package com.atlassian.stash.internal.user;

import com.atlassian.bitbucket.AuthorisationException;
import com.atlassian.bitbucket.ForbiddenException;
import com.atlassian.bitbucket.IntegrityException;
import com.atlassian.bitbucket.Product;
import com.atlassian.bitbucket.RequestCanceledException;
import com.atlassian.bitbucket.ServerException;
import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.event.permission.GlobalPermissionGrantRequestedEvent;
import com.atlassian.bitbucket.event.permission.GlobalPermissionGrantedEvent;
import com.atlassian.bitbucket.event.permission.GlobalPermissionModificationRequestedEvent;
import com.atlassian.bitbucket.event.permission.GlobalPermissionModifiedEvent;
import com.atlassian.bitbucket.event.permission.GlobalPermissionRevocationRequestedEvent;
import com.atlassian.bitbucket.event.permission.GlobalPermissionRevokedEvent;
import com.atlassian.bitbucket.event.permission.PermissionEvent;
import com.atlassian.bitbucket.event.permission.ProjectPermissionEvent;
import com.atlassian.bitbucket.event.permission.ProjectPermissionGrantRequestedEvent;
import com.atlassian.bitbucket.event.permission.ProjectPermissionGrantedEvent;
import com.atlassian.bitbucket.event.permission.ProjectPermissionModificationRequestedEvent;
import com.atlassian.bitbucket.event.permission.ProjectPermissionModifiedEvent;
import com.atlassian.bitbucket.event.permission.ProjectPermissionRevocationRequestedEvent;
import com.atlassian.bitbucket.event.permission.ProjectPermissionRevokedEvent;
import com.atlassian.bitbucket.event.permission.RepositoryPermissionEvent;
import com.atlassian.bitbucket.event.permission.RepositoryPermissionGrantRequestedEvent;
import com.atlassian.bitbucket.event.permission.RepositoryPermissionGrantedEvent;
import com.atlassian.bitbucket.event.permission.RepositoryPermissionModificationRequestedEvent;
import com.atlassian.bitbucket.event.permission.RepositoryPermissionModifiedEvent;
import com.atlassian.bitbucket.event.permission.RepositoryPermissionRevocationRequestedEvent;
import com.atlassian.bitbucket.event.permission.RepositoryPermissionRevokedEvent;
import com.atlassian.bitbucket.event.user.GroupCleanupEvent;
import com.atlassian.bitbucket.event.user.UserCleanupEvent;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.license.LicenseService;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.PermissionAdminService;
import com.atlassian.bitbucket.permission.PermissionGrantCanceledException;
import com.atlassian.bitbucket.permission.PermissionModificationCanceledException;
import com.atlassian.bitbucket.permission.PermissionRevocationCanceledException;
import com.atlassian.bitbucket.permission.PermissionService;
import com.atlassian.bitbucket.permission.PermissionValidationService;
import com.atlassian.bitbucket.permission.PermittedGroup;
import com.atlassian.bitbucket.permission.PermittedUser;
import com.atlassian.bitbucket.permission.SetPermissionRequest;
import com.atlassian.bitbucket.project.Project;
import com.atlassian.bitbucket.project.ProjectType;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.UserType;
import com.atlassian.bitbucket.util.Page;
import com.atlassian.bitbucket.util.PageProvider;
import com.atlassian.bitbucket.util.PageRequest;
import com.atlassian.bitbucket.util.PageUtils;
import com.atlassian.bitbucket.util.PagedIterable;
import com.atlassian.bitbucket.util.SimpleCancelState;
import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.plugin.spring.AvailableToPlugins;
import com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService;
import com.atlassian.stash.experimental.user.PermittedGroupGlobalSearchRequest;
import com.atlassian.stash.experimental.user.PermittedGroupProjectSearchRequest;
import com.atlassian.stash.experimental.user.PermittedGroupRepositorySearchRequest;
import com.atlassian.stash.experimental.user.PermittedGroupSearchRequest;
import com.atlassian.stash.experimental.user.PermittedUserGlobalSearchRequest;
import com.atlassian.stash.experimental.user.PermittedUserProjectSearchRequest;
import com.atlassian.stash.experimental.user.PermittedUserRepositorySearchRequest;
import com.atlassian.stash.experimental.user.PermittedUserSearchRequest;
import com.atlassian.stash.experimental.user.ProjectPermission;
import com.atlassian.stash.experimental.user.ProjectPermissionRequest;
import com.atlassian.stash.experimental.user.ProjectPermissionSearchRequest;
import com.atlassian.stash.experimental.user.RepositoryPermission;
import com.atlassian.stash.experimental.user.RepositoryPermissionRequest;
import com.atlassian.stash.experimental.user.RepositoryPermissionSearchRequest;
import com.atlassian.stash.internal.CommonValidations;
import com.atlassian.stash.internal.InternalConverter;
import com.atlassian.stash.internal.annotation.Secured;
import com.atlassian.stash.internal.annotation.Unsecured;
import com.atlassian.stash.internal.page.PageConstants;
import com.atlassian.stash.internal.user.InternalGlobalPermission;
import com.atlassian.stash.internal.user.InternalProjectPermission;
import com.atlassian.stash.internal.user.InternalRepositoryPermission;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Function;
import com.google.common.collect.Iterables;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Transactional(readOnly = true)
@AvailableToPlugins(interfaces = {PermissionAdminService.class, ExperimentalPermissionAdminService.class})
@Service("permissionAdminService")
/* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/user/DefaultPermissionAdminService.class */
public class DefaultPermissionAdminService implements ExperimentalPermissionAdminService {
    public static final int INTERNAL_PAGE_LIMIT = 500;
    private static final Comparator<String> CASE_INSENSITIVE_COMPARATOR = IdentifierUtils::compareToInLowerCase;
    private static final Comparator<ApplicationUser> CASE_INSENSITIVE_NAME_COMPARATOR = (applicationUser, applicationUser2) -> {
        return IdentifierUtils.compareToInLowerCase(applicationUser.getName(), applicationUser2.getName());
    };
    private final EventPublisher eventPublisher;
    private final GlobalPermissionDao globalPermissionDao;
    private final ProjectPermissionDao projectPermissionDao;
    private final RepositoryPermissionDao repositoryPermissionDao;
    private final I18nService i18nService;
    private final LicenseService licenseService;
    private final PermissionService permissionService;
    private final PermissionValidationService permissionValidationService;
    private final AuthenticationContext authenticationContext;
    private final InternalUserService userService;

    @Value(PageConstants.MAX_GROUPS)
    private int maxGroups;

    @Value(PageConstants.MAX_USERS)
    private int maxUsers;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/user/DefaultPermissionAdminService$PermissionActionVisitor.class */
    public interface PermissionActionVisitor<T> {
        /* renamed from: visitPermissionGranted */
        T visitPermissionGranted2();

        /* renamed from: visitPermissionModified */
        T visitPermissionModified2();

        /* renamed from: visitPermissionRevoked */
        T visitPermissionRevoked2();
    }

