package pl.edu.icm.unity.engine.identity;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeMap;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.config.UnityServerConfiguration;
import pl.edu.icm.unity.engine.api.confirmation.EmailConfirmationManager;
import pl.edu.icm.unity.engine.api.identity.EntityResolver;
import pl.edu.icm.unity.engine.api.identity.IdentityTypeDefinition;
import pl.edu.icm.unity.engine.api.identity.IdentityTypesRegistry;
import pl.edu.icm.unity.engine.api.notification.NotificationProducer;
import pl.edu.icm.unity.engine.attribute.AttributeClassUtil;
import pl.edu.icm.unity.engine.attribute.AttributesHelper;
import pl.edu.icm.unity.engine.audit.AuditEventListener;
import pl.edu.icm.unity.engine.audit.AuditEventTrigger;
import pl.edu.icm.unity.engine.audit.AuditPublisher;
import pl.edu.icm.unity.engine.authz.AuthzCapability;
import pl.edu.icm.unity.engine.authz.InternalAuthorizationManager;
import pl.edu.icm.unity.engine.credential.CredentialAttributeTypeProvider;
import pl.edu.icm.unity.engine.credential.EntityCredentialsHelper;
import pl.edu.icm.unity.engine.events.InvocationEventProducer;
import pl.edu.icm.unity.engine.group.GroupHelper;
import pl.edu.icm.unity.exceptions.AuthorizationException;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.IllegalIdentityValueException;
import pl.edu.icm.unity.exceptions.IllegalTypeException;
import pl.edu.icm.unity.exceptions.MergeConflictException;
import pl.edu.icm.unity.exceptions.SchemaConsistencyException;
import pl.edu.icm.unity.store.api.AttributeTypeDAO;
import pl.edu.icm.unity.store.api.EntityDAO;
import pl.edu.icm.unity.store.api.GroupDAO;
import pl.edu.icm.unity.store.api.IdentityDAO;
import pl.edu.icm.unity.store.api.IdentityTypeDAO;
import pl.edu.icm.unity.store.api.MembershipDAO;
import pl.edu.icm.unity.store.api.tx.Transactional;
import pl.edu.icm.unity.store.api.tx.TransactionalRunner;
import pl.edu.icm.unity.store.types.StoredIdentity;
import pl.edu.icm.unity.types.basic.Attribute;
import pl.edu.icm.unity.types.basic.AttributeExt;
import pl.edu.icm.unity.types.basic.AttributeStatement;
import pl.edu.icm.unity.types.basic.AttributeType;
import pl.edu.icm.unity.types.basic.Entity;
import pl.edu.icm.unity.types.basic.EntityInformation;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.EntityScheduledOperation;
import pl.edu.icm.unity.types.basic.EntityState;
import pl.edu.icm.unity.types.basic.Group;
import pl.edu.icm.unity.types.basic.GroupMembership;
import pl.edu.icm.unity.types.basic.Identity;
import pl.edu.icm.unity.types.basic.IdentityParam;
import pl.edu.icm.unity.types.basic.IdentityTaV;
import pl.edu.icm.unity.types.basic.IdentityType;
import pl.edu.icm.unity.types.basic.audit.AuditEntity;
import pl.edu.icm.unity.types.basic.audit.AuditEventAction;
import pl.edu.icm.unity.types.basic.audit.AuditEventTag;
import pl.edu.icm.unity.types.basic.audit.AuditEventType;
import pl.edu.icm.unity.types.confirmation.ConfirmationInfo;

@Component
@Primary
@InvocationEventProducer
/* loaded from: input_file:pl/edu/icm/unity/engine/identity/EntityManagementImpl.class */
public class EntityManagementImpl implements EntityManagement {
    private static final Logger log = Log.getLogger("unity.server", EntityManagementImpl.class);
    private IdentityTypeDAO idTypeDAO;
    private IdentityTypeHelper idTypeHelper;
    private IdentityDAO idDAO;
    private EntityDAO entityDAO;
    private GroupDAO groupDAO;
    private AttributeTypeDAO attributeTypeDAO;
    private MembershipDAO membershipDAO;
    private EntityCredentialsHelper credentialsHelper;
    private GroupHelper groupHelper;
    private SheduledOperationHelper scheduledOperationHelper;
    private AttributesHelper attributesHelper;
    private IdentityHelper identityHelper;
    private EntityResolver idResolver;
    private InternalAuthorizationManager authz;
    private IdentityTypesRegistry idTypesRegistry;
    private EmailConfirmationManager confirmationManager;
    private AttributeClassUtil acUtil;
    private TransactionalRunner tx;
    private UnityServerConfiguration cfg;
    private NotificationProducer notificationProducer;
    private AuditEventListener auditEventListener;
    private AuditPublisher auditPublisher;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:pl/edu/icm/unity/engine/identity/EntityManagementImpl$IdentityWithAuthzInfo.class */
    public static class IdentityWithAuthzInfo {
        private Identity identity;
        private boolean fullAuthz;

