package com.atlassian.bitbucket.internal.accesstokens;

import com.atlassian.bitbucket.ForbiddenException;
import com.atlassian.bitbucket.NoSuchEntityException;
import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.event.project.ProjectDeletedEvent;
import com.atlassian.bitbucket.event.repository.RepositoryDeletedEvent;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.accesstokens.AccessTokenCreateRequest;
import com.atlassian.bitbucket.internal.accesstokens.AccessTokenSearchRequest;
import com.atlassian.bitbucket.internal.accesstokens.auth.AccessTokenAuthConstants;
import com.atlassian.bitbucket.internal.accesstokens.auth.AccessTokenAuthenticationService;
import com.atlassian.bitbucket.internal.accesstokens.event.ScopeAccessTokenCreatedEvent;
import com.atlassian.bitbucket.internal.accesstokens.event.ScopeAccessTokenDeletedEvent;
import com.atlassian.bitbucket.internal.accesstokens.event.ScopeAccessTokenModifiedEvent;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.PermissionAdminService;
import com.atlassian.bitbucket.permission.PermissionValidationService;
import com.atlassian.bitbucket.permission.SetPermissionRequest;
import com.atlassian.bitbucket.project.ProjectService;
import com.atlassian.bitbucket.repository.RepositoryService;
import com.atlassian.bitbucket.scope.ProjectScope;
import com.atlassian.bitbucket.scope.RepositoryScope;
import com.atlassian.bitbucket.scope.Scope;
import com.atlassian.bitbucket.scope.ScopeType;
import com.atlassian.bitbucket.scope.ScopeVisitor;
import com.atlassian.bitbucket.scope.Scopes;
import com.atlassian.bitbucket.server.FeatureManager;
import com.atlassian.bitbucket.server.StandardFeature;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.SecurityService;
import com.atlassian.bitbucket.user.ServiceUser;
import com.atlassian.bitbucket.user.ServiceUserCreateRequest;
import com.atlassian.bitbucket.user.UserAdminService;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.bitbucket.user.UserType;
import com.atlassian.bitbucket.util.Page;
import com.atlassian.bitbucket.util.PageRequest;
import com.atlassian.bitbucket.util.PageUtils;
import com.atlassian.bitbucket.validation.ArgumentValidationException;
import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.google.common.collect.ImmutableSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;

@Component("scopeAccessTokenService")
/* loaded from: input_file:com/atlassian/bitbucket/internal/accesstokens/DefaultScopeAccessTokenService.class */
public class DefaultScopeAccessTokenService implements AccessTokenService<Scope> {
    private static final String ACCESS_TOKEN_USER_PREFIX = "access-token-user";
    private static final String SERVICE_USER_DISPLAY_NAME_FORMAT_PROJECT = "Access Token User - %s";
    private static final String SERVICE_USER_DISPLAY_NAME_FORMAT_REPO = "Access Token User - %s %s";
    private static final String SERVICE_USER_LABEL = "access-token";
    private static final String USERNAME_PARTS_SEPARATOR = "/";
    private static final String SERVICE_USER_NAME_FORMAT = "access-token-user/%s/%s";
    private final AccessTokenAuthenticationService accessTokenAuthenticationService;
    private final AuthenticationContext authenticationContext;
    private final AccessTokenService<ApplicationUser> delegate;
    private final EventPublisher eventPublisher;
    private final FeatureManager featureManager;
    private final I18nService i18nService;
    private final PermissionAdminService permissionAdminService;
    private final PermissionValidationService permissionValidationService;
    private final ProjectService projectService;
    private final RepositoryService repositoryService;
    private final SecurityService securityService;
    private final TransactionTemplate transactionTemplate;
    private final UserAdminService userAdminService;
    private final UserService userService;
    private static final Set<Permission> ALLOWED_PROJECT_PERMISSIONS = ImmutableSet.of(Permission.PROJECT_ADMIN, Permission.PROJECT_WRITE, Permission.PROJECT_READ, Permission.REPO_ADMIN, Permission.REPO_WRITE, Permission.REPO_READ, new Permission[0]);
    private static final Set<Permission> ALLOWED_REPO_PERMISSIONS = ImmutableSet.of(Permission.REPO_ADMIN, Permission.REPO_WRITE, Permission.REPO_READ);
    private static final Logger log = LoggerFactory.getLogger(DefaultScopeAccessTokenService.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.atlassian.bitbucket.internal.accesstokens.DefaultScopeAccessTokenService$5, reason: invalid class name */
    /* loaded from: input_file:com/atlassian/bitbucket/internal/accesstokens/DefaultScopeAccessTokenService$5.class */
    public static /* synthetic */ class AnonymousClass5 {
        static final /* synthetic */ int[] $SwitchMap$com$atlassian$bitbucket$scope$ScopeType = new int[ScopeType.values().length];