    @Autowired
    public DefaultPermissionAdminService(InternalUserService internalUserService, GlobalPermissionDao globalPermissionDao, ProjectPermissionDao projectPermissionDao, RepositoryPermissionDao repositoryPermissionDao, AuthenticationContext authenticationContext, PermissionService permissionService, PermissionValidationService permissionValidationService, I18nService i18nService, LicenseService licenseService, EventPublisher eventPublisher) {
        this.userService = internalUserService;
        this.globalPermissionDao = globalPermissionDao;
        this.projectPermissionDao = projectPermissionDao;
        this.repositoryPermissionDao = repositoryPermissionDao;
        this.authenticationContext = authenticationContext;
        this.permissionService = permissionService;
        this.permissionValidationService = permissionValidationService;
        this.i18nService = i18nService;
        this.licenseService = licenseService;
        this.eventPublisher = eventPublisher;
    }

    @Override // com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService
    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<ProjectPermission> searchProjects(@Nonnull ProjectPermissionSearchRequest projectPermissionSearchRequest, @Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(projectPermissionSearchRequest, "request");
        Objects.requireNonNull(pageRequest, "pageRequest");
        return this.projectPermissionDao.findHighestPermissionsForUser(projectPermissionSearchRequest.getUser().getId(), pageRequest);
    }

    @Override // com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService
    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<RepositoryPermission> searchRepositories(@Nonnull RepositoryPermissionSearchRequest repositoryPermissionSearchRequest, @Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(repositoryPermissionSearchRequest, "request");
        Objects.requireNonNull(pageRequest, "pageRequest");
        return this.repositoryPermissionDao.findHighestPermissionsForUser(repositoryPermissionSearchRequest.getUser().getId(), pageRequest);
    }

    @Override // com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService
    @Nonnull
    @Secured("Secured internally using the PermissionValidationService")
    public Page<PermittedUser> searchUsers(@Nonnull PermittedUserSearchRequest permittedUserSearchRequest, @Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(permittedUserSearchRequest, "request");
        Objects.requireNonNull(pageRequest, "pageRequest");
        final PageRequest buildRestrictedPageRequest = pageRequest.buildRestrictedPageRequest(this.maxUsers);
        return (Page) permittedUserSearchRequest.accept(new PermittedUserSearchRequest.Visitor<Page<PermittedUser>>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedUserSearchRequest.Visitor
            public Page<PermittedUser> visit(@Nonnull PermittedUserGlobalSearchRequest permittedUserGlobalSearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForGlobal(Permission.ADMIN);
                return DefaultPermissionAdminService.this.globalPermissionDao.findHighestPermissionPerUser(permittedUserGlobalSearchRequest.getUserType(), permittedUserGlobalSearchRequest.getNameFilter(), buildRestrictedPageRequest);
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedUserSearchRequest.Visitor
            public Page<PermittedUser> visit(@Nonnull PermittedUserProjectSearchRequest permittedUserProjectSearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForProject(permittedUserProjectSearchRequest.getProject(), Permission.PROJECT_ADMIN);
                return DefaultPermissionAdminService.this.projectPermissionDao.findHighestPermissionPerUser(permittedUserProjectSearchRequest.getProject().getId(), permittedUserProjectSearchRequest.getUserType(), permittedUserProjectSearchRequest.getNameFilter(), buildRestrictedPageRequest);
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedUserSearchRequest.Visitor
            public Page<PermittedUser> visit(@Nonnull PermittedUserRepositorySearchRequest permittedUserRepositorySearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForRepository(permittedUserRepositorySearchRequest.getRepository(), Permission.REPO_ADMIN);
                return DefaultPermissionAdminService.this.repositoryPermissionDao.findHighestPermissionPerUser(permittedUserRepositorySearchRequest.getRepository().getId(), permittedUserRepositorySearchRequest.getUserType(), permittedUserRepositorySearchRequest.getNameFilter(), buildRestrictedPageRequest);
            }
        });
    }

    @Override // com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService
    @Nonnull
    @Secured("Secured internally using the PermissionValidationService")
    public Page<PermittedGroup> searchGroups(@Nonnull PermittedGroupSearchRequest permittedGroupSearchRequest, @Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(permittedGroupSearchRequest, "request");
        Objects.requireNonNull(pageRequest, "pageRequest");
        final PageRequest buildRestrictedPageRequest = pageRequest.buildRestrictedPageRequest(this.maxGroups);
        return (Page) permittedGroupSearchRequest.accept(new PermittedGroupSearchRequest.Visitor<Page<PermittedGroup>>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedGroupSearchRequest.Visitor
            public Page<PermittedGroup> visit(@Nonnull PermittedGroupGlobalSearchRequest permittedGroupGlobalSearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForGlobal(Permission.ADMIN);
                return DefaultPermissionAdminService.this.globalPermissionDao.findHighestPermissionPerGroup(permittedGroupGlobalSearchRequest.getNameFilter(), buildRestrictedPageRequest);
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedGroupSearchRequest.Visitor
            public Page<PermittedGroup> visit(@Nonnull PermittedGroupProjectSearchRequest permittedGroupProjectSearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForProject(permittedGroupProjectSearchRequest.getProject(), Permission.PROJECT_ADMIN);
                return DefaultPermissionAdminService.this.projectPermissionDao.findHighestPermissionPerGroup(permittedGroupProjectSearchRequest.getProject().getId(), permittedGroupProjectSearchRequest.getNameFilter(), buildRestrictedPageRequest);
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedGroupSearchRequest.Visitor
            public Page<PermittedGroup> visit(@Nonnull PermittedGroupRepositorySearchRequest permittedGroupRepositorySearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForRepository(permittedGroupRepositorySearchRequest.getRepository(), Permission.REPO_ADMIN);
                return DefaultPermissionAdminService.this.repositoryPermissionDao.findHighestPermissionPerGroup(permittedGroupRepositorySearchRequest.getRepository().getId(), permittedGroupRepositorySearchRequest.getNameFilter(), buildRestrictedPageRequest);
            }
        });
    }

