package com.atlassian.plugin.connect.confluence.auth;

import com.atlassian.confluence.cache.ThreadLocalCache;
import com.atlassian.confluence.event.events.space.SpaceCreateEvent;
import com.atlassian.confluence.security.PermissionManager;
import com.atlassian.confluence.security.SpacePermission;
import com.atlassian.confluence.security.SpacePermissionManager;
import com.atlassian.confluence.security.administrators.EditPermissionsAdministrator;
import com.atlassian.confluence.security.administrators.PermissionsAdministratorBuilder;
import com.atlassian.confluence.spaces.Space;
import com.atlassian.confluence.spaces.SpaceManager;
import com.atlassian.confluence.user.ConfluenceUser;
import com.atlassian.confluence.user.UserAccessor;
import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.plugin.connect.api.ConnectAddonAccessor;
import com.atlassian.plugin.connect.crowd.spi.CrowdAddonUserProvisioningService;
import com.atlassian.plugin.connect.crowd.usermanagement.ConnectAddonUserUtil;
import com.atlassian.plugin.connect.modules.beans.AuthenticationBean;
import com.atlassian.plugin.connect.modules.beans.AuthenticationType;
import com.atlassian.plugin.connect.modules.beans.ConnectAddonBean;
import com.atlassian.plugin.connect.modules.beans.nested.ScopeName;
import com.atlassian.plugin.connect.modules.beans.nested.ScopeUtil;
import com.atlassian.plugin.spring.scanner.annotation.component.ConfluenceComponent;
import com.atlassian.plugin.spring.scanner.annotation.export.ExportAsDevService;
import com.atlassian.sal.api.component.ComponentLocator;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.atlassian.sal.api.user.UserManager;
import com.atlassian.sal.api.user.UserProfile;
import com.atlassian.user.User;
import com.google.common.base.Objects;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.UnmodifiableIterator;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.annotation.Autowired;

/**
 * Aligns a Connect add-on user's Confluence permissions with the scopes granted to the add-on.
 *
 * <p>Two privilege levels are managed: global Confluence administration (the
 * {@code ADMINISTRATECONFLUENCE} global permission) and space administration (every permission
 * type in {@link #SPACE_ADMIN_PERMISSIONS}, applied to every space). Whether a level is granted
 * or revoked is decided solely by {@link ScopeUtil}'s transition checks on the two scope sets
 * passed to {@link #provisionAddonUserForScopes}; this class adds no policy of its own beyond
 * treating an empty first scope set as "revoke both levels". The service also listens for
 * {@link SpaceCreateEvent} so that add-ons holding {@code SPACE_ADMIN} (but not {@code ADMIN})
 * keep space-admin rights when spaces are created.
 *
 * <p>This component hands administrator privileges to add-on users and does so under a
 * {@link PermissionManager#withExemption} block, i.e. without the normal permission checks on the
 * caller. Any change to the conditions below therefore changes what an installed add-on can do,
 * and the info-level log lines emitted here are the audit trail for those privilege changes.
 */
@ConfluenceComponent
@ExportAsDevService
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-connect-plugin-1.1.100.jar:com/atlassian/plugin/connect/confluence/auth/ConfluenceAddonUserProvisioningService.class */
public class ConfluenceAddonUserProvisioningService implements CrowdAddonUserProvisioningService, DisposableBean {
    private static final Logger log = LoggerFactory.getLogger(ConfluenceAddonUserProvisioningService.class);

    /** Group every add-on user is always expected to be a member of. */
    private static final ImmutableSet<String> DEFAULT_GROUPS_ALWAYS_EXPECTED = ImmutableSet.of("_licensed-confluence");
    /** Groups of which an add-on user is expected to be a member of at least one. */
    private static final ImmutableSet<String> DEFAULT_GROUPS_ONE_OR_MORE_EXPECTED = ImmutableSet.of("confluence-users", "users");
    /** The space permission types that together make an add-on user a "space admin" of a space. */
    private static final ImmutableSet<String> SPACE_ADMIN_PERMISSIONS = ImmutableSet.of("EDITSPACE", "CREATEATTACHMENT", "COMMENT", "EDITBLOG", "REMOVEPAGE", "REMOVEATTACHMENT", "REMOVECOMMENT", "REMOVEBLOG", "SETSPACEPERMISSIONS");

    private final PermissionManager confluencePermissionManager;
    private final SpacePermissionManager spacePermissionManager;
    private final SpaceManager spaceManager;
    private final UserAccessor userAccessor;
    private final UserManager userManager;
    private final EventPublisher eventPublisher;
    private final ConnectAddonAccessor connectAddonAccessor;
    private final TransactionTemplate transactionTemplate;

