package com.google.gerrit.server.permissions;

import com.google.common.base.Preconditions;
import com.google.common.collect.Sets;
import com.google.common.collect.UnmodifiableIterator;
import com.google.gerrit.common.PageLinks;
import com.google.gerrit.common.data.AccessSection;
import com.google.gerrit.common.data.Permission;
import com.google.gerrit.common.data.PermissionRule;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.entities.BranchNameKey;
import com.google.gerrit.entities.Change;
import com.google.gerrit.entities.Project;
import com.google.gerrit.entities.RefNames;
import com.google.gerrit.exceptions.StorageException;
import com.google.gerrit.extensions.api.access.CoreOrPluginProjectPermission;
import com.google.gerrit.extensions.api.access.PluginProjectPermission;
import com.google.gerrit.extensions.conditions.BooleanCondition;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.GitReceivePackGroups;
import com.google.gerrit.server.config.GitUploadPackGroups;
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.gerrit.server.notedb.ChangeNotes;
import com.google.gerrit.server.permissions.ChangeControl;
import com.google.gerrit.server.permissions.DefaultRefFilter;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendCondition;
import com.google.gerrit.server.permissions.PermissionCollection;
import com.google.gerrit.server.project.ProjectState;
import com.google.gerrit.server.project.SectionMatcher;
import com.google.gerrit.server.query.change.ChangeData;
import com.google.gerrit.server.util.MagicBranch;
import com.google.inject.Inject;
import com.google.inject.assistedinject.Assisted;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.Repository;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/google/gerrit/server/permissions/ProjectControl.class */
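/**
 * Evaluates project-level permissions for one {@link CurrentUser} against one
 * {@link ProjectState}.
 *
 * <p>An instance lazily caches the project's access sections, one {@link RefControl} per ref name
 * and the "declared owner" result in plain, unsynchronized fields. Every cached answer is specific
 * to the user supplied at construction, so an instance must never be reused for another user.
 * NOTE(review): nothing here makes the caches thread-safe; presumably instances are confined to
 * one request/thread — confirm before sharing one.
 *
 * <p>Decompiler note: this class and several members were originally package-private or private;
 * the {@code public} modifiers below come from decompilation. Treat them as internal API.
 */
public class ProjectControl {
    private final Set<AccountGroup.UUID> uploadGroups;
    private final Set<AccountGroup.UUID> receiveGroups;
    private final PermissionBackend permissionBackend;
    private final RefVisibilityControl refVisibilityControl;
    private final GitRepositoryManager repositoryManager;
    private final CurrentUser user;
    private final ProjectState state;
    private final ChangeControl.Factory changeControlFactory;
    private final PermissionCollection.Factory permissionFilter;
    private final DefaultRefFilter.Factory refFilterFactory;

    // Lazily populated caches; null means "not computed yet".
    private List<SectionMatcher> allSections;
    private Map<String, RefControl> refControls;
    private Boolean declaredOwner;

    /**
     * Assisted-injection factory (originally package-private according to the decompiler).
     */
    public interface Factory {
        /**
         * Creates a control bound to the given user and project state.
         *
         * @param currentUser user whose permissions will be evaluated
         * @param projectState project the permissions apply to
         * @return a new control; its caches start empty
         */
        ProjectControl create(CurrentUser currentUser, ProjectState projectState);
    }

    /**
     * Adapter that exposes the enclosing {@link ProjectControl} through the
     * {@link PermissionBackend.ForProject} API.
     *
     * <p>Calls into the enclosing instance stay qualified with {@code ProjectControl.this} so that
     * they cannot silently resolve to a member inherited from the superclass.
     */
    private class ForProjectImpl extends PermissionBackend.ForProject {
        private DefaultRefFilter refFilter;
        private String resourcePath;

        private ForProjectImpl() {
        }

        /**
         * Returns {@code PageLinks.PROJECTS} followed by the project name, computed once.
         */
        @Override
        public String resourcePath() {
            if (this.resourcePath == null) {
                this.resourcePath = PageLinks.PROJECTS + ProjectControl.this.getProjectState().getName();
            }
            return this.resourcePath;
        }

        /**
         * Returns the per-ref permission view for {@code str} (a ref name).
         */
        @Override
        public PermissionBackend.ForRef ref(String str) {
            return ProjectControl.this.controlForRef(str).asForRef();
        }

        /**
         * Returns the per-change permission view after verifying the change belongs to this project.
         *
         * <p>A {@link StorageException} raised inside the try block is converted into
         * {@code FailedPermissionBackend.change("unavailable", e)} instead of propagating.
         * NOTE(review): presumably that object rejects every check (fail closed) — confirm in
         * FailedPermissionBackend. The {@link IllegalArgumentException} thrown by
         * {@link #checkProject} is not caught here.
         */
        @Override
        public PermissionBackend.ForChange change(ChangeData changeData) {
            try {
                checkProject(changeData.change());
                return super.change(changeData);
            } catch (StorageException e) {
                return FailedPermissionBackend.change("unavailable", e);
            }
        }

        /**
         * Returns the per-change permission view after verifying the change belongs to this project.
         *
         * @throws IllegalArgumentException if the change is in a different project
         */
        @Override
        public PermissionBackend.ForChange change(ChangeNotes changeNotes) {
            checkProject(changeNotes.getChange());
            return super.change(changeNotes);
        }

        /**
         * Rejects a change that lives in another project, so that this project's rules are never
         * applied to a foreign change.
         *
         * @throws IllegalArgumentException if {@code change.getProject()} differs from this project
         */
        private void checkProject(Change change) {
            Project.NameKey expected = ProjectControl.this.getProject().getNameKey();
            Preconditions.checkArgument(expected.equals(change.getProject()), "expected change in project %s, not %s", expected, change.getProject());
        }

        /**
         * Throws unless the permission is granted.
         *
         * @throws AuthException if the permission is denied
         * @throws PermissionBackendException if the permission kind is not supported
         */
        @Override
        public void check(CoreOrPluginProjectPermission coreOrPluginProjectPermission) throws AuthException, PermissionBackendException {
            if (!can(coreOrPluginProjectPermission)) {
                throw new AuthException(coreOrPluginProjectPermission.describeForException() + " not permitted");
            }
        }

        /**
         * Returns the subset of {@code collection} that the user is granted.
         *
         * @throws PermissionBackendException if any element is of an unsupported kind
         */
        @Override
        public <T extends CoreOrPluginProjectPermission> Set<T> test(Collection<T> collection) throws PermissionBackendException {
            Set<T> granted = Sets.newHashSetWithExpectedSize(collection.size());
            for (T permission : collection) {
                if (can(permission)) {
                    granted.add(permission);
                }
            }
            return granted;
        }

        /**
         * Wraps the permission in a condition object bound to this view and the current user.
         */
        @Override
        public BooleanCondition testCond(CoreOrPluginProjectPermission coreOrPluginProjectPermission) {
            return new PermissionBackendCondition.ForProject(this, coreOrPluginProjectPermission, ProjectControl.this.getUser());
        }

        /**
         * Filters {@code collection} through a {@link DefaultRefFilter} that is created on first
         * use and then reused for this view.
         */
        @Override
        public Collection<Ref> filter(Collection<Ref> collection, Repository repository, PermissionBackend.RefFilterOptions refFilterOptions) throws PermissionBackendException {
            if (this.refFilter == null) {
                this.refFilter = ProjectControl.this.refFilterFactory.create(ProjectControl.this);
            }
            return this.refFilter.filter(collection, repository, refFilterOptions);
        }

        /**
         * Dispatches on the permission kind.
         *
         * <p>Plugin-defined project permissions are not evaluated in this class and are always
         * denied; any other unknown kind is an error rather than a silent grant or denial.
         */
        private boolean can(CoreOrPluginProjectPermission permission) throws PermissionBackendException {
            if (permission instanceof ProjectPermission) {
                return can((ProjectPermission) permission);
            }
            if (permission instanceof PluginProjectPermission) {
                return false;
            }
            throw new PermissionBackendException(permission.describeForException() + " unsupported");
        }

        /**
         * Evaluates a core project permission. Unlisted enum values raise
         * {@link PermissionBackendException} instead of defaulting to a decision.
         */
        private boolean can(ProjectPermission projectPermission) throws PermissionBackendException {
            switch (projectPermission) {
                case ACCESS:
                    // Internal users and owners always pass; otherwise READ on any ref is enough.
                    return ProjectControl.this.user.isInternalUser() || ProjectControl.this.isOwner() || ProjectControl.this.canPerformOnAnyRef(Permission.READ);
                case READ:
                    // Project-wide READ means every ref is visible, with no tolerated exceptions.
                    return ProjectControl.this.allRefsAreVisible(Collections.emptySet());
                case CREATE_REF:
                    return ProjectControl.this.canAddRefs();
                case CREATE_TAG_REF:
                    return ProjectControl.this.canAddTagRefs();
                case CREATE_CHANGE:
                    return ProjectControl.this.canCreateChanges();
                case RUN_RECEIVE_PACK:
                    return ProjectControl.this.canRunReceivePack();
                case RUN_UPLOAD_PACK:
                    return ProjectControl.this.canRunUploadPack();
                case PUSH_AT_LEAST_ONE_REF:
                    return ProjectControl.this.canPushToAtLeastOneRef();
                case READ_CONFIG:
                    // The meaning of the boolean argument is defined in RefControl, not visible here.
                    return ProjectControl.this.controlForRef(RefNames.REFS_CONFIG).hasReadPermissionOnRef(false);
                case BAN_COMMIT:
                case READ_REFLOG:
                case WRITE_CONFIG:
                    // Owner-only operations.
                    return ProjectControl.this.isOwner();
                default:
                    throw new PermissionBackendException(projectPermission + " unsupported");
            }
        }
    }

    /**
     * Injected constructor; {@code currentUser} and {@code projectState} are the assisted
     * (per-call) arguments, everything else comes from the injector.
     *
     * @param set groups bound by {@code @GitUploadPackGroups}
     * @param set2 groups bound by {@code @GitReceivePackGroups}
     * @param factory produces the per-ref permission collection
     * @param factory2 produces {@link ChangeControl} instances
     * @param permissionBackend used for the global administrator check
     * @param refVisibilityControl passed through to each {@link RefControl}
     * @param gitRepositoryManager passed through to each {@link RefControl}
     * @param factory3 produces the ref filter used by {@code ForProject.filter}
     * @param currentUser user whose permissions are evaluated
     * @param projectState project the permissions apply to
     */
    @Inject
    ProjectControl(@GitUploadPackGroups Set<AccountGroup.UUID> set, @GitReceivePackGroups Set<AccountGroup.UUID> set2, PermissionCollection.Factory factory, ChangeControl.Factory factory2, PermissionBackend permissionBackend, RefVisibilityControl refVisibilityControl, GitRepositoryManager gitRepositoryManager, DefaultRefFilter.Factory factory3, @Assisted CurrentUser currentUser, @Assisted ProjectState projectState) {
        this.changeControlFactory = factory2;
        this.uploadGroups = set;
        this.receiveGroups = set2;
        this.permissionFilter = factory;
        this.permissionBackend = permissionBackend;
        this.refVisibilityControl = refVisibilityControl;
        this.repositoryManager = gitRepositoryManager;
        this.refFilterFactory = factory3;
        this.user = currentUser;
        this.state = projectState;
    }

    /**
     * Returns a new {@link PermissionBackend.ForProject} view backed by this control.
     * Originally package-private according to the decompiler.
     */
    public PermissionBackend.ForProject asForProject() {
        return new ForProjectImpl();
    }

    /**
     * Builds the change-level control for {@code change}, using the control of its destination ref.
     */
    ChangeControl controlFor(Change change) {
        return this.changeControlFactory.create(controlForRef(change.getDest()), change.getProject(), change.getId());
    }

    /**
     * Builds the change-level control from loaded notes, using the control of the change's
     * destination ref. Originally package-private according to the decompiler.
     */
    public ChangeControl controlFor(ChangeNotes changeNotes) {
        return this.changeControlFactory.create(controlForRef(changeNotes.getChange().getDest()), changeNotes);
    }

    /**
     * Returns the ref-level control for the branch named by {@code branchNameKey}.
     */
    RefControl controlForRef(BranchNameKey branchNameKey) {
        return controlForRef(branchNameKey.branch());
    }

    /**
     * Returns the ref-level control for {@code str}, creating and caching it on first request.
     *
     * <p>The cached control is built from this project's access sections filtered for the
     * current user, so the cache is only valid for that user.
     *
     * @param str ref name or ref pattern (callers in this class pass both)
     */
    public RefControl controlForRef(String str) {
        if (this.refControls == null) {
            this.refControls = new HashMap<>();
        }
        RefControl cached = this.refControls.get(str);
        if (cached == null) {
            cached = new RefControl(this.refVisibilityControl, this, this.repositoryManager, str, this.permissionFilter.filter(access(), str, this.user));
            this.refControls.put(str, cached);
        }
        return cached;
    }

    /** Returns the user this control evaluates. Originally package-private. */
    public CurrentUser getUser() {
        return this.user;
    }

    /** Returns the project state this control evaluates. Originally package-private. */
    public ProjectState getProjectState() {
        return this.state;
    }

    /** Returns the project taken from the project state. Originally package-private. */
    public Project getProject() {
        return this.state.getProject();
    }

    /**
     * Returns true if the user owns the project.
     *
     * <p>Ownership requires both membership in a declared owner group and the {@code "owner"}
     * permission on the {@code AccessSection.ALL} control; server administrators are owners
     * regardless. Originally package-private.
     */
    public boolean isOwner() {
        return (isDeclaredOwner() && controlForRef(AccessSection.ALL).canPerform("owner")) || isAdmin();
    }

    /**
     * Returns true if the user can PUSH or CREATE_TAG under at least one section, or owns the
     * project.
     */
    boolean canPushToAtLeastOneRef() {
        return canPerformOnAnyRef(Permission.PUSH) || canPerformOnAnyRef(Permission.CREATE_TAG) || isOwner();
    }

    /**
     * Returns true if the user holds {@code GlobalPermission.ADMINISTRATE_SERVER}.
     *
     * <p>Fails closed: a backend error is reported as "not an administrator". The error is not
     * logged or rethrown here, so a failing backend is indistinguishable from a plain denial at
     * this level. Originally package-private.
     */
    public boolean isAdmin() {
        try {
            this.permissionBackend.user(this.user).check(GlobalPermission.ADMINISTRATE_SERVER);
            return true;
        } catch (AuthException | PermissionBackendException ignored) {
            // Deliberate deny-on-error; see the Javadoc above.
            return false;
        }
    }

    /**
     * Returns true if the rule's group applies to the user.
     *
     * @param permissionRule rule whose group is tested
     * @param z whether the user counts as the change owner; decides rules that target the
     *     {@code CHANGE_OWNER} system group
     */
    public boolean match(PermissionRule permissionRule, boolean z) {
        return match(permissionRule.getGroup().getUUID(), z);
    }

    /**
     * Returns true if the user may see every ref of the project.
     *
     * <p>Internal users always may. Otherwise READ must hold on all ref patterns that carry a
     * READ permission, except those listed in {@code set}. Originally package-private.
     *
     * @param set ref patterns whose lack of READ is tolerated
     */
    public boolean allRefsAreVisible(Set<String> set) {
        return this.user.isInternalUser() || canPerformOnAllRefs(Permission.READ, set);
    }

    /**
     * Returns true if the user belongs to at least one configured upload-pack group.
     * Originally private.
     */
    public boolean canRunUploadPack() {
        return matchesAny(this.uploadGroups);
    }

    /**
     * Returns true if the user belongs to at least one configured receive-pack group.
     * Originally private.
     */
    public boolean canRunReceivePack() {
        return matchesAny(this.receiveGroups);
    }

    /** Returns true if CREATE holds under any section, or the user is an administrator. */
    public boolean canAddRefs() {
        return canPerformOnAnyRef(Permission.CREATE) || isAdmin();
    }

    /** Returns true if CREATE holds under a tag section, or the user is an administrator. */
    public boolean canAddTagRefs() {
        return canPerformOnTagRef(Permission.CREATE) || isAdmin();
    }

    /**
     * Returns true if the user can PUSH under at least one change-upload section.
     *
     * <p>Only sections whose name starts with {@code MagicBranch.NEW_CHANGE} or with
     * {@code "^refs/for/"} are inspected, and the section must itself declare a PUSH permission.
     * Originally private.
     */
    public boolean canCreateChanges() {
        for (SectionMatcher matcher : access()) {
            AccessSection section = matcher.getSection();
            String sectionName = section.getName();
            if (!sectionName.startsWith(MagicBranch.NEW_CHANGE) && !sectionName.startsWith("^refs/for/")) {
                continue;
            }
            if (section.getPermission(Permission.PUSH) != null && controlForRef(sectionName).canPerform(Permission.PUSH)) {
                return true;
            }
        }
        return false;
    }

    /** Returns true if any of {@code groups} applies to the user. */
    private boolean matchesAny(Set<AccountGroup.UUID> groups) {
        for (AccountGroup.UUID uuid : groups) {
            if (match(uuid)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns true if the user's effective groups include any of the project's owner groups;
     * computed once and cached.
     */
    private boolean isDeclaredOwner() {
        if (this.declaredOwner == null) {
            this.declaredOwner = this.user.getEffectiveGroups().containsAnyOf(this.state.getAllOwners());
        }
        return this.declaredOwner;
    }

    /**
     * Returns true if the permission holds under a tag section.
     *
     * <p>Only sections whose name literally starts with {@code "refs/tags/"} or
     * {@code "^refs/tags/"} are considered; broader patterns are not inspected here.
     */
    private boolean canPerformOnTagRef(String permissionName) {
        for (SectionMatcher matcher : access()) {
            AccessSection section = matcher.getSection();
            String sectionName = section.getName();
            if (!sectionName.startsWith("refs/tags/") && !sectionName.startsWith("^refs/tags/")) {
                continue;
            }
            Permission permission = section.getPermission(permissionName);
            if (permission == null) {
                continue;
            }
            Boolean decided = canPerform(permissionName, section, permission);
            if (decided != null) {
                return decided;
            }
        }
        return false;
    }

    /**
     * Returns true if the permission holds under at least one access section.
     * Originally private.
     */
    public boolean canPerformOnAnyRef(String str) {
        for (SectionMatcher matcher : access()) {
            AccessSection section = matcher.getSection();
            Permission permission = section.getPermission(str);
            if (permission == null) {
                continue;
            }
            Boolean decided = canPerform(str, section, permission);
            if (decided != null) {
                return decided;
            }
        }
        return false;
    }

    /**
     * Tests one section's permission for the user.
     *
     * <p>The first rule that is neither block nor deny and whose group matches the user decides:
     * the section's {@link RefControl} is asked for the real answer, so a matching allow rule is
     * only a candidate and never a grant by itself. Later rules are not examined.
     *
     * @return {@code Boolean.TRUE} when granted, {@code null} when this section gives no grant;
     *     never {@code Boolean.FALSE}
     */
    private Boolean canPerform(String permissionName, AccessSection section, Permission permission) {
        for (PermissionRule rule : permission.getRules()) {
            if (rule.isBlock() || rule.isDeny() || !match(rule)) {
                continue;
            }
            return controlForRef(section.getName()).canPerform(permissionName) ? Boolean.TRUE : null;
        }
        return null;
    }

    /**
     * Returns true if the permission holds on every ref pattern that declares it.
     *
     * <p>Denied unless a section named {@code AccessSection.ALL} declares the permission. A
     * pattern that does not grant it makes the result false unless the pattern is in
     * {@code tolerated}; at least one pattern must actually grant it.
     */
    private boolean canPerformOnAllRefs(String permissionName, Set<String> tolerated) {
        boolean grantedSomewhere = false;
        Set<String> patterns = allRefPatterns(permissionName);
        if (patterns.contains(AccessSection.ALL)) {
            for (String pattern : patterns) {
                if (controlForRef(pattern).canPerform(permissionName)) {
                    grantedSomewhere = true;
                } else if (!tolerated.contains(pattern)) {
                    return false;
                }
            }
        }
        return grantedSomewhere;
    }

    /** Returns the names of all sections that declare {@code permissionName}. */
    private Set<String> allRefPatterns(String permissionName) {
        Set<String> patterns = new HashSet<>();
        for (SectionMatcher matcher : access()) {
            AccessSection section = matcher.getSection();
            if (section.getPermission(permissionName) != null) {
                patterns.add(section.getName());
            }
        }
        return patterns;
    }

    /** Returns the project's access sections, fetched from the project state once. */
    private List<SectionMatcher> access() {
        if (this.allSections == null) {
            this.allSections = this.state.getAllSections();
        }
        return this.allSections;
    }

    /** Returns true if the rule's group applies to the user, not treating them as change owner. */
    private boolean match(PermissionRule permissionRule) {
        return match(permissionRule.getGroup().getUUID());
    }

    /** Returns true if the group applies to the user, not treating them as change owner. */
    private boolean match(AccountGroup.UUID uuid) {
        return match(uuid, false);
    }

    /**
     * Returns true if the group applies to the user.
     *
     * <p>{@code PROJECT_OWNERS} resolves to declared ownership of this project,
     * {@code CHANGE_OWNER} resolves to {@code isChangeOwner}, and any other group is looked up in
     * the user's effective groups.
     */
    private boolean match(AccountGroup.UUID uuid, boolean isChangeOwner) {
        if (SystemGroupBackend.PROJECT_OWNERS.equals(uuid)) {
            return isDeclaredOwner();
        }
        if (SystemGroupBackend.CHANGE_OWNER.equals(uuid)) {
            return isChangeOwner;
        }
        return this.user.getEffectiveGroups().contains(uuid);
    }
}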