        static {
            try {
                $SwitchMap$com$atlassian$bitbucket$scope$ScopeType[ScopeType.PROJECT.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$scope$ScopeType[ScopeType.REPOSITORY.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    @Autowired
    DefaultScopeAccessTokenService(AccessTokenAuthenticationService accessTokenAuthenticationService, AuthenticationContext authenticationContext, @Qualifier("internalAccessTokenService") AccessTokenService<ApplicationUser> accessTokenService, EventPublisher eventPublisher, FeatureManager featureManager, I18nService i18nService, PermissionValidationService permissionValidationService, PermissionAdminService permissionAdminService, RepositoryService repositoryService, ProjectService projectService, SecurityService securityService, TransactionTemplate transactionTemplate, UserAdminService userAdminService, UserService userService) {
        this.accessTokenAuthenticationService = accessTokenAuthenticationService;
        this.authenticationContext = authenticationContext;
        this.delegate = accessTokenService;
        this.eventPublisher = eventPublisher;
        this.featureManager = featureManager;
        this.i18nService = i18nService;
        this.permissionValidationService = permissionValidationService;
        this.permissionAdminService = permissionAdminService;
        this.repositoryService = repositoryService;
        this.projectService = projectService;
        this.securityService = securityService;
        this.transactionTemplate = transactionTemplate;
        this.userAdminService = userAdminService;
        this.userService = userService;
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public RawAccessToken create(@Nonnull AccessTokenCreateRequest<Scope> accessTokenCreateRequest) {
        this.featureManager.requireEnabled(StandardFeature.PROJECT_REPO_ACCESS_TOKENS);
        Scope scope = (Scope) ((AccessTokenCreateRequest) Objects.requireNonNull(accessTokenCreateRequest, "request")).getEntity();
        validateScope(scope);
        validateAdminPermission(scope);
        validatePermissions(scope, accessTokenCreateRequest.getPermissions());
        validateCurrentUserIsNotToken();
        ApplicationUser orCreateServiceUser = getOrCreateServiceUser(accessTokenCreateRequest.getEntity());
        AccessTokenCreateRequest build = new AccessTokenCreateRequest.Builder(orCreateServiceUser).expiryDays(accessTokenCreateRequest.getExpiryDays().orElse(null)).name(accessTokenCreateRequest.getName()).permissions(accessTokenCreateRequest.getPermissions()).build();
        RawAccessToken rawAccessToken = (RawAccessToken) this.securityService.impersonating(orCreateServiceUser, String.format("Creating access token for %s", accessTokenCreateRequest.getEntity())).call(() -> {
            return this.delegate.create(build);
        });
        this.eventPublisher.publish(new ScopeAccessTokenCreatedEvent(this, scope, rawAccessToken.toAccessToken()));
        return rawAccessToken;
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public Optional<AccessToken> deleteById(@Nonnull String str) {
        Scope scopeByTokenId = getScopeByTokenId((String) Objects.requireNonNull(str, "tokenId"));
        validateAdminPermission(scopeByTokenId);
        validateCurrentUserIsNotToken();
        return deleteById(str, scopeByTokenId).map(accessToken -> {
            this.eventPublisher.publish(new ScopeAccessTokenDeletedEvent(this, scopeByTokenId, accessToken));
            return accessToken;
        });
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public Optional<AccessToken> getById(@Nonnull String str) {
        Scope scopeByTokenId = getScopeByTokenId((String) Objects.requireNonNull(str, "tokenId"));
        validateAdminPermission(scopeByTokenId);
        return (Optional) this.securityService.withPermission(Permission.USER_ADMIN, String.format("Getting access token %s for %s", str, scopeByTokenId)).call(() -> {
            return this.delegate.getById(str);
        });
    }