        IdentityWithAuthzInfo(Identity identity, boolean z) {
            this.identity = identity;
            this.fullAuthz = z;
        }
    }

    @Autowired
    public EntityManagementImpl(IdentityTypeDAO identityTypeDAO, IdentityTypeHelper identityTypeHelper, IdentityDAO identityDAO, EntityDAO entityDAO, GroupDAO groupDAO, AttributeTypeDAO attributeTypeDAO, MembershipDAO membershipDAO, EntityCredentialsHelper entityCredentialsHelper, GroupHelper groupHelper, SheduledOperationHelper sheduledOperationHelper, AttributesHelper attributesHelper, IdentityHelper identityHelper, EntityResolver entityResolver, InternalAuthorizationManager internalAuthorizationManager, IdentityTypesRegistry identityTypesRegistry, EmailConfirmationManager emailConfirmationManager, AttributeClassUtil attributeClassUtil, TransactionalRunner transactionalRunner, UnityServerConfiguration unityServerConfiguration, NotificationProducer notificationProducer, AuditEventListener auditEventListener, AuditPublisher auditPublisher) {
        this.idTypeDAO = identityTypeDAO;
        this.idTypeHelper = identityTypeHelper;
        this.idDAO = identityDAO;
        this.entityDAO = entityDAO;
        this.groupDAO = groupDAO;
        this.attributeTypeDAO = attributeTypeDAO;
        this.membershipDAO = membershipDAO;
        this.credentialsHelper = entityCredentialsHelper;
        this.groupHelper = groupHelper;
        this.scheduledOperationHelper = sheduledOperationHelper;
        this.attributesHelper = attributesHelper;
        this.identityHelper = identityHelper;
        this.idResolver = entityResolver;
        this.authz = internalAuthorizationManager;
        this.idTypesRegistry = identityTypesRegistry;
        this.confirmationManager = emailConfirmationManager;
        this.acUtil = attributeClassUtil;
        this.tx = transactionalRunner;
        this.cfg = unityServerConfiguration;
        this.notificationProducer = notificationProducer;
        this.auditEventListener = auditEventListener;
        this.auditPublisher = auditPublisher;
    }

    public Identity addEntity(IdentityParam identityParam, String str, EntityState entityState, boolean z) throws EngineException {
        return addEntity(identityParam, str, entityState, z, null);
    }

    public Identity addEntity(IdentityParam identityParam, EntityState entityState, boolean z) throws EngineException {
        return addEntity(identityParam, "sys:all", entityState, z, null);
    }

    public Identity addEntity(IdentityParam identityParam, String str, EntityState entityState, boolean z, List<Attribute> list) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.identityModify);
        List<Attribute> emptyList = list == null ? Collections.emptyList() : list;
        return (Identity) this.tx.runInTransactionRetThrowing(() -> {
            return this.identityHelper.addEntity(identityParam, str, entityState, z, emptyList, true);
        });
    }

    public Identity addEntity(IdentityParam identityParam, EntityState entityState, boolean z, List<Attribute> list) throws EngineException {
        return addEntity(identityParam, "sys:all", entityState, z, list);
    }

    public Identity addIdentity(IdentityParam identityParam, EntityParam entityParam, boolean z) throws EngineException {
        IdentityWithAuthzInfo identityWithAuthzInfo = (IdentityWithAuthzInfo) this.tx.runInTransactionRetThrowing(() -> {
            long entityId = this.idResolver.getEntityId(entityParam);
            IdentityType identityType = this.idTypeDAO.get(identityParam.getTypeId());
            boolean authorizeIdentityChange = authorizeIdentityChange(entityId, Sets.newHashSet(new IdentityParam[]{identityParam}), identityType.isSelfModificable());
            if (!authorizeIdentityChange) {
                identityParam.setConfirmationInfo(new ConfirmationInfo(false));
            }
            List<Identity> byEntity = this.idDAO.getByEntity(entityId);
            if (!authorizeIdentityChange && getIdentityCountOfType(byEntity, identityType.getIdentityTypeProvider()) >= identityType.getMaxInstances()) {
                throw new SchemaConsistencyException("Can not add another identity of this type as the configured maximum number of instances was reached.");
            }
            Identity upcastIdentityParam = this.idTypeHelper.upcastIdentityParam(identityParam, entityId);
            this.idDAO.create(new StoredIdentity(upcastIdentityParam));
            this.auditPublisher.log(AuditEventTrigger.builder().type(AuditEventType.IDENTITY).action(AuditEventAction.ADD).name(String.join(":", upcastIdentityParam.getTypeId(), upcastIdentityParam.getName())).subject(Long.valueOf(upcastIdentityParam.getEntityId())).tags(AuditEventTag.USERS));
            if (z && authorizeIdentityChange) {
                this.identityHelper.addExtractedAttributes(upcastIdentityParam);
            }
            return new IdentityWithAuthzInfo(upcastIdentityParam, authorizeIdentityChange);
        });
        if (!identityWithAuthzInfo.fullAuthz) {
            this.tx.runInTransactionThrowing(() -> {
                this.confirmationManager.sendVerificationNoTx(new EntityParam(Long.valueOf(identityWithAuthzInfo.identity.getEntityId())), identityWithAuthzInfo.identity, false);
            });
        }
        return identityWithAuthzInfo.identity;
    }

