package com.atlassian.stash.internal.user;

import com.atlassian.crowd.embedded.api.CrowdService;
import com.atlassian.crowd.embedded.api.SearchRestriction;
import com.atlassian.crowd.embedded.api.User;
import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.crowd.search.EntityDescriptor;
import com.atlassian.crowd.search.builder.Combine;
import com.atlassian.crowd.search.builder.QueryBuilder;
import com.atlassian.crowd.search.builder.Restriction;
import com.atlassian.crowd.search.query.entity.restriction.NullRestriction;
import com.atlassian.crowd.search.query.entity.restriction.NullRestrictionImpl;
import com.atlassian.crowd.search.query.entity.restriction.constants.UserTermKeys;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.plugin.spring.AvailableToPlugins;
import com.atlassian.stash.event.permission.PermissionGrantedEvent;
import com.atlassian.stash.event.permission.PermissionRevokedEvent;
import com.atlassian.stash.exception.ForbiddenException;
import com.atlassian.stash.exception.IntegrityException;
import com.atlassian.stash.i18n.I18nService;
import com.atlassian.stash.internal.project.InternalProject;
import com.atlassian.stash.license.LicenseService;
import com.atlassian.stash.project.Project;
import com.atlassian.stash.user.Permission;
import com.atlassian.stash.user.PermissionAdminService;
import com.atlassian.stash.user.PermissionService;
import com.atlassian.stash.user.PermittedGroup;
import com.atlassian.stash.user.PermittedUser;
import com.atlassian.stash.user.StashAuthenticationContext;
import com.atlassian.stash.user.StashUser;
import com.atlassian.stash.user.UserService;
import com.atlassian.stash.util.FilteredPageProvider;
import com.atlassian.stash.util.Page;
import com.atlassian.stash.util.PageFilter;
import com.atlassian.stash.util.PageImpl;
import com.atlassian.stash.util.PageProvider;
import com.atlassian.stash.util.PageRequest;
import com.google.common.base.Function;
import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import java.util.Collections;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Transactional(readOnly = true)
@Service("permissionAdminService")
@AvailableToPlugins(PermissionAdminService.class)
/* loaded from: input_file:com/atlassian/stash/internal/user/PermissionAdminServiceImpl.class */
public class PermissionAdminServiceImpl implements PermissionAdminService {
    public static final Function<String, String> TO_LOWERCASE_FN = new Function<String, String>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.1
        public String apply(@Nullable String str) {
            return IdentifierUtils.toLowerCase(str);
        }
    };
    public static final int INTERNAL_PAGE_LIMIT = 500;
    private final CrowdService crowdService;
    private final EventPublisher eventPublisher;
    private final GrantedPermissionDao grantedPermissionDao;
    private final I18nService i18nService;
    private final LicenseService licenseService;
    private final int maxUsers;
    private final int maxGroups;
    private final PermissionService permissionService;
    private final StashAuthenticationContext authenticationContext;
    private final UserService userService;
    private final UserUtils userUtils;

