package com.atlassian.jira.security;

import com.atlassian.cache.CacheManager;
import com.atlassian.collectors.CollectorsUtil;
import com.atlassian.crowd.embedded.api.CrowdService;
import com.atlassian.crowd.embedded.api.Group;
import com.atlassian.crowd.search.EntityDescriptor;
import com.atlassian.crowd.search.builder.QueryBuilder;
import com.atlassian.crowd.search.query.membership.MembershipQuery;
import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.fugue.Option;
import com.atlassian.jira.EventComponent;
import com.atlassian.jira.application.ApplicationRoleManager;
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.config.CoreFeatures;
import com.atlassian.jira.config.FeatureManager;
import com.atlassian.jira.config.group.GroupConfigurable;
import com.atlassian.jira.entity.Entity;
import com.atlassian.jira.event.ClearCacheEvent;
import com.atlassian.jira.event.permission.GlobalPermissionAddedEvent;
import com.atlassian.jira.event.permission.GlobalPermissionDeletedEvent;
import com.atlassian.jira.license.LicenseCountService;
import com.atlassian.jira.ofbiz.FieldMap;
import com.atlassian.jira.ofbiz.OfBizDelegator;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.permission.GlobalPermissionType;
import com.atlassian.jira.security.plugin.GlobalPermissionEntityFactory;
import com.atlassian.jira.security.plugin.GlobalPermissionTypesManager;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.user.util.RecoveryMode;
import com.atlassian.jira.util.dbc.Assertions;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Objects;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;

/**
 * Default {@link GlobalPermissionManager}. Grants are persisted as
 * {@code (permission key, group name)} rows through the {@link OfBizDelegator}, read back through a
 * {@link GlobalPermissionsCache}, and the cache is cleared after every mutation.
 *
 * <p>Authorisation semantics visible in this class:
 * <ul>
 *   <li>A {@code null} group name is the "Anyone" grant; it is the only grant consulted for an
 *       anonymous ({@code null}) user.</li>
 *   <li>An inactive user is denied before any grant or group membership is looked at.</li>
 *   <li>A {@code SYSTEM_ADMIN} grant for a group also satisfies an {@code ADMINISTER} check for
 *       that group.</li>
 *   <li>The recovery user reported by {@link RecoveryMode} is granted {@code ADMINISTER},
 *       {@code SYSTEM_ADMIN} and {@code USE} regardless of the stored grants.</li>
 *   <li>While application roles are enabled, {@code USE} is decided by the
 *       {@link ApplicationRoleManager}; reading or changing {@code USE} grants here throws
 *       {@link UnsupportedOperationException}.</li>
 * </ul>
 *
 * <p>The mutating methods take no acting user and perform no authorisation of the caller; whoever
 * calls them is responsible for checking that the change is allowed.
 */
@EventComponent
/* loaded from: input_file:WEB-INF/classes/com/atlassian/jira/security/DefaultGlobalPermissionManager.class */
public class DefaultGlobalPermissionManager implements GlobalPermissionManager, GroupConfigurable {
    /** Permissions reported as not managed by Jira while {@code PERMISSIONS_MANAGED_BY_UM} is enabled. */
    private static final ImmutableSet<GlobalPermissionKey> ONDEMAND_UM_MANAGED_PERMISSIONS = ImmutableSet.of(
            GlobalPermissionKey.ADMINISTER,
            GlobalPermissionKey.SYSTEM_ADMIN,
            GlobalPermissionKey.USE);

    private final GlobalPermissionsCache globalPermissionsCache;
    private final CrowdService crowdService;
    private final OfBizDelegator ofBizDelegator;
    private final EventPublisher eventPublisher;
    private final GlobalPermissionTypesManager globalPermissionTypesManager;
    private final RecoveryMode recoveryMode;
    private final ApplicationRoleManager applicationRoleManager;
    private final FeatureManager featureManager;