    @Override // com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService
    @Nonnull
    @Secured("Secured internally using the PermissionValidationService")
    public Page<ApplicationUser> searchUsersLacking(@Nonnull PermittedUserSearchRequest permittedUserSearchRequest, @Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(permittedUserSearchRequest, "request");
        Objects.requireNonNull(pageRequest, "pageRequest");
        return getUsersWithoutPermission(withoutUsers((PageProvider) permittedUserSearchRequest.accept(new PermittedUserSearchRequest.Visitor<PageProvider<ApplicationUser>>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedUserSearchRequest.Visitor
            public PageProvider<ApplicationUser> visit(@Nonnull PermittedUserGlobalSearchRequest permittedUserGlobalSearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForGlobal(Permission.ADMIN);
                return pageRequest2 -> {
                    return DefaultPermissionAdminService.this.globalPermissionDao.findUsersWithPermission(permittedUserGlobalSearchRequest.getUserType(), pageRequest2);
                };
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedUserSearchRequest.Visitor
            public PageProvider<ApplicationUser> visit(@Nonnull PermittedUserProjectSearchRequest permittedUserProjectSearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForProject(permittedUserProjectSearchRequest.getProject(), Permission.PROJECT_ADMIN);
                return pageRequest2 -> {
                    return DefaultPermissionAdminService.this.projectPermissionDao.findUsersWithPermission(permittedUserProjectSearchRequest.getProject().getId(), permittedUserProjectSearchRequest.getUserType(), pageRequest2);
                };
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedUserSearchRequest.Visitor
            public PageProvider<ApplicationUser> visit(@Nonnull PermittedUserRepositorySearchRequest permittedUserRepositorySearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForRepository(permittedUserRepositorySearchRequest.getRepository(), Permission.REPO_ADMIN);
                return pageRequest2 -> {
                    return DefaultPermissionAdminService.this.repositoryPermissionDao.findUsersWithPermission(permittedUserRepositorySearchRequest.getRepository().getId(), permittedUserRepositorySearchRequest.getUserType(), pageRequest2);
                };
            }
        })), permittedUserSearchRequest.getUserType(), permittedUserSearchRequest.getNameFilter(), pageRequest);
    }

    @Override // com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService
    @Nonnull
    @Secured("Secured internally using the PermissionValidationService")
    public Page<String> searchGroupsLacking(@Nonnull PermittedGroupSearchRequest permittedGroupSearchRequest, @Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(permittedGroupSearchRequest, "request");
        Objects.requireNonNull(pageRequest, "pageRequest");
        return getGroupsWithoutPermission(permittedGroupSearchRequest.getNameFilter(), withoutGroups((PageProvider) permittedGroupSearchRequest.accept(new PermittedGroupSearchRequest.Visitor<PageProvider<String>>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedGroupSearchRequest.Visitor
            public PageProvider<String> visit(@Nonnull PermittedGroupGlobalSearchRequest permittedGroupGlobalSearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForGlobal(Permission.ADMIN);
                GlobalPermissionDao globalPermissionDao = DefaultPermissionAdminService.this.globalPermissionDao;
                globalPermissionDao.getClass();
                return globalPermissionDao::findGroupsWithPermission;
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedGroupSearchRequest.Visitor
            public PageProvider<String> visit(@Nonnull PermittedGroupProjectSearchRequest permittedGroupProjectSearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForProject(permittedGroupProjectSearchRequest.getProject(), Permission.PROJECT_ADMIN);
                return pageRequest2 -> {
                    return DefaultPermissionAdminService.this.projectPermissionDao.findGroupsWithPermission(permittedGroupProjectSearchRequest.getProject().getId(), pageRequest2);
                };
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // com.atlassian.stash.experimental.user.PermittedGroupSearchRequest.Visitor
            public PageProvider<String> visit(@Nonnull PermittedGroupRepositorySearchRequest permittedGroupRepositorySearchRequest) {
                DefaultPermissionAdminService.this.permissionValidationService.validateForRepository(permittedGroupRepositorySearchRequest.getRepository(), Permission.REPO_ADMIN);
                return pageRequest2 -> {
                    return DefaultPermissionAdminService.this.repositoryPermissionDao.findGroupsWithPermission(permittedGroupRepositorySearchRequest.getRepository().getId(), pageRequest2);
                };
            }
        })), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<PermittedUser> findUsersWithGlobalPermission(String str, @Nonnull PageRequest pageRequest) {
        return searchUsers(new PermittedUserSearchRequest.Builder().nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<ApplicationUser> findUsersWithoutGlobalPermission(String str, @Nonnull PageRequest pageRequest) {
        return searchUsersLacking(new PermittedUserSearchRequest.Builder().nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<PermittedGroup> findGroupsWithGlobalPermission(String str, @Nonnull PageRequest pageRequest) {
        return searchGroups(new PermittedGroupSearchRequest.Builder().nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<String> findGroupsWithoutGlobalPermission(String str, @Nonnull PageRequest pageRequest) {
        return searchGroupsLacking(new PermittedGroupSearchRequest.Builder().nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<PermittedUser> findUsersWithProjectPermission(@Nonnull Project project, String str, @Nonnull PageRequest pageRequest) {
        return searchUsers(new PermittedUserSearchRequest.Builder().project(project).nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @Unsecured("Secured internally in searchUsersLacking()")
    public Page<ApplicationUser> findLicensedUsersWithoutProjectPermission(@Nonnull Project project, String str, @Nonnull PageRequest pageRequest) {
        return PageUtils.filterPages(pageRequest2 -> {
            return searchUsersLacking(new PermittedUserSearchRequest.Builder().project(project).nameFilter(str).build(), pageRequest2);
        }, licensedOnly(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<PermittedGroup> findGroupsWithProjectPermission(@Nonnull Project project, String str, @Nonnull PageRequest pageRequest) {
        return searchGroups(new PermittedGroupSearchRequest.Builder().project(project).nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<String> findGroupsWithoutProjectPermission(@Nonnull Project project, String str, @Nonnull PageRequest pageRequest) {
        return searchGroupsLacking(new PermittedGroupSearchRequest.Builder().project(project).nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public Page<PermittedUser> findUsersWithRepositoryPermission(@Nonnull Repository repository, String str, @Nonnull PageRequest pageRequest) {
        return searchUsers(new PermittedUserSearchRequest.Builder().repository(repository).nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @Unsecured("Secured internally in searchUsersLacking()")
    public Page<ApplicationUser> findLicensedUsersWithoutRepositoryPermission(@Nonnull Repository repository, String str, @Nonnull PageRequest pageRequest) {
        return PageUtils.filterPages(pageRequest2 -> {
            return searchUsersLacking(new PermittedUserSearchRequest.Builder().repository(repository).nameFilter(str).build(), pageRequest2);
        }, licensedOnly(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public Page<PermittedGroup> findGroupsWithRepositoryPermission(@Nonnull Repository repository, String str, @Nonnull PageRequest pageRequest) {
        return searchGroups(new PermittedGroupSearchRequest.Builder().repository(repository).nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Nonnull
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public Page<String> findGroupsWithoutRepositoryPermission(@Nonnull Repository repository, String str, @Nonnull PageRequest pageRequest) {
        return searchGroupsLacking(new PermittedGroupSearchRequest.Builder().repository(repository).nameFilter(str).build(), pageRequest);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGlobalPermissions(@Nonnull String str) {
        CommonValidations.validateGroup(str);
        Permission doRevokeAllGlobalPermissions = doRevokeAllGlobalPermissions(str);
        if (doRevokeAllGlobalPermissions != null) {
            fireGlobalPermissionRequestedEvent(doRevokeAllGlobalPermissions, null, str, null);
            fireGlobalPermissionEvent(doRevokeAllGlobalPermissions, null, str, null);
        }
    }

