package com.atlassian.stash.internal.user;

import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.plugin.spring.AvailableToPlugins;
import com.atlassian.stash.Product;
import com.atlassian.stash.event.permission.GlobalPermissionGrantedEvent;
import com.atlassian.stash.event.permission.GlobalPermissionRevokedEvent;
import com.atlassian.stash.event.permission.ProjectPermissionGrantedEvent;
import com.atlassian.stash.event.permission.ProjectPermissionRevokedEvent;
import com.atlassian.stash.event.permission.RepositoryPermissionGrantedEvent;
import com.atlassian.stash.event.permission.RepositoryPermissionRevokedEvent;
import com.atlassian.stash.event.user.GroupCleanupEvent;
import com.atlassian.stash.event.user.UserCleanupEvent;
import com.atlassian.stash.exception.AuthorisationException;
import com.atlassian.stash.exception.ForbiddenException;
import com.atlassian.stash.exception.IntegrityException;
import com.atlassian.stash.exception.ServerException;
import com.atlassian.stash.i18n.I18nService;
import com.atlassian.stash.internal.CommonValidations;
import com.atlassian.stash.internal.InternalConverter;
import com.atlassian.stash.internal.annotation.Secured;
import com.atlassian.stash.internal.user.InternalGlobalPermission;
import com.atlassian.stash.internal.user.InternalProjectPermission;
import com.atlassian.stash.internal.user.InternalRepositoryPermission;
import com.atlassian.stash.license.LicenseService;
import com.atlassian.stash.project.Project;
import com.atlassian.stash.project.ProjectType;
import com.atlassian.stash.repository.Repository;
import com.atlassian.stash.user.Permission;
import com.atlassian.stash.user.PermissionAdminService;
import com.atlassian.stash.user.PermissionService;
import com.atlassian.stash.user.PermittedGroup;
import com.atlassian.stash.user.PermittedUser;
import com.atlassian.stash.user.SetPermissionRequest;
import com.atlassian.stash.user.StashAuthenticationContext;
import com.atlassian.stash.user.StashUser;
import com.atlassian.stash.user.UserService;
import com.atlassian.stash.util.Page;
import com.atlassian.stash.util.PageProvider;
import com.atlassian.stash.util.PageRequest;
import com.atlassian.stash.util.PageUtils;
import com.atlassian.stash.util.PagedIterable;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.collect.Iterables;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Transactional(readOnly = true)
@AvailableToPlugins(PermissionAdminService.class)
@Service("permissionAdminService")
/* loaded from: input_file:com/atlassian/stash/internal/user/PermissionAdminServiceImpl.class */
public class PermissionAdminServiceImpl implements PermissionAdminService {
    private static final Comparator<String> CASE_INSENSITIVE_COMPARATOR = new Comparator<String>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.1
        @Override // java.util.Comparator
        public int compare(String str, String str2) {
            return IdentifierUtils.compareToInLowerCase(str, str2);
        }
    };
    private static final Comparator<StashUser> CASE_INSENSITIVE_NAME_COMPARATOR = new Comparator<StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.2
        @Override // java.util.Comparator
        public int compare(StashUser stashUser, StashUser stashUser2) {
            return IdentifierUtils.compareToInLowerCase(stashUser.getName(), stashUser2.getName());
        }
    };
    public static final int INTERNAL_PAGE_LIMIT = 500;
    private final EventPublisher eventPublisher;
    private final GlobalPermissionDao globalPermissionDao;
    private final ProjectPermissionDao projectPermissionDao;
    private final RepositoryPermissionDao repositoryPermissionDao;
    private final I18nService i18nService;
    private final LicenseService licenseService;
    private final int maxUsers;
    private final int maxGroups;
    private final PermissionService permissionService;
    private final StashAuthenticationContext authenticationContext;
    private final UserService userService;

