package com.atlassian.stash.internal.permission;

import com.atlassian.bitbucket.auth.Authentication;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.PermissionCheck;
import com.atlassian.bitbucket.permission.PermissionService;
import com.atlassian.bitbucket.permission.PermissionVote;
import com.atlassian.bitbucket.permission.PermissionVoter;
import com.atlassian.bitbucket.permission.PermissionVoterProvider;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;

/* JADX INFO: Access modifiers changed from: package-private */
@Component
@Order(4)
/* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/permission/UserAdminVoterProvider.class */
public class UserAdminVoterProvider implements PermissionVoterProvider {
    private final PermissionService permissionService;

    /* loaded from: input_file:WEB-INF/lib/bitbucket-service-impl-5.16.0.jar:com/atlassian/stash/internal/permission/UserAdminVoterProvider$UserAdminVoter.class */
    private class UserAdminVoter implements PermissionVoter {
        private final Supplier<Permission> highestGlobalPermission;
        private final ApplicationUser requestingUser;

        private UserAdminVoter(ApplicationUser applicationUser) {
            this.requestingUser = applicationUser;
            this.highestGlobalPermission = Suppliers.memoize(() -> {
                return UserAdminVoterProvider.this.permissionService.getHighestGlobalPermission(applicationUser);
            });
        }

        @Override // com.atlassian.bitbucket.permission.PermissionVoter
        @Nonnull
        public PermissionVote vote(@Nonnull PermissionCheck permissionCheck) {
            if (permissionCheck.getPermission() != Permission.USER_ADMIN || permissionCheck.getResult() != PermissionVote.ABSTAIN) {
                return PermissionVote.ABSTAIN;
            }
            Optional<Object> filter = permissionCheck.getResource().filter(obj -> {
                return obj instanceof ApplicationUser;
            });
            Class<ApplicationUser> cls = ApplicationUser.class;
            ApplicationUser.class.getClass();
            ApplicationUser applicationUser = (ApplicationUser) filter.map(cls::cast).orElse(null);
            if (applicationUser == null) {
                return isSysadmin() ? PermissionVote.GRANT : PermissionVote.ABSTAIN;
            }
            if (applicationUser.getId() != this.requestingUser.getId() && !isSysadmin()) {
                return (!isAdmin() || UserAdminVoterProvider.this.permissionService.hasGlobalPermission(applicationUser, Permission.SYS_ADMIN)) ? PermissionVote.ABSTAIN : PermissionVote.GRANT;
            }
            return PermissionVote.GRANT;
        }

        private boolean isAdmin() {
            Permission permission = this.highestGlobalPermission.get();
            return permission != null && (permission == Permission.ADMIN || permission.getInheritedPermissions().contains(Permission.ADMIN));
        }

        private boolean isSysadmin() {
            Permission permission = this.highestGlobalPermission.get();
            return permission != null && (permission == Permission.SYS_ADMIN || permission.getInheritedPermissions().contains(Permission.SYS_ADMIN));
        }
    }

    @Autowired
    UserAdminVoterProvider(@Lazy PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    @Override // com.atlassian.bitbucket.permission.PermissionVoterProvider
    public PermissionVoter create(@Nonnull Authentication authentication) {
        return (PermissionVoter) authentication.getUser().filter((v0) -> {
            return v0.isActive();
        }).map(applicationUser -> {
            return new UserAdminVoter(applicationUser);
        }).orElse(null);
    }
}
