package com.atlassian.bitbucket.internal.accesstokens;

import com.atlassian.bitbucket.AuthorisationException;
import com.atlassian.bitbucket.NoSuchEntityException;
import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.event.user.UserCleanupEvent;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.accesstokens.dao.AccessTokenDao;
import com.atlassian.bitbucket.internal.accesstokens.dao.AoAccessToken;
import com.atlassian.bitbucket.internal.accesstokens.event.AccessTokenCreatedEvent;
import com.atlassian.bitbucket.internal.accesstokens.event.AccessTokenDeletedEvent;
import com.atlassian.bitbucket.internal.accesstokens.event.AccessTokenModifiedEvent;
import com.atlassian.bitbucket.internal.accesstokens.event.AccessTokenSummaryEvent;
import com.atlassian.bitbucket.internal.accesstokens.exception.CreateTokenFailedException;
import com.atlassian.bitbucket.internal.accesstokens.exception.TokenLimitExceededException;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.PermissionService;
import com.atlassian.bitbucket.permission.PermissionValidationService;
import com.atlassian.bitbucket.server.ApplicationPropertiesService;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.UserService;
import com.atlassian.bitbucket.util.Page;
import com.atlassian.bitbucket.util.PageRequest;
import com.atlassian.bitbucket.util.PageUtils;
import com.atlassian.bitbucket.validation.ArgumentValidationException;
import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.sal.api.transaction.TransactionTemplate;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-access-tokens-6.0.0.jar:com/atlassian/bitbucket/internal/accesstokens/DefaultAccessTokenService.class */
public class DefaultAccessTokenService implements InternalAccessTokenService {
    static final int DEFAULT_MAX_TOKENS_PER_USER = 100;
    static final String MAX_TOKENS_PER_USER_PROPERTY_KEY = "plugin.bitbucket-access-tokens.max.tokens.per.user";
    private static final int MAX_CREATE_RETRIES = 10;
    private static final Set<Permission> allowablePermission = ImmutableSet.of(Permission.PROJECT_ADMIN, Permission.PROJECT_WRITE, Permission.PROJECT_READ, Permission.REPO_ADMIN, Permission.REPO_WRITE, Permission.REPO_READ, new Permission[0]);
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultAccessTokenService.class);
    private final AccessTokenDao accessTokenDao;
    private final AccessTokenGenerator accessTokenGenerator;
    private final AuthenticationContext authenticationContext;
    private final DateProvider dateProvider;
    private final EventPublisher eventPublisher;
    private final I18nService i18nService;
    private final int maxTokensPerUser;
    private final PermissionService permissionService;
    private final PermissionValidationService permissionValidationService;
    private final TransactionTemplate transactionTemplate;
    private final UserService userService;

    @Autowired
    public DefaultAccessTokenService(@Nonnull AccessTokenDao accessTokenDao, @Nonnull AccessTokenGenerator accessTokenGenerator, @Nonnull ApplicationPropertiesService applicationPropertiesService, @Nonnull AuthenticationContext authenticationContext, @Nonnull EventPublisher eventPublisher, @Nonnull I18nService i18nService, @Nonnull PermissionService permissionService, @Nonnull PermissionValidationService permissionValidationService, @Nonnull TransactionTemplate transactionTemplate, @Nonnull UserService userService) {
        this(accessTokenDao, accessTokenGenerator, applicationPropertiesService, authenticationContext, new DefaultDateProvider(), eventPublisher, i18nService, permissionService, permissionValidationService, transactionTemplate, userService);
    }

