package com.atlassian.bitbucket.internal.gpg.hook;

import com.atlassian.applinks.internal.common.rest.model.applink.RestApplicationLink;
import com.atlassian.bitbucket.Product;
import com.atlassian.bitbucket.auth.AuthenticationContext;
import com.atlassian.bitbucket.commit.Commit;
import com.atlassian.bitbucket.hook.repository.CommitAddedDetails;
import com.atlassian.bitbucket.hook.repository.MergeHookRequest;
import com.atlassian.bitbucket.hook.repository.PreRepositoryHook;
import com.atlassian.bitbucket.hook.repository.PreRepositoryHookCommitCallback;
import com.atlassian.bitbucket.hook.repository.PreRepositoryHookContext;
import com.atlassian.bitbucket.hook.repository.RepositoryHookCommitFilter;
import com.atlassian.bitbucket.hook.repository.RepositoryHookRequest;
import com.atlassian.bitbucket.hook.repository.RepositoryHookResult;
import com.atlassian.bitbucket.hook.repository.StandardRepositoryHookTrigger;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.gpg.GpgConstants;
import com.atlassian.bitbucket.internal.gpg.GpgSignatureVerifier;
import com.atlassian.bitbucket.internal.gpg.GpgSignatureVerifierFactory;
import com.atlassian.bitbucket.internal.gpg.SignatureState;
import com.atlassian.bitbucket.repository.RefChange;
import com.atlassian.bitbucket.repository.RefChangeType;
import com.atlassian.bitbucket.repository.Repository;
import com.atlassian.bitbucket.repository.StandardRefType;
import com.atlassian.bitbucket.scm.git.hook.GitRepositoryHookTrigger;
import com.atlassian.bitbucket.scm.signed.StandardSignableObjectType;
import com.atlassian.bitbucket.server.ApplicationPropertiesService;
import com.atlassian.bitbucket.user.ApplicationUser;
import com.atlassian.bitbucket.user.UserType;
import com.atlassian.bitbucket.util.MoreCollectors;
import com.atlassian.bitbucket.util.ShaUtils;
import java.util.Collection;
import java.util.List;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-gpg-6.0.0.jar:com/atlassian/bitbucket/internal/gpg/hook/VerifyGpgSignatureHook.class */
public class VerifyGpgSignatureHook implements PreRepositoryHook<RepositoryHookRequest> {
    static final String PREFIX = "bitbucket.plugins.hooks.verify.signature.error.";
    private static final Logger log = LoggerFactory.getLogger((Class<?>) VerifyGpgSignatureHook.class);
    private final AuthenticationContext authenticationContext;
    private final GpgSignatureVerifierFactory gpgSignatureVerifierFactory;
    private final I18nService i18nService;
    private final boolean allowFileEdit;
    private final boolean allowRebase;

    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/bitbucket-gpg-6.0.0.jar:com/atlassian/bitbucket/internal/gpg/hook/VerifyGpgSignatureHook$CommitAnalyzer.class */
    private class CommitAnalyzer implements PreRepositoryHookCommitCallback {
        private final RepositoryHookResult.Builder builder = new RepositoryHookResult.Builder();
        private final GpgSignatureVerifier gpgSignatureVerifier;
        private final RepositoryHookRequest hookRequest;
        private final boolean signatureRequired;

        CommitAnalyzer(GpgSignatureVerifier gpgSignatureVerifier, RepositoryHookRequest repositoryHookRequest, boolean z) {
            this.gpgSignatureVerifier = gpgSignatureVerifier;
            this.hookRequest = repositoryHookRequest;
            this.signatureRequired = z;
        }

        @Override // com.atlassian.bitbucket.hook.repository.PreRepositoryHookCommitCallback
        @Nonnull
        public RepositoryHookResult getResult() {
            return this.builder.build();
        }

        @Override // com.atlassian.bitbucket.hook.repository.RepositoryHookCommitCallback
        public boolean onCommitAdded(@Nonnull CommitAddedDetails commitAddedDetails) {
            if (!commitAddedDetails.isAddedToRepository()) {
                return true;
            }
            Commit commit = commitAddedDetails.getCommit();
            String displayId = commit.getDisplayId();
            SignatureState verify = this.gpgSignatureVerifier.verify(StandardSignableObjectType.COMMIT, commit.getId());
            VerifyGpgSignatureHook.log.trace("[{}] Commit {} verified as {}", this.hookRequest.getRepository(), displayId, verify);
            this.builder.add(VerifyGpgSignatureHook.this.checkSignatureState(verify, displayId, this.signatureRequired && !isBitbucketCommit(commit)));
            return !this.builder.isRejected();
        }

        @Override // com.atlassian.bitbucket.hook.repository.RepositoryHookCommitCallback
        public void onEnd() {
            this.gpgSignatureVerifier.onEnd();
        }

        @Override // com.atlassian.bitbucket.hook.repository.RepositoryHookCommitCallback
        public void onStart() {
            this.gpgSignatureVerifier.onStart();
        }

        private boolean isBitbucketCommit(Commit commit) {
            if (!(this.hookRequest instanceof MergeHookRequest)) {
                return false;
            }
            return ShaUtils.hashesMatch(commit.getId(), ((MergeHookRequest) this.hookRequest).getMergeHash().orElse(null));
        }
    }

    public VerifyGpgSignatureHook(AuthenticationContext authenticationContext, GpgSignatureVerifierFactory gpgSignatureVerifierFactory, I18nService i18nService, ApplicationPropertiesService applicationPropertiesService) {
        this.authenticationContext = authenticationContext;
        this.gpgSignatureVerifierFactory = gpgSignatureVerifierFactory;
        this.i18nService = i18nService;
        this.allowFileEdit = applicationPropertiesService.getPluginProperty(GpgConstants.PROP_ALLOW_FILE_EDIT, true);
        this.allowRebase = applicationPropertiesService.getPluginProperty(GpgConstants.PROP_ALLOW_REBASE, true);
    }