    @Autowired
    public PermissionAdminServiceImpl(UserService userService, GrantedPermissionDao grantedPermissionDao, StashAuthenticationContext stashAuthenticationContext, PermissionService permissionService, I18nService i18nService, CrowdService crowdService, UserUtils userUtils, LicenseService licenseService, EventPublisher eventPublisher, @Value("${page.max.users}") int i, @Value("${page.max.groups}") int i2) {
        this.userService = userService;
        this.grantedPermissionDao = grantedPermissionDao;
        this.authenticationContext = stashAuthenticationContext;
        this.permissionService = permissionService;
        this.i18nService = i18nService;
        this.crowdService = crowdService;
        this.licenseService = licenseService;
        this.eventPublisher = eventPublisher;
        this.maxUsers = i;
        this.maxGroups = i2;
        this.userUtils = userUtils;
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<PermittedUser> getUsersWithGlobalPermission(@Nonnull PageRequest pageRequest) {
        UserPermissionSearchCriteria userPermissionSearchCriteria = new UserPermissionSearchCriteria();
        userPermissionSearchCriteria.setFilterMode(PermissionFilterMode.ONLY_GLOBAL);
        userPermissionSearchCriteria.setName(pageRequest.getFilter());
        return this.userUtils.getCrowdBackedPageOfPermittedUsers(this.grantedPermissionDao.getPermittedUsers(userPermissionSearchCriteria, pageRequest));
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<? extends StashUser> getUsersWithoutGlobalPermission(@Nonnull PageRequest pageRequest) {
        final UserPermissionSearchCriteria userPermissionSearchCriteria = new UserPermissionSearchCriteria();
        userPermissionSearchCriteria.setFilterMode(PermissionFilterMode.ONLY_GLOBAL);
        return getUsersWithoutPermission(pageRequest.getFilter(), new UsersWithoutPermissionPageFilter() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.2
            @Override // com.atlassian.stash.internal.user.UsersWithoutPermissionPageFilter
            protected Page<? extends StashUser> getUsersWithPermission(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.grantedPermissionDao.searchUsers(userPermissionSearchCriteria, pageRequest2);
            }
        }, pageRequest);
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<PermittedGroup> getGroupsWithGlobalPermission(@Nonnull PageRequest pageRequest) {
        GroupPermissionSearchCriteria groupPermissionSearchCriteria = new GroupPermissionSearchCriteria();
        groupPermissionSearchCriteria.setFilterMode(PermissionFilterMode.ONLY_GLOBAL);
        groupPermissionSearchCriteria.setName(pageRequest.getFilter());
        return this.grantedPermissionDao.getPermittedGroups(groupPermissionSearchCriteria, pageRequest);
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<String> getGroupsWithoutGlobalPermission(@Nonnull PageRequest pageRequest) {
        final GroupPermissionSearchCriteria groupPermissionSearchCriteria = new GroupPermissionSearchCriteria();
        groupPermissionSearchCriteria.setFilterMode(PermissionFilterMode.ONLY_GLOBAL);
        return getGroupsWithoutPermission(pageRequest.getFilter(), new GroupsWithoutPermissionFilter() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.3
            @Override // com.atlassian.stash.internal.user.GroupsWithoutPermissionFilter
            protected Page<String> getGroupsWithPermission(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.grantedPermissionDao.searchGroups(groupPermissionSearchCriteria, pageRequest2);
            }
        }, pageRequest);
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<PermittedUser> getUsersWithProjectPermission(@Nonnull Project project, @Nonnull PageRequest pageRequest) {
        UserPermissionSearchCriteria userPermissionSearchCriteria = new UserPermissionSearchCriteria();
        userPermissionSearchCriteria.setFilterMode(PermissionFilterMode.ONLY_RESOURCE);
        userPermissionSearchCriteria.setProjectId(project.getId().intValue());
        userPermissionSearchCriteria.setName(pageRequest.getFilter());
        return this.userUtils.getCrowdBackedPageOfPermittedUsers(this.grantedPermissionDao.getPermittedUsers(userPermissionSearchCriteria, pageRequest));
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<? extends StashUser> getUsersWithoutProjectPermission(@Nonnull Project project, @Nonnull PageRequest pageRequest) {
        final UserPermissionSearchCriteria userPermissionSearchCriteria = new UserPermissionSearchCriteria();
        userPermissionSearchCriteria.setFilterMode(PermissionFilterMode.ONLY_RESOURCE);
        userPermissionSearchCriteria.setProjectId(project.getId().intValue());
        return getUsersWithoutPermission(pageRequest.getFilter(), new UsersWithoutPermissionPageFilter() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.4
            @Override // com.atlassian.stash.internal.user.UsersWithoutPermissionPageFilter
            protected Page<? extends StashUser> getUsersWithPermission(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.grantedPermissionDao.searchUsers(userPermissionSearchCriteria, pageRequest2);
            }
        }, pageRequest);
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<PermittedGroup> getGroupsWithProjectPermission(@Nonnull Project project, @Nonnull PageRequest pageRequest) {
        GroupPermissionSearchCriteria groupPermissionSearchCriteria = new GroupPermissionSearchCriteria();
        groupPermissionSearchCriteria.setFilterMode(PermissionFilterMode.ONLY_RESOURCE);
        groupPermissionSearchCriteria.setProjectId(project.getId().intValue());
        groupPermissionSearchCriteria.setName(pageRequest.getFilter());
        return this.grantedPermissionDao.getPermittedGroups(groupPermissionSearchCriteria, pageRequest);
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<String> getGroupsWithoutProjectPermission(@Nonnull Project project, @Nonnull PageRequest pageRequest) {
        final GroupPermissionSearchCriteria groupPermissionSearchCriteria = new GroupPermissionSearchCriteria();
        groupPermissionSearchCriteria.setFilterMode(PermissionFilterMode.ONLY_RESOURCE);
        groupPermissionSearchCriteria.setProjectId(((Project) Preconditions.checkNotNull(project)).getId().intValue());
        return getGroupsWithoutPermission(pageRequest.getFilter(), new GroupsWithoutPermissionFilter() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.5
            @Override // com.atlassian.stash.internal.user.GroupsWithoutPermissionFilter
            protected Page<String> getGroupsWithPermission(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.grantedPermissionDao.searchGroups(groupPermissionSearchCriteria, pageRequest2);
            }
        }, pageRequest);
    }