    @EventListener
    public void onProjectDeletedEvent(ProjectDeletedEvent projectDeletedEvent) {
        deleteTokens(Scopes.project(projectDeletedEvent.getProject()));
    }

    @EventListener
    public void onRepositoryDeletedEvent(RepositoryDeletedEvent repositoryDeletedEvent) {
        deleteTokens(Scopes.repository(repositoryDeletedEvent.getRepository()));
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public Page<AccessToken> search(@Nonnull AccessTokenSearchRequest<Scope> accessTokenSearchRequest, @Nonnull PageRequest pageRequest) {
        Scope scope = (Scope) ((AccessTokenSearchRequest) Objects.requireNonNull(accessTokenSearchRequest, "request")).getEntity();
        validateAdminPermission(scope);
        validateScope(scope);
        ApplicationUser serviceUser = getServiceUser(accessTokenSearchRequest.getEntity());
        if (serviceUser == null) {
            return PageUtils.createEmptyPage(pageRequest);
        }
        AccessTokenSearchRequest build = new AccessTokenSearchRequest.Builder(serviceUser).build();
        return (Page) this.securityService.withPermission(Permission.USER_ADMIN, String.format("Searching access tokens for %s", accessTokenSearchRequest.getEntity())).call(() -> {
            return this.delegate.search(build, pageRequest);
        });
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public AccessToken update(@Nonnull AccessTokenUpdateRequest accessTokenUpdateRequest) {
        this.featureManager.requireEnabled(StandardFeature.PROJECT_REPO_ACCESS_TOKENS);
        Scope scopeByTokenId = getScopeByTokenId(((AccessTokenUpdateRequest) Objects.requireNonNull(accessTokenUpdateRequest, "request")).getId());
        validateScope(scopeByTokenId);
        validateAdminPermission(scopeByTokenId);
        validateCurrentUserIsNotToken();
        validatePermissions(scopeByTokenId, accessTokenUpdateRequest.getPermissions());
        AccessToken orElseThrow = getById(accessTokenUpdateRequest.getId()).orElseThrow(() -> {
            return new NoSuchEntityException(this.i18nService.createKeyedMessage("bitbucket.access.tokens.error.notfound", new Object[]{accessTokenUpdateRequest.getId()}));
        });
        AccessToken accessToken = (AccessToken) this.securityService.withPermission(Permission.USER_ADMIN, String.format("Updating access tokens %s for %s", accessTokenUpdateRequest.getId(), scopeByTokenId)).call(() -> {
            return this.delegate.update(accessTokenUpdateRequest);
        });
        this.eventPublisher.publish(new ScopeAccessTokenModifiedEvent(this, scopeByTokenId, accessToken, orElseThrow));
        return accessToken;
    }

    private Optional<AccessToken> deleteById(String str, Scope scope) {
        return (Optional) this.securityService.withPermission(Permission.USER_ADMIN, String.format("Deleting access token %s for %s", str, scope)).call(() -> {
            return this.delegate.deleteById(str);
        });
    }

    private void deleteTokens(Scope scope) {
        if (getServiceUser(scope) == null) {
            return;
        }
        this.transactionTemplate.execute(() -> {
            PageUtils.toStream(pageRequest -> {
                return search(new AccessTokenSearchRequest.Builder(scope).build(), pageRequest);
            }, 100).forEach(accessToken -> {
                deleteById(accessToken.getId(), scope).ifPresent(accessToken -> {
                    this.eventPublisher.publish(new ScopeAccessTokenDeletedEvent(this, scope, accessToken));
                });
            });
            return null;
        });
    }

