package com.atlassian.jira.upgrade.tasks.role;

import com.atlassian.crowd.embedded.api.Group;
import com.atlassian.crowd.embedded.api.GroupWithAttributes;
import com.atlassian.crowd.embedded.impl.ImmutableGroup;
import com.atlassian.jira.application.ApplicationKeys;
import com.atlassian.jira.auditing.AssociatedItem;
import com.atlassian.jira.config.properties.ApplicationProperties;
import com.atlassian.jira.util.lang.Pair;
import com.google.common.base.Joiner;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/* loaded from: input_file:WEB-INF/classes/com/atlassian/jira/upgrade/tasks/role/MoveJira6xABPServiceDeskPermissions.class */
public class MoveJira6xABPServiceDeskPermissions extends MigrationTask {
    public static final String PROPERTY_SERVICEDESK_NOT_MIGRATED_GROUPS = "renaissance.migration.servicedesk.not.migrated.groups";
    private static final String GROUP_ATTR_SERVICE_DESK = "synch.created.by.jira.service.desk";
    private static final String GROUP_ATTR_SERVICE_DESK_VALUE = "synch.created.by.jira.service.desk";
    private static final Group GROUP_SD_AGENTS = new ImmutableGroup("service-desk-agents");
    private final MigrationGroupService migrationGroupService;
    private final GlobalPermissionDao globalPermissionDao;
    private final ApplicationProperties applicationProperties;

    /* JADX INFO: Access modifiers changed from: package-private */
    public MoveJira6xABPServiceDeskPermissions(MigrationGroupService migrationGroupService, GlobalPermissionDao globalPermissionDao, ApplicationProperties applicationProperties) {
        this.migrationGroupService = migrationGroupService;
        this.globalPermissionDao = globalPermissionDao;
        this.applicationProperties = applicationProperties;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.atlassian.jira.upgrade.tasks.role.MigrationTask
    public MigrationState migrate(MigrationState migrationState, boolean z) {
        Set<Group> groupsWithSdAgentPermission = this.globalPermissionDao.groupsWithSdAgentPermission();
        ArrayList arrayList = new ArrayList();
        for (Group group : groupsWithSdAgentPermission) {
            Pair<MigrationState, Boolean> checkGroupAndMigrate = checkGroupAndMigrate(group, migrationState);
            if (!checkGroupAndMigrate.second().booleanValue()) {
                arrayList.add(group.getName());
            }
            migrationState = checkGroupAndMigrate.first();
        }
        return migrationState.withAfterSaveTask(() -> {
            saveNotMigratedGroups(arrayList);
        });
    }

    private Pair<MigrationState, Boolean> checkGroupAndMigrate(Group group, MigrationState migrationState) {
        Set<UserWithPermissions> usersInGroup = this.migrationGroupService.getUsersInGroup(group);
        boolean z = true;
        boolean z2 = false;
        for (UserWithPermissions userWithPermissions : usersInGroup) {
            boolean z3 = userWithPermissions.hasAdminPermission() || userWithPermissions.hasUsePermission();
            z &= z3;
            z2 |= z3;
        }
        if (z) {
            return Pair.of(migrationState.changeApplicationRole(ApplicationKeys.SERVICE_DESK, applicationRole -> {
                return migrateGroup(applicationRole, group);
            }).log(new AuditEntry(getClass(), "Group added to Service Desk: " + group.getName(), "Group was migrated as all users have both JIRA USE and Agent permissions", AssociatedItem.Type.APPLICATION_ROLE, ApplicationKeys.SERVICE_DESK.value(), new MigrationChangedValue(group.getName(), "USE (permission), Agent (permission)", ApplicationKeys.SERVICE_DESK.value() + " (role)"))), true);
        }
        if (!z2) {
            return Pair.of(migrationState.log(new AuditEntry(MoveJira6xABPServiceDeskPermissions.class, "Service Desk not migrated", "There are " + usersInGroup.size() + " users with Service Desk Agent permission who do not have JIRA USE permission. In order to avoid allowing these users to log in, the group '" + group.getName() + "' has not been assigned to Service Desk.", AssociatedItem.Type.APPLICATION_ROLE)), true);
        }
        StringBuilder append = new StringBuilder().append("Service Desk Migration - cannot add Service Desk application role to group: '").append(group.getName()).append("'\n").append("Group contains users with misconfigured permissions - not all users in the group are ").append("able to log in to JIRA, migration would cause privilege escalation.\n").append("Affected users:\n");
        String str = "";
        Iterator<UserWithPermissions> it2 = usersInGroup.iterator();
        while (it2.hasNext()) {
            append.append(str).append(it2.next().getUser().getName());
            str = ", ";
        }
        return Pair.of(migrationState.log(new AuditEntry(MoveJira6xABPServiceDeskPermissions.class, "Service Desk not migrated", append.toString(), AssociatedItem.Type.APPLICATION_ROLE, null, Collections.emptyList(), AuditEntrySeverity.WARNING)), false);
    }

    private ApplicationRole migrateGroup(ApplicationRole applicationRole, Group group) {
        ApplicationRole addGroup = applicationRole.addGroup(group);
        if (shouldSetGroupAsDefault(group)) {
            addGroup = addGroup.addGroupAsDefault(group);
        }
        return addGroup;
    }

    private boolean shouldSetGroupAsDefault(Group group) {
        GroupWithAttributes groupWithAttributes = this.migrationGroupService.getGroupWithAttributes(group);
        return !this.globalPermissionDao.groupsWithAdminPermission().contains(group) && groupWithAttributes != null && GROUP_SD_AGENTS.equals(group) && "synch.created.by.jira.service.desk".equals(groupWithAttributes.getValue("synch.created.by.jira.service.desk"));
    }

    private void saveNotMigratedGroups(List<String> list) {
        if (list.isEmpty()) {
            this.applicationProperties.setString(PROPERTY_SERVICEDESK_NOT_MIGRATED_GROUPS, null);
        } else {
            this.applicationProperties.setString(PROPERTY_SERVICEDESK_NOT_MIGRATED_GROUPS, Joiner.on(", ").join(list));
        }
    }
}