    private Permission doRevokeAllGlobalPermissions(String str) {
        if (this.permissionService.hasGlobalPermission(str, Permission.SYS_ADMIN) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
            throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.revoke.insufficient.permission", str));
        }
        Permission permission = null;
        for (Permission permission2 : Permission.getGlobalPermissions()) {
            if (this.globalPermissionDao.hasPermissionEntry(buildPermission(permission2, str, null)) && revokeGlobalPermission(permission2, str)) {
                permission = Permission.max(permission, permission2);
            }
        }
        return permission;
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGlobalPermissions(@Nonnull ApplicationUser applicationUser) {
        Objects.requireNonNull(applicationUser, "user");
        Permission doRevokeAllGlobalPermissions = doRevokeAllGlobalPermissions(applicationUser);
        if (doRevokeAllGlobalPermissions != null) {
            fireGlobalPermissionRequestedEvent(doRevokeAllGlobalPermissions, null, null, applicationUser);
            fireGlobalPermissionEvent(doRevokeAllGlobalPermissions, null, null, applicationUser);
        }
    }

    private Permission doRevokeAllGlobalPermissions(ApplicationUser applicationUser) {
        if (!this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) && this.permissionService.hasGlobalPermission(applicationUser, Permission.SYS_ADMIN)) {
            throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.revoke.insufficient.permission", applicationUser.getDisplayName()));
        }
        Permission permission = null;
        for (Permission permission2 : Permission.getGlobalPermissions()) {
            if (this.globalPermissionDao.hasPermissionEntry(buildPermission(permission2, null, applicationUser)) && revokeGlobalPermission(permission2, applicationUser)) {
                permission = Permission.max(permission, permission2);
            }
        }
        return permission;
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermissions(@Nonnull Project project, @Nonnull String str) {
        Objects.requireNonNull(project, "project");
        CommonValidations.validateGroup(str);
        Permission doRevokeAllProjectPermissions = doRevokeAllProjectPermissions(project, str);
        if (doRevokeAllProjectPermissions != null) {
            fireProjectPermissionRequestedEvent(project, doRevokeAllProjectPermissions, null, str, null);
            fireProjectPermissionEvent(project, doRevokeAllProjectPermissions, null, str, null);
        }
    }

    private Permission doRevokeAllProjectPermissions(Project project, String str) {
        Permission permission = null;
        for (Permission permission2 : Permission.getPermissionsOn(Project.class)) {
            if (revokeProjectPermission(permission2, project, str)) {
                permission = Permission.max(permission, permission2);
            }
        }
        return permission;
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermissions(@Nonnull Project project, @Nonnull ApplicationUser applicationUser) {
        Objects.requireNonNull(project, "project");
        Objects.requireNonNull(applicationUser, "user");
        Permission doRevokeAllProjectPermissions = doRevokeAllProjectPermissions(project, applicationUser);
        if (doRevokeAllProjectPermissions != null) {
            fireProjectPermissionRequestedEvent(project, doRevokeAllProjectPermissions, null, null, applicationUser);
            fireProjectPermissionEvent(project, doRevokeAllProjectPermissions, null, null, applicationUser);
        }
    }

    private Permission doRevokeAllProjectPermissions(Project project, ApplicationUser applicationUser) {
        Permission permission = null;
        for (Permission permission2 : Permission.getPermissionsOn(Project.class)) {
            if (revokeProjectPermission(permission2, project, applicationUser)) {
                permission = Permission.max(permission, permission2);
            }
        }
        return permission;
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public void revokeAllRepositoryPermissions(@Nonnull Repository repository, @Nonnull String str) {
        Objects.requireNonNull(repository, "repository");
        CommonValidations.validateGroup(str);
        Permission doRevokeAllRepositoryPermissions = doRevokeAllRepositoryPermissions(repository, str);
        if (doRevokeAllRepositoryPermissions != null) {
            fireRepositoryPermissionRequestedEvent(repository, doRevokeAllRepositoryPermissions, null, str, null);
            fireRepositoryPermissionEvent(repository, doRevokeAllRepositoryPermissions, null, str, null);
        }
    }

    private Permission doRevokeAllRepositoryPermissions(Repository repository, String str) {
        Permission permission = null;
        for (Permission permission2 : Permission.getPermissionsOn(Repository.class)) {
            if (revokeRepositoryPermission(permission2, repository, str)) {
                permission = Permission.max(permission, permission2);
            }
        }
        return permission;
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public void revokeAllRepositoryPermissions(@Nonnull Repository repository, @Nonnull ApplicationUser applicationUser) {
        Objects.requireNonNull(repository, "repository");
        Objects.requireNonNull(applicationUser, "user");
        Permission doRevokeAllRepositoryPermissions = doRevokeAllRepositoryPermissions(repository, applicationUser);
        if (doRevokeAllRepositoryPermissions != null) {
            fireRepositoryPermissionRequestedEvent(repository, doRevokeAllRepositoryPermissions, null, null, applicationUser);
            fireRepositoryPermissionEvent(repository, doRevokeAllRepositoryPermissions, null, null, applicationUser);
        }
    }

    private Permission doRevokeAllRepositoryPermissions(Repository repository, ApplicationUser applicationUser) {
        Permission permission = null;
        for (Permission permission2 : Permission.getPermissionsOn(Repository.class)) {
            if (revokeRepositoryPermission(permission2, repository, applicationUser)) {
                permission = Permission.max(permission, permission2);
            }
        }
        return permission;
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @Secured("Permissions checks done internally")
    public void setPermission(@Nonnull SetPermissionRequest setPermissionRequest) {
        Permission permission = setPermissionRequest.getPermission();
        if ((permission.isGlobal() && !this.permissionService.hasGlobalPermission(Permission.max(permission, Permission.ADMIN))) || (permission.isResource(Project.class) && !this.permissionService.hasProjectPermission(setPermissionRequest.getProject(), Permission.PROJECT_ADMIN)) || (permission.isResource(Repository.class) && !this.permissionService.hasRepositoryPermission(setPermissionRequest.getRepository(), Permission.REPO_ADMIN))) {
            throw new AuthorisationException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.usercannotgrantpermission", permission));
        }
        doSetPermission(setPermissionRequest);
    }