    @Autowired
    public PermissionAdminServiceImpl(UserService userService, GlobalPermissionDao globalPermissionDao, ProjectPermissionDao projectPermissionDao, RepositoryPermissionDao repositoryPermissionDao, StashAuthenticationContext stashAuthenticationContext, PermissionService permissionService, I18nService i18nService, LicenseService licenseService, EventPublisher eventPublisher, @Value("${page.max.users}") int i, @Value("${page.max.groups}") int i2) {
        this.userService = userService;
        this.globalPermissionDao = globalPermissionDao;
        this.projectPermissionDao = projectPermissionDao;
        this.repositoryPermissionDao = repositoryPermissionDao;
        this.authenticationContext = stashAuthenticationContext;
        this.permissionService = permissionService;
        this.i18nService = i18nService;
        this.licenseService = licenseService;
        this.eventPublisher = eventPublisher;
        this.maxUsers = i;
        this.maxGroups = i2;
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    @Deprecated
    public Page<PermittedUser> getUsersWithGlobalPermission(@Nonnull PageRequest pageRequest) {
        return findUsersWithGlobalPermission(pageRequest.getFilter(), pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<PermittedUser> findUsersWithGlobalPermission(String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validatePageRequest(pageRequest);
        return this.globalPermissionDao.findHighestPermissionPerUser(str, pageRequest);
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    @Deprecated
    public Page<? extends StashUser> getUsersWithoutGlobalPermission(@Nonnull PageRequest pageRequest) {
        return findUsersWithoutGlobalPermission(pageRequest.getFilter(), pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<StashUser> findUsersWithoutGlobalPermission(String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validatePageRequest(pageRequest);
        return getUsersWithoutPermission(withoutUsers(new PageProvider<StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.3
            public Page<StashUser> get(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.globalPermissionDao.findUsersWithPermission(pageRequest2);
            }
        }), str, pageRequest);
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    @Deprecated
    public Page<PermittedGroup> getGroupsWithGlobalPermission(@Nonnull PageRequest pageRequest) {
        CommonValidations.validatePageRequest(pageRequest);
        return findGroupsWithGlobalPermission(pageRequest.getFilter(), pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<PermittedGroup> findGroupsWithGlobalPermission(String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validatePageRequest(pageRequest);
        return this.globalPermissionDao.findHighestPermissionPerGroup(str, pageRequest);
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    @Deprecated
    public Page<String> getGroupsWithoutGlobalPermission(@Nonnull PageRequest pageRequest) {
        return findGroupsWithoutGlobalPermission(pageRequest.getFilter(), pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public Page<String> findGroupsWithoutGlobalPermission(String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validatePageRequest(pageRequest);
        return getGroupsWithoutPermission(str, withoutGroups(new PageProvider<String>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.4
            public Page<String> get(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.globalPermissionDao.findGroupsWithPermission(pageRequest2);
            }
        }), pageRequest);
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    @Deprecated
    public Page<PermittedUser> getUsersWithProjectPermission(@Nonnull Project project, @Nonnull PageRequest pageRequest) {
        return findUsersWithProjectPermission(project, pageRequest.getFilter(), pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<PermittedUser> findUsersWithProjectPermission(@Nonnull Project project, String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateProject(project);
        CommonValidations.validatePageRequest(pageRequest);
        return this.projectPermissionDao.findHighestPermissionPerUser(project.getId().intValue(), str, pageRequest);
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    @Deprecated
    public Page<? extends StashUser> getUsersWithoutProjectPermission(@Nonnull Project project, @Nonnull PageRequest pageRequest) {
        return findUsersWithoutProjectPermission(project, pageRequest.getFilter(), pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<StashUser> findUsersWithoutProjectPermission(@Nonnull final Project project, String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateProject(project);
        CommonValidations.validatePageRequest(pageRequest);
        return getUsersWithoutPermission(withoutUsers(new PageProvider<StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.5
            public Page<StashUser> get(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.projectPermissionDao.findUsersWithPermission(project.getId().intValue(), pageRequest2);
            }
        }), str, pageRequest);
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    @Deprecated
    public Page<PermittedGroup> getGroupsWithProjectPermission(@Nonnull Project project, @Nonnull PageRequest pageRequest) {
        return findGroupsWithProjectPermission(project, pageRequest.getFilter(), pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<PermittedGroup> findGroupsWithProjectPermission(@Nonnull Project project, String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateProject(project);
        CommonValidations.validatePageRequest(pageRequest);
        return this.projectPermissionDao.findHighestPermissionPerGroup(project.getId().intValue(), str, pageRequest);
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    @Deprecated
    public Page<String> getGroupsWithoutProjectPermission(@Nonnull Project project, @Nonnull PageRequest pageRequest) {
        return findGroupsWithoutProjectPermission(project, pageRequest.getFilter(), pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public Page<String> findGroupsWithoutProjectPermission(@Nonnull final Project project, String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateProject(project);
        CommonValidations.validatePageRequest(pageRequest);
        return getGroupsWithoutPermission(str, withoutGroups(new PageProvider<String>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.6
            public Page<String> get(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.projectPermissionDao.findGroupsWithPermission(project.getId().intValue(), pageRequest2);
            }
        }), pageRequest);
    }

