package org.rhq.enterprise.server.auth;

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ejb.Timeout;
import javax.ejb.Timer;
import javax.ejb.TimerConfig;
import javax.ejb.TimerService;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.interceptor.ExcludeDefaultInterceptors;
import javax.persistence.EntityExistsException;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import javax.persistence.PersistenceContext;
import javax.persistence.Query;
import javax.security.auth.login.LoginContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.crypto.CryptoUtil;
import org.jboss.security.auth.callback.UsernamePasswordHandler;
import org.rhq.core.domain.auth.Principal;
import org.rhq.core.domain.auth.Subject;
import org.rhq.core.domain.authz.Permission;
import org.rhq.core.domain.authz.Role;
import org.rhq.core.domain.common.composite.SystemSetting;
import org.rhq.core.domain.common.composite.SystemSettings;
import org.rhq.core.domain.configuration.Configuration;
import org.rhq.core.domain.configuration.PropertySimple;
import org.rhq.core.domain.criteria.RoleCriteria;
import org.rhq.core.domain.criteria.SavedSearchCriteria;
import org.rhq.core.domain.criteria.SubjectCriteria;
import org.rhq.core.domain.resource.group.ResourceGroup;
import org.rhq.core.domain.search.SavedSearch;
import org.rhq.core.domain.server.PersistenceUtility;
import org.rhq.core.domain.util.PageControl;
import org.rhq.core.domain.util.PageList;
import org.rhq.enterprise.server.RHQConstants;
import org.rhq.enterprise.server.alert.AlertNotificationManagerLocal;
import org.rhq.enterprise.server.authz.AuthorizationManagerLocal;
import org.rhq.enterprise.server.authz.PermissionException;
import org.rhq.enterprise.server.authz.RequiredPermission;
import org.rhq.enterprise.server.authz.RoleManagerLocal;
import org.rhq.enterprise.server.content.RepoManagerLocal;
import org.rhq.enterprise.server.core.CustomJaasDeploymentServiceMBean;
import org.rhq.enterprise.server.exception.LoginException;
import org.rhq.enterprise.server.resource.group.LdapGroupManagerLocal;
import org.rhq.enterprise.server.resource.group.ResourceGroupManagerLocal;
import org.rhq.enterprise.server.search.SavedSearchManagerLocal;
import org.rhq.enterprise.server.system.SystemManagerLocal;
import org.rhq.enterprise.server.util.CriteriaQueryGenerator;
import org.rhq.enterprise.server.util.CriteriaQueryRunner;

@Stateless
/* loaded from: input_file:org/rhq/enterprise/server/auth/SubjectManagerBean.class */
public class SubjectManagerBean implements SubjectManagerLocal, SubjectManagerRemote {

    // JPA entity manager for the RHQ persistence unit; Subject and Principal rows are read and written through it.
    @PersistenceContext(unitName = RHQConstants.PERSISTENCE_UNIT_NAME)
    private EntityManager entityManager;

    // Answers the permission and system-superuser questions asked by the methods below.
    @EJB
    private AuthorizationManagerLocal authorizationManager;

    // Used by deleteUsers to delete the resource groups a removed subject owned.
    @EJB
    private ResourceGroupManagerLocal resourceGroupManager;

    // LDAP lookups: available groups, role assignment and user details for LDAP-backed subjects.
    @EJB
    private LdapGroupManagerLocal ldapManager;

    // Source of the system settings that decide whether LDAP authentication/authorization is on.
    @EJB
    private SystemManagerLocal systemManager;

    // Used by deleteUsers to clean up alert notifications that reference a removed subject.
    @EJB
    private AlertNotificationManagerLocal alertNotificationManager;

    // Role queries and role assignment for subjects.
    @EJB
    private RoleManagerLocal roleManager;

    // Used by deleteUsers to drop repo ownership held by a removed subject.
    @EJB
    private RepoManagerLocal repoManager;

    // Used by deleteUsers to remove the saved searches of a removed subject.
    @EJB
    private SavedSearchManagerLocal savedSearchManager;

    // Container timer service; drives the periodic session purge.
    @Resource
    private TimerService timerService;
    private final Log log = LogFactory.getLog(SubjectManagerBean.class);
    // Obtained from SessionManager.getInstance(); holds the login sessions and the overlord subject.
    private SessionManager sessionManager = SessionManager.getInstance();

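    /**
     * Cancels every timer currently registered with this bean's timer service and then creates one
     * non-persistent interval timer with a first delay and period of one minute. The
     * {@code @Timeout} method of this bean, {@link #purgeTimedOutSessions()}, is the timer callback.
     *
     * <p>Cancellation is best effort: a timer that cannot be cancelled is logged (with the
     * exception) and skipped, so the new purge timer is still created.</p>
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public void scheduleSessionPurgeJob() {
        // Initial delay and repeat interval of the purge timer, in milliseconds.
        final long purgeIntervalMillis = 60000L;
        for (Timer timer : this.timerService.getTimers()) {
            this.log.debug("Found timer - attempting to cancel: " + timer.toString());
            try {
                timer.cancel();
            } catch (Exception e) {
                // Keep going, but record why the cancel failed instead of dropping the exception.
                this.log.warn("Failed in attempting to cancel timer: " + timer.toString(), e);
            }
        }
        // TimerConfig(info=null, persistent=false): the timer carries no payload and is not persisted.
        this.timerService.createIntervalTimer(purgeIntervalMillis, purgeIntervalMillis,
            new TimerConfig((Serializable) null, false));
    }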

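    /**
     * Timer callback that asks the session manager to drop timed-out sessions.
     *
     * <p>Every {@link Throwable} is caught and logged so that a failing purge never propagates out
     * of the timer callback; expired sessions that were not purged are retried on the next tick.
     * The throwable is passed to the logger so the stack trace is kept, not only its
     * {@code toString()}.</p>
     */
    @Timeout
    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    public void purgeTimedOutSessions() {
        try {
            this.sessionManager.purgeTimedOutSessions();
        } catch (Throwable th) {
            this.log.error("Failed to purge timed out sessions - will try again later. Cause: " + th, th);
        }
    }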

    /**
     * Loads the subject with the given id and touches its user-configuration properties and its
     * roles before returning it.
     *
     * <p>The {@code size()} calls discard their result; presumably they only exist to initialize
     * lazily loaded collections while the persistence context is open (confirm against the entity
     * mapping).</p>
     *
     * @param num primary key of the subject to load
     * @return the loaded subject
     * @throws NullPointerException if no subject has that id, because the lookup result is
     *         dereferenced without a null check
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject loadUserConfiguration(Integer num) {
        final Subject loaded = this.entityManager.find(Subject.class, num);

        final Configuration preferences = loaded.getUserConfiguration();
        if (preferences != null) {
            if (preferences.getProperties() != null) {
                preferences.getProperties().size();
            }
        }

        if (loaded.getRoles() != null) {
            loaded.getRoles().size();
        }
        return loaded;
    }

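    /**
     * Updates a subject's own attributes. Roles, LDAP roles and owned groups are always taken from
     * the stored row, so this method cannot be used to change role or group membership.
     *
     * <p>Authorization as visible here: a caller may update itself; updating anyone else requires
     * the explicit global {@code MANAGE_SECURITY} permission. A system superuser can never be
     * deactivated.</p>
     *
     * <p>NOTE(review): unlike the three-argument overload, this path does not reject a changed
     * username, and every other field of {@code subject2} supplied by the caller is merged as is.
     * Confirm that this is intended for self-service updates.</p>
     *
     * @param subject  the caller
     * @param subject2 the subject carrying the new values; its id selects the row to update
     * @return the merged, managed subject
     * @throws PermissionException      if the caller may not update {@code subject2} or tries to
     *                                  disable a system superuser
     * @throws IllegalArgumentException if no subject with that id exists (previously this surfaced
     *                                  as a {@link NullPointerException})
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public Subject updateSubject(Subject subject, Subject subject2) {
        Set<Permission> callerPermissions = this.authorizationManager.getExplicitGlobalPermissions(subject);
        if (!subject.equals(subject2) && !callerPermissions.contains(Permission.MANAGE_SECURITY)) {
            throw new PermissionException("You [" + subject.getName() + "] do not have permission to update user [" + subject2.getName() + "].");
        }
        if (this.authorizationManager.isSystemSuperuser(subject2) && !subject2.getFactive()) {
            throw new PermissionException("You cannot disable system user [" + subject2.getName() + "] - it must always be active.");
        }

        Subject stored = this.entityManager.find(Subject.class, Integer.valueOf(subject2.getId()));
        if (stored == null) {
            // Same contract as the three-argument overload: an unknown id is a caller error.
            throw new IllegalArgumentException("No user exists with id [" + subject2.getId() + "].");
        }

        // Overwrite whatever membership the caller sent with the persisted membership.
        subject2.setRoles(stored.getRoles());
        subject2.setLdapRoles(stored.getLdapRoles());
        subject2.setOwnedGroups(stored.getOwnedGroups());
        return this.entityManager.merge(subject2);
    }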

    /**
     * Persists a new subject and creates a password principal for it.
     *
     * <p>NOTE(review): this overload carries no {@code @RequiredPermission} in this listing, and
     * {@code createPrincipal} is reached through a direct call on {@code this}, which does not
     * normally pass through container interceptors. Confirm where the permission check for callers
     * of this method is enforced.</p>
     *
     * <p>NOTE(review): unlike the two-argument overload, roles, LDAP roles and owned groups on
     * {@code subject2} are not cleared before persisting. Confirm that callers cannot pre-assign
     * membership this way.</p>
     *
     * @param subject  the caller
     * @param subject2 the subject to create
     * @param str      the clear-text password for the new principal
     * @return {@code subject2} after it has been persisted
     * @throws EntityExistsException if a subject with that name already exists
     * @throws SubjectException      if {@code subject2} is flagged as a system subject, or the
     *                               principal cannot be created
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject createSubject(Subject subject, Subject subject2, String str) throws SubjectException, EntityExistsException {
        final Subject existing = getSubjectByName(subject2.getName());
        if (existing != null) {
            throw new EntityExistsException("A user named [" + subject2.getName() + "] already exists.");
        }

        final boolean flaggedAsSystem = subject2.getFsystem();
        if (flaggedAsSystem) {
            throw new SubjectException("Cannot create new system users: " + subject2.getName());
        }

        this.entityManager.persist(subject2);
        createPrincipal(subject, subject2.getName(), str);
        return subject2;
    }

    /**
     * Updates a subject and, optionally, its roles and password.
     *
     * <p>Checks, in the order they run:</p>
     * <ol>
     *   <li>a caller may update itself; anyone else needs the explicit global
     *       {@code MANAGE_SECURITY} permission;</li>
     *   <li>a system superuser cannot be deactivated;</li>
     *   <li>the subject must exist and its username must be unchanged;</li>
     *   <li>if the submitted roles differ from the stored ones, the new assignment is handed to
     *       the role manager with the caller as actor (any authorization for that step happens in
     *       the role manager, not here);</li>
     *   <li>a change to the LDAP roles requires {@code MANAGE_SECURITY} and is refused for users
     *       that have a password principal;</li>
     *   <li>a password can only be set for users that have a password principal.</li>
     * </ol>
     *
     * @param subject  the caller
     * @param subject2 the subject carrying the new values
     * @param str      new clear-text password, or {@code null} to leave the password alone
     * @return the merged, managed subject
     * @throws PermissionException      if one of the authorization checks above fails
     * @throws IllegalArgumentException if the subject does not exist, the username was changed, or
     *                                  a password was supplied for a user without a principal
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject updateSubject(Subject subject, Subject subject2, String str) {
        final boolean callerManagesSecurity = this.authorizationManager.getExplicitGlobalPermissions(subject).contains(Permission.MANAGE_SECURITY);
        if (!subject.equals(subject2) && !callerManagesSecurity) {
            throw new PermissionException("You [" + subject.getName() + "] do not have permission to update user [" + subject2.getName() + "].");
        }

        final boolean targetIsSuperuser = this.authorizationManager.isSystemSuperuser(subject2);
        if (!subject2.getFactive() && targetIsSuperuser) {
            throw new PermissionException("You cannot disable the system user [" + subject2.getName() + "].");
        }

        final Subject stored = getSubjectById(subject2.getId());
        if (stored == null) {
            throw new IllegalArgumentException("No user exists with id [" + subject2.getId() + "].");
        }
        if (!stored.getName().equals(subject2.getName())) {
            throw new IllegalArgumentException("You cannot change a user's username.");
        }

        // Regular roles: only call the role manager when the submitted set differs from the stored one.
        Set submittedRoles = subject2.getRoles();
        if (submittedRoles != null) {
            Set storedRoles = new HashSet((Collection) this.roleManager.findRolesBySubject(subject2.getId(), PageControl.getUnlimitedInstance()));
            boolean sameRoles = submittedRoles.containsAll(storedRoles) && storedRoles.containsAll(submittedRoles);
            if (!sameRoles) {
                int[] roleIds = new int[submittedRoles.size()];
                int next = 0;
                for (Object role : submittedRoles) {
                    roleIds[next++] = ((Role) role).getId();
                }
                this.roleManager.setAssignedSubjectRoles(subject, subject2.getId(), roleIds);
            }
        }

        // LDAP roles: a missing set is treated as "no LDAP roles" and compared with the stored ones.
        Set submittedLdapRoles = subject2.getLdapRoles();
        if (submittedLdapRoles == null) {
            submittedLdapRoles = Collections.emptySet();
        }
        RoleCriteria ldapRoleCriteria = new RoleCriteria();
        ldapRoleCriteria.addFilterLdapSubjectId(Integer.valueOf(subject2.getId()));
        ldapRoleCriteria.clearPaging();
        PageList<Role> storedLdapRoles = this.roleManager.findRolesByCriteria(subject, ldapRoleCriteria);
        final boolean ldapRolesChanged = !(storedLdapRoles.containsAll(submittedLdapRoles) && submittedLdapRoles.containsAll(storedLdapRoles));

        final boolean hasPasswordPrincipal = isUserWithPrincipal(subject2.getName());
        if (ldapRolesChanged) {
            if (!callerManagesSecurity) {
                throw new PermissionException("You cannot change the LDAP roles assigned to [" + subject2.getName() + "] - only a user with the MANAGE_SECURITY permission can do so.");
            }
            if (hasPasswordPrincipal) {
                throw new PermissionException("You cannot set LDAP roles on non-LDAP user [" + subject2.getName() + "].");
            }
        }

        if (str != null) {
            // A user without a Principal row is treated as an LDAP user; its password lives elsewhere.
            if (!isUserWithPrincipal(subject2.getName())) {
                throw new IllegalArgumentException("You cannot set a password for an LDAP user.");
            }
            changePasswordInternal(subject2.getName(), str);
        }
        return this.entityManager.merge(subject2);
    }

    /**
     * Returns the overlord subject held by the session manager.
     *
     * <p>Within this class the overlord is used as the acting subject for internal lookups and for
     * registering LDAP users, so the returned object should be treated as a privileged credential
     * and not handed to untrusted callers.</p>
     *
     * @return the session manager's overlord subject
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject getOverlord() {
        final Subject overlord = this.sessionManager.getOverlord();
        return overlord;
    }

    /**
     * Looks up a subject by name using a strict name filter, executed as the overlord.
     *
     * <p>NOTE(review): the method takes no caller subject and queries as the overlord, and the
     * override note lists the remote interface as well. Confirm how remote callers of this method
     * are authenticated and whether returning a full {@link Subject} for any name is acceptable.</p>
     *
     * @param str the username to look for
     * @return the first matching subject, or {@code null} if there is none
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public Subject getSubjectByName(String str) {
        final SubjectCriteria byName = new SubjectCriteria();
        byName.addFilterName(str);
        byName.setStrict(true);

        final PageList<Subject> matches = findSubjectsByCriteria(getOverlord(), byName);
        return matches.isEmpty() ? null : (Subject) matches.get(0);
    }

    /**
     * Persists a new subject without creating a password principal.
     *
     * <p>Roles, LDAP roles and owned groups supplied on {@code subject2} are discarded before the
     * subject is persisted, so membership cannot be granted through this call. A user
     * configuration, if present, is merged first and the managed copy is attached.</p>
     *
     * @param subject  the caller; the method is annotated to require {@code MANAGE_SECURITY}
     * @param subject2 the subject to create
     * @return {@code subject2} after it has been persisted
     * @throws EntityExistsException if a subject with that name already exists
     * @throws SubjectException      if {@code subject2} is flagged as a system subject
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public Subject createSubject(Subject subject, Subject subject2) throws SubjectException {
        final Subject existing = getSubjectByName(subject2.getName());
        if (existing != null) {
            throw new EntityExistsException("A user named [" + subject2.getName() + "] already exists.");
        }
        if (subject2.getFsystem()) {
            throw new SubjectException("Cannot create new system subjects: " + subject2.getName());
        }

        // Never trust membership sent by the caller for a brand-new subject.
        subject2.setRoles((Set) null);
        subject2.setLdapRoles((Set) null);
        subject2.setOwnedGroups((List) null);

        final Configuration preferences = subject2.getUserConfiguration();
        if (preferences != null) {
            final Configuration managedPreferences = (Configuration) this.entityManager.merge(preferences);
            subject2.setUserConfiguration(managedPreferences);
        }

        this.entityManager.persist(subject2);
        return subject2;
    }

    /**
     * Loads a subject by primary key. No authorization check is performed here.
     *
     * @param i the subject id
     * @return the subject, or {@code null} if the entity manager finds none
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject getSubjectById(int i) {
        final Integer key = Integer.valueOf(i);
        return this.entityManager.find(Subject.class, key);
    }

    /**
     * Authenticates a username/password pair and registers a session for the subject.
     *
     * <p>Credentials are verified first; only afterwards is the subject looked up, so the
     * "account disabled" message is only reachable with valid credentials. If authentication
     * succeeded but no subject row exists, the user is assumed to be LDAP-authenticated: when LDAP
     * authentication is enabled a transient subject with id {@code 0} is put into the session,
     * otherwise the state is treated as invalid.</p>
     *
     * @param str  the username
     * @param str2 the clear-text password; must not be {@code null}
     * @return the subject as returned by the session manager
     * @throws LoginException        if no password was given, authentication fails or the account
     *                               is disabled
     * @throws IllegalStateException if authentication succeeded, no subject exists and LDAP
     *                               authentication is not enabled
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public Subject login(String str, String str2) throws LoginException {
        if (str2 == null) {
            throw new LoginException("No password was given");
        }
        _checkAuthentication(str, str2);

        Subject authenticated = getSubjectByName(str);
        if (authenticated == null) {
            if (!isLdapAuthenticationEnabled()) {
                throw new IllegalStateException("Somehow you authenticated with a principal that has no associated subject. Your account is invalid.");
            }
            // Placeholder for an LDAP user that has not been registered yet; id 0 marks it as such.
            authenticated = new Subject();
            authenticated.setId(0);
            authenticated.setName(str);
            authenticated.setFactive(true);
            authenticated.setFsystem(false);
        } else {
            if (!authenticated.getFactive()) {
                throw new LoginException("User account has been disabled.");
            }
            // Result unused; presumably forces the roles collection to load before the subject is cached.
            authenticated.getRoles().size();
        }
        return this.sessionManager.put(authenticated);
    }

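    /**
     * Verifies a username/password pair without creating a session.
     *
     * <p>A {@code null} password is treated as a failed check and yields {@code null}, matching
     * how {@link #login(String, String)} refuses a missing password; previously it caused a
     * {@link NullPointerException}.</p>
     *
     * <p>Callers should note two things that are visible in this method: a {@code null} result
     * can also mean "authenticated, but no subject row exists" (the lookup result is returned as
     * is), and, unlike {@code login}, the subject's active flag is not checked here.</p>
     *
     * @param str  the username
     * @param str2 the clear-text password
     * @return the subject with that name, or {@code null} if authentication failed or no subject
     *         exists
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject checkAuthentication(String str, String str2) {
        if (str2 == null) {
            return null;
        }
        try {
            _checkAuthentication(str, str2);
            return getSubjectByName(str);
        } catch (LoginException e) {
            // Failure is reported as null by contract; the reason is intentionally not exposed.
            return null;
        }
    }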

    /**
     * Runs a JAAS login against the RHQ user security domain and logs out again immediately; the
     * call is used purely to verify the credentials.
     *
     * <p>After a successful login the first principal of the JAAS subject is fetched and
     * discarded, which fails with a runtime exception if the login produced no principal.</p>
     *
     * <p>NOTE(review): the JAAS failure message is forwarded verbatim in the thrown exception.
     * Confirm that the configured login modules do not distinguish "unknown user" from "wrong
     * password" in that message.</p>
     *
     * @param str  the username
     * @param str2 the clear-text password; must not be {@code null}
     * @throws LoginException if the JAAS login fails
     */
    private void _checkAuthentication(String str, String str2) throws LoginException {
        try {
            final UsernamePasswordHandler credentials = new UsernamePasswordHandler(str, str2.toCharArray());
            final LoginContext jaasContext = new LoginContext(CustomJaasDeploymentServiceMBean.RHQ_USER_SECURITY_DOMAIN, credentials);
            jaasContext.login();
            jaasContext.getSubject().getPrincipals().iterator().next();
            jaasContext.logout();
        } catch (javax.security.auth.login.LoginException jaasFailure) {
            throw new LoginException(jaasFailure.getMessage());
        }
    }

    /**
     * Post-login processing for subjects that have no password principal, which this class treats
     * as LDAP-authenticated users.
     *
     * <p>For such a subject the method verifies that its session really belongs to it, registers
     * a subject row on first login (or switches to an existing account whose name differs only in
     * case), and, when LDAP authorization is configured, refreshes the roles derived from the
     * user's LDAP groups.</p>
     *
     * @param subject the subject returned by a previous login; {@code null} is returned unchanged
     * @param str     the clear-text password, needed to log in again after registration
     * @return the subject to continue with; after registration or a case-corrected login this is
     *         the subject of a new session
     * @throws LoginException if LDAP is not configured, the session is missing, timed out or does
     *                        not belong to the subject, or the repeated login fails
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject processSubjectForLdap(Subject subject, String str) throws LoginException {
        if (subject != null) {
            boolean isUserWithPrincipal = isUserWithPrincipal(subject.getName());
            this.log.debug("Processing subject '" + subject.getName() + "' for LDAP check, userHasPrincipal:" + isUserWithPrincipal);
            // Users with a Principal row authenticate against the database; nothing to do for them.
            if (isUserWithPrincipal) {
                return subject;
            }
            if (!isLdapAuthenticationEnabled()) {
                throw new LoginException("You are authenticated for LDAP, but LDAP is not configured.");
            }
            try {
                // The name stored for the session id must match the name on the subject that was
                // passed in; otherwise the caller is presenting a session that is not its own.
                // NOTE(review): a null session id fails here with a NullPointerException, which is
                // not one of the exceptions mapped to LoginException below.
                if (!subject.getName().equals(this.sessionManager.getSubject(subject.getSessionId().intValue()).getName())) {
                    throw new LoginException("User session not valid. Login to proceed.");
                }
                // Id 0 is what login() assigns to an authenticated user that has no subject row yet.
                if (subject.getId() == 0) {
                    // Strict but case-insensitive name lookup, without roles or configuration.
                    SubjectCriteria subjectCriteria = new SubjectCriteria();
                    subjectCriteria.setCaseSensitive(false);
                    subjectCriteria.setStrict(true);
                    subjectCriteria.fetchRoles(false);
                    subjectCriteria.fetchConfiguration(false);
                    subjectCriteria.addFilterName(subject.getName());
                    PageList<Subject> findSubjectsByCriteria = findSubjectsByCriteria(getOverlord(), subjectCriteria);
                    // NOTE(review): the exact-name case also takes the registration branch, where
                    // createSubject performs its own existence check; confirm that case is intended.
                    if (findSubjectsByCriteria.isEmpty() || ((Subject) findSubjectsByCriteria.get(0)).getName().equals(subject.getName())) {
                        // First login of this LDAP user: the row is created with the overlord as actor.
                        Subject overlord = getOverlord();
                        this.log.debug("registering new LDAP-authenticated subject [" + subject.getName() + "]");
                        createSubject(overlord, subject);
                        subject.setFactive(true);
                        // Drop the session of the placeholder subject and log in again so the session
                        // refers to the persisted subject.
                        logout(subject.getSessionId().intValue());
                        subject = login(subject.getName(), str);
                        prepopulateLdapFields(subject);
                        // The "isNewUser" flag is only set on the returned object; no persist or
                        // merge call follows it in this method.
                        Configuration configuration = new Configuration();
                        configuration.put(new PropertySimple("isNewUser", true));
                        subject.setUserConfiguration(configuration);
                    } else {
                        // An account exists whose name differs only in case: re-authenticate under
                        // the stored spelling instead of creating a second account.
                        Subject subject2 = (Subject) findSubjectsByCriteria.get(0);
                        this.log.info("Located existing ldap account with different case for [" + subject2.getName() + "]. Attempting to authenticate with that account instead.");
                        logout(subject.getSessionId().intValue());
                        subject = login(subject2.getName(), str);
                        this.log.debug("Logged in as [" + subject2.getName() + "] with session id [" + subject.getSessionId() + "]");
                    }
                }
                if (isLdapAuthorizationEnabled()) {
                    // Recompute the LDAP-derived roles from the groups the directory reports now.
                    ArrayList arrayList = new ArrayList(this.ldapManager.findAvailableGroupsFor(subject.getName()));
                    this.log.debug("Updating LDAP authorization data for user [" + subject.getName() + "] with LDAP groups [" + arrayList + "]...");
                    this.ldapManager.assignRolesToLdapSubject(subject.getId(), arrayList);
                }
            } catch (SessionNotFoundException e) {
                // Missing and timed-out sessions are reported with the same message.
                throw new LoginException("User session not valid. Login to proceed.");
            } catch (SessionTimeoutException e2) {
                throw new LoginException("User session not valid. Login to proceed.");
            }
        }
        return subject;
    }

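    /**
     * Invalidates the session of the given subject, but only if the session id it carries is
     * registered for a subject with the same name.
     *
     * <p>Logout is best effort and never throws: an unknown or expired session, a name mismatch
     * or a missing session id simply leaves nothing to invalidate. The reason is logged at debug
     * level instead of being dropped silently, so failed logouts can be diagnosed.</p>
     *
     * @param subject the subject whose session should be ended
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public void logout(Subject subject) {
        try {
            Subject sessionSubject = getSubjectByNameAndSessionId(subject.getName(), subject.getSessionId().intValue());
            this.sessionManager.invalidate(sessionSubject.getSessionId().intValue());
        } catch (Exception e) {
            // Deliberately swallowed; the session id is kept out of the log message.
            if (this.log.isDebugEnabled()) {
                this.log.debug("Ignoring failure during logout; no session was invalidated by this call: " + e);
            }
        }
    }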

    /**
     * Invalidates the session with the given id.
     *
     * <p>Unlike {@link #logout(Subject)} there is no check that the session belongs to a
     * particular user, so callers must only pass ids they have already validated.</p>
     *
     * @param i the session id to invalidate
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public void logout(int i) {
        final int sessionId = i;
        this.sessionManager.invalidate(sessionId);
    }

    /**
     * Hashes the password and stores a new principal for the given username.
     *
     * <p>SECURITY(review): the stored value is a single MD5 digest, base64-encoded, with no
     * per-user salt passed in. MD5 is a fast digest and is not suitable for password storage. The
     * format cannot be changed in this method alone: the stored hash has to match what the login
     * module of the security domain computes, which is not visible in this file, and existing
     * rows would need a migration.</p>
     *
     * @param subject the caller; the method is annotated to require {@code MANAGE_SECURITY}
     * @param str     the username of the new principal
     * @param str2    the clear-text password
     * @throws SubjectException if the principal cannot be persisted
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void createPrincipal(Subject subject, String str, String str2) throws SubjectException {
        final String passwordHash = CryptoUtil.createPasswordHash("MD5", "base64", (String) null, (String) null, str2);
        final Principal newPrincipal = new Principal(str, passwordHash);
        createPrincipal(subject, newPrincipal);
    }

    /**
     * Persists an already built principal.
     *
     * <p>NOTE(review): the failure message embeds {@code principal.toString()}. Confirm that the
     * string form of a principal does not include its password hash, since the message may end up
     * in logs or be returned to the caller.</p>
     *
     * @param subject   the caller; the method is annotated to require {@code MANAGE_SECURITY}
     * @param principal the principal to store
     * @throws SubjectException if persisting fails; the original exception is kept as the cause
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void createPrincipal(Subject subject, Principal principal) throws SubjectException {
        try {
            this.entityManager.persist(principal);
        } catch (Exception persistFailure) {
            final String message = "Failed to create " + principal + ".";
            throw new SubjectException(message, persistFailure);
        }
    }

    /**
     * Changes the password of the named user.
     *
     * <p>A caller may change its own password; changing anyone else's requires the global
     * {@code MANAGE_SECURITY} permission. The method has no parameter for the current password,
     * so a valid session alone is enough to set a new one, and no session is invalidated here
     * after the change.</p>
     *
     * @param subject the caller
     * @param str     the username whose password is changed
     * @param str2    the new clear-text password
     * @throws PermissionException if the caller targets another user without
     *                             {@code MANAGE_SECURITY}
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public void changePassword(Subject subject, String str, String str2) {
        final boolean changingOwnPassword = subject.getName().equals(str);
        if (!changingOwnPassword && !this.authorizationManager.hasGlobalPermission(subject, Permission.MANAGE_SECURITY)) {
            throw new PermissionException("You do not have permission to change the password for user [" + str + "]");
        }
        changePasswordInternal(str, str2);
    }

    /**
     * Replaces the stored password hash of the principal with the given username. Performs no
     * authorization; callers are responsible for that.
     *
     * <p>SECURITY(review): same scheme as {@code createPrincipal}: one MD5 digest, base64-encoded,
     * no salt passed in. The encoding name is spelled {@code "BASE64"} here and {@code "base64"}
     * there; presumably it is matched case-insensitively (confirm), otherwise the two paths would
     * store different formats.</p>
     *
     * @param str  the username of the principal; the lookup fails with the query's own exception
     *             if there is no such principal
     * @param str2 the new clear-text password
     */
    private void changePasswordInternal(String str, String str2) {
        final Query principalLookup = this.entityManager.createNamedQuery("Principal.findByUsername");
        principalLookup.setParameter("principal", str);
        final Principal stored = (Principal) principalLookup.getSingleResult();

        final String passwordHash = CryptoUtil.createPasswordHash("MD5", "BASE64", (String) null, (String) null, str2);
        stored.setPassword(passwordHash);
    }

    /**
     * Tells whether a password principal exists for the username. Elsewhere in this class a user
     * without one is treated as an LDAP user.
     *
     * @param str the username
     * @return {@code true} if the named query returns a principal, {@code false} if it reports no
     *         result
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public boolean isUserWithPrincipal(String str) {
        try {
            final Query principalLookup = this.entityManager.createNamedQuery("Principal.findByUsername");
            principalLookup.setParameter("principal", str);
            final Principal found = (Principal) principalLookup.getSingleResult();
            return found != null;
        } catch (NoResultException noSuchPrincipal) {
            return false;
        }
    }

    /**
     * Lists the usernames of all stored principals. No authorization check is performed here.
     *
     * @return the principal names, in the order the named query returned them
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Collection<String> findAllUsersWithPrincipals() {
        final List principals = this.entityManager.createNamedQuery("Principal.findAllUsers").getResultList();
        final List<String> usernames = new ArrayList<String>();
        for (Object row : principals) {
            usernames.add(((Principal) row).getPrincipal());
        }
        return usernames;
    }

    /**
     * Creates a session for a user without verifying any credential.
     *
     * <p>SECURITY(review): this method trusts its caller completely. The literal name
     * {@code "admin"} yields the overlord subject, and any other existing, active user gets a
     * session with a timeout value of 120000 passed to the session manager. It is declared on the
     * local interface only; it must never be reachable with a caller-controlled username from an
     * unauthenticated entry point.</p>
     *
     * @param str the username to create a session for
     * @return the overlord for {@code "admin"}, otherwise the subject returned by the session
     *         manager
     * @throws LoginException if the user does not exist or is disabled
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject loginUnauthenticated(String str) throws LoginException {
        if ("admin".equals(str)) {
            return getOverlord();
        }

        final Subject account = getSubjectByName(str);
        if (account == null) {
            throw new LoginException("User account does not exist. [" + str + "]");
        }
        if (!account.getFactive()) {
            throw new LoginException("User account has been disabled. [" + str + "]");
        }
        return this.sessionManager.put(account, 120000L);
    }

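    /**
     * Deletes the subjects with the given ids together with the data that hangs off them: role
     * membership, password principal, owned resource groups, saved searches, alert notification
     * references and repo ownership.
     *
     * <p>A caller cannot delete itself, and system superusers cannot be deleted. An id that does
     * not resolve to a subject is now rejected with an {@link IllegalArgumentException}; before,
     * it failed with a {@link NullPointerException}.</p>
     *
     * <p>Deleting the owned resource groups is best effort: a failure there is logged and the
     * subject is still removed.</p>
     *
     * @param subject the caller; the method is annotated to require {@code MANAGE_SECURITY}
     * @param iArr    ids of the subjects to delete
     * @throws PermissionException      if the caller tries to delete itself or a system superuser
     * @throws IllegalArgumentException if an id does not belong to an existing subject
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public void deleteUsers(Subject subject, int[] iArr) {
        for (int subjectId : iArr) {
            Subject doomed = getSubjectById(subjectId);
            if (doomed == null) {
                throw new IllegalArgumentException("No user exists with id [" + subjectId + "].");
            }
            if (subject.getName().equals(doomed.getName())) {
                throw new PermissionException("You cannot remove yourself: " + doomed.getName());
            }
            if (this.authorizationManager.isSystemSuperuser(doomed)) {
                throw new PermissionException("You cannot delete a system root user - they must always exist");
            }

            // Detach the subject from its roles; the old set is iterated after it has been replaced
            // on the subject, so the loop works on a collection that is no longer attached to it.
            Set roles = doomed.getRoles();
            doomed.setRoles(new HashSet());
            for (Object role : roles) {
                ((Role) role).removeSubject(doomed);
            }

            if (isUserWithPrincipal(doomed.getName())) {
                deletePrincipal(doomed);
            }

            List ownedGroups = doomed.getOwnedGroups();
            if (ownedGroups != null && !ownedGroups.isEmpty()) {
                int[] groupIds = new int[ownedGroups.size()];
                for (int g = 0; g < groupIds.length; g++) {
                    groupIds[g] = ((ResourceGroup) ownedGroups.get(g)).getId();
                }
                try {
                    this.resourceGroupManager.deleteResourceGroups(subject, groupIds);
                } catch (Throwable th) {
                    // Best effort: keep deleting the user; the stack trace is only logged at debug level.
                    if (this.log.isDebugEnabled()) {
                        this.log.error("Error deleting owned group " + Arrays.toString(groupIds), th);
                    } else {
                        this.log.error("Error deleting owned group " + Arrays.toString(groupIds) + ": " + th.getMessage());
                    }
                }
            }

            SavedSearchCriteria savedSearchCriteria = new SavedSearchCriteria();
            savedSearchCriteria.addFilterSubjectId(Integer.valueOf(subjectId));
            savedSearchCriteria.clearPaging();
            for (Object savedSearch : this.savedSearchManager.findSavedSearchesByCriteria(subject, savedSearchCriteria)) {
                this.savedSearchManager.deleteSavedSearch(subject, ((SavedSearch) savedSearch).getId().intValue());
            }

            this.alertNotificationManager.cleanseAlertNotificationBySubject(doomed.getId());
            this.repoManager.removeOwnershipOfSubject(doomed.getId());
            this.entityManager.remove(doomed);
        }
    }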

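    /**
     * Remote-facing alias of {@link #deleteUsers(Subject, int[])}.
     *
     * <p>This method carries no {@code @RequiredPermission} in this listing, and the
     * {@code deleteUsers} call below is a direct call on {@code this}. Container interceptors run
     * only for calls made through the bean proxy, so the annotation on {@code deleteUsers} is
     * presumably not evaluated on this path. The permission is therefore checked explicitly here,
     * in the same way {@code changePassword} checks it. The check is redundant but harmless if the
     * container already enforces it.</p>
     *
     * @param subject the caller; must be a system superuser or hold {@code MANAGE_SECURITY}
     * @param iArr    ids of the subjects to delete
     * @throws PermissionException if the caller lacks the permission, or for the reasons
     *                             documented on {@code deleteUsers}
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public void deleteSubjects(Subject subject, int[] iArr) {
        boolean mayManageSecurity = this.authorizationManager.isSystemSuperuser(subject)
            || this.authorizationManager.hasGlobalPermission(subject, Permission.MANAGE_SECURITY);
        if (!mayManageSecurity) {
            throw new PermissionException("You [" + subject.getName() + "] do not have permission to delete users.");
        }
        deleteUsers(subject, iArr);
    }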

    /**
     * Removes the password principal that belongs to the given subject's username.
     *
     * @param subject the subject whose principal is removed
     * @throws PermissionException if the subject is a system superuser, whose principal must stay
     */
    private void deletePrincipal(Subject subject) throws PermissionException {
        final boolean protectedAccount = this.authorizationManager.isSystemSuperuser(subject);
        if (protectedAccount) {
            throw new PermissionException("You cannot delete the principal for the root user [" + subject.getName() + "]");
        }

        final Query principalLookup = this.entityManager.createNamedQuery("Principal.findByUsername");
        principalLookup.setParameter("principal", subject.getName());
        final Principal stored = (Principal) principalLookup.getSingleResult();
        this.entityManager.remove(stored);
    }

    /**
     * Resolves a session id to the subject stored for it in the session manager.
     *
     * <p>The session id is the only input, so whoever knows a valid id obtains the subject;
     * callers that also know the expected username should prefer
     * {@link #getSubjectByNameAndSessionId(String, int)}.</p>
     *
     * @param i the session id
     * @return the subject registered for that session
     * @throws Exception whatever the session manager throws for an unknown or expired session
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    public Subject getSubjectBySessionId(int i) throws Exception {
        final Subject sessionSubject = this.sessionManager.getSubject(i);
        return sessionSubject;
    }

    /**
     * Resolves a session id to its subject and verifies that the session belongs to the given
     * username.
     *
     * @param str the username the session is expected to belong to; must not be {@code null}
     * @param i   the session id
     * @return the subject registered for that session
     * @throws SessionNotFoundException if the session's subject has a different name
     * @throws Exception                whatever the session lookup throws for an unknown or
     *                                  expired session
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public Subject getSubjectByNameAndSessionId(String str, int i) throws Exception {
        final Subject sessionSubject = getSubjectBySessionId(i);
        if (!str.equals(sessionSubject.getName())) {
            // A name mismatch is reported exactly like a missing session.
            throw new SessionNotFoundException();
        }
        return sessionSubject;
    }

    /**
     * Checks that a session id is registered for a subject with the given name and id.
     *
     * <p>Any failure while resolving or comparing (unknown or expired session, {@code null}
     * username, ...) counts as "not valid"; the method never throws.</p>
     *
     * @param i   the session id
     * @param str the expected username
     * @param i2  the expected subject id
     * @return {@code true} only if the session exists and both name and id match
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @ExcludeDefaultInterceptors
    public boolean isValidSessionId(int i, String str, int i2) {
        try {
            final Subject sessionSubject = this.sessionManager.getSubject(i);
            return str.equals(sessionSubject.getName()) && i2 == sessionSubject.getId();
        } catch (Exception lookupFailure) {
            // Fail closed: a session that cannot be resolved is not a valid session.
            return false;
        }
    }

    /**
     * Pages through the subjects the named queries report as available for the given role,
     * optionally leaving out a list of subject ids.
     *
     * <p>All values are bound as named query parameters. The default ordering field is
     * {@code s.name}; any other ordering comes from {@code pageControl} and is applied by
     * {@code PersistenceUtility.createQueryWithOrderBy}, which is not visible here.</p>
     *
     * @param subject     the caller; the method is annotated to require {@code MANAGE_SECURITY}
     * @param num         the role id
     * @param numArr      subject ids to leave out; {@code null} or empty means none
     * @param pageControl paging and ordering; its default ordering field is initialized here
     * @return one page of subjects with the total count from the count query
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal
    @RequiredPermission(Permission.MANAGE_SECURITY)
    public PageList<Subject> findAvailableSubjectsForRole(Subject subject, Integer num, Integer[] numArr, PageControl pageControl) {
        pageControl.initDefaultOrderingField("s.name");

        final boolean hasExcludes = !(numArr == null || numArr.length == 0);
        final String queryName;
        if (hasExcludes) {
            queryName = "Subject.findAvailableSubjectsForRoleWithExcludes";
        } else {
            queryName = "Subject.findAvailableSubjectsForRole";
        }

        final Query countQuery = PersistenceUtility.createCountQuery(this.entityManager, queryName, "distinct s");
        final Query pageQuery = PersistenceUtility.createQueryWithOrderBy(this.entityManager, queryName, pageControl);
        countQuery.setParameter("roleId", num);
        pageQuery.setParameter("roleId", num);
        if (hasExcludes) {
            final List excludedIds = Arrays.asList(numArr);
            countQuery.setParameter("excludes", excludedIds);
            pageQuery.setParameter("excludes", excludedIds);
        }

        final long total = ((Long) countQuery.getSingleResult()).longValue();
        final List page = pageQuery.getResultList();
        for (Object candidate : page) {
            // Result unused; presumably forces each subject's roles to load before the page is returned.
            ((Subject) candidate).getRoles().size();
        }
        return new PageList<>(page, (int) total, pageControl);
    }

    /**
     * Runs a criteria query for subjects and restricts what the caller gets to see.
     *
     * <p>System superusers and callers with the global {@code MANAGE_SECURITY} or
     * {@code VIEW_USERS} permission receive the query result unchanged. Every other caller
     * receives at most its own subject. The restriction is applied to the page that was fetched,
     * so a caller whose own row is not on that page gets an empty list.</p>
     *
     * @param subject         the caller
     * @param subjectCriteria the criteria to run
     * @return the (possibly reduced) result page
     */
    @Override // org.rhq.enterprise.server.auth.SubjectManagerLocal, org.rhq.enterprise.server.auth.SubjectManagerRemote
    public PageList<Subject> findSubjectsByCriteria(Subject subject, SubjectCriteria subjectCriteria) {
        final CriteriaQueryGenerator generator = new CriteriaQueryGenerator(subject, subjectCriteria);
        final PageList<Subject> results = new CriteriaQueryRunner(subjectCriteria, generator, this.entityManager).execute();

        final boolean maySeeOtherUsers = this.authorizationManager.isSystemSuperuser(subject)
            || this.authorizationManager.hasGlobalPermission(subject, Permission.MANAGE_SECURITY)
            || this.authorizationManager.hasGlobalPermission(subject, Permission.VIEW_USERS);
        if (maySeeOtherUsers) {
            return results;
        }

        if (!results.contains(subject)) {
            results.clear();
        } else {
            // Keep the instance that came from the query rather than the caller's own object.
            final Subject self = (Subject) results.get(results.indexOf(subject));
            results.clear();
            results.add(self);
        }
        results.setTotalSize(results.size());
        return results;
    }

    /**
     * Reads the {@code LDAP_BASED_JAAS_PROVIDER} system setting from the unmasked settings.
     *
     * @return {@code true} only if the setting is present and parses as boolean {@code true}
     */
    private boolean isLdapAuthenticationEnabled() {
        final String ldapProviderFlag = (String) this.systemManager.getUnmaskedSystemSettings(true).get(SystemSetting.LDAP_BASED_JAAS_PROVIDER);
        return ldapProviderFlag != null && Boolean.parseBoolean(ldapProviderFlag);
    }

    /**
     * Tells whether LDAP group lookup is configured: either the {@code LDAP_GROUP_FILTER} or the
     * {@code LDAP_GROUP_MEMBER} system setting has a non-blank value.
     *
     * @return {@code true} if at least one of the two settings is set to non-whitespace text
     */
    private boolean isLdapAuthorizationEnabled() {
        final SystemSettings settings = this.systemManager.getUnmaskedSystemSettings(true);
        final String groupFilter = (String) settings.get(SystemSetting.LDAP_GROUP_FILTER);
        final String groupMember = (String) settings.get(SystemSetting.LDAP_GROUP_MEMBER);

        if (groupFilter != null && groupFilter.trim().length() > 0) {
            return true;
        }
        return groupMember != null && groupMember.trim().length() > 0;
    }

    /**
     * Copies name, phone, e-mail and department from the user's LDAP details onto the subject.
     * For each field the first attribute name is preferred and the second is the fallback. The
     * values come from the directory and are stored as received.
     *
     * @param subject the subject to fill in; its name selects the LDAP entry
     */
    private void prepopulateLdapFields(Subject subject) {
        final Map<String, String> details = this.ldapManager.findLdapUserDetails(subject.getName());

        final String givenName = details.get("givenName");
        subject.setFirstName(givenName != null ? givenName : details.get("gn"));

        final String surname = details.get("sn");
        subject.setLastName(surname != null ? surname : details.get("surname"));

        subject.setPhoneNumber(details.get("telephoneNumber"));

        final String mail = details.get("mail");
        subject.setEmailAddress(mail != null ? mail : details.get("rfc822Mailbox"));

        final String orgUnit = details.get("ou");
        subject.setDepartment(orgUnit != null ? orgUnit : details.get("organizationalUnitName"));
    }
}
