package com.google.gerrit.server.permissions;

import com.google.auto.value.AutoValue;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Maps;
import com.google.common.collect.UnmodifiableIterator;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.exceptions.StorageException;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.metrics.Counter0;
import com.google.gerrit.metrics.Description;
import com.google.gerrit.metrics.MetricMaker;
import com.google.gerrit.reviewdb.client.Branch;
import com.google.gerrit.reviewdb.client.Change;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.reviewdb.client.RefNames;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.git.SearchingChangeCacheImpl;
import com.google.gerrit.server.git.TagCache;
import com.google.gerrit.server.git.TagMatcher;
import com.google.gerrit.server.notedb.ChangeNotes;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.project.ProjectState;
import com.google.gerrit.server.query.change.ChangeData;
import com.google.inject.Inject;
import com.google.inject.assistedinject.Assisted;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.eclipse.jgit.lib.Config;
import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.lib.SymbolicRef;

/* loaded from: input_file:com/google/gerrit/server/permissions/DefaultRefFilter.class */
class DefaultRefFilter {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final TagCache tagCache;
    private final ChangeNotes.Factory changeNotesFactory;

    @Nullable
    private final SearchingChangeCacheImpl changeCache;
    private final PermissionBackend permissionBackend;
    private final RefVisibilityControl refVisibilityControl;
    private final ProjectControl projectControl;
    private final CurrentUser user;
    private final ProjectState projectState;
    private final PermissionBackend.ForProject permissionBackendForProject;
    private final Counter0 fullFilterCount;
    private final Counter0 skipFilterCount;
    private final boolean skipFullRefEvaluationIfAllRefsAreVisible;
    private Map<Change.Id, Branch.NameKey> visibleChanges;

    /* loaded from: input_file:com/google/gerrit/server/permissions/DefaultRefFilter$Factory.class */
    interface Factory {
        DefaultRefFilter create(ProjectControl projectControl);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @AutoValue
    /* loaded from: input_file:com/google/gerrit/server/permissions/DefaultRefFilter$Result.class */
    public static abstract class Result {
        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract Map<String, Ref> visibleRefs();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract List<Ref> deferredTags();
    }

    @Inject
    DefaultRefFilter(TagCache tagCache, ChangeNotes.Factory factory, @Nullable SearchingChangeCacheImpl searchingChangeCacheImpl, PermissionBackend permissionBackend, RefVisibilityControl refVisibilityControl, @GerritServerConfig Config config, MetricMaker metricMaker, @Assisted ProjectControl projectControl) {
        this.tagCache = tagCache;
        this.changeNotesFactory = factory;
        this.changeCache = searchingChangeCacheImpl;
        this.permissionBackend = permissionBackend;
        this.refVisibilityControl = refVisibilityControl;
        this.skipFullRefEvaluationIfAllRefsAreVisible = config.getBoolean("auth", "skipFullRefEvaluationIfAllRefsAreVisible", true);
        this.projectControl = projectControl;
        this.user = projectControl.getUser();
        this.projectState = projectControl.getProjectState();
        this.permissionBackendForProject = permissionBackend.user(this.user).project(this.projectState.getNameKey());
        this.fullFilterCount = metricMaker.newCounter("permissions/ref_filter/full_filter_count", new Description("Rate of full ref filter operations").setRate());
        this.skipFilterCount = metricMaker.newCounter("permissions/ref_filter/skip_filter_count", new Description("Rate of ref filter operations where we skip full evaluation because the user can read all refs").setRate());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Map<String, Ref> filter(Map<String, Ref> map, Repository repository, PermissionBackend.RefFilterOptions refFilterOptions) throws PermissionBackendException {
        if (map.size() == 1) {
            String name = ((Ref) Iterables.getOnlyElement(map.values())).getName();
            if (refFilterOptions.filterMeta() && isMetadata(name)) {
                return ImmutableMap.of();
            }
            if (RefNames.isRefsChanges(name)) {
                return canSeeSingleChangeRef(name) ? map : ImmutableMap.of();
            }
        }
        Result filterRefs = filterRefs(map, repository, refFilterOptions);
        Map<String, Ref> visibleRefs = filterRefs.visibleRefs();
        if (!filterRefs.deferredTags().isEmpty()) {
            Result filterRefs2 = filterRefs(getTaggableRefsMap(repository), repository, refFilterOptions);
            Preconditions.checkState(filterRefs2.deferredTags().isEmpty(), "unexpected tags found when filtering refs/heads/* " + filterRefs2.deferredTags());
            TagMatcher matcher = this.tagCache.get(this.projectState.getNameKey()).matcher(this.tagCache, repository, filterRefs2.visibleRefs().values());
            for (Ref ref : filterRefs.deferredTags()) {
                try {
                    if (matcher.isReachable(ref)) {
                        visibleRefs.put(ref.getName(), ref);
                    }
                } catch (IOException e) {
                    throw new PermissionBackendException(e);
                }
            }
        }
        return visibleRefs;
    }

