package com.atlassian.jira.rest.v2.issue;

import com.atlassian.annotations.ExperimentalApi;
import com.atlassian.annotations.security.LicensedOnly;
import com.atlassian.crowd.embedded.api.User;
import com.atlassian.crowd.embedded.impl.ImmutableUser;
import com.atlassian.crowd.exception.InvalidCredentialException;
import com.atlassian.crowd.exception.OperationNotPermittedException;
import com.atlassian.crowd.exception.UserNotFoundException;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.jira.application.ApplicationKeys;
import com.atlassian.jira.application.ApplicationRoleManager;
import com.atlassian.jira.avatar.Avatar;
import com.atlassian.jira.avatar.AvatarManager;
import com.atlassian.jira.avatar.AvatarPickerHelper;
import com.atlassian.jira.avatar.AvatarService;
import com.atlassian.jira.bc.ServiceOutcome;
import com.atlassian.jira.bc.ServiceResult;
import com.atlassian.jira.bc.issue.IssueService;
import com.atlassian.jira.bc.issue.fields.ColumnService;
import com.atlassian.jira.bc.project.ProjectAction;
import com.atlassian.jira.bc.project.ProjectService;
import com.atlassian.jira.bc.security.login.LoginInfo;
import com.atlassian.jira.bc.security.login.LoginService;
import com.atlassian.jira.bc.user.UserService;
import com.atlassian.jira.bc.user.search.UserSearchIssueContext;
import com.atlassian.jira.bc.user.search.UserSearchUtilities;
import com.atlassian.jira.config.properties.ApplicationProperties;
import com.atlassian.jira.datetime.DateTimeFormatterFactory;
import com.atlassian.jira.datetime.DateTimeStyle;
import com.atlassian.jira.event.user.UserAvatarUpdatedEvent;
import com.atlassian.jira.exception.CreateException;
import com.atlassian.jira.exception.PermissionException;
import com.atlassian.jira.icon.IconType;
import com.atlassian.jira.issue.Issue;
import com.atlassian.jira.issue.fields.layout.column.ColumnLayout;
import com.atlassian.jira.issue.fields.rest.json.beans.JiraBaseUrls;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.permission.ProjectPermissions;
import com.atlassian.jira.permission.UserSearchConfiguration;
import com.atlassian.jira.plugin.user.PasswordPolicyManager;
import com.atlassian.jira.project.Project;
import com.atlassian.jira.project.ProjectManager;
import com.atlassian.jira.rest.api.http.CacheControl;
import com.atlassian.jira.rest.api.issue.ColumnsBean;
import com.atlassian.jira.rest.api.util.ErrorCollection;
import com.atlassian.jira.rest.exception.BadRequestWebException;
import com.atlassian.jira.rest.exception.ForbiddenWebException;
import com.atlassian.jira.rest.exception.NotAuthorisedWebException;
import com.atlassian.jira.rest.exception.NotFoundWebException;
import com.atlassian.jira.rest.exception.ServerErrorWebException;
import com.atlassian.jira.rest.util.AttachmentHelper;
import com.atlassian.jira.rest.util.ResponseFactory;
import com.atlassian.jira.rest.util.UpdateUserApplicationHelper;
import com.atlassian.jira.rest.v2.admin.applicationrole.ApplicationRoleBeanConverter;
import com.atlassian.jira.rest.v2.issue.users.DuplicatedUsersCountBean;
import com.atlassian.jira.rest.v2.issue.users.DuplicatedUsersHelper;
import com.atlassian.jira.rest.v2.issue.users.DuplicatedUsersMapBeanFactory;
import com.atlassian.jira.rest.v2.issue.users.UserPickerResourceHelper;
import com.atlassian.jira.rest.v2.search.ColumnOptions;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.security.PermissionManager;
import com.atlassian.jira.security.Permissions;
import com.atlassian.jira.security.plugin.ProjectPermissionKey;
import com.atlassian.jira.security.xsrf.XsrfCheckResult;
import com.atlassian.jira.security.xsrf.XsrfInvocationChecker;
import com.atlassian.jira.timezone.TimeZoneManager;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.user.ApplicationUsers;
import com.atlassian.jira.user.DelegatingApplicationUser;
import com.atlassian.jira.user.UserPropertyManager;
import com.atlassian.jira.user.util.UserManager;
import com.atlassian.jira.user.util.UserUtil;
import com.atlassian.jira.util.EmailFormatter;
import com.atlassian.jira.util.ErrorCollection;
import com.atlassian.jira.util.I18nHelper;
import com.atlassian.jira.util.SimpleErrorCollection;
import com.atlassian.jira.web.ExecutingHttpRequest;
import com.atlassian.plugins.rest.api.multipart.FilePart;
import com.atlassian.plugins.rest.api.multipart.MultipartFormParam;
import com.atlassian.plugins.rest.api.security.annotation.AnonymousSiteAccess;
import com.atlassian.plugins.rest.api.security.exception.XsrfCheckFailedException;
import com.atlassian.sal.api.websudo.WebSudoRequired;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.opensymphony.module.propertyset.PropertySet;
import com.opensymphony.util.TextUtils;
import io.atlassian.fugue.Either;
import io.atlassian.fugue.Eithers;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.Parameters;
import io.swagger.v3.oas.annotations.media.Content;
import io.swagger.v3.oas.annotations.media.Schema;
import io.swagger.v3.oas.annotations.parameters.RequestBody;
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import io.swagger.v3.oas.annotations.security.SecurityRequirement;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Path("user")
@Consumes({"application/json"})
@Produces({"application/json"})
@LicensedOnly
/* loaded from: input_file:com/atlassian/jira/rest/v2/issue/UserResource.class */
public class UserResource {
    public static final int DEPRECATION_WARNING_LOG_INTERVAL_MINUTES = 5;
    public static final int DEFAULT_USERS_RETURNED = 50;
    public static final int MAX_USERS_RETURNED = 1000;
    static final String USER_SEARCH_RESULTS_LIMIT = "jira.user.search.maxresults.limit";
    private static final int MAX_LENGTH = 255;
    private volatile long lastLogTime = 0;
    private final UserService userService;
    private final UserUtil userUtil;
    private final UserManager userManager;
    private final PasswordPolicyManager passwordPolicyManager;
    private final I18nHelper i18n;
    private final EmailFormatter emailFormatter;
    private final JiraAuthenticationContext authContext;
    private final TimeZoneManager timeZoneManager;
    private final AvatarService avatarService;
    private final AvatarResourceHelper avatarResourceHelper;
    private final UserPropertyManager userPropertyManager;
    private final PermissionManager permissionManager;
    private final GlobalPermissionManager globalPermissionManager;
    private final ProjectService projectService;
    private final IssueService issueService;
    private final ProjectManager projectManager;
    private final AvatarManager avatarManager;
    private final EventPublisher eventPublisher;
    private final UserPickerResourceHelper userPickerHelper;
    private final JiraBaseUrls jiraBaseUrls;
    private final ColumnService columnService;
    private final XsrfInvocationChecker xsrfChecker;
    private final I18nHelper.BeanFactory beanFactory;
    private final ApplicationRoleManager applicationRoleManager;
    private final ApplicationRoleBeanConverter applicationRoleBeanConverter;
    private final UpdateUserApplicationHelper updateUserApplicationHelper;
    private final ResponseFactory responseFactory;
    private final ApplicationProperties applicationProperties;
    private final DuplicatedUsersHelper duplicatedUsersHelper;
    private final LoginService loginService;
    private final DateTimeFormatterFactory dateTimeFormatterFactory;
    public static final int MAX_USERS_RETURNED_FOR_OPTIMISED_LOOKUP = UserSearchConfiguration.getMaxTopReturnedUsersValue();
    private static final Logger log = LoggerFactory.getLogger(UserResource.class);