    private void doSetPermission(@Nonnull SetPermissionRequest setPermissionRequest) {
        Permission permission = setPermissionRequest.getPermission();
        Project project = setPermissionRequest.getProject();
        Repository repository = setPermissionRequest.getRepository();
        Set<ApplicationUser> users = setPermissionRequest.getUsers();
        Set<String> groups = setPermissionRequest.getGroups();
        CommonValidations.validateGrantablePermission(permission);
        if (permission.isGlobal()) {
            for (ApplicationUser applicationUser : users) {
                Permission doRevokeAllGlobalPermissions = doRevokeAllGlobalPermissions(applicationUser);
                fireGlobalPermissionRequestedEvent(doRevokeAllGlobalPermissions, permission, null, applicationUser);
                grantGlobalPermission(permission, applicationUser);
                fireGlobalPermissionEvent(doRevokeAllGlobalPermissions, permission, null, applicationUser);
            }
            for (String str : groups) {
                Permission doRevokeAllGlobalPermissions2 = doRevokeAllGlobalPermissions(str);
                fireGlobalPermissionRequestedEvent(doRevokeAllGlobalPermissions2, permission, str, null);
                grantGlobalPermission(permission, str);
                fireGlobalPermissionEvent(doRevokeAllGlobalPermissions2, permission, str, null);
            }
            return;
        }
        if (permission.isResource(Project.class)) {
            for (ApplicationUser applicationUser2 : users) {
                Permission doRevokeAllProjectPermissions = doRevokeAllProjectPermissions(project, applicationUser2);
                fireProjectPermissionRequestedEvent(project, doRevokeAllProjectPermissions, permission, null, applicationUser2);
                grantPermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).user(InternalConverter.convertToInternalUser(applicationUser2)).build());
                fireProjectPermissionEvent(project, doRevokeAllProjectPermissions, permission, null, applicationUser2);
            }
            for (String str2 : groups) {
                Permission doRevokeAllProjectPermissions2 = doRevokeAllProjectPermissions(project, str2);
                fireProjectPermissionRequestedEvent(project, doRevokeAllProjectPermissions2, permission, str2, null);
                grantPermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).group(str2).build());
                fireProjectPermissionEvent(project, doRevokeAllProjectPermissions2, permission, str2, null);
            }
            return;
        }
        if (!permission.isResource(Repository.class)) {
            throw new ServerException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotgrantunknownpermission", Product.NAME, permission));
        }
        for (ApplicationUser applicationUser3 : users) {
            Permission doRevokeAllRepositoryPermissions = doRevokeAllRepositoryPermissions(repository, applicationUser3);
            fireRepositoryPermissionRequestedEvent(repository, doRevokeAllRepositoryPermissions, permission, null, applicationUser3);
            grantPermission(new InternalRepositoryPermission.Builder().permission(permission).repository(InternalConverter.convertToInternalRepository(repository)).user(InternalConverter.convertToInternalUser(applicationUser3)).build());
            fireRepositoryPermissionEvent(repository, doRevokeAllRepositoryPermissions, permission, null, applicationUser3);
        }
        for (String str3 : groups) {
            Permission doRevokeAllRepositoryPermissions2 = doRevokeAllRepositoryPermissions(repository, str3);
            fireRepositoryPermissionRequestedEvent(repository, doRevokeAllRepositoryPermissions2, permission, str3, null);
            grantPermission(new InternalRepositoryPermission.Builder().permission(permission).repository(InternalConverter.convertToInternalRepository(repository)).group(str3).build());
            fireRepositoryPermissionEvent(repository, doRevokeAllRepositoryPermissions2, permission, str3, null);
        }
    }

    private PageProvider<ApplicationUser> createUserProvider(UserType userType, String str) {
        return pageRequest -> {
            return PageUtils.asPageOf(ApplicationUser.class, userType == UserType.NORMAL ? this.userService.findUsersByName(str, pageRequest) : this.userService.findServiceUsersByName(str, pageRequest));
        };
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public boolean hasAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        CommonValidations.validateProjectPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        Objects.requireNonNull(project, "project");
        return this.projectPermissionDao.hasPermissionEntry(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).build());
    }

    @Override // com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService
    @PreAuthorize("hasProjectPermission(#request.project, 'PROJECT_ADMIN')")
    public Permission getProjectPermission(@Nonnull ProjectPermissionRequest projectPermissionRequest) {
        Objects.requireNonNull(projectPermissionRequest, "request");
        return this.projectPermissionDao.getHighestPermissionForUser(projectPermissionRequest.getUser().getId(), projectPermissionRequest.getProject().getId());
    }

    @Override // com.atlassian.stash.experimental.user.ExperimentalPermissionAdminService
    @PreAuthorize("hasRepositoryPermission(#request.repository, 'REPO_ADMIN')")
    public Permission getRepositoryPermission(@Nonnull RepositoryPermissionRequest repositoryPermissionRequest) {
        Objects.requireNonNull(repositoryPermissionRequest, "request");
        return this.repositoryPermissionDao.getHighestPermissionForUser(repositoryPermissionRequest.getUser().getId(), repositoryPermissionRequest.getRepository().getId());
    }

    private void grantGlobalPermission(@Nonnull Permission permission, @Nonnull ApplicationUser applicationUser) {
        this.licenseService.validateCanLicenseUser(applicationUser, permission);
        grantPermission(buildPermission(permission, null, applicationUser));
    }

    private void grantGlobalPermission(@Nonnull Permission permission, @Nonnull String str) {
        this.licenseService.validateCanLicenseGroup(str, permission);
        grantPermission(buildPermission(permission, str, null));
    }

    private void grantPermission(InternalGlobalPermission internalGlobalPermission) {
        if (this.globalPermissionDao.hasPermissionEntry(internalGlobalPermission)) {
            return;
        }
        this.globalPermissionDao.create(internalGlobalPermission);
    }

    private boolean grantPermission(InternalProjectPermission internalProjectPermission) {
        if (internalProjectPermission.getProject().getType() == ProjectType.PERSONAL) {
            throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.personalproject.grant", new Object[0]));
        }
        if (this.projectPermissionDao.hasPermissionEntry(internalProjectPermission)) {
            return false;
        }
        this.projectPermissionDao.create(internalProjectPermission);
        return true;
    }

    private void grantPermission(InternalRepositoryPermission internalRepositoryPermission) {
        if (this.repositoryPermissionDao.hasPermissionEntry(internalRepositoryPermission)) {
            return;
        }
        this.repositoryPermissionDao.create(internalRepositoryPermission);
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void grantAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        CommonValidations.validateProjectPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        Objects.requireNonNull(project, "project");
        InternalProjectPermission build = new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).build();
        Permission highestDefaultPermission = this.projectPermissionDao.getHighestDefaultPermission(project.getId());
        if (grantPermission(build)) {
            if (highestDefaultPermission == null || highestDefaultPermission.getImplyingPermissions().contains(permission)) {
                fireProjectPermissionRequestedEvent(project, highestDefaultPermission, permission, null, null);
                fireProjectPermissionEvent(project, highestDefaultPermission, permission, null, null);
            }
        }
    }

    private boolean revokeRepositoryPermission(@Nonnull Permission permission, @Nonnull Repository repository, @Nonnull ApplicationUser applicationUser) {
        Objects.requireNonNull(repository, "repository");
        CommonValidations.validateRepositoryPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        boolean z = !applicationUser.equals(this.authenticationContext.getCurrentUser());
        if (!z) {
            z = currentUserHasImpliedRepositoryPermission(permission, repository);
        }
        if (!z) {
            z = this.permissionService.hasRepositoryPermissionThroughGroupMembership(repository, permission, Collections.emptySet());
        }
        if (z) {
            return revokePermission(new InternalRepositoryPermission.Builder().permission(permission).repository(InternalConverter.convertToInternalRepository(repository)).user(InternalConverter.convertToInternalUser(applicationUser)).build());
        }
        throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cantrevokeownrepositorypermission", repository.getName()));
    }

