package com.google.gerrit.server.restapi.project;

import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.BranchNameKey;
import com.google.gerrit.extensions.api.config.AccessCheckInfo;
import com.google.gerrit.extensions.api.config.AccessCheckInput;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.extensions.restapi.Response;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestReadView;
import com.google.gerrit.server.account.AccountResolver;
import com.google.gerrit.server.git.GitRepositoryManager;
import com.google.gerrit.server.logging.TraceContext;
import com.google.gerrit.server.permissions.DefaultPermissionMappings;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.ProjectPermission;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gerrit.server.project.ProjectResource;
import com.google.inject.Inject;
import java.io.IOException;
import java.util.Optional;
import org.eclipse.jgit.errors.ConfigInvalidException;
import org.eclipse.jgit.lib.Repository;
import org.kohsuke.args4j.Option;

/* loaded from: input_file:com/google/gerrit/server/restapi/project/CheckAccess.class */
public class CheckAccess implements RestReadView<ProjectResource> {
    private final AccountResolver accountResolver;
    private final PermissionBackend permissionBackend;
    private final GitRepositoryManager gitRepositoryManager;

    @Option(name = "--ref", usage = "ref name to check permission for")
    String refName;

    @Option(name = "--account", usage = "account to check acccess for")
    String account;

    @Option(name = "--perm", usage = "permission to check; default: read of any ref.")
    String permission;

    @Inject
    CheckAccess(AccountResolver accountResolver, PermissionBackend permissionBackend, GitRepositoryManager gitRepositoryManager) {
        this.accountResolver = accountResolver;
        this.permissionBackend = permissionBackend;
        this.gitRepositoryManager = gitRepositoryManager;
    }

    public Response<AccessCheckInfo> apply(ProjectResource projectResource, AccessCheckInput accessCheckInput) throws PermissionBackendException, RestApiException, IOException, ConfigInvalidException {
        RefPermission refPermission;
        this.permissionBackend.user(projectResource.getUser()).check(GlobalPermission.VIEW_ACCESS);
        projectResource.getProjectState().checkStatePermitsRead();
        if (accessCheckInput == null) {
            throw new BadRequestException("input is required");
        }
        if (Strings.isNullOrEmpty(accessCheckInput.account)) {
            throw new BadRequestException("input requires 'account'");
        }
        TraceContext open = TraceContext.open();
        try {
            open.enableAclLogging();
            Account.Id id = this.accountResolver.resolve(accessCheckInput.account).asUnique().account().id();
            try {
                this.permissionBackend.absentUser(id).project(projectResource.getNameKey()).check(ProjectPermission.ACCESS);
                if (Strings.isNullOrEmpty(accessCheckInput.permission)) {
                    refPermission = RefPermission.READ;
                } else {
                    if (Strings.isNullOrEmpty(accessCheckInput.ref)) {
                        throw new BadRequestException("must set 'ref' when specifying 'permission'");
                    }
                    Optional<RefPermission> refPermission2 = DefaultPermissionMappings.refPermission(accessCheckInput.permission);
                    if (!refPermission2.isPresent()) {
                        throw new BadRequestException(String.format("'%s' is not recognized as ref permission", accessCheckInput.permission));
                    }
                    refPermission = refPermission2.get();
                }
                String str = null;
                if (Strings.isNullOrEmpty(accessCheckInput.ref)) {
                    Repository openRepository = this.gitRepositoryManager.openRepository(projectResource.getNameKey());
                    try {
                        if (openRepository.getRefDatabase().getRefsByPrefix("refs/heads/").isEmpty()) {
                            str = "access is OK, but repository has no branches under refs/heads/";
                        }
                        if (openRepository != null) {
                            openRepository.close();
                        }
                    } finally {
                    }
                } else {
                    try {
                        this.permissionBackend.absentUser(id).ref(BranchNameKey.create(projectResource.getNameKey(), accessCheckInput.ref)).check(refPermission);
                    } catch (AuthException e) {
                        Response<AccessCheckInfo> ok = Response.ok(createInfo(403, String.format("user %s lacks permission %s for %s in project %s", id, accessCheckInput.permission, accessCheckInput.ref, projectResource.getName())));
                        if (open != null) {
                            open.close();
                        }
                        return ok;
                    }
                }
                Response<AccessCheckInfo> ok2 = Response.ok(createInfo(200, str));
                if (open != null) {
                    open.close();
                }
                return ok2;
            } catch (AuthException e2) {
                Response<AccessCheckInfo> ok3 = Response.ok(createInfo(403, String.format("user %s cannot see project %s", id, projectResource.getName())));
                if (open != null) {
                    open.close();
                }
                return ok3;
            }
        } catch (Throwable th) {
            if (open != null) {
                try {
                    open.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private AccessCheckInfo createInfo(int i, String str) {
        AccessCheckInfo accessCheckInfo = new AccessCheckInfo();
        accessCheckInfo.status = i;
        accessCheckInfo.message = str;
        accessCheckInfo.debugLogs = TraceContext.getAclLogRecords();
        if (accessCheckInfo.debugLogs.isEmpty()) {
            accessCheckInfo.debugLogs = ImmutableList.of("Found no rules that apply, so defaulting to no permission");
        }
        return accessCheckInfo;
    }

    @Override // com.google.gerrit.extensions.restapi.RestReadView
    public Response<AccessCheckInfo> apply(ProjectResource projectResource) throws PermissionBackendException, RestApiException, IOException, ConfigInvalidException {
        AccessCheckInput accessCheckInput = new AccessCheckInput();
        accessCheckInput.ref = this.refName;
        accessCheckInput.account = this.account;
        accessCheckInput.permission = this.permission;
        return apply(projectResource, accessCheckInput);
    }
}
