package com.google.gerrit.server.project;

import com.google.common.flogger.FluentLogger;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
import com.google.gerrit.reviewdb.client.Branch;
import com.google.gerrit.reviewdb.client.Project;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import org.eclipse.jgit.lib.PersonIdent;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.revwalk.RevCommit;
import org.eclipse.jgit.revwalk.RevObject;
import org.eclipse.jgit.revwalk.RevTag;
import org.eclipse.jgit.revwalk.RevWalk;

@Singleton
/* loaded from: input_file:com/google/gerrit/server/project/CreateRefControl.class */
public class CreateRefControl {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final PermissionBackend permissionBackend;
    private final ProjectCache projectCache;
    private final Reachable reachable;

    @Inject
    CreateRefControl(PermissionBackend permissionBackend, ProjectCache projectCache, Reachable reachable) {
        this.permissionBackend = permissionBackend;
        this.projectCache = projectCache;
        this.reachable = reachable;
    }

    public void checkCreateRef(Provider<? extends CurrentUser> provider, Repository repository, Branch.NameKey nameKey, RevObject revObject) throws AuthException, PermissionBackendException, NoSuchProjectException, IOException, ResourceConflictException {
        ProjectState checkedGet = this.projectCache.checkedGet(nameKey.getParentKey());
        if (checkedGet == null) {
            throw new NoSuchProjectException(nameKey.getParentKey());
        }
        checkedGet.checkStatePermitsWrite();
        PermissionBackend.ForRef ref = this.permissionBackend.user(provider.get()).ref(nameKey);
        if (revObject instanceof RevCommit) {
            ref.check(RefPermission.CREATE);
            checkCreateCommit(repository, (RevCommit) revObject, checkedGet.getNameKey(), ref);
            return;
        }
        if (revObject instanceof RevTag) {
            RevTag revTag = (RevTag) revObject;
            try {
                RevWalk revWalk = new RevWalk(repository);
                try {
                    revWalk.parseBody(revTag);
                    revWalk.close();
                    PersonIdent taggerIdent = revTag.getTaggerIdent();
                    if (taggerIdent != null && (!provider.get().isIdentifiedUser() || !provider.get().asIdentifiedUser().hasEmailAddress(taggerIdent.getEmailAddress()))) {
                        ref.check(RefPermission.FORGE_COMMITTER);
                    }
                    RevObject object = revTag.getObject();
                    if (object instanceof RevCommit) {
                        checkCreateCommit(repository, (RevCommit) object, checkedGet.getNameKey(), ref);
                    } else {
                        checkCreateRef(provider, repository, nameKey, object);
                    }
                    PermissionBackend.ForRef ref2 = this.permissionBackend.user(provider.get()).ref(nameKey);
                    if (revTag.getFullMessage().contains("-----BEGIN PGP SIGNATURE-----\n")) {
                        ref2.check(RefPermission.CREATE_SIGNED_TAG);
                    } else {
                        ref2.check(RefPermission.CREATE_TAG);
                    }
                } finally {
                }
            } catch (IOException e) {
                logger.atSevere().withCause(e).log("RevWalk(%s) parsing %s:", nameKey.getParentKey(), revTag.name());
                throw e;
            }
        }
    }

    private void checkCreateCommit(Repository repository, RevCommit revCommit, Project.NameKey nameKey, PermissionBackend.ForRef forRef) throws AuthException, PermissionBackendException, IOException {
        try {
            forRef.check(RefPermission.UPDATE);
        } catch (AuthException e) {
            if (this.reachable.fromRefs(nameKey, repository, revCommit, repository.getRefDatabase().getRefsByPrefix("refs/heads/", "refs/tags/"))) {
                return;
            }
            AuthException authException = new AuthException(String.format("%s for creating new commit object not permitted", RefPermission.UPDATE.describeForException()));
            authException.setAdvice(String.format("use a SHA1 visible to you, or get %s permission on the ref", RefPermission.UPDATE.describeForException()));
            throw authException;
        }
    }
}