    private Page<StashUser> getUsersWithoutPermission(Predicate<StashUser> predicate, String str, PageRequest pageRequest) {
        PageProvider<StashUser> createUserProvider = createUserProvider(str);
        UserPageFilter userPageFilter = new UserPageFilter(str);
        return PageUtils.filterPages(createUserProvider, Predicates.and(userPageFilter, predicate), pageRequest.buildRestrictedPageRequest(this.maxUsers));
    }

    private Page<String> getGroupsWithoutPermission(final String str, Predicate<String> predicate, PageRequest pageRequest) {
        PageProvider<String> pageProvider = new PageProvider<String>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.7
            public Page<String> get(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.userService.findGroupsByName(str, pageRequest2);
            }
        };
        GroupPageFilter groupPageFilter = new GroupPageFilter(str);
        return PageUtils.filterPages(pageProvider, Predicates.and(groupPageFilter, predicate), pageRequest.buildRestrictedPageRequest(this.maxGroups)).transform(IdentifierUtils.TO_LOWER_CASE);
    }

    @Nonnull
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public Page<PermittedUser> findUsersWithRepositoryPermission(@Nonnull Repository repository, @Nullable String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validatePageRequest(pageRequest);
        return this.repositoryPermissionDao.findHighestPermissionPerUser(repository.getId().intValue(), str, pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public Page<StashUser> findUsersWithoutRepositoryPermission(@Nonnull final Repository repository, @Nullable String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validatePageRequest(pageRequest);
        return getUsersWithoutPermission(withoutUsers(new PageProvider<StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.8
            public Page<StashUser> get(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.repositoryPermissionDao.findUsersWithPermission(repository.getId().intValue(), pageRequest2);
            }
        }), str, pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public Page<PermittedGroup> findGroupsWithRepositoryPermission(@Nonnull Repository repository, @Nullable String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validatePageRequest(pageRequest);
        return this.repositoryPermissionDao.findHighestPermissionPerGroup(repository.getId().intValue(), str, pageRequest);
    }

    @Nonnull
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public Page<String> findGroupsWithoutRepositoryPermission(@Nonnull final Repository repository, @Nullable String str, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validatePageRequest(pageRequest);
        return getGroupsWithoutPermission(str, withoutGroups(new PageProvider<String>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.9
            public Page<String> get(PageRequest pageRequest2) {
                return PermissionAdminServiceImpl.this.repositoryPermissionDao.findGroupsWithPermission(repository.getId().intValue(), pageRequest2);
            }
        }), pageRequest);
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGlobalPermissions(@Nonnull String str) {
        CommonValidations.validateGroup(str);
        if (this.permissionService.hasGlobalPermission(str, Permission.SYS_ADMIN) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.revoke.insufficient.permission", "You have insufficient permission to change {0}''s permissions", new Object[]{str}));
        }
        for (Permission permission : Permission.getGlobalPermissions()) {
            if (this.globalPermissionDao.hasPermissionEntry(buildPermission(permission, str, null))) {
                revokeGlobalPermission(permission, str);
            }
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGlobalPermissions(@Nonnull StashUser stashUser) {
        CommonValidations.validateUser(stashUser);
        if (this.permissionService.hasGlobalPermission(stashUser, Permission.SYS_ADMIN) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.revoke.insufficient.permission", "You have insufficient permission to change {0}''s permissions", new Object[]{stashUser.getDisplayName()}));
        }
        for (Permission permission : Permission.getGlobalPermissions()) {
            if (this.globalPermissionDao.hasPermissionEntry(buildPermission(permission, null, stashUser))) {
                revokeGlobalPermission(permission, stashUser);
            }
        }
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermissions(@Nonnull Project project, @Nonnull String str) {
        CommonValidations.validateProject(project);
        CommonValidations.validateGroup(str);
        Iterator it = Permission.getPermissionsOn(Project.class).iterator();
        while (it.hasNext()) {
            revokeProjectPermission((Permission) it.next(), project, str);
        }
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermissions(@Nonnull Project project, @Nonnull StashUser stashUser) {
        CommonValidations.validateProject(project);
        CommonValidations.validateUser(stashUser);
        Iterator it = Permission.getPermissionsOn(Project.class).iterator();
        while (it.hasNext()) {
            revokeProjectPermission((Permission) it.next(), project, stashUser);
        }
    }

    @Transactional
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public void revokeAllRepositoryPermissions(@Nonnull Repository repository, @Nonnull String str) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validateGroup(str);
        Iterator it = Permission.getPermissionsOn(Repository.class).iterator();
        while (it.hasNext()) {
            revokeRepositoryPermission((Permission) it.next(), repository, str);
        }
    }

