package io.unitycatalog.server.service;

import com.auth0.jwt.interfaces.DecodedJWT;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.annotation.Delete;
import com.linecorp.armeria.server.annotation.ExceptionHandler;
import com.linecorp.armeria.server.annotation.Get;
import com.linecorp.armeria.server.annotation.Param;
import com.linecorp.armeria.server.annotation.Post;
import com.linecorp.armeria.server.annotation.Produces;
import com.linecorp.armeria.server.annotation.Put;
import com.linecorp.armeria.server.annotation.StatusCode;
import com.unboundid.scim2.common.exceptions.BadRequestException;
import com.unboundid.scim2.common.exceptions.PreconditionFailedException;
import com.unboundid.scim2.common.exceptions.ResourceConflictException;
import com.unboundid.scim2.common.exceptions.ScimException;
import com.unboundid.scim2.common.filters.Filter;
import com.unboundid.scim2.common.messages.ListResponse;
import com.unboundid.scim2.common.types.Email;
import com.unboundid.scim2.common.types.Meta;
import com.unboundid.scim2.common.types.Photo;
import com.unboundid.scim2.common.types.UserResource;
import com.unboundid.scim2.common.utils.FilterEvaluator;
import com.unboundid.scim2.common.utils.Parser;
import io.unitycatalog.control.model.User;
import io.unitycatalog.server.auth.UnityCatalogAuthorizer;
import io.unitycatalog.server.auth.annotation.AuthorizeExpression;
import io.unitycatalog.server.auth.annotation.AuthorizeKey;
import io.unitycatalog.server.exception.BaseException;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.exception.GlobalExceptionHandler;
import io.unitycatalog.server.exception.Scim2RuntimeException;
import io.unitycatalog.server.model.SecurableType;
import io.unitycatalog.server.persist.UserRepository;
import io.unitycatalog.server.persist.model.CreateUser;
import io.unitycatalog.server.persist.model.UpdateUser;
import io.unitycatalog.server.security.JwtClaim;
import java.net.URI;
import java.util.Calendar;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;

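/**
 * SCIM 2.0 user endpoints: list, create, read, update and delete users held in
 * {@link UserRepository}, exposed as {@link UserResource} documents.
 *
 * <p>Authorization is declared per endpoint through {@code @AuthorizeExpression}:
 * the read endpoints only require an authenticated principal
 * ({@code #principal != null}), while create, update and delete require OWNER on the
 * metastore. Repository and SCIM errors are surfaced as {@link Scim2RuntimeException}
 * and rendered by {@link GlobalExceptionHandler}.
 */
@ExceptionHandler(GlobalExceptionHandler.class)
public class Scim2UserService {
    private static final UserRepository USER_REPOSITORY = UserRepository.getInstance();

    /** SCIM {@code startIndex} is 1-based; this is the value used when the client omits it. */
    private static final int DEFAULT_START_INDEX = 1;

    /** Page size used when the client omits {@code count}. */
    private static final int DEFAULT_PAGE_SIZE = 50;

    private final UnityCatalogAuthorizer authorizer;

    /**
     * @param unityCatalogAuthorizer authorizer used to drop a principal's grants when the user is
     *     deleted
     */
    public Scim2UserService(UnityCatalogAuthorizer unityCatalogAuthorizer) {
        this.authorizer = unityCatalogAuthorizer;
    }

    /**
     * Lists users, optionally restricted by a SCIM filter expression.
     *
     * <p>Every request parameter is caller-controlled. {@code startIndex} values below 1 are
     * treated as 1 and negative {@code count} values as 0, so a negative offset or limit never
     * reaches the repository (and {@code startIndex - 1} cannot overflow).
     *
     * @param optional SCIM filter expression; absent or empty means "no filter"
     * @param optional2 1-based index of the first result, default 1
     * @param optional3 maximum number of results, default 50
     * @return the matching page of users
     * @throws Scim2RuntimeException if the filter cannot be parsed or evaluated
     */
    @AuthorizeKey(SecurableType.METASTORE)
    @Produces("application/scim+json")
    @StatusCode(200)
    @AuthorizeExpression("#principal != null")
    @Get("")
    public ListResponse<UserResource> getScimUsers(@Param("filter") Optional<String> optional, @Param("startIndex") Optional<Integer> optional2, @Param("count") Optional<Integer> optional3) {
        Filter filter = optional.filter(expression -> !expression.isEmpty()).map(this::parseFilter).orElse(null);
        int startIndex = Math.max(optional2.orElse(DEFAULT_START_INDEX), 1);
        // NOTE(review): count has no upper bound here; confirm the repository or a front-end
        // limit caps the page size, otherwise one request can ask for the whole user table.
        int pageSize = Math.max(optional3.orElse(DEFAULT_PAGE_SIZE), 0);

        FilterEvaluator evaluator = new FilterEvaluator();
        // The filter is evaluated in memory against the SCIM view of each candidate user.
        List<UserResource> resources = USER_REPOSITORY
                .listUsers(startIndex - 1, pageSize, user -> match(evaluator, filter, asUserResource(user)))
                .stream()
                .map(this::asUserResource)
                .toList();

        Meta meta = new Meta();
        meta.setCreated(Calendar.getInstance());
        meta.setLastModified(Calendar.getInstance());
        meta.setResourceType("User");

        // NOTE(review): totalResults is the size of this page, not the number of users matching
        // the filter; clients paging on totalResults will stop after the first page.
        ListResponse<UserResource> listResponse = new ListResponse<>(resources.size(), resources, Integer.valueOf(startIndex), Integer.valueOf(resources.size()));
        listResponse.setMeta(meta);
        return listResponse;
    }

    /**
     * Creates a user from a SCIM document. Requires OWNER on the metastore.
     *
     * <p>The request body is untrusted: a missing {@code emails} list, a null entry, a null
     * {@code primary} flag or a photo without a value are handled explicitly instead of failing
     * with a {@link NullPointerException}.
     *
     * @param userResource SCIM user supplied by the client
     * @return the stored user
     * @throws Scim2RuntimeException wrapping {@link PreconditionFailedException} when no primary
     *     email is present, {@link ResourceConflictException} when the user already exists, or
     *     {@link BadRequestException} for any other repository error
     */
    @Post("")
    @AuthorizeKey(SecurableType.METASTORE)
    @Produces("application/scim+json")
    @StatusCode(201)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER)")
    public UserResource createScimUser(UserResource userResource) {
        List<Email> emails = userResource.getEmails();
        if (emails == null) {
            emails = List.of();
        }
        Email primaryEmail = emails.stream()
                .filter(candidate -> candidate != null && Boolean.TRUE.equals(candidate.getPrimary()))
                .findFirst()
                .orElseThrow(() -> new Scim2RuntimeException(new PreconditionFailedException("User does not have a primary email.")));

        // The first photo URI is stored as given; any scheme the SCIM parser accepts is kept.
        // NOTE(review): consumers that render or fetch pictureUrl should restrict the scheme.
        String pictureUrl = "";
        List<Photo> photos = userResource.getPhotos();
        if (photos != null && !photos.isEmpty()) {
            Photo firstPhoto = photos.get(0);
            if (firstPhoto != null && firstPhoto.getValue() != null) {
                pictureUrl = firstPhoto.getValue().toString();
            }
        }

        CreateUser request = CreateUser.builder()
                .name(userResource.getDisplayName())
                .email(primaryEmail.getValue())
                .active(userResource.getActive())
                .externalId(userResource.getExternalId())
                .pictureUrl(pictureUrl)
                .build();
        try {
            return asUserResource(USER_REPOSITORY.createUser(request));
        } catch (BaseException e) {
            // The repository message is returned to the client as the SCIM error detail.
            // NOTE(review): confirm BaseException messages never carry internal details.
            if (e.getErrorCode() == ErrorCode.ALREADY_EXISTS) {
                throw new Scim2RuntimeException(new ResourceConflictException(e.getMessage()));
            }
            throw new Scim2RuntimeException(new BadRequestException(e.getMessage()));
        }
    }

    /**
     * Returns the user identified by the subject claim of the request's decoded JWT.
     *
     * @return the caller's own user record, looked up by email
     * @throws Scim2RuntimeException wrapping {@link BadRequestException} when the request carries
     *     no decoded JWT or the token has no subject claim
     */
    @AuthorizeKey(SecurableType.METASTORE)
    @Produces("application/scim+json")
    @StatusCode(200)
    @AuthorizeExpression("#principal != null")
    @Get("/self")
    public UserResource getCurrentUser() {
        DecodedJWT decodedJWT = (DecodedJWT) ServiceRequestContext.current().attr(AuthDecorator.DECODED_JWT_ATTR);
        if (decodedJWT == null) {
            throw new Scim2RuntimeException(new BadRequestException("No user found."));
        }
        // asString() yields null when the claim is absent; never look up a user by a null email.
        String subject = decodedJWT.getClaim(JwtClaim.SUBJECT.key()).asString();
        if (subject == null || subject.isEmpty()) {
            throw new Scim2RuntimeException(new BadRequestException("No user found."));
        }
        return asUserResource(USER_REPOSITORY.getUserByEmail(subject));
    }

    /**
     * Returns one user by id. Any authenticated principal may read any user record.
     *
     * @param str user id taken from the request path
     * @return the user as a SCIM resource
     */
    @AuthorizeKey(SecurableType.METASTORE)
    @Produces("application/scim+json")
    @StatusCode(200)
    @AuthorizeExpression("#principal != null")
    @Get("/{id}")
    public UserResource getUser(@Param("id") String str) {
        return asUserResource(USER_REPOSITORY.getUser(str));
    }

    /**
     * Replaces the display name, active flag and external id of an existing user. Requires OWNER
     * on the metastore.
     *
     * @param str user id taken from the request path
     * @param userResource SCIM document supplied by the client; its id must equal {@code str}
     * @return the updated user
     * @throws Scim2RuntimeException wrapping {@link ResourceConflictException} when the id in the
     *     path and the id in the body differ
     */
    @Put("/{id}")
    @AuthorizeKey(SecurableType.METASTORE)
    @Produces("application/scim+json")
    @StatusCode(200)
    @AuthorizeExpression("#authorize(#principal, #metastore, OWNER)")
    public UserResource updateUser(@Param("id") String str, UserResource userResource) {
        // Result is discarded on purpose: the lookup runs first so that an unknown id is
        // reported by the repository before the body is compared with the path.
        asUserResource(USER_REPOSITORY.getUser(str));
        if (!str.equals(userResource.getId())) {
            throw new Scim2RuntimeException(new ResourceConflictException("User id mismatch."));
        }
        UpdateUser changes = UpdateUser.builder()
                .name(userResource.getDisplayName())
                .active(userResource.getActive())
                .externalId(userResource.getExternalId())
                .build();
        return asUserResource(USER_REPOSITORY.updateUser(str, changes));
    }

    /**
     * Deletes a user and the authorizations held by that principal.
     *
     * @param str user id taken from the request path
     * @return an empty 200 response
     */
    @Delete("/{id}")
    @AuthorizeKey(SecurableType.METASTORE)
    @AuthorizeExpression("#authorizeAny(#principal, #metastore, OWNER)")
    public HttpResponse deleteUser(@Param("id") String str) {
        User user = USER_REPOSITORY.getUser(str);
        // Grants are cleared before the record is removed, so a deleted user never keeps
        // authorizations. NOTE(review): the two steps are not atomic; if deleteUser fails the
        // user remains but has already lost every grant.
        UUID principalId = UUID.fromString(Objects.requireNonNull(user.getId()));
        this.authorizer.clearAuthorizationsForPrincipal(principalId);
        USER_REPOSITORY.deleteUser(user.getId());
        return HttpResponse.of(HttpStatus.OK);
    }

    /**
     * Converts a stored user into its SCIM representation.
     *
     * <p>The email doubles as the SCIM {@code userName} and is reported as the single primary
     * email. A missing creation or update timestamp is reported as the current time, and a
     * missing picture URL as an empty URI.
     *
     * @param user stored user
     * @return the SCIM view of {@code user}
     */
    public UserResource asUserResource(User user) {
        Meta meta = new Meta();
        meta.setCreated(toCalendar(user.getCreatedAt()));
        meta.setLastModified(toCalendar(user.getUpdatedAt()));
        meta.setResourceType("User");

        // URI.create throws IllegalArgumentException on a malformed value.
        // NOTE(review): confirm every write path stores a syntactically valid URI.
        String pictureUrl = user.getPictureUrl() == null ? "" : user.getPictureUrl();

        UserResource userResource = new UserResource();
        userResource
                .setUserName(user.getEmail())
                .setDisplayName(user.getName())
                .setEmails(List.of(new Email().setValue(user.getEmail()).setPrimary(true)))
                .setPhotos(List.of(new Photo().setValue(URI.create(pictureUrl))));
        userResource.setId(user.getId());
        userResource.setMeta(meta);
        userResource.setActive(Boolean.valueOf(user.getState() == User.StateEnum.ENABLED));
        userResource.setExternalId(user.getExternalId());
        return userResource;
    }

    /** Returns a calendar set to {@code epochMillis}, or to the current time when it is null. */
    private static Calendar toCalendar(Long epochMillis) {
        Calendar calendar = Calendar.getInstance();
        if (epochMillis != null) {
            calendar.setTimeInMillis(epochMillis.longValue());
        }
        return calendar;
    }

    /**
     * Parses a client-supplied SCIM filter expression.
     *
     * @throws Scim2RuntimeException wrapping the parser's {@link BadRequestException}
     */
    private Filter parseFilter(String str) {
        try {
            return Parser.parseFilter(str);
        } catch (BadRequestException e) {
            throw new Scim2RuntimeException(e);
        }
    }

    /**
     * Tells whether a user satisfies the filter; a null filter matches every user.
     *
     * @throws Scim2RuntimeException wrapping any {@link ScimException} raised during evaluation
     */
    private boolean match(FilterEvaluator filterEvaluator, Filter filter, UserResource userResource) {
        if (filter == null) {
            return true;
        }
        try {
            return ((Boolean) filter.visit(filterEvaluator, userResource.asGenericScimResource().getObjectNode())).booleanValue();
        } catch (ScimException e) {
            throw new Scim2RuntimeException(e);
        }
    }
}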
