package com.atlassian.stash.internal.repository.ref.restriction;

import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.event.content.FileEditRequestedEvent;
import com.atlassian.bitbucket.hook.repository.MergeHookRequest;
import com.atlassian.bitbucket.hook.repository.PreRepositoryHook;
import com.atlassian.bitbucket.hook.repository.PreRepositoryHookContext;
import com.atlassian.bitbucket.hook.repository.RepositoryHookRequest;
import com.atlassian.bitbucket.hook.repository.RepositoryHookResult;
import com.atlassian.bitbucket.hook.repository.StandardRepositoryHookTrigger;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.repository.Branch;
import com.atlassian.bitbucket.repository.RefChange;
import com.atlassian.bitbucket.repository.RefChangeType;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.RepositoryRef;
import com.atlassian.bitbucket.repository.SimpleRefChange;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionService;
import com.atlassian.bitbucket.repository.ref.restriction.RefRestrictionType;
import com.atlassian.bitbucket.repository.ref.restriction.RestrictionMatchRequest;
import com.atlassian.bitbucket.user.EscalatedSecurityContext;
import com.atlassian.bitbucket.user.SecurityService;
import com.atlassian.event.api.EventListener;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Multimap;
import com.google.common.collect.Ordering;
import com.google.common.collect.TreeMultimap;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.Map;
import javax.annotation.Nonnull;

/* loaded from: input_file:com/atlassian/stash/internal/repository/ref/restriction/RestrictionEnforcer.class */
public class RestrictionEnforcer implements PreRepositoryHook<RepositoryHookRequest> {
    private static final String BOUNCER_ASCII_ART = "                            *%%%%%.                            \n                        %%%         %%%                        \n                     ,%#               %%                      \n                    %%                   %%                    \n                   %#                     %%                   \n                  %%                       %                   \n                  %(                       %%                  \n                  %%%%%%%%%%%%%%%%%%%%%%%%%%%                  \n                %#%*%#///////%# %%///////%%%%%%                \n               ,% %*%%******%#   %%******%(%%,%                \n                 %%/ %%/**%%/%%%%%%%(**#%( %%#                 \n                  %%          %%%          %(                  \n                   %                      .%                   \n                   *%        %%%%%       .%                    \n                     %#                 %%                     \n                      .%%            .%%                       \n                      .%%.%%,     %%%.%%/                      \n                %%%%%%##%.  #%%%%%.  .%((%%%%%%                \n            %%#(((((((((%%,         #%%(((((((((#%%.           \n      %%%((((((((((((((((((%%%, .%%%((((((((((((((((((#%%*     \n    %%(((((((((((((((((((((((((%(((((((((((((((((((((((((#%.   \n  ,%(((((((((((((((((((((((((((((((((((((((((((((((((((((((%#  \n  %#((((((((((((((((((((((((((((((((((((((((((((((((((((((((%  \n  %%%%%%%%%%%%%(((((((((((((((((((((((((((((((((%%%%%%%%%%%%%  \n %%            %####((((((###%%%%%%%%#(((((((((%            ,% \n,%             %%%%%%#.               %%%((((((%*            %%\n#%                                       %%%#                %%\n.%                             .%%%%%%%%%                    %#\n %                         #%%%                              % \n %                     %%%%                                  %*\n/%************/#%%%%%%######%%*                        ..,*/(%%\n              %%######(((((((##################%%              \n              %%######(((((((((((((((((((((((((%%              \n//////////////%%%%%%%%#########################%%/////////  ///";
    private static final String SEPARATOR_LINE = "----------------------------------------------------\n";
    private final AuthenticationContext authenticationContext;
    private final I18nService i18nService;
    private final RefRestrictionService restrictionService;
    private final EscalatedSecurityContext withRepoAdmin;

    public RestrictionEnforcer(AuthenticationContext authenticationContext, I18nService i18nService, RefRestrictionService refRestrictionService, SecurityService securityService) {
        this.authenticationContext = authenticationContext;
        this.i18nService = i18nService;
        this.restrictionService = refRestrictionService;
        this.withRepoAdmin = securityService.withPermission(Permission.REPO_ADMIN, "For branch permission");
    }