    private int getIdentityCountOfType(List<Identity> list, String str) {
        int i = 0;
        Iterator<Identity> it = list.iterator();
        while (it.hasNext()) {
            if (it.next().getTypeId().equals(str)) {
                i++;
            }
        }
        return i;
    }

    private void checkVerifiedMinCountForRemoval(List<Identity> list, IdentityTaV identityTaV, IdentityType identityType) throws SchemaConsistencyException, IllegalIdentityValueException {
        IdentityTypeDefinition typeDefinition = this.idTypeHelper.getTypeDefinition(identityType);
        if (typeDefinition.isEmailVerifiable()) {
            int i = 0;
            String comparableValue = typeDefinition.getComparableValue(identityTaV.getValue(), identityTaV.getRealm(), identityTaV.getTarget());
            for (Identity identity : list) {
                if (identity.getTypeId().equals(identityTaV.getTypeId())) {
                    if (comparableValue.equals(identity.getComparableValue()) && !identity.isConfirmed()) {
                        return;
                    }
                    if (identity.isConfirmed()) {
                        i++;
                    }
                }
            }
            if (i <= identityType.getMinVerifiedInstances()) {
                throw new SchemaConsistencyException("Can not remove the verified identity as the configured minimum number of verified instances was reached.");
            }
        }
    }

    private boolean authorizeIdentityChange(long j, Collection<? extends IdentityParam> collection, boolean z) throws AuthorizationException {
        if (this.authz.getCapabilities(false, "/").contains(AuthzCapability.identityModify)) {
            return true;
        }
        this.authz.checkAuthorization(z && this.authz.isSelf(j), AuthzCapability.identityModify);
        Iterator<? extends IdentityParam> it = collection.iterator();
        while (it.hasNext()) {
            it.next().setConfirmationInfo(new ConfirmationInfo());
        }
        return false;
    }

    @Transactional
    public void removeIdentity(IdentityTaV identityTaV) throws EngineException {
        long entityId = this.idResolver.getEntityId(new EntityParam(identityTaV));
        IdentityType identityType = (IdentityType) this.idTypeDAO.get(identityTaV.getTypeId());
        List<Identity> byEntity = this.idDAO.getByEntity(entityId);
        String identityTypeProvider = identityType.getIdentityTypeProvider();
        boolean authorizeIdentityChange = authorizeIdentityChange(entityId, new ArrayList(), identityType.isSelfModificable());
        if (byEntity.size() == 1) {
            throw new SchemaConsistencyException("Can not remove the last identity, it is only possible to perform the full removeal by deleting its entity now.");
        }
        if (!authorizeIdentityChange) {
            if (getIdentityCountOfType(byEntity, identityTypeProvider) <= identityType.getMinInstances()) {
                throw new SchemaConsistencyException("Can not remove the identity as the configured minimum number of instances was reached.");
            }
            checkVerifiedMinCountForRemoval(byEntity, identityTaV, identityType);
        }
        String comparableValue = this.idTypeHelper.getTypeDefinition(identityType).getComparableValue(identityTaV.getValue(), identityTaV.getRealm(), identityTaV.getTarget());
        this.idDAO.delete(StoredIdentity.toInDBIdentityValue(identityType.getName(), comparableValue));
        this.auditPublisher.log(AuditEventTrigger.builder().type(AuditEventType.IDENTITY).action(AuditEventAction.REMOVE).name(String.join(":", identityTaV.getTypeId(), comparableValue)).subject(this.auditEventListener.createAuditEntity(Long.valueOf(entityId))).tags(AuditEventTag.USERS));
    }

