package com.atlassian.stash.internal.repository.ref.restriction;

import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.commit.CommitService;
import com.atlassian.bitbucket.commit.CommitsBetweenRequest;
import com.atlassian.bitbucket.event.branch.BranchCreationRequestedEvent;
import com.atlassian.bitbucket.event.branch.BranchDeletionRequestedEvent;
import com.atlassian.bitbucket.hook.HookResponse;
import com.atlassian.bitbucket.hook.PreReceiveHook;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.pull.PullRequestRef;
import com.atlassian.bitbucket.repository.RefChange;
import com.atlassian.bitbucket.repository.RefChangeType;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.ref.restriction.RefAccessRequest;
import com.atlassian.bitbucket.repository.ref.restriction.RefAccessType;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService;
import com.atlassian.bitbucket.repository.ref.restriction.RestrictionMatchRequest;
import com.atlassian.bitbucket.scm.pull.MergeRequest;
import com.atlassian.bitbucket.scm.pull.MergeRequestCheck;
import com.atlassian.bitbucket.user.EscalatedSecurityContext;
import com.atlassian.bitbucket.user.SecurityService;
import com.atlassian.bitbucket.util.PageUtils;
import com.atlassian.event.api.EventListener;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Multimap;
import com.google.common.collect.Ordering;
import com.google.common.collect.TreeMultimap;
import java.util.Collection;
import java.util.Comparator;
import java.util.Iterator;
import java.util.Map;
import javax.annotation.Nonnull;

/* loaded from: input_file:com/atlassian/stash/internal/repository/ref/restriction/RestrictionEnforcer.class */
public class RestrictionEnforcer implements PreReceiveHook, MergeRequestCheck {
    private static final Comparator<RefChange> REF_CHANGE_COMPARATOR = (refChange, refChange2) -> {
        return refChange.getRef().getId().compareTo(refChange2.getRef().getId());
    };

    @VisibleForTesting
    static final String STASH_BRANCH_PERMISSION_REJECT_NO_DELETE = "bitbucket.branch.permission.reject.no.delete";

    @VisibleForTesting
    static final String STASH_BRANCH_PERMISSION_REJECT_FAST_FORWARD_ONLY = "bitbucket.branch.permission.reject.fast.forward.only";

    @VisibleForTesting
    static final String STASH_BRANCH_PERMISSION_REJECT_PULL_REQUEST_ONLY = "bitbucket.branch.permission.reject.pull.request.only";

    @VisibleForTesting
    static final String STASH_BRANCH_PERMISSION_REJECT_READ_ONLY = "bitbucket.branch.permission.reject.read.only";

    @VisibleForTesting
    static final String STASH_BRANCH_PERMISSION_CHECK_SETTINGS_ADMINISTRATOR = "bitbucket.branch.permission.check.settings.administrator";

    @VisibleForTesting
    static final String STASH_BRANCH_PERMISSION_BRANCH_PERMISSION_MERGE_CHECK_SUMMARY = "bitbucket.branch.permission.branch.permission.merge.check.summary";

    @VisibleForTesting
    static final String STASH_BRANCH_PERMISSION_BRANCH_PERMISSION_MERGE_CHECK = "bitbucket.branch.permission.branch.permission.merge.check";
    private final AuthenticationContext authenticationContext;
    private final CommitService commitService;
    private final I18nService i18nService;
    private final RefRestrictionService restrictionService;
    private final EscalatedSecurityContext withRepoAdmin;
    private final String SEPARATOR_LINE = "----------------------------------------------------\n";
    private final String BOUNCER_ASCII_ART = "                            *%%%%%.                            \n                        %%%         %%%                        \n                     ,%#               %%                      \n                    %%                   %%                    \n                   %#                     %%                   \n                  %%                       %                   \n                  %(                       %%                  \n                  %%%%%%%%%%%%%%%%%%%%%%%%%%%                  \n                %#%*%#///////%# %%///////%%%%%%                \n               ,% %*%%******%#   %%******%(%%,%                \n                 %%/ %%/**%%/%%%%%%%(**#%( %%#                 \n                  %%          %%%          %(                  \n                   %                      .%                   \n                   *%        %%%%%       .%                    \n                     %#                 %%                     \n                      .%%            .%%                       \n                      .%%.%%,     %%%.%%/                      \n                %%%%%%##%.  #%%%%%.  .%((%%%%%%                \n            %%#(((((((((%%,         #%%(((((((((#%%.           \n      %%%((((((((((((((((((%%%, .%%%((((((((((((((((((#%%*     \n    %%(((((((((((((((((((((((((%(((((((((((((((((((((((((#%.   \n  ,%(((((((((((((((((((((((((((((((((((((((((((((((((((((((%#  \n  %#((((((((((((((((((((((((((((((((((((((((((((((((((((((((%  \n  %%%%%%%%%%%%%(((((((((((((((((((((((((((((((((%%%%%%%%%%%%%  \n %%            %####((((((###%%%%%%%%#(((((((((%            ,% \n,%             %%%%%%#.               %%%((((((%*            %%\n#%                                       %%%#                %%\n.%                             .%%%%%%%%%                    %#\n %                         #%%%                              % \n %                     %%%%                                  %*\n/%************/#%%%%%%######%%*                        ..,*/(%%\n              %%######(((((((##################%%              \n              %%######(((((((((((((((((((((((((%%              \n//////////////%%%%%%%%#########################%%/////////  ///";