    @Transactional
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public void revokeAllRepositoryPermissions(@Nonnull Repository repository, @Nonnull StashUser stashUser) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validateUser(stashUser);
        Iterator it = Permission.getPermissionsOn(Repository.class).iterator();
        while (it.hasNext()) {
            revokeRepositoryPermission((Permission) it.next(), repository, stashUser);
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN') and hasGlobalPermission(#permission)")
    public void setGlobalPermission(@Nonnull Permission permission, @Nonnull String str) {
        doSetPermission(new SetPermissionRequest.Builder().globalPermission(permission).group(str).build());
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void setProjectPermission(@Nonnull Project project, Permission permission, @Nonnull String str) {
        doSetPermission(new SetPermissionRequest.Builder().projectPermission(permission, project).group(str).build());
    }

    @Transactional
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public void setRepositoryPermission(@Nonnull Repository repository, Permission permission, @Nonnull String str) {
        doSetPermission(new SetPermissionRequest.Builder().repositoryPermission(permission, repository).group(str).build());
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN') and hasGlobalPermission(#permission)")
    public void setGlobalPermission(@Nonnull Permission permission, @Nonnull StashUser stashUser) {
        doSetPermission(new SetPermissionRequest.Builder().globalPermission(permission).user(stashUser).build());
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void setProjectPermission(@Nonnull Project project, @Nonnull Permission permission, @Nonnull StashUser stashUser) {
        doSetPermission(new SetPermissionRequest.Builder().projectPermission(permission, project).user(stashUser).build());
    }

    @Transactional
    @PreAuthorize("hasRepositoryPermission(#repository, 'REPO_ADMIN')")
    public void setRepositoryPermission(@Nonnull Repository repository, @Nonnull Permission permission, @Nonnull StashUser stashUser) {
        doSetPermission(new SetPermissionRequest.Builder().repositoryPermission(permission, repository).user(stashUser).build());
    }

    @Transactional
    @Secured("Permissions checks done internally")
    public void setPermission(@Nonnull SetPermissionRequest setPermissionRequest) {
        Permission permission = setPermissionRequest.getPermission();
        if ((permission.isGlobal() && !this.permissionService.hasGlobalPermission(Permission.max(permission, Permission.ADMIN))) || (permission.isResource(Project.class) && !this.permissionService.hasProjectPermission(setPermissionRequest.getProject(), Permission.PROJECT_ADMIN)) || (permission.isResource(Repository.class) && !this.permissionService.hasRepositoryPermission(setPermissionRequest.getRepository(), Permission.REPO_ADMIN))) {
            throw new AuthorisationException(this.i18nService.getKeyedText("stash.service.permissionadmin.usercannotgrantpermission", "You have insufficient permission to grant {0}", new Object[]{permission}));
        }
        doSetPermission(setPermissionRequest);
    }

    private void doSetPermission(@Nonnull SetPermissionRequest setPermissionRequest) {
        Permission permission = setPermissionRequest.getPermission();
        Project project = setPermissionRequest.getProject();
        Repository repository = setPermissionRequest.getRepository();
        Set<StashUser> users = setPermissionRequest.getUsers();
        Set<String> groups = setPermissionRequest.getGroups();
        CommonValidations.validateGrantablePermission(permission);
        if (permission.isGlobal()) {
            for (StashUser stashUser : users) {
                revokeAllGlobalPermissions(stashUser);
                grantGlobalPermission(permission, stashUser);
            }
            for (String str : groups) {
                revokeAllGlobalPermissions(str);
                grantGlobalPermission(permission, str);
            }
            return;
        }
        if (permission.isResource(Project.class)) {
            for (StashUser stashUser2 : users) {
                revokeAllProjectPermissions(project, stashUser2);
                grantPermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).user(InternalConverter.convertToInternalUser(stashUser2)).build());
            }
            for (String str2 : groups) {
                revokeAllProjectPermissions(project, str2);
                grantPermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).group(str2).build());
            }
            return;
        }
        if (!permission.isResource(Repository.class)) {
            throw new ServerException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotgrantunknownpermission", "{0} cannot grant unknown permission {1}", new Object[]{Product.NAME, permission}));
        }
        for (StashUser stashUser3 : users) {
            revokeAllRepositoryPermissions(repository, stashUser3);
            grantPermission(new InternalRepositoryPermission.Builder().permission(permission).repository(InternalConverter.convertToInternalRepository(repository)).user(InternalConverter.convertToInternalUser(stashUser3)).build());
        }
        for (String str3 : groups) {
            revokeAllRepositoryPermissions(repository, str3);
            grantPermission(new InternalRepositoryPermission.Builder().permission(permission).repository(InternalConverter.convertToInternalRepository(repository)).group(str3).build());
        }
    }

    private PageProvider<StashUser> createUserProvider(final String str) {
        return new PageProvider<StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.10
            public Page<StashUser> get(PageRequest pageRequest) {
                return PageUtils.asPageOf(StashUser.class, PermissionAdminServiceImpl.this.userService.findUsersByName(str, pageRequest));
            }
        };
    }