    private boolean revokeRepositoryPermission(@Nonnull Permission permission, @Nonnull Repository repository, @Nonnull String str) {
        Objects.requireNonNull(repository, "repository");
        CommonValidations.validateRepositoryPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        boolean z = currentUser == null || !this.userService.isUserInGroup(currentUser, str);
        if (!z) {
            z = currentUserHasImpliedRepositoryPermission(permission, repository);
        }
        if (!z) {
            z = this.permissionService.hasDirectRepositoryUserPermission(repository, permission);
        }
        if (!z) {
            z = this.permissionService.hasRepositoryPermissionThroughGroupMembership(repository, permission, Collections.singleton(str));
        }
        if (z) {
            return revokePermission(new InternalRepositoryPermission.Builder().permission(permission).repository(InternalConverter.convertToInternalRepository(repository)).group(str).build());
        }
        throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cantrevokegrouprepositorypermission", repository.getName(), str));
    }

    private boolean currentUserHasImpliedRepositoryPermission(Permission permission, Repository repository) {
        return Iterables.any(permission.getImplyingPermissions(), permission2 -> {
            if (permission2.isGlobal()) {
                return this.permissionService.hasGlobalPermission(permission2);
            }
            if (permission2.isResource(Project.class)) {
                return this.permissionService.hasProjectPermission(repository.getProject(), permission2);
            }
            if (permission2.isResource(Repository.class)) {
                return this.permissionService.hasRepositoryPermission(repository, permission2);
            }
            return false;
        });
    }

    private boolean revokeProjectPermission(@Nonnull Permission permission, @Nonnull Project project, @Nonnull ApplicationUser applicationUser) {
        boolean z = !applicationUser.equals(this.authenticationContext.getCurrentUser());
        if (!z) {
            z = currentUserHasImpliedProjectPermission(permission, project);
        }
        if (!z) {
            z = this.permissionService.hasProjectPermissionThroughGroupMembership(project, permission, Collections.emptySet());
        }
        if (z) {
            return revokePermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).user(InternalConverter.convertToInternalUser(applicationUser)).build());
        }
        throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cantrevokeownprojectpermission", project.getName()));
    }

    private boolean revokeProjectPermission(@Nonnull Permission permission, @Nonnull Project project, @Nonnull String str) {
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        boolean z = currentUser == null || !this.userService.isUserInGroup(currentUser, str);
        if (!z) {
            z = currentUserHasImpliedProjectPermission(permission, project);
        }
        if (!z) {
            z = this.permissionService.hasDirectProjectUserPermission(project, permission);
        }
        if (!z) {
            z = this.permissionService.hasProjectPermissionThroughGroupMembership(project, permission, Collections.singleton(str));
        }
        if (z) {
            return revokePermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).group(str).build());
        }
        throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cantrevokegroupprojectpermission", project.getName(), str));
    }

    private boolean currentUserHasImpliedProjectPermission(Permission permission, Project project) {
        return Iterables.any(permission.getImplyingPermissions(), permission2 -> {
            if (permission2.isGlobal()) {
                return this.permissionService.hasGlobalPermission(permission2);
            }
            if (permission2.isResource(Project.class)) {
                return this.permissionService.hasProjectPermission(project, permission2);
            }
            return false;
        });
    }

    private boolean revokeGlobalPermission(@Nonnull Permission permission, @Nonnull ApplicationUser applicationUser) {
        boolean z = !applicationUser.equals(this.authenticationContext.getCurrentUser());
        if (!z) {
            Iterator<Permission> it = permission.getImplyingPermissions().iterator();
            while (it.hasNext()) {
                z = this.permissionService.hasGlobalPermission(it.next());
                if (z) {
                    break;
                }
            }
        }
        if (!z) {
            z = this.permissionService.hasGlobalPermissionThroughGroupMembership(permission, Collections.emptySet());
        }
        if (z) {
            return revokePermission(new InternalGlobalPermission.Builder().permission(permission).user(InternalConverter.convertToInternalUser(applicationUser)).build());
        }
        throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cantrevokeownpermission", new Object[0]));
    }

    private boolean revokePermission(InternalGlobalPermission internalGlobalPermission) {
        return this.globalPermissionDao.revoke(internalGlobalPermission) > 0;
    }

    private boolean revokePermission(InternalProjectPermission internalProjectPermission) {
        if (internalProjectPermission.getProject().getType() == ProjectType.PERSONAL) {
            throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.personalproject.revoke", new Object[0]));
        }
        return this.projectPermissionDao.revoke(internalProjectPermission) > 0;
    }

    private boolean revokePermission(InternalRepositoryPermission internalRepositoryPermission) {
        return this.repositoryPermissionDao.revoke(internalRepositoryPermission) > 0;
    }

    private boolean revokeGlobalPermission(@Nonnull Permission permission, @Nonnull String str) {
        InternalApplicationUser convertToInternalUser = InternalConverter.convertToInternalUser(this.authenticationContext.getCurrentUser());
        boolean z = convertToInternalUser == null || !this.userService.isUserInGroup(convertToInternalUser, str);
        if (!z) {
            Iterator<Permission> it = permission.getImplyingPermissions().iterator();
            while (it.hasNext()) {
                z = this.permissionService.hasGlobalPermission(it.next());
                if (z) {
                    break;
                }
            }
        }
        if (!z) {
            z = this.permissionService.hasDirectGlobalUserPermission(permission);
        }
        if (!z) {
            z = this.permissionService.hasGlobalPermissionThroughGroupMembership(permission, Collections.singleton(str));
        }
        if (z) {
            return revokePermission(new InternalGlobalPermission.Builder().permission(permission).group(str).build());
        }
        throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cantrevokegrouppermission", str));
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        CommonValidations.validateProjectPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        Objects.requireNonNull(project, "project");
        if (revokePermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).build())) {
            Permission highestDefaultPermission = this.projectPermissionDao.getHighestDefaultPermission(project.getId());
            if (highestDefaultPermission == null || highestDefaultPermission.getImplyingPermissions().contains(permission)) {
                fireProjectPermissionRequestedEvent(project, permission, highestDefaultPermission, null, null);
                fireProjectPermissionEvent(project, permission, highestDefaultPermission, null, null);
            }
        }
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("not isCurrentUser(#username) and (hasGlobalPermission('SYS_ADMIN') or (hasGlobalPermission('ADMIN') and not hasGlobalPermission(#username, 'SYS_ADMIN')))")
    public void revokeAllUserPermissions(@Nonnull String str) {
        CommonValidations.validateUser(str);
        ApplicationUser userByName = this.userService.getUserByName(str, true);
        if (userByName != null) {
            revokeAllUserPermissions(userByName);
        }
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("not isCurrentUser(#user) and (hasGlobalPermission('SYS_ADMIN') or (hasGlobalPermission('ADMIN') and not hasGlobalPermission(#user, 'SYS_ADMIN')))")
    public void revokeAllUserPermissions(@Nonnull ApplicationUser applicationUser) {
        Objects.requireNonNull(applicationUser, "user");
        this.globalPermissionDao.revokeAll(applicationUser.getId());
        this.projectPermissionDao.revokeAll(applicationUser.getId());
        this.repositoryPermissionDao.revokeAll(applicationUser.getId());
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGroupPermissions(@Nonnull String str) {
        CommonValidations.validateGroup(str);
        canRemovePermissionsFromGroup(str);
        this.globalPermissionDao.revokeAll(str);
        this.projectPermissionDao.revokeAll(str);
        this.repositoryPermissionDao.revokeAll(str);
    }

