package com.google.gerrit.server.git;

import com.google.gerrit.common.Nullable;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.Branch;
import com.google.gerrit.reviewdb.client.Change;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.reviewdb.client.RefNames;
import com.google.gerrit.reviewdb.server.ReviewDb;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.notedb.ChangeNotes;
import com.google.gerrit.server.permissions.ChangePermission;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.ProjectPermission;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gerrit.server.project.ProjectControl;
import com.google.gerrit.server.project.ProjectState;
import com.google.gerrit.server.query.change.ChangeData;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.assistedinject.Assisted;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.lib.SymbolicRef;
import org.eclipse.jgit.revwalk.RevWalk;
import org.eclipse.jgit.transport.AbstractAdvertiseRefsHook;
import org.eclipse.jgit.transport.ServiceMayNotContinueException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/google/gerrit/server/git/VisibleRefFilter.class */
public class VisibleRefFilter extends AbstractAdvertiseRefsHook {
    private static final Logger log = LoggerFactory.getLogger(VisibleRefFilter.class);
    private final TagCache tagCache;
    private final ChangeNotes.Factory changeNotesFactory;

    @Nullable
    private final SearchingChangeCacheImpl changeCache;
    private final Provider<ReviewDb> db;
    private final Provider<CurrentUser> user;
    private final PermissionBackend permissionBackend;
    private final PermissionBackend.ForProject perm;
    private final ProjectState projectState;
    private final Repository git;
    private ProjectControl projectCtl;
    private boolean showMetadata = true;
    private String userEditPrefix;
    private Map<Change.Id, Branch.NameKey> visibleChanges;

    /* loaded from: input_file:com/google/gerrit/server/git/VisibleRefFilter$Factory.class */
    public interface Factory {
        VisibleRefFilter create(ProjectState projectState, Repository repository);
    }

    @Inject
    VisibleRefFilter(TagCache tagCache, ChangeNotes.Factory factory, @Nullable SearchingChangeCacheImpl searchingChangeCacheImpl, Provider<ReviewDb> provider, Provider<CurrentUser> provider2, PermissionBackend permissionBackend, @Assisted ProjectState projectState, @Assisted Repository repository) {
        this.tagCache = tagCache;
        this.changeNotesFactory = factory;
        this.changeCache = searchingChangeCacheImpl;
        this.db = provider;
        this.user = provider2;
        this.permissionBackend = permissionBackend;
        this.perm = permissionBackend.user(provider2).database(provider).project(projectState.getProject().getNameKey());
        this.projectState = projectState;
        this.git = repository;
    }

    public VisibleRefFilter setShowMetadata(boolean z) {
        this.showMetadata = z;
        return this;
    }