    /**
     * Wires the collaborators and creates the grant cache on top of {@code ofBizDelegator} and
     * {@code cacheManager}.
     *
     * <p>Only {@code recoveryMode}, {@code applicationRoleManager} and {@code featureManager} are
     * null-checked here; the statement order is kept as it was because the cache is constructed
     * between those checks.
     */
    public DefaultGlobalPermissionManager(
            CrowdService crowdService,
            OfBizDelegator ofBizDelegator,
            EventPublisher eventPublisher,
            GlobalPermissionTypesManager globalPermissionTypesManager,
            CacheManager cacheManager,
            ApplicationRoleManager applicationRoleManager,
            RecoveryMode recoveryMode,
            FeatureManager featureManager) {
        this.crowdService = crowdService;
        this.ofBizDelegator = ofBizDelegator;
        this.eventPublisher = eventPublisher;
        this.globalPermissionTypesManager = globalPermissionTypesManager;
        this.recoveryMode = Assertions.notNull("recoveryMode", recoveryMode);
        this.globalPermissionsCache = new GlobalPermissionsCache(ofBizDelegator, cacheManager);
        this.applicationRoleManager = Assertions.notNull("applicationRoleManager", applicationRoleManager);
        this.featureManager = Assertions.notNull("featureManager", featureManager);
    }

    /** Drops the cached grants when a {@link ClearCacheEvent} is published. */
    @EventListener
    public void onClearCache(ClearCacheEvent clearCacheEvent) {
        this.globalPermissionsCache.clearCache();
    }

    /** Returns every global permission type known to the {@link GlobalPermissionTypesManager}. */
    @Override
    public Collection<GlobalPermissionType> getAllGlobalPermissions() {
        return this.globalPermissionTypesManager.getAll();
    }

    /**
     * Resolves a legacy numeric permission id through
     * {@code GlobalPermissionKey.GLOBAL_PERMISSION_ID_TRANSLATION}.
     *
     * @return the permission type, or {@code Option.none()} when the id has no translation
     */
    @Override
    public Option<GlobalPermissionType> getGlobalPermission(int i) {
        final GlobalPermissionKey translated = GlobalPermissionKey.GLOBAL_PERMISSION_ID_TRANSLATION.get(i);
        if (translated == null) {
            return Option.none();
        }
        return getGlobalPermission(translated);
    }

    /** Looks up a permission type by its string key. */
    @Override
    public Option<GlobalPermissionType> getGlobalPermission(@Nonnull String str) {
        return this.globalPermissionTypesManager.getGlobalPermission(str);
    }

    /** Looks up a permission type by its {@link GlobalPermissionKey}. */
    @Override
    public Option<GlobalPermissionType> getGlobalPermission(@Nonnull GlobalPermissionKey globalPermissionKey) {
        return this.globalPermissionTypesManager.getGlobalPermission(globalPermissionKey);
    }

    /**
     * Grants the permission with numeric id {@code i} to group {@code str}.
     *
     * @throws IllegalArgumentException if {@code i} is not a global permission id
     */
    @Override
    public boolean addPermission(int i, String str) {
        final Option<GlobalPermissionType> resolved = getGlobalPermission(i);
        if (resolved.isEmpty()) {
            throw new IllegalArgumentException("Permission id passed must be a global permission, " + i + " is not");
        }
        return addPermission(resolved.get(), str);
    }

    /**
     * Grants {@code globalPermissionType} to group {@code str} ({@code null} meaning "Anyone"),
     * clears the cache and publishes a {@link GlobalPermissionAddedEvent}.
     *
     * <p>NOTE(review): unlike {@link #removePermissions(String)}, nothing here checks that the
     * group exists or that the same grant is not already stored; the row is always created.
     *
     * @return always {@code true}
     * @throws IllegalArgumentException if {@code str} is {@code null} and the permission does not
     *         allow anonymous access
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    public boolean addPermission(@Nonnull GlobalPermissionType globalPermissionType, String str) {
        ensureUsePermissionNotUsedIfRolesEnabled(globalPermissionType.getGlobalPermissionKey());
        if (!globalPermissionType.isAnonymousAllowed() && str == null) {
            throw new IllegalArgumentException("The group Anyone cannot be added to the global permission JIRA Users");
        }
        final FieldMap row = FieldMap.build("permission", globalPermissionType.getKey())
                .add(GlobalPermissionEntityFactory.GROUP, str);
        this.ofBizDelegator.createValue(Entity.Name.GLOBAL_PERMISSION_ENTRY, row);
        this.globalPermissionsCache.clearCache();
        clearActiveUserCountIfNecessary(globalPermissionType.getGlobalPermissionKey());
        this.eventPublisher.publish(new GlobalPermissionAddedEvent(globalPermissionType, str));
        return true;
    }