    @Inject
    public UserResource(UserService userService, UserUtil userUtil, PasswordPolicyManager passwordPolicyManager, I18nHelper i18nHelper, EmailFormatter emailFormatter, JiraAuthenticationContext jiraAuthenticationContext, TimeZoneManager timeZoneManager, AvatarPickerHelper avatarPickerHelper, AvatarManager avatarManager, AvatarService avatarService, AttachmentHelper attachmentHelper, UserPropertyManager userPropertyManager, PermissionManager permissionManager, GlobalPermissionManager globalPermissionManager, ProjectService projectService, IssueService issueService, ProjectManager projectManager, EventPublisher eventPublisher, UserPickerResourceHelper userPickerResourceHelper, JiraBaseUrls jiraBaseUrls, ColumnService columnService, XsrfInvocationChecker xsrfInvocationChecker, UserManager userManager, I18nHelper.BeanFactory beanFactory, ApplicationRoleManager applicationRoleManager, ApplicationRoleBeanConverter applicationRoleBeanConverter, UpdateUserApplicationHelper updateUserApplicationHelper, ResponseFactory responseFactory, ApplicationProperties applicationProperties, DuplicatedUsersHelper duplicatedUsersHelper, LoginService loginService, DateTimeFormatterFactory dateTimeFormatterFactory) {
        this.userService = userService;
        this.userManager = userManager;
        this.passwordPolicyManager = passwordPolicyManager;
        this.userPropertyManager = userPropertyManager;
        this.permissionManager = permissionManager;
        this.globalPermissionManager = globalPermissionManager;
        this.projectService = projectService;
        this.issueService = issueService;
        this.projectManager = projectManager;
        this.avatarManager = avatarManager;
        this.eventPublisher = eventPublisher;
        this.userPickerHelper = userPickerResourceHelper;
        this.jiraBaseUrls = jiraBaseUrls;
        this.columnService = columnService;
        this.beanFactory = beanFactory;
        this.updateUserApplicationHelper = updateUserApplicationHelper;
        this.responseFactory = responseFactory;
        this.duplicatedUsersHelper = duplicatedUsersHelper;
        this.avatarResourceHelper = new AvatarResourceHelper(jiraAuthenticationContext, avatarManager, avatarService, avatarPickerHelper, attachmentHelper, userManager);
        this.userUtil = userUtil;
        this.i18n = i18nHelper;
        this.emailFormatter = emailFormatter;
        this.authContext = jiraAuthenticationContext;
        this.timeZoneManager = timeZoneManager;
        this.avatarService = avatarService;
        this.xsrfChecker = xsrfInvocationChecker;
        this.applicationRoleManager = applicationRoleManager;
        this.applicationRoleBeanConverter = applicationRoleBeanConverter;
        this.applicationProperties = applicationProperties;
        this.loginService = loginService;
        this.dateTimeFormatterFactory = dateTimeFormatterFactory;
    }

    @GET
    @Operation(summary = "Get user by username or key", description = "Returns a user.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "name", description = "the username", required = true), @Parameter(name = "key", description = "user key"), @Parameter(name = "includeDeleted", description = "whether deleted users should be returned (flag available to users with global ADMIN rights)")})
    @ApiResponses({@ApiResponse(description = "Returns a user.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the caller does not have permission to perform operation.", responseCode = "403"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404")})
    public Response getUser(@QueryParam("username") String str, @QueryParam("key") String str2, @QueryParam("includeDeleted") @DefaultValue("false") boolean z) {
        ApplicationUser loggedInUser = this.authContext.getLoggedInUser();
        if (loggedInUser == null) {
            throw new NotAuthorisedWebException(ErrorCollection.of(this.i18n.getText("rest.authentication.no.user.logged.in")));
        }
        if (z) {
            mustBeAdmin(loggedInUser);
        }
        return Response.ok(buildUserBean(str, str2, z, loggedInUser)).cacheControl(CacheControl.never()).build();
    }

    @GET
    @Path("search")
    @Operation(summary = "Find users by username", description = "Finds users.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "A query string used to search username, name or e-mail address", required = true), @Parameter(name = "startAt", description = "The index of the first user to return (0-based)"), @Parameter(name = "maxResults", description = "The maximum number of users to return (defaults to 50). The maximum allowed value is 1000. If you specify a value that is higher than this number, your search results will be truncated."), @Parameter(name = "includeActive", description = "If true, then active users are included in the results (default true)"), @Parameter(name = "includeInactive", description = "If true, then inactive users are included in the results (default false)"), @Parameter(name = "uriInfo", description = "Context used for creating urls in user objects")})
    @ApiResponses({@ApiResponse(description = "Returns a list of users.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if an invalid parameter value was provided with more details in the response body.", responseCode = "400"), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404")})
    public Response findUsers(@QueryParam("username") String str, @QueryParam("startAt") Integer num, @QueryParam("maxResults") Integer num2, @QueryParam("includeActive") Boolean bool, @QueryParam("includeInactive") Boolean bool2, @Context UriInfo uriInfo) {
        Integer verifyAndAdjustMaxResults = verifyAndAdjustMaxResults(num2);
        Integer verifyAndAdjustStartAt = verifyAndAdjustStartAt(num);
        return Response.ok(makeUserBeans(this.userPickerHelper.limitUserSearch(verifyAndAdjustStartAt, verifyAndAdjustMaxResults, this.userPickerHelper.findUsers(str, bool, bool2, false, null, Integer.valueOf(getSearchLimit(verifyAndAdjustStartAt.intValue(), verifyAndAdjustMaxResults.intValue()))), null))).cacheControl(CacheControl.never()).build();
    }

    private int getSearchLimit(int i, int i2) {
        int i3;
        String defaultBackedString = this.applicationProperties.getDefaultBackedString(USER_SEARCH_RESULTS_LIMIT);
        try {
            i3 = Integer.parseInt(defaultBackedString);
        } catch (NumberFormatException e) {
            log.error("The user search limit value '{}' can't be parsed to an integer, using {} as the limit. Adjust the '{}' property to remove this message.", new Object[]{defaultBackedString, 1000, USER_SEARCH_RESULTS_LIMIT});
            i3 = 1000;
        }
        int i4 = i + i2;
        if (i4 < 0 || i4 > i3) {
            throw new RESTException(Response.Status.BAD_REQUEST, this.authContext.getI18nHelper().getText("rest.user.search.requested.limit.too.big", String.valueOf(i4), String.valueOf(i3)));
        }
        return i4;
    }

    @GET
    @Path("picker")
    @Operation(summary = "Find users for picker by query", description = "Returns a list of users matching query with highlighting.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "query", description = "A string used to search username, Name or e-mail address", required = true), @Parameter(name = "maxResults", description = "The maximum number of users to return (defaults to 50). The maximum allowed value is 1000. If you specify a value that is higher than this number, your search results will be truncated."), @Parameter(name = "showAvatar", description = "If true, then avatars are included in the results"), @Parameter(name = "exclude", description = "List of users to be excluded from the search results")})
    @AnonymousSiteAccess
    @ApiResponses({@ApiResponse(description = "Returns a list of users matching query with highlighting.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserPickerResultsBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404")})
    public Response findUsersForPicker(@QueryParam("query") String str, @QueryParam("maxResults") Integer num, @QueryParam("showAvatar") Boolean bool, @QueryParam("exclude") List<String> list) {
        return Response.ok(this.userPickerHelper.findUsersAsBean(str, num, bool, list)).cacheControl(CacheControl.never()).build();
    }

    @GET
    @Path("assignable/search")
    @Operation(summary = "Find assignable users by username", description = "Returns a list of users that match the search string. This resource cannot be accessed anonymously. Please note that this resource should be called with an issue key when a list of assignable users is retrieved. For create only a project key should be supplied. The list of assignable users may be incorrect if it's called with the project key for editing.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "the username", required = true), @Parameter(name = "issueKey", description = "the issue key for the issue being edited we need to find assignable users for."), @Parameter(name = "projectKey", description = "the key of the project we are finding assignable users for"), @Parameter(name = "maxResults", description = "the maximum number of users to return (defaults to 50). The maximum allowed value is 100. If you specify a value that is higher than this number, your search results will be truncated.")})
    @ApiResponses({@ApiResponse(description = "Returns a list of users that match the search string.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404")})
    public Response findAssignableUsers(@QueryParam("username") String str, @QueryParam("project") String str2, @QueryParam("issueKey") String str3, @QueryParam("maxResults") @DefaultValue("50") Integer num, @QueryParam("actionDescriptorId") Integer num2, @Context UriInfo uriInfo) {
        Integer verifyAndAdjustMaxResults = verifyAndAdjustMaxResults(num, Integer.valueOf(MAX_USERS_RETURNED_FOR_OPTIMISED_LOOKUP));
        return Response.ok(makeUserBeans(this.userPickerHelper.limitUserSearch(0, verifyAndAdjustMaxResults, findAssignableUsers(str, str2, str3, verifyAndAdjustMaxResults.intValue()), null))).cacheControl(CacheControl.never()).build();
    }