    private void canRemovePermissionsFromGroup(String str) {
        try {
            canDeleteGroup(str);
        } catch (ForbiddenException e) {
            throw new ForbiddenException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotdeletegroup", "You cannot remove the permissions of the group {0} as it has System Administrator privileges, and you are not a System Administrator.", str));
        } catch (IntegrityException e2) {
            throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotremovepermissionsgroup", new Object[0]));
        }
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canRemoveUserFromGroup(@Nonnull String str, @Nonnull String str2) {
        CommonValidations.validateUser(str);
        CommonValidations.validateGroup(str2);
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser == null || !IdentifierUtils.equalsInLowerCase(currentUser.getName(), str)) {
            if (this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str2) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
                throw new ForbiddenException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotremoveuser", str, str2));
            }
        } else if (this.userService.isUserInGroup(currentUser, str2) && !canRemoveCurrentUserFromGroup(str2)) {
            throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotremoveself", new Object[0]));
        }
    }

    private boolean canRemoveCurrentUserFromGroup(String str) {
        return this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str) ? this.permissionService.hasDirectGlobalUserPermission(Permission.SYS_ADMIN) || this.permissionService.hasGlobalPermissionThroughGroupMembership(Permission.SYS_ADMIN, Collections.singleton(str)) : !this.permissionService.hasGlobalGroupPermission(Permission.ADMIN, str) || this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) || this.permissionService.hasDirectGlobalUserPermission(Permission.ADMIN) || this.permissionService.hasGlobalPermissionThroughGroupMembership(Permission.ADMIN, Collections.singleton(str));
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canAddUserToGroup(@Nonnull String str) {
        CommonValidations.validateGroup(str);
        if (!this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) && this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str)) {
            throw new ForbiddenException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotaddusertogroup", str));
        }
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canDeleteGroup(@Nonnull String str) {
        CommonValidations.validateGroup(str);
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser != null && this.userService.isUserInGroup(currentUser, str)) {
            if (!canRemoveCurrentUserFromGroup(str)) {
                throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotremovegroup", new Object[0]));
            }
        } else if (!this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) && this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str)) {
            throw new ForbiddenException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotdeletegroup", str));
        }
    }

    @Override // com.atlassian.bitbucket.permission.PermissionAdminService
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canDeleteUser(@Nonnull String str) {
        CommonValidations.validateUser(str);
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser != null && IdentifierUtils.equalsInLowerCase(currentUser.getName(), str)) {
            throw new IntegrityException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.selfdelete", new Object[0]));
        }
        ApplicationUser userByName = this.userService.getUserByName(str);
        if (userByName != null && this.permissionService.hasGlobalPermission(userByName, Permission.SYS_ADMIN) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
            throw new ForbiddenException(this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.cannotdeleteuser", userByName.getName()));
        }
    }

    @EventListener
    public void onGroupDeleted(GroupCleanupEvent groupCleanupEvent) {
        this.globalPermissionDao.revokeAll(groupCleanupEvent.getGroup());
        this.projectPermissionDao.revokeAll(groupCleanupEvent.getGroup());
        this.repositoryPermissionDao.revokeAll(groupCleanupEvent.getGroup());
    }

    @EventListener
    public void onUserDeleted(UserCleanupEvent userCleanupEvent) {
        this.globalPermissionDao.revokeAll(userCleanupEvent.getDeletedUser().getId());
        this.projectPermissionDao.revokeAll(userCleanupEvent.getDeletedUser().getId());
        this.repositoryPermissionDao.revokeAll(userCleanupEvent.getDeletedUser().getId());
    }

    private InternalGlobalPermission buildPermission(Permission permission, String str, ApplicationUser applicationUser) {
        return new InternalGlobalPermission.Builder().permission(permission).user(InternalConverter.convertToInternalUser(applicationUser)).group(str).build();
    }

    private void fireGlobalPermissionEvent(final Permission permission, final Permission permission2, final String str, final ApplicationUser applicationUser) {
        this.eventPublisher.publish(visitPermissionAction(permission, permission2, new PermissionActionVisitor<PermissionEvent>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.5
            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionGranted */
            public PermissionEvent visitPermissionGranted2() {
                return new GlobalPermissionGrantedEvent(DefaultPermissionAdminService.this, permission2, str, applicationUser);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionModified */
            public PermissionEvent visitPermissionModified2() {
                return new GlobalPermissionModifiedEvent(DefaultPermissionAdminService.this, permission, permission2, str, applicationUser);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionRevoked */
            public PermissionEvent visitPermissionRevoked2() {
                return new GlobalPermissionRevokedEvent(DefaultPermissionAdminService.this, permission, str, applicationUser);
            }
        }));
    }

    private void fireGlobalPermissionRequestedEvent(final Permission permission, final Permission permission2, final String str, final ApplicationUser applicationUser) {
        final SimpleCancelState simpleCancelState = new SimpleCancelState();
        this.eventPublisher.publish(visitPermissionAction(permission, permission2, new PermissionActionVisitor<PermissionEvent>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.6
            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionGranted */
            public PermissionEvent visitPermissionGranted2() {
                return new GlobalPermissionGrantRequestedEvent(DefaultPermissionAdminService.this, permission2, str, applicationUser, simpleCancelState);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionModified */
            public PermissionEvent visitPermissionModified2() {
                return new GlobalPermissionModificationRequestedEvent(DefaultPermissionAdminService.this, permission, permission2, str, applicationUser, simpleCancelState);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionRevoked */
            public PermissionEvent visitPermissionRevoked2() {
                return new GlobalPermissionRevocationRequestedEvent(DefaultPermissionAdminService.this, permission, str, applicationUser, simpleCancelState);
            }
        }));
        maybeCancelRequest(permission, permission2, simpleCancelState);
    }

    private void fireProjectPermissionEvent(final Project project, final Permission permission, final Permission permission2, final String str, final ApplicationUser applicationUser) {
        this.eventPublisher.publish(visitPermissionAction(permission, permission2, new PermissionActionVisitor<ProjectPermissionEvent>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.7
            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionGranted */
            public ProjectPermissionEvent visitPermissionGranted2() {
                return new ProjectPermissionGrantedEvent(DefaultPermissionAdminService.this, permission2, project, str, applicationUser);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionModified */
            public ProjectPermissionEvent visitPermissionModified2() {
                return new ProjectPermissionModifiedEvent(DefaultPermissionAdminService.this, permission, permission2, project, str, applicationUser);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionRevoked */
            public ProjectPermissionEvent visitPermissionRevoked2() {
                return new ProjectPermissionRevokedEvent(DefaultPermissionAdminService.this, permission, project, str, applicationUser);
            }
        }));
    }