    private ApplicationUser getOrCreateServiceUser(Scope scope) {
        String usernameFromScope = getUsernameFromScope(scope);
        ApplicationUser serviceUser = getServiceUser(usernameFromScope);
        if (serviceUser != null) {
            return serviceUser;
        }
        ServiceUser createServiceUser = this.userAdminService.createServiceUser(new ServiceUserCreateRequest.Builder().active(true).displayName(getServiceUserDisplayName(scope)).name(usernameFromScope).label(SERVICE_USER_LABEL).build());
        final SetPermissionRequest.Builder user = new SetPermissionRequest.Builder().user(createServiceUser);
        scope.accept(new ScopeVisitor<Void>() { // from class: com.atlassian.bitbucket.internal.accesstokens.DefaultScopeAccessTokenService.1
            /* renamed from: visit, reason: merged with bridge method [inline-methods] */
            public Void m3visit(@Nonnull ProjectScope projectScope) {
                user.projectPermission(Permission.PROJECT_ADMIN, projectScope.getProject());
                return null;
            }

            /* renamed from: visit, reason: merged with bridge method [inline-methods] */
            public Void m2visit(@Nonnull RepositoryScope repositoryScope) {
                user.repositoryPermission(Permission.REPO_ADMIN, repositoryScope.getRepository());
                return null;
            }
        });
        this.permissionAdminService.setPermission(user.build());
        return createServiceUser;
    }

    private Scope getScopeByTokenId(String str) {
        AccessToken orElseThrow = this.accessTokenAuthenticationService.unAuthenticatedGetById(str).orElseThrow(() -> {
            return new NoSuchEntityException(this.i18nService.createKeyedMessage("bitbucket.scope.access.tokens.tokenId.notexist", new Object[0]));
        });
        if (orElseThrow.getUser().getType() == UserType.SERVICE) {
            return getScopeFromUsername(orElseThrow.getUser().getName()).orElseThrow(() -> {
                return new ArgumentValidationException(this.i18nService.createKeyedMessage("bitbucket.scope.access.tokens.tokenId.invalid", new Object[0]));
            });
        }
        throw new ArgumentValidationException(this.i18nService.createKeyedMessage("bitbucket.scope.access.tokens.tokenId.notscope", new Object[0]));
    }

    private Optional<Scope> getScopeFromUsername(String str) {
        String[] split = str.split(USERNAME_PARTS_SEPARATOR);
        if (split.length != 3) {
            log.trace("Provided username, {}, does not match access token username pattern (must contain 2 ':')", str);
            return Optional.empty();
        }
        if (!ACCESS_TOKEN_USER_PREFIX.equals(split[0])) {
            log.trace("Provided username, {}, does not match access token username pattern (must start with {}:')", str, ACCESS_TOKEN_USER_PREFIX);
            return Optional.empty();
        }
        String str2 = split[1];
        if (StringUtils.isBlank(str2)) {
            log.trace("Provided username, {}, does not contain a scope type.", str);
            return Optional.empty();
        }
        try {
            try {
                ScopeType fromId = ScopeType.fromId(Integer.parseInt(str2));
                String str3 = split[2];
                if (StringUtils.isBlank(str3)) {
                    log.trace("Provided username, {}, does not contain a resource ID.", str);
                    return Optional.empty();
                }
                try {
                    int parseInt = Integer.parseInt(str3);
                    switch (AnonymousClass5.$SwitchMap$com$atlassian$bitbucket$scope$ScopeType[fromId.ordinal()]) {
                        case 1:
                            return Optional.ofNullable(this.projectService.getById(parseInt)).map(Scopes::project);
                        case 2:
                            return Optional.ofNullable(this.repositoryService.getById(parseInt)).map(Scopes::repository);
                        default:
                            log.trace("Provided scope type, {}, is not supported.", fromId.name());
                            return Optional.empty();
                    }
                } catch (NumberFormatException e) {
                    log.trace("Provided resource ID, {}, is not an integer.", str3);
                    return Optional.empty();
                }
            } catch (IllegalArgumentException e2) {
                log.trace("Provided scope type, {}, is not a known scope type.", str2);
                return Optional.empty();
            }
        } catch (NumberFormatException e3) {
            log.trace("Provided scope type, {}, is not an integer.", str2);
            return Optional.empty();
        }
    }

