package com.atlassian.stash.internal.permission;

import com.atlassian.bitbucket.auth.Authentication;
import com.atlassian.bitbucket.event.CancelableEvent;
import com.atlassian.bitbucket.event.cluster.ClusterNodeAddedEvent;
import com.atlassian.bitbucket.event.cluster.ClusterNodeRejoinedEvent;
import com.atlassian.bitbucket.event.permission.PermissionEvent;
import com.atlassian.bitbucket.event.permission.ProjectPermissionEvent;
import com.atlassian.bitbucket.event.user.GroupCleanupEvent;
import com.atlassian.bitbucket.event.user.UserCleanupEvent;
import com.atlassian.bitbucket.permission.EffectivePermission;
import com.atlassian.bitbucket.permission.EffectivePermissionsChangedEvent;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.PermissionCheck;
import com.atlassian.bitbucket.permission.PermissionVote;
import com.atlassian.bitbucket.permission.PermissionVoter;
import com.atlassian.bitbucket.permission.PermissionVoterProvider;
import com.atlassian.bitbucket.user.AbstractApplicationUserVisitor;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.DetailedUser;
import com.atlassian.bitbucket.user.ServiceUser;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.bitbucket.user.UserType;
import com.atlassian.bitbucket.util.MoreStreams;
import com.atlassian.bitbucket.util.PagedIterable;
import com.atlassian.cache.Cache;
import com.atlassian.cache.CacheFactory;
import com.atlassian.cache.CacheSettingsBuilder;
import com.atlassian.cache.CachedReference;
import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.event.api.EventListener;
import com.atlassian.fugue.Pair;
import com.atlassian.stash.internal.permission.GrantedPermissionVoter;
import com.atlassian.stash.internal.user.EffectivePermissionDao;
import com.atlassian.stash.internal.user.InternalUserUtils;
import com.atlassian.stash.internal.user.ProjectPermissionDao;
import com.google.common.base.Preconditions;
import java.util.Collections;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

@Component("grantedPermissionVoterProvider")
@Order(1)
/* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/permission/GrantedPermissionVoterProvider.class */
public class GrantedPermissionVoterProvider implements PermissionVoterProvider {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) GrantedPermissionVoterProvider.class);
    private final CachedReference<GrantedPermissionVoter> defaultPermissions;
    private final Cache<String, GrantedPermissionVoter> groupPermissions;
    private final EffectivePermissionDao effectivePermissionDao;
    private final ProjectPermissionDao projectPermissionDao;
    private final Cache<Integer, GrantedPermissionVoter> userPermissions;
    private int maxPermissionsPageSize = 1000;
    private UserService userService;
    private volatile long cacheVersion;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/permission/GrantedPermissionVoterProvider$NormalUserPermissionVoterCalculator.class */
    public class NormalUserPermissionVoterCalculator implements PermissionVoterCalculator {
        private final ApplicationUser user;

        private NormalUserPermissionVoterCalculator(ApplicationUser applicationUser) {
            this.user = applicationUser;
        }

        @Override // com.atlassian.stash.internal.permission.GrantedPermissionVoterProvider.PermissionVoterCalculator
        public GrantedPermissionVoter calculate() {
            return new GrantedPermissionVoter.Builder().addAll((GrantedPermissionVoter) GrantedPermissionVoterProvider.this.defaultPermissions.get()).addAll(GrantedPermissionVoterProvider.this.getGroupsPermissions(GrantedPermissionVoterProvider.this.loadGroupsByUser(this.user))).addAll(GrantedPermissionVoterProvider.this.getUserPermissions(Integer.valueOf(this.user.getId()))).build();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/permission/GrantedPermissionVoterProvider$PermissionVoterCalculator.class */
    public interface PermissionVoterCalculator {
        GrantedPermissionVoter calculate();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/permission/GrantedPermissionVoterProvider$RecalculatingPermissionVoter.class */
    public class RecalculatingPermissionVoter implements PermissionVoter {
        private final PermissionVoterCalculator calculator;
        private final ApplicationUser user;
        private volatile Pair<GrantedPermissionVoter, Long> voterAndVersion;

        private RecalculatingPermissionVoter(ApplicationUser applicationUser) {
            this.user = applicationUser;
            this.calculator = newCalculatorForUserType(applicationUser);
            this.voterAndVersion = Pair.pair(GrantedPermissionVoter.NO_PERMS, -1L);
        }

