package com.atlassian.stash.internal.repository.ref.restriction;

import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.event.branch.BranchCreationRequestedEvent;
import com.atlassian.bitbucket.event.branch.BranchDeletionRequestedEvent;
import com.atlassian.bitbucket.event.content.FileEditRequestedEvent;
import com.atlassian.bitbucket.event.repository.RefChangeRequestedEvent;
import com.atlassian.bitbucket.event.tag.TagCreationRequestedEvent;
import com.atlassian.bitbucket.event.tag.TagDeletionRequestedEvent;
import com.atlassian.bitbucket.hook.HookResponse;
import com.atlassian.bitbucket.hook.PreReceiveHook;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.pull.PullRequestRef;
import com.atlassian.bitbucket.repository.MinimalRef;
import com.atlassian.bitbucket.repository.RefChange;
import com.atlassian.bitbucket.repository.RefChangeType;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.SimpleRefChange;
import com.atlassian.bitbucket.repository.ref.restriction.RefAccessRequest;
import com.atlassian.bitbucket.repository.ref.restriction.RefAccessType;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionType;
import com.atlassian.bitbucket.repository.ref.restriction.RestrictionMatchRequest;
import com.atlassian.bitbucket.scm.pull.MergeRequest;
import com.atlassian.bitbucket.scm.pull.MergeRequestCheck;
import com.atlassian.bitbucket.user.EscalatedSecurityContext;
import com.atlassian.bitbucket.user.SecurityService;
import com.atlassian.event.api.EventListener;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Multimap;
import com.google.common.collect.Ordering;
import com.google.common.collect.TreeMultimap;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.Map;
import javax.annotation.Nonnull;

/* loaded from: input_file:com/atlassian/stash/internal/repository/ref/restriction/RestrictionEnforcer.class */
public class RestrictionEnforcer implements PreReceiveHook, MergeRequestCheck {
    private static final Comparator<RefChange> REF_CHANGE_COMPARATOR = (refChange, refChange2) -> {
        return refChange.getRef().getId().compareTo(refChange2.getRef().getId());
    };
    private final AuthenticationContext authenticationContext;
    private final I18nService i18nService;
    private final RefRestrictionService restrictionService;
    private final EscalatedSecurityContext withRepoAdmin;
    private final String SEPARATOR_LINE = "----------------------------------------------------\n";
    private final String BOUNCER_ASCII_ART = "                            *%%%%%.                            \n                        %%%         %%%                        \n                     ,%#               %%                      \n                    %%                   %%                    \n                   %#                     %%                   \n                  %%                       %                   \n                  %(                       %%                  \n                  %%%%%%%%%%%%%%%%%%%%%%%%%%%                  \n                %#%*%#///////%# %%///////%%%%%%                \n               ,% %*%%******%#   %%******%(%%,%                \n                 %%/ %%/**%%/%%%%%%%(**#%( %%#                 \n                  %%          %%%          %(                  \n                   %                      .%                   \n                   *%        %%%%%       .%                    \n                     %#                 %%                     \n                      .%%            .%%                       \n                      .%%.%%,     %%%.%%/                      \n                %%%%%%##%.  #%%%%%.  .%((%%%%%%                \n            %%#(((((((((%%,         #%%(((((((((#%%.           \n      %%%((((((((((((((((((%%%, .%%%((((((((((((((((((#%%*     \n    %%(((((((((((((((((((((((((%(((((((((((((((((((((((((#%.   \n  ,%(((((((((((((((((((((((((((((((((((((((((((((((((((((((%#  \n  %#((((((((((((((((((((((((((((((((((((((((((((((((((((((((%  \n  %%%%%%%%%%%%%(((((((((((((((((((((((((((((((((%%%%%%%%%%%%%  \n %%            %####((((((###%%%%%%%%#(((((((((%            ,% \n,%             %%%%%%#.               %%%((((((%*            %%\n#%                                       %%%#                %%\n.%                             .%%%%%%%%%                    %#\n %                         #%%%                              % \n %                     %%%%                                  %*\n/%************/#%%%%%%######%%*                        ..,*/(%%\n              %%######(((((((##################%%              \n              %%######(((((((((((((((((((((((((%%              \n//////////////%%%%%%%%#########################%%/////////  ///";