    Result filterRefs(Map<String, Ref> map, Repository repository, PermissionBackend.RefFilterOptions refFilterOptions) throws PermissionBackendException {
        if (this.projectState.isAllUsers()) {
            map = addUsersSelfSymref(map);
        }
        boolean checkProjectPermission = checkProjectPermission(this.permissionBackendForProject, ProjectPermission.READ);
        if (this.skipFullRefEvaluationIfAllRefsAreVisible && !this.projectState.isAllUsers()) {
            if (this.projectState.statePermitsRead() && checkProjectPermission) {
                this.skipFilterCount.increment();
                return new AutoValue_DefaultRefFilter_Result(map, ImmutableList.of());
            }
            if (this.projectControl.allRefsAreVisible(ImmutableSet.of(RefNames.REFS_CONFIG))) {
                this.skipFilterCount.increment();
                return new AutoValue_DefaultRefFilter_Result(fastHideRefsMetaConfig(map), ImmutableList.of());
            }
        }
        this.fullFilterCount.increment();
        boolean testOrFalse = this.permissionBackend.user(this.projectControl.getUser()).testOrFalse(GlobalPermission.ACCESS_DATABASE);
        HashMap newHashMapWithExpectedSize = Maps.newHashMapWithExpectedSize(map.size());
        ArrayList arrayList = new ArrayList();
        for (Ref ref : map.values()) {
            String name = ref.getName();
            if (refFilterOptions.filterMeta() && isMetadata(name)) {
                logger.atFinest().log("Filter out metadata ref %s", name);
            } else if (!isTag(ref)) {
                Change.Id fromRef = Change.Id.fromRef(name);
                if (fromRef != null) {
                    if (testOrFalse) {
                        newHashMapWithExpectedSize.put(name, ref);
                    } else if (!visible(repository, fromRef)) {
                        logger.atFinest().log("Filter out invisible change ref %s", name);
                    } else if (!RefNames.isRefsEdit(name) || visibleEdit(repository, name)) {
                        newHashMapWithExpectedSize.put(name, ref);
                    } else {
                        logger.atFinest().log("Filter out invisible change edit ref %s", name);
                    }
                } else if (this.refVisibilityControl.isVisible(this.projectControl, ref.getLeaf().getName())) {
                    newHashMapWithExpectedSize.put(name, ref);
                }
            } else if (checkProjectPermission) {
                logger.atFinest().log("Include tag ref %s because user has read on refs/*", name);
                newHashMapWithExpectedSize.put(name, ref);
            } else if (ref.getObjectId() != null) {
                logger.atFinest().log("Defer tag ref %s", name);
                arrayList.add(ref);
            } else {
                logger.atFinest().log("Filter out tag ref %s that is not a tag", name);
            }
        }
        return new AutoValue_DefaultRefFilter_Result(newHashMapWithExpectedSize, arrayList);
    }

    private static Map<String, Ref> getTaggableRefsMap(Repository repository) throws PermissionBackendException {
        try {
            return (Map) repository.getRefDatabase().getRefs().stream().filter(ref -> {
                return (RefNames.isGerritRef(ref.getName()) || ref.getName().startsWith("refs/tags/") || ref.isSymbolic() || RefNames.REFS_CONFIG.equals(ref.getName())) ? false : true;
            }).collect(Collectors.toMap((v0) -> {
                return v0.getName();
            }, ref2 -> {
                return ref2;
            }));
        } catch (IOException e) {
            throw new PermissionBackendException(e);
        }
    }

    private Map<String, Ref> fastHideRefsMetaConfig(Map<String, Ref> map) throws PermissionBackendException {
        if (!map.containsKey(RefNames.REFS_CONFIG) || canReadRef(RefNames.REFS_CONFIG)) {
            return map;
        }
        HashMap hashMap = new HashMap(map);
        hashMap.remove(RefNames.REFS_CONFIG);
        return hashMap;
    }

    private Map<String, Ref> addUsersSelfSymref(Map<String, Ref> map) {
        Ref ref;
        if (this.user.isIdentifiedUser() && (ref = map.get(RefNames.refsUsers(this.user.getAccountId()))) != null) {
            SymbolicRef symbolicRef = new SymbolicRef(RefNames.REFS_USERS_SELF, ref);
            map = new HashMap(map);
            map.put(symbolicRef.getName(), symbolicRef);
        }
        return map;
    }

    private boolean visible(Repository repository, Change.Id id) throws PermissionBackendException {
        if (this.visibleChanges == null) {
            if (this.changeCache == null) {
                this.visibleChanges = visibleChangesByScan(repository);
            } else {
                this.visibleChanges = visibleChangesBySearch();
            }
        }
        return this.visibleChanges.containsKey(id);
    }