    @Transactional
    public void updateIdentity(IdentityTaV identityTaV, IdentityParam identityParam) throws EngineException {
        if (!Objects.equals(identityParam.getTypeId(), identityTaV.getTypeId())) {
            throw new IllegalArgumentException("Identity type can not be changed");
        }
        this.authz.checkAuthorization(AuthzCapability.identityModify);
        IdentityType identityType = this.idTypeDAO.get(identityTaV.getTypeId());
        IdentityTypeDefinition typeDefinition = this.idTypeHelper.getTypeDefinition(identityType);
        String comparableValue = typeDefinition.getComparableValue(identityTaV.getValue(), identityTaV.getRealm(), identityTaV.getTarget());
        if (!Objects.equals(comparableValue, typeDefinition.getComparableValue(identityParam.getValue(), identityParam.getRealm(), identityParam.getTarget()))) {
            throw new IllegalArgumentException("Identity change can not effect in comparable value change of existing identity");
        }
        String inDBIdentityValue = StoredIdentity.toInDBIdentityValue(identityType.getName(), comparableValue);
        Identity upcastIdentityParam = this.idTypeHelper.upcastIdentityParam(identityParam, this.idResolver.getEntityId(new EntityParam(identityTaV)));
        this.idDAO.updateByName(inDBIdentityValue, new StoredIdentity(upcastIdentityParam));
        this.auditPublisher.log(AuditEventTrigger.builder().type(AuditEventType.IDENTITY).action(AuditEventAction.UPDATE).name(String.join(":", upcastIdentityParam.getTypeId(), upcastIdentityParam.getName())).subject(Long.valueOf(upcastIdentityParam.getEntityId())).details(ImmutableMap.of("action", "manual update")).tags(AuditEventTag.USERS));
    }

    @Transactional
    public void setIdentities(EntityParam entityParam, Collection<String> collection, Collection<? extends IdentityParam> collection2) throws EngineException {
        for (IdentityWithAuthzInfo identityWithAuthzInfo : (List) this.tx.runInTransactionRetThrowing(() -> {
            entityParam.validateInitialization();
            ensureNoDynamicIdentityType(collection);
            ensureIdentitiesAreOfSpecifiedTypes(collection, collection2);
            long entityId = this.idResolver.getEntityId(entityParam);
            Map<String, IdentityType> allAsMap = this.idTypeDAO.getAllAsMap();
            boolean authorizeIdentityChange = authorizeIdentityChange(entityId, collection2, areAllTypesSelfModifiable(collection, allAsMap));
            Map<String, Set<Identity>> currentIdentitiesByType = getCurrentIdentitiesByType(collection, this.idDAO.getByEntity(entityId));
            Map<String, Set<IdentityParam>> requestedIdentitiesByType = getRequestedIdentitiesByType(collection, collection2);
            ArrayList arrayList = new ArrayList();
            Iterator it = collection.iterator();
            while (it.hasNext()) {
                String str = (String) it.next();
                setIdentitiesOfType(allAsMap.get(str), entityId, currentIdentitiesByType.get(str), requestedIdentitiesByType.get(str), authorizeIdentityChange).stream().map(identity -> {
                    return new IdentityWithAuthzInfo(identity, authorizeIdentityChange);
                }).forEach(identityWithAuthzInfo2 -> {
                    arrayList.add(identityWithAuthzInfo2);
                });
            }
            return arrayList;
        })) {
            if (!identityWithAuthzInfo.fullAuthz) {
                this.tx.runInTransactionThrowing(() -> {
                    this.confirmationManager.sendVerificationNoTx(new EntityParam(Long.valueOf(identityWithAuthzInfo.identity.getEntityId())), identityWithAuthzInfo.identity, false);
                });
            }
        }
    }

    private List<Identity> setIdentitiesOfType(IdentityType identityType, long j, Set<Identity> set, Set<IdentityParam> set2, boolean z) throws EngineException {
        Set<IdentityParam> substractIdentitySets = substractIdentitySets(identityType, set, set2);
        Set<IdentityParam> substractIdentitySets2 = substractIdentitySets(identityType, set2, set);
        verifyLimitsOfIdentities(identityType, set, set2, substractIdentitySets, substractIdentitySets2, z);
        ArrayList arrayList = new ArrayList();
        for (IdentityParam identityParam : substractIdentitySets2) {
            if (!z) {
                identityParam.setConfirmationInfo(new ConfirmationInfo(false));
            }
            arrayList.add(this.identityHelper.insertIdentity(identityParam, j, false));
        }
        for (IdentityParam identityParam2 : substractIdentitySets) {
            this.idDAO.delete(StoredIdentity.toInDBIdentityValue(identityParam2.getTypeId(), this.idTypeHelper.upcastIdentityParam(identityParam2, j).getComparableValue()));
        }
        return arrayList;
    }