    public Map<String, Ref> filter(Map<String, Ref> map, boolean z) {
        Account.Id id;
        boolean z2;
        if (this.projectState.isAllUsers()) {
            map = addUsersSelfSymref(map);
        }
        PermissionBackend.WithUser user = this.permissionBackend.user(this.user);
        PermissionBackend.ForProject project = user.project(this.projectState.getNameKey());
        if (!this.projectState.isAllUsers()) {
            if (checkProjectPermission(project, ProjectPermission.READ)) {
                return map;
            }
            if (checkProjectPermission(project, ProjectPermission.READ_NO_CONFIG)) {
                return fastHideRefsMetaConfig(map);
            }
        }
        if (this.user.get().isIdentifiedUser()) {
            z2 = user.testOrFalse(GlobalPermission.ACCESS_DATABASE);
            id = this.user.get().asIdentifiedUser().getAccountId();
            this.userEditPrefix = RefNames.refsEditPrefix(id);
        } else {
            id = null;
            z2 = false;
        }
        HashMap hashMap = new HashMap();
        ArrayList<Ref> arrayList = new ArrayList();
        this.projectCtl = this.projectState.controlFor(this.user.get());
        for (Ref ref : map.values()) {
            String name = ref.getName();
            if (!name.startsWith(RefNames.REFS_CACHE_AUTOMERGE) && (this.showMetadata || !isMetadata(name))) {
                if (!RefNames.isRefsEdit(name)) {
                    Change.Id fromRef = Change.Id.fromRef(name);
                    if (fromRef == null) {
                        Account.Id fromRef2 = Account.Id.fromRef(name);
                        if (fromRef2 != null) {
                            if (z2 || (fromRef2.equals(id) && canReadRef(name))) {
                                hashMap.put(name, ref);
                            }
                        } else if (isTag(ref)) {
                            if (ref.getObjectId() != null) {
                                arrayList.add(ref);
                            }
                        } else if (name.startsWith(RefNames.REFS_SEQUENCES)) {
                            if (z2) {
                                hashMap.put(name, ref);
                            }
                        } else if (this.projectState.isAllUsers() && name.equals(RefNames.REFS_EXTERNAL_IDS)) {
                            if (z2) {
                                hashMap.put(name, ref);
                            }
                        } else if (canReadRef(ref.getLeaf().getName())) {
                            hashMap.put(name, ref);
                        } else if (isRefsUsersSelf(ref) && z2) {
                            hashMap.put(name, ref);
                        }
                    } else if (z2 || visible(fromRef)) {
                        hashMap.put(name, ref);
                    }
                } else if (z2 || visibleEdit(name)) {
                    hashMap.put(name, ref);
                }
            }
        }
        if (!arrayList.isEmpty() && (!hashMap.isEmpty() || z)) {
            TagMatcher matcher = this.tagCache.get(this.projectState.getNameKey()).matcher(this.tagCache, this.git, z ? filter(this.git.getAllRefs()).values() : hashMap.values());
            for (Ref ref2 : arrayList) {
                if (matcher.isReachable(ref2)) {
                    hashMap.put(ref2.getName(), ref2);
                }
            }
        }
        return hashMap;
    }

    private Map<String, Ref> fastHideRefsMetaConfig(Map<String, Ref> map) {
        if (!map.containsKey(RefNames.REFS_CONFIG) || canReadRef(RefNames.REFS_CONFIG)) {
            return map;
        }
        HashMap hashMap = new HashMap(map);
        hashMap.remove(RefNames.REFS_CONFIG);
        return hashMap;
    }

    private Map<String, Ref> addUsersSelfSymref(Map<String, Ref> map) {
        Ref ref;
        if (this.user.get().isIdentifiedUser() && (ref = map.get(RefNames.refsUsers(this.user.get().getAccountId()))) != null) {
            SymbolicRef symbolicRef = new SymbolicRef(RefNames.REFS_USERS_SELF, ref);
            map = new HashMap(map);
            map.put(symbolicRef.getName(), symbolicRef);
        }
        return map;
    }

    @Override // org.eclipse.jgit.transport.AbstractAdvertiseRefsHook
    protected Map<String, Ref> getAdvertisedRefs(Repository repository, RevWalk revWalk) throws ServiceMayNotContinueException {
        try {
            return filter(repository.getRefDatabase().getRefs(""));
        } catch (ServiceMayNotContinueException e) {
            throw e;
        } catch (IOException e2) {
            ServiceMayNotContinueException serviceMayNotContinueException = new ServiceMayNotContinueException();
            serviceMayNotContinueException.initCause(e2);
            throw serviceMayNotContinueException;
        }
    }

    private Map<String, Ref> filter(Map<String, Ref> map) {
        return filter(map, false);
    }

    private boolean visible(Change.Id id) {
        if (this.visibleChanges == null) {
            if (this.changeCache == null) {
                this.visibleChanges = visibleChangesByScan();
            } else {
                this.visibleChanges = visibleChangesBySearch();
            }
        }
        return this.visibleChanges.containsKey(id);
    }