    private Page<? extends StashUser> getUsersWithoutPermission(String str, UsersWithoutPermissionPageFilter usersWithoutPermissionPageFilter, PageRequest pageRequest) {
        PageProvider<StashUser> createUserProvider = createUserProvider(str);
        return new FilteredPageProvider(new FilteredPageProvider(createUserProvider, usersWithoutPermissionPageFilter), new UserMatchFilter(str)).get(pageRequest.buildRestrictedPageRequest(this.maxUsers));
    }

    private Page<String> getGroupsWithoutPermission(final String str, PageFilter<String> pageFilter, PageRequest pageRequest) {
        PageProvider<String> pageProvider = new PageProvider<String>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.6
            public Page<String> get(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.userService.findGroupsByContainedText(str, pageRequest2);
            }
        };
        return new FilteredPageProvider(new FilteredPageProvider(pageProvider, pageFilter), new GroupMatchFilter(str)).get(pageRequest.buildRestrictedPageRequest(this.maxGroups)).transform(TO_LOWERCASE_FN);
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGlobalPermissions(@Nonnull String str) {
        Permission highestGlobalPermission = this.permissionService.getHighestGlobalPermission(this.authenticationContext.getCurrentUser());
        Permission highestGlobalGroupPermission = this.permissionService.getHighestGlobalGroupPermission(str);
        if (highestGlobalGroupPermission != null && highestGlobalGroupPermission.getWeight() > highestGlobalPermission.getWeight()) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.revoke.insufficient.permission", "You have insufficient permission to change {0}''s permissions", new Object[]{str}));
        }
        for (Permission permission : Permission.getGlobalPermissions()) {
            if (this.grantedPermissionDao.hasPermissionEntry(permission, (Project) null, str, (StashUser) null)) {
                revokeGlobalPermission(permission, str);
            }
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGlobalPermissions(@Nonnull StashUser stashUser) {
        Permission highestGlobalPermission = this.permissionService.getHighestGlobalPermission(this.authenticationContext.getCurrentUser());
        Permission highestGlobalPermission2 = this.permissionService.getHighestGlobalPermission(stashUser);
        if (highestGlobalPermission2 != null && highestGlobalPermission2.getWeight() > highestGlobalPermission.getWeight()) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.revoke.insufficient.permission", "You have insufficient permission to change {0}''s permissions", new Object[]{stashUser.getDisplayName()}));
        }
        for (Permission permission : Permission.getGlobalPermissions()) {
            if (this.grantedPermissionDao.hasPermissionEntry(permission, (Project) null, (String) null, stashUser)) {
                revokeGlobalPermission(permission, stashUser);
            }
        }
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermissions(@Nonnull Project project, @Nonnull String str) {
        for (Permission permission : Permission.getResourcePermissions()) {
            if (permission.isProjectRelated()) {
                revokeProjectPermission(permission, project, str);
            }
        }
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermissions(@Nonnull Project project, @Nonnull StashUser stashUser) {
        for (Permission permission : Permission.getResourcePermissions()) {
            if (permission.isProjectRelated()) {
                revokeProjectPermission(permission, project, stashUser);
            }
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN') and hasGlobalPermission(#permission)")
    public void setGlobalPermission(@Nonnull Permission permission, @Nonnull String str) {
        revokeAllGlobalPermissions(str);
        grantGlobalPermission(permission, str);
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void setProjectPermission(@Nonnull Project project, @Nonnull Permission permission, @Nonnull String str) {
        revokeAllProjectPermissions(project, str);
        setProjectPermission(permission, project, str);
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN') and hasGlobalPermission(#permission)")
    public void setGlobalPermission(@Nonnull Permission permission, @Nonnull StashUser stashUser) {
        revokeAllGlobalPermissions(stashUser);
        grantGlobalPermission(permission, stashUser);
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void setProjectPermission(@Nonnull Project project, @Nonnull Permission permission, @Nonnull StashUser stashUser) {
        revokeAllProjectPermissions(project, stashUser);
        grantProjectPermission(permission, project, stashUser);
    }