    private void fireProjectPermissionRequestedEvent(final Project project, final Permission permission, final Permission permission2, final String str, final ApplicationUser applicationUser) {
        final SimpleCancelState simpleCancelState = new SimpleCancelState();
        this.eventPublisher.publish(visitPermissionAction(permission, permission2, new PermissionActionVisitor<PermissionEvent>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.8
            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionGranted */
            public PermissionEvent visitPermissionGranted2() {
                return new ProjectPermissionGrantRequestedEvent(DefaultPermissionAdminService.this, permission2, project, str, applicationUser, simpleCancelState);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionModified */
            public PermissionEvent visitPermissionModified2() {
                return new ProjectPermissionModificationRequestedEvent(DefaultPermissionAdminService.this, permission, permission2, project, str, applicationUser, simpleCancelState);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionRevoked */
            public PermissionEvent visitPermissionRevoked2() {
                return new ProjectPermissionRevocationRequestedEvent(DefaultPermissionAdminService.this, permission, project, str, applicationUser, simpleCancelState);
            }
        }));
        maybeCancelRequest(permission, permission2, simpleCancelState);
    }

    private void fireRepositoryPermissionEvent(final Repository repository, final Permission permission, final Permission permission2, final String str, final ApplicationUser applicationUser) {
        this.eventPublisher.publish(visitPermissionAction(permission, permission2, new PermissionActionVisitor<RepositoryPermissionEvent>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.9
            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionGranted */
            public RepositoryPermissionEvent visitPermissionGranted2() {
                return new RepositoryPermissionGrantedEvent(DefaultPermissionAdminService.this, permission2, repository, str, applicationUser);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionModified */
            public RepositoryPermissionEvent visitPermissionModified2() {
                return new RepositoryPermissionModifiedEvent(DefaultPermissionAdminService.this, permission, permission2, repository, str, applicationUser);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionRevoked */
            public RepositoryPermissionEvent visitPermissionRevoked2() {
                return new RepositoryPermissionRevokedEvent(DefaultPermissionAdminService.this, permission, repository, str, applicationUser);
            }
        }));
    }

    private void fireRepositoryPermissionRequestedEvent(final Repository repository, final Permission permission, final Permission permission2, final String str, final ApplicationUser applicationUser) {
        final SimpleCancelState simpleCancelState = new SimpleCancelState();
        this.eventPublisher.publish(visitPermissionAction(permission, permission2, new PermissionActionVisitor<RepositoryPermissionEvent>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.10
            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionGranted, reason: merged with bridge method [inline-methods] */
            public RepositoryPermissionEvent visitPermissionGranted2() {
                return new RepositoryPermissionGrantRequestedEvent(DefaultPermissionAdminService.this, permission2, repository, str, applicationUser, simpleCancelState);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionModified, reason: merged with bridge method [inline-methods] */
            public RepositoryPermissionEvent visitPermissionModified2() {
                return new RepositoryPermissionModificationRequestedEvent(DefaultPermissionAdminService.this, permission, permission2, repository, str, applicationUser, simpleCancelState);
            }

            @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
            /* renamed from: visitPermissionRevoked, reason: merged with bridge method [inline-methods] */
            public RepositoryPermissionEvent visitPermissionRevoked2() {
                return new RepositoryPermissionRevocationRequestedEvent(DefaultPermissionAdminService.this, permission, repository, str, applicationUser, simpleCancelState);
            }
        }));
        maybeCancelRequest(permission, permission2, simpleCancelState);
    }

    private Page<ApplicationUser> getUsersWithoutPermission(Predicate<ApplicationUser> predicate, UserType userType, String str, PageRequest pageRequest) {
        PageProvider<ApplicationUser> createUserProvider = createUserProvider(userType, str);
        UserPageFilter userPageFilter = new UserPageFilter(str);
        return PageUtils.filterPages(createUserProvider, userPageFilter.and(predicate), pageRequest.buildRestrictedPageRequest(this.maxUsers));
    }

    private Page<String> getGroupsWithoutPermission(String str, Predicate<String> predicate, PageRequest pageRequest) {
        PageProvider pageProvider = pageRequest2 -> {
            return this.userService.findGroupsByName(str, pageRequest2);
        };
        GroupPageFilter groupPageFilter = new GroupPageFilter(str);
        Page filterPages = PageUtils.filterPages(pageProvider, groupPageFilter.and(predicate), pageRequest.buildRestrictedPageRequest(this.maxGroups));
        Function<String, String> function = IdentifierUtils.TO_LOWER_CASE;
        function.getClass();
        return filterPages.transform((v1) -> {
            return r1.apply(v1);
        });
    }

    private void maybeCancelRequest(Permission permission, Permission permission2, final SimpleCancelState simpleCancelState) {
        if (simpleCancelState.isCanceled()) {
            throw ((RequestCanceledException) visitPermissionAction(permission, permission2, new PermissionActionVisitor<RequestCanceledException>() { // from class: com.atlassian.stash.internal.user.DefaultPermissionAdminService.11
                @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
                /* renamed from: visitPermissionGranted */
                public RequestCanceledException visitPermissionGranted2() {
                    return new PermissionGrantCanceledException(DefaultPermissionAdminService.this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.grantcanceled", new Object[0]), simpleCancelState.getCancelMessages());
                }

                @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
                /* renamed from: visitPermissionModified */
                public RequestCanceledException visitPermissionModified2() {
                    return new PermissionModificationCanceledException(DefaultPermissionAdminService.this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.modificationcanceled", new Object[0]), simpleCancelState.getCancelMessages());
                }

                @Override // com.atlassian.stash.internal.user.DefaultPermissionAdminService.PermissionActionVisitor
                /* renamed from: visitPermissionRevoked */
                public RequestCanceledException visitPermissionRevoked2() {
                    return new PermissionRevocationCanceledException(DefaultPermissionAdminService.this.i18nService.createKeyedMessage("bitbucket.service.permissionadmin.revocationcanceled", new Object[0]), simpleCancelState.getCancelMessages());
                }
            }));
        }
    }

    @VisibleForTesting
    static Predicate<String> withoutGroups(PageProvider<String> pageProvider) {
        return new InIteratorPredicate(CASE_INSENSITIVE_COMPARATOR, new PagedIterable(pageProvider, 500).iterator()).negate();
    }

    @VisibleForTesting
    static Predicate<ApplicationUser> withoutUsers(PageProvider<ApplicationUser> pageProvider) {
        return new InIteratorPredicate(CASE_INSENSITIVE_NAME_COMPARATOR, new PagedIterable(pageProvider, 500).iterator()).negate();
    }

    private static <T> T visitPermissionAction(Permission permission, Permission permission2, PermissionActionVisitor<T> permissionActionVisitor) {
        return permission == null ? permissionActionVisitor.visitPermissionGranted2() : permission2 == null ? permissionActionVisitor.visitPermissionRevoked2() : permissionActionVisitor.visitPermissionModified2();
    }

    private Predicate<ApplicationUser> licensedOnly() {
        return applicationUser -> {
            return this.permissionService.hasGlobalPermission(applicationUser, Permission.LICENSED_USER);
        };
    }
}