    @PreAuthorize("hasGlobalPermission('ADMIN') and hasGlobalPermission(#permission)")
    public boolean hasAllGlobalPermission(@Nonnull Permission permission) {
        CommonValidations.validateGlobalPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        return false;
    }

    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public boolean hasAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        CommonValidations.validateProjectPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        CommonValidations.validateProject(project);
        return this.projectPermissionDao.hasPermissionEntry(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).build());
    }

    private void grantGlobalPermission(@Nonnull Permission permission, @Nonnull StashUser stashUser) {
        this.licenseService.validateCanLicenseUser(stashUser, permission);
        grantPermission(buildPermission(permission, null, stashUser));
    }

    private void grantGlobalPermission(@Nonnull Permission permission, @Nonnull String str) {
        this.licenseService.validateCanLicenseGroup(str, permission);
        grantPermission(buildPermission(permission, str, null));
    }

    private void grantPermission(InternalGlobalPermission internalGlobalPermission) {
        if (this.globalPermissionDao.hasPermissionEntry(internalGlobalPermission)) {
            return;
        }
        this.globalPermissionDao.create(internalGlobalPermission);
        this.eventPublisher.publish(new GlobalPermissionGrantedEvent(this, internalGlobalPermission.getPermission(), internalGlobalPermission.getGroup(), internalGlobalPermission.getUser()));
    }

    private void grantPermission(InternalProjectPermission internalProjectPermission) {
        if (internalProjectPermission.getProject().getType() == ProjectType.PERSONAL) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.personalproject.grant", "You cannot grant project permissions on a personal project.", new Object[0]));
        }
        if (this.projectPermissionDao.hasPermissionEntry(internalProjectPermission)) {
            return;
        }
        this.projectPermissionDao.create(internalProjectPermission);
        this.eventPublisher.publish(new ProjectPermissionGrantedEvent(this, internalProjectPermission.getPermission(), internalProjectPermission.getProject(), internalProjectPermission.getGroup(), internalProjectPermission.getUser()));
    }

    private void grantPermission(InternalRepositoryPermission internalRepositoryPermission) {
        if (this.repositoryPermissionDao.hasPermissionEntry(internalRepositoryPermission)) {
            return;
        }
        this.repositoryPermissionDao.create(internalRepositoryPermission);
        this.eventPublisher.publish(new RepositoryPermissionGrantedEvent(this, internalRepositoryPermission.getPermission(), internalRepositoryPermission.getRepository(), internalRepositoryPermission.getGroup(), internalRepositoryPermission.getUser()));
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void grantAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        CommonValidations.validateProjectPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        CommonValidations.validateProject(project);
        grantPermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).build());
    }

    private void revokeRepositoryPermission(@Nonnull Permission permission, @Nonnull Repository repository, @Nonnull StashUser stashUser) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validateRepositoryPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        boolean z = !stashUser.equals(this.authenticationContext.getCurrentUser());
        if (!z) {
            z = currentUserHasImpliedRepositoryPermission(permission, repository);
        }
        if (!z) {
            z = this.permissionService.hasRepositoryPermissionThroughGroupMembership(repository, permission, Collections.emptySet());
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokeownrepositorypermission", "You cannot revoke permission on {0} as it would downgrade your own permissions.", new Object[]{repository.getName()}));
        }
        revokePermission(new InternalRepositoryPermission.Builder().permission(permission).repository(InternalConverter.convertToInternalRepository(repository)).user(InternalConverter.convertToInternalUser(stashUser)).build());
    }

    private void revokeRepositoryPermission(@Nonnull Permission permission, @Nonnull Repository repository, @Nonnull String str) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validateRepositoryPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        boolean z = currentUser == null || !this.userService.isUserInGroup(currentUser, str);
        if (!z) {
            z = currentUserHasImpliedRepositoryPermission(permission, repository);
        }
        if (!z) {
            z = this.permissionService.hasDirectRepositoryUserPermission(repository, permission);
        }
        if (!z) {
            z = this.permissionService.hasRepositoryPermissionThroughGroupMembership(repository, permission, Collections.singleton(str));
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokegrouprepositorypermission", "You cannot revoke the permission of group {1} on {0} as it would downgrade your own permissions.", new Object[]{repository.getName(), str}));
        }
        revokePermission(new InternalRepositoryPermission.Builder().permission(permission).repository(InternalConverter.convertToInternalRepository(repository)).group(str).build());
    }

