package org.exist.xquery.functions.securitymanager;

import org.exist.EXistException;
import org.exist.config.ConfigurationException;
import org.exist.dom.QName;
import org.exist.security.AXSchemaType;
import org.exist.security.Account;
import org.exist.security.EXistSchemaType;
import org.exist.security.Group;
import org.exist.security.PermissionDeniedException;
import org.exist.security.SecurityManager;
import org.exist.security.Subject;
import org.exist.security.internal.Password;
import org.exist.security.internal.aider.GroupAider;
import org.exist.security.internal.aider.UserAider;
import org.exist.storage.DBBroker;
import org.exist.xquery.BasicFunction;
import org.exist.xquery.FunctionSignature;
import org.exist.xquery.XPathException;
import org.exist.xquery.XQueryContext;
import org.exist.xquery.value.FunctionParameterSequenceType;
import org.exist.xquery.value.Sequence;
import org.exist.xquery.value.SequenceType;
import org.hibernate.validator.internal.metadata.core.ConstraintHelper;

/* loaded from: input_file:WEB-INF/lib/exist-core-3.0.RC1.jar:org/exist/xquery/functions/securitymanager/AccountManagementFunction.class */
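/**
 * Implements the {@code sm:create-account}, {@code sm:remove-account}, {@code sm:passwd} and
 * {@code sm:passwd-hash} functions of the Security Manager module.
 *
 * <p>Authorization is checked against the calling {@link Subject} before any change is made:
 * creating or removing an account requires the DBA role, while a password may be changed by the
 * account owner or by a DBA. Security-manager failures are surfaced to the query as
 * {@link XPathException}s carrying the original cause.
 */
public class AccountManagementFunction extends BasicFunction {
    /**
     * Name of the supplementary-groups parameter. A compile-time literal here replaces a
     * decompiler-resolved reference into a third-party constant of the same value, so the class
     * no longer couples to a library it does not otherwise use.
     */
    private static final String PARAM_GROUPS = "groups";

    public static final QName qnCreateAccount = new QName("create-account", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    public static final QName qnRemoveAccount = new QName("remove-account", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    public static final QName qnPasswd = new QName("passwd", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    public static final QName qnPasswdHash = new QName("passwd-hash", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);

    /** create-account with an explicit primary group (4 arguments). */
    public static final FunctionSignature FNS_CREATE_ACCOUNT = new FunctionSignature(qnCreateAccount, "Creates a User Account.", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The User's username."), new FunctionParameterSequenceType("password", 22, 2, "The User's password."), new FunctionParameterSequenceType("primary-group", 22, 2, "The primary group of the user."), new FunctionParameterSequenceType(PARAM_GROUPS, 22, 7, "Any supplementary groups of which the user should be a member.")}, new SequenceType(10, 1));
    /** create-account with an explicit primary group plus full-name and description (6 arguments). */
    public static final FunctionSignature FNS_CREATE_ACCOUNT_WITH_METADATA = new FunctionSignature(qnCreateAccount, "Creates a User Account.", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The User's username."), new FunctionParameterSequenceType("password", 22, 2, "The User's password."), new FunctionParameterSequenceType("primary-group", 22, 2, "The primary group of the user."), new FunctionParameterSequenceType(PARAM_GROUPS, 22, 7, "Any supplementary groups of which the user should be a member."), new FunctionParameterSequenceType("full-name", 22, 2, "The full name of the user."), new FunctionParameterSequenceType("description", 22, 2, "A description of the user.")}, new SequenceType(10, 1));
    /** create-account that also creates a personal group named after the user (3 arguments). */
    public static final FunctionSignature FNS_CREATE_ACCOUNT_WITH_PERSONAL_GROUP = new FunctionSignature(qnCreateAccount, "Creates a User Account and a personal group for that user. The personal group takes the same name as the user, and is set as the user's primary group.", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The User's username."), new FunctionParameterSequenceType("password", 22, 2, "The User's password."), new FunctionParameterSequenceType(PARAM_GROUPS, 22, 7, "Any supplementary groups of which the user should be a member.")}, new SequenceType(10, 1));
    /** create-account with a personal group plus full-name and description (5 arguments). */
    public static final FunctionSignature FNS_CREATE_ACCOUNT_WITH_PERSONAL_GROUP_WITH_METADATA = new FunctionSignature(qnCreateAccount, "Creates a User Account and a personal group for that user. The personal group takes the same name as the user, and is set as the user's primary group.", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The User's username."), new FunctionParameterSequenceType("password", 22, 2, "The User's password."), new FunctionParameterSequenceType(PARAM_GROUPS, 22, 7, "Any supplementary groups of which the user should be a member."), new FunctionParameterSequenceType("full-name", 22, 2, "The full name of the user."), new FunctionParameterSequenceType("description", 22, 2, "A description of the user.")}, new SequenceType(10, 1));
    public static final FunctionSignature FNS_REMOVE_ACCOUNT = new FunctionSignature(qnRemoveAccount, "Removes a User Account. If the user has a personal group you are responsible for removing that separately through sm:remove-group. ", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The User's username.")}, new SequenceType(10, 1));
    public static final FunctionSignature FNS_PASSWD = new FunctionSignature(qnPasswd, "Changes the password of a User Account.", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The User's username."), new FunctionParameterSequenceType("password", 22, 2, "The User's new password.")}, new SequenceType(10, 1));
    public static final FunctionSignature FNS_PASSWD_HASH = new FunctionSignature(qnPasswdHash, "Changes the password of a User Account by directly setting the stored digest password. The use-case for this function is migrating a user from one eXist instance to another.", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The User's username."), new FunctionParameterSequenceType("password-digest", 22, 2, "The encoded digest of the User's new password (assumes eXist's default digest algorithm).")}, new SequenceType(10, 1));

    /**
     * Creates the function instance for one of the signatures declared on this class.
     *
     * @param xQueryContext     the query context the function runs in
     * @param functionSignature the signature this instance was selected for
     */
    public AccountManagementFunction(XQueryContext xQueryContext, FunctionSignature functionSignature) {
        super(xQueryContext, functionSignature);
    }

    /**
     * Dispatches on the function name this instance was called as and performs the account
     * operation on behalf of the current broker's subject.
     *
     * @param sequenceArr the evaluated arguments; {@code sequenceArr[0]} is always the username
     * @param sequence    the context sequence (unused)
     * @return {@link Sequence#EMPTY_SEQUENCE} on success
     * @throws XPathException if the caller is not authorized, the request is invalid, the
     *                        function name is unknown, or the security manager reports an error
     */
    @Override // org.exist.xquery.BasicFunction
    public Sequence eval(Sequence[] sequenceArr, Sequence sequence) throws XPathException {
        final DBBroker broker = getContext().getBroker();
        final Subject caller = broker.getSubject();
        final SecurityManager securityManager = broker.getBrokerPool().getSecurityManager();
        final String username = sequenceArr[0].getStringValue();
        try {
            if (isCalledAs(qnRemoveAccount.getLocalPart())) {
                removeAccount(securityManager, caller, username);
            } else if (isCalledAs(qnPasswd.getLocalPart()) || isCalledAs(qnPasswdHash.getLocalPart())) {
                final boolean fromDigest = isCalledAs(qnPasswdHash.getLocalPart());
                changePassword(securityManager, caller, username, sequenceArr[1].getStringValue(), fromDigest);
            } else if (isCalledAs(qnCreateAccount.getLocalPart())) {
                createAccount(securityManager, caller, username, sequenceArr);
            } else {
                // Rejected before any argument beyond the username is read, so an unexpected
                // signature cannot fail with an index error instead of this message.
                throw new XPathException("Unknown function call: " + getSignature());
            }
            return Sequence.EMPTY_SEQUENCE;
        } catch (final ConfigurationException | PermissionDeniedException e) {
            // Wrap with this expression as location so the query error points at the call site.
            throw new XPathException(this, e);
        } catch (final EXistException e) {
            throw new XPathException(this, e);
        }
    }

    /**
     * Replaces the credential of an existing account.
     *
     * <p>For {@code sm:passwd-hash} the supplied string is stored as the credential as-is (under
     * {@link Password#DEFAULT_ALGORITHM}); it is not re-hashed or validated here.
     *
     * @param securityManager the security manager that owns the account
     * @param caller          the subject executing the query
     * @param username        the account whose credential is replaced
     * @param secret          the new plaintext password, or the encoded digest when
     *                        {@code fromDigest} is true
     * @param fromDigest      true when called as {@code sm:passwd-hash}, false for {@code sm:passwd}
     * @throws XPathException if the caller is neither the account owner nor a DBA, or the account
     *                        does not exist
     */
    private void changePassword(final SecurityManager securityManager, final Subject caller,
            final String username, final String secret, final boolean fromDigest)
            throws XPathException, ConfigurationException, EXistException, PermissionDeniedException {
        if (!caller.getName().equals(username) && !caller.hasDbaRole()) {
            throw new XPathException("You may only change your own password, unless you are a DBA.");
        }
        final Account account = securityManager.getAccount(username);
        if (account == null) {
            // getAccount is taken to return null for an unknown name; without this guard the
            // lookup miss surfaced as a NullPointerException rather than a query error.
            throw new XPathException("The user account with username " + username + " does not exist.");
        }
        if (fromDigest) {
            account.setCredential(new Password(account, Password.DEFAULT_ALGORITHM, secret));
        } else {
            account.setPassword(secret);
        }
        securityManager.updateAccount(account);
    }

    /**
     * Creates a new account, and for the personal-group signatures also a group of the same name
     * that becomes the account's primary group.
     *
     * <p>The signature variant is derived from the declared argument count: 3 and 5 arguments
     * are the personal-group forms, 4 and 6 take an explicit primary group as the third argument,
     * and 5 and 6 carry full-name and description as the last two arguments.
     *
     * @param securityManager the security manager to create the account (and group) in
     * @param caller          the subject executing the query; must be a DBA
     * @param username        the new account's name
     * @param args            the full evaluated argument list of the call
     * @throws XPathException if the caller is not a DBA or the username is already taken
     */
    private void createAccount(final SecurityManager securityManager, final Subject caller,
            final String username, final Sequence[] args)
            throws XPathException, ConfigurationException, EXistException, PermissionDeniedException {
        if (!caller.hasDbaRole()) {
            throw new XPathException("You must be a DBA to create a User Account.");
        }
        if (securityManager.hasAccount(username)) {
            throw new XPathException("The user account with username " + username + " already exists.");
        }

        final int argumentCount = getSignature().getArgumentCount();
        final boolean personalGroup = argumentCount == 3 || argumentCount == 5;
        final boolean withMetadata = argumentCount >= 5;

        final UserAider userAider = new UserAider(username);
        userAider.setPassword(args[1].getStringValue());
        if (withMetadata) {
            userAider.setMetadataValue(AXSchemaType.FULLNAME, args[argumentCount - 2].toString());
            userAider.setMetadataValue(EXistSchemaType.DESCRIPTION, args[argumentCount - 1].toString());
        }

        final String[] supplementaryGroups;
        if (personalGroup) {
            final GroupAider groupAider = new GroupAider(username);
            groupAider.setMetadataValue(EXistSchemaType.DESCRIPTION, "Personal group for " + username);
            // The creating DBA manages the group; the new account is added as a manager below,
            // once it exists.
            groupAider.addManager(caller);
            securityManager.addGroup(groupAider);
            userAider.addGroup(username);
            supplementaryGroups = getGroups(args[2]);
        } else {
            userAider.addGroup(args[2].getStringValue());
            supplementaryGroups = getGroups(args[3]);
        }
        for (final String groupName : supplementaryGroups) {
            userAider.addGroup(groupName);
        }
        securityManager.addAccount(userAider);

        if (personalGroup) {
            final Group group = securityManager.getGroup(username);
            group.addManager(securityManager.getAccount(username));
            securityManager.updateGroup(group);
        }
    }

    /**
     * Deletes an existing account. Any personal group is left in place (see
     * {@link #FNS_REMOVE_ACCOUNT}).
     *
     * @param securityManager the security manager that owns the account
     * @param caller          the subject executing the query; must be a DBA and not the target
     * @param username        the account to delete
     * @throws XPathException if the caller is not a DBA, the account does not exist, or the caller
     *                        attempts to delete its own account
     */
    private void removeAccount(final SecurityManager securityManager, final Subject caller, final String username)
            throws XPathException, ConfigurationException, EXistException, PermissionDeniedException {
        if (!caller.hasDbaRole()) {
            throw new XPathException("Only a DBA user may remove accounts.");
        }
        if (!securityManager.hasAccount(username)) {
            throw new XPathException("The user account with username " + username + " does not exist.");
        }
        if (caller.getName().equals(username)) {
            throw new XPathException("You cannot remove yourself i.e. the currently logged in user.");
        }
        securityManager.deleteAccount(username);
    }

    /**
     * Converts a sequence of items into group names using each item's {@code toString()}.
     *
     * @param sequence the evaluated supplementary-groups argument (may be empty)
     * @return one name per item, in sequence order; empty for an empty sequence
     */
    private String[] getGroups(Sequence sequence) {
        final int itemCount = sequence.getItemCount();
        final String[] groupNames = new String[itemCount];
        for (int index = 0; index < itemCount; index++) {
            groupNames[index] = sequence.itemAt(index).toString();
        }
        return groupNames;
    }
}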