    private boolean visibleEdit(String str) {
        Change.Id fromEditRefPart = Change.Id.fromEditRefPart(str);
        if (this.visibleChanges == null) {
            visible(fromEditRefPart);
        }
        if (fromEditRefPart != null) {
            return (this.userEditPrefix != null && str.startsWith(this.userEditPrefix) && visible(fromEditRefPart)) || (this.visibleChanges.containsKey(fromEditRefPart) && this.projectCtl.controlForRef(this.visibleChanges.get(fromEditRefPart)).isEditVisible());
        }
        return false;
    }

    private Map<Change.Id, Branch.NameKey> visibleChangesBySearch() {
        Project.NameKey nameKey = this.projectState.getNameKey();
        try {
            HashMap hashMap = new HashMap();
            for (ChangeData changeData : this.changeCache.getChangeData(this.db.get(), nameKey)) {
                if (this.perm.indexedChange(changeData, this.changeNotesFactory.createFromIndexedChange(changeData.change())).test(ChangePermission.READ)) {
                    hashMap.put(changeData.getId(), changeData.change().getDest());
                }
            }
            return hashMap;
        } catch (PermissionBackendException | OrmException e) {
            log.error("Cannot load changes for project " + nameKey + ", assuming no changes are visible", e);
            return Collections.emptyMap();
        }
    }

    private Map<Change.Id, Branch.NameKey> visibleChangesByScan() {
        Project.NameKey nameKey = this.projectState.getNameKey();
        try {
            return (Map) this.changeNotesFactory.scan(this.git, this.db.get(), nameKey).map(changeNotesResult -> {
                return toNotes(nameKey, changeNotesResult);
            }).filter((v0) -> {
                return Objects.nonNull(v0);
            }).collect(Collectors.toMap(changeNotes -> {
                return changeNotes.getChangeId();
            }, changeNotes2 -> {
                return changeNotes2.getChange().getDest();
            }));
        } catch (IOException e) {
            log.error("Cannot load changes for project " + nameKey + ", assuming no changes are visible", (Throwable) e);
            return Collections.emptyMap();
        }
    }

    @Nullable
    private ChangeNotes toNotes(Project.NameKey nameKey, ChangeNotes.Factory.ChangeNotesResult changeNotesResult) {
        if (changeNotesResult.error().isPresent()) {
            log.warn("Failed to load change " + changeNotesResult.id() + " in " + nameKey, (Throwable) changeNotesResult.error().get());
            return null;
        }
        try {
            if (this.perm.change(changeNotesResult.notes()).test(ChangePermission.READ)) {
                return changeNotesResult.notes();
            }
            return null;
        } catch (PermissionBackendException e) {
            log.warn("Failed to check permission for " + changeNotesResult.id() + " in " + nameKey, (Throwable) e);
            return null;
        }
    }

    private boolean isMetadata(String str) {
        return str.startsWith(RefNames.REFS_CHANGES) || RefNames.isRefsEdit(str);
    }

    private static boolean isTag(Ref ref) {
        return ref.getLeaf().getName().startsWith("refs/tags/");
    }

    private static boolean isRefsUsersSelf(Ref ref) {
        return ref.getName().startsWith(RefNames.REFS_USERS_SELF);
    }

    private boolean canReadRef(String str) {
        try {
            this.perm.ref(str).check(RefPermission.READ);
            return true;
        } catch (AuthException e) {
            return false;
        } catch (PermissionBackendException e2) {
            log.error("unable to check permissions", (Throwable) e2);
            return false;
        }
    }

    private boolean checkProjectPermission(PermissionBackend.ForProject forProject, ProjectPermission projectPermission) {
        try {
            forProject.check(projectPermission);
            return true;
        } catch (AuthException e) {
            return false;
        } catch (PermissionBackendException e2) {
            log.error(String.format("Can't check permission for user %s on project %s", this.user.get(), this.projectState.getName()), (Throwable) e2);
            return false;
        }
    }
}
