider.CREDENTIAL_REQUIREMENTS, hashSet), credentialHolder.getCredentialDefinition().getName());
        for (Map.Entry<Long, String> entry : entitiesWithCredential.entrySet()) {
            checkEntityCredentialState(entry.getKey().longValue(), entry.getValue(), localCredentialState, credentialHolder);
        }
        for (Map.Entry<Long, String> entry2 : entitiesWithCredential.entrySet()) {
            updateCredentialAfterDefinitionChange(entry2.getKey(), entry2.getValue(), credentialHolder, localCredentialState);
        }
        this.credentialDB.updateControlled(credentialDefinition, getUpdateFlags(credentialDefinition));
        this.authenticatorsService.refreshAuthenticatorsOfCredential(credentialDefinition.getName());
    }

    private void assertTypeUnchanged(CredentialDefinition credentialDefinition, CredentialDefinition credentialDefinition2) {
        if (!credentialDefinition.getTypeId().equals(credentialDefinition2.getTypeId())) {
            throw new IllegalArgumentException("Credential '" + credentialDefinition.getName() + "' can not have its type changed from " + credentialDefinition2.getTypeId());
        }
    }

    private EnumSet<UpdateFlag> getUpdateFlags(CredentialDefinition credentialDefinition) {
        return new CredentialHolder(this.credentialDB.get(credentialDefinition.getName()), this.localCredReg).getHandler().isCredentialDefinitionChagneOutdatingCredentials(credentialDefinition.getConfiguration()) ? EnumSet.noneOf(UpdateFlag.class) : EnumSet.of(UpdateFlag.DOESNT_MAKE_INSTANCES_INVALID);
    }

    private void updateCredentialAfterDefinitionChange(Long l, String str, CredentialHolder credentialHolder, LocalCredentialState localCredentialState) {
        if (localCredentialState == LocalCredentialState.notSet) {
            return;
        }
        credentialHolder.getHandler().updateCredentialAfterConfigurationChange(str).ifPresent(str2 -> {
            log.info("Updating credential of {} after its definition was changed", l);
            this.entityCredentialsHelper.setPreviouslyPreparedEntityCredential(l.longValue(), str2, credentialHolder.getCredentialDefinition().getName());
        });
    }

    public void removeCredentialDefinition(String str) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        assertIsNotSystemCredential(str);
        this.credentialDB.delete(str);
        this.attributeTypeDAO.delete(CredentialAttributeTypeProvider.CREDENTIAL_PREFIX + str);
    }

    public Collection<CredentialDefinition> getCredentialDefinitions() throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.readInfo);
        return this.credentialRepository.getCredentialDefinitions();
    }

    public CredentialDefinition getCredentialDefinition(String str) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.readInfo);
        return this.credentialRepository.get(str);
    }

    private void checkEntityCredentialState(long j, String str, LocalCredentialState localCredentialState, CredentialHolder credentialHolder) throws EngineException {
        if (localCredentialState == LocalCredentialState.outdated) {
            return;
        }
        if (localCredentialState == LocalCredentialState.notSet) {
            this.attributeDAO.deleteAttribute(CredentialAttributeTypeProvider.CREDENTIAL_PREFIX + credentialHolder.getCredentialDefinition().getName(), j, "/");
        } else if (credentialHolder.getHandler().checkCredentialState(str).getState() != LocalCredentialState.correct && localCredentialState == LocalCredentialState.correct) {
            throw new IllegalCredentialException("The new credential is not compatible with the previous definition and can not keep the credential state as correct");
        }
    }

    private Map<Long, String> getEntitiesWithCredential(Set<Long> set, String str) throws EngineException {
        HashMap hashMap = new HashMap();
        Iterator<Long> it = set.iterator();
        while (it.hasNext()) {
            long longValue = it.next().longValue();
            getEntityCredential(longValue, str).ifPresent(str2 -> {
                hashMap.put(Long.valueOf(longValue), str2);
            });
        }
        return hashMap;
    }

    private Optional<String> getEntityCredential(long j, String str) throws EngineException {
        List entityAttributes = this.attributeDAO.getEntityAttributes(j, CredentialAttributeTypeProvider.CREDENTIAL_PREFIX + str, "/");
        return entityAttributes.isEmpty() ? Optional.empty() : Optional.of((String) ((AttributeExt) entityAttributes.iterator().next()).getValues().get(0));
    }

    private void assertIsNotSystemCredential(String str) {
        if (((Set) this.sysProvider.getSystemCredentials().stream().map(credentialDefinition -> {
            return credentialDefinition.getName();
        }).collect(Collectors.toSet())).contains(str)) {
            throw new IllegalArgumentException("Credential '" + str + "' is the system credential and can not be overwritten or removed");
        }
    }

    private void assertIsNotReadOnly(CredentialDefinition credentialDefinition) throws EngineException {
        if (credentialDefinition.isReadOnly()) {
            throw new IllegalArgumentException("Cannot create read only credentials through this API");
        }
    }
}