    /**
     * Returns the grants of the permission with numeric id {@code i} as legacy
     * {@link JiraPermission} objects of type {@code "group"}.
     *
     * @return the grants, or an empty list when {@code i} is not a global permission id
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    public Collection<JiraPermission> getPermissions(int i) {
        ensureUsePermissionNotUsedIfRolesEnabled(i);
        final Option<GlobalPermissionType> resolved = getGlobalPermission(i);
        if (resolved.isEmpty()) {
            return Collections.emptyList();
        }
        final Collection<GlobalPermissionEntry> grants = getPermissions(resolved.get().getGlobalPermissionKey());
        final ArrayList<JiraPermission> legacyView = Lists.newArrayListWithCapacity(grants.size());
        for (GlobalPermissionEntry grant : grants) {
            legacyView.add(new JiraPermissionImpl(i, grant.getGroup(), "group"));
        }
        return legacyView;
    }

    /** Returns the grants stored for {@code globalPermissionType}. */
    @Override
    public Collection<GlobalPermissionEntry> getPermissions(GlobalPermissionType globalPermissionType) {
        return getPermissions(globalPermissionType.getGlobalPermissionKey());
    }

    /**
     * Returns the cached grants for {@code globalPermissionKey}.
     *
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    @Nonnull
    public Collection<GlobalPermissionEntry> getPermissions(@Nonnull GlobalPermissionKey globalPermissionKey) {
        ensureUsePermissionNotUsedIfRolesEnabled(globalPermissionKey);
        return this.globalPermissionsCache.getPermissions(globalPermissionKey.getKey());
    }

    /**
     * Revokes the permission with numeric id {@code i} from group {@code str}.
     *
     * @throws IllegalArgumentException if {@code i} is not a global permission id
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    public boolean removePermission(int i, String str) {
        ensureUsePermissionNotUsedIfRolesEnabled(i);
        final Option<GlobalPermissionType> resolved = getGlobalPermission(i);
        if (resolved.isEmpty()) {
            throw new IllegalArgumentException("Permission id passed must be a global permission, " + i + " is not");
        }
        return removePermission(resolved.get(), str);
    }

    /**
     * Revokes {@code globalPermissionType} from group {@code str}, clears the cache and publishes
     * a {@link GlobalPermissionDeletedEvent}.
     *
     * <p>The existence test goes through {@link #hasPermission(GlobalPermissionEntry)}, so for
     * {@code ADMINISTER} it is also satisfied by a {@code SYSTEM_ADMIN} grant of the same group.
     *
     * @return {@code false} if that test finds no grant and nothing was changed, else {@code true}
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    public boolean removePermission(GlobalPermissionType globalPermissionType, String str) {
        ensureUsePermissionNotUsedIfRolesEnabled(globalPermissionType.getGlobalPermissionKey());
        final GlobalPermissionEntry target = new GlobalPermissionEntry(globalPermissionType.getKey(), str);
        if (hasPermission(target)) {
            removePermission(target);
            this.globalPermissionsCache.clearCache();
            clearActiveUserCountIfNecessary(globalPermissionType.getGlobalPermissionKey());
            this.eventPublisher.publish(new GlobalPermissionDeletedEvent(globalPermissionType, str));
            return true;
        }
        return false;
    }

    /**
     * Revokes every global permission granted to group {@code str}.
     *
     * <p>NOTE(review): this path publishes no {@link GlobalPermissionDeletedEvent}, unlike
     * {@link #removePermission(GlobalPermissionType, String)}; anything that relies on that event
     * to record revocations will not see these.
     *
     * @return always {@code true}
     * @throws IllegalArgumentException if the group is not known to the {@link CrowdService}
     */
    @Override
    public boolean removePermissions(@Nonnull String str) {
        Assertions.notNull("group", str);
        if (this.crowdService.getGroup(str) == null) {
            throw new IllegalArgumentException("Group passed must exist");
        }
        for (GlobalPermissionEntry grant : this.globalPermissionsCache.getPermissions()) {
            if (!str.equals(grant.getGroup())) {
                continue;
            }
            removePermission(grant);
            clearActiveUserCountIfNecessary(GlobalPermissionKey.of(grant.getPermissionKey()));
        }
        this.globalPermissionsCache.clearCache();
        return true;
    }

    /** Deletes the stored row(s) matching the entry's permission key and group; does not touch the cache. */
    private void removePermission(GlobalPermissionEntry globalPermissionEntry) {
        final FieldMap match = FieldMap.build("permission", globalPermissionEntry.getPermissionKey())
                .add(GlobalPermissionEntityFactory.GROUP, globalPermissionEntry.getGroup());
        this.ofBizDelegator.removeByAnd(Entity.Name.GLOBAL_PERMISSION_ENTRY, match);
    }