    @GET
    @Path("duplicated/count")
    @Operation(summary = "Get duplicated users count", description = "Returns a list of users that match the search string. This resource cannot be accessed anonymously.\nDuplicated means that the user has an account in more than one directory\nand either more than one account is active or the only active account does not belong to the directory\nwith the highest priority.\nThe data returned by this endpoint is cached for 10 minutes and the cache is flushed when any User Directory\nis added, removed, enabled, disabled, or synchronized.\nA System Administrator can also flush the cache manually.\nRelated JAC ticket: https://jira.atlassian.com/browse/JRASERVER-68797", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "flush", description = "if set to true forces cache flush, user must be sysadmin for this parameter to have an effect.")
    @ExperimentalApi
    @ApiResponses({@ApiResponse(description = "Returns a list of users that match the search string.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404")})
    public Response getDuplicatedUsersCount(@QueryParam("flush") boolean z) {
        ApplicationUser loggedInUser = this.authContext.getLoggedInUser();
        mustBeAdmin(loggedInUser);
        if (this.globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, loggedInUser) && z) {
            this.duplicatedUsersHelper.flushCache();
        }
        return Response.ok(new DuplicatedUsersCountBean(this.duplicatedUsersHelper.getDuplicatedUserToDirectoryMapping().userCount())).build();
    }

    @GET
    @Path("duplicated/list")
    @Operation(summary = "Get duplicated users mapping", description = "Returns duplicated users mapped to their directories with an indication if their accounts are active or not.\nDuplicated means that the user has an account in more than one directory and either more than one account is active\nor the only active account does not belong to the directory with the highest priority.\nThe data returned by this endpoint is cached for 10 minutes and the cache is flushed when any User Directory\nis added, removed, enabled, disabled, or synchronized.\nA System Administrator can also flush the cache manually.\nRelated JAC ticket: https://jira.atlassian.com/browse/JRASERVER-68797", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "flush", description = "if set to true forces cache flush, user must be sysadmin for this parameter to have an effect.")
    @ExperimentalApi
    @ApiResponses({@ApiResponse(description = "Returns all avatars which are visible for the currently logged in user.", responseCode = "200", content = {@Content(schema = @Schema(implementation = AvatarBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if user is not an admin.", responseCode = "403"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404")})
    public Response getDuplicatedUsersMapping(@QueryParam("flush") boolean z) {
        ApplicationUser loggedInUser = this.authContext.getLoggedInUser();
        mustBeAdmin(loggedInUser);
        if (this.globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, loggedInUser) && z) {
            this.duplicatedUsersHelper.flushCache();
        }
        return Response.ok(DuplicatedUsersMapBeanFactory.getBean(this.duplicatedUsersHelper.getDuplicatedUserToDirectoryMapping())).build();
    }

    @Operation(summary = "Create new user", description = "Create user. By default created user will not be notified with email. If password field is not set then password will be randomly generated.", security = {@SecurityRequirement(name = "basic")})
    @POST
    @WebSudoRequired
    @RequestBody(description = "User details", required = true, content = {@Content(schema = @Schema(implementation = UserWriteBean.class), mediaType = "application/json")})
    @ExperimentalApi
    @ApiResponses({@ApiResponse(description = "Returned if the user was created.", responseCode = "201", content = {@Content(schema = @Schema(implementation = UserWriteBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the request is invalid.", responseCode = "400"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the caller user does not have permission to create the user.", responseCode = "403"), @ApiResponse(description = "Returned if the user was not created because of other error.", responseCode = "500")})
    public Response createUser(UserWriteBean userWriteBean) {
        ApplicationUser user = this.authContext.getUser();
        mustBeAdmin(user);
        UserService.CreateUserRequest sendNotification = UserService.CreateUserRequest.withUserDetails(user, userWriteBean.getName(), userWriteBean.getPassword(), userWriteBean.getEmailAddress(), userWriteBean.getDisplayName()).confirmPassword(userWriteBean.getPassword()).sendNotification(userWriteBean.getNotification() != null && Boolean.parseBoolean(userWriteBean.getNotification()));
        if (userWriteBean.getApplicationKeys() != null) {
            ImmutableList copyOf = ImmutableList.copyOf(Iterables.transform(userWriteBean.getApplicationKeys(), ApplicationKeys.TO_APPLICATION_KEY));
            ImmutableList copyOf2 = ImmutableList.copyOf(Iterables.transform(Eithers.filterLeft(copyOf), str -> {
                return this.i18n.getText("application.role.rest.bad.key", str);
            }));
            if (!copyOf2.isEmpty()) {
                throw new BadRequestWebException(ErrorCollection.of((Collection<String>) copyOf2));
            }
            sendNotification = sendNotification.withApplicationAccess(ImmutableSet.copyOf(Eithers.filterRight(copyOf)));
        }
        UserService.CreateUserValidationResult validateCreateUser = this.userService.validateCreateUser(sendNotification);
        if (!validateCreateUser.isValid()) {
            throw new BadRequestWebException(ErrorCollection.of(validateCreateUser.getErrorCollection()));
        }
        try {
            this.userService.createUser(validateCreateUser);
            UserBean buildUserBean = buildUserBean(userWriteBean.getName(), null, false, user);
            return Response.status(Response.Status.CREATED).location(buildUserBean.getSelf()).entity(buildUserBean).cacheControl(CacheControl.never()).build();
        } catch (CreateException e) {
            throw new ServerErrorWebException(ErrorCollection.of(e.getLocalizedMessage()));
        } catch (PermissionException e2) {
            throw new ForbiddenWebException(ErrorCollection.of(this.i18n.getText("error.no-permission")));
        }
    }

    @Operation(summary = "Update user details", description = "Modify user. The 'value' fields present will override the existing value. Fields skipped in request will not be changed.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "the username", required = true), @Parameter(name = "key", description = "user key")})
    @WebSudoRequired
    @RequestBody(description = "User details", required = true, content = {@Content(schema = @Schema(implementation = UserWriteBean.class), mediaType = "application/json")})
    @ExperimentalApi
    @PUT
    @ApiResponses({@ApiResponse(description = "Returned if the user exists and the caller has permission to edit it.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserWriteBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the request is invalid.", responseCode = "400"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the caller user does not have permission to edit the user.", responseCode = "403"), @ApiResponse(description = "Returned if the caller does have permission to edit the user but the user does not exist.", responseCode = "404")})
    public Response updateUser(@QueryParam("username") String str, @QueryParam("key") String str2, UserWriteBean userWriteBean) {
        ApplicationUser user = this.authContext.getUser();
        mustBeAdmin(user);
        if (StringUtils.isBlank(userWriteBean.getName()) && StringUtils.isBlank(userWriteBean.getEmailAddress()) && StringUtils.isBlank(userWriteBean.getDisplayName()) && Objects.isNull(userWriteBean.isActive())) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("rest.myself.error.no.value.found.to.be.changed")));
        }
        if (StringUtils.length(userWriteBean.getDisplayName()) > MAX_LENGTH) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("rest.myself.error.field.too.long", "displayName", Integer.toString(MAX_LENGTH))));
        }
        if (StringUtils.length(userWriteBean.getEmailAddress()) > MAX_LENGTH) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("rest.myself.error.field.too.long", "emailAddress", Integer.toString(MAX_LENGTH))));
        }
        if (StringUtils.isNotBlank(userWriteBean.getEmailAddress()) && !TextUtils.verifyEmail(userWriteBean.getEmailAddress())) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("admin.errors.invalid.email")));
        }
        ApplicationUser userByUsernameOrKey = getUserByUsernameOrKey(str, str2, false);
        ImmutableUser.Builder newUser = ImmutableUser.newUser(userByUsernameOrKey.getDirectoryUser());
        newUser.name((String) StringUtils.defaultIfBlank(userWriteBean.getName(), userByUsernameOrKey.getName()));
        newUser.emailAddress((String) StringUtils.defaultIfBlank(userWriteBean.getEmailAddress(), userByUsernameOrKey.getEmailAddress()));
        newUser.displayName((String) StringUtils.defaultIfBlank(userWriteBean.getDisplayName(), userByUsernameOrKey.getDisplayName()));
        newUser.active(((Boolean) Optional.ofNullable(userWriteBean.isActive()).orElse(Boolean.valueOf(userByUsernameOrKey.isActive()))).booleanValue());
        UserService.UpdateUserValidationResult validateUpdateUser = this.userService.validateUpdateUser(new DelegatingApplicationUser(userByUsernameOrKey.getId(), userByUsernameOrKey.getKey(), newUser.toUser()));
        if (!validateUpdateUser.isValid()) {
            throw new BadRequestWebException(ErrorCollection.of(validateUpdateUser.getErrorCollection()));
        }
        this.userService.updateUser(validateUpdateUser);
        return Response.ok(buildUserBean(null, userByUsernameOrKey.getKey(), false, user)).cacheControl(CacheControl.never()).build();
    }

