package com.google.gerrit.server.permissions;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.UnmodifiableIterator;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.data.Permission;
import com.google.gerrit.common.data.PermissionRange;
import com.google.gerrit.common.data.PermissionRule;
import com.google.gerrit.entities.Change;
import com.google.gerrit.entities.Project;
import com.google.gerrit.entities.RefNames;
import com.google.gerrit.exceptions.StorageException;
import com.google.gerrit.extensions.conditions.BooleanCondition;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.logging.CallerFinder;
import com.google.gerrit.server.notedb.ChangeNotes;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendCondition;
import com.google.gerrit.server.query.change.ChangeData;
import com.google.gerrit.server.util.MagicBranch;
import java.io.IOException;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.Repository;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/google/gerrit/server/permissions/RefControl.class */
public class RefControl {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final RefVisibilityControl refVisibilityControl;
    private final ProjectControl projectControl;
    private final GitRepositoryManager repositoryManager;
    private final String refName;
    private final PermissionCollection relevant;
    private final CallerFinder callerFinder = CallerFinder.builder().addTarget(PermissionBackend.class).matchSubClasses(true).matchInnerClasses(true).skip(1).build();
    private Boolean owner;
    private Boolean canForgeAuthor;
    private Boolean canForgeCommitter;
    private Boolean hasReadPermissionOnRef;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/gerrit/server/permissions/RefControl$ForRefImpl.class */
    public class ForRefImpl extends PermissionBackend.ForRef {
        private String resourcePath;

        private ForRefImpl() {
        }

        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForRef
        public String resourcePath() {
            if (this.resourcePath == null) {
                this.resourcePath = String.format("/projects/%s/+refs/%s", RefControl.this.getProjectControl().getProjectState().getName(), RefControl.this.refName);
            }
            return this.resourcePath;
        }

        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForRef
        public PermissionBackend.ForChange change(ChangeData changeData) {
            try {
                return RefControl.this.getProjectControl().controlFor(changeData.change()).asForChange(changeData);
            } catch (StorageException e) {
                return FailedPermissionBackend.change("unavailable", e);
            }
        }

        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForRef
        public PermissionBackend.ForChange change(ChangeNotes changeNotes) {
            Project.NameKey nameKey = RefControl.this.getProjectControl().getProject().getNameKey();
            Change change = changeNotes.getChange();
            Preconditions.checkArgument(nameKey.equals(change.getProject()), "expected change in project %s, not %s", nameKey, change.getProject());
            return RefControl.this.getProjectControl().controlFor(changeNotes).asForChange(null);
        }

        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForRef
        public PermissionBackend.ForChange indexedChange(ChangeData changeData, ChangeNotes changeNotes) {
            return RefControl.this.getProjectControl().controlFor(changeNotes).asForChange(changeData);
        }

        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForRef
        public void check(RefPermission refPermission) throws AuthException, PermissionBackendException {
            if (can(refPermission)) {
                return;
            }
            PermissionDeniedException permissionDeniedException = new PermissionDeniedException(refPermission, RefControl.this.refName);
            switch (refPermission) {
                case UPDATE:
                    if (!RefControl.this.refName.equals(RefNames.REFS_CONFIG)) {
                        permissionDeniedException.setAdvice("To push into this reference you need 'Push' rights.");
                        break;
                    } else {
                        permissionDeniedException.setAdvice("Configuration changes can only be pushed by project owners\nwho also have 'Push' rights on refs/meta/config");
                        break;
                    }
                case DELETE:
                    permissionDeniedException.setAdvice("You need 'Delete Reference' rights or 'Push' rights with the \n'Force Push' flag set to delete references.");
                    break;
                case CREATE_CHANGE:
                    permissionDeniedException.setAdvice("You need 'Create Change' rights to upload code review requests.\nVerify that you are pushing to the right branch.");
                    break;
                case CREATE:
                    permissionDeniedException.setAdvice("You need 'Create' rights to create new references.");
                    break;
                case CREATE_SIGNED_TAG:
                    permissionDeniedException.setAdvice("You need 'Create Signed Tag' rights to push a signed tag.");
                    break;
                case CREATE_TAG:
                    permissionDeniedException.setAdvice("You need 'Create Tag' rights to push a normal tag.");
                    break;
                case FORCE_UPDATE:
                    permissionDeniedException.setAdvice("You need 'Push' rights with 'Force' flag set to do a non-fastforward push.");
                    break;
                case FORGE_AUTHOR:
                    permissionDeniedException.setAdvice("You need 'Forge Author' rights to push commits with another user as author.");
                    break;
                case FORGE_COMMITTER:
                    permissionDeniedException.setAdvice("You need 'Forge Committer' rights to push commits with another user as committer.");
                    break;
                case FORGE_SERVER:
                    permissionDeniedException.setAdvice("You need 'Forge Server' rights to push merge commits authored by the server.");
                    break;
                case MERGE:
                    permissionDeniedException.setAdvice("You need 'Push Merge' in addition to 'Push' rights to push merge commits.");
                    break;
                case READ:
                    permissionDeniedException.setAdvice("You need 'Read' rights to fetch or clone this ref.");
                    break;
                case READ_CONFIG:
                    permissionDeniedException.setAdvice("You need 'Read' rights on refs/meta/config to see the configuration.");
                    break;
                case READ_PRIVATE_CHANGES:
                    permissionDeniedException.setAdvice("You need 'Read Private Changes' to see private changes.");
                    break;
                case SET_HEAD:
                    permissionDeniedException.setAdvice("You need 'Set HEAD' rights to set the default branch.");
                    break;
                case SKIP_VALIDATION:
                    permissionDeniedException.setAdvice("You need 'Forge Author', 'Forge Server', 'Forge Committer'\nand 'Push Merge' rights to skip validation.");
                    break;
                case UPDATE_BY_SUBMIT:
                    permissionDeniedException.setAdvice("You need 'Submit' rights on refs/for/ to submit changes during change upload.");
                    break;
                case WRITE_CONFIG:
                    permissionDeniedException.setAdvice("You need 'Write' rights on refs/meta/config.");
                    break;
            }
            throw permissionDeniedException;
        }