    @Nonnull
    public RepositoryHookResult preUpdate(@Nonnull PreRepositoryHookContext preRepositoryHookContext, @Nonnull RepositoryHookRequest repositoryHookRequest) {
        StandardRepositoryHookTrigger trigger = repositoryHookRequest.getTrigger();
        if (trigger == StandardRepositoryHookTrigger.MERGE) {
            return RepositoryHookResult.accepted();
        }
        Repository repository = repositoryHookRequest.getRepository();
        Collection refChanges = repositoryHookRequest.getRefChanges();
        if (repositoryHookRequest.isDryRun() && (repositoryHookRequest instanceof MergeHookRequest)) {
            return preUpdateMergeDryRun((MergeHookRequest) repositoryHookRequest);
        }
        RestrictionMatchRequest build = new RestrictionMatchRequest.Builder(repository, Collections.emptyList()).user(this.authenticationContext.getCurrentUser()).refChanges(refChanges).build();
        Multimap multimap = (Multimap) this.withRepoAdmin.call(() -> {
            return this.restrictionService.match(build);
        });
        if (multimap.isEmpty()) {
            return RepositoryHookResult.accepted();
        }
        TreeMultimap create = TreeMultimap.create(Comparator.comparing(refChange -> {
            return refChange.getRef().getId();
        }), Ordering.natural());
        for (Map.Entry entry : multimap.entries()) {
            RefChange refChange2 = (RefChange) entry.getKey();
            String id = refChange2.getRef().getId();
            switch (r0.getType()) {
                case NO_DELETES:
                    create.put(refChange2, this.i18nService.getMessage("bitbucket.branch.permission.reject.no.delete", new Object[]{id}));
                    break;
                case FAST_FORWARD_ONLY:
                    create.put(refChange2, this.i18nService.getMessage("bitbucket.branch.permission.reject.fast.forward.only", new Object[]{id}));
                    break;
                case PULL_REQUEST_ONLY:
                    if (trigger != StandardRepositoryHookTrigger.PULL_REQUEST_MERGE) {
                        create.put(refChange2, this.i18nService.getMessage("bitbucket.branch.permission.reject.pull.request.only", new Object[]{id}));
                        break;
                    } else {
                        break;
                    }
                case READ_ONLY:
                    create.put(refChange2, this.i18nService.getMessage("bitbucket.branch.permission.reject.read.only", new Object[]{id}));
                    break;
            }
        }
        if (create.isEmpty()) {
            return RepositoryHookResult.accepted();
        }
        String message = this.i18nService.getMessage("bitbucket.branch.permission.check.settings.administrator", new Object[0]);
        if (!repositoryHookRequest.getScmHookDetails().isPresent()) {
            RepositoryHookResult.Builder builder = new RepositoryHookResult.Builder();
            Iterator it = create.values().iterator();
            while (it.hasNext()) {
                builder.veto((String) it.next(), message);
            }
            return builder.build();
        }
        StringBuilder append = new StringBuilder().append(BOUNCER_ASCII_ART).append("\n").append(SEPARATOR_LINE);
        Iterator it2 = create.values().iterator();
        while (it2.hasNext()) {
            append.append((String) it2.next()).append("\n");
        }
        append.append(message).append("\n");
        append.append(SEPARATOR_LINE).append("\n");
        String sb = append.toString();
        return RepositoryHookResult.rejected(sb, sb);
    }

    @EventListener
    public void onFileEditRequested(FileEditRequestedEvent fileEditRequestedEvent) {
        Branch branch = fileEditRequestedEvent.getBranch();
        RestrictionMatchRequest build = new RestrictionMatchRequest.Builder(fileEditRequestedEvent.getRepository(), ImmutableList.of(RefRestrictionType.READ_ONLY, RefRestrictionType.PULL_REQUEST_ONLY)).user(this.authenticationContext.getCurrentUser()).refChange(new SimpleRefChange.Builder().fromHash("fromHash").toHash("toHash").ref(branch).type(RefChangeType.UPDATE).build()).build();
        if (((Multimap) this.withRepoAdmin.call(() -> {
            return this.restrictionService.match(build);
        })).isEmpty()) {
            return;
        }
        fileEditRequestedEvent.cancel(this.i18nService.createKeyedMessage("bitbucket.branch.permission.cancel.fileedit", new Object[]{fileEditRequestedEvent.getPath(), branch.getDisplayId()}));
    }

    private boolean canMerge(RepositoryRef repositoryRef, RepositoryRef repositoryRef2) {
        RestrictionMatchRequest build = new RestrictionMatchRequest.Builder(repositoryRef2.getRepository(), ImmutableList.of(RefRestrictionType.READ_ONLY)).refChange(new SimpleRefChange.Builder().from(repositoryRef).to(repositoryRef2).type(RefChangeType.UPDATE).build()).user(this.authenticationContext.getCurrentUser()).build();
        return ((Multimap) this.withRepoAdmin.call(() -> {
            return this.restrictionService.match(build);
        })).isEmpty();
    }

    private RepositoryHookResult preUpdateMergeDryRun(@Nonnull MergeHookRequest mergeHookRequest) {
        RepositoryRef toRef = mergeHookRequest.getToRef();
        return !canMerge(mergeHookRequest.getFromRef(), toRef) ? RepositoryHookResult.rejected(this.i18nService.getMessage("bitbucket.branch.permission.branch.permission.merge.check.summary", new Object[0]), this.i18nService.getMessage("bitbucket.branch.permission.branch.permission.merge.check", new Object[]{toRef.getDisplayId()})) : RepositoryHookResult.accepted();
    }
}