    private boolean visibleEdit(Repository repository, String str) throws PermissionBackendException {
        Change.Id fromEditRefPart = Change.Id.fromEditRefPart(str);
        if (this.visibleChanges == null) {
            visible(repository, fromEditRefPart);
        }
        if (fromEditRefPart == null) {
            return false;
        }
        if (this.user.isIdentifiedUser() && str.startsWith(RefNames.refsEditPrefix(this.user.asIdentifiedUser().getAccountId())) && visible(repository, fromEditRefPart)) {
            return true;
        }
        if (!this.visibleChanges.containsKey(fromEditRefPart)) {
            return false;
        }
        try {
            this.permissionBackendForProject.ref(this.visibleChanges.get(fromEditRefPart).get()).check(RefPermission.READ_PRIVATE_CHANGES);
            return true;
        } catch (AuthException e) {
            return false;
        }
    }

    private Map<Change.Id, Branch.NameKey> visibleChangesBySearch() throws PermissionBackendException {
        Project.NameKey nameKey = this.projectState.getNameKey();
        try {
            HashMap hashMap = new HashMap();
            for (ChangeData changeData : this.changeCache.getChangeData(nameKey)) {
                ChangeNotes createFromIndexedChange = this.changeNotesFactory.createFromIndexedChange(changeData.change());
                if (this.projectState.statePermitsRead()) {
                    try {
                        this.permissionBackendForProject.indexedChange(changeData, createFromIndexedChange).check(ChangePermission.READ);
                        hashMap.put(changeData.getId(), changeData.change().getDest());
                    } catch (AuthException e) {
                    }
                }
            }
            return hashMap;
        } catch (StorageException e2) {
            logger.atSevere().withCause(e2).log("Cannot load changes for project %s, assuming no changes are visible", nameKey);
            return Collections.emptyMap();
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    private Map<Change.Id, Branch.NameKey> visibleChangesByScan(Repository repository) throws PermissionBackendException {
        Project.NameKey nameKey = this.projectState.getNameKey();
        try {
            ImmutableList immutableList = (ImmutableList) this.changeNotesFactory.scan(repository, nameKey).collect(ImmutableList.toImmutableList());
            HashMap newHashMapWithExpectedSize = Maps.newHashMapWithExpectedSize(immutableList.size());
            UnmodifiableIterator it = immutableList.iterator();
            while (it.hasNext()) {
                ChangeNotes notes = toNotes((ChangeNotes.Factory.ChangeNotesResult) it.next());
                if (notes != null) {
                    newHashMapWithExpectedSize.put(notes.getChangeId(), notes.getChange().getDest());
                }
            }
            return newHashMapWithExpectedSize;
        } catch (IOException e) {
            logger.atSevere().withCause(e).log("Cannot load changes for project %s, assuming no changes are visible", nameKey);
            return Collections.emptyMap();
        }
    }

    @Nullable
    private ChangeNotes toNotes(ChangeNotes.Factory.ChangeNotesResult changeNotesResult) throws PermissionBackendException {
        if (changeNotesResult.error().isPresent()) {
            logger.atWarning().withCause(changeNotesResult.error().get()).log("Failed to load change %s in %s", changeNotesResult.id(), this.projectState.getName());
            return null;
        }
        if (!this.projectState.statePermitsRead()) {
            return null;
        }
        try {
            this.permissionBackendForProject.change(changeNotesResult.notes()).check(ChangePermission.READ);
            return changeNotesResult.notes();
        } catch (AuthException e) {
            return null;
        }
    }

    private boolean isMetadata(String str) {
        return RefNames.isRefsChanges(str) || RefNames.isRefsEdit(str);
    }

    private static boolean isTag(Ref ref) {
        return ref.getLeaf().getName().startsWith("refs/tags/");
    }

    private boolean canReadRef(String str) throws PermissionBackendException {
        try {
            this.permissionBackendForProject.ref(str).check(RefPermission.READ);
            return this.projectState.statePermitsRead();
        } catch (AuthException e) {
            return false;
        }
    }

    private boolean checkProjectPermission(PermissionBackend.ForProject forProject, ProjectPermission projectPermission) throws PermissionBackendException {
        try {
            forProject.check(projectPermission);
            return true;
        } catch (AuthException e) {
            return false;
        }
    }

    private boolean canSeeSingleChangeRef(String str) throws PermissionBackendException {
        Change.Id fromRef = Change.Id.fromRef(str);
        if (fromRef == null) {
            logger.atWarning().log("invalid change ref %s is not visible", str);
            return false;
        }
        try {
            try {
                this.permissionBackendForProject.change(this.changeNotesFactory.create(this.projectState.getNameKey(), fromRef)).check(ChangePermission.READ);
                return true;
            } catch (AuthException e) {
                return false;
            }
        } catch (StorageException e2) {
            throw new PermissionBackendException("can't construct change notes", e2);
        }
    }
}