        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForRef
        public Set<RefPermission> test(Collection<RefPermission> collection) throws PermissionBackendException {
            EnumSet noneOf = EnumSet.noneOf(RefPermission.class);
            for (RefPermission refPermission : collection) {
                if (can(refPermission)) {
                    noneOf.add(refPermission);
                }
            }
            return noneOf;
        }

        @Override // com.google.gerrit.server.permissions.PermissionBackend.ForRef
        public BooleanCondition testCond(RefPermission refPermission) {
            return new PermissionBackendCondition.ForRef(this, refPermission, RefControl.this.getUser());
        }

        private boolean can(RefPermission refPermission) throws PermissionBackendException {
            switch (refPermission) {
                case UPDATE:
                    return RefControl.this.canUpdate();
                case DELETE:
                    return RefControl.this.canDelete();
                case CREATE_CHANGE:
                    return RefControl.this.canUpload();
                case CREATE:
                    return RefControl.this.canPerform(RefControl.refPermissionName(refPermission));
                case CREATE_SIGNED_TAG:
                case CREATE_TAG:
                    return RefControl.this.canPerform(RefControl.refPermissionName(refPermission));
                case FORCE_UPDATE:
                    return RefControl.this.canForceUpdate();
                case FORGE_AUTHOR:
                    return RefControl.this.canForgeAuthor();
                case FORGE_COMMITTER:
                    return RefControl.this.canForgeCommitter();
                case FORGE_SERVER:
                    return RefControl.this.canForgeGerritServerIdentity();
                case MERGE:
                    return RefControl.this.canUploadMerges();
                case READ:
                    if (RefControl.this.getUser().isInternalUser()) {
                        return true;
                    }
                    return RefControl.this.refName.startsWith("refs/tags/") ? isTagVisible() : RefControl.this.refVisibilityControl.isVisible(RefControl.this.projectControl, RefControl.this.refName);
                case READ_CONFIG:
                    return RefControl.this.projectControl.controlForRef(RefNames.REFS_CONFIG).canPerform(RefPermission.READ.name());
                case READ_PRIVATE_CHANGES:
                    return RefControl.this.canPerform(Permission.VIEW_PRIVATE_CHANGES);
                case SET_HEAD:
                    return RefControl.this.projectControl.isOwner();
                case SKIP_VALIDATION:
                    return RefControl.this.canForgeAuthor() && RefControl.this.canForgeCommitter() && RefControl.this.canForgeGerritServerIdentity() && RefControl.this.canUploadMerges();
                case UPDATE_BY_SUBMIT:
                    return RefControl.this.projectControl.controlForRef(MagicBranch.NEW_CHANGE + RefControl.this.refName).canSubmit(true);
                case WRITE_CONFIG:
                    return RefControl.this.isOwner();
                default:
                    throw new PermissionBackendException(refPermission + " unsupported");
            }
        }

