package com.google.gerrit.server.account;

import com.google.common.flogger.FluentLogger;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.entities.GroupDescription;
import com.google.gerrit.exceptions.NoSuchGroupException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;

/* loaded from: input_file:com/google/gerrit/server/account/GroupControl.class */
public class GroupControl {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final CurrentUser user;
    private final GroupDescription.Basic group;
    private Boolean isOwner;
    private final PermissionBackend.WithUser perm;
    private final GroupBackend groupBackend;

    /* loaded from: input_file:com/google/gerrit/server/account/GroupControl$Factory.class */
    public static class Factory {
        private final PermissionBackend permissionBackend;
        private final Provider<CurrentUser> user;
        private final GroupBackend groupBackend;

        @Inject
        Factory(PermissionBackend permissionBackend, Provider<CurrentUser> provider, GroupBackend groupBackend) {
            this.permissionBackend = permissionBackend;
            this.user = provider;
            this.groupBackend = groupBackend;
        }

        public GroupControl controlFor(AccountGroup.UUID uuid) throws NoSuchGroupException {
            GroupDescription.Basic basic = this.groupBackend.get(uuid);
            if (basic == null) {
                throw new NoSuchGroupException(uuid);
            }
            return controlFor(basic);
        }

        public GroupControl controlFor(GroupDescription.Basic basic) {
            return new GroupControl(this.user.get(), basic, this.permissionBackend, this.groupBackend);
        }

        public GroupControl validateFor(AccountGroup.UUID uuid) throws NoSuchGroupException {
            GroupControl controlFor = controlFor(uuid);
            if (controlFor.isVisible()) {
                return controlFor;
            }
            throw new NoSuchGroupException(uuid);
        }
    }

    @Singleton
    /* loaded from: input_file:com/google/gerrit/server/account/GroupControl$GenericFactory.class */
    public static class GenericFactory {
        private final PermissionBackend permissionBackend;
        private final GroupBackend groupBackend;

        @Inject
        GenericFactory(PermissionBackend permissionBackend, GroupBackend groupBackend) {
            this.permissionBackend = permissionBackend;
            this.groupBackend = groupBackend;
        }

        public GroupControl controlFor(CurrentUser currentUser, AccountGroup.UUID uuid) throws NoSuchGroupException {
            GroupDescription.Basic basic = this.groupBackend.get(uuid);
            if (basic == null) {
                throw new NoSuchGroupException(uuid);
            }
            return new GroupControl(currentUser, basic, this.permissionBackend, this.groupBackend);
        }
    }

    GroupControl(CurrentUser currentUser, GroupDescription.Basic basic, PermissionBackend permissionBackend, GroupBackend groupBackend) {
        this.user = currentUser;
        this.group = basic;
        this.perm = permissionBackend.user(this.user);
        this.groupBackend = groupBackend;
    }

    public GroupDescription.Basic getGroup() {
        return this.group;
    }

    public CurrentUser getUser() {
        return this.user;
    }

    public boolean isVisible() {
        if (this.user.isInternalUser()) {
            logger.atFine().log("group %s is visible to internal user %s", this.group.getGroupUUID().get(), this.user.getLoggableName());
            return true;
        }
        if (this.groupBackend.isVisibleToAll(this.group.getGroupUUID())) {
            logger.atFine().log("group %s is visible to user %s (group is visible to all users)", this.group.getGroupUUID().get(), this.user.getLoggableName());
            return true;
        }
        if (this.user.getEffectiveGroups().contains(this.group.getGroupUUID())) {
            logger.atFine().log("group %s is visible to user %s (user is member of the group)", this.group.getGroupUUID().get(), this.user.getLoggableName());
            return true;
        }
        if (isOwner()) {
            logger.atFine().log("group %s is visible to user %s (user is owner of the group)", this.group.getGroupUUID().get(), this.user.getLoggableName());
            return true;
        }
        if (canAdministrateServer()) {
            logger.atFine().log("group %s is visible to user %s (user is admin)", this.group.getGroupUUID().get(), this.user.getLoggableName());
            return true;
        }
        logger.atFine().log("group %s is not visible to user %s", this.group.getGroupUUID().get(), this.user.getLoggableName());
        return false;
    }

    public boolean isOwner() {
        if (this.isOwner != null) {
            return this.isOwner.booleanValue();
        }
        if (this.group instanceof GroupDescription.Internal) {
            if (getUser().getEffectiveGroups().contains(((GroupDescription.Internal) this.group).getOwnerGroupUUID())) {
                logger.atFine().log("user %s is owner of group %s", this.user.getLoggableName(), this.group.getGroupUUID().get());
                this.isOwner = true;
            } else if (canAdministrateServer()) {
                logger.atFine().log("user %s is owner of group %s (user is admin)", this.user.getLoggableName(), this.group.getGroupUUID().get());
                this.isOwner = true;
            } else {
                logger.atFine().log("user %s is not an owner of group %s", this.user.getLoggableName(), this.group.getGroupUUID().get());
                this.isOwner = false;
            }
        } else {
            logger.atFine().log("user %s is not an owner of external group %s", this.user.getLoggableName(), this.group.getGroupUUID().get());
            this.isOwner = false;
        }
        return this.isOwner.booleanValue();
    }

    private boolean canAdministrateServer() {
        try {
            return this.perm.test(GlobalPermission.ADMINISTRATE_SERVER);
        } catch (PermissionBackendException e) {
            logger.atFine().log("Failed to check %s global capability for user %s", GlobalPermission.ADMINISTRATE_SERVER, this.user.getLoggableName());
            return false;
        }
    }

    public boolean canAddMember() {
        return isOwner();
    }

    public boolean canRemoveMember() {
        return isOwner();
    }

    public boolean canSeeMember(Account.Id id) {
        if (this.user.isIdentifiedUser() && this.user.getAccountId().equals(id)) {
            return true;
        }
        return canSeeMembers();
    }

    public boolean canAddGroup() {
        return isOwner();
    }

    public boolean canRemoveGroup() {
        return isOwner();
    }

    public boolean canSeeGroup() {
        return canSeeMembers();
    }

    private boolean canSeeMembers() {
        return this.group instanceof GroupDescription.Internal ? ((GroupDescription.Internal) this.group).isVisibleToAll() || isOwner() : canAdministrateServer();
    }
}
