package com.atlassian.stash.internal.user;

import com.atlassian.crowd.embedded.impl.IdentifierUtils;
import com.atlassian.crowd.manager.recovery.RecoveryModeService;
import com.atlassian.plugin.spring.AvailableToPlugins;
import com.atlassian.stash.internal.AbstractService;
import com.atlassian.stash.internal.CommonValidations;
import com.atlassian.stash.internal.config.Feature;
import com.atlassian.stash.internal.config.FeatureManager;
import com.atlassian.stash.internal.project.ProjectDao;
import com.atlassian.stash.internal.repository.RepositoryDao;
import com.atlassian.stash.internal.user.GroupPermissionCriteria;
import com.atlassian.stash.internal.user.UserPermissionCriteria;
import com.atlassian.stash.project.Project;
import com.atlassian.stash.repository.Repository;
import com.atlassian.stash.user.Permission;
import com.atlassian.stash.user.PermissionService;
import com.atlassian.stash.user.StashUser;
import com.atlassian.stash.user.UserService;
import com.atlassian.stash.user.UserType;
import com.atlassian.stash.util.Page;
import com.atlassian.stash.util.PageProvider;
import com.atlassian.stash.util.PageRequest;
import com.atlassian.stash.util.PageRequestImpl;
import com.atlassian.stash.util.PageUtils;
import com.atlassian.stash.util.PagedIterable;
import com.atlassian.stash.util.Timer;
import com.atlassian.stash.util.TimerUtils;
import com.atlassian.stash.util.UserUtils;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Functions;
import com.google.common.base.Preconditions;
import com.google.common.collect.Collections2;
import com.google.common.collect.Iterables;
import com.google.common.collect.Iterators;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.google.common.primitives.Ints;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

@AvailableToPlugins(PermissionService.class)
@Service("permissionService")
/* loaded from: input_file:com/atlassian/stash/internal/user/PermissionServiceImpl.class */
public class PermissionServiceImpl extends AbstractService implements InternalPermissionService {
    public static final int GROUP_PAGESIZE = 1000;
    public static final String GROUP_PERMISSION_SEARCH = "Group Permission Search";
    public static final int USER_GROUP_PAGE_LIMIT = 500;
    private static final Logger log = LoggerFactory.getLogger(PermissionServiceImpl.class);
    private final InternalStashAuthenticationContext authenticationContext;
    private final EffectivePermissionDao effectivePermissionDao;
    private final FeatureManager featureManager;
    private final PermissionGraphFactory permissionGraphFactory;
    private final ProjectDao projectDao;
    private final RecoveryModeService recoveryModeService;
    private final RepositoryDao repositoryDao;
    private final RepositoryPermissionDao repositoryPermissionDao;
    private final UserService userService;

    @Value("${page.max.users}")
    private int maxUserPageSize;

    @Autowired
    public PermissionServiceImpl(InternalStashAuthenticationContext internalStashAuthenticationContext, EffectivePermissionDao effectivePermissionDao, FeatureManager featureManager, PermissionGraphFactory permissionGraphFactory, ProjectDao projectDao, RecoveryModeService recoveryModeService, RepositoryDao repositoryDao, RepositoryPermissionDao repositoryPermissionDao, UserService userService) {
        this.authenticationContext = internalStashAuthenticationContext;
        this.effectivePermissionDao = effectivePermissionDao;
        this.featureManager = featureManager;
        this.permissionGraphFactory = permissionGraphFactory;
        this.projectDao = projectDao;
        this.recoveryModeService = recoveryModeService;
        this.repositoryDao = repositoryDao;
        this.repositoryPermissionDao = repositoryPermissionDao;
        this.userService = userService;
    }

    public boolean hasGlobalPermission(String str, @Nonnull Permission permission) {
        return hasGlobalPermission(str == null ? null : findUserByName(str), permission);
    }

    public boolean hasGlobalPermission(StashUser stashUser, @Nonnull Permission permission) {
        CommonValidations.validateGlobalPermission(permission);
        return hasPermission(stashUser, (Object) null, permission);
    }

    public boolean hasGlobalPermission(StashUserAuthenticationToken stashUserAuthenticationToken, Permission permission) {
        CommonValidations.validateGlobalPermission(permission);
        return hasPermission(stashUserAuthenticationToken, (Object) null, permission);
    }

    public boolean hasGlobalPermission(@Nonnull Permission permission) {
        return hasGlobalPermission(this.authenticationContext.getCurrentToken(), permission);
    }