    /**
     * Anonymous check for the permission with numeric id {@code i}.
     *
     * @return {@code false} when {@code i} is not a global permission id
     */
    @Override
    public boolean hasPermission(int i) {
        final Option<GlobalPermissionType> resolved = getGlobalPermission(i);
        return !resolved.isEmpty()
                && hasPermission(resolved.get().getGlobalPermissionKey(), (ApplicationUser) null);
    }

    /**
     * Checks the entry built from the permission key alone.
     *
     * <p>NOTE(review): presumably the one-argument {@code GlobalPermissionEntry} constructor leaves
     * the group {@code null} ("Anyone") - confirm. This overload does not go through the
     * recovery-mode branch of {@link #hasPermission(GlobalPermissionKey, ApplicationUser)}.
     */
    @Override
    public boolean hasPermission(@Nonnull GlobalPermissionType globalPermissionType) {
        return hasPermission(new GlobalPermissionEntry(globalPermissionType.getKey()));
    }

    /**
     * Checks the permission with numeric id {@code i} for {@code applicationUser}.
     *
     * @return {@code false} when {@code i} is not a global permission id
     */
    @Override
    public boolean hasPermission(int i, ApplicationUser applicationUser) {
        final GlobalPermissionKey translated = GlobalPermissionKey.GLOBAL_PERMISSION_ID_TRANSLATION.get(i);
        return translated != null && hasPermission(translated, applicationUser);
    }

    /**
     * Central permission decision: the stored grants are evaluated first, and only if they deny is
     * the recovery-mode override considered.
     *
     * <p>The override applies to {@code ADMINISTER}, {@code SYSTEM_ADMIN} and {@code USE} only, and
     * only for the user that {@link RecoveryMode#isRecoveryUser} accepts. Because it is evaluated
     * after the normal path, it also applies when that path returned {@code false} for an inactive
     * user.
     */
    @Override
    public boolean hasPermission(@Nonnull GlobalPermissionKey globalPermissionKey, @Nullable ApplicationUser applicationUser) {
        if (hasPermissionIgnoreRecovery(globalPermissionKey, applicationUser)) {
            return true;
        }
        return isRecoveryPermission(globalPermissionKey) && this.recoveryMode.isRecoveryUser(applicationUser);
    }

    /** Whether the key is one of the three permissions the recovery user is given implicitly. */
    private static boolean isRecoveryPermission(@Nonnull GlobalPermissionKey globalPermissionKey) {
        return GlobalPermissionKey.ADMINISTER.equals(globalPermissionKey)
                || GlobalPermissionKey.SYSTEM_ADMIN.equals(globalPermissionKey)
                || GlobalPermissionKey.USE.equals(globalPermissionKey);
    }

    /**
     * Evaluates the stored grants for a user without the recovery-mode override.
     *
     * <p>The order of the checks is significant: anonymous users see only the "Anyone" grant,
     * inactive users are denied outright, {@code USE} is delegated to application roles when they
     * are enabled, and only then are the "Anyone" grant and the user's group memberships tried.
     */
    private boolean hasPermissionIgnoreRecovery(@Nonnull GlobalPermissionKey globalPermissionKey, @Nullable ApplicationUser applicationUser) {
        if (applicationUser == null) {
            // Anonymous caller: only a grant to the null ("Anyone") group can match.
            final GlobalPermissionEntry anyoneGrant = new GlobalPermissionEntry(globalPermissionKey.getKey(), (String) null);
            return hasPermission(anyoneGrant);
        }
        if (!applicationUser.isActive()) {
            return false;
        }
        if (GlobalPermissionKey.USE.getKey().equals(globalPermissionKey.getKey()) && this.applicationRoleManager.rolesEnabled()) {
            return this.applicationRoleManager.hasAnyRole(applicationUser);
        }
        final GlobalPermissionEntry anyoneGrant = new GlobalPermissionEntry(globalPermissionKey.getKey(), (String) null);
        if (hasPermission(anyoneGrant)) {
            return true;
        }
        // Fall back to the groups the directory reports for this user.
        return Iterables.any(
                this.crowdService.search(getGroupMembershipQuery(applicationUser)),
                groupName -> hasPermission(new GlobalPermissionEntry(globalPermissionKey.getKey(), groupName)));
    }