    @Path("password")
    @Operation(summary = "Update user password", description = "Modify user password.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "the username", required = true), @Parameter(name = "key", description = "user key")})
    @WebSudoRequired
    @RequestBody(description = "Password details", required = true, content = {@Content(schema = @Schema(implementation = PasswordBean.class), mediaType = "application/json")})
    @ExperimentalApi
    @PUT
    @ApiResponses({@ApiResponse(description = "Returned if the user exists and the caller has permission to edit it.", responseCode = "204"), @ApiResponse(description = "Returned if the request is invalid.", responseCode = "400"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the caller does not have permission to change the user password.", responseCode = "403"), @ApiResponse(description = "Returned if the caller does have permission to change user password but the user does not exist.", responseCode = "404")})
    public Response changeUserPassword(@QueryParam("username") String str, @QueryParam("key") String str2, PasswordBean passwordBean) {
        ApplicationUser user = this.authContext.getUser();
        mustBeAdmin(user);
        ApplicationUser userByUsernameOrKey = getUserByUsernameOrKey(str, str2, false);
        nonSysAdminCannotModifySysAdmin(user, userByUsernameOrKey);
        String password = passwordBean.getPassword();
        if (StringUtils.isBlank(password)) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("changepassword.new.password.required")));
        }
        if (!this.passwordPolicyManager.checkPolicy(userByUsernameOrKey, (String) null, password).isEmpty()) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("changepassword.new.password.rejected")));
        }
        try {
            this.userUtil.changePassword(userByUsernameOrKey, password);
            return Response.noContent().cacheControl(CacheControl.never()).build();
        } catch (OperationNotPermittedException | PermissionException e) {
            throw new ForbiddenWebException(ErrorCollection.of(this.i18n.getText("admin.errors.cannot.edit.user.directory.read.only")));
        } catch (InvalidCredentialException e2) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("changepassword.new.password.rejected")));
        } catch (UserNotFoundException e3) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("changepassword.could.not.find.user")));
        }
    }

    @DELETE
    @Operation(summary = "Delete user", description = "Removes user and its references (like project roles associations, watches, history). Note: user references will not be removed if multiple User Directories are used and there is a user with the same name existing in another directory (shadowing user).", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "the username", required = true), @Parameter(name = "key", description = "user key")})
    @WebSudoRequired
    @ExperimentalApi
    @ApiResponses({@ApiResponse(description = "Returned if the user was deleted successfully.", responseCode = "204"), @ApiResponse(description = "Returned if the request is invalid or some other server error occurred.", responseCode = "400"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the caller does not have permission to remove the user.", responseCode = "403"), @ApiResponse(description = "Returned if the caller does have permission to remove user but the user does not exist.", responseCode = "404")})
    public Response removeUser(@QueryParam("username") String str, @QueryParam("key") String str2) {
        ApplicationUser user = this.authContext.getUser();
        mustBeAdmin(user);
        UserService.DeleteUserValidationResult validateDeleteUser = this.userService.validateDeleteUser(user, getUserByUsernameOrKey(str, str2, false));
        if (!validateDeleteUser.isValid()) {
            throw new BadRequestWebException(ErrorCollection.of(validateDeleteUser.getErrorCollection()));
        }
        try {
            this.userService.removeUser(user, validateDeleteUser);
            return Response.noContent().cacheControl(CacheControl.never()).build();
        } catch (Exception e) {
            throw new BadRequestWebException(ErrorCollection.of(validateDeleteUser.getErrorCollection()));
        }
    }

    private void mustBeAdmin(ApplicationUser applicationUser) {
        if (applicationUser == null) {
            throw new NotAuthorisedWebException(ErrorCollection.of(this.i18n.getText("rest.authentication.no.user.logged.in")));
        }
        if (!this.permissionManager.hasPermission(0, applicationUser)) {
            throw new ForbiddenWebException(ErrorCollection.of(this.i18n.getText("rest.authorization.admin.required")));
        }
    }

    private void nonSysAdminCannotModifySysAdmin(ApplicationUser applicationUser, ApplicationUser applicationUser2) {
        boolean hasPermission = this.permissionManager.hasPermission(44, applicationUser);
        if (this.permissionManager.hasPermission(44, applicationUser2) && !hasPermission) {
            throw new ForbiddenWebException(ErrorCollection.of(this.i18n.getText("error.no-permission")));
        }
    }

    private List<ApplicationUser> findAssignableUsers(String str, String str2, String str3, int i) {
        ApplicationUser loggedInUser = this.authContext.getLoggedInUser();
        UserSearchIssueContext issueContext = getIssueContext(str3, str2);
        if (checkLoggedUserPermission(loggedInUser, issueContext, ProjectPermissions.ASSIGN_ISSUES)) {
            return this.userPickerHelper.findTopAssignableUsers(str, issueContext, Integer.valueOf(i), true);
        }
        throw new NotAuthorisedWebException();
    }

    private boolean checkLoggedUserPermission(ApplicationUser applicationUser, UserSearchIssueContext userSearchIssueContext, ProjectPermissionKey projectPermissionKey) {
        return this.permissionManager.hasPermission(projectPermissionKey, userSearchIssueContext.getProject(), applicationUser);
    }

    @GET
    @Path("viewissue/search")
    @Operation(summary = "Find users with browse permission", description = "Returns a list of active users that match the search string. This resource cannot be accessed anonymously and requires the Browse Users global permission. Given an issue key this resource will provide a list of users that match the search string and have the browse issue permission for the issue provided.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "the username filter, no users returned if left blank", required = true), @Parameter(name = "issueKey", description = "the issue key for the issue being edited we need to find viewable users for."), @Parameter(name = "projectKey", description = "the optional project key to search for users with if no issueKey is supplied."), @Parameter(name = "maxResults", description = "the maximum number of users to return (defaults to 50). The maximum allowed value is 100. If you specify a value that is higher than this number, your search results will be truncated.")})
    @ApiResponses({@ApiResponse(description = "Returns a list of users that match the search string.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if no project or issue key was provided", responseCode = "400"), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the requested issue or project is not found.", responseCode = "404")})
    public Response findUsersWithBrowsePermission(@QueryParam("username") String str, @QueryParam("issueKey") String str2, @QueryParam("projectKey") String str3, @QueryParam("maxResults") Integer num, @Context UriInfo uriInfo) {
        Integer verifyAndAdjustMaxResults = verifyAndAdjustMaxResults(num, Integer.valueOf(MAX_USERS_RETURNED_FOR_OPTIMISED_LOOKUP));
        return Response.ok(makeUserBeans(this.userPickerHelper.limitUserSearch(0, verifyAndAdjustMaxResults, this.userPickerHelper.findUsersWithBrowsePermission(str, getIssueContext(str2, str3), verifyAndAdjustMaxResults, false), null))).cacheControl(CacheControl.never()).build();
    }

