package com.atlassian.stash.internal.plugin.hooks.verifycommitsignature;

import com.atlassian.bitbucket.Product;
import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.commit.Commit;
import com.atlassian.bitbucket.dmz.signature.verification.SignatureState;
import com.atlassian.bitbucket.dmz.signature.verification.SignatureVerificationResult;
import com.atlassian.bitbucket.hook.repository.CommitAddedDetails;
import com.atlassian.bitbucket.hook.repository.MergeHookRequest;
import com.atlassian.bitbucket.hook.repository.PreRepositoryHook;
import com.atlassian.bitbucket.hook.repository.PreRepositoryHookCommitCallback;
import com.atlassian.bitbucket.hook.repository.PreRepositoryHookContext;
import com.atlassian.bitbucket.hook.repository.RepositoryHookCommitFilter;
import com.atlassian.bitbucket.hook.repository.RepositoryHookRequest;
import com.atlassian.bitbucket.hook.repository.RepositoryHookResult;
import com.atlassian.bitbucket.hook.repository.StandardRepositoryHookTrigger;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.repository.RefChange;
import com.atlassian.bitbucket.repository.RefChangeType;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.StandardRefType;
import com.atlassian.bitbucket.scm.git.command.GitRefCommandFactory;
import com.atlassian.bitbucket.scm.git.hook.GitRepositoryHookTrigger;
import com.atlassian.bitbucket.scm.git.ref.GitAnnotatedTag;
import com.atlassian.bitbucket.scm.git.ref.GitAnnotatedTagCallback;
import com.atlassian.bitbucket.scm.git.ref.GitResolveAnnotatedTagsCommandParameters;
import com.atlassian.bitbucket.scm.signed.StandardSignableObjectType;
import com.atlassian.bitbucket.server.ApplicationPropertiesService;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.UserType;
import com.atlassian.bitbucket.util.MoreCollectors;
import com.atlassian.bitbucket.util.ShaUtils;
import com.atlassian.stash.internal.plugin.hooks.verifycommitsignature.SignatureVerificationHelper;
import com.google.common.collect.ImmutableSet;
import java.time.Instant;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/stash/internal/plugin/hooks/verifycommitsignature/VerifyCommitSignatureHook.class */
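/**
 * Pre-repository hook that checks the signatures of tags and newly added commits in an update and
 * rejects the update when a signature is in a state this hook does not accept.
 *
 * <p>Security-relevant behaviour, all visible in {@link #preUpdate} and {@link #checkSignatureState}:
 * <ul>
 *   <li>Updates made up only of ref deletions are accepted without any verification.</li>
 *   <li>In-browser file edits and in-app rebases (including merges using the {@code rebase-ff-only}
 *       or {@code rebase-no-ff} strategy) are never verified. They are either accepted outright or,
 *       when the matching plugin property is {@code false} and the current user is a
 *       {@link UserType#NORMAL} user, rejected outright. Both properties default to {@code true}.</li>
 *   <li>A missing signature is only a rejection reason when the current user is a
 *       {@link UserType#NORMAL} user; for any other user type, or when no user is authenticated,
 *       unsigned tags and commits are accepted. Every other non-accepted state rejects regardless of
 *       the user.</li>
 *   <li>Tags that do not resolve as annotated tags are treated as having no signature.</li>
 * </ul>
 */
public class VerifyCommitSignatureHook implements PreRepositoryHook<RepositoryHookRequest> {
    /** Common prefix of every i18n key used for rejection messages. */
    static final String PREFIX = "bitbucket.plugins.hooks.verifycommitsignature.error.";
    /** Plugin property: when {@code false}, in-browser file edits by normal users are rejected. */
    static final String PROP_ALLOW_FILE_EDIT = "plugin.bundled.hooks.allow.file.edit";
    /** Plugin property: when {@code false}, in-app rebases by normal users are rejected. */
    static final String PROP_ALLOW_REBASE = "plugin.bundled.hooks.allow.rebase";
    private static final boolean DEFAULT_ALLOW_FILE_EDIT = true;
    private static final boolean DEFAULT_ALLOW_REBASE = true;
    private static final Logger log = LoggerFactory.getLogger(VerifyCommitSignatureHook.class);
    private final boolean allowFileEdit;
    private final boolean allowRebase;
    private final AuthenticationContext authenticationContext;
    private final I18nService i18nService;
    private final GitRefCommandFactory refCommandFactory;
    private final SignatureVerificationHelper signatureVerificationHelper;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.atlassian.stash.internal.plugin.hooks.verifycommitsignature.VerifyCommitSignatureHook$1, reason: invalid class name */
    /* loaded from: input_file:com/atlassian/stash/internal/plugin/hooks/verifycommitsignature/VerifyCommitSignatureHook$1.class */
    /**
     * Compiler-generated switch map, surfaced by the decompiler: translates each
     * {@link SignatureState} ordinal into the case label used by {@link #checkSignatureState}.
     *
     * <p>A constant that is missing at runtime keeps the array default of {@code 0}, which matches no
     * case label and therefore reaches the {@code default} branch (a "system" rejection).
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState = new int[SignatureState.values().length];

        static {
            // Each assignment is guarded separately so that one enum constant absent from the runtime
            // SignatureState class does not prevent the remaining slots from being filled.
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.GOOD.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.GOOD_BUT_OUT_OF_DATE.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.GOOD_BUT_UNKNOWN_VALIDITY.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.GOOD_BUT_REVOKED.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.GOOD_BUT_MADE_AFTER_EXPIRY.ordinal()] = 5;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.GOOD_BUT_MADE_BEFORE_VALIDITY.ordinal()] = 6;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.BAD.ordinal()] = 7;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.ERROR.ordinal()] = 8;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.SIGNATURE_NOT_FOUND.ordinal()] = 9;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[SignatureState.PUBLIC_KEY_NOT_FOUND.ordinal()] = 10;
            } catch (NoSuchFieldError ignored) {
            }
        }
    }

    /* loaded from: input_file:com/atlassian/stash/internal/plugin/hooks/verifycommitsignature/VerifyCommitSignatureHook$CommitAnalyzer.class */
    /**
     * Verifies the tags of one hook request eagerly ({@link #maybeVerifyTags()}) and its commits
     * lazily, one {@link #onCommitAdded} call per commit, accumulating rejections in a result builder.
     */
    private class CommitAnalyzer implements PreRepositoryHookCommitCallback {
        private final RepositoryHookResult.Builder builder = new RepositoryHookResult.Builder();
        private final RepositoryHookRequest hookRequest;
        // When false, objects without any signature are accepted; see checkSignatureState.
        private final boolean signatureRequired;
        // Verification handle opened by onStart() and released by onEnd().
        private SignatureVerificationHelper.SignedObjectsCallControl signedObjectsCallControl;

        /**
         * @param repositoryHookRequest the request whose ref changes and commits are analysed
         * @param signatureRequired whether a missing signature is a reason to reject
         */
        CommitAnalyzer(RepositoryHookRequest repositoryHookRequest, boolean signatureRequired) {
            this.hookRequest = repositoryHookRequest;
            this.signatureRequired = signatureRequired;
        }

        /** Returns the result accumulated by the {@link #onCommitAdded} calls made so far. */
        @Nonnull
        public RepositoryHookResult getResult() {
            return this.builder.build();
        }

        /**
         * Verifies every tag that the request adds or updates.
         *
         * <p>Tag hashes that do not come back from annotated-tag resolution are evaluated as
         * {@link SignatureState#SIGNATURE_NOT_FOUND}, so they are rejected only when a signature is
         * required for the current user.
         *
         * @return accepted when the request touches no tags or every tag passes; otherwise the
         *     rejection(s) collected for the tags
         */
        public RepositoryHookResult maybeVerifyTags() {
            List<RefChange> tagChanges = this.hookRequest.getRefChanges().stream()
                    .filter(this::isTagAddOrUpdate)
                    .collect(MoreCollectors.toImmutableList());
            if (tagChanges.isEmpty()) {
                return RepositoryHookResult.accepted();
            }
            Repository repository = this.hookRequest.getRepository();
            List<String> tagHashes = tagChanges.stream()
                    .map(RefChange::getToHash)
                    .collect(MoreCollectors.toImmutableList());
            TagSignatureCallback tagCallback = new TagSignatureCallback(VerifyCommitSignatureHook.this, repository, null);
            VerifyCommitSignatureHook.this.refCommandFactory.resolveAnnotatedTags(
                    repository,
                    new GitResolveAnnotatedTagsCommandParameters.Builder().tagIds(tagHashes).maxMessageLength(0).build(),
                    tagCallback).call();
            Set<GitAnnotatedTag> annotatedTags = tagCallback.getResult();
            RepositoryHookResult.Builder tagResult = new RepositoryHookResult.Builder();
            // Open the verification handle before entering the try block: if opening fails there is
            // nothing to close, and the original failure propagates instead of being masked by onEnd().
            onStart();
            try {
                if (annotatedTags.size() != tagChanges.size()) {
                    Set<RefChange> unresolved = tagChanges.stream()
                            .filter(refChange -> annotatedTags.stream()
                                    .map(GitAnnotatedTag::getHash)
                                    .noneMatch(hash -> hash.equals(refChange.getToHash())))
                            .collect(MoreCollectors.toImmutableSet());
                    log.debug("[{}] Not all the tags that we want to verify the signature of were annotated tags, they could potentially be lightweight tags instead", repository);
                    for (RefChange refChange : unresolved) {
                        // No annotated tag object means there is nothing that could carry a signature.
                        addVerifiedObject(tagResult, refChange.getRef().getDisplayId(), repository, SignatureState.SIGNATURE_NOT_FOUND);
                    }
                }
                for (GitAnnotatedTag tag : annotatedTags) {
                    Instant taggerInstant = tag.getTaggerTimestamp().orElse(null);
                    Optional<SignatureVerificationResult> verification = this.signedObjectsCallControl.verify(
                            StandardSignableObjectType.TAG, tag.getHash(), taggerInstant != null ? Date.from(taggerInstant) : null);
                    if (!verification.isPresent()) {
                        // No verification result at all: fail closed with the generic "system" error.
                        // The finally block below is the single place that releases the handle.
                        return reject(VerifyCommitSignatureHook.this.i18nService, "system", tag.getDisplayId());
                    }
                    addVerifiedObject(tagResult, tag.getDisplayId(), repository, verification.get().getSignatureState());
                }
                return tagResult.build();
            } finally {
                onEnd();
            }
        }

        /**
         * Verifies one commit and records the outcome.
         *
         * <p>Commits not newly added to the repository are skipped. The commit whose id matches the
         * merge hash of a {@link MergeHookRequest} is exempt from the "signature required" rule, but
         * is still rejected for any other non-accepted signature state.
         *
         * @return {@code false} once a rejection has been recorded, {@code true} otherwise
         */
        public boolean onCommitAdded(@Nonnull CommitAddedDetails commitAddedDetails) {
            if (!commitAddedDetails.isAddedToRepository()) {
                return true;
            }
            Commit commit = commitAddedDetails.getCommit();
            String displayId = commit.getDisplayId();
            Optional<SignatureVerificationResult> verification = this.signedObjectsCallControl.verify(
                    StandardSignableObjectType.COMMIT, commit.getId(), commit.getCommitterTimestamp());
            if (verification.isPresent()) {
                SignatureState state = verification.get().getSignatureState();
                log.trace("[{}] Commit {} verified as {}", this.hookRequest.getRepository(), displayId, state);
                boolean requireSignature = this.signatureRequired && !isBitbucketCommit(commit);
                this.builder.add(VerifyCommitSignatureHook.this.checkSignatureState(state, displayId, requireSignature));
            } else {
                // No verification result at all: fail closed with the generic "system" error.
                this.builder.add(reject(VerifyCommitSignatureHook.this.i18nService, "system", displayId));
            }
            return !this.builder.isRejected();
        }

        /** Releases the verification handle opened by {@link #onStart()}. */
        public void onEnd() {
            this.signedObjectsCallControl.close();
        }

        /** Opens the verification handle for the request's repository. */
        public void onStart() {
            this.signedObjectsCallControl = VerifyCommitSignatureHook.this.signatureVerificationHelper.runSignedObjects(this.hookRequest.getRepository());
        }

        /** Logs the state found for a tag and adds the resulting accept/reject decision to {@code target}. */
        private void addVerifiedObject(RepositoryHookResult.Builder target, String tagDisplayId, Repository repository, SignatureState signatureState) {
            log.trace("[{}] Tag {} verified as {}", repository, tagDisplayId, signatureState);
            target.add(VerifyCommitSignatureHook.this.checkSignatureState(signatureState, tagDisplayId, this.signatureRequired));
        }

        /** Returns whether {@code commit} is the merge commit identified by a merge request's merge hash. */
        private boolean isBitbucketCommit(Commit commit) {
            if (!(this.hookRequest instanceof MergeHookRequest)) {
                return false;
            }
            MergeHookRequest mergeRequest = (MergeHookRequest) this.hookRequest;
            return ShaUtils.hashesMatch(commit.getId(), mergeRequest.getMergeHash().orElse(null));
        }

        /** Returns whether the ref change creates or moves a tag (tag deletions are excluded). */
        private boolean isTagAddOrUpdate(RefChange refChange) {
            return refChange.getType() != RefChangeType.DELETE && refChange.getRef().getType() == StandardRefType.TAG;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/stash/internal/plugin/hooks/verifycommitsignature/VerifyCommitSignatureHook$TagSignatureCallback.class */
    /** Collects the annotated tags reported while resolving a set of tag hashes. */
    public class TagSignatureCallback implements GitAnnotatedTagCallback {
        private final ImmutableSet.Builder<GitAnnotatedTag> annotatedTags;
        private final Repository repository;

        private TagSignatureCallback(Repository repository) {
            this.annotatedTags = ImmutableSet.builder();
            this.repository = repository;
        }

        /** Logs a tag id that could not be found; returns {@code true} in every case. */
        public boolean onMissing(@Nonnull String tagId) {
            log.warn("[{}] tag {} was not found", this.repository, tagId);
            return true;
        }

        /** Records a resolved annotated tag; returns {@code true} in every case. */
        public boolean onTag(@Nonnull GitAnnotatedTag gitAnnotatedTag) {
            this.annotatedTags.add(gitAnnotatedTag);
            return true;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** Returns an immutable set of the annotated tags recorded so far. */
        public Set<GitAnnotatedTag> getResult() {
            return this.annotatedTags.build();
        }

        // Compiler-generated accessor constructor; the first and third arguments are unused.
        /* synthetic */ TagSignatureCallback(VerifyCommitSignatureHook verifyCommitSignatureHook, Repository repository, AnonymousClass1 anonymousClass1) {
            this(repository);
        }
    }

    /**
     * Creates the hook and reads the two plugin properties that control whether in-browser file
     * edits and in-app rebases are allowed; both default to {@code true}.
     */
    public VerifyCommitSignatureHook(AuthenticationContext authenticationContext, I18nService i18nService, ApplicationPropertiesService applicationPropertiesService, GitRefCommandFactory gitRefCommandFactory, SignatureVerificationHelper signatureVerificationHelper) {
        this.authenticationContext = authenticationContext;
        this.i18nService = i18nService;
        this.refCommandFactory = gitRefCommandFactory;
        this.signatureVerificationHelper = signatureVerificationHelper;
        this.allowFileEdit = applicationPropertiesService.getPluginProperty(PROP_ALLOW_FILE_EDIT, DEFAULT_ALLOW_FILE_EDIT);
        this.allowRebase = applicationPropertiesService.getPluginProperty(PROP_ALLOW_REBASE, DEFAULT_ALLOW_REBASE);
    }

    /**
     * Decides whether the update may proceed.
     *
     * <p>Tags are verified immediately. Commits are verified afterwards through a commit callback
     * registered on the context, so an accepted return value here only means that no tag was
     * rejected and no short-circuit rule applied.
     *
     * @param preRepositoryHookContext context on which the per-commit callback is registered
     * @param repositoryHookRequest the update being evaluated
     * @return a rejection for a disallowed file edit or rebase or for a failing tag, otherwise accepted
     */
    @Nonnull
    public RepositoryHookResult preUpdate(@Nonnull PreRepositoryHookContext preRepositoryHookContext, @Nonnull RepositoryHookRequest repositoryHookRequest) {
        if (isOnlyDeletes(repositoryHookRequest)) {
            return RepositoryHookResult.accepted();
        }
        boolean normalUser = isNormalUser();
        Repository repository = repositoryHookRequest.getRepository();
        if (StandardRepositoryHookTrigger.FILE_EDIT.equals(repositoryHookRequest.getTrigger())) {
            if (!this.allowFileEdit && normalUser) {
                return reject(this.i18nService, "file.edit");
            }
            // NOTE(review): this path accepts without checking any signature. With the default
            // property value, every in-browser edit reaches it.
            log.trace("[{}] Skipping commit verification for in-browser edit", repository);
            return RepositoryHookResult.accepted();
        }
        if (GitRepositoryHookTrigger.REBASE.equals(repositoryHookRequest.getTrigger()) || isRebaseMerge(repositoryHookRequest)) {
            if (!this.allowRebase && normalUser) {
                return reject(this.i18nService, "rebase");
            }
            // NOTE(review): same as above for in-app rebases and rebase-strategy merges.
            log.trace("[{}] Skipping commit verification for in-app rebase", repository);
            return RepositoryHookResult.accepted();
        }
        // A signature is only required of normal users; see isNormalUser().
        RepositoryHookResult tagResult = new CommitAnalyzer(repositoryHookRequest, normalUser).maybeVerifyTags();
        if (tagResult.isRejected()) {
            return tagResult;
        }
        // A separate analyzer instance handles the commits; its handle is opened and closed through
        // its own onStart()/onEnd().
        preRepositoryHookContext.registerCommitCallback(new CommitAnalyzer(repositoryHookRequest, normalUser), RepositoryHookCommitFilter.ADDED_TO_REPOSITORY, new RepositoryHookCommitFilter[0]);
        return RepositoryHookResult.accepted();
    }

    /** Returns whether the request has at least one ref change and all of them are deletions. */
    private static boolean isOnlyDeletes(RepositoryHookRequest repositoryHookRequest) {
        Collection<RefChange> refChanges = repositoryHookRequest.getRefChanges();
        return !refChanges.isEmpty()
                && refChanges.stream().map(RefChange::getType).allMatch(type -> type == RefChangeType.DELETE);
    }

    /**
     * Returns whether the request is a merge on a {@code git} repository whose strategy id is
     * {@code rebase-ff-only} or {@code rebase-no-ff}.
     */
    private static boolean isRebaseMerge(RepositoryHookRequest repositoryHookRequest) {
        if (!(repositoryHookRequest instanceof MergeHookRequest)) {
            return false;
        }
        MergeHookRequest mergeHookRequest = (MergeHookRequest) repositoryHookRequest;
        return "git".equals(mergeHookRequest.getRepository().getScmId())
                && mergeHookRequest.getStrategyId()
                        .map(strategyId -> "rebase-ff-only".equals(strategyId) || "rebase-no-ff".equals(strategyId))
                        .orElse(false);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Maps a signature state to an accept/reject decision for one tag or commit.
     *
     * @param signatureState state reported by signature verification
     * @param objectDisplayId display id of the tag or commit, used in the rejection message
     * @param signatureRequired whether {@link SignatureState#SIGNATURE_NOT_FOUND} should reject
     * @return accepted for {@code GOOD} and {@code GOOD_BUT_OUT_OF_DATE}, and for
     *     {@code SIGNATURE_NOT_FOUND} when no signature is required; a rejection otherwise
     */
    public RepositoryHookResult checkSignatureState(SignatureState signatureState, String objectDisplayId, boolean signatureRequired) {
        switch (AnonymousClass1.$SwitchMap$com$atlassian$bitbucket$dmz$signature$verification$SignatureState[signatureState.ordinal()]) {
            case 1: // GOOD
            case 2: // GOOD_BUT_OUT_OF_DATE
                return RepositoryHookResult.accepted();
            case 3: // GOOD_BUT_UNKNOWN_VALIDITY
                return reject(this.i18nService, "unknown", objectDisplayId);
            case 4: // GOOD_BUT_REVOKED
                return reject(this.i18nService, "revoked", objectDisplayId);
            case 5: // GOOD_BUT_MADE_AFTER_EXPIRY
                return reject(this.i18nService, "expired", objectDisplayId);
            case 6: // GOOD_BUT_MADE_BEFORE_VALIDITY
                return reject(this.i18nService, "before.validity", objectDisplayId);
            case 7: // BAD
                return reject(this.i18nService, "bad", objectDisplayId);
            case 8: // ERROR
                return reject(this.i18nService, "error", objectDisplayId);
            case 9: // SIGNATURE_NOT_FOUND
                return signatureRequired ? reject(this.i18nService, "no.signature", objectDisplayId) : RepositoryHookResult.accepted();
            case 10: // PUBLIC_KEY_NOT_FOUND
                return reject(this.i18nService, "no.key", objectDisplayId, Product.NAME);
            default:
                // Any state without a case label above is rejected rather than accepted.
                return reject(this.i18nService, "system", objectDisplayId);
        }
    }

    /**
     * Returns whether an authenticated user of type {@link UserType#NORMAL} is performing the update.
     * The result decides both whether a missing signature rejects and whether the file-edit and
     * rebase restrictions apply.
     */
    private boolean isNormalUser() {
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        return currentUser != null && currentUser.getType() == UserType.NORMAL;
    }

    /**
     * Builds a rejected result whose summary comes from the {@code summary} key and whose details
     * come from the key {@link #PREFIX} + {@code keySuffix}.
     *
     * @param i18nService message source
     * @param keySuffix suffix appended to {@link #PREFIX} to form the details key
     * @param messageArgs arguments substituted into the details message
     */
    public static RepositoryHookResult reject(I18nService i18nService, String keySuffix, String... messageArgs) {
        return RepositoryHookResult.rejected(
                i18nService.getMessage(PREFIX + "summary"),
                i18nService.getMessage(PREFIX + keySuffix, (Object[]) messageArgs));
    }
}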