    /** Same decision as {@link #hasPermission(GlobalPermissionKey, ApplicationUser)}, keyed by type. */
    @Override
    public boolean hasPermission(@Nonnull GlobalPermissionType globalPermissionType, @Nullable ApplicationUser applicationUser) {
        return hasPermission(globalPermissionType.getGlobalPermissionKey(), applicationUser);
    }

    /**
     * Builds the query for the names of the groups that are parents of the user, matched by
     * {@code applicationUser.getName()}.
     */
    private MembershipQuery<String> getGroupMembershipQuery(ApplicationUser applicationUser) {
        // NOTE(review): -1 is presumably the "no limit" sentinel for the result size - confirm.
        return QueryBuilder.queryFor(String.class, EntityDescriptor.group())
                .parentsOf(EntityDescriptor.user())
                .withName(applicationUser.getName())
                .returningAtMost(-1);
    }

    /**
     * Returns the groups holding the permission with numeric id {@code i}.
     *
     * @return the groups, or an empty list when {@code i} is not a global permission id
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    public Collection<Group> getGroupsWithPermission(int i) {
        ensureUsePermissionNotUsedIfRolesEnabled(i);
        final Option<GlobalPermissionType> resolved = getGlobalPermission(i);
        if (resolved.isEmpty()) {
            return Collections.emptyList();
        }
        return getGroupsWithPermission(resolved.get().getGlobalPermissionKey());
    }

    /** Returns the groups holding {@code globalPermissionType}. */
    @Override
    public Collection<Group> getGroupsWithPermission(@Nonnull GlobalPermissionType globalPermissionType) {
        return getGroupsWithPermission(globalPermissionType.getGlobalPermissionKey());
    }

    /**
     * Resolves the granted group names to {@link Group} objects. Names the {@link CrowdService}
     * no longer knows are skipped, so a stale grant does not surface as a {@code null} element.
     *
     * @return an unmodifiable collection of the groups that still exist
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    @Nonnull
    public Collection<Group> getGroupsWithPermission(@Nonnull GlobalPermissionKey globalPermissionKey) {
        ensureUsePermissionNotUsedIfRolesEnabled(globalPermissionKey);
        final Collection<String> grantedNames = getGroupNamesWithPermission(globalPermissionKey);
        final ArrayList<Group> existingGroups = Lists.newArrayListWithCapacity(grantedNames.size());
        for (String grantedName : grantedNames) {
            final Group resolvedGroup = this.crowdService.getGroup(grantedName);
            if (resolvedGroup == null) {
                continue;
            }
            existingGroups.add(resolvedGroup);
        }
        return Collections.unmodifiableCollection(existingGroups);
    }

    /**
     * Returns the names of the groups holding the permission with numeric id {@code i}.
     *
     * @return the names, or an empty list when {@code i} is not a global permission id
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    @Nonnull
    public Collection<String> getGroupNames(int i) {
        ensureUsePermissionNotUsedIfRolesEnabled(i);
        final Option<GlobalPermissionType> resolved = getGlobalPermission(i);
        if (resolved.isEmpty()) {
            return Collections.emptyList();
        }
        return getGroupNamesWithPermission(resolved.get().getGlobalPermissionKey());
    }

    /**
     * Returns the names of the groups holding {@code globalPermissionType}.
     *
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    public Collection<String> getGroupNames(@Nonnull GlobalPermissionType globalPermissionType) {
        ensureUsePermissionNotUsedIfRolesEnabled(globalPermissionType.getGlobalPermissionKey());
        return getGroupNamesWithPermission(globalPermissionType.getGlobalPermissionKey());
    }

    /**
     * Returns the distinct, non-null group names granted {@code globalPermissionKey}. The
     * {@code null} ("Anyone") grant is filtered out, so it is never reported as a group name.
     *
     * @throws UnsupportedOperationException for {@code USE} while application roles are enabled
     */
    @Override
    @Nonnull
    public Collection<String> getGroupNamesWithPermission(@Nonnull GlobalPermissionKey globalPermissionKey) {
        ensureUsePermissionNotUsedIfRolesEnabled(globalPermissionKey);
        return this.globalPermissionsCache.getPermissions(globalPermissionKey.getKey()).stream()
                .map(GlobalPermissionEntry::getGroup)
                .filter(Objects::nonNull)
                .collect(CollectorsUtil.toImmutableSet());
    }

