package com.atlassian.plugin.connect.jira.auth;

import com.atlassian.crowd.exception.ApplicationNotFoundException;
import com.atlassian.crowd.exception.ApplicationPermissionException;
import com.atlassian.crowd.exception.GroupNotFoundException;
import com.atlassian.crowd.exception.InvalidAuthenticationException;
import com.atlassian.crowd.exception.OperationFailedException;
import com.atlassian.crowd.exception.UserNotFoundException;
import com.atlassian.jira.application.ApplicationRole;
import com.atlassian.jira.application.ApplicationRoleManager;
import com.atlassian.jira.bc.projectroles.ProjectRoleService;
import com.atlassian.jira.permission.PermissionSchemeManager;
import com.atlassian.jira.permission.ProjectPermission;
import com.atlassian.jira.project.Project;
import com.atlassian.jira.project.ProjectManager;
import com.atlassian.jira.scheme.SchemeEntity;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.PermissionManager;
import com.atlassian.jira.security.plugin.ProjectPermissionKey;
import com.atlassian.jira.security.roles.ProjectRole;
import com.atlassian.jira.security.roles.ProjectRoleImpl;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.user.util.UserManager;
import com.atlassian.jira.util.ErrorCollection;
import com.atlassian.jira.util.SimpleErrorCollection;
import com.atlassian.plugin.connect.api.lifecycle.ConnectAddonInitException;
import com.atlassian.plugin.connect.crowd.permissions.ConnectCrowdPermissions;
import com.atlassian.plugin.connect.crowd.spi.CrowdAddonUserProvisioningService;
import com.atlassian.plugin.connect.crowd.usermanagement.ConnectAddonUserGroupProvisioningService;
import com.atlassian.plugin.connect.modules.beans.nested.ScopeName;
import com.atlassian.plugin.connect.modules.beans.nested.ScopeUtil;
import com.atlassian.plugin.spring.scanner.annotation.component.JiraComponent;
import com.atlassian.plugin.spring.scanner.annotation.export.ExportAsDevService;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.ofbiz.core.entity.GenericEntityException;
import org.ofbiz.core.entity.GenericValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

@JiraComponent
@ExportAsDevService
/* loaded from: input_file:com/atlassian/plugin/connect/jira/auth/JiraAddonUserProvisioningService.class */
public class JiraAddonUserProvisioningService implements CrowdAddonUserProvisioningService {
    private static final String CONNECT_PROJECT_ACCESS_PROJECT_ROLE_NAME = "atlassian-addons-project-access";
    private static final String CONNECT_PROJECT_ACCESS_PROJECT_ROLE_DESC = "A project role that represents Connect add-ons declaring a scope that requires more than read issue permissions";
    private static final String ADDON_ADMIN_USER_GROUP_KEY = "atlassian-addons-admin";
    private static final String ADMIN_APPLICATION_ID_ROLES_ENABLED = "jira-admin";
    private static final String PRODUCT_ID = "jira";
    private static final String SYSTEM_GROUP_ATTRIBUTE = "synch.system";
    private static final int ADMIN_PERMISSION = 0;
    private final GlobalPermissionManager jiraPermissionManager;
    private final PermissionSchemeManager permissionSchemeManager;
    private final ProjectManager projectManager;
    private final ProjectRoleService projectRoleService;
    private final UserManager userManager;
    private final ConnectAddonUserGroupProvisioningService connectAddonUserGroupProvisioningService;
    private final TransactionTemplate transactionTemplate;
    private final PermissionManager jiraProjectPermissionManager;
    private final ConnectCrowdPermissions connectCrowdPermissions;
    private final ApplicationRoleManager applicationRoleManager;
    private static final ImmutableSet<String> DEFAULT_GROUPS_ALWAYS_EXPECTED = ImmutableSet.of();
    private static final ImmutableSet<String> DEFAULT_GROUPS_ONE_OR_MORE_EXPECTED = ImmutableSet.of("jira-users", "users");
    private static final Logger log = LoggerFactory.getLogger(JiraAddonUserProvisioningService.class);

