package org.exist.xquery.functions.securitymanager;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.tools.ant.DirectoryScanner;
import org.apache.xmlrpc.serializer.MapSerializer;
import org.exist.EXistException;
import org.exist.dom.QName;
import org.exist.security.Account;
import org.exist.security.Group;
import org.exist.security.PermissionDeniedException;
import org.exist.security.SecurityManager;
import org.exist.security.Subject;
import org.exist.storage.DBBroker;
import org.exist.xquery.BasicFunction;
import org.exist.xquery.FunctionSignature;
import org.exist.xquery.XPathException;
import org.exist.xquery.XQueryContext;
import org.exist.xquery.value.BooleanValue;
import org.exist.xquery.value.FunctionParameterSequenceType;
import org.exist.xquery.value.FunctionReturnSequenceType;
import org.exist.xquery.value.Sequence;
import org.exist.xquery.value.SequenceType;
import org.exist.xquery.value.StringValue;
import org.exist.xquery.value.ValueSequence;

/* loaded from: input_file:WEB-INF/lib/exist-core-3.0.RC1.jar:org/exist/xquery/functions/securitymanager/GroupMembershipFunction.class */
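/**
 * Implements the group-membership functions of the {@code sm:} (security manager) XQuery
 * module: {@code add-group-member}, {@code remove-group-member}, {@code get-group-members},
 * {@code add-group-manager}, {@code remove-group-manager}, {@code get-group-managers},
 * {@code is-dba} and {@code set-user-primary-group}.
 *
 * <p>Authorization as actually enforced by {@link #eval}:
 * <ul>
 *   <li>{@code is-dba} and {@code get-group-members} perform <em>no</em> caller check at all:
 *       any caller can learn whether any account holds admin privileges and can list the
 *       members of any group.</li>
 *   <li>Every other function requires the calling subject to be a manager of the named group
 *       or to hold the DBA role; an unauthorized caller gets an {@link XPathException}.</li>
 * </ul>
 * Member additions/removals are written with the broker temporarily switched to the system
 * subject (see {@link #addGroupMembers} / {@link #removeGroupMembers}); the caller's subject is
 * restored in a {@code finally} block. Manager changes and primary-group changes are written
 * under the caller's own subject.
 */
public class GroupMembershipFunction extends BasicFunction {
    private static final QName qnAddGroupMember = new QName("add-group-member", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    private static final QName qnRemoveGroupMember = new QName("remove-group-member", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    private static final QName qnGetGroupMembers = new QName("get-group-members", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    private static final QName qnAddGroupManager = new QName("add-group-manager", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    private static final QName qnRemoveGroupManager = new QName("remove-group-manager", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    private static final QName qnGetGroupManagers = new QName("get-group-managers", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    private static final QName qnIsDba = new QName("is-dba", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);
    private static final QName qnSetPrimaryGroup = new QName("set-user-primary-group", SecurityManagerModule.NAMESPACE_URI, SecurityManagerModule.PREFIX);

    /**
     * Suffix of the "unknown account / unknown group" error messages. Kept local so this class
     * no longer depends on Ant's {@code DirectoryScanner} or XML-RPC's {@code MapSerializer}
     * merely for string constants.
     */
    private static final String DOES_NOT_EXIST_POSTFIX = " does not exist.";

    // NOTE(review): the numeric type/cardinality codes below are inlined constants from
    // org.exist.xquery.value.Type / Cardinality (22 appears to be xs:string, 23 xs:boolean,
    // 10 the empty type; cardinality 2 = exactly one, 6 = one or more, 1 = empty) -- confirm
    // against those classes before changing any of them.
    public static final FunctionSignature FNS_ADD_GROUP_MEMBER = new FunctionSignature(qnAddGroupMember, "Adds a user to a group. Can only be called by a group manager or DBA.", new SequenceType[]{new FunctionParameterSequenceType("group", 22, 2, "The name of the group whoose membership you wish to modify."), new FunctionParameterSequenceType("member", 22, 6, "The user(s) to add to the group membership.")}, new SequenceType(10, 1));
    public static final FunctionSignature FNS_REMOVE_GROUP_MEMBER = new FunctionSignature(qnRemoveGroupMember, "Removes a user from a group. Can only be called by a group manager of DBA.", new SequenceType[]{new FunctionParameterSequenceType("group", 22, 2, "The name of the group whoose membership you wish to modify."), new FunctionParameterSequenceType("member", 22, 6, "The user(s) to remove from the group membership.")}, new SequenceType(10, 1));
    public static final FunctionSignature FNS_GET_GROUP_MEMBERS = new FunctionSignature(qnGetGroupMembers, "Gets a list of the group members.", new SequenceType[]{new FunctionParameterSequenceType("group", 22, 2, "The group name to retrieve the list of members for.")}, new FunctionReturnSequenceType(22, 6, "The list of group members for the group $group"));
    public static final FunctionSignature FNS_ADD_GROUP_MANAGER = new FunctionSignature(qnAddGroupManager, "Adds a manager to a groups managers. Can only be called by a group manager or DBA.", new SequenceType[]{new FunctionParameterSequenceType("group", 22, 2, "The name of the group to which you wish to add a manager(s)."), new FunctionParameterSequenceType("manager", 22, 6, "The user(s) to add to the group managers.")}, new SequenceType(10, 1));
    public static final FunctionSignature FNS_REMOVE_GROUP_MANAGER = new FunctionSignature(qnRemoveGroupManager, "Removes a manager from a groups managers. Can only be called by a group manager of DBA.", new SequenceType[]{new FunctionParameterSequenceType("group", 22, 2, "The name of the group from which you wish to remove a manager(s)"), new FunctionParameterSequenceType("manager", 22, 6, "The user(s) to remove from the group managers.")}, new SequenceType(10, 1));
    public static final FunctionSignature FNS_GET_GROUP_MANAGERS = new FunctionSignature(qnGetGroupManagers, "Gets a list of the group managers. Can only be called by a group manager.", new SequenceType[]{new FunctionParameterSequenceType("group", 22, 2, "The group name to retrieve the list of managers for.")}, new FunctionReturnSequenceType(22, 6, "The list of group managers for the group $group"));
    public static final FunctionSignature FNS_IS_DBA = new FunctionSignature(qnIsDba, "Determines if the user is a DBA.", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The username of the user account to check if they are a member of the DBA group.")}, new FunctionReturnSequenceType(23, 2, "true of the user is a DBA, false otherwise."));
    public static final FunctionSignature FNS_SET_USER_PRIMARY_GROUP = new FunctionSignature(qnSetPrimaryGroup, "Sets the primary group of a user account. If the user is not yet in the group, then they are added to the group first.", new SequenceType[]{new FunctionParameterSequenceType("username", 22, 2, "The name of the user account to set the primary group for."), new FunctionParameterSequenceType("group", 22, 2, "The group to set as the primary group for the user.")}, new SequenceType(10, 1));

    public GroupMembershipFunction(final XQueryContext context, final FunctionSignature signature) {
        super(context, signature);
    }

    /**
     * Dispatches on the name this function instance was invoked under.
     *
     * @param args            the evaluated arguments, in signature order
     * @param contextSequence the context sequence (not used by any of these functions)
     * @return a boolean for {@code is-dba}, a sequence of names for the two {@code get-*}
     *         functions, and the empty sequence for every mutating function
     * @throws XPathException if an argument names a non-existent account or group, if the
     *                        caller is not allowed to perform the operation, if the function
     *                        name is unknown, or wrapping any {@link EXistException} /
     *                        {@link PermissionDeniedException} raised by the security manager
     */
    @Override // org.exist.xquery.BasicFunction
    public Sequence eval(final Sequence[] args, final Sequence contextSequence) throws XPathException {
        final DBBroker broker = getContext().getBroker();
        final Subject caller = broker.getSubject();
        final SecurityManager sm = broker.getBrokerPool().getSecurityManager();
        try {
            if (isCalledAs(qnIsDba.getLocalPart())) {
                // Deliberately unguarded: any caller may ask whether any account is a DBA.
                final String username = args[0].getStringValue();
                if (!sm.hasAccount(username)) {
                    throw new XPathException("The user account with username " + username + DOES_NOT_EXIST_POSTFIX);
                }
                return BooleanValue.valueOf(sm.hasAdminPrivileges(sm.getAccount(username)));
            }
            if (isCalledAs(qnSetPrimaryGroup.getLocalPart())) {
                setPrimaryGroup(sm, caller, args[0].getStringValue(), args[1].getStringValue());
                return Sequence.EMPTY_SEQUENCE;
            }
            return evalGroupFunction(sm, caller, args);
        } catch (final EXistException e) {
            throw new XPathException(this, e);
        } catch (final PermissionDeniedException e) {
            throw new XPathException(this, e);
        }
    }

    /**
     * Implements {@code sm:set-user-primary-group}.
     *
     * <p>Authorization: the caller must manage {@code groupName} or be a DBA. Nothing here ties
     * the caller to {@code username} -- a manager of the target group can re-point the primary
     * group of <em>any</em> existing account -- and the account is written under the caller's
     * own subject (no escalation), so {@code SecurityManager.updateAccount} is the only remaining
     * gate. NOTE(review): confirm that updateAccount rejects writes to accounts the caller may not
     * edit. Whether the account is also added to the group (as the signature text promises) is
     * not visible here; presumably {@code Account.setPrimaryGroup} does it.
     *
     * @throws XPathException if the account or group does not exist or the caller is not a
     *                        manager of the group / DBA
     */
    private void setPrimaryGroup(final SecurityManager sm, final Subject caller, final String username, final String groupName)
            throws XPathException, PermissionDeniedException, EXistException {
        if (!sm.hasAccount(username)) {
            throw new XPathException("The user account with username " + username + DOES_NOT_EXIST_POSTFIX);
        }
        final Group group = requireGroup(sm, groupName);
        requireManagerOrDba(group, caller);
        final Account account = sm.getAccount(username);
        account.setPrimaryGroup(group);
        sm.updateAccount(account);
    }

    /**
     * Implements every function whose first argument is a group name.
     *
     * <p>Only {@code get-group-members} is open to all callers; all others require the caller to
     * be a manager of the group or a DBA. An unrecognised function name is reported only after
     * the group-existence and authorization checks, preserving the original evaluation order.
     */
    private Sequence evalGroupFunction(final SecurityManager sm, final Subject caller, final Sequence[] args)
            throws XPathException, PermissionDeniedException, EXistException {
        final String groupName = args[0].getStringValue();
        final Group group = requireGroup(sm, groupName);
        if (!isCalledAs(qnGetGroupMembers.getLocalPart())) {
            requireManagerOrDba(group, caller);
        }
        if (isCalledAs(qnAddGroupMember.getLocalPart())) {
            addGroupMembers(sm, group, getUsers(sm, args[1]));
            return Sequence.EMPTY_SEQUENCE;
        }
        if (isCalledAs(qnRemoveGroupMember.getLocalPart())) {
            removeGroupMembers(sm, group, getUsers(sm, args[1]));
            return Sequence.EMPTY_SEQUENCE;
        }
        if (isCalledAs(qnGetGroupMembers.getLocalPart())) {
            return toStringSequence(sm.findAllGroupMembers(groupName));
        }
        if (isCalledAs(qnAddGroupManager.getLocalPart())) {
            addGroupManagers(sm, group, getUsers(sm, args[1]));
            return Sequence.EMPTY_SEQUENCE;
        }
        if (isCalledAs(qnRemoveGroupManager.getLocalPart())) {
            removeGroupManagers(sm, group, getUsers(sm, args[1]));
            return Sequence.EMPTY_SEQUENCE;
        }
        if (isCalledAs(qnGetGroupManagers.getLocalPart())) {
            final List<String> managerNames = new ArrayList<>();
            for (final Account manager : group.getManagers()) {
                managerNames.add(manager.getName());
            }
            return toStringSequence(managerNames);
        }
        throw new XPathException("Unknown function call: " + getSignature());
    }

    /** Resolves {@code groupName}, failing with the standard "does not exist" message. */
    private static Group requireGroup(final SecurityManager sm, final String groupName)
            throws XPathException, PermissionDeniedException, EXistException {
        if (!sm.hasGroup(groupName)) {
            throw new XPathException("The user group with name " + groupName + DOES_NOT_EXIST_POSTFIX);
        }
        return sm.getGroup(groupName);
    }

    /**
     * The single authorization rule of this module: the caller must be a manager of
     * {@code group} or hold the DBA role.
     *
     * @throws XPathException if neither condition holds
     */
    private static void requireManagerOrDba(final Group group, final Subject caller)
            throws XPathException, PermissionDeniedException, EXistException {
        if (!group.isManager(caller) && !caller.hasDbaRole()) {
            throw new XPathException("Only a Group Manager or DBA may modify the group or retrieve sensitive group information.");
        }
    }

    /** Wraps a list of strings as an XQuery sequence of {@code xs:string} items. */
    private static Sequence toStringSequence(final List<String> values) throws XPathException {
        final ValueSequence result = new ValueSequence();
        for (final String value : values) {
            result.add(new StringValue(value));
        }
        return result;
    }

    /**
     * Adds each account in {@code members} to {@code group} and persists it.
     *
     * <p>The write is done with the broker switched to the system subject -- presumably because
     * a non-DBA group manager is otherwise not allowed to modify other users' accounts. This is
     * only safe because the caller has already passed {@link #requireManagerOrDba} for this
     * group. The caller's subject is restored in {@code finally} on every path, including a
     * failed update, so a failure cannot leave the broker running as SYSTEM.
     */
    private void addGroupMembers(final SecurityManager sm, final Group group, final List<Account> members)
            throws PermissionDeniedException, EXistException {
        for (final Account member : members) {
            final DBBroker broker = context.getBroker();
            final Subject caller = broker.getSubject();
            try {
                broker.setSubject(sm.getSystemSubject());
                member.addGroup(group);
                sm.updateAccount(member);
            } finally {
                broker.setSubject(caller);
            }
        }
    }

    /**
     * Removes each account in {@code members} from {@code group} and persists it, escalating to
     * the system subject exactly as {@link #addGroupMembers} does.
     *
     * <p>NOTE(review): no check here prevents removing an account from its primary group or
     * stripping the last member of a privileged group; if those invariants matter they must be
     * enforced by {@code Account.remGroup} / {@code updateAccount} -- confirm.
     */
    private void removeGroupMembers(final SecurityManager sm, final Group group, final List<Account> members)
            throws PermissionDeniedException, EXistException {
        for (final Account member : members) {
            final DBBroker broker = context.getBroker();
            final Subject caller = broker.getSubject();
            try {
                broker.setSubject(sm.getSystemSubject());
                member.remGroup(group.getName());
                sm.updateAccount(member);
            } finally {
                broker.setSubject(caller);
            }
        }
    }

    /**
     * Appends {@code managers} to the group's manager list and persists the group. Unlike the
     * member operations this runs under the caller's own subject, so {@code updateGroup} must
     * itself accept a non-DBA group manager as the writer.
     */
    private void addGroupManagers(final SecurityManager sm, final Group group, final List<Account> managers)
            throws PermissionDeniedException, EXistException {
        group.addManagers(managers);
        sm.updateGroup(group);
    }

    /**
     * Removes each of {@code managers} from the group and persists the group (under the caller's
     * subject, see {@link #addGroupManagers}). Nothing stops a manager from removing every
     * manager, including themselves.
     */
    private void removeGroupManagers(final SecurityManager sm, final Group group, final List<Account> managers)
            throws PermissionDeniedException, EXistException {
        for (final Account manager : managers) {
            group.removeManager(manager);
        }
        sm.updateGroup(group);
    }

    /**
     * Resolves a sequence of user names to accounts, in order, without de-duplication.
     *
     * @throws XPathException if any name does not correspond to an existing account
     */
    private static List<Account> getUsers(final SecurityManager sm, final Sequence usernames) throws XPathException {
        final List<Account> accounts = new ArrayList<>(usernames.getItemCount());
        for (int i = 0; i < usernames.getItemCount(); i++) {
            // The parameter is typed xs:string, so read it as a string rather than via toString().
            final String username = usernames.itemAt(i).getStringValue();
            final Account account = sm.getAccount(username);
            if (account == null) {
                throw new XPathException("The user account '" + username + "' does not exist!");
            }
            accounts.add(account);
        }
        return accounts;
    }
}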