    @VisibleForTesting
    List<ApplicationUser> findUsersWithPermission(Iterable<Integer> iterable, String str, Either<Project, Issue> either, boolean z, Integer num) {
        return this.userPickerHelper.findUsers(str, true, false, z, (Predicate) either.fold(project -> {
            return createProjectPredicate(iterable, project);
        }, issue -> {
            return createIssuePredicate(iterable, issue);
        }), num);
    }

    @VisibleForTesting
    UserSearchIssueContext getIssueContext(String str, String str2) {
        if (StringUtils.isNotBlank(str)) {
            IssueService.IssueResult issue = this.issueService.getIssue(this.authContext.getUser(), str);
            if (issue.isValid()) {
                return UserSearchIssueContext.create(issue.getIssue());
            }
            throw new RESTException(Response.Status.NOT_FOUND, ErrorCollection.of(issue.getErrorCollection()));
        }
        if (!StringUtils.isNotBlank(str2)) {
            throw createWebException(this.authContext.getI18nHelper().getText("rest.must.provide.project.or.issue"), ErrorCollection.Reason.VALIDATION_FAILED);
        }
        Project projectObjByKey = this.projectManager.getProjectObjByKey(str2);
        if (projectObjByKey == null) {
            throw new RESTException(Response.Status.NOT_FOUND, com.atlassian.jira.rest.api.util.ErrorCollection.of(this.authContext.getI18nHelper().getText("rest.must.provide.valid.project")));
        }
        return UserSearchIssueContext.createForNewIssue(Collections.singleton(projectObjByKey));
    }

    @VisibleForTesting
    Either<Project, Issue> getIssueOrProject(String str, String str2) {
        if (StringUtils.isNotBlank(str)) {
            IssueService.IssueResult issue = this.issueService.getIssue(this.authContext.getUser(), str);
            if (issue.isValid()) {
                return Either.right(issue.getIssue());
            }
            throw new RESTException(Response.Status.NOT_FOUND, com.atlassian.jira.rest.api.util.ErrorCollection.of(issue.getErrorCollection()));
        }
        if (!StringUtils.isNotBlank(str2)) {
            throw createWebException(this.authContext.getI18nHelper().getText("rest.must.provide.project.or.issue"), ErrorCollection.Reason.VALIDATION_FAILED);
        }
        Project projectObjByKey = this.projectManager.getProjectObjByKey(str2);
        if (projectObjByKey == null) {
            throw new RESTException(Response.Status.NOT_FOUND, com.atlassian.jira.rest.api.util.ErrorCollection.of(this.authContext.getI18nHelper().getText("rest.must.provide.valid.project")));
        }
        return Either.left(projectObjByKey);
    }

    @VisibleForTesting
    Predicate<User> createProjectPredicate(Iterable<Integer> iterable, Project project) {
        return user -> {
            Iterator it = iterable.iterator();
            while (it.hasNext()) {
                if (!this.permissionManager.hasPermission(new ProjectPermissionKey(((Integer) it.next()).intValue()), project, ApplicationUsers.from(user), true)) {
                    return false;
                }
            }
            return true;
        };
    }

    @VisibleForTesting
    Predicate<User> createIssuePredicate(Iterable<Integer> iterable, Issue issue) {
        return user -> {
            Iterator it = iterable.iterator();
            while (it.hasNext()) {
                if (!this.permissionManager.hasPermission(((Integer) it.next()).intValue(), issue, ApplicationUsers.from(user))) {
                    return false;
                }
            }
            return true;
        };
    }

    private Integer verifyAndAdjustMaxResults(Integer num, Integer num2) {
        if (num == null) {
            return 50;
        }
        if (num.intValue() > num2.intValue()) {
            return num2;
        }
        if (num.intValue() < 0) {
            throw new RESTException(Response.Status.BAD_REQUEST, this.authContext.getI18nHelper().getText("rest.negative.maxresults", num));
        }
        return num;
    }

    private Integer verifyAndAdjustMaxResults(Integer num) {
        return verifyAndAdjustMaxResults(num, 1000);
    }

    private Integer verifyAndAdjustStartAt(Integer num) {
        if (num == null) {
            return 0;
        }
        if (num.intValue() < 0) {
            throw new RESTException(Response.Status.BAD_REQUEST, this.authContext.getI18nHelper().getText("rest.negative.startat", num));
        }
        return num;
    }

    @GET
    @Path("permission/search")
    @Deprecated
    @Operation(summary = "Find users with all specified permissions", description = "Returns a list of active users that match the search string and have all specified permissions for the project or issue. This resource can be accessed by users with ADMINISTER_PROJECT permission for the project or global ADMIN or SYSADMIN rights. This endpoint can cause serious performance issues and will be removed in Jira 9.0.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "the username filter, list includes all users if unspecified", required = true), @Parameter(name = "permissions", description = "comma separated list of permissions for project or issue returned users must have"), @Parameter(name = "issueKey", description = "the issue key for the issue for which returned users have specified permissions."), @Parameter(name = "projectKey", description = "the optional project key to search for users with if no issueKey is supplied."), @Parameter(name = "startAt", description = "the index of the first user to return (0-based)"), @Parameter(name = "maxResults", description = "the maximum number of users to return (defaults to 50). The maximum allowed value is 1000. If you specify a value that is higher than this number, your search results will be truncated.")})
    @ApiResponses({@ApiResponse(description = "Returns a list of users that match the search string.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if no project or issue key was provided or when permissions list is empty or contains an invalid entry", responseCode = "400"), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the current user does not have admin rights for the project.", responseCode = "403"), @ApiResponse(description = "Returned if the requested issue or project is not found.", responseCode = "404")})
    public Response findUsersWithAllPermissions(@QueryParam("username") String str, @QueryParam("permissions") String str2, @QueryParam("issueKey") String str3, @QueryParam("projectKey") String str4, @QueryParam("startAt") Integer num, @QueryParam("maxResults") Integer num2) {
        logDeprecationWarningRespectingMinimumInterval();
        if (StringUtils.isBlank(str2)) {
            throw new RESTException(Response.Status.BAD_REQUEST, this.authContext.getI18nHelper().getText("rest.missing.permission.string"));
        }
        Integer verifyAndAdjustMaxResults = verifyAndAdjustMaxResults(num2);
        Integer verifyAndAdjustStartAt = verifyAndAdjustStartAt(num);
        Either<Project, Issue> issueOrProject = getIssueOrProject(str3, str4);
        Project project = (Project) issueOrProject.left().on((v0) -> {
            return v0.getProjectObject();
        });
        ApplicationUser user = this.authContext.getUser();
        if (this.permissionManager.hasPermission(44, user) || this.permissionManager.hasPermission(0, user) || this.permissionManager.hasPermission(ProjectPermissions.ADMINISTER_PROJECTS, project, user)) {
            return Response.ok(makeUserBeans(this.userPickerHelper.limitUserSearch(verifyAndAdjustStartAt, verifyAndAdjustMaxResults, findUsersWithPermission(parsePermissions(str2), str, issueOrProject, true, Integer.valueOf(verifyAndAdjustStartAt.intValue() + verifyAndAdjustMaxResults.intValue())), null))).cacheControl(CacheControl.never()).build();
        }
        throw new ForbiddenWebException();
    }

    private synchronized void logDeprecationWarningRespectingMinimumInterval() {
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis - this.lastLogTime >= TimeUnit.MINUTES.toMillis(5L)) {
            log.warn("Endpoint /rest/user/permission/search can cause serious performance issues and will be removed in Jira 9.0.");
            this.lastLogTime = currentTimeMillis;
        }
    }

    @VisibleForTesting
    ImmutableList<Integer> parsePermissions(String str) {
        return ImmutableList.copyOf(Iterables.transform(ImmutableList.copyOf(StringUtils.split(str, ",")), str2 -> {
            try {
                return Integer.valueOf(Permissions.Permission.valueOf(str2).getId());
            } catch (IllegalArgumentException e) {
                throw new RESTException(Response.Status.BAD_REQUEST, this.authContext.getI18nHelper().getText("rest.invalid.permission.string", str2));
            }
        }));
    }