    public boolean hasAnyUserPermission(@Nonnull StashUser stashUser, @Nonnull Permission permission) {
        CommonValidations.validateUser(stashUser);
        CommonValidations.validateResourcePermission(permission);
        return hasPermission(stashUser, (Object) null, permission);
    }

    private boolean hasAnyUserPermission(StashUserAuthenticationToken stashUserAuthenticationToken, Permission permission) {
        CommonValidations.validateResourcePermission(permission);
        return hasPermission(stashUserAuthenticationToken, (Object) null, permission);
    }

    public boolean hasAnyUserPermission(@Nonnull Permission permission) {
        StashUserAuthenticationToken currentToken = this.authenticationContext.getCurrentToken();
        return currentToken != null && hasAnyUserPermission(currentToken, permission);
    }

    public boolean hasProjectPermission(StashUser stashUser, @Nonnull Project project, @Nonnull Permission permission) {
        CommonValidations.validateProject(project);
        CommonValidations.validateProjectPermission(permission);
        return hasPermission(stashUser, project, permission);
    }

    private boolean hasProjectPermission(StashUserAuthenticationToken stashUserAuthenticationToken, Project project, Permission permission) {
        CommonValidations.validateProject(project);
        CommonValidations.validateProjectPermission(permission);
        return hasPermission(stashUserAuthenticationToken, project, permission);
    }

    public boolean hasProjectPermission(@Nonnull Project project, @Nonnull Permission permission) {
        return hasProjectPermission(this.authenticationContext.getCurrentToken(), project, permission);
    }

    public boolean hasProjectPermission(int i, @Nonnull Permission permission) {
        return hasProjectPermission(this.authenticationContext.getCurrentToken(), i, permission);
    }

    public boolean hasProjectPermission(StashUser stashUser, int i, @Nonnull Permission permission) {
        CommonValidations.validateProjectPermission(permission);
        return hasPermission(stashUser, (Project) this.projectDao.getById(Integer.valueOf(i)), permission);
    }

    private boolean hasProjectPermission(StashUserAuthenticationToken stashUserAuthenticationToken, int i, Permission permission) {
        CommonValidations.validateProjectPermission(permission);
        return hasPermission(stashUserAuthenticationToken, (Project) this.projectDao.getById(Integer.valueOf(i)), permission);
    }

    @Nonnull
    private PermissionGraph getPermissionGraph(@Nonnull StashUserAuthenticationToken stashUserAuthenticationToken) {
        PermissionGraph permissions = stashUserAuthenticationToken.getPermissions();
        if (permissions == null) {
            permissions = createPermissionGraph(stashUserAuthenticationToken.getPrincipal());
            stashUserAuthenticationToken.setPermissions(permissions);
        }
        return permissions;
    }

    @Nonnull
    private PermissionGraph createPermissionGraph(@Nonnull StashUser stashUser) {
        CommonValidations.validateUser(stashUser);
        return this.permissionGraphFactory.createGraph(stashUser);
    }

    @VisibleForTesting
    PartitionedGroups getAllGroups(final String str) {
        return partitionGroups(new PagedIterable<>(new PageProvider<String>() { // from class: com.atlassian.stash.internal.user.PermissionServiceImpl.1
            public Page<String> get(PageRequest pageRequest) {
                return PermissionServiceImpl.this.userService.findGroupsByUser(str, pageRequest);
            }
        }, new PageRequestImpl(0, 500)), 500);
    }

    private PartitionedGroups partitionGroups(final PagedIterable<String> pagedIterable, final int i) {
        return new PartitionedGroups() { // from class: com.atlassian.stash.internal.user.PermissionServiceImpl.2
            public Iterator<Collection<String>> iterator() {
                Iterator it = pagedIterable.iterator();
                return !it.hasNext() ? Collections.singletonList(Collections.emptyList()).iterator() : Iterators.partition(it, i);
            }
        };
    }

    private boolean hasPermission(StashUserAuthenticationToken stashUserAuthenticationToken, Object obj, Permission permission) {
        if (stashUserAuthenticationToken == null) {
            return false;
        }
        return stashUserAuthenticationToken.isGranted(permission, obj) || hasPermission(stashUserAuthenticationToken.getPrincipal(), obj, permission);
    }