    private PageProvider<StashUser> createUserProvider(String str) {
        final NullRestriction anyOf = str == null ? NullRestrictionImpl.INSTANCE : Combine.anyOf(new SearchRestriction[]{Restriction.on(UserTermKeys.DISPLAY_NAME).containing(str), Restriction.on(UserTermKeys.USERNAME).containing(str)});
        return new PageProvider<StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.7
            public Page<StashUser> get(PageRequest pageRequest) {
                Iterable search = PermissionAdminServiceImpl.this.crowdService.search(QueryBuilder.queryFor(User.class, EntityDescriptor.user(), anyOf, pageRequest.getStart(), pageRequest.getLimit() + 1));
                int size = Iterables.size(search);
                int min = Math.min(size, pageRequest.getLimit());
                return new PageImpl(pageRequest, min, Iterables.transform(Iterables.limit(search, min), new Function<User, StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.7.1
                    public StashUser apply(User user) {
                        return new CrowdUserWrapper(user);
                    }
                }), size <= pageRequest.getLimit());
            }
        };
    }

    @PreAuthorize("hasGlobalPermission('ADMIN') and hasGlobalPermission(#permission)")
    public boolean hasAllGlobalPermission(@Nonnull Permission permission) {
        Preconditions.checkArgument(permission.isGlobal());
        return this.grantedPermissionDao.hasPermissionEntry(permission, (Project) null, (String) null, (StashUser) null);
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public boolean hasAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        Preconditions.checkArgument(!permission.isGlobal());
        Preconditions.checkNotNull(project);
        return this.grantedPermissionDao.hasPermissionEntry(permission, project, (String) null, (StashUser) null);
    }

    private void grantProjectPermission(@Nonnull Permission permission, @Nonnull Project project, @Nonnull StashUser stashUser) {
        Preconditions.checkNotNull(project);
        Preconditions.checkArgument(!permission.isGlobal());
        Preconditions.checkNotNull(stashUser);
        grantPermission(new InternalGrantedPermission(permission, InternalConverter.convertToInternalProject(project), (String) null, InternalConverter.convertToInternalUser(stashUser)));
    }

    private void setProjectPermission(@Nonnull Permission permission, @Nonnull Project project, @Nonnull String str) {
        Preconditions.checkNotNull(project);
        Preconditions.checkArgument(!permission.isGlobal());
        Preconditions.checkNotNull(str);
        grantPermission(new InternalGrantedPermission(permission, InternalConverter.convertToInternalProject(project), str, (InternalStashUser) null));
    }

    private void grantGlobalPermission(@Nonnull Permission permission, @Nonnull StashUser stashUser) {
        Preconditions.checkArgument(permission.isGlobal());
        Preconditions.checkNotNull(stashUser);
        this.licenseService.validateCanLicenseUser(stashUser, permission);
        grantPermission(new InternalGrantedPermission(permission, (InternalProject) null, (String) null, InternalConverter.convertToInternalUser(stashUser)));
    }

    private void grantGlobalPermission(@Nonnull Permission permission, @Nonnull String str) {
        Preconditions.checkArgument(permission.isGlobal());
        Preconditions.checkNotNull(str);
        this.licenseService.validateCanLicenseGroup(str, permission);
        grantPermission(new InternalGrantedPermission(permission, (InternalProject) null, str, (InternalStashUser) null));
    }

    private void grantPermission(InternalGrantedPermission internalGrantedPermission) {
        if (this.grantedPermissionDao.hasPermissionEntry(internalGrantedPermission)) {
            return;
        }
        this.grantedPermissionDao.create(internalGrantedPermission);
        this.eventPublisher.publish(new PermissionGrantedEvent(this, internalGrantedPermission.getPermission(), internalGrantedPermission.getProject(), internalGrantedPermission.getGroup(), internalGrantedPermission.getUser()));
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void grantAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        Preconditions.checkNotNull(project);
        Preconditions.checkArgument(!permission.isGlobal());
        grantPermission(new InternalGrantedPermission(permission, InternalConverter.convertToInternalProject(project), (String) null, (InternalStashUser) null));
    }