    @Autowired
    public JiraAddonUserProvisioningService(GlobalPermissionManager globalPermissionManager, ProjectManager projectManager, UserManager userManager, PermissionSchemeManager permissionSchemeManager, ProjectRoleService projectRoleService, ConnectAddonUserGroupProvisioningService connectAddonUserGroupProvisioningService, TransactionTemplate transactionTemplate, PermissionManager permissionManager, ConnectCrowdPermissions connectCrowdPermissions, ApplicationRoleManager applicationRoleManager) {
        this.jiraProjectPermissionManager = permissionManager;
        this.connectCrowdPermissions = connectCrowdPermissions;
        this.jiraPermissionManager = (GlobalPermissionManager) Preconditions.checkNotNull(globalPermissionManager);
        this.projectManager = (ProjectManager) Preconditions.checkNotNull(projectManager);
        this.userManager = (UserManager) Preconditions.checkNotNull(userManager);
        this.permissionSchemeManager = (PermissionSchemeManager) Preconditions.checkNotNull(permissionSchemeManager);
        this.projectRoleService = (ProjectRoleService) Preconditions.checkNotNull(projectRoleService);
        this.connectAddonUserGroupProvisioningService = (ConnectAddonUserGroupProvisioningService) Preconditions.checkNotNull(connectAddonUserGroupProvisioningService);
        this.transactionTemplate = transactionTemplate;
        this.applicationRoleManager = applicationRoleManager;
    }

    public Set<String> getDefaultProductGroupsAlwaysExpected() {
        return DEFAULT_GROUPS_ALWAYS_EXPECTED;
    }

    public Set<String> getDefaultProductGroupsOneOrMoreExpected() {
        HashSet hashSet = new HashSet();
        Set roles = this.applicationRoleManager.getRoles();
        if (!roles.isEmpty()) {
            Iterator it = roles.iterator();
            while (it.hasNext()) {
                hashSet.addAll((Collection) ((ApplicationRole) it.next()).getDefaultGroups().stream().map((v0) -> {
                    return v0.getName();
                }).collect(Collectors.toList()));
            }
        }
        if (roles.isEmpty() || hashSet.isEmpty()) {
            throw new ConnectAddonInitException("No application roles were present, we expect at least one to be on an instance");
        }
        return hashSet;
    }

    public void provisionAddonUserForScopes(String str, Set<ScopeName> set, Set<ScopeName> set2) throws ConnectAddonInitException {
        this.transactionTemplate.execute(SubvertedPermissionsTransactionTemplate.subvertPermissions(() -> {
            provisionAddonUserForScopesInTransaction(str, set, set2);
            return null;
        }));
    }

    private void provisionAddonUserForScopesInTransaction(String str, Set<ScopeName> set, Set<ScopeName> set2) throws ConnectAddonInitException {
        ApplicationUser userByName = this.userManager.getUserByName(str);
        if (ADMIN_PERMISSION == userByName) {
            throw new IllegalArgumentException(String.format("Cannot provision non-existent user '%s': please create it first!", str));
        }
        boolean z = set.isEmpty() && adminGroupExists();
        boolean z2 = set.isEmpty() && projectRoleExists();
        if (z || ScopeUtil.isTransitionDownFromAdmin(set, set2)) {
            removeUserFromGlobalAdmins(userByName);
        }
        if (z2 || ScopeUtil.isTransitionDownToRead(set, set2)) {
            removeProjectPermissions(userByName);
        }
        if (ScopeUtil.isTransitionUpToAdmin(set, set2)) {
            makeUserGlobalAdmin(userByName);
        }
        if (ScopeUtil.isTransitionDownToRead(set, set2)) {
            return;
        }
        updateProjectPermissions(userByName);
    }

    private boolean projectRoleExists() {
        return ADMIN_PERMISSION != this.projectRoleService.getProjectRoleByName(CONNECT_PROJECT_ACCESS_PROJECT_ROLE_NAME, new SimpleErrorCollection());
    }

    private boolean adminGroupExists() throws ConnectAddonInitException {
        try {
            return ADMIN_PERMISSION != this.connectAddonUserGroupProvisioningService.findGroupByKey(ADDON_ADMIN_USER_GROUP_KEY);
        } catch (ApplicationNotFoundException | ApplicationPermissionException | InvalidAuthenticationException e) {
            throw new ConnectAddonInitException(e);
        }
    }

    private void makeUserGlobalAdmin(ApplicationUser applicationUser) throws ConnectAddonInitException {
        try {
            ensureGroupExistsAndIsAdmin(ADDON_ADMIN_USER_GROUP_KEY);
            this.connectAddonUserGroupProvisioningService.ensureUserIsInGroup(applicationUser.getName(), ADDON_ADMIN_USER_GROUP_KEY);
        } catch (GroupNotFoundException | ApplicationNotFoundException | OperationFailedException | ApplicationPermissionException | UserNotFoundException | InvalidAuthenticationException e) {
            throw new ConnectAddonInitException(e);
        }
    }

    private void removeUserFromGlobalAdmins(ApplicationUser applicationUser) throws ConnectAddonInitException {
        try {
            this.connectAddonUserGroupProvisioningService.removeUserFromGroup(applicationUser.getName(), ADDON_ADMIN_USER_GROUP_KEY);
        } catch (OperationFailedException | ApplicationNotFoundException | ApplicationPermissionException | UserNotFoundException | GroupNotFoundException | InvalidAuthenticationException e) {
            throw new ConnectAddonInitException(e);
        }
    }

