package com.atlassian.stash.internal.repository.ref.restriction;

import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.commit.CommitService;
import com.atlassian.bitbucket.commit.CommitsBetweenRequest;
import com.atlassian.bitbucket.event.repository.RepositoryDeletedEvent;
import com.atlassian.bitbucket.event.user.GroupCleanupEvent;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.license.LimitExceededException;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.PermissionService;
import com.atlassian.bitbucket.permission.PermissionValidationService;
import com.atlassian.bitbucket.project.Project;
import com.atlassian.bitbucket.repository.MinimalRef;
import com.atlassian.bitbucket.repository.NoSuchRepositoryException;
import com.atlassian.bitbucket.repository.RefChange;
import com.atlassian.bitbucket.repository.RefChangeType;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.RepositorySupplier;
import com.atlassian.bitbucket.repository.SimpleRefChange;
import com.atlassian.bitbucket.repository.ref.restriction.AccessGrant;
import com.atlassian.bitbucket.repository.ref.restriction.AccessGrantVisitor;
import com.atlassian.bitbucket.repository.ref.restriction.AccessKeyAccessGrant;
import com.atlassian.bitbucket.repository.ref.restriction.GroupAccessGrant;
import com.atlassian.bitbucket.repository.ref.restriction.RefAccessRequest;
import com.atlassian.bitbucket.repository.ref.restriction.RefAccessType;
import com.atlassian.bitbucket.repository.ref.restriction.RefMatcherProvider;
import com.atlassian.bitbucket.repository.ref.restriction.RefMatcherProviderRegistry;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestriction;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionAddedEvent;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionDeletedEvent;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionType;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionUpdatedEvent;
import com.atlassian.bitbucket.repository.ref.restriction.RestrictionMatchRequest;
import com.atlassian.bitbucket.repository.ref.restriction.RestrictionSearchRequest;
import com.atlassian.bitbucket.repository.ref.restriction.SetRestrictionRequest;
import com.atlassian.bitbucket.repository.ref.restriction.UnknownRefMatcher;
import com.atlassian.bitbucket.repository.ref.restriction.UserAccessGrant;
import com.atlassian.bitbucket.server.ApplicationPropertiesService;
import com.atlassian.bitbucket.ssh.SshAccessKeyService;
import com.atlassian.bitbucket.ssh.event.SshKeyDeletedEvent;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.ApplicationUserEquality;
import com.atlassian.bitbucket.user.EscalatedSecurityContext;
import com.atlassian.bitbucket.user.SecurityService;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.bitbucket.user.UserType;
import com.atlassian.bitbucket.util.MoreCollectors;
import com.atlassian.bitbucket.util.Page;
import com.atlassian.bitbucket.util.PageRequest;
import com.atlassian.bitbucket.util.PageUtils;
import com.atlassian.bitbucket.util.PagedIterable;
import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.atlassian.stash.internal.repository.ref.restriction.dao.AoAccessGrant;
import com.atlassian.stash.internal.repository.ref.restriction.dao.AoRefRestriction;
import com.atlassian.stash.internal.repository.ref.restriction.dao.RefRestrictionDao;
import com.google.common.collect.ArrayListMultimap;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.google.common.collect.Multimap;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.commons.collections.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/stash/internal/repository/ref/restriction/DefaultRefRestrictionService.class */
public class DefaultRefRestrictionService implements RefRestrictionService {
    private static final Logger log = LoggerFactory.getLogger(DefaultRefRestrictionService.class);
    private static final int USER_GROUP_LIMIT = 500;
    private final int maxResourcesPerRepo;
    private final int maxGrantedAccessPerResource;
    private final AuthenticationContext authenticationContext;
    private final CommitService commitService;
    private final RefRestrictionDao dao;
    private final EventPublisher eventPublisher;
    private final I18nService i18nService;
    private final PermissionService permissionService;
    private final RepositorySupplier repositorySupplier;
    private final SshAccessKeyService sshAccessKeyService;
    private final Function<AoRefRestriction, RefRestriction> toRefRestriction;
    private final TransactionTemplate transactionTemplate;
    private final UserService userService;
    private final PermissionValidationService validationService;
    private final EscalatedSecurityContext withRepoAdmin;
    private final EscalatedSecurityContext withRepoRead;