    public RestrictionEnforcer(AuthenticationContext authenticationContext, CommitService commitService, I18nService i18nService, RefRestrictionService refRestrictionService, SecurityService securityService) {
        this.authenticationContext = authenticationContext;
        this.commitService = commitService;
        this.i18nService = i18nService;
        this.restrictionService = refRestrictionService;
        this.withRepoAdmin = securityService.withPermission(Permission.REPO_ADMIN, "For branch permission");
    }

    public boolean onReceive(@Nonnull Repository repository, @Nonnull Collection<RefChange> collection, @Nonnull HookResponse hookResponse) {
        RestrictionMatchRequest build = new RestrictionMatchRequest.Builder(repository).user(this.authenticationContext.getCurrentUser()).refChanges(collection).build();
        Multimap multimap = (Multimap) this.withRepoAdmin.call(() -> {
            return this.restrictionService.match(build);
        });
        if (multimap.isEmpty()) {
            return true;
        }
        TreeMultimap create = TreeMultimap.create(REF_CHANGE_COMPARATOR, Ordering.natural());
        for (Map.Entry entry : multimap.entries()) {
            RefChange refChange = (RefChange) entry.getKey();
            String id = refChange.getRef().getId();
            switch (r0.getType()) {
                case NO_DELETES:
                    if (refChange.getType() == RefChangeType.DELETE) {
                        create.put(refChange, this.i18nService.getMessage(STASH_BRANCH_PERMISSION_REJECT_NO_DELETE, new Object[]{id}));
                        break;
                    } else {
                        break;
                    }
                case FAST_FORWARD_ONLY:
                    if (refChange.getType() == RefChangeType.UPDATE && this.commitService.getCommitsBetween(new CommitsBetweenRequest.Builder(repository).include(refChange.getFromHash(), new String[0]).exclude(refChange.getToHash(), new String[0]).build(), PageUtils.newRequest(0, 1)).getSize() > 0) {
                        create.put(refChange, this.i18nService.getMessage(STASH_BRANCH_PERMISSION_REJECT_FAST_FORWARD_ONLY, new Object[]{id}));
                        break;
                    }
                    break;
                case PULL_REQUEST_ONLY:
                    if (refChange.getType() == RefChangeType.UPDATE) {
                        create.put(refChange, this.i18nService.getMessage(STASH_BRANCH_PERMISSION_REJECT_PULL_REQUEST_ONLY, new Object[]{id}));
                        break;
                    } else {
                        break;
                    }
                case READ_ONLY:
                    create.put(refChange, this.i18nService.getMessage(STASH_BRANCH_PERMISSION_REJECT_READ_ONLY, new Object[]{id}));
                    break;
            }
        }
        if (!create.isEmpty()) {
            hookResponse.out().append((CharSequence) "                            *%%%%%.                            \n                        %%%         %%%                        \n                     ,%#               %%                      \n                    %%                   %%                    \n                   %#                     %%                   \n                  %%                       %                   \n                  %(                       %%                  \n                  %%%%%%%%%%%%%%%%%%%%%%%%%%%                  \n                %#%*%#///////%# %%///////%%%%%%                \n               ,% %*%%******%#   %%******%(%%,%                \n                 %%/ %%/**%%/%%%%%%%(**#%( %%#                 \n                  %%          %%%          %(                  \n                   %                      .%                   \n                   *%        %%%%%       .%                    \n                     %#                 %%                     \n                      .%%            .%%                       \n                      .%%.%%,     %%%.%%/                      \n                %%%%%%##%.  #%%%%%.  .%((%%%%%%                \n            %%#(((((((((%%,         #%%(((((((((#%%.           \n      %%%((((((((((((((((((%%%, .%%%((((((((((((((((((#%%*     \n    %%(((((((((((((((((((((((((%(((((((((((((((((((((((((#%.   \n  ,%(((((((((((((((((((((((((((((((((((((((((((((((((((((((%#  \n  %#((((((((((((((((((((((((((((((((((((((((((((((((((((((((%  \n  %%%%%%%%%%%%%(((((((((((((((((((((((((((((((((%%%%%%%%%%%%%  \n %%            %####((((((###%%%%%%%%#(((((((((%            ,% \n,%             %%%%%%#.               %%%((((((%*            %%\n#%                                       %%%#                %%\n.%                             .%%%%%%%%%                    %#\n %                         #%%%                              % \n %                     %%%%                                  %*\n/%************/#%%%%%%######%%*                        ..,*/(%%\n              %%######(((((((##################%%              \n              %%######(((((((((((((((((((((((((%%              \n//////////////%%%%%%%%#########################%%/////////  ///");
            hookResponse.out().append((CharSequence) "\n").append((CharSequence) "----------------------------------------------------\n");
            Iterator it = create.values().iterator();
            while (it.hasNext()) {
                hookResponse.out().append((CharSequence) it.next()).append((CharSequence) "\n");
            }
            hookResponse.out().println(this.i18nService.getMessage(STASH_BRANCH_PERMISSION_CHECK_SETTINGS_ADMINISTRATOR, new Object[0]));
            hookResponse.out().append((CharSequence) "----------------------------------------------------\n").append((CharSequence) "\n");
        }
        return create.isEmpty();
    }