    private void verifyLimitsOfIdentities(IdentityType identityType, Set<Identity> set, Set<IdentityParam> set2, Set<IdentityParam> set3, Set<IdentityParam> set4, boolean z) throws SchemaConsistencyException {
        if (z) {
            return;
        }
        int size = set2.size();
        if (size < identityType.getMinInstances() && set.size() >= identityType.getMaxInstances()) {
            throw new SchemaConsistencyException("The operation can not be completed as in effect the configured minimum number of instances would be violated for the identity type " + identityType.getIdentityTypeProvider());
        }
        if (size > identityType.getMaxInstances() && set.size() <= identityType.getMaxInstances()) {
            throw new SchemaConsistencyException("The operation can not be completed as in effect the configured maximum number of instances would be violated for the identity type " + identityType.getIdentityTypeProvider());
        }
        if (this.idTypeHelper.getTypeDefinition(identityType).isEmailVerifiable()) {
            int i = 0;
            Iterator<Identity> it = set.iterator();
            while (it.hasNext()) {
                if (it.next().isConfirmed()) {
                    i++;
                }
            }
            int i2 = i;
            Iterator<IdentityParam> it2 = set3.iterator();
            while (it2.hasNext()) {
                if (it2.next().isConfirmed()) {
                    i--;
                }
            }
            Iterator<IdentityParam> it3 = set4.iterator();
            while (it3.hasNext()) {
                if (it3.next().isConfirmed()) {
                    i++;
                }
            }
            if (i < identityType.getMinVerifiedInstances() && i2 >= identityType.getMinVerifiedInstances()) {
                throw new SchemaConsistencyException("The operation can not be completed as in effect the configured minimum number of confirmed identities would be violated for the identity type " + identityType.getIdentityTypeProvider());
            }
        }
    }

    private Set<IdentityParam> substractIdentitySets(IdentityType identityType, Set<? extends IdentityParam> set, Set<? extends IdentityParam> set2) throws IllegalIdentityValueException {
        IdentityTypeDefinition typeDefinition = this.idTypeHelper.getTypeDefinition(identityType);
        HashSet hashSet = new HashSet();
        for (IdentityParam identityParam : set) {
            String comparableValue = typeDefinition.getComparableValue(identityParam.getValue(), identityParam.getRealm(), identityParam.getTarget());
            boolean z = false;
            Iterator<? extends IdentityParam> it = set2.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                IdentityParam next = it.next();
                if (comparableValue.equals(typeDefinition.getComparableValue(next.getValue(), next.getRealm(), next.getTarget()))) {
                    z = true;
                    break;
                }
            }
            if (!z) {
                hashSet.add(identityParam);
            }
        }
        return hashSet;
    }

    private Map<String, Set<IdentityParam>> getRequestedIdentitiesByType(Collection<String> collection, Collection<? extends IdentityParam> collection2) {
        HashMap hashMap = new HashMap();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            hashMap.put(it.next(), new HashSet());
        }
        for (IdentityParam identityParam : collection2) {
            ((Set) hashMap.get(identityParam.getTypeId())).add(identityParam);
        }
        return hashMap;
    }

    private Map<String, Set<Identity>> getCurrentIdentitiesByType(Collection<String> collection, List<Identity> list) {
        HashMap hashMap = new HashMap();
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            hashMap.put(it.next(), new HashSet());
        }
        for (Identity identity : list) {
            if (collection.contains(identity.getTypeId())) {
                ((Set) hashMap.get(identity.getTypeId())).add(identity);
            }
        }
        return hashMap;
    }

    private boolean areAllTypesSelfModifiable(Collection<String> collection, Map<String, IdentityType> map) {
        Iterator<String> it = collection.iterator();
        while (it.hasNext()) {
            if (!map.get(it.next()).isSelfModificable()) {
                return false;
            }
        }
        return true;
    }

    private void ensureIdentitiesAreOfSpecifiedTypes(Collection<String> collection, Collection<? extends IdentityParam> collection2) throws IllegalIdentityValueException {
        Iterator<? extends IdentityParam> it = collection2.iterator();
        while (it.hasNext()) {
            if (!collection.contains(it.next().getTypeId())) {
                throw new IllegalArgumentException("All new identities must be of types specified as the first argument");
            }
        }
    }

    private void ensureNoDynamicIdentityType(Collection<String> collection) throws IllegalTypeException, IllegalIdentityValueException {
        for (String str : collection) {
            if (((IdentityTypeDefinition) this.idTypesRegistry.getByName(str)).isDynamic()) {
                throw new IllegalIdentityValueException("Identity type " + str + " is dynamic and can not be manually set");
            }
        }
    }

    @Transactional
    public void resetIdentity(EntityParam entityParam, String str, String str2, String str3) throws EngineException {
        entityParam.validateInitialization();
        if (str == null) {
            throw new IllegalIdentityValueException("Identity type can not be null");
        }
        if (!((IdentityTypeDefinition) this.idTypesRegistry.getByName(str)).isDynamic()) {
            throw new IllegalIdentityValueException("Identity type " + str + " is not dynamic and can not be reset");
        }
        long entityId = this.idResolver.getEntityId(entityParam);
        this.authz.checkAuthorization(this.authz.isSelf(entityId), AuthzCapability.identityModify);
        resetIdentityForEntity(entityId, str, str2, str3);
    }

    @Transactional
    public void removeEntity(EntityParam entityParam) throws EngineException {
        entityParam.validateInitialization();
        long entityId = this.idResolver.getEntityId(entityParam);
        this.authz.checkAuthorization(this.authz.isSelf(entityId), AuthzCapability.identityModify);
        sendNotification(entityId, this.cfg.getValue("accountRemovedNotification"));
        AuditEntity createAuditEntity = this.auditEventListener.createAuditEntity(Long.valueOf(entityId));
        this.entityDAO.deleteByKey(entityId);
        this.auditPublisher.log(AuditEventTrigger.builder().type(AuditEventType.ENTITY).action(AuditEventAction.REMOVE).emptyName().subject(createAuditEntity).tags(AuditEventTag.USERS));
    }