    private boolean hasPermission(@Nullable StashUser stashUser, @Nullable Object obj, @Nonnull Permission permission) {
        log.trace("user = {}, resource = {}, requested permission = {}", new Object[]{stashUser, obj, permission});
        if (isNullOrInactive(stashUser)) {
            return false;
        }
        if (this.recoveryModeService.isRecoveryModeOn() && stashUser.getName().equals(this.recoveryModeService.getRecoveryUsername())) {
            return true;
        }
        return (stashUser.equals(this.authenticationContext.getCurrentUser()) ? getPermissionGraph(this.authenticationContext.getCurrentToken()) : createPermissionGraph(stashUser)).isGranted(permission, obj) || (permission == Permission.REPO_READ && obj != null && isPubliclyAccessible((Repository) obj)) || (permission == Permission.PROJECT_VIEW && obj != null && isPubliclyAccessible((Project) obj));
    }

    public boolean hasDirectGlobalUserPermission(@Nonnull Permission permission) {
        CommonValidations.validateGlobalPermission(permission);
        return hasDirectUserPermission(this.authenticationContext.getCurrentToken(), (Object) null, permission);
    }

    public boolean hasDirectProjectUserPermission(@Nonnull Project project, @Nonnull Permission permission) {
        CommonValidations.validateProject(project);
        CommonValidations.validateProjectPermission(permission);
        return hasDirectUserPermission(this.authenticationContext.getCurrentToken(), project, permission);
    }

    public boolean hasDirectRepositoryUserPermission(@Nonnull Repository repository, @Nonnull Permission permission) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validateRepositoryPermission(permission);
        return hasDirectUserPermission(this.authenticationContext.getCurrentToken(), repository, permission);
    }

    private boolean hasDirectUserPermission(StashUserAuthenticationToken stashUserAuthenticationToken, Object obj, Permission permission) {
        return stashUserAuthenticationToken != null && hasDirectUserPermission(stashUserAuthenticationToken.getPrincipal(), obj, permission);
    }

    private boolean hasDirectUserPermission(StashUser stashUser, Object obj, Permission permission) {
        Integer id;
        if (isNullOrInactive(stashUser) || (id = stashUser.getId()) == null) {
            return false;
        }
        boolean isGrantedToUser = this.effectivePermissionDao.isGrantedToUser(((UserPermissionCriteria.Builder) ((UserPermissionCriteria.Builder) new UserPermissionCriteria.Builder(id.intValue()).permission(permission)).resource(obj)).build());
        if (isGrantedToUser) {
            log.trace("{}: {}, or an inheriting permission, has been explicit granted", stashUser.getName(), permission);
        } else {
            log.trace("{}: {} has not been explicitly granted", stashUser.getName(), permission);
        }
        return isGrantedToUser;
    }

    public boolean hasGlobalGroupPermission(@Nonnull Permission permission, @Nonnull String str) {
        CommonValidations.validateGlobalPermission(permission);
        CommonValidations.validateGroup(str);
        return this.effectivePermissionDao.isGrantedToGroup(((GroupPermissionCriteria.Builder) new GroupPermissionCriteria.Builder(str).permission(permission)).build());
    }

    public boolean isProjectAccessible(@Nonnull Project project) {
        CommonValidations.validateProject(project);
        return hasProjectPermission(project, Permission.PROJECT_VIEW) || isPubliclyAccessible(project);
    }

    public boolean isProjectAccessible(int i) {
        Project project = (Project) this.projectDao.getById(Integer.valueOf(i));
        return project != null && isProjectAccessible(project);
    }

    public boolean isRepositoryAccessible(@Nonnull Repository repository) {
        CommonValidations.validateRepository(repository);
        return hasRepositoryPermission(repository, Permission.REPO_READ) || isPubliclyAccessible(repository);
    }

    public boolean isRepositoryAccessible(int i) {
        Repository repository = (Repository) this.repositoryDao.getById(Integer.valueOf(i));
        return repository != null && isRepositoryAccessible(repository);
    }

    @Transactional(propagation = Propagation.SUPPORTS)
    public boolean isPubliclyAccessible(@Nonnull Repository repository) {
        CommonValidations.validateRepository(repository);
        return this.featureManager.isEnabled(Feature.PUBLIC_ACCESS) && (repository.isPublic() || repository.getProject().isPublic());
    }

    public boolean isPubliclyAccessible(@Nonnull Project project) {
        CommonValidations.validateProject(project);
        return this.featureManager.isEnabled(Feature.PUBLIC_ACCESS) && (project.isPublic() || this.repositoryDao.countPublicByProject(project.getId().intValue()) > 0);
    }

    @Nonnull
    public Page<StashUser> getGrantedUsers(@Nonnull Permission permission, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateGlobalPermission(permission);
        CommonValidations.validatePageRequest(pageRequest);
        return this.effectivePermissionDao.findUsers(permission, pageRequest, UserUtils.IS_ACTIVE);
    }