    @Override // com.atlassian.bitbucket.hook.repository.PreRepositoryHook
    @Nonnull
    public RepositoryHookResult preUpdate(@Nonnull PreRepositoryHookContext preRepositoryHookContext, @Nonnull RepositoryHookRequest repositoryHookRequest) {
        if (isOnlyDeletes(repositoryHookRequest)) {
            return RepositoryHookResult.accepted();
        }
        boolean isNormalUser = isNormalUser();
        Repository repository = repositoryHookRequest.getRepository();
        if (StandardRepositoryHookTrigger.FILE_EDIT.equals(repositoryHookRequest.getTrigger())) {
            if (!this.allowFileEdit && isNormalUser) {
                return reject("file.edit", new String[0]);
            }
            log.trace("[{}] Skipping GPG verification for in-browser edit", repository);
            return RepositoryHookResult.accepted();
        }
        if (GitRepositoryHookTrigger.REBASE.equals(repositoryHookRequest.getTrigger()) || isRebaseMerge(repositoryHookRequest)) {
            if (!this.allowRebase && isNormalUser) {
                return reject("rebase", new String[0]);
            }
            log.trace("[{}] Skipping GPG verification for in-app rebase", repository);
            return RepositoryHookResult.accepted();
        }
        RepositoryHookResult verifyTags = verifyTags(repositoryHookRequest, isNormalUser);
        if (verifyTags.isRejected()) {
            return verifyTags;
        }
        preRepositoryHookContext.registerCommitCallback(new CommitAnalyzer(this.gpgSignatureVerifierFactory.getVerifier(repository), repositoryHookRequest, isNormalUser), RepositoryHookCommitFilter.ADDED_TO_REPOSITORY, new RepositoryHookCommitFilter[0]);
        return RepositoryHookResult.accepted();
    }

    private static boolean isRebaseMerge(RepositoryHookRequest repositoryHookRequest) {
        if (!(repositoryHookRequest instanceof MergeHookRequest)) {
            return false;
        }
        MergeHookRequest mergeHookRequest = (MergeHookRequest) repositoryHookRequest;
        return "git".equals(mergeHookRequest.getRepository().getScmId()) && ((Boolean) mergeHookRequest.getStrategyId().map(str -> {
            return Boolean.valueOf("rebase-ff-only".equals(str) || "rebase-no-ff".equals(str));
        }).orElse(false)).booleanValue();
    }

    private static boolean isTagAddOrUpdate(RefChange refChange) {
        return refChange.getType() != RefChangeType.DELETE && refChange.getRef().getType() == StandardRefType.TAG;
    }

    private static boolean isOnlyDeletes(RepositoryHookRequest repositoryHookRequest) {
        Collection<RefChange> refChanges = repositoryHookRequest.getRefChanges();
        return !refChanges.isEmpty() && refChanges.stream().map((v0) -> {
            return v0.getType();
        }).allMatch(refChangeType -> {
            return refChangeType == RefChangeType.DELETE;
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public RepositoryHookResult checkSignatureState(SignatureState signatureState, String str, boolean z) {
        switch (signatureState) {
            case GOOD:
            case GOOD_BUT_KEY_HAS_EXPIRED:
            case GOOD_BUT_UNKNOWN_VALIDITY:
                return RepositoryHookResult.accepted();
            case GOOD_BUT_MADE_WITH_REVOKED_KEY:
                return reject("revoked", str);
            case GOOD_BUT_MADE_BY_EXPIRED_KEY:
                return reject("expired.key", str);
            case BAD:
                return reject("bad", str);
            case CANNOT_BE_CHECKED:
                return reject("cannot.be.checked", str);
            case SIGNATURE_NOT_FOUND:
                return z ? reject("no.signature", str) : RepositoryHookResult.accepted();
            case PUBLIC_KEY_NOT_FOUND:
                return reject("no.key", str, Product.NAME);
            default:
                return reject(RestApplicationLink.SYSTEM, str);
        }
    }

    private boolean isNormalUser() {
        ApplicationUser currentUser = this.authenticationContext.getCurrentUser();
        return currentUser != null && currentUser.getType() == UserType.NORMAL;
    }

    private RepositoryHookResult reject(String str, String... strArr) {
        return RepositoryHookResult.rejected(this.i18nService.getMessage("bitbucket.plugins.hooks.verify.signature.error.summary", new Object[0]), this.i18nService.getMessage(PREFIX + str, strArr));
    }

    private RepositoryHookResult verifyTags(RepositoryHookRequest repositoryHookRequest, boolean z) {
        List<RefChange> list = (List) repositoryHookRequest.getRefChanges().stream().filter(VerifyGpgSignatureHook::isTagAddOrUpdate).collect(MoreCollectors.toImmutableList());
        if (list.isEmpty()) {
            return RepositoryHookResult.accepted();
        }
        Repository repository = repositoryHookRequest.getRepository();
        GpgSignatureVerifier verifier = this.gpgSignatureVerifierFactory.getVerifier(repository);
        RepositoryHookResult.Builder builder = new RepositoryHookResult.Builder();
        try {
            verifier.onStart();
            for (RefChange refChange : list) {
                SignatureState verify = verifier.verify(StandardSignableObjectType.TAG, refChange.getToHash());
                log.trace("[{}] Tag {} verified as {}", repository, refChange.getRef().getDisplayId(), verify);
                builder.add(checkSignatureState(verify, refChange.getRef().getDisplayId(), z));
            }
            return builder.build();
        } finally {
            verifier.onEnd();
        }
    }
}