    @Transactional
    public void setEntityStatus(EntityParam entityParam, EntityState entityState) throws EngineException {
        entityParam.validateInitialization();
        if (entityState == EntityState.onlyLoginPermitted) {
            throw new IllegalArgumentException("The new entity status 'only login permitted' can be only set as a side effect of scheduling an account removal with a grace period.");
        }
        long entityId = this.idResolver.getEntityId(entityParam);
        this.authz.checkAuthorization(this.authz.isSelf(entityId), AuthzCapability.identityModify);
        EntityInformation entityInformation = (EntityInformation) this.entityDAO.getByKey(entityId);
        if (entityInformation.getEntityState() == entityState) {
            return;
        }
        String str = null;
        if (entityInformation.getEntityState() == EntityState.valid && (entityState == EntityState.authenticationDisabled || entityState == EntityState.disabled)) {
            str = this.cfg.getValue("accountDisabledNotification");
        }
        if (entityState == EntityState.valid && (entityInformation.getEntityState() == EntityState.authenticationDisabled || entityInformation.getEntityState() == EntityState.disabled)) {
            str = this.cfg.getValue("accountActivatedNotification");
        }
        entityInformation.setEntityState(entityState);
        this.entityDAO.updateByKey(entityId, entityInformation);
        this.auditPublisher.log(AuditEventTrigger.builder().type(AuditEventType.ENTITY).action(AuditEventAction.UPDATE).emptyName().subject(Long.valueOf(entityId)).details(ImmutableMap.of("state", entityState.toString())).tags(AuditEventTag.USERS));
        sendNotification(entityId, str);
    }

    @Transactional
    public Entity getEntity(EntityParam entityParam) throws EngineException {
        return getEntity(entityParam, null, true, "/");
    }

    @Transactional
    public Entity getEntityNoContext(EntityParam entityParam, String str) throws EngineException {
        Entity resolveEntityBasic;
        entityParam.validateInitialization();
        long entityId = this.idResolver.getEntityId(entityParam);
        try {
            this.authz.checkAuthorization(this.authz.isSelf(entityId), str, AuthzCapability.readHidden);
            resolveEntityBasic = assembleEntity(entityId, this.idDAO.getByEntity(entityId));
        } catch (AuthorizationException e) {
            resolveEntityBasic = resolveEntityBasic(entityId, null, false, str);
        }
        return resolveEntityBasic;
    }

    @Transactional
    public Entity getEntity(EntityParam entityParam, String str, boolean z, String str2) throws EngineException {
        entityParam.validateInitialization();
        return resolveEntityBasic(this.idResolver.getEntityId(entityParam), str, z, str2);
    }

    @Transactional
    public String getEntityLabel(EntityParam entityParam) throws EngineException {
        entityParam.validateInitialization();
        AttributeExt attributeByMetadata = this.attributesHelper.getAttributeByMetadata(entityParam, "/", "entityDisplayedName");
        if (attributeByMetadata == null) {
            return null;
        }
        List values = attributeByMetadata.getValues();
        if (values.isEmpty()) {
            return null;
        }
        return values.get(0).toString();
    }

    private Entity resolveEntityBasic(long j, String str, boolean z, String str2) throws EngineException {
        this.authz.checkAuthorization(this.authz.isSelf(j), str2, AuthzCapability.read);
        return assembleEntity(j, getIdentitiesForEntity(j, str, z));
    }

    private Entity assembleEntity(long j, List<Identity> list) throws EngineException {
        return new Entity(list, (EntityInformation) this.entityDAO.getByKey(j), this.credentialsHelper.getCredentialInfo(j));
    }

    @Transactional
    public Map<String, GroupMembership> getGroups(EntityParam entityParam) throws EngineException {
        entityParam.validateInitialization();
        long entityId = this.idResolver.getEntityId(entityParam);
        this.authz.checkAuthorization(this.authz.isSelf(entityId), AuthzCapability.read);
        return getEntityMembershipAsMap(entityId);
    }

    private Map<String, GroupMembership> getEntityMembershipAsMap(long j) throws EngineException {
        List<GroupMembership> entityMembership = this.membershipDAO.getEntityMembership(j);
        HashMap hashMap = new HashMap();
        for (GroupMembership groupMembership : entityMembership) {
            hashMap.put(groupMembership.getGroup(), groupMembership);
        }
        return hashMap;
    }

