package org.apache.nifi.registry.web.api;

import io.swagger.annotations.Api;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiParam;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import io.swagger.annotations.Authorization;
import io.swagger.annotations.Extension;
import io.swagger.annotations.ExtensionProperty;
import java.net.URI;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpStatus;
import org.apache.nifi.registry.authorization.User;
import org.apache.nifi.registry.authorization.UserGroup;
import org.apache.nifi.registry.event.EventFactory;
import org.apache.nifi.registry.event.EventService;
import org.apache.nifi.registry.exception.ResourceNotFoundException;
import org.apache.nifi.registry.security.authorization.Authorizer;
import org.apache.nifi.registry.security.authorization.AuthorizerCapabilityDetection;
import org.apache.nifi.registry.security.authorization.RequestAction;
import org.apache.nifi.registry.service.AuthorizationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader;
import org.springframework.stereotype.Component;

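/**
 * JAX-RS resource, mounted at {@code tenants}, that manages users and user groups.
 *
 * <p>Every endpoint first checks that the configured {@link Authorizer} has the required
 * capability (managed for reads, configurable user/group provider for writes and deletes) and
 * then authorizes the caller against the tenants authorizable with the matching
 * {@link RequestAction}. Request payloads are validated only after that authorization call, so
 * a caller without rights on {@code /tenants} gets the authorization failure instead of
 * validation feedback about the payload.
 *
 * <p>Endpoints that create, update or delete a tenant publish the corresponding event through
 * {@code publish(...)} after the service call succeeds.
 */
@Api(value = "tenants", description = "Endpoint for managing users and user groups.", authorizations = {@Authorization("Authorization")})
@Path("tenants")
@Component
/* loaded from: input_file:WEB-INF/classes/org/apache/nifi/registry/web/api/TenantResource.class */
public class TenantResource extends AuthorizableApplicationResource {
    // The warn() calls in this class log ids taken from the URL path, i.e. client-controlled text.
    // NOTE(review): confirm the configured log layout neutralises CR/LF so such values cannot
    // forge additional log lines.
    private static final Logger logger = LoggerFactory.getLogger(TenantResource.class);

    // Assigned once in the constructor; used only for the capability checks below.
    private final Authorizer authorizer;

    /**
     * Creates the resource and caches the authorizer exposed by the authorization service.
     *
     * @param authorizationService service used for authorization and tenant CRUD operations
     * @param eventService event service handed to the superclass
     */
    @Autowired
    public TenantResource(AuthorizationService authorizationService, EventService eventService) {
        super(authorizationService, eventService);
        this.authorizer = authorizationService.getAuthorizer();
    }

    /**
     * Creates a new user.
     *
     * <p>Order of checks: authorizer capability, WRITE authorization on the tenants authorizable,
     * then payload validation. Authorization runs before validation, matching
     * {@link #updateUser} and {@link #createUserGroup}, so an unauthorized caller cannot use
     * the validation errors to probe the endpoint.
     *
     * @param httpServletRequest the current request (not read by this method)
     * @param user the user to create; must carry an identity and must not carry an identifier
     * @return a "created" response whose location is the new user's URI and whose entity is the created user
     * @throws IllegalStateException if the authorizer is not a configurable user group provider
     * @throws IllegalArgumentException if {@code user} is null, has an identifier, or has a blank identity
     */
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("users")
    @Consumes({"application/json"})
    @ApiOperation(value = "Create user", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = User.class, extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "write"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @POST
    @Produces({"application/json"})
    public Response createUser(@Context HttpServletRequest httpServletRequest, @ApiParam(value = "The user configuration details.", required = true) User user) {
        verifyAuthorizerSupportsConfigurableUserGroups();
        // Authorize before inspecting the payload: callers lacking WRITE on /tenants must not
        // receive validation feedback.
        authorizeAccess(RequestAction.WRITE);
        if (user == null) {
            throw new IllegalArgumentException("User details must be specified when creating a new user.");
        }
        // The identifier is not accepted from the client on creation; the created user's
        // identifier is read back from the service result below.
        if (user.getIdentifier() != null) {
            throw new IllegalArgumentException("User identifier cannot be specified when creating a new user.");
        }
        if (StringUtils.isBlank(user.getIdentity())) {
            throw new IllegalArgumentException("User identity must be specified when creating a new user.");
        }
        final User createdUser = this.authorizationService.createUser(user);
        publish(EventFactory.userCreated(createdUser));
        return generateCreatedResponse(URI.create(generateUserUri(createdUser)), createdUser).build();
    }

    /**
     * Returns all users known to the authorization service.
     *
     * @return an OK response wrapping the result of {@code authorizationService.getUsers()}
     * @throws IllegalStateException if the authorizer is not a managed authorizer
     */
    @GET
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("users")
    @Consumes({"*/*"})
    @ApiOperation(value = "Get all users", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = User.class, responseContainer = "List", extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "read"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @Produces({"application/json"})
    public Response getUsers() {
        verifyAuthorizerIsManaged();
        authorizeAccess(RequestAction.READ);
        return generateOkResponse(this.authorizationService.getUsers()).build();
    }

    /**
     * Returns a single user by id.
     *
     * <p>The lookup happens only after READ authorization, so the not-found branch is reached
     * only by callers that passed the authorization call.
     *
     * @param str the user id taken from the URL path
     * @return an OK response wrapping the user
     * @throws IllegalStateException if the authorizer is not a managed authorizer
     * @throws ResourceNotFoundException if the service returns no user for the id
     */
    @GET
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("users/{id}")
    @Consumes({"*/*"})
    @ApiOperation(value = "Get user", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = User.class, extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "read"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @Produces({"application/json"})
    public Response getUser(@PathParam("id") @ApiParam(value = "The user id.", required = true) String str) {
        verifyAuthorizerIsManaged();
        authorizeAccess(RequestAction.READ);
        final User user = this.authorizationService.getUser(str);
        if (user == null) {
            logger.warn("The specified user id [{}] does not exist.", str);
            // The client-facing message deliberately omits the requested id.
            throw new ResourceNotFoundException("The specified user ID does not exist in this registry.");
        }
        return generateOkResponse(user).build();
    }

    /**
     * Updates an existing user.
     *
     * @param httpServletRequest the current request (not read by this method)
     * @param str the user id taken from the URL path
     * @param user the new user details; its identifier must equal {@code str}
     * @return an OK response wrapping the updated user
     * @throws IllegalStateException if the authorizer is not a configurable user group provider
     * @throws IllegalArgumentException if {@code user} is null or its identifier differs from the path id
     * @throws ResourceNotFoundException if the service returns no user for the update
     */
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("users/{id}")
    @Consumes({"application/json"})
    @ApiOperation(value = "Update user", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = User.class, extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "write"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @Produces({"application/json"})
    @PUT
    public Response updateUser(@Context HttpServletRequest httpServletRequest, @PathParam("id") @ApiParam(value = "The user id.", required = true) String str, @ApiParam(value = "The user configuration details.", required = true) User user) {
        verifyAuthorizerSupportsConfigurableUserGroups();
        authorizeAccess(RequestAction.WRITE);
        if (user == null) {
            throw new IllegalArgumentException("User details must be specified when updating a user.");
        }
        // The body must name the same resource as the URL, so a request cannot be authorized
        // and routed for one id while modifying another.
        if (!str.equals(user.getIdentifier())) {
            // NOTE(review): this message echoes both client-supplied ids; confirm the exception
            // mapper (outside this file) returns it with a non-HTML content type.
            throw new IllegalArgumentException(String.format("The user id in the request body (%s) does not equal the user id of the requested resource (%s).", user.getIdentifier(), str));
        }
        final User updatedUser = this.authorizationService.updateUser(user);
        if (updatedUser == null) {
            logger.warn("The specified user id [{}] does not exist.", str);
            throw new ResourceNotFoundException("The specified user ID does not exist in this registry.");
        }
        publish(EventFactory.userUpdated(updatedUser));
        return generateOkResponse(updatedUser).build();
    }

    /**
     * Deletes a user.
     *
     * @param httpServletRequest the current request (not read by this method)
     * @param str the user id taken from the URL path
     * @return an OK response wrapping the deleted user
     * @throws IllegalStateException if the authorizer is not a configurable user group provider
     * @throws ResourceNotFoundException if the service returns no user for the id
     */
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("users/{id}")
    @Consumes({"*/*"})
    @DELETE
    @ApiOperation(value = "Delete user", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = User.class, extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "delete"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @Produces({"application/json"})
    public Response removeUser(@Context HttpServletRequest httpServletRequest, @PathParam("id") @ApiParam(value = "The user id.", required = true) String str) {
        verifyAuthorizerSupportsConfigurableUserGroups();
        authorizeAccess(RequestAction.DELETE);
        final User deletedUser = this.authorizationService.deleteUser(str);
        if (deletedUser == null) {
            logger.warn("The specified user id [{}] does not exist.", str);
            throw new ResourceNotFoundException("The specified user ID does not exist in this registry.");
        }
        publish(EventFactory.userDeleted(deletedUser));
        return generateOkResponse(deletedUser).build();
    }

    /**
     * Creates a new user group.
     *
     * @param httpServletRequest the current request (not read by this method)
     * @param userGroup the group to create; must carry an identity and must not carry an identifier
     * @return a "created" response whose location is the new group's URI and whose entity is the created group
     * @throws IllegalStateException if the authorizer is not a configurable user group provider
     * @throws IllegalArgumentException if {@code userGroup} is null, has an identifier, or has a blank identity
     */
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("user-groups")
    @Consumes({"application/json"})
    @ApiOperation(value = "Create user group", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = UserGroup.class, extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "write"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @POST
    @Produces({"application/json"})
    public Response createUserGroup(@Context HttpServletRequest httpServletRequest, @ApiParam(value = "The user group configuration details.", required = true) UserGroup userGroup) {
        verifyAuthorizerSupportsConfigurableUserGroups();
        authorizeAccess(RequestAction.WRITE);
        if (userGroup == null) {
            throw new IllegalArgumentException("User group details must be specified when creating a new group.");
        }
        // The identifier is not accepted from the client on creation.
        if (userGroup.getIdentifier() != null) {
            throw new IllegalArgumentException("User group ID cannot be specified when creating a new group.");
        }
        if (StringUtils.isBlank(userGroup.getIdentity())) {
            throw new IllegalArgumentException("User group identity must be specified when creating a new group.");
        }
        final UserGroup createdGroup = this.authorizationService.createUserGroup(userGroup);
        publish(EventFactory.userGroupCreated(createdGroup));
        return generateCreatedResponse(URI.create(generateUserGroupUri(createdGroup)), createdGroup).build();
    }

    /**
     * Returns all user groups known to the authorization service.
     *
     * @return an OK response wrapping the result of {@code authorizationService.getUserGroups()}
     * @throws IllegalStateException if the authorizer is not a managed authorizer
     */
    @GET
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("user-groups")
    @Consumes({"*/*"})
    @ApiOperation(value = "Get user groups", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = UserGroup.class, responseContainer = "List", extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "read"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @Produces({"application/json"})
    public Response getUserGroups() {
        verifyAuthorizerIsManaged();
        authorizeAccess(RequestAction.READ);
        return generateOkResponse(this.authorizationService.getUserGroups()).build();
    }

    /**
     * Returns a single user group by id.
     *
     * @param str the user group id taken from the URL path
     * @return an OK response wrapping the group
     * @throws IllegalStateException if the authorizer is not a managed authorizer
     * @throws ResourceNotFoundException if the service returns no group for the id
     */
    @GET
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("user-groups/{id}")
    @Consumes({"*/*"})
    @ApiOperation(value = "Get user group", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = UserGroup.class, extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "read"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @Produces({"application/json"})
    public Response getUserGroup(@PathParam("id") @ApiParam(value = "The user group id.", required = true) String str) {
        verifyAuthorizerIsManaged();
        authorizeAccess(RequestAction.READ);
        final UserGroup userGroup = this.authorizationService.getUserGroup(str);
        if (userGroup == null) {
            logger.warn("The specified user group id [{}] does not exist.", str);
            throw new ResourceNotFoundException("The specified user group ID does not exist in this registry.");
        }
        return generateOkResponse(userGroup).build();
    }

    /**
     * Updates an existing user group.
     *
     * <p>Order of checks: authorizer capability, WRITE authorization on the tenants authorizable,
     * then payload validation. Authorization runs before validation, matching
     * {@link #updateUser}, so an unauthorized caller never receives the mismatch message that
     * echoes the submitted identifiers.
     *
     * @param httpServletRequest the current request (not read by this method)
     * @param str the user group id taken from the URL path
     * @param userGroup the new group details; its identifier must equal {@code str}
     * @return an OK response wrapping the updated group
     * @throws IllegalStateException if the authorizer is not a configurable user group provider
     * @throws IllegalArgumentException if {@code userGroup} is null or its identifier differs from the path id
     * @throws ResourceNotFoundException if the service returns no group for the update
     */
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("user-groups/{id}")
    @Consumes({"application/json"})
    @ApiOperation(value = "Update user group", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = UserGroup.class, extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "write"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @Produces({"application/json"})
    @PUT
    public Response updateUserGroup(@Context HttpServletRequest httpServletRequest, @PathParam("id") @ApiParam(value = "The user group id.", required = true) String str, @ApiParam(value = "The user group configuration details.", required = true) UserGroup userGroup) {
        verifyAuthorizerSupportsConfigurableUserGroups();
        // Authorize before inspecting the payload: callers lacking WRITE on /tenants must not
        // receive validation feedback.
        authorizeAccess(RequestAction.WRITE);
        if (userGroup == null) {
            throw new IllegalArgumentException("User group details must be specified to update a user group.");
        }
        // The body must name the same resource as the URL.
        if (!str.equals(userGroup.getIdentifier())) {
            throw new IllegalArgumentException(String.format("The user group id in the request body (%s) does not equal the user group id of the requested resource (%s).", userGroup.getIdentifier(), str));
        }
        final UserGroup updatedGroup = this.authorizationService.updateUserGroup(userGroup);
        if (updatedGroup == null) {
            logger.warn("The specified user group id [{}] does not exist.", str);
            throw new ResourceNotFoundException("The specified user group ID does not exist in this registry.");
        }
        publish(EventFactory.userGroupUpdated(updatedGroup));
        return generateOkResponse(updatedGroup).build();
    }

    /**
     * Deletes a user group.
     *
     * @param httpServletRequest the current request (not read by this method)
     * @param str the user group id taken from the URL path
     * @return an OK response wrapping the deleted group
     * @throws IllegalStateException if the authorizer is not a configurable user group provider
     * @throws ResourceNotFoundException if the service returns no group for the id
     */
    @ApiResponses({@ApiResponse(code = 400, message = "NiFi Registry was unable to complete the request because it was invalid. The request should not be retried without modification."), @ApiResponse(code = 401, message = "Client could not be authenticated."), @ApiResponse(code = 403, message = "Client is not authorized to make this request."), @ApiResponse(code = 404, message = "The specified resource could not be found."), @ApiResponse(code = HttpStatus.SC_CONFLICT, message = "NiFi Registry was unable to complete the request because it assumes a server state that is not valid.")})
    @Path("user-groups/{id}")
    @Consumes({"*/*"})
    @DELETE
    @ApiOperation(value = "Delete user group", notes = ApplicationResource.NON_GUARANTEED_ENDPOINT, response = UserGroup.class, extensions = {@Extension(name = "access-policy", properties = {@ExtensionProperty(name = "action", value = "delete"), @ExtensionProperty(name = DefaultBeanDefinitionDocumentReader.RESOURCE_ATTRIBUTE, value = "/tenants")})})
    @Produces({"application/json"})
    public Response removeUserGroup(@Context HttpServletRequest httpServletRequest, @PathParam("id") @ApiParam(value = "The user group id.", required = true) String str) {
        verifyAuthorizerSupportsConfigurableUserGroups();
        authorizeAccess(RequestAction.DELETE);
        final UserGroup deletedGroup = this.authorizationService.deleteUserGroup(str);
        if (deletedGroup == null) {
            logger.warn("The specified user group id [{}] does not exist.", str);
            throw new ResourceNotFoundException("The specified user group ID does not exist in this registry.");
        }
        publish(EventFactory.userGroupDeleted(deletedGroup));
        return generateOkResponse(deletedGroup).build();
    }

    /**
     * Rejects the request unless the configured authorizer is a managed authorizer.
     *
     * @throws IllegalStateException with {@code AuthorizationService.MSG_NON_MANAGED_AUTHORIZER} otherwise
     */
    private void verifyAuthorizerIsManaged() {
        if (!AuthorizerCapabilityDetection.isManagedAuthorizer(this.authorizer)) {
            throw new IllegalStateException(AuthorizationService.MSG_NON_MANAGED_AUTHORIZER);
        }
    }

    /**
     * Rejects the request unless the configured authorizer is a configurable user group provider.
     *
     * @throws IllegalStateException with {@code AuthorizationService.MSG_NON_CONFIGURABLE_USERS} otherwise
     */
    private void verifyAuthorizerSupportsConfigurableUserGroups() {
        if (!AuthorizerCapabilityDetection.isConfigurableUserGroupProvider(this.authorizer)) {
            throw new IllegalStateException(AuthorizationService.MSG_NON_CONFIGURABLE_USERS);
        }
    }

    /**
     * Authorizes the current caller for {@code requestAction} on the tenants authorizable.
     *
     * <p>NOTE(review): the failure mode of {@code authorizationService.authorize} is not visible
     * here; presumably it throws when access is denied — confirm against the service.
     *
     * @param requestAction the action (READ, WRITE or DELETE) being requested
     */
    private void authorizeAccess(RequestAction requestAction) {
        this.authorizationService.authorize(this.authorizableLookup.getTenantsAuthorizable(), requestAction);
    }

    /** Builds the resource URI of {@code user} under {@code tenants/users}. */
    private String generateUserUri(User user) {
        return generateResourceUri("tenants", "users", user.getIdentifier());
    }

    /** Builds the resource URI of {@code userGroup} under {@code tenants/user-groups}. */
    private String generateUserGroupUri(UserGroup userGroup) {
        return generateResourceUri("tenants", "user-groups", userGroup.getIdentifier());
    }
}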
