package com.google.gerrit.server.project;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Sets;
import com.google.gerrit.common.data.PermissionRule;
import com.google.gerrit.extensions.api.access.GlobalOrPluginPermission;
import com.google.gerrit.extensions.api.access.PluginPermission;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.PeerDaemonUser;
import com.google.gerrit.server.account.CapabilityCollection;
import com.google.gerrit.server.permissions.FailedPermissionBackend;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Permission backend that decides global and plugin capabilities from the capability collection
 * of the project returned by {@code ProjectCache.getAllProjects()}, and delegates project-scoped
 * checks to the {@code ProjectState} found in the project cache.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>{@code ACCESS_DATABASE} and {@code RUN_AS} are granted only by an explicit ALLOW rule;
 *       they have no administrator fallback.
 *   <li>An impersonating user is never treated as an administrator; a {@code PeerDaemonUser}
 *       always is.
 *   <li>{@code EMAIL_REVIEWERS} is allowed unless a non-ALLOW rule matches one of the user's
 *       groups and no ALLOW rule does.
 *   <li>Permission types or values this class does not list are rejected with a
 *       {@code PermissionBackendException} instead of being silently granted or denied.
 * </ul>
 */
@Singleton
/* loaded from: input_file:com/google/gerrit/server/project/DefaultPermissionBackend.class */
public class DefaultPermissionBackend extends PermissionBackend {
    /** Key under which the computed administrator flag is stored on a {@code CurrentUser}. */
    private static final CurrentUser.PropertyKey<Boolean> IS_ADMIN = CurrentUser.PropertyKey.create();

    private final ProjectCache projectCache;

    @Inject
    DefaultPermissionBackend(ProjectCache projectCache) {
        this.projectCache = projectCache;
    }

    /**
     * Returns the capability collection of the project reported by
     * {@code projectCache.getAllProjects()}.
     *
     * <p>NOTE(review): the decompiler reports that this member was originally {@code private} and
     * that it widened the modifier itself; the {@code public} visibility is therefore an artifact
     * and should not be treated as API.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public CapabilityCollection capabilities() {
        ProjectState allProjects = this.projectCache.getAllProjects();
        return allProjects.getCapabilityCollection();
    }

    /**
     * Creates a per-user view of this backend.
     *
     * @param currentUser the user whose permissions will be evaluated; must not be null
     * @return a {@link WithUserImpl} bound to {@code currentUser}
     * @throws NullPointerException if {@code currentUser} is null (via {@code checkNotNull})
     */
    @Override // com.google.gerrit.server.permissions.PermissionBackend
    public PermissionBackend.WithUser user(CurrentUser currentUser) {
        CurrentUser checked = Preconditions.checkNotNull(currentUser, "user");
        return new WithUserImpl(checked);
    }

    /**
     * Creates an empty, mutable set suited to hold a subset of {@code collection}.
     *
     * <p>For an {@link EnumSet} input the result is a cleared clone, otherwise a hash set
     * pre-sized to the input's size.
     *
     * <p>NOTE(review): the decompiler reports that this member was originally {@code private};
     * the {@code public} modifier is a decompilation artifact.
     *
     * @param collection the permissions about to be tested; only its type and size are used
     * @return a new empty set
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static <T extends GlobalOrPluginPermission> Set<T> newSet(Collection<T> collection) {
        if (collection instanceof EnumSet) {
            // Raw EnumSet as produced by the decompiler: clone, then empty the copy.
            EnumSet emptied = ((EnumSet) collection).clone();
            emptied.clear();
            return emptied;
        }
        return Sets.newHashSetWithExpectedSize(collection.size());
    }

    /** Permission view bound to a single {@code CurrentUser}. */
    /* loaded from: input_file:com/google/gerrit/server/project/DefaultPermissionBackend$WithUserImpl.class */
    class WithUserImpl extends PermissionBackend.WithUser {
        private final CurrentUser user;

        // Lazily filled by isAdmin(); null means "not computed yet". Plain field, no
        // synchronization is applied to it in this class.
        private Boolean admin;

        WithUserImpl(CurrentUser currentUser) {
            this.user = Preconditions.checkNotNull(currentUser, "user");
        }

        /**
         * Returns the project-scoped permission view for {@code nameKey}.
         *
         * <p>A missing project or an {@link IOException} from the cache does not throw here; a
         * {@code FailedPermissionBackend} project view is returned instead ("not found" and
         * "unavailable" respectively).
         * NOTE(review): presumably that view rejects every later check; confirm in
         * FailedPermissionBackend.
         */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.WithUser
        public PermissionBackend.ForProject project(Project.NameKey nameKey) {
            ProjectState state;
            try {
                state = DefaultPermissionBackend.this.projectCache.checkedGet(nameKey);
                if (state == null) {
                    return FailedPermissionBackend.project("not found");
                }
                return state.controlFor(this.user).asForProject().database(this.db);
            } catch (IOException e) {
                return FailedPermissionBackend.project("unavailable", e);
            }
        }

        /**
         * Verifies that the user holds {@code globalOrPluginPermission}.
         *
         * @throws AuthException if the permission is not held
         * @throws PermissionBackendException if the permission is of an unsupported kind
         */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.WithUser
        public void check(GlobalOrPluginPermission globalOrPluginPermission) throws AuthException, PermissionBackendException {
            if (can(globalOrPluginPermission)) {
                return;
            }
            throw new AuthException(globalOrPluginPermission.describeForException() + " not permitted");
        }