        private boolean isTagVisible() throws PermissionBackendException {
            if (RefControl.this.projectControl.asForProject().test(ProjectPermission.READ)) {
                return true;
            }
            try {
                Repository openRepository = RefControl.this.repositoryManager.openRepository(RefControl.this.projectControl.getProject().getNameKey());
                try {
                    Ref exactRef = openRepository.getRefDatabase().exactRef(RefControl.this.refName);
                    if (exactRef == null) {
                        if (openRepository != null) {
                            openRepository.close();
                        }
                        return false;
                    }
                    boolean anyMatch = RefControl.this.projectControl.asForProject().filter(ImmutableList.of(exactRef), openRepository, PermissionBackend.RefFilterOptions.defaults()).values().stream().anyMatch(ref -> {
                        return RefControl.this.refName.equals(ref.getName());
                    });
                    if (openRepository != null) {
                        openRepository.close();
                    }
                    return anyMatch;
                } finally {
                }
            } catch (IOException e) {
                throw new PermissionBackendException(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public RefControl(RefVisibilityControl refVisibilityControl, ProjectControl projectControl, GitRepositoryManager gitRepositoryManager, String str, PermissionCollection permissionCollection) {
        this.refVisibilityControl = refVisibilityControl;
        this.projectControl = projectControl;
        this.repositoryManager = gitRepositoryManager;
        this.refName = str;
        this.relevant = permissionCollection;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ProjectControl getProjectControl() {
        return this.projectControl;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CurrentUser getUser() {
        return this.projectControl.getUser();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isOwner() {
        if (this.owner == null) {
            if (canPerform("owner")) {
                this.owner = true;
            } else {
                this.owner = Boolean.valueOf(this.projectControl.isOwner());
            }
        }
        return this.owner.booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean hasReadPermissionOnRef(boolean z) {
        if (!z && (this.refName.startsWith("refs/tags/") || RefNames.isGerritRef(this.refName))) {
            logger.atWarning().atMostEvery(30, TimeUnit.SECONDS).log("%s: Can't determine visibility of %s in RefControl. Denying access. This case should have been handled before.", this.projectControl.getProject().getName(), this.refName);
            return false;
        }
        if (this.hasReadPermissionOnRef == null) {
            this.hasReadPermissionOnRef = Boolean.valueOf(getUser().isInternalUser() || canPerform(Permission.READ));
        }
        return this.hasReadPermissionOnRef.booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean canAddPatchSet() {
        return this.projectControl.controlForRef(MagicBranch.NEW_CHANGE + this.refName).canPerform(Permission.ADD_PATCH_SET);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean canRebase() {
        return canPerform("rebase");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean canSubmit(boolean z) {
        return RefNames.REFS_CONFIG.equals(this.refName) ? this.projectControl.isOwner() : canPerform(Permission.SUBMIT, z, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean canForceEditTopicName() {
        return canPerform(Permission.EDIT_TOPIC_NAME, false, true);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean canDeleteChanges(boolean z) {
        return canPerform(Permission.DELETE_CHANGES) || (z && canPerform(Permission.DELETE_OWN_CHANGES, z, false));
    }

    PermissionRange getRange(String str) {
        return getRange(str, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public PermissionRange getRange(String str, boolean z) {
        if (Permission.hasRange(str)) {
            return toRange(str, z);
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean canPerform(String str) {
        return canPerform(str, false, false);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public PermissionBackend.ForRef asForRef() {
        return new ForRefImpl();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canUpload() {
        return this.projectControl.controlForRef(MagicBranch.NEW_CHANGE + this.refName).canPerform(Permission.PUSH);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canUploadMerges() {
        return this.projectControl.controlForRef(MagicBranch.NEW_CHANGE + this.refName).canPerform(Permission.PUSH_MERGE);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canUpdate() {
        if (!RefNames.REFS_CONFIG.equals(this.refName) || this.projectControl.isOwner() || (this.projectControl.getProjectState().isAllProjects() && this.projectControl.isAdmin())) {
            return canPerform(Permission.PUSH);
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canForceUpdate() {
        if (canPushWithForce()) {
            return true;
        }
        switch (getUser().getAccessPath()) {
            case GIT:
                return false;
            case REST_API:
            case SSH_COMMAND:
            case UNKNOWN:
            case WEB_BROWSER:
            default:
                return (isOwner() && !isBlocked(Permission.PUSH, false, true)) || this.projectControl.isAdmin();
        }
    }

    private boolean canPushWithForce() {
        if (!RefNames.REFS_CONFIG.equals(this.refName) || this.projectControl.isOwner()) {
            return canPerform(Permission.PUSH, false, true);
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canDelete() {
        switch (getUser().getAccessPath()) {
            case GIT:
                return canPushWithForce() || canPerform(Permission.DELETE);
            case REST_API:
            case SSH_COMMAND:
            case UNKNOWN:
            case WEB_BROWSER:
            default:
                return (isOwner() && !isBlocked(Permission.PUSH, false, true)) || canPushWithForce() || canPerform(Permission.DELETE) || this.projectControl.isAdmin();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canForgeAuthor() {
        if (this.canForgeAuthor == null) {
            this.canForgeAuthor = Boolean.valueOf(canPerform(Permission.FORGE_AUTHOR));
        }
        return this.canForgeAuthor.booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canForgeCommitter() {
        if (this.canForgeCommitter == null) {
            this.canForgeCommitter = Boolean.valueOf(canPerform(Permission.FORGE_COMMITTER));
        }
        return this.canForgeCommitter.booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean canForgeGerritServerIdentity() {
        return canPerform(Permission.FORGE_SERVER);
    }