    public RestrictionEnforcer(AuthenticationContext authenticationContext, I18nService i18nService, RefRestrictionService refRestrictionService, SecurityService securityService) {
        this.authenticationContext = authenticationContext;
        this.i18nService = i18nService;
        this.restrictionService = refRestrictionService;
        this.withRepoAdmin = securityService.withPermission(Permission.REPO_ADMIN, "For branch permission");
    }

    public boolean onReceive(@Nonnull Repository repository, @Nonnull Collection<RefChange> collection, @Nonnull HookResponse hookResponse) {
        RestrictionMatchRequest build = new RestrictionMatchRequest.Builder(repository, Collections.emptyList()).user(this.authenticationContext.getCurrentUser()).refChanges(collection).build();
        Multimap multimap = (Multimap) this.withRepoAdmin.call(() -> {
            return this.restrictionService.match(build);
        });
        if (multimap.isEmpty()) {
            return true;
        }
        TreeMultimap create = TreeMultimap.create(REF_CHANGE_COMPARATOR, Ordering.natural());
        for (Map.Entry entry : multimap.entries()) {
            RefChange refChange = (RefChange) entry.getKey();
            String id = refChange.getRef().getId();
            switch (r0.getType()) {
                case NO_DELETES:
                    create.put(refChange, this.i18nService.getMessage("bitbucket.branch.permission.reject.no.delete", new Object[]{id}));
                    break;
                case FAST_FORWARD_ONLY:
                    create.put(refChange, this.i18nService.getMessage("bitbucket.branch.permission.reject.fast.forward.only", new Object[]{id}));
                    break;
                case PULL_REQUEST_ONLY:
                    create.put(refChange, this.i18nService.getMessage("bitbucket.branch.permission.reject.pull.request.only", new Object[]{id}));
                    break;
                case READ_ONLY:
                    create.put(refChange, this.i18nService.getMessage("bitbucket.branch.permission.reject.read.only", new Object[]{id}));
                    break;
            }
        }
        if (!create.isEmpty()) {
            hookResponse.out().append((CharSequence) "                            *%%%%%.                            \n                        %%%         %%%                        \n                     ,%#               %%                      \n                    %%                   %%                    \n                   %#                     %%                   \n                  %%                       %                   \n                  %(                       %%                  \n                  %%%%%%%%%%%%%%%%%%%%%%%%%%%                  \n                %#%*%#///////%# %%///////%%%%%%                \n               ,% %*%%******%#   %%******%(%%,%                \n                 %%/ %%/**%%/%%%%%%%(**#%( %%#                 \n                  %%          %%%          %(                  \n                   %                      .%                   \n                   *%        %%%%%       .%                    \n                     %#                 %%                     \n                      .%%            .%%                       \n                      .%%.%%,     %%%.%%/                      \n                %%%%%%##%.  #%%%%%.  .%((%%%%%%                \n            %%#(((((((((%%,         #%%(((((((((#%%.           \n      %%%((((((((((((((((((%%%, .%%%((((((((((((((((((#%%*     \n    %%(((((((((((((((((((((((((%(((((((((((((((((((((((((#%.   \n  ,%(((((((((((((((((((((((((((((((((((((((((((((((((((((((%#  \n  %#((((((((((((((((((((((((((((((((((((((((((((((((((((((((%  \n  %%%%%%%%%%%%%(((((((((((((((((((((((((((((((((%%%%%%%%%%%%%  \n %%            %####((((((###%%%%%%%%#(((((((((%            ,% \n,%             %%%%%%#.               %%%((((((%*            %%\n#%                                       %%%#                %%\n.%                             .%%%%%%%%%                    %#\n %                         #%%%                              % \n %                     %%%%                                  %*\n/%************/#%%%%%%######%%*                        ..,*/(%%\n              %%######(((((((##################%%              \n              %%######(((((((((((((((((((((((((%%              \n//////////////%%%%%%%%#########################%%/////////  ///");
            hookResponse.out().append((CharSequence) "\n").append((CharSequence) "----------------------------------------------------\n");
            Iterator it = create.values().iterator();
            while (it.hasNext()) {
                hookResponse.out().append((CharSequence) it.next()).append((CharSequence) "\n");
            }
            hookResponse.out().println(this.i18nService.getMessage("bitbucket.branch.permission.check.settings.administrator", new Object[0]));
            hookResponse.out().append((CharSequence) "----------------------------------------------------\n").append((CharSequence) "\n");
        }
        return create.isEmpty();
    }