    DefaultAccessTokenService(@Nonnull AccessTokenDao accessTokenDao, @Nonnull AccessTokenGenerator accessTokenGenerator, @Nonnull ApplicationPropertiesService applicationPropertiesService, @Nonnull AuthenticationContext authenticationContext, @Nonnull DateProvider dateProvider, @Nonnull EventPublisher eventPublisher, @Nonnull I18nService i18nService, @Nonnull PermissionService permissionService, @Nonnull PermissionValidationService permissionValidationService, @Nonnull TransactionTemplate transactionTemplate, @Nonnull UserService userService) {
        this.accessTokenDao = accessTokenDao;
        this.accessTokenGenerator = accessTokenGenerator;
        this.authenticationContext = authenticationContext;
        this.dateProvider = dateProvider;
        this.eventPublisher = eventPublisher;
        this.i18nService = i18nService;
        this.maxTokensPerUser = applicationPropertiesService.getPluginProperty(MAX_TOKENS_PER_USER_PROPERTY_KEY, 100);
        this.permissionService = permissionService;
        this.permissionValidationService = permissionValidationService;
        this.transactionTemplate = transactionTemplate;
        this.userService = userService;
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.InternalAccessTokenService
    @Nonnull
    public Optional<AccessToken> authenticate(@Nonnull AuthenticateAccessTokenRequest authenticateAccessTokenRequest) {
        Objects.requireNonNull(authenticateAccessTokenRequest, "request");
        String token = authenticateAccessTokenRequest.getToken();
        if (!this.accessTokenGenerator.isValidToken(token)) {
            return Optional.empty();
        }
        String id = this.accessTokenGenerator.getId(token);
        return (Optional) this.transactionTemplate.execute(() -> {
            return this.accessTokenDao.getById(id).flatMap(aoAccessToken -> {
                ApplicationUser userById;
                if (this.accessTokenGenerator.authenticateToken(token, aoAccessToken.getHashedToken()) && (userById = this.userService.getUserById(aoAccessToken.getUserId())) != null) {
                    if (!this.userService.isUserActive(userById)) {
                        log.info("User \"{}\" attempted to authenticate via a personal access token, but is no longer active in the underlying user directory. The request has been blocked.", userById.getName());
                        return Optional.empty();
                    }
                    Optional<ApplicationUser> user = authenticateAccessTokenRequest.getUser();
                    if (!user.isPresent() || user.get().getId() == userById.getId()) {
                        this.accessTokenDao.updateLastAuthenticated(aoAccessToken, this.dateProvider.getDate());
                        return Optional.of(SimpleAccessToken.builder(aoAccessToken, userById).build());
                    }
                    log.warn("The user provided on the request, {}, does not match the user associated with token {}, {}", user.get(), id, userById);
                    return Optional.empty();
                }
                return Optional.empty();
            });
        });
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public RawAccessToken create(@Nonnull CreateAccessTokenRequest createAccessTokenRequest) {
        Objects.requireNonNull(createAccessTokenRequest, "request");
        validateAllowablePermissions(createAccessTokenRequest.getPermissions());
        ApplicationUser user = createAccessTokenRequest.getUser();
        this.permissionValidationService.validateForUser(user, Permission.USER_ADMIN);
        if (user.equals(this.authenticationContext.getCurrentUser())) {
            return (RawAccessToken) this.transactionTemplate.execute(() -> {
                if (this.accessTokenDao.countForUser(user) >= this.maxTokensPerUser) {
                    throw new TokenLimitExceededException(this.i18nService.createKeyedMessage("bitbucket.access.tokens.error.too.many", Integer.valueOf(this.maxTokensPerUser)));
                }
                int i = 0;
                while (i < 10) {
                    i++;
                    String generateToken = this.accessTokenGenerator.generateToken();
                    String id = this.accessTokenGenerator.getId(generateToken);
                    if (!this.accessTokenDao.getById(id).isPresent()) {
                        RawAccessToken build = SimpleRawAccessToken.builder(this.accessTokenDao.create(SimpleHashedAccessToken.builder(id, this.accessTokenGenerator.hashToken(generateToken)).createdDate(this.dateProvider.getDate()).name(createAccessTokenRequest.getName()).permissions(createAccessTokenRequest.getPermissions()).user(user).build()), user, generateToken).build();
                        this.eventPublisher.publish(new AccessTokenCreatedEvent(this, build.toAccessToken()));
                        return build;
                    }
                }
                throw new CreateTokenFailedException(this.i18nService.createKeyedMessage("bitbucket.access.tokens.error.create", new Object[0]));
            });
        }
        throw new AuthorisationException(this.i18nService.createKeyedMessage("bitbucket.access.tokens.error.create.unauthorized", new Object[0]));
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    public boolean deleteById(@Nonnull String str) {
        Objects.requireNonNull(str, "tokenId");
        this.permissionValidationService.validateAuthenticated();
        return ((Boolean) this.transactionTemplate.execute(() -> {
            Optional<AoAccessToken> byId = this.accessTokenDao.getById(str);
            if (!byId.isPresent()) {
                return false;
            }
            AoAccessToken aoAccessToken = byId.get();
            ApplicationUser userOrThrow = getUserOrThrow(aoAccessToken.getUserId());
            this.permissionValidationService.validateForUser(userOrThrow, Permission.USER_ADMIN);
            this.accessTokenDao.delete(aoAccessToken);
            this.eventPublisher.publish(new AccessTokenDeletedEvent(this, SimpleAccessToken.builder(aoAccessToken, userOrThrow).build()));
            return true;
        })).booleanValue();
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public Optional<AccessToken> getById(@Nonnull String str) {
        return getTokenById(str, true);
    }

