package com.google.gerrit.server.permissions;

import com.google.auto.value.AutoValue;
import com.google.common.base.Preconditions;
import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.UnmodifiableIterator;
import com.google.common.flogger.FluentLogger;
import com.google.common.flogger.LazyArgs;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.entities.Change;
import com.google.gerrit.entities.RefNames;
import com.google.gerrit.metrics.Counter0;
import com.google.gerrit.metrics.Description;
import com.google.gerrit.metrics.MetricMaker;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.git.SearchingChangeCacheImpl;
import com.google.gerrit.server.git.TagCache;
import com.google.gerrit.server.git.TagMatcher;
import com.google.gerrit.server.logging.TraceContext;
import com.google.gerrit.server.notedb.ChangeNotes;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.project.ProjectState;
import com.google.gerrit.server.query.change.ChangeData;
import com.google.inject.Inject;
import com.google.inject.assistedinject.Assisted;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.eclipse.jgit.lib.Config;
import org.eclipse.jgit.lib.Ref;
import org.eclipse.jgit.lib.Repository;

/* loaded from: input_file:com/google/gerrit/server/permissions/DefaultRefFilter.class */
class DefaultRefFilter {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final TagCache tagCache;
    private final PermissionBackend permissionBackend;
    private final RefVisibilityControl refVisibilityControl;
    private final ProjectControl projectControl;
    private final CurrentUser user;
    private final ProjectState projectState;
    private final PermissionBackend.ForProject permissionBackendForProject;

    @Nullable
    private final SearchingChangeCacheImpl searchingChangeDataProvider;
    private final ChangeData.Factory changeDataFactory;
    private final ChangeNotes.Factory changeNotesFactory;
    private final Counter0 fullFilterCount;
    private final Counter0 skipFilterCount;
    private final boolean skipFullRefEvaluationIfAllRefsAreVisible;

    /* loaded from: input_file:com/google/gerrit/server/permissions/DefaultRefFilter$Factory.class */
    interface Factory {
        DefaultRefFilter create(ProjectControl projectControl);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @AutoValue
    /* loaded from: input_file:com/google/gerrit/server/permissions/DefaultRefFilter$Result.class */
    public static abstract class Result {
        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract ImmutableList<Ref> visibleRefs();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract ImmutableList<Ref> deferredTags();
    }

    @Inject
    DefaultRefFilter(TagCache tagCache, PermissionBackend permissionBackend, RefVisibilityControl refVisibilityControl, @GerritServerConfig Config config, MetricMaker metricMaker, @Nullable SearchingChangeCacheImpl searchingChangeCacheImpl, ChangeData.Factory factory, ChangeNotes.Factory factory2, @Assisted ProjectControl projectControl) {
        this.tagCache = tagCache;
        this.permissionBackend = permissionBackend;
        this.refVisibilityControl = refVisibilityControl;
        this.searchingChangeDataProvider = searchingChangeCacheImpl;
        this.changeDataFactory = factory;
        this.changeNotesFactory = factory2;
        this.skipFullRefEvaluationIfAllRefsAreVisible = config.getBoolean("auth", "skipFullRefEvaluationIfAllRefsAreVisible", true);
        this.projectControl = projectControl;
        this.user = projectControl.getUser();
        this.projectState = projectControl.getProjectState();
        this.permissionBackendForProject = permissionBackend.user(this.user).project(this.projectState.getNameKey());
        this.fullFilterCount = metricMaker.newCounter("permissions/ref_filter/full_filter_count", new Description("Rate of full ref filter operations").setRate());
        this.skipFilterCount = metricMaker.newCounter("permissions/ref_filter/skip_filter_count", new Description("Rate of ref filter operations where we skip full evaluation because the user can read all refs").setRate());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ImmutableList<Ref> filter(Collection<Ref> collection, Repository repository, PermissionBackend.RefFilterOptions refFilterOptions) throws PermissionBackendException {
        logger.atFinest().log("Filter refs for repository %s by visibility (options = %s, refs = %s)", this.projectState.getNameKey(), refFilterOptions, collection);
        logger.atFinest().log("Calling user: %s", this.user.getLoggableName());
        logger.atFinest().log("Groups: %s", LazyArgs.lazy(() -> {
            return this.user.getEffectiveGroups().getKnownGroups();
        }));
        logger.atFinest().log("auth.skipFullRefEvaluationIfAllRefsAreVisible = %s", Boolean.valueOf(this.skipFullRefEvaluationIfAllRefsAreVisible));
        logger.atFinest().log("Project state %s permits read = %s", this.projectState.getProject().getState(), this.projectState.statePermitsRead());
        Supplier<ImmutableMap<Change.Id, ChangeData>> memoize = Suppliers.memoize(() -> {
            return GitVisibleChangeFilter.getVisibleChanges(this.searchingChangeDataProvider, this.changeNotesFactory, this.changeDataFactory, this.projectState.getNameKey(), this.permissionBackendForProject, repository, changes(collection));
        });
        Result filterRefs = filterRefs(new ArrayList(collection), refFilterOptions, memoize);
        ImmutableList.Builder builder = ImmutableList.builder();
        builder.addAll((Iterable) filterRefs.visibleRefs());
        if (!filterRefs.deferredTags().isEmpty()) {
            TraceContext.TraceTimer newTimer = TraceContext.newTimer("Check visibility of deferred tags");
            try {
                Result filterRefs2 = filterRefs(getTaggableRefs(repository), refFilterOptions, memoize);
                Preconditions.checkState(filterRefs2.deferredTags().isEmpty(), "unexpected tags found when filtering refs/heads/* " + filterRefs2.deferredTags());
                TagMatcher matcher = this.tagCache.get(this.projectState.getNameKey()).matcher(this.tagCache, repository, filterRefs2.visibleRefs());
                UnmodifiableIterator<Ref> it = filterRefs.deferredTags().iterator();
                while (it.hasNext()) {
                    Ref next = it.next();
                    try {
                        if (matcher.isReachable(next)) {
                            logger.atFinest().log("Include reachable tag %s", next.getName());
                            builder.add((ImmutableList.Builder) next);
                        } else {
                            logger.atFinest().log("Filter out non-reachable tag %s", next.getName());
                        }
                    } catch (IOException e) {
                        throw new PermissionBackendException(e);
                    }
                }
                if (newTimer != null) {
                    newTimer.close();
                }
            } catch (Throwable th) {
                if (newTimer != null) {
                    try {
                        newTimer.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        ImmutableList<Ref> build = builder.build();
        logger.atFinest().log("visible refs = %s", build);
        return build;
    }

