package com.google.gerrit.server.restapi.project;

import com.google.common.base.Strings;
import com.google.gerrit.extensions.api.config.AccessCheckInfo;
import com.google.gerrit.extensions.api.config.AccessCheckInput;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.Branch;
import com.google.gerrit.server.account.AccountResolver;
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.permissions.DefaultPermissionMappings;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.ProjectPermission;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gerrit.server.project.ProjectResource;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import java.util.Optional;
import org.eclipse.jgit.errors.ConfigInvalidException;
import org.eclipse.jgit.lib.Repository;

@Singleton
/* loaded from: input_file:com/google/gerrit/server/restapi/project/CheckAccess.class */
public class CheckAccess implements RestModifyView<ProjectResource, AccessCheckInput> {
    private final AccountResolver accountResolver;
    private final PermissionBackend permissionBackend;
    private final GitRepositoryManager gitRepositoryManager;

    @Inject
    CheckAccess(AccountResolver accountResolver, PermissionBackend permissionBackend, GitRepositoryManager gitRepositoryManager) {
        this.accountResolver = accountResolver;
        this.permissionBackend = permissionBackend;
        this.gitRepositoryManager = gitRepositoryManager;
    }

    @Override // com.google.gerrit.extensions.restapi.RestModifyView
    public AccessCheckInfo apply(ProjectResource projectResource, AccessCheckInput accessCheckInput) throws PermissionBackendException, RestApiException, IOException, ConfigInvalidException {
        RefPermission refPermission;
        this.permissionBackend.user(projectResource.getUser()).check(GlobalPermission.VIEW_ACCESS);
        projectResource.getProjectState().checkStatePermitsRead();
        if (accessCheckInput == null) {
            throw new BadRequestException("input is required");
        }
        if (Strings.isNullOrEmpty(accessCheckInput.account)) {
            throw new BadRequestException("input requires 'account'");
        }
        Account.Id id = this.accountResolver.resolve(accessCheckInput.account).asUnique().getAccount().getId();
        AccessCheckInfo accessCheckInfo = new AccessCheckInfo();
        try {
            this.permissionBackend.absentUser(id).project(projectResource.getNameKey()).check(ProjectPermission.ACCESS);
            if (Strings.isNullOrEmpty(accessCheckInput.permission)) {
                refPermission = RefPermission.READ;
            } else {
                if (Strings.isNullOrEmpty(accessCheckInput.ref)) {
                    throw new BadRequestException("must set 'ref' when specifying 'permission'");
                }
                Optional<RefPermission> refPermission2 = DefaultPermissionMappings.refPermission(accessCheckInput.permission);
                if (!refPermission2.isPresent()) {
                    throw new BadRequestException(String.format("'%s' is not recognized as ref permission", accessCheckInput.permission));
                }
                refPermission = refPermission2.get();
            }
            if (Strings.isNullOrEmpty(accessCheckInput.ref)) {
                Repository openRepository = this.gitRepositoryManager.openRepository(projectResource.getNameKey());
                try {
                    if (openRepository.getRefDatabase().getRefsByPrefix("refs/heads/").isEmpty()) {
                        accessCheckInfo.message = "access is OK, but repository has no branches under refs/heads/";
                    }
                    if (openRepository != null) {
                        openRepository.close();
                    }
                } catch (Throwable th) {
                    if (openRepository != null) {
                        try {
                            openRepository.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } else {
                try {
                    this.permissionBackend.absentUser(id).ref(new Branch.NameKey(projectResource.getNameKey(), accessCheckInput.ref)).check(refPermission);
                } catch (AuthException e) {
                    accessCheckInfo.status = 403;
                    accessCheckInfo.message = String.format("user %s lacks permission %s for %s in project %s", id, accessCheckInput.permission, accessCheckInput.ref, projectResource.getName());
                    return accessCheckInfo;
                }
            }
            accessCheckInfo.status = 200;
            return accessCheckInfo;
        } catch (AuthException e2) {
            accessCheckInfo.message = String.format("user %s cannot see project %s", id, projectResource.getName());
            accessCheckInfo.status = 403;
            return accessCheckInfo;
        }
    }
}