    /**
     * Wires the collaborators and registers this instance for {@link EventListener} delivery.
     * The registration is undone in {@link #destroy()}.
     */
    @Autowired
    public ConfluenceAddonUserProvisioningService(PermissionManager permissionManager, SpacePermissionManager spacePermissionManager, SpaceManager spaceManager, UserAccessor userAccessor, UserManager userManager, EventPublisher eventPublisher, ConnectAddonAccessor connectAddonAccessor, TransactionTemplate transactionTemplate) {
        this.confluencePermissionManager = permissionManager;
        this.spacePermissionManager = spacePermissionManager;
        this.spaceManager = spaceManager;
        this.userAccessor = userAccessor;
        this.userManager = userManager;
        this.eventPublisher = eventPublisher;
        this.connectAddonAccessor = connectAddonAccessor;
        this.transactionTemplate = transactionTemplate;
        eventPublisher.register(this);
    }

    /**
     * Grants or revokes admin privileges for the add-on user so that they match the scope transition.
     *
     * <p>The work runs inside a {@link TransactionTemplate} and under
     * {@link PermissionManager#withExemption}, with a {@link ThreadLocalCache} initialised for the
     * duration and disposed afterwards even if the transaction fails.
     *
     * @param str  the add-on user's username (resolved through {@link UserManager#getUserProfile})
     * @param set  first scope set; passed unchanged as the first argument of the {@link ScopeUtil}
     *             transition checks — which of the two sets is "previous" and which is "new" is
     *             defined by {@link CrowdAddonUserProvisioningService}, not visible here
     * @param set2 second scope set; passed unchanged as the second argument of those checks
     */
    @Override // com.atlassian.plugin.connect.crowd.spi.CrowdAddonUserProvisioningService
    public void provisionAddonUserForScopes(String str, Set<ScopeName> set, Set<ScopeName> set2) {
        ThreadLocalCache.init();
        try {
            this.transactionTemplate.execute(() -> {
                this.confluencePermissionManager.withExemption(() -> provisionAddonUserForScopeInTransaction(str, set, set2));
                return null;
            });
        } finally {
            ThreadLocalCache.dispose();
        }
    }

    /**
     * Applies the scope transition to the user's permissions; must already be inside the
     * transaction and exemption set up by {@link #provisionAddonUserForScopes}.
     *
     * <p>An empty {@code firstScopes} revokes both global admin and space admin unconditionally;
     * otherwise each revoke/grant is gated on the corresponding {@link ScopeUtil} transition check.
     * Revocations are evaluated before grants, in the order written.
     *
     * @throws IllegalStateException if no user profile exists for {@code username}
     */
    private void provisionAddonUserForScopeInTransaction(String username, Set<ScopeName> firstScopes, Set<ScopeName> secondScopes) {
        ConfluenceUser addonUser = getConfluenceUser(username);
        boolean noScopesAtAll = firstScopes.isEmpty();

        if (noScopesAtAll || ScopeUtil.isTransitionDownFromAdmin(firstScopes, secondScopes)) {
            removeUserFromGlobalAdmins(addonUser);
        }
        if (noScopesAtAll || ScopeUtil.isTransitionDownToReadOrLess(firstScopes, secondScopes)) {
            removeSpaceAdminPermissions(addonUser);
        }
        if (ScopeUtil.isTransitionUpToAdmin(firstScopes, secondScopes)) {
            grantAddonUserGlobalAdmin(addonUser);
        }
        if (ScopeUtil.isTransitionUpFromReadOrLess(firstScopes, secondScopes)) {
            grantAddonUserSpaceAdmin(addonUser);
        }
    }

    /** @return the immutable set of groups every add-on user must belong to */
    @Override // com.atlassian.plugin.connect.crowd.spi.CrowdAddonUserProvisioningService
    public Set<String> getDefaultProductGroupsAlwaysExpected() {
        return DEFAULT_GROUPS_ALWAYS_EXPECTED;
    }