    @Transactional
    public Collection<Group> getGroupsForPresentation(EntityParam entityParam) throws EngineException {
        entityParam.validateInitialization();
        long entityId = this.idResolver.getEntityId(entityParam);
        this.authz.checkAuthorization(this.authz.isSelf(entityId), AuthzCapability.read);
        return getEntityGroupsLimited(entityId);
    }

    private Set<Group> getEntityGroupsLimited(long j) {
        List entityMembership = this.membershipDAO.getEntityMembership(j);
        Map allAsMap = this.groupDAO.getAllAsMap();
        HashSet hashSet = new HashSet();
        Iterator it = entityMembership.iterator();
        while (it.hasNext()) {
            Group group = (Group) allAsMap.get(((GroupMembership) it.next()).getGroup());
            group.setAttributesClasses(Collections.emptySet());
            group.setAttributeStatements(new AttributeStatement[0]);
            hashSet.add(group);
        }
        return hashSet;
    }

    @Transactional
    public void scheduleEntityChange(EntityParam entityParam, Date date, EntityScheduledOperation entityScheduledOperation) throws EngineException {
        entityParam.validateInitialization();
        long entityId = this.idResolver.getEntityId(entityParam);
        this.authz.checkAuthorization(this.authz.isSelf(entityId), AuthzCapability.identityModify);
        if (entityScheduledOperation == null || date == null || date.getTime() > System.currentTimeMillis()) {
            this.scheduledOperationHelper.setScheduledOperationByAdmin(entityId, date, entityScheduledOperation);
        } else {
            this.scheduledOperationHelper.performScheduledOperation(entityId, entityScheduledOperation);
        }
    }

    @Transactional
    public void scheduleRemovalByUser(EntityParam entityParam, Date date) throws EngineException {
        entityParam.validateInitialization();
        long entityId = this.idResolver.getEntityId(entityParam);
        this.authz.checkAuthorization(this.authz.isSelf(entityId), AuthzCapability.attributeModify);
        if (date.getTime() <= System.currentTimeMillis()) {
            this.scheduledOperationHelper.performScheduledOperation(entityId, EntityScheduledOperation.REMOVE);
        } else {
            this.scheduledOperationHelper.setScheduledRemovalByUser(entityId, date);
        }
    }

    @Transactional
    public void mergeEntities(EntityParam entityParam, EntityParam entityParam2, boolean z) throws EngineException {
        entityParam.validateInitialization();
        entityParam2.validateInitialization();
        this.authz.checkAuthorization(AuthzCapability.identityModify);
        long entityId = this.idResolver.getEntityId(entityParam2);
        long entityId2 = this.idResolver.getEntityId(entityParam);
        mergeIdentities(entityId, entityId2, z);
        mergeMemberships(entityId, entityId2);
        mergeAttributes(entityId, entityId2, z);
        this.entityDAO.deleteByKey(entityId);
    }

    private void mergeAttributes(long j, long j2, boolean z) throws EngineException {
        Collection<AttributeExt> allAttributes = this.attributesHelper.getAllAttributes(j, null, false, null);
        Collection<AttributeExt> allAttributes2 = this.attributesHelper.getAllAttributes(j2, null, false, null);
        HashSet hashSet = new HashSet();
        Iterator<AttributeExt> it = allAttributes2.iterator();
        while (it.hasNext()) {
            hashSet.add(getAttrKey(it.next()));
        }
        Map allAsMap = this.attributeTypeDAO.getAllAsMap();
        Iterator<AttributeExt> it2 = allAttributes.iterator();
        while (it2.hasNext()) {
            Attribute attribute = (AttributeExt) it2.next();
            AttributeType attributeType = (AttributeType) allAsMap.get(attribute.getName());
            if (attribute.getName().startsWith(CredentialAttributeTypeProvider.CREDENTIAL_PREFIX)) {
                copyCredentialAttribute(attribute, hashSet, j2, z);
            } else if (attributeType.isInstanceImmutable()) {
                continue;
            } else if (hashSet.contains(getAttrKey(attribute))) {
                if (z) {
                    throw new MergeConflictException("Attribute " + attribute.getName() + " in group " + attribute.getGroupPath() + " is in conflict");
                }
            } else if (this.acUtil.getACHelper(j2, attribute.getGroupPath()).isAllowed(attribute.getName())) {
                this.attributesHelper.createAttribute(attribute, j2);
            } else if (z) {
                throw new MergeConflictException("Attribute " + attribute.getName() + " in group " + attribute.getGroupPath() + " is in conflict with target's entity attribute classes");
            }
        }
    }

    private void copyCredentialAttribute(AttributeExt attributeExt, Set<String> set, long j, boolean z) throws EngineException {
        if (!set.contains(getAttrKey(attributeExt))) {
            this.attributesHelper.createAttribute(attributeExt, j);
        } else if (z) {
            throw new MergeConflictException("Credential " + attributeExt.getName().substring(CredentialAttributeTypeProvider.CREDENTIAL_PREFIX.length()) + " is in conflict");
        }
    }

