package com.google.gerrit.server.project;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Maps;
import com.google.gerrit.common.data.AccessSection;
import com.google.gerrit.common.data.Capable;
import com.google.gerrit.common.data.Permission;
import com.google.gerrit.common.data.PermissionRule;
import com.google.gerrit.common.data.RefConfigSection;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.metrics.Counter0;
import com.google.gerrit.metrics.Description;
import com.google.gerrit.metrics.MetricMaker;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.reviewdb.client.Branch;
import com.google.gerrit.reviewdb.client.Change;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.reviewdb.client.RefNames;
import com.google.gerrit.reviewdb.server.ReviewDb;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.AllUsersName;
import com.google.gerrit.server.config.GitReceivePackGroups;
import com.google.gerrit.server.config.GitUploadPackGroups;
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.git.VisibleRefFilter;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.gerrit.server.notedb.ChangeNotes;
import com.google.gerrit.server.permissions.FailedPermissionBackend;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.ProjectPermission;
import com.google.gerrit.server.permissions.RefVisibilityControl;
import com.google.gerrit.server.project.ChangeControl;
import com.google.gerrit.server.project.PermissionCollection;
import com.google.gerrit.server.query.change.ChangeData;
import com.google.gerrit.server.util.MagicBranch;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import com.google.inject.assistedinject.Assisted;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.RefDatabase;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.revwalk.RevCommit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/google/gerrit/server/project/ProjectControl.class */
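/**
 * Project-level access control for one {@link CurrentUser} on one project.
 *
 * <p>An instance pairs the user with the project's {@link ProjectState} and answers permission
 * questions either directly ({@link #isOwner()}, {@link #canPushToAtLeastOneRef()}) or through the
 * {@link PermissionBackend.ForProject} view returned by {@link #asForProject()}.
 *
 * <p>Notes for reviewers of this authorization code:
 *
 * <ul>
 *   <li>The checks in this class fail closed: {@link #isAdmin()} and {@link
 *       #isReachableFromHeadsOrTags(Repository, RevCommit)} return {@code false} when the
 *       underlying lookup throws.
 *   <li>{@code allSections}, {@code refControls} and {@code declaredOwner} are lazily filled
 *       per-instance caches. Nothing in this class synchronizes access to them; presumably an
 *       instance is confined to a single request (confirm against the callers).
 *   <li>This listing is decompiler output. Parameter names such as {@code str}, {@code set} and
 *       {@code z} are generated, and several methods are marked by the decompiler as having had
 *       narrower visibility in the original class. Those methods are flagged individually below;
 *       do not treat the widened visibility as an intended public API.
 * </ul>
 */
public class ProjectControl {
    private static final Logger log = LoggerFactory.getLogger(ProjectControl.class);

    // Groups allowed to run upload-pack / receive-pack, injected via the
    // @GitUploadPackGroups / @GitReceivePackGroups bindings.
    private final Set<AccountGroup.UUID> uploadGroups;
    private final Set<AccountGroup.UUID> receiveGroups;
    // Permission backend already scoped to this.user; used for the global admin check.
    private final PermissionBackend.WithUser perm;
    private final CurrentUser user;
    private final ProjectState state;
    private final CommitsCollection commits;
    private final ChangeControl.Factory changeControlFactory;
    private final PermissionCollection.Factory permissionFilter;
    private final RefVisibilityControl refVisibilityControl;
    private final VisibleRefFilter.Factory visibleRefFilterFactory;
    private final GitRepositoryManager gitRepositoryManager;
    private final AllUsersName allUsersName;
    // Lazily loaded access sections of the project; see access().
    private List<SectionMatcher> allSections;
    // Lazily created cache of per-ref controls keyed by ref name or pattern; see controlForRef(String).
    private Map<String, RefControl> refControls;
    // Tri-state cache: null until isDeclaredOwner() has been evaluated once.
    private Boolean declaredOwner;

    /** Assisted-injection factory that creates a control for a user and project state. */
    /* loaded from: input_file:com/google/gerrit/server/project/ProjectControl$AssistedFactory.class */
    public interface AssistedFactory {
        ProjectControl create(CurrentUser currentUser, ProjectState projectState);
    }

    /** Looks up controls through the injected {@link PerRequestProjectControlCache}. */
    /* loaded from: input_file:com/google/gerrit/server/project/ProjectControl$Factory.class */
    public static class Factory {
        private final Provider<PerRequestProjectControlCache> userCache;

        @Inject
        Factory(Provider<PerRequestProjectControlCache> provider) {
            this.userCache = provider;
        }

        /**
         * Returns the control the per-request cache holds for the given project.
         *
         * @param nameKey project to look up
         * @throws NoSuchProjectException propagated from the cache lookup
         */
        public ProjectControl controlFor(Project.NameKey nameKey) throws NoSuchProjectException {
            return this.userCache.get().get(nameKey);
        }
    }

    /**
     * {@link PermissionBackend.ForProject} view over the enclosing {@link ProjectControl}.
     *
     * <p>Every decision is delegated to the enclosing instance, so the answers always refer to the
     * enclosing control's user and project.
     */
    /* loaded from: input_file:com/google/gerrit/server/project/ProjectControl$ForProjectImpl.class */
    public class ForProjectImpl extends PermissionBackend.ForProject {
        public ForProjectImpl() {
        }

        /** Returns the same view for another user, keeping this view's database provider. */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForProject
        public PermissionBackend.ForProject user(CurrentUser currentUser) {
            return ProjectControl.this.forUser(currentUser).asForProject().database(this.db);
        }

        /** Returns the ref-level view for {@code str}, keeping this view's database provider. */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForProject
        public PermissionBackend.ForRef ref(String str) {
            return ProjectControl.this.controlForRef(str).asForRef().database(this.db);
        }

        /**
         * Returns the change-level view after verifying the change belongs to this project.
         *
         * <p>If loading the change fails with {@link OrmException}, a {@link
         * FailedPermissionBackend} view is returned instead of propagating the error.
         * NOTE(review): presumably that view rejects every check; confirm in
         * FailedPermissionBackend.
         */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForProject
        public PermissionBackend.ForChange change(ChangeData changeData) {
            try {
                checkProject(changeData.change());
                return super.change(changeData);
            } catch (OrmException e) {
                return FailedPermissionBackend.change("unavailable", e);
            }
        }

        /** Returns the change-level view after verifying the change belongs to this project. */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForProject
        public PermissionBackend.ForChange change(ChangeNotes changeNotes) {
            checkProject(changeNotes.getChange());
            return super.change(changeNotes);
        }

        /**
         * Rejects a change that lives in a different project than the enclosing control.
         *
         * <p>Without this guard a caller could evaluate one project's ACLs against another
         * project's change.
         *
         * @throws IllegalArgumentException if the change's project differs from this project
         */
        private void checkProject(Change change) {
            Project.NameKey expected = ProjectControl.this.getProject().getNameKey();
            Preconditions.checkArgument(expected.equals(change.getProject()), "expected change in project %s, not %s", expected, change.getProject());
        }

        /**
         * Throws unless the enclosing control's user holds {@code projectPermission}.
         *
         * @throws AuthException if the permission is not granted
         * @throws PermissionBackendException if the permission is not supported by {@link #can}
         */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForProject
        public void check(ProjectPermission projectPermission) throws AuthException, PermissionBackendException {
            if (!can(projectPermission)) {
                throw new AuthException(projectPermission.describeForException() + " not permitted");
            }
        }

        /**
         * Returns the subset of {@code collection} that the user holds.
         *
         * @throws PermissionBackendException if any requested permission is unsupported
         */
        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForProject
        public Set<ProjectPermission> test(Collection<ProjectPermission> collection) throws PermissionBackendException {
            Set<ProjectPermission> granted = EnumSet.noneOf(ProjectPermission.class);
            for (ProjectPermission candidate : collection) {
                if (can(candidate)) {
                    granted.add(candidate);
                }
            }
            return granted;
        }

        /**
         * Maps each {@link ProjectPermission} onto the matching check of the enclosing control.
         *
         * @throws PermissionBackendException for a permission with no case here, so an unknown
         *     permission is never granted silently
         */
        private boolean can(ProjectPermission projectPermission) throws PermissionBackendException {
            switch (projectPermission) {
                case ACCESS:
                    // A hidden project is reachable only by owners (isOwner() includes server
                    // admins); otherwise internal users or anyone with READ on some ref qualify.
                    return (!ProjectControl.this.isHidden() && (ProjectControl.this.user.isInternalUser() || ProjectControl.this.canPerformOnAnyRef(Permission.READ))) || ProjectControl.this.isOwner();
                case READ:
                    // No owner bypass here: a hidden project never reports "all refs readable".
                    return !ProjectControl.this.isHidden() && ProjectControl.this.allRefsAreVisible(Collections.emptySet());
                case READ_NO_CONFIG:
                    // Same as READ, but a missing READ on refs/meta/config is tolerated.
                    return !ProjectControl.this.isHidden() && ProjectControl.this.allRefsAreVisible(ImmutableSet.of(RefNames.REFS_CONFIG));
                case CREATE_REF:
                    return ProjectControl.this.canAddRefs();
                case CREATE_TAG_REF:
                    return ProjectControl.this.canAddTagRefs();
                case CREATE_CHANGE:
                    return ProjectControl.this.canCreateChanges();
                case RUN_RECEIVE_PACK:
                    return ProjectControl.this.canRunReceivePack();
                case RUN_UPLOAD_PACK:
                    return ProjectControl.this.canRunUploadPack();
                default:
                    throw new PermissionBackendException(projectPermission + " unsupported");
            }
        }
    }

    /** Creates controls for an explicitly supplied user, resolving the project via {@link ProjectCache}. */
    /* loaded from: input_file:com/google/gerrit/server/project/ProjectControl$GenericFactory.class */
    public static class GenericFactory {
        private final ProjectCache projectCache;

        @Inject
        GenericFactory(ProjectCache projectCache) {
            this.projectCache = projectCache;
        }

        /**
         * Returns the control for {@code currentUser} on the named project.
         *
         * @throws NoSuchProjectException if the cache has no state for {@code nameKey}
         * @throws IOException propagated from the cache lookup
         */
        public ProjectControl controlFor(Project.NameKey nameKey, CurrentUser currentUser) throws NoSuchProjectException, IOException {
            ProjectState projectState = this.projectCache.checkedGet(nameKey);
            if (projectState == null) {
                throw new NoSuchProjectException(nameKey);
            }
            return projectState.controlFor(currentUser);
        }
    }

    /** Holder for the {@code license/cla_check_count} counter. */
    @Singleton
    /* loaded from: input_file:com/google/gerrit/server/project/ProjectControl$Metrics.class */
    protected static class Metrics {
        final Counter0 claCheckCount;

        @Inject
        Metrics(MetricMaker metricMaker) {
            this.claCheckCount = metricMaker.newCounter("license/cla_check_count", new Description("Total number of CLA check requests").setRate().setUnit("requests"));
        }
    }

    /**
     * Injection constructor.
     *
     * @param set groups allowed to run upload-pack ({@code @GitUploadPackGroups})
     * @param set2 groups allowed to run receive-pack ({@code @GitReceivePackGroups})
     * @param factory builds the per-ref {@link PermissionCollection} used by {@link RefControl}
     * @param commitsCollection used for commit reachability checks
     * @param factory2 creates {@link ChangeControl} instances
     * @param permissionBackend scoped to {@code currentUser} for the global admin check
     * @param refVisibilityControl passed through to each {@link RefControl}
     * @param gitRepositoryManager passed through to each {@link RefControl}
     * @param factory3 passed through to each {@link RefControl}
     * @param allUsersName name of the All-Users project, treated specially by the READ check
     * @param currentUser the user whose access is evaluated
     * @param projectState the project whose access sections are evaluated
     */
    @Inject
    ProjectControl(@GitUploadPackGroups Set<AccountGroup.UUID> set, @GitReceivePackGroups Set<AccountGroup.UUID> set2, PermissionCollection.Factory factory, CommitsCollection commitsCollection, ChangeControl.Factory factory2, PermissionBackend permissionBackend, RefVisibilityControl refVisibilityControl, GitRepositoryManager gitRepositoryManager, VisibleRefFilter.Factory factory3, AllUsersName allUsersName, @Assisted CurrentUser currentUser, @Assisted ProjectState projectState) {
        this.changeControlFactory = factory2;
        this.uploadGroups = set;
        this.receiveGroups = set2;
        this.permissionFilter = factory;
        this.commits = commitsCollection;
        this.perm = permissionBackend.user(currentUser);
        this.refVisibilityControl = refVisibilityControl;
        this.gitRepositoryManager = gitRepositoryManager;
        this.visibleRefFilterFactory = factory3;
        this.allUsersName = allUsersName;
        this.user = currentUser;
        this.state = projectState;
    }

    /**
     * Returns a control for the same project but another user.
     *
     * <p>Only the already loaded access sections are handed over. The per-ref controls and the
     * declared-owner flag depend on the user and are not copied.
     */
    public ProjectControl forUser(CurrentUser currentUser) {
        ProjectControl other = this.state.controlFor(currentUser);
        other.allSections = this.allSections;
        return other;
    }

    /** Returns the change control for {@code change}, evaluated against its destination branch. */
    public ChangeControl controlFor(ReviewDb reviewDb, Change change) throws OrmException {
        return this.changeControlFactory.create(controlForRef(change.getDest()), reviewDb, change.getProject(), change.getId());
    }

    /** Returns the change control for the change in {@code changeNotes}, evaluated against its destination branch. */
    public ChangeControl controlFor(ChangeNotes changeNotes) {
        return this.changeControlFactory.create(controlForRef(changeNotes.getChange().getDest()), changeNotes);
    }

    /** Returns the ref control for the branch named by {@code nameKey}. */
    public RefControl controlForRef(Branch.NameKey nameKey) {
        return controlForRef(nameKey.get());
    }

    /**
     * Returns the ref control for {@code str}, creating and caching it on first use.
     *
     * <p>The cache is a plain {@link HashMap} with no synchronization.
     *
     * @param str ref name, or a section name/pattern when called from the permission scans below
     */
    public RefControl controlForRef(String str) {
        if (this.refControls == null) {
            this.refControls = new HashMap<>();
        }
        RefControl cached = this.refControls.get(str);
        if (cached == null) {
            cached = new RefControl(this.visibleRefFilterFactory, this.refVisibilityControl, this, this.gitRepositoryManager, str, this.permissionFilter.filter(access(), str, this.user));
            this.refControls.put(str, cached);
        }
        return cached;
    }

    /** Returns the user this control evaluates. */
    public CurrentUser getUser() {
        return this.user;
    }

    /** Returns the project state this control evaluates. */
    public ProjectState getProjectState() {
        return this.state;
    }

    /** Returns the project described by the project state. */
    public Project getProject() {
        return this.state.getProject();
    }

    /**
     * Returns whether the user owns the project.
     *
     * <p>True for a declared owner whose "owner" permission is not blocked on {@link
     * RefConfigSection#ALL}, and always true for a server administrator. The block is therefore
     * not applied to administrators.
     */
    public boolean isOwner() {
        boolean unblockedDeclaredOwner = isDeclaredOwner() && !controlForRef(RefConfigSection.ALL).isBlocked("owner");
        return unblockedDeclaredOwner || isAdmin();
    }

    /**
     * Returns {@link Capable#OK} if the user may push or create a tag on some ref, or owns the
     * project; otherwise a {@link Capable} carrying the denial message.
     */
    public Capable canPushToAtLeastOneRef() {
        if (canPerformOnAnyRef(Permission.PUSH) || canPerformOnAnyRef(Permission.CREATE_TAG) || isOwner()) {
            return Capable.OK;
        }
        return new Capable("Upload denied for project '" + this.state.getName() + "'");
    }

    /**
     * Returns whether the user is in at least one configured upload-pack group.
     *
     * <p>An empty group set grants nobody.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean canRunUploadPack() {
        for (AccountGroup.UUID group : this.uploadGroups) {
            if (match(group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether the user is in at least one configured receive-pack group.
     *
     * <p>An empty group set grants nobody.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean canRunReceivePack() {
        for (AccountGroup.UUID group : this.receiveGroups) {
            if (match(group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether every ref may be treated as readable without per-ref filtering.
     *
     * <p>Internal users always qualify. For everyone else the All-Users project never qualifies,
     * so a caller that falls back to per-ref checks on {@code false} keeps filtering that
     * project's refs individually.
     *
     * @param set ref patterns for which a missing READ grant is tolerated
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean allRefsAreVisible(Set<String> set) {
        if (this.user.isInternalUser()) {
            return true;
        }
        boolean isAllUsers = getProject().getNameKey().equals(this.allUsersName);
        return !isAllUsers && canPerformOnAllRefs(Permission.READ, set);
    }

    /** Returns whether the project is in the HIDDEN state. */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean isHidden() {
        return getProject().getState().equals(com.google.gerrit.extensions.client.ProjectState.HIDDEN);
    }

    /** Returns whether the user may create a ref somewhere in the project, or is a server admin. */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean canAddRefs() {
        return canPerformOnAnyRef(Permission.CREATE) || isAdmin();
    }

    /** Returns whether the user may create a ref under a tag section, or is a server admin. */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean canAddTagRefs() {
        return canPerformOnTagRef(Permission.CREATE) || isAdmin();
    }

    /**
     * Returns whether the user may push to at least one review section.
     *
     * <p>Only sections whose name starts with {@link MagicBranch#NEW_CHANGE} or {@code ^refs/for/}
     * and that define PUSH are considered.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean canCreateChanges() {
        for (SectionMatcher matcher : access()) {
            AccessSection section = matcher.section;
            String sectionName = section.getName();
            boolean isReviewSection = sectionName.startsWith(MagicBranch.NEW_CHANGE) || sectionName.startsWith("^refs/for/");
            if (isReviewSection
                    && section.getPermission(Permission.PUSH) != null
                    && controlForRef(sectionName).canPerform(Permission.PUSH)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns whether the user holds the global ADMINISTRATE_SERVER permission.
     *
     * <p>Fails closed: a denial and a backend failure both yield {@code false}. The backend
     * failure is logged so that an outage of the permission backend can be told apart from an
     * ordinary denial during triage. The user is not included in the log line.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isAdmin() {
        try {
            this.perm.check(GlobalPermission.ADMINISTRATE_SERVER);
            return true;
        } catch (AuthException denied) {
            // Expected outcome for every non-administrator; nothing to report.
            return false;
        } catch (PermissionBackendException e) {
            log.warn("Cannot check server administrator permission while evaluating project {}; treating user as non-admin", getProject().getNameKey(), e);
            return false;
        }
    }

    /** Returns, and caches, whether the user's effective groups include any project owner group. */
    private boolean isDeclaredOwner() {
        if (this.declaredOwner == null) {
            this.declaredOwner = this.user.getEffectiveGroups().containsAnyOf(this.state.getAllOwners());
        }
        return this.declaredOwner;
    }

    /**
     * Like {@link #canPerformOnAnyRef(String)}, restricted to sections whose name starts with
     * {@code refs/tags/} or {@code ^refs/tags/}.
     */
    private boolean canPerformOnTagRef(String str) {
        for (SectionMatcher matcher : access()) {
            AccessSection section = matcher.section;
            String sectionName = section.getName();
            if (!sectionName.startsWith("refs/tags/") && !sectionName.startsWith("^refs/tags/")) {
                continue;
            }
            Permission permission = section.getPermission(str);
            if (permission == null) {
                continue;
            }
            Boolean outcome = canPerform(str, section, permission);
            if (outcome != null) {
                return outcome;
            }
        }
        return false;
    }

    /**
     * Returns whether the named permission is granted to the user in at least one access section.
     *
     * @param str permission name, e.g. {@link Permission#READ}
     */
    /* JADX INFO: Access modifiers changed from: private */
    public boolean canPerformOnAnyRef(String str) {
        for (SectionMatcher matcher : access()) {
            AccessSection section = matcher.section;
            Permission permission = section.getPermission(str);
            if (permission == null) {
                continue;
            }
            Boolean outcome = canPerform(str, section, permission);
            if (outcome != null) {
                return outcome;
            }
        }
        return false;
    }

    /**
     * Evaluates one section for the user.
     *
     * <p>Only the first rule that is neither block nor deny and that matches the user is
     * considered. Group membership alone is not trusted: the decision is confirmed through the
     * section's {@link RefControl}.
     *
     * @return {@code TRUE} if granted, {@code null} if this section gives no answer (never
     *     {@code FALSE})
     */
    private Boolean canPerform(String str, AccessSection accessSection, Permission permission) {
        for (PermissionRule rule : permission.getRules()) {
            if (rule.isBlock() || rule.isDeny() || !match(rule)) {
                continue;
            }
            if (controlForRef(accessSection.getName()).canPerform(str)) {
                return Boolean.TRUE;
            }
            return null;
        }
        return null;
    }

    /**
     * Returns whether the named permission holds on every section that mentions it.
     *
     * <p>Requires a section for {@link RefConfigSection#ALL} to mention the permission; without
     * one the answer is {@code false}. A section on which the permission is not granted makes the
     * result {@code false} unless its name is listed in {@code set}.
     *
     * @param str permission name
     * @param set section names for which a missing grant is tolerated
     */
    private boolean canPerformOnAllRefs(String str, Set<String> set) {
        boolean grantedSomewhere = false;
        Set<String> patterns = allRefPatterns(str);
        if (patterns.contains(RefConfigSection.ALL)) {
            for (String pattern : patterns) {
                if (controlForRef(pattern).canPerform(str)) {
                    grantedSomewhere = true;
                } else if (!set.contains(pattern)) {
                    return false;
                }
            }
        }
        return grantedSomewhere;
    }

    /** Collects the names of all access sections that define the named permission. */
    private Set<String> allRefPatterns(String str) {
        Set<String> patterns = new HashSet<>();
        for (SectionMatcher matcher : access()) {
            AccessSection section = matcher.section;
            if (section.getPermission(str) != null) {
                patterns.add(section.getName());
            }
        }
        return patterns;
    }

    /** Returns the project's access sections, loading them from the project state on first use. */
    private List<SectionMatcher> access() {
        if (this.allSections == null) {
            this.allSections = this.state.getAllSections();
        }
        return this.allSections;
    }

    /** Returns whether the user matches the rule's group, not acting as change owner. */
    boolean match(PermissionRule permissionRule) {
        return match(permissionRule.getGroup().getUUID());
    }

    /**
     * Returns whether the user matches the rule's group.
     *
     * @param z whether the user counts as the change owner for this evaluation
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean match(PermissionRule permissionRule, boolean z) {
        return match(permissionRule.getGroup().getUUID(), z);
    }

    /** Returns whether the user matches the group, not acting as change owner. */
    boolean match(AccountGroup.UUID uuid) {
        return match(uuid, false);
    }

    /**
     * Returns whether the user matches the group.
     *
     * <p>The two system groups are resolved here rather than through group membership:
     * PROJECT_OWNERS maps to declared ownership of this project, and CHANGE_OWNER maps to the
     * caller-supplied flag. Every other group is checked against the user's effective groups.
     *
     * @param z whether the user counts as the change owner for this evaluation; it is the only
     *     input for CHANGE_OWNER, so callers must derive it from the change being checked
     */
    boolean match(AccountGroup.UUID uuid, boolean z) {
        if (SystemGroupBackend.PROJECT_OWNERS.equals(uuid)) {
            return isDeclaredOwner();
        }
        if (SystemGroupBackend.CHANGE_OWNER.equals(uuid)) {
            return z;
        }
        return this.user.getEffectiveGroups().contains(uuid);
    }

    /**
     * Returns whether {@code revCommit} is reachable from a branch or tag, as decided by {@link
     * CommitsCollection#isReachableFrom}.
     *
     * <p>Only refs under {@code refs/heads/} and {@code refs/tags/} are offered as starting
     * points. Fails closed: if the ref database cannot be read the error is logged and the commit
     * is reported as not reachable.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isReachableFromHeadsOrTags(Repository repository, RevCommit revCommit) {
        try {
            RefDatabase refDatabase = repository.getRefDatabase();
            Collection<Ref> heads = refDatabase.getRefs("refs/heads/").values();
            Collection<Ref> tags = refDatabase.getRefs("refs/tags/").values();
            Map<String, Ref> refsByName = Maps.newHashMapWithExpectedSize(heads.size() + tags.size());
            for (Ref ref : Iterables.concat(heads, tags)) {
                refsByName.put(ref.getName(), ref);
            }
            return this.commits.isReachableFrom(this.state, repository, revCommit, refsByName);
        } catch (IOException e) {
            log.error("Cannot verify permissions to commit object {} in repository {}", revCommit.name(), getProject().getNameKey(), e);
            return false;
        }
    }

    /** Returns a new {@link PermissionBackend.ForProject} view backed by this control. */
    public PermissionBackend.ForProject asForProject() {
        return new ForProjectImpl();
    }
}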