    @EventListener
    public void onUserDeleted(@Nonnull UserCleanupEvent userCleanupEvent) {
        ApplicationUser deletedUser = userCleanupEvent.getDeletedUser();
        this.transactionTemplate.execute(() -> {
            PageUtils.toStream(pageRequest -> {
                return this.accessTokenDao.searchByUser(deletedUser, pageRequest);
            }, 100).forEach(aoAccessToken -> {
                this.accessTokenDao.delete(aoAccessToken);
                this.eventPublisher.publish(new AccessTokenDeletedEvent(this, SimpleAccessToken.builder(aoAccessToken, deletedUser).build()));
            });
            return null;
        });
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.InternalAccessTokenService
    @Nonnull
    public void publishAnalyticsSummary(@Nonnull Duration duration) {
        Objects.requireNonNull(duration, "interval");
        AccessTokenSummaryEvent accessTokenSummaryEvent = (AccessTokenSummaryEvent) this.transactionTemplate.execute(() -> {
            return new AccessTokenSummaryEvent(this, this.accessTokenDao.countAll(), this.accessTokenDao.countByAuthenticatedSince(Date.from(this.dateProvider.getZonedDateTime().minus((TemporalAmount) duration).toInstant())), duration);
        });
        if (accessTokenSummaryEvent.getAuthenticatedRecently() > 0) {
            this.eventPublisher.publish(accessTokenSummaryEvent);
        }
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public Page<AccessToken> search(@Nonnull AccessTokenSearchRequest accessTokenSearchRequest, @Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(accessTokenSearchRequest, "request");
        Objects.requireNonNull(pageRequest, "pageRequest");
        ApplicationUser user = accessTokenSearchRequest.getUser();
        if (!this.permissionService.hasGlobalPermission(Permission.ADMIN)) {
            this.permissionValidationService.validateForUser(user, Permission.USER_ADMIN);
        }
        return (Page) this.transactionTemplate.execute(() -> {
            return this.accessTokenDao.searchByUser(user, pageRequest).transform(aoAccessToken -> {
                return SimpleAccessToken.builder(aoAccessToken, user).build();
            });
        });
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.InternalAccessTokenService
    @Nonnull
    public Optional<AccessToken> unAuthenticatedGetById(@Nonnull String str) {
        return getTokenById(str, false);
    }

    @Override // com.atlassian.bitbucket.internal.accesstokens.AccessTokenService
    @Nonnull
    public AccessToken update(@Nonnull UpdateAccessTokenRequest updateAccessTokenRequest) {
        Objects.requireNonNull(updateAccessTokenRequest, "request");
        validateAllowablePermissions(updateAccessTokenRequest.getPermissions());
        this.permissionValidationService.validateAuthenticated();
        return (AccessToken) this.transactionTemplate.execute(() -> {
            AoAccessToken orElseThrow = this.accessTokenDao.getById(updateAccessTokenRequest.getId()).orElseThrow(() -> {
                return new NoSuchEntityException(this.i18nService.createKeyedMessage("bitbucket.access.tokens.error.notfound", updateAccessTokenRequest.getId()));
            });
            ApplicationUser userOrThrow = getUserOrThrow(orElseThrow.getUserId());
            this.permissionValidationService.validateForUser(userOrThrow, Permission.USER_ADMIN);
            AccessToken build = SimpleAccessToken.builder(orElseThrow, userOrThrow).build();
            AccessToken build2 = SimpleAccessToken.builder(this.accessTokenDao.update(orElseThrow, updateAccessTokenRequest.getName().orElse(null), updateAccessTokenRequest.getPermissions()), userOrThrow).build();
            this.eventPublisher.publish(new AccessTokenModifiedEvent(this, build2, build));
            return build2;
        });
    }

    private Optional<AccessToken> getTokenById(String str, boolean z) {
        Objects.requireNonNull(str, "tokenId");
        if (z) {
            this.permissionValidationService.validateAuthenticated();
        }
        return (Optional) this.transactionTemplate.execute(() -> {
            return this.accessTokenDao.getById(str).flatMap(aoAccessToken -> {
                ApplicationUser userById = this.userService.getUserById(aoAccessToken.getUserId());
                if (userById == null) {
                    return Optional.empty();
                }
                if (z && !this.permissionService.hasGlobalPermission(Permission.ADMIN)) {
                    this.permissionValidationService.validateForUser(userById, Permission.USER_ADMIN);
                }
                return Optional.of(SimpleAccessToken.builder(aoAccessToken, userById).build());
            });
        });
    }

    private ApplicationUser getUserOrThrow(int i) {
        ApplicationUser userById = this.userService.getUserById(i, true);
        if (userById == null) {
            throw new NoSuchEntityException(this.i18nService.createKeyedMessage("bitbucket.access.tokens.error.nosuchuser", Integer.valueOf(i)));
        }
        return userById;
    }

    private void validateAllowablePermissions(@Nonnull Set<Permission> set) {
        Sets.SetView difference = Sets.difference(set, allowablePermission);
        if (!difference.isEmpty()) {
            throw new ArgumentValidationException(this.i18nService.createKeyedMessage("bitbucket.access.tokens.error.bad.permissions", Integer.valueOf(difference.size()), StringUtils.join(difference, ", ")));
        }
    }
}