    public DefaultRefRestrictionService(ApplicationPropertiesService applicationPropertiesService, AuthenticationContext authenticationContext, CommitService commitService, EventPublisher eventPublisher, I18nService i18nService, PermissionService permissionService, PermissionValidationService permissionValidationService, RefRestrictionDao refRestrictionDao, RefMatcherProviderRegistry refMatcherProviderRegistry, RepositorySupplier repositorySupplier, SecurityService securityService, SshAccessKeyService sshAccessKeyService, TransactionTemplate transactionTemplate, UserService userService) {
        this.authenticationContext = authenticationContext;
        this.commitService = commitService;
        this.dao = refRestrictionDao;
        this.eventPublisher = eventPublisher;
        this.i18nService = i18nService;
        this.permissionService = permissionService;
        this.repositorySupplier = repositorySupplier;
        this.sshAccessKeyService = sshAccessKeyService;
        this.transactionTemplate = transactionTemplate;
        this.userService = userService;
        this.validationService = permissionValidationService;
        this.maxResourcesPerRepo = applicationPropertiesService.getPluginProperty(RestrictionConstants.PROPERTY_MAX_RESOURCES, 100);
        this.maxGrantedAccessPerResource = applicationPropertiesService.getPluginProperty(RestrictionConstants.PROPERTY_MAX_GRANTED_ACCESS_PER_RESOURCE, 50);
        this.withRepoAdmin = securityService.withPermission(Permission.REPO_ADMIN, "Ref restrictions");
        this.withRepoRead = securityService.withPermission(Permission.REPO_READ, "Ref restrictions");
        this.toRefRestriction = aoRefRestriction -> {
            Repository repositoryOrThrow = getRepositoryOrThrow(aoRefRestriction.getRepositoryId().intValue());
            List<AccessGrant> accessGrant = toAccessGrant(aoRefRestriction.getAccessGrants(), repositoryOrThrow);
            for (RefMatcherProvider refMatcherProvider : refMatcherProviderRegistry.getProviders()) {
                if (refMatcherProvider.getType().getId().equals(aoRefRestriction.getMatcherType())) {
                    return new SimpleRefRestriction(aoRefRestriction.getId().intValue(), aoRefRestriction.getRepositoryId().intValue(), refMatcherProvider.create(repositoryOrThrow, aoRefRestriction.getMatcherId()), RefRestrictionType.forId(aoRefRestriction.getType()), accessGrant);
                }
            }
            return new SimpleRefRestriction(aoRefRestriction.getId().intValue(), aoRefRestriction.getRepositoryId().intValue(), new UnknownRefMatcher.Builder().matcherId(aoRefRestriction.getMatcherId()).typeId(aoRefRestriction.getType()).build(), RefRestrictionType.forId(aoRefRestriction.getType()), accessGrant);
        };
    }

    @Override // com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService
    @Nullable
    public RefRestriction getById(int i) {
        return (RefRestriction) this.transactionTemplate.execute(() -> {
            AoRefRestriction byId = this.dao.getById(i);
            if (byId == null) {
                return null;
            }
            Repository byId2 = this.repositorySupplier.getById(byId.getRepositoryId().intValue());
            if (byId2 != null) {
                this.validationService.validateForRepository(byId2, Permission.REPO_ADMIN);
                return this.toRefRestriction.apply(byId);
            }
            log.info("Repository with ID {} does not exist, cleaning up ref restriction: \\{id: {}, type: {}, value: {}\\}", new Object[]{byId.getRepositoryId(), byId.getId(), byId.getMatcherType(), byId.getMatcherId()});
            this.dao.delete(byId);
            return null;
        });
    }

    @Override // com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService
    @Nonnull
    public Multimap<RefChange, RefRestriction> match(@Nonnull final RestrictionMatchRequest restrictionMatchRequest) {
        Objects.requireNonNull(restrictionMatchRequest, "request");
        Repository repository = restrictionMatchRequest.getRepository();
        ArrayListMultimap create = ArrayListMultimap.create();
        Iterable<RefRestriction> values = search(new RestrictionSearchRequest.Builder(repository).types(restrictionMatchRequest.getTypes()).build(), PageUtils.newRequest(0, this.maxResourcesPerRepo)).getValues();
        AccessGrantVisitor<Boolean> accessGrantVisitor = new AccessGrantVisitor<Boolean>() { // from class: com.atlassian.stash.internal.repository.ref.restriction.DefaultRefRestrictionService.1
            private Set<String> lowerCasedGroups;