    private static boolean isAllow(PermissionRule permissionRule, boolean z) {
        return permissionRule.getAction() == PermissionRule.Action.ALLOW && (permissionRule.getForce() || !z);
    }

    private static boolean isBlock(PermissionRule permissionRule, boolean z) {
        return permissionRule.getAction() == PermissionRule.Action.BLOCK && (!permissionRule.getForce() || z);
    }

    private PermissionRange toRange(String str, boolean z) {
        int i = Integer.MIN_VALUE;
        int i2 = Integer.MAX_VALUE;
        Iterator<List<Permission>> it = this.relevant.getBlockRules(str).iterator();
        while (it.hasNext()) {
            boolean z2 = false;
            int i3 = Integer.MIN_VALUE;
            int i4 = Integer.MAX_VALUE;
            Iterator<Permission> it2 = it.next().iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                Permission next = it2.next();
                if (next.getExclusiveGroup()) {
                    UnmodifiableIterator<PermissionRule> it3 = next.getRules().iterator();
                    while (it3.hasNext()) {
                        PermissionRule next2 = it3.next();
                        if (next2.getAction() != PermissionRule.Action.ALLOW || !this.projectControl.match(next2, z)) {
                        }
                    }
                }
                UnmodifiableIterator<PermissionRule> it4 = next.getRules().iterator();
                while (it4.hasNext()) {
                    PermissionRule next3 = it4.next();
                    if (next3.getAction() == PermissionRule.Action.BLOCK && this.projectControl.match(next3, z)) {
                        i3 = next3.getMin() + 1;
                        i4 = next3.getMax() - 1;
                        z2 = true;
                    }
                }
                if (z2) {
                    UnmodifiableIterator<PermissionRule> it5 = next.getRules().iterator();
                    while (true) {
                        if (!it5.hasNext()) {
                            break;
                        }
                        PermissionRule next4 = it5.next();
                        if (next4.getAction() == PermissionRule.Action.ALLOW && this.projectControl.match(next4, z)) {
                            i3 = next4.getMin();
                            i4 = next4.getMax();
                            break;
                        }
                    }
                }
            }
            i = Math.max(i3, i);
            i2 = Math.min(i4, i2);
        }
        int i5 = 0;
        int i6 = 0;
        for (PermissionRule permissionRule : this.relevant.getAllowRules(str)) {
            if (permissionRule.getAction() == PermissionRule.Action.ALLOW && this.projectControl.match(permissionRule, z)) {
                i5 = Math.min(i5, permissionRule.getMin());
                i6 = Math.max(i6, permissionRule.getMax());
            }
        }
        return new PermissionRange(str, Math.max(i5, i), Math.min(i6, i2));
    }

    /* JADX WARN: Code restructure failed: missing block: B:68:0x0013, code lost:
    
        continue;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private boolean isBlocked(java.lang.String r5, boolean r6, boolean r7) {
        /*
            Method dump skipped, instructions count: 318
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.google.gerrit.server.permissions.RefControl.isBlocked(java.lang.String, boolean, boolean):boolean");
    }

    private boolean canPerform(String str, boolean z, boolean z2) {
        if (isBlocked(str, z, z2)) {
            logger.atFine().log("'%s' cannot perform '%s' with force=%s on project '%s' for ref '%s' (caller: %s) because this permission is blocked", getUser().getLoggableName(), str, Boolean.valueOf(z2), this.projectControl.getProject().getName(), this.refName, this.callerFinder.findCallerLazy());
            return false;
        }
        for (PermissionRule permissionRule : this.relevant.getAllowRules(str)) {
            if (isAllow(permissionRule, z2) && this.projectControl.match(permissionRule, z)) {
                logger.atFine().log("'%s' can perform '%s' with force=%s on project '%s' for ref '%s' (caller: %s)", getUser().getLoggableName(), str, Boolean.valueOf(z2), this.projectControl.getProject().getName(), this.refName, this.callerFinder.findCallerLazy());
                return true;
            }
        }
        logger.atFine().log("'%s' cannot perform '%s' with force=%s on project '%s' for ref '%s' (caller: %s)", getUser().getLoggableName(), str, Boolean.valueOf(z2), this.projectControl.getProject().getName(), this.refName, this.callerFinder.findCallerLazy());
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String refPermissionName(RefPermission refPermission) {
        return DefaultPermissionMappings.refPermissionName(refPermission).orElseThrow(() -> {
            return new IllegalStateException("no name for " + refPermission);
        });
    }
}