    private void revokeProjectPermission(@Nonnull Permission permission, @Nonnull Project project, @Nonnull StashUser stashUser) {
        Preconditions.checkNotNull(project);
        Preconditions.checkArgument(!permission.isGlobal());
        boolean z = !stashUser.equals(this.authenticationContext.getCurrentUser());
        if (!z) {
            z = currentUserHasImpliedProjectPermission(permission, project);
        }
        if (!z) {
            z = this.permissionService.hasProjectPermissionThroughGroupMembership(project, permission, Collections.emptySet());
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokeownprojectpermission", "You cannot revoke permission on {0} as it would downgrade your own permissions.", new Object[]{project.getName()}));
        }
        revokePermission(permission, project, stashUser, null);
        revokePermission(permission, project, stashUser, null);
    }

    private void revokeProjectPermission(@Nonnull Permission permission, @Nonnull Project project, @Nonnull String str) {
        Preconditions.checkNotNull(project);
        Preconditions.checkArgument(!permission.isGlobal());
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        boolean z = currentUser == null || !this.userService.isUserMemberOfGroup(currentUser, str);
        if (!z) {
            z = currentUserHasImpliedProjectPermission(permission, project);
        }
        if (!z) {
            z = this.permissionService.hasDirectProjectUserPermission(project, permission);
        }
        if (!z) {
            z = this.permissionService.hasProjectPermissionThroughGroupMembership(project, permission, Collections.singleton(str));
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokegroupprojectpermission", "You cannot revoke the permission of group {1} on {0} as it would downgrade your own permissions.", new Object[]{project.getName(), str}));
        }
        revokePermission(permission, project, null, str);
    }

    private boolean currentUserHasImpliedProjectPermission(Permission permission, Project project) {
        boolean z = false;
        for (Permission permission2 : permission.getImplyingPermissions()) {
            z = permission2.isGlobal() ? this.permissionService.hasGlobalPermission(permission2) : this.permissionService.hasProjectPermission(project, permission2);
            if (z) {
                break;
            }
        }
        return z;
    }

    private void revokeGlobalPermission(@Nonnull Permission permission, @Nonnull StashUser stashUser) {
        Preconditions.checkArgument(permission.isGlobal());
        boolean z = !stashUser.equals(this.authenticationContext.getCurrentUser());
        if (!z) {
            Iterator it = permission.getImplyingPermissions().iterator();
            while (it.hasNext()) {
                z = this.permissionService.hasGlobalPermission((Permission) it.next());
                if (z) {
                    break;
                }
            }
        }
        if (!z) {
            z = this.permissionService.hasGlobalPermissionThroughGroupMembership(permission, Collections.emptySet());
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokeownpermission", "You cannot revoke this permission as it would downgrade your own permissions.", new Object[0]));
        }
        revokePermission(permission, null, stashUser, null);
    }

    private void revokePermission(Permission permission, Project project, StashUser stashUser, String str) {
        if (this.grantedPermissionDao.hasPermissionEntry(permission, project, str, stashUser)) {
            this.grantedPermissionDao.deleteGrantedPermissions(permission, project == null ? null : project.getId(), stashUser == null ? null : stashUser.getId(), str == null ? null : str);
            this.eventPublisher.publish(new PermissionRevokedEvent(this, permission, project, str, stashUser));
        }
    }

    private void revokeGlobalPermission(@Nonnull Permission permission, @Nonnull String str) {
        Preconditions.checkArgument(permission.isGlobal());
        InternalStashUser convertToInternalUser = InternalConverter.convertToInternalUser(this.authenticationContext.getCurrentUser());
        boolean z = convertToInternalUser == null || !this.userService.isUserMemberOfGroup(convertToInternalUser, str);
        if (!z) {
            Iterator it = permission.getImplyingPermissions().iterator();
            while (it.hasNext()) {
                z = this.permissionService.hasGlobalPermission((Permission) it.next());
                if (z) {
                    break;
                }
            }
        }
        if (!z) {
            z = this.permissionService.hasDirectGlobalUserPermission(permission);
        }
        if (!z) {
            z = this.permissionService.hasGlobalPermissionThroughGroupMembership(permission, Collections.singleton(str));
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokegrouppermission", "You cannot revoke the permission of group {0} as it would downgrade your own permissions.", new Object[]{str}));
        }
        revokePermission(permission, null, null, str);
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        Preconditions.checkNotNull(project);
        Preconditions.checkArgument(!permission.isGlobal());
        revokePermission(permission, project, null, null);
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermissions(@Nonnull Project project) {
        this.grantedPermissionDao.deleteAllProjectPermissions(project.getId());
    }