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.bitbucket.repository.ref.restriction.AccessGrantVisitor
            public Boolean visit(@Nonnull AccessKeyAccessGrant accessKeyAccessGrant) {
                return Boolean.valueOf(ApplicationUserEquality.equals(restrictionMatchRequest.getUser(), accessKeyAccessGrant.getAccessKey().getKey().getUser()));
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.bitbucket.repository.ref.restriction.AccessGrantVisitor
            public Boolean visit(@Nonnull GroupAccessGrant groupAccessGrant) {
                return Boolean.valueOf(getGroups().contains(IdentifierUtils.toLowerCase(groupAccessGrant.getGroup())));
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.bitbucket.repository.ref.restriction.AccessGrantVisitor
            public Boolean visit(@Nonnull UserAccessGrant userAccessGrant) {
                return Boolean.valueOf(ApplicationUserEquality.equals(restrictionMatchRequest.getUser(), userAccessGrant.getUser()));
            }

            private Set<String> getGroups() {
                if (this.lowerCasedGroups == null) {
                    this.lowerCasedGroups = DefaultRefRestrictionService.this.getLowerCasedGroupsForUser(restrictionMatchRequest.getUser());
                }
                return this.lowerCasedGroups;
            }
        };
        ArrayList arrayList = new ArrayList();
        for (RefChange refChange : restrictionMatchRequest.getRefChanges()) {
            MinimalRef ref = refChange.getRef();
            Page page = null;
            EnumSet noneOf = EnumSet.noneOf(RefRestrictionType.class);
            for (RefRestriction refRestriction : values) {
                if (refRestriction.getMatcher().matches(ref)) {
                    if (!refRestriction.getAccessGrants().stream().anyMatch(accessGrant -> {
                        return ((Boolean) accessGrant.accept(accessGrantVisitor)).booleanValue();
                    })) {
                        switch (refRestriction.getType()) {
                            case NO_DELETES:
                                if (refChange.getType() == RefChangeType.DELETE) {
                                    arrayList.add(refRestriction);
                                    break;
                                } else {
                                    break;
                                }
                            case FAST_FORWARD_ONLY:
                                if (refChange.getType() != RefChangeType.UPDATE) {
                                    break;
                                } else {
                                    if (page == null) {
                                        page = this.commitService.getCommitsBetween(new CommitsBetweenRequest.Builder(repository).include(refChange.getFromHash(), new String[0]).exclude(refChange.getToHash(), new String[0]).build(), PageUtils.newRequest(0, 1));
                                    }
                                    if (page.getSize() > 0) {
                                        arrayList.add(refRestriction);
                                        break;
                                    } else {
                                        break;
                                    }
                                }
                            case PULL_REQUEST_ONLY:
                                if (refChange.getType() == RefChangeType.UPDATE) {
                                    arrayList.add(refRestriction);
                                    break;
                                } else {
                                    break;
                                }
                            case READ_ONLY:
                                arrayList.add(refRestriction);
                                break;
                        }
                    } else {
                        noneOf.add(refRestriction.getType());
                    }
                }
            }
            arrayList.stream().filter(refRestriction2 -> {
                return !noneOf.contains(refRestriction2.getType());
            }).forEach(refRestriction3 -> {
                create.put(refChange, refRestriction3);
            });
            arrayList.clear();
        }
        return create;
    }

    @Override // com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService
    public boolean hasPermission(@Nonnull RefAccessRequest refAccessRequest) {
        Objects.requireNonNull(refAccessRequest, "request");
        if (CollectionUtils.isEmpty(refAccessRequest.getRefs())) {
            return true;
        }
        if (!this.permissionService.hasRepositoryPermission(refAccessRequest.getRepository(), Permission.REPO_WRITE)) {
            return false;
        }
        ArrayList arrayList = new ArrayList();
        refAccessRequest.getRefs().forEach(minimalRef -> {
            arrayList.add(new SimpleRefChange.Builder().fromHash("fromHash").toHash("toHash").ref(minimalRef).type(mapToRefChangeType(refAccessRequest.getAccessType())).build());
        });
        RestrictionMatchRequest.Builder refChanges = new RestrictionMatchRequest.Builder(refAccessRequest.getRepository(), refAccessRequest.getAccessType() == RefAccessType.DELETE ? ImmutableList.of(RefRestrictionType.NO_DELETES, RefRestrictionType.READ_ONLY) : ImmutableList.of(RefRestrictionType.READ_ONLY)).user(this.authenticationContext.getCurrentUser()).refChanges(arrayList);
        return ((Multimap) this.withRepoAdmin.call(() -> {
            return match(refChanges.build());
        })).isEmpty();
    }