    /** Whether {@code i} is a key of {@code GlobalPermissionKey.GLOBAL_PERMISSION_ID_TRANSLATION}. */
    @Override
    public boolean isGlobalPermission(int i) {
        return GlobalPermissionKey.GLOBAL_PERMISSION_ID_TRANSLATION.containsKey(i);
    }

    /** Drops the cached grants. */
    @Override
    public void clearCache() {
        this.globalPermissionsCache.clearCache();
    }

    /**
     * Reports whether Jira itself manages the permission.
     *
     * @return {@code false} only when {@code PERMISSIONS_MANAGED_BY_UM} is enabled and the key is
     *         one of {@code ADMINISTER}, {@code SYSTEM_ADMIN} or {@code USE}
     */
    @Override
    public boolean isPermissionManagedByJira(@Nonnull GlobalPermissionKey globalPermissionKey) {
        final boolean managedElsewhere = this.featureManager.isEnabled(CoreFeatures.PERMISSIONS_MANAGED_BY_UM)
                && ONDEMAND_UM_MANAGED_PERMISSIONS.contains(globalPermissionKey);
        return !managedElsewhere;
    }

    /**
     * Tests a single {@code (permission, group)} entry against the cached grants.
     *
     * <p>{@code USE} is always denied here while application roles are enabled. For
     * {@code ADMINISTER}, a {@code SYSTEM_ADMIN} grant of the same group is accepted as well.
     */
    protected boolean hasPermission(GlobalPermissionEntry globalPermissionEntry) {
        if (this.applicationRoleManager.rolesEnabled() && GlobalPermissionKey.USE.getKey().equals(globalPermissionEntry.getPermissionKey())) {
            return false;
        }
        if (!GlobalPermissionKey.ADMINISTER.getKey().equals(globalPermissionEntry.getPermissionKey())) {
            return this.globalPermissionsCache.hasPermission(globalPermissionEntry);
        }
        if (this.globalPermissionsCache.hasPermission(globalPermissionEntry)) {
            return true;
        }
        // System administrators are implicitly administrators.
        final GlobalPermissionEntry sysAdminGrant = new GlobalPermissionEntry(GlobalPermissionKey.SYSTEM_ADMIN, globalPermissionEntry.getGroup());
        return this.globalPermissionsCache.hasPermission(sysAdminGrant);
    }

    /** Flushes the {@link LicenseCountService} when a {@code USE}, {@code ADMINISTER} or {@code SYSTEM_ADMIN} grant changed. */
    private void clearActiveUserCountIfNecessary(GlobalPermissionKey globalPermissionKey) {
        final boolean affectsUserCount = globalPermissionKey.equals(GlobalPermissionKey.USE)
                || globalPermissionKey.equals(GlobalPermissionKey.ADMINISTER)
                || globalPermissionKey.equals(GlobalPermissionKey.SYSTEM_ADMIN);
        if (!affectsUserCount) {
            return;
        }
        final LicenseCountService licenseCounts = ComponentAccessor.getComponent(LicenseCountService.class);
        licenseCounts.flush();
    }

    /**
     * Rejects the numeric id {@code 1} while application roles are enabled.
     *
     * <p>NOTE(review): {@code 1} is presumably the legacy numeric id of {@code USE} - confirm
     * against {@code GlobalPermissionKey.GLOBAL_PERMISSION_ID_TRANSLATION}.
     */
    private void ensureUsePermissionNotUsedIfRolesEnabled(int i) {
        if (this.applicationRoleManager.rolesEnabled() && i == 1) {
            throwUnsupportedOperationExceptionForUse();
        }
    }

    /** Rejects the {@code USE} key while application roles are enabled. */
    private void ensureUsePermissionNotUsedIfRolesEnabled(@Nonnull GlobalPermissionKey globalPermissionKey) {
        if (this.applicationRoleManager.rolesEnabled() && GlobalPermissionKey.USE.getKey().equals(globalPermissionKey.getKey())) {
            throwUnsupportedOperationExceptionForUse();
        }
    }

    /** Always throws; shared by both {@code ensureUsePermissionNotUsedIfRolesEnabled} overloads. */
    private void throwUnsupportedOperationExceptionForUse() {
        throw new UnsupportedOperationException("Can't retrieve/add/remove USE permission if Application Roles are enabled, you must use roles. See ApplicationRoleManager#rolesEnabled");
    }

    /** Whether the cache reports any global permission grant for {@code group}. */
    @Override
    public boolean isGroupUsed(@Nonnull Group group) {
        return this.globalPermissionsCache.isGroupUsed(group);
    }
}