    private void ensureGroupExistsAndIsAdmin(String str) throws ConnectAddonInitException, OperationFailedException, ApplicationNotFoundException, ApplicationPermissionException, InvalidAuthenticationException, GroupNotFoundException {
        if (this.connectAddonUserGroupProvisioningService.ensureGroupExists(str)) {
            giveAdminPermission(str);
        } else {
            if (groupHasAdminPermission(str)) {
                return;
            }
            if (!shouldGiveGroupAdminPermission(str)) {
                throw new ConnectAddonInitException(String.format("Group '%s' already exists and is NOT an administrators group. Cannot make it an administrators group because that would elevate the privileges of existing users in this group. Consequently, add-on users that need to be admins cannot be made admins by adding them to this group and making it an administrators group. Aborting user setup.", str), "connect.install.error.addon.admin.permission");
            }
            giveAdminPermission(str);
        }
    }

    private boolean shouldGiveGroupAdminPermission(String str) throws OperationFailedException, GroupNotFoundException, ApplicationPermissionException, InvalidAuthenticationException {
        return this.connectAddonUserGroupProvisioningService.doesGroupContainAttribute(str, SYSTEM_GROUP_ATTRIBUTE) && this.connectAddonUserGroupProvisioningService.isGroupEmpty(str);
    }

    private void giveAdminPermission(String str) throws ConnectAddonInitException {
        if (this.connectCrowdPermissions.giveAdminPermission(str, PRODUCT_ID, ADMIN_APPLICATION_ID_ROLES_ENABLED) == ConnectCrowdPermissions.GrantResult.REMOTE_GRANT_FAILED) {
            throw new ConnectAddonInitException(String.format("Failed to grant '%s' administrative rights through the Remote UM REST API", str));
        }
        ensureGroupHasAdminPermission(str);
    }

    private void ensureGroupHasAdminPermission(String str) {
        if (groupHasAdminPermission(str)) {
            return;
        }
        if (this.jiraPermissionManager.addPermission(ADMIN_PERMISSION, str)) {
            log.info("Granted admin permission to group '{}'.", str);
        } else {
            log.warn("Failed to grant '{}' administrative rights through the deprecated jira API", str);
        }
    }

    private boolean groupHasAdminPermission(String str) {
        Preconditions.checkNotNull(str);
        return Iterables.any(this.jiraPermissionManager.getGroupsWithPermission(ADMIN_PERMISSION), group -> {
            return ADMIN_PERMISSION != group && str.equals(group.getName());
        });
    }

    private void updateProjectPermissions(ApplicationUser applicationUser) throws ConnectAddonInitException {
        SimpleErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        ProjectRole orCreateProjectRole = getOrCreateProjectRole(simpleErrorCollection);
        if (ADMIN_PERMISSION != orCreateProjectRole) {
            addUserToProjectRoleDefaults(applicationUser, orCreateProjectRole, simpleErrorCollection);
            Iterator<Project> it = getAllProjects().iterator();
            while (it.hasNext()) {
                Project next = it.next();
                if (!this.projectRoleService.getProjectRoleActors(orCreateProjectRole, next, simpleErrorCollection).contains(applicationUser)) {
                    this.projectRoleService.addActorsToProjectRole(Collections.singleton(applicationUser.getKey()), orCreateProjectRole, next, "atlassian-user-role-actor", simpleErrorCollection);
                    log.info("Added user '{}' to project '{}' role '{}'", new Object[]{applicationUser.getName(), ADMIN_PERMISSION == next ? null : next.getKey(), orCreateProjectRole.getName()});
                }
            }
        }
        if (simpleErrorCollection.hasAnyErrors()) {
            throw new ConnectAddonInitException(generateErrorMessage(simpleErrorCollection));
        }
    }

    private void removeProjectPermissions(ApplicationUser applicationUser) throws ConnectAddonInitException {
        SimpleErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        ProjectRole projectRoleByName = this.projectRoleService.getProjectRoleByName(CONNECT_PROJECT_ACCESS_PROJECT_ROLE_NAME, simpleErrorCollection);
        if (ADMIN_PERMISSION != projectRoleByName) {
            removeUserFromProjectRoleDefaults(applicationUser, projectRoleByName, simpleErrorCollection);
            Iterator<Project> it = getAllProjects().iterator();
            while (it.hasNext()) {
                Project next = it.next();
                this.projectRoleService.removeActorsFromProjectRole(Collections.singleton(applicationUser.getKey()), projectRoleByName, next, "atlassian-user-role-actor", simpleErrorCollection);
                log.info("Removed user '{}' from project '{}' role '{}'", new Object[]{applicationUser.getName(), ADMIN_PERMISSION == next ? null : next.getKey(), projectRoleByName.getName()});
            }
        }
        if (simpleErrorCollection.hasAnyErrors()) {
            throw new ConnectAddonInitException(generateErrorMessage(simpleErrorCollection));
        }
    }