    @GET
    @Path("assignable/multiProjectSearch")
    @Operation(summary = "Find bulk assignable users", description = "Returns a list of users that match the search string and can be assigned issues for all the given projects.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "the username", required = true), @Parameter(name = "projectKeys", description = "the keys of the projects we are finding assignable users for, comma-separated"), @Parameter(name = "maxResults", description = "the maximum number of users to return (defaults to 50). The maximum allowed value is 100. If you specify a value that is higher than this number, your search results will be truncated."), @Parameter(name = "uriInfo", description = "Context used for constructing user objects")})
    @AnonymousSiteAccess
    @ApiResponses({@ApiResponse(description = "Returns a list of users that match the search string.", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404"), @ApiResponse(description = "Returned if the current user has no permission to browse project.", responseCode = "403")})
    public Response findBulkAssignableUsers(@QueryParam("username") String str, @QueryParam("projectKeys") String str2, @QueryParam("maxResults") @DefaultValue("50") Integer num, @Context UriInfo uriInfo) {
        if (StringUtils.isBlank(str2)) {
            throw new RESTException(Response.Status.BAD_REQUEST, this.authContext.getI18nHelper().getText("rest.missing.field", "projectKeys"));
        }
        String[] split = str2.split(",");
        ArrayList arrayList = new ArrayList(split.length);
        for (String str3 : split) {
            ProjectService.GetProjectResult projectByKeyForAction = this.projectService.getProjectByKeyForAction(this.authContext.getUser(), str3, ProjectAction.VIEW_PROJECT);
            if (projectByKeyForAction.getErrorCollection().hasAnyErrors()) {
                return Response.status(Response.Status.NOT_FOUND).entity(com.atlassian.jira.rest.api.util.ErrorCollection.of(projectByKeyForAction.getErrorCollection())).cacheControl(CacheControl.never()).build();
            }
            if (this.permissionManager.hasPermission(ProjectPermissions.ASSIGN_ISSUES, projectByKeyForAction.getProject(), this.authContext.getLoggedInUser())) {
                arrayList.add(projectByKeyForAction.getProject());
            }
        }
        Integer verifyAndAdjustMaxResults = verifyAndAdjustMaxResults(num, Integer.valueOf(MAX_USERS_RETURNED_FOR_OPTIMISED_LOOKUP));
        int min = (int) Math.min(2147483647L, verifyAndAdjustMaxResults.intValue() + 100);
        return Response.ok(makeUserBeans(this.userPickerHelper.limitUserSearch(0, verifyAndAdjustMaxResults, (List) arrayList.stream().map(project -> {
            return findAssignableUsers(str, project.getKey(), null, min);
        }).reduce(UserSearchUtilities::intersectionRespectingLowerUsername).orElseGet(ImmutableList::of), null))).cacheControl(CacheControl.never()).build();
    }

    @GET
    @Path("avatars")
    @Operation(summary = "Get all avatars for user", description = "Returns all avatars which are visible for the currently logged in user.", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "username", description = "username", required = true)
    @ApiResponses({@ApiResponse(description = "Returns a map containing a list of avatars for both custom an system avatars", responseCode = "200", content = {@Content(schema = @Schema(implementation = AvatarBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if an error occurs while retrieving the list of avatars.", responseCode = "500"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404")})
    public Map<String, List<AvatarBean>> getAllAvatars(@QueryParam("username") String str) {
        ApplicationUser applicationUser = getApplicationUser(str);
        Long l = null;
        Avatar avatar = this.avatarService.getAvatar(this.authContext.getUser(), applicationUser);
        if (avatar != null) {
            l = avatar.getId();
        }
        return this.avatarResourceHelper.getAllAvatars(IconType.USER_ICON_TYPE, applicationUser.getKey(), l);
    }

    @Path("avatar")
    @Operation(summary = "Create avatar from temporary", description = "Converts temporary avatar into a real avatar", security = {@SecurityRequirement(name = "basic")})
    @POST
    @Parameter(name = "username", description = "username", required = true)
    @RequestBody(description = "Cropping instructions", required = true, content = {@Content(schema = @Schema(implementation = AvatarCroppingBean.class), mediaType = "application/json")})
    @ApiResponses({@ApiResponse(description = "Returns created avatar", responseCode = "201", content = {@Content(schema = @Schema(implementation = AvatarBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the cropping coordinates are invalid", responseCode = "400"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the currently authenticated user does not have permission to pick avatar", responseCode = "403"), @ApiResponse(description = "Returned if user from parameter does not exist", responseCode = "404"), @ApiResponse(description = "Returned if an error occurs while converting temporary avatar to real avatar", responseCode = "500")})
    public Response createAvatarFromTemporary(@QueryParam("username") String str, AvatarCroppingBean avatarCroppingBean) {
        XsrfCheckResult checkWebRequestInvocation = this.xsrfChecker.checkWebRequestInvocation(ExecutingHttpRequest.get());
        if (checkWebRequestInvocation.isRequired() && !checkWebRequestInvocation.isValid()) {
            throw new XsrfCheckFailedException();
        }
        return this.avatarResourceHelper.createAvatarFromTemporary(IconType.USER_ICON_TYPE, getApplicationUser(str).getKey(), avatarCroppingBean);
    }

    @Path("avatar")
    @Operation(summary = "Update user avatar", description = "Updates the avatar for the user.", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "username", description = "username", required = true)
    @RequestBody(description = "New avatar details", required = true, content = {@Content(schema = @Schema(implementation = AvatarBean.class), mediaType = "application/json")})
    @PUT
    @ApiResponses({@ApiResponse(description = "Returns updated avatar", responseCode = "200", content = {@Content(schema = @Schema(implementation = AvatarBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the avatar details are invalid", responseCode = "400"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the currently authenticated user does not have permission to update avatar", responseCode = "403"), @ApiResponse(description = "Returned if user from parameter does not exist", responseCode = "404"), @ApiResponse(description = "Returned if an error occurs while updating the avatar", responseCode = "500")})
    public Response updateUserAvatar(@QueryParam("username") String str, AvatarBean avatarBean) {
        Long l;
        Long valueOf;
        ApplicationUser applicationUser = getApplicationUser(str);
        PropertySet propertySet = this.userPropertyManager.getPropertySet(applicationUser);
        String id = avatarBean.getId();
        if (id == null) {
            valueOf = null;
        } else {
            try {
                valueOf = Long.valueOf(id);
            } catch (NumberFormatException e) {
                l = null;
            }
        }
        l = valueOf;
        if (!this.avatarManager.hasPermissionToEdit(this.authContext.getUser(), applicationUser)) {
            throw new ForbiddenWebException();
        }
        propertySet.setLong("user.avatar.id", l.longValue());
        this.eventPublisher.publish(new UserAvatarUpdatedEvent(applicationUser, l));
        return Response.status(Response.Status.NO_CONTENT).cacheControl(CacheControl.never()).build();
    }

