package si.irm.mm.ejb.user;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.chrono.ChronoLocalDate;
import java.util.Base64;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ejb.EJB;
import javax.ejb.LocalBean;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TemporalType;
import javax.persistence.TypedQuery;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jsoup.nodes.DocumentType;
import si.irm.common.enums.YesNoKey;
import si.irm.common.messages.Translations;
import si.irm.common.utils.DateUtils;
import si.irm.common.utils.Logger;
import si.irm.common.utils.NumberUtils;
import si.irm.common.utils.StringUtils;
import si.irm.common.utils.Utils;
import si.irm.mm.ejb.SettingsEJBLocal;
import si.irm.mm.ejb.util.UtilsEJBLocal;
import si.irm.mm.entities.RestApiClient;
import si.irm.mm.enums.SNastavitveNaziv;
import si.irm.mm.exceptions.CheckException;
import si.irm.mm.messages.TransKey;
import si.irm.mm.util.CommonUtils;
import si.irm.mm.util.QueryUtils;
import si.irm.mm.utils.data.MarinaProxy;

@LocalBean
@Stateless
/* loaded from: input_file:MarinaMaster.jar:si/irm/mm/ejb/user/RestApiClientEJB.class */
public class RestApiClientEJB implements RestApiClientEJBLocal {
    public static final String JWT_ISSUER = "marina-master.com";
    public static final String JWT_CLAIM_APP_CODE = "appcode";
    public static final String JWT_CLAIM_ID = "id";
    public static final String JWT_CLAIM_CLIENT_ID = "clientid";
    public static final String JWT_KEYID = "marina-master";
    public static final String ALGORITHM_IDENTIFIER = "RS512";
    private static final String RSA_ALGORITHM = "RSA";
    private static final int MIN_KEY_SIZE = 1024;
    private static final int DEFAULT_KEY_SIZE = 2048;
    private static final String KEY_FILENAME = "at_key.pem";
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    private static final Base64.Encoder BASE64_ENCODER = Base64.getUrlEncoder().withoutPadding();
    private static final int MIN_CLIENT_ID_LENGTH = 20;
    private static final int MIN_CLIENT_SECRET_LENGTH = 40;
    private static final int EXPIRATION_TIME_HOURS = 1;

    @PersistenceContext
    private EntityManager em;

    @EJB
    private UtilsEJBLocal utilsEJB;

    @EJB
    private SettingsEJBLocal settingsEJB;

    /* loaded from: input_file:MarinaMaster.jar:si/irm/mm/ejb/user/RestApiClientEJB$TokenResponse.class */
    /** Pairs a serialized token with the timestamp after which it is no longer accepted. */
    public static class TokenResponse {
        // Both values are assigned once in the constructor and only read afterwards.
        private String token;
        private LocalDateTime expiresOn;

        /**
         * @param str the serialized token to hand back to the caller
         * @param localDateTime the expiry timestamp that belongs to that token
         */
        public TokenResponse(String str, LocalDateTime localDateTime) {
            token = str;
            expiresOn = localDateTime;
        }

        /** @return the expiry timestamp given at construction */
        public LocalDateTime getExpiresOn() {
            return expiresOn;
        }

        /** @return the serialized token given at construction */
        public String getToken() {
            return token;
        }
    }

    /**
     * Reports whether the token can be resolved to a REST API client.
     *
     * @param str the compact-serialized token presented by the caller
     * @return {@code true} when {@code getRestApiClientFromJWT} yields a client, {@code false} otherwise
     */
    @Override // si.irm.mm.ejb.user.RestApiClientEJBLocal
    public boolean isValidJWT(String str) {
        RestApiClient tokenOwner = getRestApiClientFromJWT(str);
        return tokenOwner != null;
    }

    /**
     * Resolves a token to its client record and fails closed: any exception raised while loading
     * the key, decrypting the token or checking its claims is logged and reported as {@code null}.
     *
     * @param str the compact-serialized token
     * @return the matching client, or {@code null} when the token is rejected for any reason
     */
    private RestApiClient getRestApiClientFromJWT(String str) {
        try {
            // loadKeyPair(false): never create a key while validating, only use an existing one.
            PrivateKey decryptionKey = loadKeyPair(false).getPrivate();
            JwtClaims claims = verifyAndDecodeJWT(str, decryptionKey);
            return validateClaimsAndGetRestApiClient(claims);
        } catch (Exception e) {
            Logger.error("getRestApiClientFromJWT", CommonUtils.getFirstNonEmptyExceptionMessage(e), e);
            return null;
        }
    }

    /**
     * Maps decoded claims to the client record they refer to.
     *
     * <p>The issuer must be this service, the {@code id} claim must parse as a number, the
     * referenced client must exist and be active, and the remaining claims must match the stored
     * record. Every rejection is logged and reported as {@code null}.
     *
     * @param jwtClaims claims taken from the decrypted token
     * @return the client the token belongs to, or {@code null} when any check fails
     * @throws Exception when a claim cannot be read in the expected form
     */
    private RestApiClient validateClaimsAndGetRestApiClient(JwtClaims jwtClaims) throws Exception {
        final String logTag = "validateClaimsAndGetRestApiClient";

        if (!"marina-master.com".equals(jwtClaims.getIssuer())) {
            Logger.error(logTag, "Invalid issuer: " + jwtClaims.getIssuer());
            return null;
        }

        Long clientPk = NumberUtils.getLongFromStringOrNull(jwtClaims.getClaimValueAsString("id"));
        if (clientPk == null) {
            Logger.error(logTag, "Invalid id: " + jwtClaims.getClaimValueAsString("id"));
            return null;
        }

        RestApiClient client = (RestApiClient) this.utilsEJB.findEntity(RestApiClient.class, clientPk);
        if (client == null) {
            Logger.error(logTag, "REST API Client not found, id: " + clientPk);
            return null;
        }
        if (!YesNoKey.isEngYes(client.getActive())) {
            Logger.error(logTag, "REST API CLient is not active, id: " + clientPk);
            return null;
        }

        // Only an existing, active client gets its remaining claims compared with the stored data.
        return claimsValidForRestApiClient(client, jwtClaims) ? client : null;
    }

    /* JADX WARN: Type inference failed for: r1v11, types: [java.time.ZonedDateTime] */
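    /**
     * Compares the token's claims with the stored client record and enforces the token lifetime.
     *
     * <p>Subject, client id and not-before must equal the stored client name, client id and
     * valid-from value. The token is rejected while today is before the client's valid-from date
     * and once its expiration time has been reached.
     *
     * <p>Expiry is checked against the current instant. The earlier comparison against 23:59:59
     * of the current day accepted every token whose expiry lay in the past and rejected only
     * tokens expiring after midnight, so an issued token never stopped being accepted.
     *
     * @param restApiClient the stored client the token claims to belong to
     * @param jwtClaims claims taken from the decrypted token
     * @return {@code true} when every claim matches and the token is inside its lifetime
     * @throws Exception when a claim cannot be read in the expected form
     */
    private boolean claimsValidForRestApiClient(RestApiClient restApiClient, JwtClaims jwtClaims) throws Exception {
        String logTag = "claimsValidForRestApiClient id = " + restApiClient.getId();

        if (!restApiClient.getClientName().equals(jwtClaims.getSubject())) {
            Logger.error(logTag, "Subject mismatch: " + jwtClaims.getSubject());
            return false;
        }
        if (!restApiClient.getClientId().equals(jwtClaims.getClaimValue(JWT_CLAIM_CLIENT_ID))) {
            Logger.error(logTag, "ClientId mismatch: " + jwtClaims.getClaimValue(JWT_CLAIM_CLIENT_ID));
            return false;
        }
        if (!NumericDate.fromMilliseconds(restApiClient.getValidFrom().getTime()).equals(jwtClaims.getNotBefore())) {
            Logger.error(logTag, "Valid from mismatch: " + jwtClaims.getNotBefore());
            return false;
        }

        // The start of validity is compared at day granularity.
        LocalDate today = LocalDate.now();
        if (today.isBefore(DateUtils.convertDateToLocalDate(restApiClient.getValidFrom()))) {
            Logger.error(logTag, "Token is not valid yet: " + restApiClient.getValidFrom());
            return false;
        }

        NumericDate expiresAt = jwtClaims.getExpirationTime();
        if (expiresAt == null) {
            // A token without an expiry would otherwise be accepted indefinitely.
            Logger.error(logTag, "Token has no expiration time");
            return false;
        }
        if (!expiresAt.isAfter(NumericDate.now())) {
            Logger.error(logTag, "Token expired: " + new Date(expiresAt.getValueInMillis()));
            return false;
        }
        return true;
    }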

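    /**
     * Decrypts a compact-serialized JWE with the server's private key and parses its claims.
     *
     * <p>The key-management and content-encryption algorithms named in the token header are pinned
     * to RSA-OAEP-256 and A256GCM before any decryption is attempted, so a caller-chosen header
     * cannot steer the key into a different algorithm.
     *
     * <p>NOTE(review): despite the method name, no signature is verified here. Successful
     * decryption only shows that the sender held the RSA public key, so the public half of the key
     * pair has to be protected like a secret for these tokens to be unforgeable. The claims are
     * parsed without any lifetime validation; callers must check them.
     *
     * @param str the compact-serialized token
     * @param privateKey the RSA private key used for decryption
     * @return the claims contained in the decrypted payload
     * @throws SecurityException when the header names algorithms other than the pinned ones
     * @throws Exception when the token is malformed or cannot be decrypted
     */
    private JwtClaims verifyAndDecodeJWT(String str, PrivateKey privateKey) throws Exception {
        JsonWebEncryption jsonWebEncryption = new JsonWebEncryption();
        jsonWebEncryption.setCompactSerialization(str);

        String keyManagementAlg = jsonWebEncryption.getAlgorithmHeaderValue();
        String contentEncryptionAlg = jsonWebEncryption.getEncryptionMethodHeaderParameter();
        boolean expectedAlgorithms = KeyManagementAlgorithmIdentifiers.RSA_OAEP_256.equals(keyManagementAlg)
                && ContentEncryptionAlgorithmIdentifiers.AES_256_GCM.equals(contentEncryptionAlg);
        if (!expectedAlgorithms) {
            // Header values are caller-controlled, so they are deliberately kept out of the message.
            throw new SecurityException("Token does not use the expected JWE algorithms");
        }

        jsonWebEncryption.setKey(privateKey);
        return JwtClaims.parse(jsonWebEncryption.getPayload());
    }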

    /**
     * Validates a client record and persists it, inserting new records and updating existing ones.
     *
     * <p>Defaults are applied first. Fresh credentials are generated for new records and whenever a
     * credential reset was requested, and this happens before validation so the generated values
     * are checked like any others.
     *
     * @param marinaProxy caller context passed on to validation messages and persistence
     * @param restApiClient the record to store
     * @throws CheckException when the record fails validation
     */
    @Override // si.irm.mm.ejb.user.RestApiClientEJBLocal
    public void checkAndInsertOrUpdateRestApiClient(MarinaProxy marinaProxy, RestApiClient restApiClient) throws CheckException {
        setDefaultRestApiClientValues(marinaProxy, restApiClient);

        boolean needsFreshCredentials = restApiClient.isNew() || restApiClient.getResetCredentials();
        if (needsFreshCredentials) {
            initCredentials(restApiClient);
        }

        checkRestApiClient(marinaProxy, restApiClient);

        if (!restApiClient.isNew()) {
            this.utilsEJB.updateEntity(marinaProxy, restApiClient);
            return;
        }
        this.utilsEJB.insertEntity(marinaProxy, restApiClient);
    }

    /**
     * Assigns a freshly generated client id and client secret to the record.
     *
     * <p>Both come from the class-level {@link SecureRandom} and are encoded as unpadded URL-safe
     * Base64: 16 random bytes give a 22-character id, 32 random bytes give a 43-character secret.
     *
     * @param restApiClient the record that receives the new credentials
     */
    private void initCredentials(RestApiClient restApiClient) {
        byte[] idEntropy = new byte[16];
        byte[] secretEntropy = new byte[32];

        SECURE_RANDOM.nextBytes(idEntropy);
        String clientId = BASE64_ENCODER.encodeToString(idEntropy);
        restApiClient.setClientId(clientId);

        SECURE_RANDOM.nextBytes(secretEntropy);
        String clientSecret = BASE64_ENCODER.encodeToString(secretEntropy);
        restApiClient.setClientSecret(clientSecret);
    }

    /**
     * Fills in defaults for values the caller left empty: a record without an active flag is
     * stored as inactive.
     *
     * @param marinaProxy caller context (not used by this method)
     * @param restApiClient the record to complete
     * @throws CheckException declared for callers; not thrown by this method
     */
    private void setDefaultRestApiClientValues(MarinaProxy marinaProxy, RestApiClient restApiClient) throws CheckException {
        boolean activeFlagMissing = StringUtils.isBlank(restApiClient.getActive());
        if (!activeFlagMissing) {
            return;
        }
        // Defaulting to "no" means a client must be switched on explicitly.
        restApiClient.setActive(YesNoKey.NO.engVal());
    }

    /**
     * Exchanges a client id and client secret for a token.
     *
     * @param str the client id
     * @param str2 the client secret
     * @return the issued token, or {@code null} when either value is blank, the client id does not
     *     resolve to a client, the client fails validation, or token generation fails
     */
    @Override // si.irm.mm.ejb.user.RestApiClientEJBLocal
    public TokenResponse getJWTTokenForUserCredentials(String str, String str2) {
        if (StringUtils.isBlank(str) || StringUtils.isBlank(str2)) {
            return null;
        }
        RestApiClient client = getRestApiClient(str);
        if (client == null) {
            return null;
        }
        // Every failure path returns the same null, so the response does not say which check failed.
        return isRestApiClientValid(client, str2) ? generateToken(client) : null;
    }

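    /**
     * Checks the presented secret and the client's state before a token is issued.
     *
     * <p>The secret is compared with {@link MessageDigest#isEqual} rather than
     * {@code String.equals}, so the time taken does not depend on how many leading characters of a
     * guess are correct. A client without a stored secret is rejected.
     *
     * <p>NOTE(review): the comparison is against the stored value itself, which suggests the
     * secret is persisted in clear text; confirm, and consider storing only a hash of it.
     *
     * @param restApiClient the client record found for the presented client id
     * @param str the client secret presented by the caller; must not be {@code null}
     * @return {@code true} when the secret matches, the client is active and today lies within the
     *     client's valid-from/valid-to range (both ends inclusive)
     */
    private boolean isRestApiClientValid(RestApiClient restApiClient, String str) {
        String storedSecret = restApiClient.getClientSecret();
        boolean secretMatches = storedSecret != null
                && MessageDigest.isEqual(str.getBytes(StandardCharsets.UTF_8), storedSecret.getBytes(StandardCharsets.UTF_8));
        if (!secretMatches) {
            Logger.error(getClass().getName(), "Client secret check failed.");
            return false;
        }
        if (!restApiClient.isClientActive()) {
            Logger.error(getClass().getName(), "Client inactive.");
            return false;
        }

        LocalDate today = LocalDate.now();
        LocalDate firstValidDay = DateUtils.convertDateToLocalDate(restApiClient.getValidFrom());
        LocalDate lastValidDay = DateUtils.convertDateToLocalDate(restApiClient.getValidTo());
        if (today.isBefore(firstValidDay) || today.isAfter(lastValidDay)) {
            Logger.error(getClass().getName(), "ValidFrom/ValidTo check failed.");
            return false;
        }
        return true;
    }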

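    /**
     * Looks up the client registered under the given client id.
     *
     * <p>An error is logged only when the lookup does not produce exactly one row: an unknown
     * client id, or more than one record sharing it. Previously the error was written for every
     * successful lookup as well, which buried the anomalous cases. The presented client id is
     * caller-controlled and is deliberately not written to the log.
     *
     * @param str the client id presented by the caller
     * @return the single matching client, or {@code null} when there is none or more than one
     */
    private RestApiClient getRestApiClient(String str) {
        List<RestApiClient> matches = this.em
                .createNamedQuery(RestApiClient.QUERY_NAME_GET_BY_CLIENT_ID, RestApiClient.class)
                .setParameter("clientId", str)
                .getResultList();
        if (matches.size() != 1) {
            Logger.error(getClass().getName(), "getRestApiClient: result count = " + matches.size());
            return null;
        }
        return matches.get(0);
    }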

    /* JADX WARN: Type inference failed for: r1v11, types: [java.time.ZonedDateTime] */
    /* JADX WARN: Type inference failed for: r1v3, types: [java.time.ZonedDateTime] */
    /**
     * Builds the claims for a client and returns them as an encrypted token (JWE).
     *
     * <p>The token expires one hour from now, or at the client's valid-to time when that comes
     * first. Not-before is the client's valid-from time. Local times are converted using the
     * server's default time zone.
     *
     * <p>NOTE(review): the token is encrypted with the RSA public key and carries no signature, so
     * whoever holds that public key can produce tokens this service will decrypt. The key file has
     * to be protected accordingly.
     *
     * @param restApiClient the client the token is issued to
     * @return the serialized token with its expiry, or {@code null} when key loading or encryption
     *     fails (the failure is logged)
     */
    private TokenResponse generateToken(RestApiClient restApiClient) {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer("marina-master.com");
        claims.setIssuedAtToNow();

        long notBeforeMillis = restApiClient.getValidFromTime().atZone(ZoneId.systemDefault()).toInstant().toEpochMilli();
        claims.setNotBefore(NumericDate.fromMilliseconds(notBeforeMillis));

        // Never let a token outlive the client's own validity window.
        LocalDateTime expiresOn = LocalDateTime.now().plusHours(1L);
        LocalDateTime clientValidTo = restApiClient.getValidToTime();
        if (expiresOn.isAfter(clientValidTo)) {
            expiresOn = clientValidTo;
        }
        long expiryMillis = expiresOn.atZone(ZoneId.systemDefault()).toInstant().toEpochMilli();
        claims.setExpirationTime(NumericDate.fromMilliseconds(expiryMillis));

        claims.setSubject(restApiClient.getClientName());
        claims.setClaim("appcode", restApiClient.getAppCode());
        claims.setClaim("id", restApiClient.getId());
        claims.setClaim(JWT_CLAIM_CLIENT_ID, restApiClient.getClientId());
        claims.setGeneratedJwtId();

        try {
            JsonWebEncryption jwe = new JsonWebEncryption();
            jwe.setPayload(claims.toJson());
            jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
            jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_256_GCM);
            // loadKeyPair(true): a key may be created on first use when the default location is used.
            jwe.setKey(loadKeyPair(true).getPublic());
            // NOTE(review): this switches off the library's own key checks, presumably so that keys
            // shorter than 2048 bits still work for encryption; confirm whether that is still needed.
            jwe.setDoKeyValidation(false);
            String serialized = jwe.getCompactSerialization();
            return new TokenResponse(serialized, expiresOn);
        } catch (Exception e) {
            Logger.error("generateToken", CommonUtils.getFirstNonEmptyExceptionMessage(e), e);
            return null;
        }
    }

    /**
     * Loads the RSA key pair used for tokens.
     *
     * <p>The file location comes from the {@code AT_KEY_FILE} setting. When that setting is blank
     * the file {@code at_key.pem} in the directory named by the {@code jboss.server.config.dir}
     * system property is used. A missing file is created only when {@code z} is {@code true} and
     * the default location is in use; an explicitly configured path is never written to.
     *
     * <p>NOTE(review): the existence check and the key generation are separate steps, so two
     * concurrent first calls could both generate a key; confirm whether that can happen in this
     * deployment.
     *
     * @param z whether a missing key file at the default location may be generated
     * @return the key pair read from the file
     * @throws CheckException when the file is missing and may not be generated
     * @throws Exception when the file cannot be read or parsed
     */
    private KeyPair loadKeyPair(boolean z) throws Exception {
        String keyFile = this.settingsEJB.getMarinaMarinaStringSetting(SNastavitveNaziv.AT_KEY_FILE);
        boolean usingDefaultLocation = keyFile == null || "".equals(keyFile.trim());
        if (usingDefaultLocation) {
            keyFile = String.valueOf(System.getProperty("jboss.server.config.dir")) + "/" + KEY_FILENAME;
        }

        if (Files.exists(Paths.get(keyFile))) {
            return loadKeyPairFromFile(keyFile);
        }

        boolean mayGenerate = z && usingDefaultLocation;
        if (mayGenerate) {
            generateNewKey(keyFile);
            return loadKeyPairFromFile(keyFile);
        }
        throw new CheckException(Translations.get(TransKey.ERROR_MFA_KEY_FILE_NOT_FOUND, keyFile));
    }

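    /**
     * Reads a PEM file that holds both a {@code PUBLIC KEY} (X.509) and a {@code PRIVATE KEY}
     * (PKCS#8) section and rebuilds the RSA key pair from them.
     *
     * <p>The file is decoded with an explicit charset instead of the platform default, and the
     * section label is written as the literal {@code "PUBLIC"} rather than borrowed from a constant
     * of the jsoup HTML library that merely has the same value.
     *
     * @param str path of the PEM file
     * @return the key pair stored in the file
     * @throws IOException when the file cannot be read or a section is missing
     * @throws Exception when a section does not contain a valid RSA key
     */
    private KeyPair loadKeyPairFromFile(String str) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(str)), StandardCharsets.UTF_8);

        byte[] publicDer = Base64.getDecoder().decode(extractKey(pem, "PUBLIC"));
        byte[] privateDer = Base64.getDecoder().decode(extractKey(pem, "PRIVATE"));

        KeyFactory rsaFactory = KeyFactory.getInstance("RSA");
        return new KeyPair(
                rsaFactory.generatePublic(new X509EncodedKeySpec(publicDer)),
                rsaFactory.generatePrivate(new PKCS8EncodedKeySpec(privateDer)));
    }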

    /**
     * Returns the Base64 body of one PEM section with all whitespace removed.
     *
     * @param str the full PEM text
     * @param str2 the section label, e.g. {@code PUBLIC} for {@code -----BEGIN PUBLIC KEY-----};
     *     it is inserted into a regular expression as-is, so only fixed labels should be passed
     * @return the section body without line breaks or other whitespace
     * @throws IOException when the text has no section with that label
     */
    private static String extractKey(String str, String str2) throws IOException {
        String header = "-----BEGIN " + str2 + " KEY-----";
        String footer = "-----END " + str2 + " KEY-----";
        // DOTALL lets the lazy group span the line breaks inside the section body.
        Matcher section = Pattern.compile(header + "(.*?)" + footer, Pattern.DOTALL).matcher(str);
        if (!section.find()) {
            throw new IOException("Invalid " + str2 + " Key Format in PEM file");
        }
        String body = section.group(1);
        return body.replaceAll("\\s", "");
    }

    /**
     * Generates a new RSA key pair and writes it to the given file.
     *
     * <p>The modulus size comes from the {@code AT_KEY_SIZE} setting. A missing value or one below
     * 1024 falls back to 2048 bits.
     *
     * <p>NOTE(review): values from 1024 up to 2047 are accepted as configured. RSA keys under 2048
     * bits are generally considered too weak for new deployments; consider raising the floor.
     *
     * @param str path of the key file to create
     * @throws Exception when key generation or writing the file fails
     */
    private void generateNewKey(String str) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");

        Integer configuredBits = this.settingsEJB.getMarinaMarinaIntegerSetting(SNastavitveNaziv.AT_KEY_SIZE);
        int keyBits = 2048;
        if (configuredBits != null && configuredBits.intValue() >= 1024) {
            keyBits = configuredBits.intValue();
        }

        generator.initialize(keyBits, new SecureRandom());
        KeyPair freshPair = generator.generateKeyPair();
        saveKeyPairToFile(freshPair, str);
    }

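    /**
     * Writes the key pair to a PEM file: a {@code PRIVATE KEY} section followed by a
     * {@code PUBLIC KEY} section, each holding the Base64 of the key's encoded form.
     *
     * <p>On file systems with POSIX permissions the file is created readable and writable by its
     * owner only before any key material is written. Previously the file got whatever permissions
     * the process default allowed, which can leave the private key readable by other local
     * accounts. An existing file is still overwritten, as before, and has its permissions
     * tightened first. On other file systems the write is unchanged and access has to be
     * restricted by other means.
     *
     * @param keyPair the key pair to store
     * @param str path of the file to write
     * @throws Exception when the file cannot be created or written
     */
    private void saveKeyPairToFile(KeyPair keyPair, String str) throws Exception {
        String pem = "-----BEGIN PRIVATE KEY-----\n"
                + Base64.getEncoder().encodeToString(keyPair.getPrivate().getEncoded())
                + "\n-----END PRIVATE KEY-----\n\n-----BEGIN PUBLIC KEY-----\n"
                + Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded())
                + "\n-----END PUBLIC KEY-----";

        Path target = Paths.get(str);
        if (target.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
            try {
                // Create the file with its final permissions so it is never briefly world-readable.
                Files.createFile(target, PosixFilePermissions.asFileAttribute(ownerOnly));
            } catch (FileAlreadyExistsException alreadyPresent) {
                Files.setPosixFilePermissions(target, ownerOnly);
            }
        }
        // The PEM text is pure ASCII; the charset is named so the bytes never depend on the platform.
        Files.write(target, pem.getBytes(StandardCharsets.UTF_8));
    }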

    /**
     * Validates a client record before it is stored.
     *
     * <p>Checks run in a fixed order and the first failure is reported: mandatory values (name,
     * application code, valid-from, valid-to), date order, active flag, presence and minimum
     * length of client id (20) and client secret (40), then uniqueness of the client id and of the
     * application code / client name pair.
     *
     * @param marinaProxy caller context used to translate the error messages
     * @param restApiClient the record to validate
     * @throws CheckException describing the first rule the record violates
     */
    private void checkRestApiClient(MarinaProxy marinaProxy, RestApiClient restApiClient) throws CheckException {
        // --- descriptive values ---
        if (StringUtils.isBlank(restApiClient.getClientName())) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.REST_API_CLIENT_NAME);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, fieldLabel));
        }
        if (StringUtils.isBlank(restApiClient.getAppCode())) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.APPLICATION_NS);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, fieldLabel));
        }

        // --- validity window ---
        if (restApiClient.getValidFrom() == null) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.VALID_FROM);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, fieldLabel));
        }
        if (restApiClient.getValidTo() == null) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.VALID_TO);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, fieldLabel));
        }
        if (restApiClient.getValidFrom().after(restApiClient.getValidTo())) {
            String lowerLabel = marinaProxy.getTranslation(TransKey.VALID_FROM);
            String upperLabel = marinaProxy.getTranslation(TransKey.VALID_TO);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_LOWER_THAN_ANOTHER_VALUE, lowerLabel, upperLabel));
        }

        if (StringUtils.isBlank(restApiClient.getActive())) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.ACTIVE_A_1SM);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, fieldLabel));
        }

        // --- credentials: present first, then long enough ---
        if (StringUtils.isBlank(restApiClient.getClientId())) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.REST_API_CLIENT_ID);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, fieldLabel));
        }
        if (StringUtils.isBlank(restApiClient.getClientSecret())) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.REST_API_CLIENT_SECRET);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_MUST_BE_INSERTED, fieldLabel));
        }
        String clientId = restApiClient.getClientId();
        if (clientId.length() < 20) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.REST_API_CLIENT_ID);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_IS_EMPTY_OR_IN_WRONG_FORMAT, fieldLabel));
        }
        String clientSecret = restApiClient.getClientSecret();
        if (clientSecret.length() < 40) {
            String fieldLabel = marinaProxy.getTranslation(TransKey.REST_API_CLIENT_SECRET);
            throw new CheckException(marinaProxy.getTranslation(TransKey.VALUE_IS_EMPTY_OR_IN_WRONG_FORMAT, fieldLabel));
        }

        // --- uniqueness (these hit the database, so they run last) ---
        if (getCountByClientId(restApiClient) > 0) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.ERROR_DUPLICATE_CLIENT_ID));
        }
        if (getCountByAppCodeAndClientName(restApiClient) > 0) {
            throw new CheckException(marinaProxy.getTranslation(TransKey.ERROR_DUPLICATE_APP_CLIENT_NAME));
        }
    }

    /**
     * Counts stored clients that share this record's client name and application code. For a
     * record that already exists, the record itself is excluded from the count.
     *
     * @param restApiClient the record being validated
     * @return the number of other matching records; 0 when the query yields no value
     */
    private long getCountByAppCodeAndClientName(RestApiClient restApiClient) {
        String jpql = "SELECT COUNT(r) FROM RestApiClient r WHERE r.clientName = :clientName AND r.appCode = :appCode";
        if (!restApiClient.isNew()) {
            jpql = jpql + " AND r.id <> :id";
        }

        // All values are bound as parameters; nothing from the record is spliced into the JPQL text.
        TypedQuery<Long> countQuery = this.em.createQuery(jpql, Long.class)
                .setParameter(RestApiClient.CLIENT_NAME, restApiClient.getClientName())
                .setParameter("appCode", restApiClient.getAppCode());
        if (!restApiClient.isNew()) {
            countQuery = countQuery.setParameter("id", restApiClient.getId());
        }

        Long matches = (Long) QueryUtils.getSingleResultOrNull(countQuery);
        return matches == null ? 0L : matches.longValue();
    }

    /**
     * Counts stored clients that use this record's client id. For a record that already exists,
     * the record itself is excluded from the count.
     *
     * @param restApiClient the record being validated
     * @return the number of other matching records; 0 when the query yields no value
     */
    private long getCountByClientId(RestApiClient restApiClient) {
        String jpql = "SELECT COUNT(r) FROM RestApiClient r WHERE r.clientId = :clientId";
        if (!restApiClient.isNew()) {
            jpql = jpql + " AND r.id <> :id";
        }

        // The client id is bound as a parameter rather than concatenated into the JPQL text.
        TypedQuery<Long> countQuery = this.em.createQuery(jpql, Long.class)
                .setParameter("clientId", restApiClient.getClientId());
        if (!restApiClient.isNew()) {
            countQuery = countQuery.setParameter("id", restApiClient.getId());
        }

        Long matches = (Long) QueryUtils.getSingleResultOrNull(countQuery);
        return matches == null ? 0L : matches.longValue();
    }

    /**
     * Counts the clients that match the filter values set on the given record.
     *
     * @param marinaProxy caller context, passed on to the query builder
     * @param restApiClient carrier of the filter values; empty values are not filtered on
     * @return the count, or {@code null} when the query yields no value
     */
    @Override // si.irm.mm.ejb.user.RestApiClientEJBLocal
    public Long getRestApiClientFilterResultsCount(MarinaProxy marinaProxy, RestApiClient restApiClient) {
        String countJpql = createQueryStringWithoutSortCondition(restApiClient, true);
        TypedQuery<Long> countQuery = setParametersAndReturnQuery(marinaProxy, Long.class, restApiClient, countJpql);
        return (Long) QueryUtils.getSingleResultOrNull(countQuery);
    }

    /**
     * Returns the clients that match the filter values set on the given record, sorted and paged.
     *
     * @param marinaProxy caller context, passed on to the query and sort builders
     * @param i first paging argument handed to {@code QueryUtils.getResultList}
     *     (presumably the offset of the first row; confirm)
     * @param i2 second paging argument handed to {@code QueryUtils.getResultList}
     *     (presumably the maximum number of rows; confirm)
     * @param restApiClient carrier of the filter values; empty values are not filtered on
     * @param linkedHashMap requested sort order, or {@code null}/empty for the default order
     * @return the matching clients
     */
    @Override // si.irm.mm.ejb.user.RestApiClientEJBLocal
    public List<RestApiClient> getRestApiClientFilterResultList(MarinaProxy marinaProxy, int i, int i2, RestApiClient restApiClient, LinkedHashMap<String, Boolean> linkedHashMap) {
        String filterJpql = createQueryStringWithoutSortCondition(restApiClient, false);
        String jpql = filterJpql + getSortCriteria(marinaProxy, "R", linkedHashMap);
        TypedQuery<RestApiClient> listQuery = setParametersAndReturnQuery(marinaProxy, RestApiClient.class, restApiClient, jpql);
        return QueryUtils.getResultList(listQuery, i, i2);
    }

    /**
     * Builds the sort clause for client queries. Without a requested order the result is sorted
     * by client name.
     *
     * <p>NOTE(review): the keys of {@code linkedHashMap} are handed to
     * {@code QueryUtils.createSortCriteria} and presumably end up in the query text; confirm they
     * are always property names chosen by the application and never raw request input.
     *
     * @param marinaProxy caller context (not used by this method)
     * @param str alias of the entity in the query the clause is appended to
     * @param linkedHashMap requested sort order, or {@code null}/empty for the default
     * @return the sort clause produced by {@code QueryUtils.createSortCriteria}
     */
    public String getSortCriteria(MarinaProxy marinaProxy, String str, LinkedHashMap<String, Boolean> linkedHashMap) {
        LinkedHashMap<String, Boolean> effectiveOrder = linkedHashMap;
        if (Utils.isNullOrEmpty(linkedHashMap)) {
            effectiveOrder = new LinkedHashMap<>();
            effectiveOrder.put(RestApiClient.CLIENT_NAME, true);
        }
        return QueryUtils.createSortCriteria(str, "id", effectiveOrder);
    }

    /**
     * Creates the query for the given JPQL text and binds one parameter per filter value that is
     * set. The conditions used here must stay in step with the ones that add the corresponding
     * placeholders in {@code createQueryStringWithoutSortCondition}.
     *
     * @param marinaProxy caller context (not used by this method)
     * @param cls result type of the query
     * @param restApiClient carrier of the filter values
     * @param str the JPQL text containing the placeholders
     * @param <T> result type of the query
     * @return the query with all applicable parameters bound
     */
    private <T> TypedQuery<T> setParametersAndReturnQuery(MarinaProxy marinaProxy, Class<T> cls, RestApiClient restApiClient, String str) {
        TypedQuery<T> query = this.em.createQuery(str, cls);

        boolean filterByAppCode = !StringUtils.isBlank(restApiClient.getAppCode());
        if (filterByAppCode) {
            query.setParameter("appCode", restApiClient.getAppCode());
        }

        boolean filterByClientName = !StringUtils.isBlank(restApiClient.getClientName());
        if (filterByClientName) {
            query.setParameter("nuser", restApiClient.getClientName());
        }

        // Date filters are bound with day precision.
        if (restApiClient.getValidFrom() != null) {
            query.setParameter("validFrom", restApiClient.getValidFrom(), TemporalType.DATE);
        }
        if (restApiClient.getValidTo() != null) {
            query.setParameter("validTo", restApiClient.getValidTo(), TemporalType.DATE);
        }

        boolean filterByActive = StringUtils.getBoolFromStr(restApiClient.getActive(), true);
        if (filterByActive) {
            query.setParameter("active", restApiClient.getActive());
        }
        return query;
    }

    /**
     * Builds the JPQL text for the client filter, without an ORDER BY clause. Only placeholders
     * are emitted; the values are bound separately, so no filter value becomes part of the text.
     *
     * <p>NOTE(review): the client-name condition filters on {@code R.nuser}, while the other
     * queries in this class use {@code clientName} for the same value; confirm that the entity
     * really has an {@code nuser} attribute.
     *
     * @param restApiClient carrier of the filter values; each value that is set adds a condition
     * @param z {@code true} for a COUNT query, {@code false} to select the entities
     * @return the JPQL text
     */
    private String createQueryStringWithoutSortCondition(RestApiClient restApiClient, boolean z) {
        StringBuilder jpql = new StringBuilder(z ? "SELECT COUNT(R) FROM RestApiClient R " : "SELECT R FROM RestApiClient R ");

        // The first condition is introduced by WHERE, every later one by AND.
        boolean hasCondition = false;
        if (!StringUtils.isBlank(restApiClient.getAppCode())) {
            jpql.append(hasCondition ? " AND " : " WHERE ").append(" R.appCode = :appCode ");
            hasCondition = true;
        }
        if (!StringUtils.isBlank(restApiClient.getClientName())) {
            jpql.append(hasCondition ? " AND " : " WHERE ").append(" R.nuser = :nuser ");
            hasCondition = true;
        }
        if (restApiClient.getValidFrom() != null) {
            jpql.append(hasCondition ? " AND " : " WHERE ").append(" R.validFrom = :validFrom ");
            hasCondition = true;
        }
        if (restApiClient.getValidTo() != null) {
            jpql.append(hasCondition ? " AND " : " WHERE ").append(" R.validTo = :validTo ");
            hasCondition = true;
        }
        if (StringUtils.getBoolFromStr(restApiClient.getActive(), true)) {
            jpql.append(hasCondition ? " AND " : " WHERE ").append(" R.active = :active ");
        }
        return jpql.toString();
    }
}