    @Nonnull
    public Page<String> getGrantedGroups(@Nonnull Permission permission, @Nonnull PageRequest pageRequest) {
        CommonValidations.validateGlobalPermission(permission);
        CommonValidations.validatePageRequest(pageRequest);
        return this.effectivePermissionDao.findGroups(permission, pageRequest);
    }

    public boolean hasGlobalPermissionThroughGroupMembership(@Nonnull Permission permission, @Nonnull Set<String> set) {
        CommonValidations.validateGlobalPermission(permission);
        CommonValidations.validateGroups(set);
        return hasPermissionsThroughGroup(this.authenticationContext.getCurrentToken(), null, permission, set);
    }

    public boolean hasProjectPermissionThroughGroupMembership(@Nonnull Project project, @Nonnull Permission permission, @Nonnull Set<String> set) {
        CommonValidations.validateProject(project);
        CommonValidations.validateProjectPermission(permission);
        CommonValidations.validateGroups(set);
        return hasPermissionsThroughGroup(this.authenticationContext.getCurrentToken(), project, permission, set);
    }

    public boolean hasRepositoryPermissionThroughGroupMembership(@Nonnull Repository repository, @Nonnull Permission permission, @Nonnull Set<String> set) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validateRepositoryPermission(permission);
        CommonValidations.validateGroups(set);
        return hasPermissionsThroughGroup(this.authenticationContext.getCurrentToken(), repository, permission, set);
    }

    private boolean hasPermissionsThroughGroup(Principal principal, Object obj, Permission permission, Set<String> set) {
        String name = principal.getName();
        Timer start = TimerUtils.start(GROUP_PERMISSION_SEARCH);
        Throwable th = null;
        try {
            Page findGroupsByUser = this.userService.findGroupsByUser(name, PageUtils.newRequest(0, 500));
            while (true) {
                HashSet newHashSet = Sets.newHashSet(findGroupsByUser.getValues());
                Iterables.removeAll(newHashSet, Collections2.transform(set, IdentifierUtils.TO_LOWER_CASE));
                if (newHashSet.isEmpty()) {
                    log.trace("All groups on the page have been excluded");
                } else {
                    log.trace("Testing for permission against {} groups", Integer.valueOf(newHashSet.size()));
                    if (this.effectivePermissionDao.isGrantedToGroup(((GroupPermissionCriteria.Builder) ((GroupPermissionCriteria.Builder) new GroupPermissionCriteria.Builder(newHashSet).permission(permission)).resource(obj)).build())) {
                        log.trace("{}: Permission {} granted by group membership", name, permission);
                        if (start != null) {
                            if (0 != 0) {
                                try {
                                    start.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                start.close();
                            }
                        }
                        return true;
                    }
                }
                if (findGroupsByUser.getIsLastPage()) {
                    log.trace("{}: All group memberships have been exhausted", name);
                    log.trace("permission not granted by any group membership");
                    if (start != null) {
                        if (0 != 0) {
                            try {
                                start.close();
                            } catch (Throwable th3) {
                                th.addSuppressed(th3);
                            }
                        } else {
                            start.close();
                        }
                    }
                    return false;
                }
                log.trace("{}: Loading next page of groups", name);
                findGroupsByUser = this.userService.findGroupsByUser(name, findGroupsByUser.getNextPageRequest());
            }
        } catch (Throwable th4) {
            if (start != null) {
                if (0 != 0) {
                    try {
                        start.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    start.close();
                }
            }
            throw th4;
        }
    }

    public boolean hasRepositoryPermission(StashUser stashUser, @Nonnull Repository repository, @Nonnull Permission permission) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validateRepositoryPermission(permission);
        return hasPermission(stashUser, repository, permission);
    }

    private boolean hasRepositoryPermission(StashUserAuthenticationToken stashUserAuthenticationToken, Repository repository, Permission permission) {
        CommonValidations.validateRepository(repository);
        CommonValidations.validateRepositoryPermission(permission);
        return hasPermission(stashUserAuthenticationToken, repository, permission);
    }

    public boolean hasRepositoryPermission(StashUser stashUser, int i, @Nonnull Permission permission) {
        return hasRepositoryPermission(stashUser, (Repository) this.repositoryDao.getById(Integer.valueOf(i)), permission);
    }

    private boolean hasRepositoryPermission(StashUserAuthenticationToken stashUserAuthenticationToken, int i, Permission permission) {
        return hasRepositoryPermission(stashUserAuthenticationToken, (Repository) this.repositoryDao.getById(Integer.valueOf(i)), permission);
    }

    public boolean hasRepositoryPermission(@Nonnull Repository repository, @Nonnull Permission permission) {
        return hasRepositoryPermission(this.authenticationContext.getCurrentToken(), repository, permission);
    }

    public boolean hasRepositoryPermission(int i, @Nonnull Permission permission) {
        return hasRepositoryPermission(this.authenticationContext.getCurrentToken(), i, permission);
    }