    Result filterRefs(List<Ref> list, PermissionBackend.RefFilterOptions refFilterOptions, Supplier<ImmutableMap<Change.Id, ChangeData>> supplier) throws PermissionBackendException {
        logger.atFinest().log("Filter refs (refs = %s)", list);
        if (!this.projectState.statePermitsRead()) {
            return new AutoValue_DefaultRefFilter_Result(ImmutableList.of(), ImmutableList.of());
        }
        boolean checkProjectPermission = checkProjectPermission(this.permissionBackendForProject, ProjectPermission.READ);
        logger.atFinest().log("User has READ on refs/* = %s", Boolean.valueOf(checkProjectPermission));
        if (this.skipFullRefEvaluationIfAllRefsAreVisible && !this.projectState.isAllUsers()) {
            if (checkProjectPermission) {
                this.skipFilterCount.increment();
                logger.atFinest().log("Fast path, all refs are visible because user has READ on refs/*: %s", list);
                return new AutoValue_DefaultRefFilter_Result(ImmutableList.copyOf((Collection) list), ImmutableList.of());
            }
            if (this.projectControl.allRefsAreVisible(ImmutableSet.of(RefNames.REFS_CONFIG))) {
                this.skipFilterCount.increment();
                List<Ref> fastHideRefsMetaConfig = fastHideRefsMetaConfig(list);
                logger.atFinest().log("Fast path, all refs except %s are visible: %s", RefNames.REFS_CONFIG, fastHideRefsMetaConfig);
                return new AutoValue_DefaultRefFilter_Result(ImmutableList.copyOf((Collection) fastHideRefsMetaConfig), ImmutableList.of());
            }
        }
        logger.atFinest().log("Doing full ref filtering");
        this.fullFilterCount.increment();
        boolean testOrFalse = this.permissionBackend.user(this.projectControl.getUser()).testOrFalse(GlobalPermission.ACCESS_DATABASE);
        ImmutableList.Builder builderWithExpectedSize = ImmutableList.builderWithExpectedSize(list.size());
        ImmutableList.Builder builder = ImmutableList.builder();
        for (Ref ref : list) {
            String name = ref.getName();
            if (refFilterOptions.filterMeta() && isMetadata(name)) {
                logger.atFinest().log("Filter out metadata ref %s", name);
            } else if (!isTag(ref)) {
                Change.Id fromRef = Change.Id.fromRef(name);
                if (fromRef != null) {
                    if (testOrFalse) {
                        builderWithExpectedSize.add((ImmutableList.Builder) ref);
                    } else if (!supplier.get().containsKey(fromRef)) {
                        logger.atFinest().log("Filter out invisible change ref %s", name);
                    } else if (!RefNames.isRefsEdit(name) || visibleEdit(name, supplier.get())) {
                        builderWithExpectedSize.add((ImmutableList.Builder) ref);
                    } else {
                        logger.atFinest().log("Filter out invisible change edit ref %s", name);
                    }
                } else if (this.refVisibilityControl.isVisible(this.projectControl, ref.getLeaf().getName())) {
                    builderWithExpectedSize.add((ImmutableList.Builder) ref);
                }
            } else if (checkProjectPermission) {
                logger.atFinest().log("Include tag ref %s because user has read on refs/*", name);
                builderWithExpectedSize.add((ImmutableList.Builder) ref);
            } else if (ref.getObjectId() != null) {
                logger.atFinest().log("Defer tag ref %s", name);
                builder.add((ImmutableList.Builder) ref);
            } else {
                logger.atFinest().log("Filter out tag ref %s that is not a tag", name);
            }
        }
        AutoValue_DefaultRefFilter_Result autoValue_DefaultRefFilter_Result = new AutoValue_DefaultRefFilter_Result(builderWithExpectedSize.build(), builder.build());
        logger.atFinest().log("Result of ref filtering = %s", autoValue_DefaultRefFilter_Result);
        return autoValue_DefaultRefFilter_Result;
    }