    private boolean currentUserHasImpliedRepositoryPermission(Permission permission, final Repository repository) {
        return Iterables.any(permission.getImplyingPermissions(), new Predicate<Permission>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.11
            public boolean apply(Permission permission2) {
                if (permission2.isGlobal()) {
                    return PermissionAdminServiceImpl.this.permissionService.hasGlobalPermission(permission2);
                }
                if (permission2.isResource(Project.class)) {
                    return PermissionAdminServiceImpl.this.permissionService.hasProjectPermission(repository.getProject(), permission2);
                }
                if (permission2.isResource(Repository.class)) {
                    return PermissionAdminServiceImpl.this.permissionService.hasRepositoryPermission(repository, permission2);
                }
                return false;
            }
        });
    }

    private void revokeProjectPermission(@Nonnull Permission permission, @Nonnull Project project, @Nonnull StashUser stashUser) {
        boolean z = !stashUser.equals(this.authenticationContext.getCurrentUser());
        if (!z) {
            z = currentUserHasImpliedProjectPermission(permission, project);
        }
        if (!z) {
            z = this.permissionService.hasProjectPermissionThroughGroupMembership(project, permission, Collections.emptySet());
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokeownprojectpermission", "You cannot revoke permission on {0} as it would downgrade your own permissions.", new Object[]{project.getName()}));
        }
        revokePermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).user(InternalConverter.convertToInternalUser(stashUser)).build());
    }

    private void revokeProjectPermission(@Nonnull Permission permission, @Nonnull Project project, @Nonnull String str) {
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        boolean z = currentUser == null || !this.userService.isUserInGroup(currentUser, str);
        if (!z) {
            z = currentUserHasImpliedProjectPermission(permission, project);
        }
        if (!z) {
            z = this.permissionService.hasDirectProjectUserPermission(project, permission);
        }
        if (!z) {
            z = this.permissionService.hasProjectPermissionThroughGroupMembership(project, permission, Collections.singleton(str));
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokegroupprojectpermission", "You cannot revoke the permission of group {1} on {0} as it would downgrade your own permissions.", new Object[]{project.getName(), str}));
        }
        revokePermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).group(str).build());
    }

    private boolean currentUserHasImpliedProjectPermission(Permission permission, final Project project) {
        return Iterables.any(permission.getImplyingPermissions(), new Predicate<Permission>() { // from class: com.atlassian.stash.internal.user.PermissionAdminServiceImpl.12
            public boolean apply(Permission permission2) {
                if (permission2.isGlobal()) {
                    return PermissionAdminServiceImpl.this.permissionService.hasGlobalPermission(permission2);
                }
                if (permission2.isResource(Project.class)) {
                    return PermissionAdminServiceImpl.this.permissionService.hasProjectPermission(project, permission2);
                }
                return false;
            }
        });
    }

    private void revokeGlobalPermission(@Nonnull Permission permission, @Nonnull StashUser stashUser) {
        boolean z = !stashUser.equals(this.authenticationContext.getCurrentUser());
        if (!z) {
            Iterator it = permission.getImplyingPermissions().iterator();
            while (it.hasNext()) {
                z = this.permissionService.hasGlobalPermission((Permission) it.next());
                if (z) {
                    break;
                }
            }
        }
        if (!z) {
            z = this.permissionService.hasGlobalPermissionThroughGroupMembership(permission, Collections.emptySet());
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokeownpermission", "You cannot revoke this permission as it would downgrade your own permissions.", new Object[0]));
        }
        revokePermission(new InternalGlobalPermission.Builder().permission(permission).user(InternalConverter.convertToInternalUser(stashUser)).build());
    }

    private void revokePermission(InternalGlobalPermission internalGlobalPermission) {
        if (this.globalPermissionDao.revoke(internalGlobalPermission) > 0) {
            this.eventPublisher.publish(new GlobalPermissionRevokedEvent(this, internalGlobalPermission.getPermission(), internalGlobalPermission.getGroup(), internalGlobalPermission.getUser()));
        }
    }