    public void check(@Nonnull MergeRequest mergeRequest) {
        PullRequestRef toRef = mergeRequest.getPullRequest().getToRef();
        if (canMergePullRequest(mergeRequest.getPullRequest().getFromRef(), toRef)) {
            return;
        }
        mergeRequest.veto(this.i18nService.getMessage("bitbucket.branch.permission.branch.permission.merge.check.summary", new Object[0]), this.i18nService.getMessage("bitbucket.branch.permission.branch.permission.merge.check", new Object[]{toRef.getDisplayId()}));
    }

    @EventListener
    public void onFileEditRequested(FileEditRequestedEvent fileEditRequestedEvent) {
        MinimalRef branch = fileEditRequestedEvent.getBranch();
        if (this.restrictionService.hasPermission(new RefAccessRequest.Builder(fileEditRequestedEvent.getRepository(), RefAccessType.UPDATE).ref(branch).build())) {
            return;
        }
        fileEditRequestedEvent.cancel(this.i18nService.createKeyedMessage("bitbucket.branch.permission.cancel.fileedit", new Object[]{fileEditRequestedEvent.getPath(), branch.getDisplayId()}));
    }

    @EventListener
    public void onBranchCreationRequested(BranchCreationRequestedEvent branchCreationRequestedEvent) {
        cancelIfNoCreatePermission(branchCreationRequestedEvent.getBranch(), branchCreationRequestedEvent);
    }

    @EventListener
    public void onBranchDeletionRequested(BranchDeletionRequestedEvent branchDeletionRequestedEvent) {
        cancelIfNoDeletePermission(branchDeletionRequestedEvent.getBranch(), branchDeletionRequestedEvent);
    }

    @EventListener
    public void onTagCreationRequested(TagCreationRequestedEvent tagCreationRequestedEvent) {
        cancelIfNoCreatePermission(tagCreationRequestedEvent.getTag(), tagCreationRequestedEvent);
    }

    @EventListener
    public void onTagDeletionRequested(TagDeletionRequestedEvent tagDeletionRequestedEvent) {
        cancelIfNoDeletePermission(tagDeletionRequestedEvent.getTag(), tagDeletionRequestedEvent);
    }

    private void cancelIfNoCreatePermission(MinimalRef minimalRef, RefChangeRequestedEvent refChangeRequestedEvent) {
        if (this.restrictionService.hasPermission(new RefAccessRequest.Builder(refChangeRequestedEvent.getRepository(), RefAccessType.CREATE).ref(minimalRef).build())) {
            return;
        }
        refChangeRequestedEvent.cancel(this.i18nService.createKeyedMessage("bitbucket.branch.permission.cancel.read.only", new Object[]{minimalRef.getDisplayId()}));
    }

    private void cancelIfNoDeletePermission(MinimalRef minimalRef, RefChangeRequestedEvent refChangeRequestedEvent) {
        if (this.restrictionService.hasPermission(new RefAccessRequest.Builder(refChangeRequestedEvent.getRepository(), RefAccessType.DELETE).ref(minimalRef).build())) {
            return;
        }
        refChangeRequestedEvent.cancel(this.i18nService.createKeyedMessage("bitbucket.branch.permission.reject.no.delete", new Object[]{minimalRef.getDisplayId()}));
    }

    private boolean canMergePullRequest(PullRequestRef pullRequestRef, PullRequestRef pullRequestRef2) {
        RestrictionMatchRequest build = new RestrictionMatchRequest.Builder(pullRequestRef2.getRepository(), ImmutableList.of(RefRestrictionType.READ_ONLY)).refChange(new SimpleRefChange.Builder().from(pullRequestRef).to(pullRequestRef2).type(RefChangeType.UPDATE).build()).user(this.authenticationContext.getCurrentUser()).build();
        return ((Multimap) this.withRepoAdmin.call(() -> {
            return this.restrictionService.match(build);
        })).isEmpty();
    }
}