    @EventListener
    public void onGroupDeleted(GroupCleanupEvent groupCleanupEvent) {
        this.transactionTemplate.execute(() -> {
            this.dao.deleteForGroup(groupCleanupEvent.getGroup());
            return null;
        });
    }

    @EventListener
    public void onRepositoryDeleted(RepositoryDeletedEvent repositoryDeletedEvent) {
        this.transactionTemplate.execute(() -> {
            this.dao.deleteForRepository(repositoryDeletedEvent.getRepository().getId());
            return null;
        });
    }

    @EventListener
    public void onSshKeyDeleted(SshKeyDeletedEvent sshKeyDeletedEvent) {
        this.transactionTemplate.execute(() -> {
            this.dao.deleteForAccessKey(sshKeyDeletedEvent.getKey().getId().intValue());
            return null;
        });
    }

    @Override // com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService
    public boolean removeRefRestriction(int i) {
        return ((Boolean) this.transactionTemplate.execute(() -> {
            return Boolean.valueOf(tryDeleteRestriction(this.dao.getById(i)));
        })).booleanValue();
    }

    @Override // com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService
    @Nonnull
    public Page<RefRestriction> search(@Nonnull RestrictionSearchRequest restrictionSearchRequest, @Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(restrictionSearchRequest, "request");
        this.validationService.validateForRepository(restrictionSearchRequest.getRepository(), Permission.REPO_ADMIN);
        PageRequest newRequest = PageUtils.newRequest(pageRequest.getStart(), Math.min(this.maxResourcesPerRepo, pageRequest.getLimit()));
        return (Page) this.transactionTemplate.execute(() -> {
            return this.dao.find(restrictionSearchRequest.getRepository().getId(), restrictionSearchRequest.getTypes(), restrictionSearchRequest.getMatcher(), restrictionSearchRequest.getMatcherTypes(), newRequest).transform(this.toRefRestriction);
        });
    }

    @Override // com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService
    @Nonnull
    public RefRestriction setRestriction(@Nonnull SetRestrictionRequest setRestrictionRequest) {
        return (RefRestriction) this.transactionTemplate.execute(() -> {
            Repository repository = setRestrictionRequest.getRepository();
            this.validationService.validateForRepository(repository, Permission.REPO_ADMIN);
            validateAccessGrantsWithinResourceLimits(Integer.valueOf(setRestrictionRequest.getGroupGrants().size() + setRestrictionRequest.getUserGrants().size() + setRestrictionRequest.getAccessKeyGrants().size()));
            List list = (List) setRestrictionRequest.getAccessKeyGrants().stream().map((v0) -> {
                return v0.getKey();
            }).map((v0) -> {
                return v0.getId();
            }).collect(MoreCollectors.toImmutableList());
            List list2 = (List) setRestrictionRequest.getUserGrants().stream().map((v0) -> {
                return v0.getId();
            }).collect(MoreCollectors.toImmutableList());
            List<String> groupGrants = setRestrictionRequest.getGroupGrants();
            AoRefRestriction aoRefRestriction = this.dao.get(setRestrictionRequest.getRepositoryId(), setRestrictionRequest.getType(), setRestrictionRequest.getMatcher());
            if (aoRefRestriction != null) {
                RefRestriction apply = this.toRefRestriction.apply(this.dao.setAccessGrants(aoRefRestriction, groupGrants, list2, list));
                this.eventPublisher.publish(new RefRestrictionUpdatedEvent(this, repository, apply));
                return apply;
            }
            validateWithinResourceLimits(repository);
            RefRestriction apply2 = this.toRefRestriction.apply(this.dao.create(setRestrictionRequest.getRepositoryId(), setRestrictionRequest.getType(), setRestrictionRequest.getMatcher(), groupGrants, list2, list));
            this.eventPublisher.publish(new RefRestrictionAddedEvent(this, repository, apply2));
            return apply2;
        });
    }