        @Override // com.atlassian.bitbucket.permission.PermissionVoter
        @Nonnull
        public PermissionVote vote(@Nonnull PermissionCheck permissionCheck) {
            return permissionCheck.getResult() == PermissionVote.GRANT ? PermissionVote.ABSTAIN : getVoter().vote(permissionCheck);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public GrantedPermissionVoter getVoter() {
            Long right = this.voterAndVersion.right();
            if (GrantedPermissionVoterProvider.this.cacheInvalidatedSince(this.voterAndVersion.right().longValue())) {
                if (right != null && right.longValue() != -1) {
                    GrantedPermissionVoterProvider.log.debug("Permission voter for user {} has expired and will be recalculated", this.user.getName());
                }
                this.voterAndVersion = recalculate();
            }
            return this.voterAndVersion.left();
        }

        private PermissionVoterCalculator newCalculatorForUserType(ApplicationUser applicationUser) {
            return (PermissionVoterCalculator) applicationUser.accept(new AbstractApplicationUserVisitor<PermissionVoterCalculator>() { // from class: com.atlassian.stash.internal.permission.GrantedPermissionVoterProvider.RecalculatingPermissionVoter.1
                @Override // com.atlassian.bitbucket.user.AbstractApplicationUserVisitor, com.atlassian.bitbucket.user.ApplicationUserVisitor
                public PermissionVoterCalculator visit(@Nonnull DetailedUser detailedUser) {
                    return visit((ApplicationUser) detailedUser);
                }

                @Override // com.atlassian.bitbucket.user.AbstractApplicationUserVisitor, com.atlassian.bitbucket.user.ApplicationUserVisitor
                public PermissionVoterCalculator visit(@Nonnull ServiceUser serviceUser) {
                    return new ServiceUserPermissionVoterCalculator(serviceUser);
                }

                @Override // com.atlassian.bitbucket.user.AbstractApplicationUserVisitor, com.atlassian.bitbucket.user.ApplicationUserVisitor
                public PermissionVoterCalculator visit(@Nonnull ApplicationUser applicationUser2) {
                    return new NormalUserPermissionVoterCalculator(applicationUser2);
                }
            });
        }

        private Pair<GrantedPermissionVoter, Long> recalculate() {
            return Pair.pair(this.calculator.calculate(), Long.valueOf(GrantedPermissionVoterProvider.this.cacheVersion));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/permission/GrantedPermissionVoterProvider$ServiceUserPermissionVoterCalculator.class */
    public class ServiceUserPermissionVoterCalculator implements PermissionVoterCalculator {
        private final ServiceUser user;

        private ServiceUserPermissionVoterCalculator(ServiceUser serviceUser) {
            this.user = serviceUser;
        }

        @Override // com.atlassian.stash.internal.permission.GrantedPermissionVoterProvider.PermissionVoterCalculator
        public GrantedPermissionVoter calculate() {
            return new GrantedPermissionVoter.Builder().addAll(GrantedPermissionVoterProvider.this.getUserPermissions(Integer.valueOf(this.user.getId()))).add(Permission.LICENSED_USER, null).build();
        }
    }

    @Autowired
    public GrantedPermissionVoterProvider(CacheFactory cacheFactory, EffectivePermissionDao effectivePermissionDao, ProjectPermissionDao projectPermissionDao, @Value("${permissions.cache.projectDefaults.ttl}") int i, @Value("${permissions.cache.groups.max}") int i2, @Value("${permissions.cache.groups.ttl}") int i3, @Value("${permissions.cache.users.max}") int i4, @Value("${permissions.cache.users.ttl}") int i5) {
        this.defaultPermissions = cacheFactory.getCachedReference("bb.internal.defaultPermissions", this::loadDefaultPermissions, new CacheSettingsBuilder().expireAfterWrite(i, TimeUnit.SECONDS).remote().replicateAsynchronously().replicateViaInvalidation().build());
        this.groupPermissions = cacheFactory.getCache("bb.internal.groupPermissions", this::loadGroupPermissions, new CacheSettingsBuilder().expireAfterWrite(i3, TimeUnit.SECONDS).maxEntries(i2).remote().replicateAsynchronously().replicateViaInvalidation().build());
        this.userPermissions = cacheFactory.getCache("bb.internal.userPermissions", this::loadUserPermissions, new CacheSettingsBuilder().expireAfterWrite(i5, TimeUnit.SECONDS).maxEntries(i4).remote().replicateAsynchronously().replicateViaInvalidation().build());
        this.effectivePermissionDao = effectivePermissionDao;
        this.projectPermissionDao = projectPermissionDao;
    }

    @Override // com.atlassian.bitbucket.permission.PermissionVoterProvider
    public PermissionVoter create(@Nonnull Authentication authentication) {
        return (PermissionVoter) authentication.getUser().filter(InternalUserUtils::isInternalUser).map(applicationUser -> {
            return new RecalculatingPermissionVoter(applicationUser);
        }).orElse(null);
    }