    @Transactional
    @PreAuthorize("not isCurrentUser(#username) and (hasGlobalPermission('SYS_ADMIN') or (hasGlobalPermission('ADMIN') and not hasGlobalPermission(#username, 'SYS_ADMIN')))")
    public void revokeAllUserPermissions(@Nonnull String str) {
        StashUser user = this.userService.getUser(str, true);
        if (user != null) {
            this.grantedPermissionDao.deleteAllUserPermissions(user.getId().intValue());
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGroupPermissions(@Nonnull String str) {
        canRemovePermissionsFromGroup(str);
        this.grantedPermissionDao.deleteAllGroupPermissions(str);
    }

    private void canRemovePermissionsFromGroup(String str) {
        try {
            canDeleteGroup(str);
        } catch (ForbiddenException e) {
            throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotdeletegroup", "You cannot remove the permissions of the group {0} as it has System Administrator privileges, and you are not a System Administrator.", new Object[]{str}));
        } catch (IntegrityException e2) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotremovepermissionsgroup", "You cannot remove the permissions of this group as it would remove your own privileges.", new Object[0]));
        }
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canRemoveUserFromGroup(@Nonnull String str, @Nonnull String str2) {
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser == null || !IdentifierUtils.equalsInLowerCase(currentUser.getName(), str)) {
            if (this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str2) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
                throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotremoveuser", "You cannot remove {0} from the group {1} as it has System Administrator privileges, and you are not a System Administrator.", new Object[]{str, str2}));
            }
        } else if (this.userService.isUserMemberOfGroup(currentUser, str2) && !canRemoveCurrentUserFromGroup(str2)) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotremoveself", "You cannot remove yourself from this group as it would remove your own privilege.", new Object[0]));
        }
    }

    private boolean canRemoveCurrentUserFromGroup(String str) {
        return this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str) ? this.permissionService.hasDirectGlobalUserPermission(Permission.SYS_ADMIN) || this.permissionService.hasGlobalPermissionThroughGroupMembership(Permission.SYS_ADMIN, Collections.singleton(str)) : !this.permissionService.hasGlobalGroupPermission(Permission.ADMIN, str) || this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) || this.permissionService.hasDirectGlobalUserPermission(Permission.ADMIN) || this.permissionService.hasGlobalPermissionThroughGroupMembership(Permission.ADMIN, Collections.singleton(str));
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canAddUserToGroup(@Nonnull String str) {
        if (!this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) && this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str)) {
            throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotaddusertogroup", "You cannot add a user to the group {0} as it has System Administrator privileges, and you are not a System Administrator.", new Object[]{str}));
        }
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canDeleteGroup(@Nonnull String str) {
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser != null && this.userService.isUserMemberOfGroup(currentUser, str)) {
            if (!canRemoveCurrentUserFromGroup(str)) {
                throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotremovegroup", "You cannot remove this group as it would remove your own privileges.", new Object[0]));
            }
        } else if (!this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) && this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str)) {
            throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotdeletegroup", "You cannot remove the group {0} as it has System Administrator privileges, and you are not a System Administrator.", new Object[]{str}));
        }
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canDeleteUser(@Nonnull String str) {
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser != null && IdentifierUtils.equalsInLowerCase(currentUser.getName(), str)) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.selfdelete", "You cannot delete yourself.", new Object[0]));
        }
        StashUser user = this.userService.getUser(str);
        if (user != null && this.permissionService.hasGlobalPermission(user, Permission.SYS_ADMIN) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
            throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotdeleteuser", "You cannot delete the user {0} as they have System Administrator privileges, and you are not a System Administrator.", new Object[]{user.getName()}));
        }
    }
}
