package com.atlassian.bamboo.security;

import com.atlassian.bamboo.configuration.AdministrationConfiguration;
import com.atlassian.bamboo.configuration.AdministrationConfigurationAccessor;
import com.atlassian.bamboo.configuration.AdministrationConfigurationPersister;
import com.atlassian.bamboo.persistence.TransactionAndHibernateTemplate;
import com.atlassian.bamboo.security.acegi.acls.BambooAclHelper;
import com.atlassian.bamboo.security.acegi.acls.BambooAclUpdateHelper;
import com.atlassian.bamboo.security.acegi.acls.BambooPermission;
import com.atlassian.bamboo.security.acegi.acls.HibernateMutableAclService;
import com.atlassian.bamboo.user.Authority;
import com.atlassian.bamboo.user.BambooUserManager;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMultimap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Multimap;
import com.google.common.collect.Sets;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.acls.MutableAcl;
import org.jetbrains.annotations.NotNull;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:com/atlassian/bamboo/security/DefaultGlobalPermissionsService.class */
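/**
 * Reads and edits the global (instance-wide) permission ACL.
 *
 * <p>Every read goes through {@link #hasPermissions()}, which requires the caller to hold
 * {@link BambooPermission#RESTRICTEDADMINISTRATION}. Every mutation runs inside
 * {@link #withExclusiveLock(Supplier)} and additionally requires
 * {@link BambooPermission#ADMINISTRATION} for any permission that is not in
 * {@link #editablePermissions()}.
 */
public class DefaultGlobalPermissionsService implements GlobalPermissionsService {
    /**
     * Direct "holder of KEY must also hold VALUE" edges. Transitive dependencies are resolved by
     * {@link #permissionDependencies(BambooPermission)}; the graph as declared here has no cycles.
     */
    private static final Multimap<BambooPermission, BambooPermission> PERMISSION_DEPENDENCIES =
            ImmutableMultimap.<BambooPermission, BambooPermission>builder()
                    .put(BambooPermission.SOX_COMPLIANCE, BambooPermission.READ)
                    .put(BambooPermission.CREATE, BambooPermission.READ)
                    .put(BambooPermission.CREATE_REPOSITORY, BambooPermission.READ)
                    .put(BambooPermission.RESTRICTEDADMINISTRATION, BambooPermission.CREATE)
                    .put(BambooPermission.RESTRICTEDADMINISTRATION, BambooPermission.CREATE_REPOSITORY)
                    .put(BambooPermission.ADMINISTRATION, BambooPermission.RESTRICTEDADMINISTRATION)
                    .build();

    private final TransactionAndHibernateTemplate hibernateTemplate;
    private final HibernateMutableAclService aclService;
    private final BambooAclHelper aclHelper;
    private final BambooAclUpdateHelper aclUpdateHelper;
    private final AdministrationConfigurationAccessor administrationConfigurationAccessor;
    private final AdministrationConfigurationPersister administrationConfigurationPersister;
    private final BambooUserManager bambooUserManager;
    private final BambooPermissionManager bambooPermissionManager;

    @Autowired
    public DefaultGlobalPermissionsService(
            TransactionAndHibernateTemplate transactionAndHibernateTemplate,
            HibernateMutableAclService hibernateMutableAclService,
            BambooAclHelper bambooAclHelper,
            BambooAclUpdateHelper bambooAclUpdateHelper,
            AdministrationConfigurationAccessor administrationConfigurationAccessor,
            AdministrationConfigurationPersister administrationConfigurationPersister,
            BambooUserManager bambooUserManager,
            BambooPermissionManager bambooPermissionManager) {
        this.hibernateTemplate = transactionAndHibernateTemplate;
        this.aclService = hibernateMutableAclService;
        this.aclHelper = bambooAclHelper;
        this.aclUpdateHelper = bambooAclUpdateHelper;
        this.administrationConfigurationAccessor = administrationConfigurationAccessor;
        this.administrationConfigurationPersister = administrationConfigurationPersister;
        this.bambooUserManager = bambooUserManager;
        this.bambooPermissionManager = bambooPermissionManager;
    }

    /** Fetches the ACL that holds the global permissions; looked up afresh on every call. */
    @NotNull
    private MutableAcl getAcl() {
        return this.aclService.getAclOfGlobalPermission();
    }

    /**
     * Lists the users that hold at least one supported global permission.
     *
     * @throws AccessDeniedException if the caller lacks RESTRICTEDADMINISTRATION
     */
    @NotNull
    public Iterable<String> listUsersWithGlobalPermissions() {
        hasPermissions();
        return this.aclHelper.listUsersWithPermissions(getAcl(), supportedPermissions());
    }

    /**
     * Returns the supported global permissions granted directly to a user.
     *
     * @param str the user name
     * @throws AccessDeniedException if the caller lacks RESTRICTEDADMINISTRATION
     */
    @NotNull
    public List<BambooPermission> getUserGlobalPermissions(@NotNull String str) {
        hasPermissions();
        return this.aclHelper.getUserPermissions(getAcl(), str, supportedPermissions());
    }

    /**
     * Grants global permissions to a user.
     *
     * @param str the user name
     * @param list the permissions to grant
     * @return the result of {@code BambooAclHelper.addPermissionKeys}
     * @throws AccessDeniedException if the caller may not change one of the permissions
     */
    public boolean addUserGlobalPermissions(@NotNull String str, @NotNull List<BambooPermission> list) {
        return withExclusiveLock(() -> {
            // Baseline authorization first: a caller without RESTRICTEDADMINISTRATION is rejected
            // before any input-dependent validation runs. Presumably the validators fail with
            // distinguishable errors for unknown principals/permissions (confirm against
            // PermissionsServiceUtils), which would otherwise be observable by such a caller.
            hasPermissions();
            validateGlobalPermissions(list);
            validateUser(str);
            hasPermissionsToChange(list);
            validateDependenciesAfterGranting(getUserGlobalPermissions(str), list);
            List<String> keys = list.stream()
                    .map(permission -> BambooAclUpdateHelper.createUserPermissionKey(str, permission.getName()))
                    .collect(Collectors.toList());
            return addGlobalPermissionKeys(keys);
        });
    }

    /**
     * Revokes global permissions from a user. The requested permissions are not checked against
     * {@link #supportedPermissions()} here, unlike in the grant path.
     *
     * @param str the user name
     * @param list the permissions to revoke
     * @return the result of {@code BambooAclHelper.removePermissionKeys}
     * @throws AccessDeniedException if the caller may not change one of the permissions
     * @throws IllegalStateException if no ADMINISTRATION entry would remain afterwards
     */
    public boolean removeUserGlobalPermissions(@NotNull String str, @NotNull List<BambooPermission> list) {
        return withExclusiveLock(() -> {
            // Authorize before validating the principal; see addUserGlobalPermissions.
            hasPermissions();
            validateUser(str);
            hasPermissionsToChange(list);
            validateDependenciesAfterRevoking(getUserGlobalPermissions(str), list);
            List<String> keys = list.stream()
                    .map(permission -> BambooAclUpdateHelper.createUserPermissionKey(str, permission.getName()))
                    .collect(Collectors.toList());
            return removeGlobalPermissionKeys(keys);
        });
    }

    /**
     * Lists the groups that hold at least one supported global permission.
     *
     * @throws AccessDeniedException if the caller lacks RESTRICTEDADMINISTRATION
     */
    @NotNull
    public Iterable<String> listGroupsWithGlobalPermissions() {
        hasPermissions();
        return this.aclHelper.listGroupsWithPermissions(getAcl(), supportedPermissions());
    }

    /**
     * Returns the supported global permissions granted directly to a group.
     *
     * @param str the group name
     * @throws AccessDeniedException if the caller lacks RESTRICTEDADMINISTRATION
     */
    @NotNull
    public List<BambooPermission> getGroupGlobalPermissions(@NotNull String str) {
        hasPermissions();
        return this.aclHelper.getGroupPermissions(getAcl(), str, supportedPermissions());
    }

    /**
     * Grants global permissions to a group.
     *
     * @param str the group name
     * @param list the permissions to grant
     * @return the result of {@code BambooAclHelper.addPermissionKeys}
     * @throws AccessDeniedException if the caller may not change one of the permissions
     */
    public boolean addGroupGlobalPermissions(@NotNull String str, @NotNull List<BambooPermission> list) {
        return withExclusiveLock(() -> {
            // Authorize before validating caller-supplied input; see addUserGlobalPermissions.
            hasPermissions();
            validateGlobalPermissions(list);
            validateGroup(str);
            hasPermissionsToChange(list);
            validateDependenciesAfterGranting(getGroupGlobalPermissions(str), list);
            List<String> keys = list.stream()
                    .map(permission -> BambooAclUpdateHelper.createGroupPermissionKey(str, permission.getName()))
                    .collect(Collectors.toList());
            return addGlobalPermissionKeys(keys);
        });
    }

    /**
     * Revokes global permissions from a group.
     *
     * @param str the group name
     * @param list the permissions to revoke
     * @return the result of {@code BambooAclHelper.removePermissionKeys}
     * @throws AccessDeniedException if the caller may not change one of the permissions
     * @throws IllegalStateException if no ADMINISTRATION entry would remain afterwards
     */
    public boolean removeGroupGlobalPermissions(@NotNull String str, @NotNull List<BambooPermission> list) {
        return withExclusiveLock(() -> {
            // Authorize before validating the principal; see addUserGlobalPermissions.
            hasPermissions();
            validateGroup(str);
            hasPermissionsToChange(list);
            validateDependenciesAfterRevoking(getGroupGlobalPermissions(str), list);
            List<String> keys = list.stream()
                    .map(permission -> BambooAclUpdateHelper.createGroupPermissionKey(str, permission.getName()))
                    .collect(Collectors.toList());
            return removeGlobalPermissionKeys(keys);
        });
    }

    /**
     * Returns the supported global permissions granted to the logged-in-users role.
     *
     * @throws AccessDeniedException if the caller lacks RESTRICTEDADMINISTRATION
     */
    @NotNull
    public List<BambooPermission> getLoggedInGlobalPermissions() {
        hasPermissions();
        return this.aclHelper.getLoggedInPermissions(getAcl(), supportedPermissions());
    }

    /**
     * Grants global permissions to the logged-in-users role ({@code Authority.USER}).
     *
     * @param list the permissions to grant
     * @return the result of {@code BambooAclHelper.addPermissionKeys}
     * @throws AccessDeniedException if the caller may not change one of the permissions
     */
    public boolean addLoggedInGlobalPermissions(@NotNull List<BambooPermission> list) {
        return withExclusiveLock(() -> {
            // Authorize before validating caller-supplied input; see addUserGlobalPermissions.
            hasPermissions();
            validateGlobalPermissions(list);
            hasPermissionsToChange(list);
            validateDependenciesAfterGranting(getLoggedInGlobalPermissions(), list);
            List<String> keys = list.stream()
                    .map(permission -> BambooAclUpdateHelper.createRolePermissionKey(
                            Authority.USER.getAuthority(), permission.getName()))
                    .collect(Collectors.toList());
            return addGlobalPermissionKeys(keys);
        });
    }

    /**
     * Revokes global permissions from the logged-in-users role ({@code Authority.USER}).
     *
     * @param list the permissions to revoke
     * @return the result of {@code BambooAclHelper.removePermissionKeys}
     * @throws AccessDeniedException if the caller may not change one of the permissions
     * @throws IllegalStateException if no ADMINISTRATION entry would remain afterwards
     */
    public boolean removeLoggedInGlobalPermissions(@NotNull List<BambooPermission> list) {
        return withExclusiveLock(() -> {
            hasPermissionsToChange(list);
            validateDependenciesAfterRevoking(getLoggedInGlobalPermissions(), list);
            List<String> keys = list.stream()
                    .map(permission -> BambooAclUpdateHelper.createRolePermissionKey(
                            Authority.USER.getAuthority(), permission.getName()))
                    .collect(Collectors.toList());
            return removeGlobalPermissionKeys(keys);
        });
    }

    /**
     * Returns the supported global permissions granted to the anonymous role.
     *
     * @throws AccessDeniedException if the caller lacks RESTRICTEDADMINISTRATION
     */
    @NotNull
    public List<BambooPermission> getAnonymousGlobalPermissions() {
        hasPermissions();
        return this.aclHelper.getAnonymousPermissions(getAcl(), supportedPermissions());
    }

    /**
     * Enables anonymous access: sets the flag in the administration configuration, then grants
     * READ to the anonymous role. READ is the only permission this service ever gives to
     * {@code Authority.ANONYMOUS}.
     *
     * @return the result of {@code BambooAclHelper.addPermissionKeys}
     * @throws AccessDeniedException if the caller may not change READ
     */
    public boolean addAnonymousGlobalPermissions() {
        return withExclusiveLock(() -> {
            hasPermissionsToChange(Collections.singletonList(BambooPermission.READ));
            // The configuration flag is persisted before the ACL entry is written.
            // NOTE(review): if the persister does not take part in the surrounding transaction, a
            // failing ACL update would leave the flag set without the ACL entry - confirm.
            AdministrationConfiguration configuration =
                    this.administrationConfigurationAccessor.getAdministrationConfiguration();
            configuration.setEnableAnonymousAccess(true);
            this.administrationConfigurationPersister.saveAdministrationConfiguration(configuration);
            String anonymousReadKey = BambooAclUpdateHelper.createRolePermissionKey(
                    Authority.ANONYMOUS.getAuthority(), BambooPermission.READ.getName());
            return addGlobalPermissionKeys(Collections.singletonList(anonymousReadKey));
        });
    }

    /**
     * Disables anonymous access: clears the flag in the administration configuration, then
     * revokes READ from the anonymous role.
     *
     * @return the result of {@code BambooAclHelper.removePermissionKeys}
     * @throws AccessDeniedException if the caller may not change READ
     * @throws IllegalStateException if no ADMINISTRATION entry would remain afterwards
     */
    public boolean removeAnonymousGlobalPermissions() {
        return withExclusiveLock(() -> {
            hasPermissionsToChange(Collections.singletonList(BambooPermission.READ));
            AdministrationConfiguration configuration =
                    this.administrationConfigurationAccessor.getAdministrationConfiguration();
            configuration.setEnableAnonymousAccess(false);
            this.administrationConfigurationPersister.saveAdministrationConfiguration(configuration);
            String anonymousReadKey = BambooAclUpdateHelper.createRolePermissionKey(
                    Authority.ANONYMOUS.getAuthority(), BambooPermission.READ.getName());
            return removeGlobalPermissionKeys(Collections.singletonList(anonymousReadKey));
        });
    }

    /**
     * Returns the global permissions that exist on this instance, sorted by
     * {@code PermissionsServiceUtils.PERMISSIONS_ORDERING}. SOX_COMPLIANCE and
     * RESTRICTEDADMINISTRATION are included only when the matching configuration switch is on.
     * This method performs no authorization check of its own.
     */
    @NotNull
    public Collection<BambooPermission> supportedPermissions() {
        ImmutableSet.Builder<BambooPermission> builder = ImmutableSet.builder();
        builder.add(
                BambooPermission.READ,
                BambooPermission.CREATE,
                BambooPermission.CREATE_REPOSITORY,
                BambooPermission.ADMINISTRATION);
        AdministrationConfiguration configuration =
                this.administrationConfigurationAccessor.getAdministrationConfiguration();
        if (configuration.isSoxComplianceModeEnabled()) {
            builder.add(BambooPermission.SOX_COMPLIANCE);
        }
        if (configuration.isEnableRestrictedAdmin()) {
            builder.add(BambooPermission.RESTRICTEDADMINISTRATION);
        }
        return PermissionsServiceUtils.PERMISSIONS_ORDERING.sortedCopy(builder.build());
    }

    /**
     * Returns the permissions the current caller may grant or revoke: all supported permissions
     * for a holder of ADMINISTRATION, everything except ADMINISTRATION for anyone else. Only
     * ADMINISTRATION is withheld, so RESTRICTEDADMINISTRATION (when supported) stays editable.
     */
    @NotNull
    public Collection<BambooPermission> editablePermissions() {
        if (this.bambooPermissionManager.hasGlobalPermission(BambooPermission.ADMINISTRATION)) {
            return supportedPermissions();
        }
        return supportedPermissions().stream()
                .filter(permission -> !BambooPermission.ADMINISTRATION.equals(permission))
                .collect(Collectors.toList());
    }

    /**
     * Returns the transitive dependencies of a permission, restricted to supported permissions.
     * An unsupported intermediate permission is left out of the result, but the permissions it
     * depends on are still followed and reported.
     *
     * @param bambooPermission the permission whose prerequisites are wanted
     */
    @NotNull
    public Collection<BambooPermission> permissionDependencies(@NotNull BambooPermission bambooPermission) {
        Collection<BambooPermission> supported = supportedPermissions();
        return PERMISSION_DEPENDENCIES.asMap()
                .getOrDefault(bambooPermission, Collections.emptyList())
                .stream()
                .flatMap(direct -> Stream.concat(Stream.of(direct), permissionDependencies(direct).stream()))
                .filter(supported::contains)
                .collect(Collectors.toSet());
    }

    /** Writes the given permission keys to the global ACL. */
    private boolean addGlobalPermissionKeys(List<String> keys) {
        return this.aclHelper.addPermissionKeys(getAcl(), keys);
    }

    /**
     * Removes the given permission keys from the global ACL, refusing when the keys left after
     * the removal would contain no ADMINISTRATION entry. The guard looks only at the resulting
     * key set, so it applies to every removal, not just removals of ADMINISTRATION.
     *
     * @throws IllegalStateException if no ADMINISTRATION entry would remain
     */
    private boolean removeGlobalPermissionKeys(List<String> keys) {
        MutableAcl acl = getAcl();
        boolean administratorRemains = this.aclHelper.calculatePermissionKeysAfterRemoval(acl, keys).stream()
                .map(this.aclUpdateHelper::getPermission)
                .map(BambooPermission.class::cast)
                .anyMatch(permission -> permission.equals(BambooPermission.ADMINISTRATION));
        if (!administratorRemains) {
            throw new IllegalStateException("At least one administrator must be defined for the Bamboo instance");
        }
        return this.aclHelper.removePermissionKeys(acl, keys);
    }

    /** Checks the requested permissions against {@link #supportedPermissions()}. */
    private void validateGlobalPermissions(List<BambooPermission> permissions) throws IllegalArgumentException {
        PermissionsServiceUtils.validatePermissions(permissions, supportedPermissions(), "global");
    }

    /** Delegates the user-name check to {@code PermissionsServiceUtils.validateUser}. */
    private void validateUser(String username) {
        PermissionsServiceUtils.validateUser(username, this.bambooUserManager);
    }

    /** Delegates the group-name check to {@code PermissionsServiceUtils.validateGroup}. */
    private void validateGroup(String groupName) {
        PermissionsServiceUtils.validateGroup(groupName, this.bambooUserManager);
    }

    /** Validates the dependency rules on the union of the current and the newly granted set. */
    private void validateDependenciesAfterGranting(List<BambooPermission> current, List<BambooPermission> granted) {
        PermissionsServiceUtils.validateDependenciesAfterGranting(
                Sets.union(new HashSet<>(current), new HashSet<>(granted)), this::permissionDependencies);
    }

    /** Validates the dependency rules on the current set minus the revoked permissions. */
    private void validateDependenciesAfterRevoking(List<BambooPermission> current, List<BambooPermission> revoked) {
        PermissionsServiceUtils.validateDependenciesAfterRevoking(
                Sets.difference(new HashSet<>(current), new HashSet<>(revoked)), this::permissionDependencies);
    }

    /**
     * Baseline authorization used by every read: the caller must hold RESTRICTEDADMINISTRATION.
     *
     * @throws AccessDeniedException if the caller does not
     */
    private void hasPermissions() {
        hasPermissionsToChange(Collections.emptyList());
    }

    /**
     * Authorizes a change to the given permissions. RESTRICTEDADMINISTRATION is required in all
     * cases; a caller without ADMINISTRATION is further limited to {@link #editablePermissions()}.
     *
     * @throws AccessDeniedException if either condition fails
     */
    private void hasPermissionsToChange(List<BambooPermission> permissions) {
        if (!this.bambooPermissionManager.hasGlobalPermission(BambooPermission.RESTRICTEDADMINISTRATION)) {
            throw new AccessDeniedException("Not allowed to change global permissions");
        }
        if (this.bambooPermissionManager.hasGlobalPermission(BambooPermission.ADMINISTRATION)) {
            return;
        }
        Collection<BambooPermission> editable = editablePermissions();
        for (BambooPermission permission : permissions) {
            if (!editable.contains(permission)) {
                throw new AccessDeniedException(String.format(
                        "You have insufficient rights to grant or revoke the %s permission", permission.getName()));
            }
        }
    }

    /**
     * Runs the supplier through {@code hibernateTemplate.execute} while holding this instance's
     * monitor, so the check-then-write sequences above do not interleave between threads that
     * share this service instance.
     *
     * <p>NOTE(review): the monitor is per instance; it would not serialise writers that use a
     * different instance or another node sharing the same database - confirm the deployment.
     */
    @VisibleForTesting
    <T> T withExclusiveLock(Supplier<T> supplier) {
        synchronized (this) {
            return (T) this.hibernateTemplate.execute(transactionStatus -> supplier.get());
        }
    }
}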
