package com.google.gerrit.server.account;

import com.google.common.collect.UnmodifiableIterator;
import com.google.gerrit.common.data.PermissionRule;
import com.google.gerrit.extensions.common.AccountVisibility;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.AccountGroup;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.GroupControl;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.AccountsSection;
import com.google.gerrit.server.project.ProjectCache;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.Iterator;
import java.util.Set;
import java.util.stream.Collectors;

/* loaded from: input_file:com/google/gerrit/server/account/AccountControl.class */
public class AccountControl {
    private final AccountsSection accountsSection;
    private final GroupControl.Factory groupControlFactory;
    private final PermissionBackend.WithUser perm;
    private final CurrentUser user;
    private final IdentifiedUser.GenericFactory userFactory;
    private final AccountVisibility accountVisibility;
    private Boolean viewAll;

    /* loaded from: input_file:com/google/gerrit/server/account/AccountControl$Factory.class */
    public static class Factory {
        private final PermissionBackend permissionBackend;
        private final ProjectCache projectCache;
        private final GroupControl.Factory groupControlFactory;
        private final Provider<CurrentUser> user;
        private final IdentifiedUser.GenericFactory userFactory;
        private final AccountVisibility accountVisibility;

        @Inject
        Factory(PermissionBackend permissionBackend, ProjectCache projectCache, GroupControl.Factory factory, Provider<CurrentUser> provider, IdentifiedUser.GenericFactory genericFactory, AccountVisibility accountVisibility) {
            this.permissionBackend = permissionBackend;
            this.projectCache = projectCache;
            this.groupControlFactory = factory;
            this.user = provider;
            this.userFactory = genericFactory;
            this.accountVisibility = accountVisibility;
        }

        public AccountControl get() {
            return new AccountControl(this.permissionBackend, this.projectCache, this.groupControlFactory, this.user.get(), this.userFactory, this.accountVisibility);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/gerrit/server/account/AccountControl$OtherUser.class */
    public static abstract class OtherUser {
        IdentifiedUser user;

        private OtherUser() {
        }

        IdentifiedUser getUser() {
            if (this.user == null) {
                this.user = createUser();
            }
            return this.user;
        }

        abstract IdentifiedUser createUser();

        abstract Account.Id getId();
    }

    private AccountControl(PermissionBackend permissionBackend, ProjectCache projectCache, GroupControl.Factory factory, CurrentUser currentUser, IdentifiedUser.GenericFactory genericFactory, AccountVisibility accountVisibility) {
        this.accountsSection = projectCache.getAllProjects().getConfig().getAccountsSection();
        this.groupControlFactory = factory;
        this.perm = permissionBackend.user(currentUser);
        this.user = currentUser;
        this.userFactory = genericFactory;
        this.accountVisibility = accountVisibility;
    }

    public CurrentUser getUser() {
        return this.user;
    }

    public boolean canSee(final Account.Id id) {
        return canSee(new OtherUser() { // from class: com.google.gerrit.server.account.AccountControl.1
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super();
            }

            @Override // com.google.gerrit.server.account.AccountControl.OtherUser
            Account.Id getId() {
                return id;
            }

            @Override // com.google.gerrit.server.account.AccountControl.OtherUser
            IdentifiedUser createUser() {
                return AccountControl.this.userFactory.create(id);
            }
        });
    }

    public boolean canSee(final AccountState accountState) {
        return canSee(new OtherUser() { // from class: com.google.gerrit.server.account.AccountControl.2
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super();
            }

            @Override // com.google.gerrit.server.account.AccountControl.OtherUser
            Account.Id getId() {
                return accountState.getAccount().getId();
            }

            @Override // com.google.gerrit.server.account.AccountControl.OtherUser
            IdentifiedUser createUser() {
                return AccountControl.this.userFactory.create(accountState);
            }
        });
    }

    private boolean canSee(OtherUser otherUser) {
        if (this.accountVisibility == AccountVisibility.ALL) {
            return true;
        }
        if ((this.user.isIdentifiedUser() && this.user.getAccountId().equals(otherUser.getId())) || viewAll()) {
            return true;
        }
        switch (this.accountVisibility) {
            case SAME_GROUP:
                Set<AccountGroup.UUID> groupsOf = groupsOf(otherUser.getUser());
                UnmodifiableIterator<PermissionRule> it = this.accountsSection.getSameGroupVisibility().iterator();
                while (it.hasNext()) {
                    PermissionRule next = it.next();
                    if (next.isBlock() || next.isDeny()) {
                        groupsOf.remove(next.getGroup().getUUID());
                    }
                }
                return this.user.getEffectiveGroups().containsAnyOf(groupsOf);
            case VISIBLE_GROUP:
                Iterator<AccountGroup.UUID> it2 = groupsOf(otherUser.getUser()).iterator();
                while (it2.hasNext()) {
                    if (this.groupControlFactory.controlFor(it2.next()).isVisible()) {
                        return true;
                    }
                }
                return false;
            case NONE:
                return false;
            case ALL:
            default:
                throw new IllegalStateException("Bad AccountVisibility " + this.accountVisibility);
        }
    }

    private boolean viewAll() {
        if (this.viewAll == null) {
            try {
                this.perm.check(GlobalPermission.VIEW_ALL_ACCOUNTS);
                this.viewAll = true;
            } catch (AuthException | PermissionBackendException e) {
                this.viewAll = false;
            }
        }
        return this.viewAll.booleanValue();
    }

    private Set<AccountGroup.UUID> groupsOf(IdentifiedUser identifiedUser) {
        return (Set) identifiedUser.getEffectiveGroups().getKnownGroups().stream().filter(uuid -> {
            return !SystemGroupBackend.isSystemGroup(uuid);
        }).collect(Collectors.toSet());
    }
}