    private ApplicationUser getServiceUser(Scope scope) {
        return getServiceUser(getUsernameFromScope(scope));
    }

    private ApplicationUser getServiceUser(String str) {
        return this.userService.getServiceUserByName(str);
    }

    private String getServiceUserDisplayName(Scope scope) {
        return (String) scope.accept(new ScopeVisitor<String>() { // from class: com.atlassian.bitbucket.internal.accesstokens.DefaultScopeAccessTokenService.2
            /* renamed from: visit, reason: merged with bridge method [inline-methods] */
            public String m5visit(@Nonnull ProjectScope projectScope) {
                return String.format(DefaultScopeAccessTokenService.SERVICE_USER_DISPLAY_NAME_FORMAT_PROJECT, projectScope.getProject().getName());
            }

            /* renamed from: visit, reason: merged with bridge method [inline-methods] */
            public String m4visit(@Nonnull RepositoryScope repositoryScope) {
                return String.format(DefaultScopeAccessTokenService.SERVICE_USER_DISPLAY_NAME_FORMAT_REPO, repositoryScope.getProject().getName(), repositoryScope.getRepository().getName());
            }
        });
    }

    private String getUsernameFromScope(Scope scope) {
        return String.format(SERVICE_USER_NAME_FORMAT, Integer.valueOf(scope.getType().getId()), scope.getResourceId().map((v0) -> {
            return String.valueOf(v0);
        }).orElse(""));
    }

    private void validateAdminPermission(Scope scope) {
        scope.accept(new ScopeVisitor<Void>() { // from class: com.atlassian.bitbucket.internal.accesstokens.DefaultScopeAccessTokenService.3
            /* renamed from: visit, reason: merged with bridge method [inline-methods] */
            public Void m7visit(@Nonnull ProjectScope projectScope) {
                DefaultScopeAccessTokenService.this.permissionValidationService.validateForProject(projectScope.getProject(), Permission.PROJECT_ADMIN);
                return null;
            }

            /* renamed from: visit, reason: merged with bridge method [inline-methods] */
            public Void m6visit(@Nonnull RepositoryScope repositoryScope) {
                DefaultScopeAccessTokenService.this.permissionValidationService.validateForRepository(repositoryScope.getRepository(), Permission.REPO_ADMIN);
                return null;
            }
        });
    }

    private void validateCurrentUserIsNotToken() {
        if (this.authenticationContext.getProperties().containsKey(AccessTokenAuthConstants.TOKEN_ID_KEY)) {
            throw new ForbiddenException(this.i18nService.createKeyedMessage("bitbucket.scope.access.tokens.token.forbidden", new Object[0]));
        }
    }

    private void validatePermissions(Scope scope, final Set<Permission> set) {
        if (!((Boolean) scope.accept(new ScopeVisitor<Boolean>() { // from class: com.atlassian.bitbucket.internal.accesstokens.DefaultScopeAccessTokenService.4
            /* renamed from: visit, reason: merged with bridge method [inline-methods] */
            public Boolean m9visit(@Nonnull ProjectScope projectScope) {
                return Boolean.valueOf(DefaultScopeAccessTokenService.ALLOWED_PROJECT_PERMISSIONS.containsAll(set));
            }

            /* renamed from: visit, reason: merged with bridge method [inline-methods] */
            public Boolean m8visit(@Nonnull RepositoryScope repositoryScope) {
                return Boolean.valueOf(DefaultScopeAccessTokenService.ALLOWED_REPO_PERMISSIONS.containsAll(set));
            }
        })).booleanValue()) {
            throw new ArgumentValidationException(this.i18nService.createKeyedMessage("bitbucket.scope.access.tokens.permissions.invalid", new Object[]{scope.getType().name(), set.stream().map((v0) -> {
                return v0.name();
            }).collect(Collectors.joining(", "))}));
        }
    }

    private void validateScope(Scope scope) {
        if (scope.getType() == ScopeType.GLOBAL) {
            throw new ArgumentValidationException(this.i18nService.createKeyedMessage("bitbucket.scope.access.tokens.scope.invalid", new Object[0]));
        }
    }
}