    public void check(@Nonnull MergeRequest mergeRequest) {
        PullRequestRef toRef = mergeRequest.getPullRequest().getToRef();
        if (canUpdate(toRef)) {
            return;
        }
        mergeRequest.veto(this.i18nService.getMessage(STASH_BRANCH_PERMISSION_BRANCH_PERMISSION_MERGE_CHECK_SUMMARY, new Object[0]), this.i18nService.getMessage(STASH_BRANCH_PERMISSION_BRANCH_PERMISSION_MERGE_CHECK, new Object[]{toRef.getDisplayId()}));
    }

    @EventListener
    public void onBranchDeletionRequested(BranchDeletionRequestedEvent branchDeletionRequestedEvent) {
        if (this.restrictionService.hasPermission(new RefAccessRequest.Builder(branchDeletionRequestedEvent.getRepository(), RefAccessType.DELETE).ref(branchDeletionRequestedEvent.getBranch()).build())) {
            return;
        }
        branchDeletionRequestedEvent.cancel(this.i18nService.createKeyedMessage(STASH_BRANCH_PERMISSION_REJECT_NO_DELETE, new Object[]{branchDeletionRequestedEvent.getBranch().getDisplayId()}));
    }

    @EventListener
    public void onBranchCreationRequested(BranchCreationRequestedEvent branchCreationRequestedEvent) {
        if (this.restrictionService.hasPermission(new RefAccessRequest.Builder(branchCreationRequestedEvent.getRepository(), RefAccessType.CREATE).ref(branchCreationRequestedEvent.getBranch()).build())) {
            return;
        }
        branchCreationRequestedEvent.cancel(this.i18nService.createKeyedMessage(STASH_BRANCH_PERMISSION_REJECT_READ_ONLY, new Object[]{branchCreationRequestedEvent.getBranch().getDisplayId()}));
    }

    private boolean canUpdate(PullRequestRef pullRequestRef) {
        return this.restrictionService.hasPermission(new RefAccessRequest.Builder(pullRequestRef.getRepository(), RefAccessType.UPDATE).ref(pullRequestRef).build());
    }
}