    /** @return the immutable set of groups an add-on user must belong to at least one of */
    @Override // com.atlassian.plugin.connect.crowd.spi.CrowdAddonUserProvisioningService
    public Set<String> getDefaultProductGroupsOneOrMoreExpected() {
        return DEFAULT_GROUPS_ONE_OR_MORE_EXPECTED;
    }

    /**
     * Resolves a username to the Confluence user via the SAL {@link UserManager} profile and then
     * the {@link UserAccessor} by user key.
     *
     * <p>Callers in this class pass a username (see {@link #spaceCreated}); the exception message
     * nevertheless says "user key", which is worth keeping in mind when reading logs.
     *
     * @throws IllegalStateException if the {@link UserManager} has no profile for {@code username}
     */
    private ConfluenceUser getConfluenceUser(String username) {
        UserProfile profile = this.userManager.getUserProfile(username);
        if (profile == null) {
            throw new IllegalStateException("User for user key " + username + " does not exist");
        }
        return this.userAccessor.getExistingUserByKey(profile.getUserKey());
    }

    /** Grants the {@code ADMINISTRATECONFLUENCE} global permission to the add-on user. */
    private void grantAddonUserGlobalAdmin(ConfluenceUser addonUser) {
        setGlobalAdmin(addonUser, true);
    }

    /** Revokes the add-on user's {@code ADMINISTRATECONFLUENCE} global permission, if held. */
    private void removeUserFromGlobalAdmins(ConfluenceUser addonUser) {
        setGlobalAdmin(addonUser, false);
    }

    /**
     * Adds or removes the {@code ADMINISTRATECONFLUENCE} global permission for the user through
     * an {@link EditPermissionsAdministrator} obtained from the component locator.
     *
     * @param makeAdmin {@code true} to grant, {@code false} to revoke
     */
    private void setGlobalAdmin(ConfluenceUser addonUser, boolean makeAdmin) {
        PermissionsAdministratorBuilder builder =
                (PermissionsAdministratorBuilder) ComponentLocator.getComponent(PermissionsAdministratorBuilder.class, "permissionsAdministratorBuilder");
        EditPermissionsAdministrator globalAdministrator =
                builder.buildEditGlobalPermissionAdministrator((User) null, Arrays.asList(addonUser.getName()), Collections.emptyList());

        if (!makeAdmin) {
            log.info("Removing Confluence administrator access from user '{}'.", addonUser.getName());
            removePermission(globalAdministrator, addonUser, "ADMINISTRATECONFLUENCE");
            return;
        }
        log.info("Making user '{}' a Confluence administrator.", addonUser.getName());
        globalAdministrator.addPermission(SpacePermission.createUserSpacePermission("ADMINISTRATECONFLUENCE", (Space) null, addonUser));
    }

    /**
     * Removes the first global permission of type {@code permissionType} whose user subject has
     * the same key as {@code addonUser}. Only one matching permission is removed; if none matches
     * a warning is logged and nothing else happens.
     */
    private void removePermission(EditPermissionsAdministrator editPermissionsAdministrator, ConfluenceUser addonUser, String permissionType) {
        for (SpacePermission candidate : this.spacePermissionManager.getGlobalPermissions(permissionType)) {
            if (isHeldByUser(candidate, addonUser)) {
                log.info("Removing Confluence permission '{}' from user '{}'.", permissionType, addonUser.getName());
                editPermissionsAdministrator.removePermission(candidate);
                return;
            }
        }
        log.warn("Did not remove Confluence permission '{}' from user '{}' because it did not exist.", permissionType, addonUser.getName());
    }

    /**
     * True when {@code permission} is a user permission whose subject key equals the user's key.
     * Null permission, null subject and null subject key all count as "not held".
     */
    private static boolean isHeldByUser(SpacePermission permission, ConfluenceUser user) {
        if (permission == null || permission.getUserSubject() == null || permission.getUserSubject().getKey() == null) {
            return false;
        }
        return permission.getUserSubject().getKey().getStringValue().equals(user.getKey().getStringValue());
    }

    /** Grants every {@link #SPACE_ADMIN_PERMISSIONS} entry to the user on every existing space. */
    private void grantAddonUserSpaceAdmin(ConfluenceUser addonUser) {
        for (Space space : this.spaceManager.getAllSpaces()) {
            grantAddonUserAdminToSpace(space, addonUser);
        }
    }