    @Nonnull
    public Iterable<EffectivePermission> getEffectivePermissions(@Nonnull ApplicationUser applicationUser) {
        return InternalUserUtils.isInternalUser(applicationUser) ? new RecalculatingPermissionVoter(applicationUser).getVoter() : Collections.emptySet();
    }

    @EventListener
    public void onEffectivePermissionsChanged(EffectivePermissionsChangedEvent effectivePermissionsChangedEvent) {
        markCacheUpdated();
    }

    @EventListener
    public void onGroupCleanup(GroupCleanupEvent groupCleanupEvent) {
        this.groupPermissions.remove(IdentifierUtils.toLowerCase(groupCleanupEvent.getGroup()));
        markCacheUpdated();
    }

    @EventListener
    public void onClusterNodeAdded(ClusterNodeAddedEvent clusterNodeAddedEvent) {
        if (clusterNodeAddedEvent.isMaybeNetworkPartitionResolved()) {
            log.debug("Invalidating all permission caches because node {} {}joined the cluster", clusterNodeAddedEvent.getAddedNode().getAddress(), clusterNodeAddedEvent instanceof ClusterNodeRejoinedEvent ? "re" : "");
            this.defaultPermissions.reset();
            this.groupPermissions.removeAll();
            this.userPermissions.removeAll();
            markCacheUpdated();
        }
    }

    @EventListener
    public void onPermissionsChanged(PermissionEvent permissionEvent) {
        if (permissionEvent instanceof CancelableEvent) {
            return;
        }
        ApplicationUser affectedUser = permissionEvent.getAffectedUser();
        String affectedGroup = permissionEvent.getAffectedGroup();
        if (affectedUser != null) {
            this.userPermissions.remove(Integer.valueOf(affectedUser.getId()));
        } else if (StringUtils.isNotBlank(affectedGroup)) {
            this.groupPermissions.remove(IdentifierUtils.toLowerCase(affectedGroup));
        } else if (permissionEvent instanceof ProjectPermissionEvent) {
            this.defaultPermissions.reset();
        }
        markCacheUpdated();
    }

    @EventListener
    public void onUserCleanup(UserCleanupEvent userCleanupEvent) {
        ApplicationUser deletedUser = userCleanupEvent.getDeletedUser();
        if (deletedUser != null) {
            this.userPermissions.remove(Integer.valueOf(deletedUser.getId()));
        }
    }

    @Value("${page.max.granted.permissions}")
    public void setMaxPermissionsPageSize(int i) {
        this.maxPermissionsPageSize = i;
    }

    @Autowired
    public void setUserService(UserService userService) {
        this.userService = userService;
    }

    public void warmCaches() {
        this.defaultPermissions.get();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public GrantedPermissionVoter getGroupsPermissions(Iterable<String> iterable) {
        GrantedPermissionVoter.Builder builder = new GrantedPermissionVoter.Builder();
        Stream map = MoreStreams.streamIterable(iterable).filter((v0) -> {
            return Objects.nonNull(v0);
        }).map(IdentifierUtils::toLowerCase);
        Cache<String, GrantedPermissionVoter> cache = this.groupPermissions;
        cache.getClass();
        Stream map2 = map.map((v1) -> {
            return r1.get(v1);
        });
        builder.getClass();
        map2.forEach(builder::addAll);
        return builder.build();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public GrantedPermissionVoter getUserPermissions(Integer num) {
        return this.userPermissions.get(num);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean cacheInvalidatedSince(long j) {
        return this.cacheVersion != j;
    }

    private GrantedPermissionVoter loadDefaultPermissions() {
        GrantedPermissionVoter.Builder builder = new GrantedPermissionVoter.Builder();
        this.projectPermissionDao.getDefaultPermissions().forEach((num, permission) -> {
            builder.add(permission, num);
        });
        return builder.build();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Iterable<String> loadGroupsByUser(ApplicationUser applicationUser) {
        Preconditions.checkArgument(applicationUser.getType() == UserType.NORMAL, "only normal users have groups");
        return new PagedIterable(pageRequest -> {
            return this.userService.findGroupsByUser(applicationUser.getName(), pageRequest);
        }, this.maxPermissionsPageSize);
    }

    private GrantedPermissionVoter loadGroupPermissions(String str) {
        return new GrantedPermissionVoter.Builder().addInternalPermissions(new PagedIterable(pageRequest -> {
            return this.effectivePermissionDao.findByGroup(str, pageRequest);
        }, this.maxPermissionsPageSize)).build();
    }

    private GrantedPermissionVoter loadUserPermissions(Integer num) {
        return new GrantedPermissionVoter.Builder().addInternalPermissions(new PagedIterable(pageRequest -> {
            return this.effectivePermissionDao.findByUserId(num, pageRequest);
        }, this.maxPermissionsPageSize)).build();
    }

    private void markCacheUpdated() {
        this.cacheVersion++;
    }
}