    private void addUserToProjectRoleDefaults(ApplicationUser applicationUser, ProjectRole projectRole, ErrorCollection errorCollection) {
        if (this.projectRoleService.getDefaultRoleActors(projectRole, errorCollection).contains(applicationUser)) {
            return;
        }
        this.projectRoleService.addDefaultActorsToProjectRole(Collections.singleton(applicationUser.getKey()), projectRole, "atlassian-user-role-actor", errorCollection);
        log.info("Added user '{}' to default project role '{}'.", applicationUser.getName(), ADMIN_PERMISSION == projectRole ? null : projectRole.getName());
    }

    private void removeUserFromProjectRoleDefaults(ApplicationUser applicationUser, ProjectRole projectRole, ErrorCollection errorCollection) {
        this.projectRoleService.removeDefaultActorsFromProjectRole(Collections.singleton(applicationUser.getKey()), projectRole, "atlassian-user-role-actor", errorCollection);
        log.info("Removed user '{}' from default project role '{}'.", applicationUser.getName(), ADMIN_PERMISSION == projectRole ? null : projectRole.getName());
    }

    private ProjectRole getOrCreateProjectRole(ErrorCollection errorCollection) {
        ProjectRole projectRoleByName = this.projectRoleService.getProjectRoleByName(CONNECT_PROJECT_ACCESS_PROJECT_ROLE_NAME, errorCollection);
        if (ADMIN_PERMISSION == projectRoleByName) {
            projectRoleByName = this.projectRoleService.createProjectRole(new ProjectRoleImpl(CONNECT_PROJECT_ACCESS_PROJECT_ROLE_NAME, CONNECT_PROJECT_ACCESS_PROJECT_ROLE_DESC), errorCollection);
            if (ADMIN_PERMISSION != projectRoleByName) {
                associateProjectRoleWithPermissionSchemes(projectRoleByName, errorCollection);
            }
        }
        return projectRoleByName;
    }

    private void associateProjectRoleWithPermissionSchemes(ProjectRole projectRole, ErrorCollection errorCollection) {
        String l = projectRole.getId().toString();
        try {
            for (GenericValue genericValue : getSchemes(errorCollection)) {
                Iterator it = this.jiraProjectPermissionManager.getAllProjectPermissions().iterator();
                while (it.hasNext()) {
                    ProjectPermissionKey projectPermissionKey = new ProjectPermissionKey(((ProjectPermission) it.next()).getKey());
                    if (!permissionExists(genericValue, projectPermissionKey, "projectrole", l)) {
                        SchemeEntity schemeEntity = new SchemeEntity("projectrole", l, projectPermissionKey);
                        this.permissionSchemeManager.createSchemeEntity(genericValue, schemeEntity);
                        log.debug("Associated project role '{}' with permission scheme '{}'.", projectRole.getName(), schemeEntity.getSchemeId());
                    }
                }
            }
        } catch (GenericEntityException e) {
            errorCollection.addErrorMessage("Could not add project role atlassian-addons-project-access to permission schemes");
            log.error("Could not add project role atlassian-addons-project-access to permission schemes", e);
        }
    }

    public List<Project> getAllProjects() {
        return this.projectManager.getProjectObjects();
    }

    private boolean permissionExists(GenericValue genericValue, ProjectPermissionKey projectPermissionKey, String str, String str2) throws GenericEntityException {
        return !this.permissionSchemeManager.getEntities(genericValue, projectPermissionKey, str, str2).isEmpty();
    }

    public List<GenericValue> getSchemes(ErrorCollection errorCollection) {
        try {
            return this.permissionSchemeManager.getSchemes();
        } catch (GenericEntityException e) {
            errorCollection.addErrorMessage("Schemes could not be loaded and the project role atlassian-addons-project-access was not added to any permission schemes");
            log.error("Error while loading schemes", e);
            return ImmutableList.of();
        }
    }

    private String generateErrorMessage(ErrorCollection errorCollection) {
        StringBuilder sb = new StringBuilder();
        int i = ADMIN_PERMISSION;
        for (String str : errorCollection.getErrorMessages()) {
            int i2 = i;
            i++;
            sb.append(i2);
            sb.append("> ");
            sb.append(str);
            sb.append("\n");
        }
        for (Map.Entry entry : errorCollection.getErrors().entrySet()) {
            int i3 = i;
            i++;
            sb.append(i3);
            sb.append("> ");
            sb.append((String) entry.getKey());
            sb.append(": ");
            sb.append((String) entry.getValue());
            sb.append("\n");
        }
        return sb.toString();
    }
}