    private static List<Ref> getTaggableRefs(Repository repository) throws PermissionBackendException {
        try {
            return (List) repository.getRefDatabase().getRefs().stream().filter(ref -> {
                return (RefNames.isGerritRef(ref.getName()) || ref.getName().startsWith("refs/tags/") || ref.isSymbolic() || ref.getName().equals(RefNames.REFS_CONFIG)) ? false : true;
            }).collect(Collectors.toList());
        } catch (IOException e) {
            throw new PermissionBackendException(e);
        }
    }

    private static ImmutableSet<Change.Id> changes(Collection<Ref> collection) {
        return (ImmutableSet) collection.stream().map((v0) -> {
            return v0.getName();
        }).map(Change.Id::fromRef).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(ImmutableSet.toImmutableSet());
    }

    private List<Ref> fastHideRefsMetaConfig(List<Ref> list) throws PermissionBackendException {
        return !canReadRef(RefNames.REFS_CONFIG) ? (List) list.stream().filter(ref -> {
            return !ref.getName().equals(RefNames.REFS_CONFIG);
        }).collect(Collectors.toCollection(() -> {
            return new ArrayList(list.size());
        })) : list;
    }

    private boolean visibleEdit(String str, ImmutableMap<Change.Id, ChangeData> immutableMap) throws PermissionBackendException {
        Change.Id fromEditRefPart = Change.Id.fromEditRefPart(str);
        if (fromEditRefPart == null) {
            logger.atWarning().log("Couldn't extract change ID from edit ref %s", str);
            return false;
        }
        if (this.user.isIdentifiedUser() && str.startsWith(RefNames.refsEditPrefix(this.user.asIdentifiedUser().getAccountId())) && immutableMap.containsKey(fromEditRefPart)) {
            logger.atFinest().log("Own change edit ref is visible: %s", str);
            return true;
        }
        if (!immutableMap.containsKey(fromEditRefPart)) {
            logger.atFinest().log("Change %d of change edit ref %s is not visible", fromEditRefPart.get(), (Object) str);
            return false;
        }
        boolean test = this.permissionBackendForProject.ref(immutableMap.get(fromEditRefPart).change().getDest().branch()).test(RefPermission.READ_PRIVATE_CHANGES);
        logger.atFinest().log("Foreign change edit ref is " + (test ? "visible" : "invisible") + ": %s", str);
        return test;
    }

    private boolean isMetadata(String str) {
        boolean z = RefNames.isRefsChanges(str) || RefNames.isRefsEdit(str);
        logger.atFinest().log("ref %s is " + (z ? "" : "not ") + "a metadata ref", str);
        return z;
    }

    private static boolean isTag(Ref ref) {
        return ref.getLeaf().getName().startsWith("refs/tags/");
    }

    private boolean canReadRef(String str) throws PermissionBackendException {
        return this.permissionBackendForProject.ref(str).test(RefPermission.READ);
    }

    private boolean checkProjectPermission(PermissionBackend.ForProject forProject, ProjectPermission projectPermission) throws PermissionBackendException {
        return forProject.test(projectPermission);
    }
}