    @Nonnull
    public Set<String> getUsersWithPermission(@Nonnull final Permission permission) {
        CommonValidations.validateGlobalPermission(permission);
        HashSet hashSet = new HashSet();
        Iterables.addAll(hashSet, Iterables.transform(Iterables.filter(new PagedIterable(new PageProvider<StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionServiceImpl.3
            public Page<StashUser> get(PageRequest pageRequest) {
                return PermissionServiceImpl.this.getGrantedUsers(permission, pageRequest);
            }
        }, this.maxUserPageSize), UserUtils.IS_ACTIVE), Functions.compose(IdentifierUtils.TO_LOWER_CASE, UserUtils.TO_USERNAME)));
        for (final String str : new PagedIterable(new PageProvider<String>() { // from class: com.atlassian.stash.internal.user.PermissionServiceImpl.4
            public Page<String> get(PageRequest pageRequest) {
                return PermissionServiceImpl.this.getGrantedGroups(permission, pageRequest);
            }
        }, GROUP_PAGESIZE)) {
            Iterables.addAll(hashSet, Iterables.transform(Iterables.filter(new PagedIterable(new PageProvider<StashUser>() { // from class: com.atlassian.stash.internal.user.PermissionServiceImpl.5
                public Page<StashUser> get(PageRequest pageRequest) {
                    return PageUtils.asPageOf(StashUser.class, PermissionServiceImpl.this.userService.findUsersByGroup(str, pageRequest));
                }
            }, this.maxUserPageSize), UserUtils.IS_ACTIVE), Functions.compose(IdentifierUtils.TO_LOWER_CASE, UserUtils.TO_USERNAME)));
        }
        return hashSet;
    }

    public int getCountOfAccessibleRepositories(@Nonnull Project project) {
        CommonValidations.validateProject(project);
        StashUserAuthenticationToken currentToken = this.authenticationContext.getCurrentToken();
        if (hasProjectPermission(currentToken, project, Permission.PROJECT_READ)) {
            return Ints.saturatedCast(this.repositoryDao.countByProject(((Project) Preconditions.checkNotNull(project, "project")).getId().intValue()));
        }
        if (currentToken == null || currentToken.getPrincipal() == null) {
            return 0;
        }
        StashUser principal = currentToken.getPrincipal();
        return Ints.saturatedCast(this.repositoryPermissionDao.countWithPermission(principal.getId().intValue(), getAllGroups(principal.getName()), project.getId().intValue()));
    }

    public Permission getHighestGlobalPermission(StashUser stashUser) {
        if (isNullOrInactive(stashUser)) {
            return null;
        }
        for (Permission permission : getOrderedGlobalPermissions()) {
            if (hasGlobalPermission(stashUser, permission)) {
                return permission;
            }
        }
        return null;
    }

    public Permission getHighestGlobalPermission(String str) {
        StashUser findUserByName = str != null ? findUserByName(str) : null;
        if (findUserByName != null) {
            return getHighestGlobalPermission(findUserByName);
        }
        return null;
    }

    public Permission getHighestGlobalGroupPermission(String str) {
        if (str == null) {
            return null;
        }
        for (Permission permission : getOrderedGlobalPermissions()) {
            if (hasGlobalGroupPermission(permission, str)) {
                return permission;
            }
        }
        return null;
    }

    private boolean isNullOrInactive(StashUser stashUser) {
        return stashUser == null || (!stashUser.isActive() && stashUser.getType() == UserType.NORMAL);
    }

    private StashUser findUserByName(String str) {
        return this.userService.getUserByName(str);
    }

    private List<Permission> getOrderedGlobalPermissions() {
        ArrayList newArrayList = Lists.newArrayList(Permission.getGlobalPermissions());
        Collections.sort(newArrayList, new Comparator<Permission>() { // from class: com.atlassian.stash.internal.user.PermissionServiceImpl.6
            @Override // java.util.Comparator
            public int compare(Permission permission, Permission permission2) {
                if (permission == permission2) {
                    return 0;
                }
                if (permission.getWeight() < permission2.getWeight()) {
                    return 1;
                }
                return permission.getWeight() > permission2.getWeight() ? -1 : 0;
            }
        });
        return newArrayList;
    }
}