    /** Grants every {@link #SPACE_ADMIN_PERMISSIONS} entry to the user on one space. */
    private void grantAddonUserAdminToSpace(Space space, ConfluenceUser addonUser) {
        for (String permissionType : SPACE_ADMIN_PERMISSIONS) {
            grantAddonUserPermissionToSpace(permissionType, space, addonUser);
        }
    }

    /**
     * Saves a user permission of {@code permissionType} on {@code space} for the user unless an
     * identical permission already exists, in which case only an info line is logged (idempotent).
     */
    private void grantAddonUserPermissionToSpace(String permissionType, Space space, ConfluenceUser addonUser) {
        SpacePermission wanted = new SpacePermission(permissionType, space, (String) null, addonUser);
        if (!this.spacePermissionManager.permissionExists(wanted)) {
            this.spacePermissionManager.savePermission(wanted);
            return;
        }
        log.info("Add-on user {} already has {} permission on space {}", addonUser.getName(), permissionType, space.getKey());
    }

    /** Removes every {@link #SPACE_ADMIN_PERMISSIONS} entry held by the user on every existing space. */
    private void removeSpaceAdminPermissions(ConfluenceUser addonUser) {
        for (Space space : this.spaceManager.getAllSpaces()) {
            removeAddonUserAdminFromSpace(space, addonUser);
        }
    }

    /** Removes every {@link #SPACE_ADMIN_PERMISSIONS} entry held by the user on one space. */
    private void removeAddonUserAdminFromSpace(Space space, ConfluenceUser addonUser) {
        for (String permissionType : SPACE_ADMIN_PERMISSIONS) {
            removeAddonUserPermissionFromSpace(permissionType, space, addonUser);
        }
    }

    /**
     * Removes all user permissions of {@code permissionType} on {@code space} whose subject equals
     * the user. The matches are collected eagerly into a set before any removal, so
     * {@code removePermission} never runs while the space's permission list is being streamed.
     */
    private void removeAddonUserPermissionFromSpace(String permissionType, Space space, ConfluenceUser addonUser) {
        Set<SpacePermission> held = space.getPermissions().stream()
                .filter(permission -> permission.isUserPermission()
                        && Objects.equal(permission.getUserSubject(), addonUser)
                        && StringUtils.equals(permission.getType(), permissionType))
                .collect(Collectors.toSet());
        held.forEach(this.spacePermissionManager::removePermission);
    }

    /**
     * On space creation, re-applies space admin for every add-on whose normalised scopes contain
     * {@code SPACE_ADMIN} but not {@code ADMIN} and whose authentication type is not
     * {@code NONE}. Note that the grant goes through {@link #grantAddonUserSpaceAdmin}, so it
     * touches all spaces rather than only the created one; it is idempotent per permission.
     * Failures for one add-on are logged and do not stop processing of the others.
     */
    @EventListener
    public void spaceCreated(SpaceCreateEvent spaceCreateEvent) {
        for (ConnectAddonBean addon : fetchAddonsWithSpaceAdminScope()) {
            AuthenticationBean authentication = addon.getAuthentication();
            if (authentication == null || AuthenticationType.NONE.equals(authentication.getType())) {
                continue;
            }
            String addonUsername = ConnectAddonUserUtil.usernameForAddon(addon.getKey());
            try {
                grantAddonUserSpaceAdmin(getConfluenceUser(addonUsername));
            } catch (Exception e) {
                log.error("Could not add user '{}' to new spaces", addonUsername, e);
            }
        }
    }

    /** Lazily filters all installed add-ons down to those with {@code SPACE_ADMIN} and without {@code ADMIN}. */
    private Iterable<ConnectAddonBean> fetchAddonsWithSpaceAdminScope() {
        return Iterables.filter(this.connectAddonAccessor.getAllAddons(), this::hasSpaceAdminWithoutGlobalAdmin);
    }

    /** True when the add-on's normalised scopes include {@code SPACE_ADMIN} but not {@code ADMIN}. */
    private boolean hasSpaceAdminWithoutGlobalAdmin(ConnectAddonBean addon) {
        Set<ScopeName> scopes = ScopeUtil.normalize(addon.getScopes());
        return scopes.contains(ScopeName.SPACE_ADMIN) && !scopes.contains(ScopeName.ADMIN);
    }

    /** Unregisters this listener from the {@link EventPublisher} registered in the constructor. */
    @Override // org.springframework.beans.factory.DisposableBean
    public void destroy() throws Exception {
        this.eventPublisher.unregister(this);
    }
}