    @Path("avatar/temporary")
    @Operation(summary = "Store temporary avatar", description = "Creates temporary avatar. Creating a temporary avatar is part of a 3-step process in uploading a new\navatar for a user: upload, crop, confirm.\nThe following examples shows these three steps using curl.\nThe cookies (session) need to be preserved between requests, hence the use of -b and -c.\nThe id created in step 2 needs to be passed to step 3\n(you can simply pass the whole response of step 2 as the request of step 3).\ncurl -c cookiejar.txt -X POST -u admin:admin -H \"X-Atlassian-Token: no-check\" \\\n  -H \"Content-Type: image/png\" --data-binary @mynewavatar.png \\\n  'http://localhost:8090/jira/rest/api/2/user/avatar/temporary?username=admin&amp;filename=mynewavatar.png'\ncurl -b cookiejar.txt -X POST -u admin:admin -H \"X-Atlassian-Token: no-check\" \\\n  -H \"Content-Type: application/json\" --data '{\"cropperWidth\": \"65\",\"cropperOffsetX\": \"10\",\"cropperOffsetY\": \"16\"}' \\\n  -o tmpid.json \\\n  http://localhost:8090/jira/rest/api/2/user/avatar?username=admin\ncurl -b cookiejar.txt -X PUT -u admin:admin -H \"X-Atlassian-Token: no-check\" \\\n  -H \"Content-Type: application/json\" --data-binary @tmpid.json \\\n  http://localhost:8090/jira/rest/api/2/user/avatar?username=admin", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "username", required = true), @Parameter(name = "filename", description = "name of file being uploaded", required = true), @Parameter(name = "size", description = "size of file", required = true)})
    @POST
    @RequestBody(description = "The file data", required = true, content = {@Content(mediaType = "application/octet-stream")})
    @Consumes({"*/*"})
    @ApiResponses({@ApiResponse(description = "Returns temporary avatar cropping instructions", responseCode = "201", content = {@Content(schema = @Schema(implementation = AvatarCroppingBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the currently authenticated user does not have permission to store the avatar or XSRF token is invalid.", responseCode = "403"), @ApiResponse(description = "Returned if the user passed in parameter does not exist.", responseCode = "404"), @ApiResponse(description = "Returned if an error occurs while converting temporary avatar to real avatar", responseCode = "500")})
    public Response storeTemporaryAvatar(@QueryParam("username") String str, @QueryParam("filename") String str2, @QueryParam("size") Long l, @Context HttpServletRequest httpServletRequest) {
        XsrfCheckResult checkWebRequestInvocation = this.xsrfChecker.checkWebRequestInvocation(ExecutingHttpRequest.get());
        if (checkWebRequestInvocation.isRequired() && !checkWebRequestInvocation.isValid()) {
            throw new XsrfCheckFailedException();
        }
        return this.avatarResourceHelper.storeTemporaryAvatar(IconType.USER_ICON_TYPE, getApplicationUser(str).getKey(), str2, l, httpServletRequest);
    }

    @Path("avatar/temporary")
    @Operation(summary = "Store temporary avatar using multipart", description = "Creates temporary avatar using multipart. The response is sent back as JSON stored in a textarea. This is because the client uses remote iframing to submit avatars using multipart. So we must send them a valid HTML page back from which the client parses the JSON from.\nCreating a temporary avatar is part of a 3-step process in uploading a new avatar for a user: upload, crop, confirm. This endpoint allows you to use a multipart upload instead of sending the image directly as the request body.\nYou *must* use \"avatar\" as the name of the upload parameter:\ncurl -c cookiejar.txt -X POST -u admin:admin -H \"X-Atlassian-Token: no-check\" \\\n  -F \"avatar=@mynewavatar.png;type=image/png\" \\\n  'http://localhost:8090/jira/rest/api/2/user/avatar/temporary?username=admin'", security = {@SecurityRequirement(name = "basic")})
    @POST
    @RequestBody(description = "The file data", required = true, content = {@Content(mediaType = "multipart/form-data")})
    @Consumes({"multipart/form-data"})
    @Produces({"text/html"})
    @Parameter(name = "username", description = "username", required = true)
    @ApiResponses({@ApiResponse(description = "Returns temporary avatar cropping instructions embeded in HTML page. Error messages will also be embeded in the page.", responseCode = "201", content = {@Content(schema = @Schema(implementation = AvatarCroppingBean.class), mediaType = "text/html")}), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the currently authenticated user does not have permission to store the avatar or XSRF token is invalid.", responseCode = "403"), @ApiResponse(description = "Returned if user does NOT exist", responseCode = "404"), @ApiResponse(description = "Returned if an error occurs while converting temporary avatar to real avatar", responseCode = "500")})
    public Response storeTemporaryAvatarUsingMultiPart(@QueryParam("username") String str, @MultipartFormParam("avatar") FilePart filePart, @Context HttpServletRequest httpServletRequest) {
        XsrfCheckResult checkWebRequestInvocation = this.xsrfChecker.checkWebRequestInvocation(ExecutingHttpRequest.get());
        if (checkWebRequestInvocation.isRequired() && !checkWebRequestInvocation.isValid()) {
            throw new XsrfCheckFailedException();
        }
        return this.avatarResourceHelper.storeTemporaryAvatarUsingMultiPart(IconType.USER_ICON_TYPE, getApplicationUser(str).getKey(), filePart, httpServletRequest);
    }

    @Path("avatar/{id}")
    @DELETE
    @Operation(summary = "Delete avatar", description = "Deletes avatar", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "username", required = true), @Parameter(name = "id", description = "database id for avatar", required = true)})
    @ApiResponses({@ApiResponse(description = "Returned if the avatar is successfully deleted.", responseCode = "204"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the currently authenticated user does not have permission to delete the avatar.", responseCode = "403"), @ApiResponse(description = "Returned if the avatar does not exist.", responseCode = "404")})
    public Response deleteAvatar(@QueryParam("username") String str, @PathParam("id") Long l) {
        return this.avatarResourceHelper.deleteAvatar(l);
    }

    @GET
    @Path("columns")
    @Operation(summary = "Get default columns for user", description = "Returns the default columns for the given user. Admin permission will be required to get columns for a user other than the currently logged in user.", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "username", description = "username", required = true)
    @ApiResponses({@ApiResponse(description = "Returns a list of columns for configured for the given user", responseCode = "200", content = {@Content(schema = @Schema(implementation = ColumnOptions.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the current user is not permitted to request the columns for the given user.", responseCode = "401"), @ApiResponse(description = "Returned if the requested user is not found.", responseCode = "404"), @ApiResponse(description = "Returned if an error occurs while retrieving the column configuration.", responseCode = "500")})
    public Response defaultColumns(@QueryParam("username") String str) {
        ApplicationUser user = this.authContext.getUser();
        ServiceOutcome columnLayout = this.columnService.getColumnLayout(user, str == null ? user : getApplicationUser(str));
        if (columnLayout.isValid()) {
            return Response.ok(ColumnOptions.toColumnOptions(((ColumnLayout) columnLayout.getReturnedValue()).getColumnLayoutItems())).cacheControl(CacheControl.never()).build();
        }
        throw new RESTException(com.atlassian.jira.rest.api.util.ErrorCollection.of(columnLayout.getErrorCollection()));
    }

    @Path("columns")
    @Operation(summary = "Set default columns for user", description = "Sets the default columns for the given user. Admin permission will be required to get columns for a user other than the currently logged in user.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "username", required = true), @Parameter(name = "columns", description = "list of column ids", required = true)})
    @AnonymousSiteAccess
    @Consumes({"application/x-www-form-urlencoded"})
    @PUT
    @ApiResponses({@ApiResponse(description = "Returned when the columns is saved successfully", responseCode = "200"), @ApiResponse(description = "Returned if an error occurs while retrieving the column configuration.", responseCode = "500")})
    public Response setColumnsUrlEncoded(@FormParam("username") String str, @FormParam("columns") List<String> list) {
        ApplicationUser user = this.authContext.getUser();
        ServiceResult columns = this.columnService.setColumns(user, str == null ? user : getApplicationUser(str), list);
        if (columns.isValid()) {
            return Response.ok().cacheControl(CacheControl.never()).build();
        }
        throw new RESTException(com.atlassian.jira.rest.api.util.ErrorCollection.of(columns.getErrorCollection()));
    }

    @Path("columns")
    @Operation(summary = "Set columns for logged in user", description = "Sets the default columns for the currently logged in user.", security = {@SecurityRequirement(name = "basic")})
    @RequestBody(description = "List of column ids", required = true, content = {@Content(schema = @Schema(implementation = ColumnsBean.class), mediaType = "application/json")})
    @AnonymousSiteAccess
    @Consumes({"application/json"})
    @PUT
    @ApiResponses({@ApiResponse(description = "Returned when the columns are saved successfully", responseCode = "200"), @ApiResponse(description = "Returned if an error occurs while setting the column configuration.", responseCode = "500")})
    public Response setColumns(ColumnsBean columnsBean) {
        ApplicationUser loggedInUser = this.authContext.getLoggedInUser();
        ServiceResult columns = this.columnService.setColumns(loggedInUser, loggedInUser, columnsBean.getColumns());
        if (columns.isValid()) {
            return Response.ok().cacheControl(CacheControl.never()).build();
        }
        throw new RESTException(com.atlassian.jira.rest.api.util.ErrorCollection.of(columns.getErrorCollection()));
    }