    private void revokePermission(InternalProjectPermission internalProjectPermission) {
        if (internalProjectPermission.getProject().getType() == ProjectType.PERSONAL) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.personalproject.revoke", "You cannot revoke project permissions on a personal project.", new Object[0]));
        }
        if (this.projectPermissionDao.revoke(internalProjectPermission) > 0) {
            this.eventPublisher.publish(new ProjectPermissionRevokedEvent(this, internalProjectPermission.getPermission(), internalProjectPermission.getProject(), internalProjectPermission.getGroup(), internalProjectPermission.getUser()));
        }
    }

    private void revokePermission(InternalRepositoryPermission internalRepositoryPermission) {
        if (this.repositoryPermissionDao.revoke(internalRepositoryPermission) > 0) {
            this.eventPublisher.publish(new RepositoryPermissionRevokedEvent(this, internalRepositoryPermission.getPermission(), internalRepositoryPermission.getRepository(), internalRepositoryPermission.getGroup(), internalRepositoryPermission.getUser()));
        }
    }

    private void revokeGlobalPermission(@Nonnull Permission permission, @Nonnull String str) {
        InternalStashUser convertToInternalUser = InternalConverter.convertToInternalUser(this.authenticationContext.getCurrentUser());
        boolean z = convertToInternalUser == null || !this.userService.isUserInGroup(convertToInternalUser, str);
        if (!z) {
            Iterator it = permission.getImplyingPermissions().iterator();
            while (it.hasNext()) {
                z = this.permissionService.hasGlobalPermission((Permission) it.next());
                if (z) {
                    break;
                }
            }
        }
        if (!z) {
            z = this.permissionService.hasDirectGlobalUserPermission(permission);
        }
        if (!z) {
            z = this.permissionService.hasGlobalPermissionThroughGroupMembership(permission, Collections.singleton(str));
        }
        if (!z) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cantrevokegrouppermission", "You cannot revoke the permission of group {0} as it would downgrade your own permissions.", new Object[]{str}));
        }
        revokePermission(new InternalGlobalPermission.Builder().permission(permission).group(str).build());
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermission(@Nonnull Permission permission, @Nonnull Project project) {
        CommonValidations.validateProjectPermission(permission);
        CommonValidations.validateGrantablePermission(permission);
        CommonValidations.validateProject(project);
        revokePermission(new InternalProjectPermission.Builder().permission(permission).project(InternalConverter.convertToInternalProject(project)).build());
    }

    @Transactional
    @PreAuthorize("hasProjectPermission(#project, 'PROJECT_ADMIN')")
    public void revokeAllProjectPermissions(@Nonnull Project project) {
        CommonValidations.validateProject(project);
        if (project.getType() == ProjectType.PERSONAL) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.personalproject.revokeall", "You cannot revoke all project permissions on a personal project.", new Object[0]));
        }
        this.projectPermissionDao.revokeAllForProject(project.getId().intValue());
    }

    @Transactional
    @PreAuthorize("not isCurrentUser(#username) and (hasGlobalPermission('SYS_ADMIN') or (hasGlobalPermission('ADMIN') and not hasGlobalPermission(#username, 'SYS_ADMIN')))")
    public void revokeAllUserPermissions(@Nonnull String str) {
        CommonValidations.validateUser(str);
        StashUser userByName = this.userService.getUserByName(str, true);
        if (userByName != null) {
            this.globalPermissionDao.revokeAll(userByName.getId().intValue());
            this.projectPermissionDao.revokeAll(userByName.getId().intValue());
            this.repositoryPermissionDao.revokeAll(userByName.getId().intValue());
        }
    }

    @Transactional
    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void revokeAllGroupPermissions(@Nonnull String str) {
        CommonValidations.validateGroup(str);
        canRemovePermissionsFromGroup(str);
        this.globalPermissionDao.revokeAll(str);
        this.projectPermissionDao.revokeAll(str);
        this.repositoryPermissionDao.revokeAll(str);
    }

    private void canRemovePermissionsFromGroup(String str) {
        try {
            canDeleteGroup(str);
        } catch (ForbiddenException e) {
            throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotdeletegroup", "You cannot remove the permissions of the group {0} as it has System Administrator privileges, and you are not a System Administrator.", new Object[]{str}));
        } catch (IntegrityException e2) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotremovepermissionsgroup", "You cannot remove the permissions of this group as it would remove your own privileges.", new Object[0]));
        }
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canRemoveUserFromGroup(@Nonnull String str, @Nonnull String str2) {
        CommonValidations.validateUser(str);
        CommonValidations.validateGroup(str2);
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser == null || !IdentifierUtils.equalsInLowerCase(currentUser.getName(), str)) {
            if (this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str2) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
                throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotremoveuser", "You cannot remove {0} from the group {1} as it has System Administrator privileges, and you are not a System Administrator.", new Object[]{str, str2}));
            }
        } else if (this.userService.isUserInGroup(currentUser, str2) && !canRemoveCurrentUserFromGroup(str2)) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotremoveself", "You cannot remove yourself from this group as it would remove your own privilege.", new Object[0]));
        }
    }