    private String getAttrKey(Attribute attribute) {
        return attribute.getGroupPath() + "///" + attribute.getName();
    }

    private void mergeMemberships(long j, long j2) throws EngineException {
        Map<String, GroupMembership> entityMembershipAsMap = getEntityMembershipAsMap(j2);
        Map<String, GroupMembership> entityMembershipAsMap2 = getEntityMembershipAsMap(j);
        EntityParam entityParam = new EntityParam(Long.valueOf(j2));
        entityMembershipAsMap2.keySet().removeAll(entityMembershipAsMap.keySet());
        for (Map.Entry entry : new TreeMap(entityMembershipAsMap2).entrySet()) {
            this.groupHelper.addMemberFromParent((String) entry.getKey(), entityParam, ((GroupMembership) entry.getValue()).getRemoteIdp(), ((GroupMembership) entry.getValue()).getTranslationProfile(), ((GroupMembership) entry.getValue()).getCreationTs());
        }
    }

    private void mergeIdentities(long j, long j2, boolean z) throws EngineException {
        List<Identity> byEntity = this.idDAO.getByEntity(j);
        List byEntity2 = this.idDAO.getByEntity(j2);
        HashSet hashSet = new HashSet();
        Iterator it = byEntity2.iterator();
        while (it.hasNext()) {
            hashSet.add(getIdTypeKeyWithTargetAndRealm((Identity) it.next()));
        }
        for (Identity identity : byEntity) {
            IdentityTypeDefinition identityTypeDefinition = (IdentityTypeDefinition) this.idTypesRegistry.getByName(identity.getTypeId());
            if (identityTypeDefinition.isRemovable()) {
                if (identityTypeDefinition.isDynamic() && hashSet.contains(getIdTypeKeyWithTargetAndRealm(identity))) {
                    if (z) {
                        throw new MergeConflictException("There is conflicting dynamic identity: " + identity);
                    }
                } else {
                    identity.setEntityId(j2);
                    this.idDAO.update(new StoredIdentity(identity));
                    this.auditPublisher.log(AuditEventTrigger.builder().type(AuditEventType.IDENTITY).action(AuditEventAction.UPDATE).name(String.join(":", identity.getTypeId(), identity.getName())).details(ImmutableMap.of("description", "Merged identities", "source", "Entity id " + j, "destination", "Entity id " + j2)).tags(AuditEventTag.USERS));
                }
            }
        }
    }

    private String getIdTypeKeyWithTargetAndRealm(Identity identity) {
        return identity.getTypeId() + "__" + identity.getTarget() + "__" + identity.getRealm();
    }

    private void resetIdentityForEntity(long j, String str, String str2, String str3) throws IllegalTypeException {
        List<StoredIdentity> byEntityFull = this.idDAO.getByEntityFull(j);
        if (!this.idTypeHelper.getTypeDefinition(this.idTypeDAO.get(str)).isDynamic()) {
            throw new IllegalTypeException("Reset is possible for dynamic identity types only");
        }
        for (StoredIdentity storedIdentity : byEntityFull) {
            Identity identity = storedIdentity.getIdentity();
            if (identity.getTypeId().equals(str) && (str2 == null || str2.equals(identity.getRealm()))) {
                if (str3 == null || str3.equals(identity.getTarget())) {
                    this.idDAO.delete(storedIdentity.getName());
                    this.auditPublisher.log(AuditEventTrigger.builder().type(AuditEventType.IDENTITY).action(AuditEventAction.REMOVE).name(String.join(":", identity.getTypeId(), identity.getName())).subject(Long.valueOf(identity.getEntityId())).tags(AuditEventTag.USERS));
                }
            }
        }
    }

    private List<Identity> getIdentitiesForEntity(long j, String str, boolean z) throws IllegalTypeException {
        List<Identity> byEntity = this.idDAO.getByEntity(j);
        ArrayList arrayList = new ArrayList(byEntity.size() + 4);
        for (Identity identity : byEntity) {
            if (identity.getTarget() == null || identity.getTarget().equals(str)) {
                arrayList.add(identity);
            }
        }
        HashSet hashSet = new HashSet();
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            hashSet.add(((Identity) it.next()).getTypeId());
        }
        if (z) {
            this.identityHelper.addDynamic(j, hashSet, arrayList, str);
        }
        return arrayList;
    }

    private void sendNotification(long j, String str) {
        if (str == null) {
            return;
        }
        try {
            EntityParam entityParam = new EntityParam(Long.valueOf(j));
            String entityLabel = getEntityLabel(entityParam);
            HashMap hashMap = new HashMap();
            hashMap.put("user", entityLabel == null ? "" : entityLabel);
            this.notificationProducer.sendNotification(entityParam, str, hashMap, this.cfg.getDefaultLocale().toString(), (String) null, false);
        } catch (Exception e) {
            log.warn("Unable to send notification using template " + str + " to entity " + j, e);
        }
    }
}
