package org.kuali.kfs.sys.rest.resource;

import com.fasterxml.jackson.databind.JsonNode;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.log4j.Logger;
import org.kuali.kfs.kns.service.CfAuthenticationService;
import org.kuali.kfs.kns.service.KNSServiceLocator;
import org.kuali.kfs.krad.UserSession;
import org.kuali.kfs.krad.util.KRADUtils;
import org.kuali.rice.core.api.config.property.ConfigContext;
import org.kuali.rice.core.api.exception.RiceRuntimeException;
import org.kuali.rice.kim.api.KimConstants;
import org.kuali.rice.kim.api.permission.Permission;
import org.kuali.rice.kim.api.services.KimApiServiceLocator;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;

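/**
 * REST endpoints for the "backdoor" feature: letting the currently logged-in
 * user act as another principal in a non-production environment.
 *
 * <p>{@link #login} refuses with 400 whenever
 * {@code ConfigContext.getCurrentContextConfig().isProductionEnvironment()}
 * is true, before reading the request body. {@link #logout} and
 * {@link #findBackdoorId} only clear or report the backdoor state of the
 * session and carry no production guard.
 *
 * <p>Responses are small hand-built JSON documents. Every principal name that
 * is echoed back goes through {@link #jsonString(String)}, so a name containing
 * a quote, backslash or control character cannot break the document.
 */
@Produces({"application/json"})
@Path("/backdoor")
@Consumes({"application/json"})
/* loaded from: input_file:WEB-INF/lib/kfs-core-2017-10-05.jar:org/kuali/kfs/sys/rest/resource/BackdoorResource.class */
public class BackdoorResource {
    private static final Logger LOG = Logger.getLogger(BackdoorResource.class);
    /** Namespace in which the BACKDOOR_RESTRICTION permission template is looked up. */
    private static final String KR_SYS_NAMESPACE = "KR-SYS";
    /** Name of the JSON body field carrying the principal to impersonate. */
    private static final String BACKDOOR_ID_FIELD = "backdoorId";
    /** Resolved lazily by {@link #getCfAuthenticationService()}. */
    private CfAuthenticationService cfAuthenticationService;

    /**
     * Starts a backdoor session as the principal named by the {@code backdoorId}
     * field of the JSON body. The path is the Spring Security default login
     * page URL constant (presumably {@code /login}; confirm against that class).
     *
     * <p>Order of checks: production guard (400, empty body); principal name
     * validation by the authentication service (blank → 400; unknown or
     * not-loginable principal → the session's backdoor state is cleared via
     * {@link #logout}); presence of a session (400); permission of the
     * <em>actual</em> user via {@link #isBackdoorAuthorized} (401); finally the
     * session's object map is cleared and the backdoor user set.
     *
     * @param httpServletRequest the current request, used to locate the user session
     * @param jsonNode parsed request body; may be null or lack the field, both
     *                 of which are treated as an empty backdoor id
     * @return 200 with {@code {"backdoorId": "<name>"}} on success, otherwise a
     *         400/401 with a {@code {"message": ...}} body
     */
    @POST
    @Path(DefaultLoginPageGeneratingFilter.DEFAULT_LOGIN_PAGE_URL)
    public Response login(@Context HttpServletRequest httpServletRequest, JsonNode jsonNode) {
        LOG.debug("login() started");
        if (ConfigContext.getCurrentContextConfig().isProductionEnvironment()) {
            return Response.status(Response.Status.BAD_REQUEST).build();
        }
        String backdoorId = extractBackdoorId(jsonNode);
        UserSession userSession = KRADUtils.getUserSessionFromRequest(httpServletRequest);
        switch (getCfAuthenticationService().validatePrincipalName(backdoorId)) {
            case INVALID_PRINCIPAL_NAME_BLANK:
                return badRequest("BackdoorId was empty");
            case INVALID_PRINCIPAL_DOES_NOT_EXIST:
                LOG.debug("login() Principal does not exist");
                return logout(httpServletRequest);
            case INVALID_PRINCIPAL_CANNOT_LOGIN:
                LOG.debug("login() Principal does not have permissions to back door login");
                return logout(httpServletRequest);
            default:
                // logout() and findBackdoorId() already treat a missing session as a
                // client error; previously this path dereferenced it unconditionally.
                if (userSession == null) {
                    return badRequest("Session was empty");
                }
                if (!isBackdoorAuthorized(userSession)) {
                    return Response.status(Response.Status.UNAUTHORIZED)
                            .entity(messageJson("User not permitted to use backdoor functionality"))
                            .build();
                }
                userSession.clearObjectMap();
                try {
                    userSession.setBackdoorUser(backdoorId);
                    return Response.ok(backdoorIdJson(userSession.getPrincipalName())).build();
                } catch (RiceRuntimeException e) {
                    LOG.warn("invalid backdoor id " + backdoorId, e);
                    return badRequest("Invalid backdoorId");
                }
        }
    }

    /**
     * Ends any backdoor impersonation on the current session.
     *
     * @param httpServletRequest the current request, used to locate the user session
     * @return 200 with a confirmation message, or 400 when no session exists
     */
    @GET
    @Path("/logout")
    public Response logout(@Context HttpServletRequest httpServletRequest) {
        LOG.debug("logout() started");
        UserSession userSession = KRADUtils.getUserSessionFromRequest(httpServletRequest);
        if (userSession == null) {
            return badRequest("Session was empty");
        }
        userSession.clearBackdoorUser();
        return Response.ok(messageJson("Successfully logged out")).build();
    }

    /**
     * Reports the principal currently being impersonated.
     *
     * @param httpServletRequest the current request, used to locate the user session
     * @return 200 with {@code {"backdoorId": "<name>"}}; the name is empty when
     *         there is no session or no backdoor is in use
     */
    @GET
    @Path("/id")
    public Response findBackdoorId(@Context HttpServletRequest httpServletRequest) {
        LOG.debug("findBackdoorId() started");
        UserSession userSession = KRADUtils.getUserSessionFromRequest(httpServletRequest);
        String backdoorId = "";
        if (userSession != null && userSession.isBackdoorInUse()) {
            backdoorId = userSession.getPrincipalName();
        }
        return Response.ok(backdoorIdJson(backdoorId)).build();
    }

    /**
     * Decides whether the actual (non-impersonated) user of {@code userSession}
     * may use the backdoor in this application.
     *
     * <p>The check is opt-in, as in the original implementation: the permission
     * service is only consulted when some KR-SYS permission built on the
     * BACKDOOR_RESTRICTION template carries this application's {@code app.code}
     * among its attribute values. When no such permission exists the method
     * returns {@code true}. The authorization lookup is made at most once rather
     * than once per matching permission; the answer does not depend on which
     * permission matched.
     *
     * @param userSession the current session; must not be null
     * @return whether backdoor use is permitted for the session's actual person
     */
    public boolean isBackdoorAuthorized(UserSession userSession) {
        String appCode = ConfigContext.getCurrentContextConfig().getProperty("app.code");
        HashMap<String, String> qualification = new HashMap<>();
        qualification.put(KimConstants.AttributeConstants.APP_CODE, appCode);

        boolean restrictedForThisApp = false;
        for (Permission permission : KimApiServiceLocator.getPermissionService()
                .findPermissionsByTemplate(KR_SYS_NAMESPACE, KimConstants.PermissionTemplateNames.BACKDOOR_RESTRICTION)) {
            if (permission.getAttributes().values().contains(appCode)) {
                restrictedForThisApp = true;
                break;
            }
        }

        boolean authorized = true;
        if (restrictedForThisApp) {
            authorized = KimApiServiceLocator.getPermissionService().isAuthorizedByTemplate(
                    userSession.getActualPerson().getPrincipalId(),
                    KR_SYS_NAMESPACE,
                    KimConstants.PermissionTemplateNames.BACKDOOR_RESTRICTION,
                    qualification,
                    Collections.emptyMap());
        }
        if (!authorized) {
            // Name the actual person, as the check above did; getPerson() would name the
            // impersonated principal if a backdoor were already active on this session.
            LOG.warn("Attempt to backdoor was made by user: " + userSession.getActualPerson().getPrincipalId()
                    + " into application with app code: " + appCode
                    + " but they do not have appropriate permissions. Backdoor processing aborted.");
        }
        return authorized;
    }

    /**
     * Reads the backdoor id from the request body.
     *
     * @param jsonNode parsed body, possibly null
     * @return the field's text, or "" when the body or the field is absent or JSON null
     */
    private static String extractBackdoorId(JsonNode jsonNode) {
        if (jsonNode == null || !jsonNode.hasNonNull(BACKDOOR_ID_FIELD)) {
            return "";
        }
        return jsonNode.get(BACKDOOR_ID_FIELD).asText();
    }

    /** Builds a 400 response whose body is {@code {"message":"<message>"}}. */
    private static Response badRequest(String message) {
        return Response.status(Response.Status.BAD_REQUEST).entity(messageJson(message)).build();
    }

    /** Renders {@code {"message":"<message>"}}. */
    private static String messageJson(String message) {
        return "{\"message\":" + jsonString(message) + "}";
    }

    /** Renders {@code {"backdoorId": "<id>"}}; a null id is rendered as an empty string. */
    private static String backdoorIdJson(String backdoorId) {
        return "{\"backdoorId\": " + jsonString(backdoorId) + "}";
    }

    /**
     * Renders {@code value} as a quoted JSON string, escaping quote, backslash and
     * control characters so the surrounding document stays well-formed regardless
     * of the principal name's content. A null value renders as {@code ""}.
     */
    private static String jsonString(String value) {
        if (value == null) {
            return "\"\"";
        }
        StringBuilder sb = new StringBuilder(value.length() + 2).append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    sb.append("\\\"");
                    break;
                case '\\':
                    sb.append("\\\\");
                    break;
                case '\n':
                    sb.append("\\n");
                    break;
                case '\r':
                    sb.append("\\r");
                    break;
                case '\t':
                    sb.append("\\t");
                    break;
                default:
                    if (c < 0x20) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('"').toString();
    }

    /**
     * Lazily resolves the authentication service from the KNS service locator.
     * Not synchronized: a duplicate lookup under a race is harmless here and the
     * original made no stronger guarantee.
     */
    private CfAuthenticationService getCfAuthenticationService() {
        if (this.cfAuthenticationService == null) {
            this.cfAuthenticationService = KNSServiceLocator.getCfAuthenticationService();
        }
        return this.cfAuthenticationService;
    }
}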