    private boolean canRemoveCurrentUserFromGroup(String str) {
        return this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str) ? this.permissionService.hasDirectGlobalUserPermission(Permission.SYS_ADMIN) || this.permissionService.hasGlobalPermissionThroughGroupMembership(Permission.SYS_ADMIN, Collections.singleton(str)) : !this.permissionService.hasGlobalGroupPermission(Permission.ADMIN, str) || this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) || this.permissionService.hasDirectGlobalUserPermission(Permission.ADMIN) || this.permissionService.hasGlobalPermissionThroughGroupMembership(Permission.ADMIN, Collections.singleton(str));
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canAddUserToGroup(@Nonnull String str) {
        CommonValidations.validateGroup(str);
        if (!this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) && this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str)) {
            throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotaddusertogroup", "You cannot add a user to the group {0} as it has System Administrator privileges, and you are not a System Administrator.", new Object[]{str}));
        }
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canDeleteGroup(@Nonnull String str) {
        CommonValidations.validateGroup(str);
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser != null && this.userService.isUserInGroup(currentUser, str)) {
            if (!canRemoveCurrentUserFromGroup(str)) {
                throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotremovegroup", "You cannot remove this group as it would remove your own privileges.", new Object[0]));
            }
        } else if (!this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN) && this.permissionService.hasGlobalGroupPermission(Permission.SYS_ADMIN, str)) {
            throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotdeletegroup", "You cannot remove the group {0} as it has System Administrator privileges, and you are not a System Administrator.", new Object[]{str}));
        }
    }

    @PreAuthorize("hasGlobalPermission('ADMIN')")
    public void canDeleteUser(@Nonnull String str) {
        CommonValidations.validateUser(str);
        StashUser currentUser = this.authenticationContext.getCurrentUser();
        if (currentUser != null && IdentifierUtils.equalsInLowerCase(currentUser.getName(), str)) {
            throw new IntegrityException(this.i18nService.getKeyedText("stash.service.permissionadmin.selfdelete", "You cannot delete yourself.", new Object[0]));
        }
        StashUser userByName = this.userService.getUserByName(str);
        if (userByName != null && this.permissionService.hasGlobalPermission(userByName, Permission.SYS_ADMIN) && !this.permissionService.hasGlobalPermission(Permission.SYS_ADMIN)) {
            throw new ForbiddenException(this.i18nService.getKeyedText("stash.service.permissionadmin.cannotdeleteuser", "You cannot delete the user {0} as they have System Administrator privileges, and you are not a System Administrator.", new Object[]{userByName.getName()}));
        }
    }

    @EventListener
    public void onGroupDeleted(GroupCleanupEvent groupCleanupEvent) {
        this.globalPermissionDao.revokeAll(groupCleanupEvent.getGroup());
        this.projectPermissionDao.revokeAll(groupCleanupEvent.getGroup());
        this.repositoryPermissionDao.revokeAll(groupCleanupEvent.getGroup());
    }

    @EventListener
    public void onUserDeleted(UserCleanupEvent userCleanupEvent) {
        this.globalPermissionDao.revokeAll(userCleanupEvent.getDeletedUser().getId().intValue());
        this.projectPermissionDao.revokeAll(userCleanupEvent.getDeletedUser().getId().intValue());
        this.repositoryPermissionDao.revokeAll(userCleanupEvent.getDeletedUser().getId().intValue());
    }

    private InternalGlobalPermission buildPermission(Permission permission, String str, StashUser stashUser) {
        return new InternalGlobalPermission.Builder().permission(permission).user(InternalConverter.convertToInternalUser(stashUser)).group(str).build();
    }

    @VisibleForTesting
    static Predicate<String> withoutGroups(PageProvider<String> pageProvider) {
        return Predicates.not(new InIteratorPredicate(CASE_INSENSITIVE_COMPARATOR, new PagedIterable(pageProvider, 500).iterator()));
    }

    @VisibleForTesting
    static Predicate<StashUser> withoutUsers(PageProvider<StashUser> pageProvider) {
        return Predicates.not(new InIteratorPredicate(CASE_INSENSITIVE_NAME_COMPARATOR, new PagedIterable(pageProvider, 500).iterator()));
    }
}