    @Override // com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService
    @Nonnull
    public List<RefRestriction> setRestrictions(@Nonnull Collection<SetRestrictionRequest> collection) {
        return (List) this.transactionTemplate.execute(() -> {
            return (List) collection.stream().map(this::setRestriction).collect(Collectors.toList());
        });
    }

    private Map<Integer, ApplicationUser> findUsers(Set<Integer> set) {
        if (set.isEmpty()) {
            return Collections.emptyMap();
        }
        Set<ApplicationUser> usersById = this.userService.getUsersById(set, true);
        ImmutableMap.Builder builder = ImmutableMap.builder();
        for (ApplicationUser applicationUser : usersById) {
            builder.put(Integer.valueOf(applicationUser.getId()), applicationUser);
        }
        return builder.build();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Set<String> getLowerCasedGroupsForUser(ApplicationUser applicationUser) {
        return (applicationUser == null || applicationUser.getType() != UserType.NORMAL) ? Collections.emptySet() : Sets.newHashSet(new PagedIterable(pageRequest -> {
            return this.userService.findGroupsByUser(applicationUser.getName(), pageRequest);
        }, PageUtils.newRequest(0, USER_GROUP_LIMIT)));
    }

    private Repository getRepositoryOrThrow(int i) {
        Repository repository = (Repository) this.withRepoRead.call(() -> {
            return this.repositorySupplier.getById(i);
        });
        if (repository == null) {
            throw new NoSuchRepositoryException(this.i18nService.getKeyedText("bitbucket.branch.permission.no.repository", "There is no repository with ID {0}", new Object[]{Integer.valueOf(i)}), (Project) null);
        }
        return repository;
    }

    private boolean tryDeleteRestriction(AoRefRestriction aoRefRestriction) {
        Repository byId;
        if (aoRefRestriction == null || (byId = this.repositorySupplier.getById(aoRefRestriction.getRepositoryId().intValue())) == null) {
            return false;
        }
        this.validationService.validateForRepository(byId, Permission.REPO_ADMIN);
        this.dao.delete(aoRefRestriction);
        this.eventPublisher.publish(new RefRestrictionDeletedEvent(this, byId, this.toRefRestriction.apply(aoRefRestriction)));
        return true;
    }

    private List<AccessGrant> toAccessGrant(AoAccessGrant[] aoAccessGrantArr, Repository repository) {
        Map<Integer, ApplicationUser> findUsers = findUsers((Set) Lists.newArrayList(aoAccessGrantArr).stream().map((v0) -> {
            return v0.getUserId();
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toSet()));
        ArrayList newArrayList = Lists.newArrayList();
        for (AoAccessGrant aoAccessGrant : aoAccessGrantArr) {
            if (aoAccessGrant.getUserId() != null) {
                newArrayList.add(new SimpleUserAccessGrant(findUsers.get(aoAccessGrant.getUserId())));
            } else if (aoAccessGrant.getAccessKeyId() != null) {
                Optional map = this.sshAccessKeyService.getByKeyAndRepository(aoAccessGrant.getAccessKeyId().intValue(), repository).map(SimpleAccessKeyAccessGrant::new);
                newArrayList.getClass();
                map.ifPresent((v1) -> {
                    r1.add(v1);
                });
            } else {
                newArrayList.add(new SimpleGroupAccessGrant(aoAccessGrant.getGroup()));
            }
        }
        return newArrayList;
    }

    private void validateWithinResourceLimits(Repository repository) {
        if (this.dao.count(repository.getId()) >= this.maxResourcesPerRepo) {
            throw new LimitExceededException(this.i18nService.createKeyedMessage("bitbucket.branch.permission.too.many.restricted.refs", new Object[]{Integer.valueOf(this.maxResourcesPerRepo)}));
        }
    }

    private void validateAccessGrantsWithinResourceLimits(Integer num) {
        if (num.intValue() > this.maxGrantedAccessPerResource) {
            throw new LimitExceededException(this.i18nService.createKeyedMessage("bitbucket.branch.permission.too.many.permitted.entities", new Object[]{Integer.valueOf(this.maxGrantedAccessPerResource)}));
        }
    }

    private static RefChangeType mapToRefChangeType(RefAccessType refAccessType) {
        switch (refAccessType) {
            case DELETE:
                return RefChangeType.DELETE;
            case UPDATE:
                return RefChangeType.UPDATE;
            case CREATE:
                return RefChangeType.ADD;
            default:
                throw new IllegalStateException("Unknown RefAccessType: " + refAccessType);
        }
    }
}