    @Path("columns")
    @Consumes({"*/*"})
    @DELETE
    @Operation(summary = "Reset default columns to system default", description = "Reset the default columns for the given user to the system default. Admin permission will be required to get columns for a user other than the currently logged in user.", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "username", description = "username", required = true)
    @ApiResponses({@ApiResponse(description = "Returned when the columns are reset successfully", responseCode = "204"), @ApiResponse(description = "Returned if the current user is not permitted to request the columns for the given user.", responseCode = "401"), @ApiResponse(description = "Returned if an error occurs while resetting the column configuration.", responseCode = "500")})
    public Response resetColumns(@QueryParam("username") String str) {
        ApplicationUser user = this.authContext.getUser();
        ServiceResult resetColumns = this.columnService.resetColumns(user, str == null ? user : getApplicationUser(str));
        if (resetColumns.isValid()) {
            return Response.noContent().cacheControl(CacheControl.never()).build();
        }
        throw new RESTException(com.atlassian.jira.rest.api.util.ErrorCollection.of(resetColumns.getErrorCollection()));
    }

    @Path("application")
    @Operation(summary = "Add user to application", description = "Add user to given application. Admin permission will be required to perform this operation.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "username", required = true), @Parameter(name = "applicationKey", description = "application key", required = true)})
    @POST
    @WebSudoRequired
    @ExperimentalApi
    @ApiResponses({@ApiResponse(description = "Returned if the user exists, the caller has permission to add user to application and user was successfully added to application.", responseCode = "200"), @ApiResponse(description = "Returned if the request is invalid.", responseCode = "400"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the caller user does not have permission to add user to application.", responseCode = "403")})
    public Response addUserToApplication(@QueryParam("username") String str, @QueryParam("applicationKey") String str2) {
        UpdateUserApplicationHelper.ApplicationUpdateResult addUserToApplication = this.updateUserApplicationHelper.addUserToApplication(str, str2);
        return !addUserToApplication.isValid() ? this.responseFactory.errorResponse(addUserToApplication.getErrorCollection()) : Response.ok().cacheControl(CacheControl.never()).build();
    }

    @Path("application")
    @DELETE
    @Operation(summary = "Remove user from application", description = "Remove user from given application. Admin permission will be required to perform this operation.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "username", description = "username", required = true), @Parameter(name = "applicationKey", description = "application key", required = true)})
    @WebSudoRequired
    @ExperimentalApi
    @ApiResponses({@ApiResponse(description = "Returned if the user exists, the caller has permission to remove user from application and the user was successfully removed from application.", responseCode = "204"), @ApiResponse(description = "Returned if the request is invalid.", responseCode = "400"), @ApiResponse(description = "Returned if the user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the caller user does not have permission to remove user from application.", responseCode = "403")})
    public Response removeUserFromApplication(@QueryParam("username") String str, @QueryParam("applicationKey") String str2) {
        UpdateUserApplicationHelper.ApplicationUpdateResult removeUserFromApplication = this.updateUserApplicationHelper.removeUserFromApplication(str, str2);
        return !removeUserFromApplication.isValid() ? this.responseFactory.errorResponse(removeUserFromApplication.getErrorCollection()) : this.responseFactory.noContent();
    }

    private UserBean buildUserBean(String str, String str2, boolean z, ApplicationUser applicationUser) {
        ApplicationUser userByUsernameOrKey = getUserByUsernameOrKey(str, str2, z);
        String username = userByUsernameOrKey.getUsername();
        return UserBeanBuilder.fullBuilder(this.jiraBaseUrls, this.emailFormatter, this.avatarService, this.beanFactory, this.userManager, applicationUser).user(userByUsernameOrKey).groups(new ArrayList(this.userUtil.getGroupNamesForUser(username))).timeZone(this.timeZoneManager.getTimeZoneforUser(userByUsernameOrKey)).applicationRoles(this.applicationRoleManager.getRolesForUser(userByUsernameOrKey)).lastLoginTime(getFormattedLastLoginTime(username)).buildFull(this.applicationRoleBeanConverter);
    }

    private ApplicationUser getUserByUsernameOrKey(String str, String str2, boolean z) {
        if (str == null && str2 == null) {
            throw new RESTException(Response.Status.NOT_FOUND, com.atlassian.jira.rest.api.util.ErrorCollection.of(this.i18n.getText("rest.user.error.no.username.or.key.param")));
        }
        if (str != null && str2 != null) {
            throw new RESTException(Response.Status.BAD_REQUEST, com.atlassian.jira.rest.api.util.ErrorCollection.of(this.i18n.getText("rest.user.error.too.many.params")));
        }
        ApplicationUser userByKeyEvenWhenUnknown = z ? str2 != null ? this.userManager.getUserByKeyEvenWhenUnknown(str2) : this.userManager.getUserByNameEvenWhenUnknown(str) : str2 != null ? this.userManager.getUserByKey(str2) : this.userManager.getUserByName(str);
        if (userByKeyEvenWhenUnknown == null) {
            if (str != null) {
                throw new NotFoundWebException(com.atlassian.jira.rest.api.util.ErrorCollection.of(this.i18n.getText("rest.user.error.not.found", str)));
            }
            throw new NotFoundWebException(com.atlassian.jira.rest.api.util.ErrorCollection.of(this.i18n.getText("rest.user.error.not.found.with.key", str2)));
        }
        if (z) {
            if ((this.userManager.isUserExisting(userByKeyEvenWhenUnknown) || this.userManager.isUserDeleted(userByKeyEvenWhenUnknown)) ? false : true) {
                if (str != null) {
                    throw new NotFoundWebException(com.atlassian.jira.rest.api.util.ErrorCollection.of(this.i18n.getText("rest.user.error.not.found", str)));
                }
                throw new NotFoundWebException(com.atlassian.jira.rest.api.util.ErrorCollection.of(this.i18n.getText("rest.user.error.not.found.with.key", str2)));
            }
        }
        return userByKeyEvenWhenUnknown;
    }

    private ApplicationUser getApplicationUser(String str) {
        if (str == null) {
            throw new RESTException(Response.Status.BAD_REQUEST, com.atlassian.jira.rest.api.util.ErrorCollection.of(this.i18n.getText("rest.user.error.no.username.param")));
        }
        ApplicationUser userByName = this.userManager.getUserByName(str);
        if (userByName == null) {
            throw new NotFoundWebException(com.atlassian.jira.rest.api.util.ErrorCollection.of(this.i18n.getText("rest.user.error.not.found", str)));
        }
        return userByName;
    }

    private List<UserBean> makeUserBeans(Collection<ApplicationUser> collection) {
        ArrayList arrayList = new ArrayList(collection.size());
        for (ApplicationUser applicationUser : collection) {
            arrayList.add(UserBeanBuilder.midBuilder(this.jiraBaseUrls, this.emailFormatter, this.beanFactory, this.userManager, this.authContext.getLoggedInUser()).user(applicationUser).timeZone(this.timeZoneManager.getTimeZoneforUser(applicationUser)).buildMid());
        }
        return arrayList;
    }

    private String getFormattedLastLoginTime(String str) {
        Long lastLoginTime;
        LoginInfo loginInfo = this.loginService.getLoginInfo(str);
        return (loginInfo == null || (lastLoginTime = loginInfo.getLastLoginTime()) == null) ? "" : this.dateTimeFormatterFactory.formatter().forLoggedInUser().withStyle(DateTimeStyle.ISO_8601_DATE_TIME).format(new Date(lastLoginTime.longValue()));
    }

    private RESTException createWebException(String str, ErrorCollection.Reason reason) {
        SimpleErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        simpleErrorCollection.addErrorMessage(str, reason);
        return new RESTException(com.atlassian.jira.rest.api.util.ErrorCollection.of((com.atlassian.jira.util.ErrorCollection) simpleErrorCollection));
    }
}