        /**
         * Filters {@code collection} down to the permissions the user holds.
         *
         * @return a new set containing exactly the held permissions
         * @throws PermissionBackendException if any element is of an unsupported kind
         */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.WithUser
        public <T extends GlobalOrPluginPermission> Set<T> test(Collection<T> collection) throws PermissionBackendException {
            Set<T> granted = DefaultPermissionBackend.newSet(collection);
            for (T candidate : collection) {
                if (!can(candidate)) {
                    continue;
                }
                granted.add(candidate);
            }
            return granted;
        }

        /**
         * Dispatches on the concrete permission kind.
         *
         * <p>A plugin permission is held through an explicit ALLOW rule, or through administrator
         * status when the permission itself opts in via {@code fallBackToAdmin()}.
         */
        private boolean can(GlobalOrPluginPermission permission) throws PermissionBackendException {
            if (permission instanceof GlobalPermission) {
                return can((GlobalPermission) permission);
            }
            if (permission instanceof PluginPermission) {
                PluginPermission plugin = (PluginPermission) permission;
                if (has(plugin.permissionName())) {
                    return true;
                }
                return plugin.fallBackToAdmin() && isAdmin();
            }
            // Neither known kind: reject loudly rather than guess an answer.
            throw new PermissionBackendException(permission + " unsupported");
        }

        /**
         * Evaluates a global capability.
         *
         * <p>Three fallback tiers are used: capabilities implied by {@code MAINTAIN_SERVER},
         * capabilities implied by administrator status, and capabilities that require an
         * explicit grant.
         */
        private boolean can(GlobalPermission permission) throws PermissionBackendException {
            switch (permission) {
                case ADMINISTRATE_SERVER:
                    return isAdmin();

                case EMAIL_REVIEWERS:
                    return canEmailReviewers();

                case FLUSH_CACHES:
                case KILL_TASK:
                case RUN_GC:
                case VIEW_CACHES:
                case VIEW_QUEUE:
                    // Maintenance operations: own capability, else whatever grants MAINTAIN_SERVER
                    // (which in turn falls back to administrator status below).
                    if (has(permission.permissionName())) {
                        return true;
                    }
                    return can(GlobalPermission.MAINTAIN_SERVER);

                case CREATE_ACCOUNT:
                case CREATE_GROUP:
                case CREATE_PROJECT:
                case MAINTAIN_SERVER:
                case MODIFY_ACCOUNT:
                case STREAM_EVENTS:
                case VIEW_ALL_ACCOUNTS:
                case VIEW_CONNECTIONS:
                case VIEW_PLUGINS:
                    if (has(permission.permissionName())) {
                        return true;
                    }
                    return isAdmin();

                case ACCESS_DATABASE:
                case RUN_AS:
                    // No administrator fallback: these two need an explicit ALLOW rule.
                    return has(permission.permissionName());

                default:
                    // A value not listed above is rejected, not implicitly granted or denied.
                    throw new PermissionBackendException(permission + " unsupported");
            }
        }

        /** Returns the administrator flag, computing it on first use for this instance. */
        private boolean isAdmin() {
            Boolean known = this.admin;
            if (known == null) {
                known = computeAdmin();
                this.admin = known;
            }
            return known;
        }

        /**
         * Determines administrator status and stores it on the user under {@code IS_ADMIN}.
         *
         * <p>If a value is already stored on the user it is returned as is, without consulting
         * the capability rules again.
         */
        private Boolean computeAdmin() {
            Boolean stored = (Boolean) this.user.get(DefaultPermissionBackend.IS_ADMIN);
            if (stored != null) {
                return stored;
            }
            Boolean computed;
            if (this.user.isImpersonating()) {
                // Impersonation never carries administrator rights.
                computed = false;
            } else if (this.user instanceof PeerDaemonUser) {
                computed = true;
            } else {
                computed = Boolean.valueOf(allow(DefaultPermissionBackend.this.capabilities().administrateServer));
            }
            this.user.put(DefaultPermissionBackend.IS_ADMIN, computed);
            return computed;
        }

        /**
         * EMAIL_REVIEWERS is default-allow: a matching ALLOW rule wins, otherwise the user passes
         * as long as no non-ALLOW rule names one of their groups.
         */
        private boolean canEmailReviewers() {
            ImmutableList<PermissionRule> rules = DefaultPermissionBackend.this.capabilities().emailReviewers;
            if (allow(rules)) {
                return true;
            }
            return notDenied(rules);
        }

        /** Returns whether an ALLOW rule of the named capability matches the user's groups. */
        private boolean has(String permissionName) {
            CapabilityCollection caps = DefaultPermissionBackend.this.capabilities();
            return allow(caps.getPermission(permissionName));
        }

        /** Returns whether the user is in at least one group named by an ALLOW rule. */
        private boolean allow(Collection<PermissionRule> rules) {
            return this.user
                    .getEffectiveGroups()
                    .containsAnyOf(
                            rules.stream()
                                    .filter(rule -> rule.getAction() == PermissionRule.Action.ALLOW)
                                    .map(rule -> rule.getGroup().getUUID())
                                    .collect(Collectors.toSet()));
        }

        /**
         * Returns whether no non-ALLOW rule names one of the user's groups.
         *
         * <p>Every action other than ALLOW is counted as a denial here.
         */
        private boolean notDenied(Collection<PermissionRule> rules) {
            // Raw Set kept from the decompiled form; the group-UUID element type is not imported
            // in this file.
            Set deniedGroups =
                    rules.stream()
                            .filter(rule -> rule.getAction() != PermissionRule.Action.ALLOW)
                            .map(rule -> rule.getGroup().getUUID())
                            .collect(Collectors.toSet());
            if (deniedGroups.isEmpty()) {
                return true;
            }
            return !this.user.getEffectiveGroups().containsAnyOf(deniedGroups);
        }
    }
}
