package com.atlassian.confluence.api.impl.service.permissions;

import com.atlassian.annotations.VisibleForTesting;
import com.atlassian.confluence.api.impl.service.content.factory.PersonFactory;
import com.atlassian.confluence.api.model.people.Person;
import com.atlassian.confluence.api.model.permissions.Operation;
import com.atlassian.confluence.api.model.permissions.OperationCheckResult;
import com.atlassian.confluence.api.model.permissions.OperationDescription;
import com.atlassian.confluence.api.model.permissions.OperationKey;
import com.atlassian.confluence.api.model.permissions.Target;
import com.atlassian.confluence.api.model.permissions.TargetType;
import com.atlassian.confluence.api.model.permissions.spi.OperationCheck;
import com.atlassian.confluence.api.model.permissions.spi.OperationDelegate;
import com.atlassian.confluence.api.model.permissions.spi.UnsupportedTargetException;
import com.atlassian.confluence.api.model.validation.SimpleValidationResults;
import com.atlassian.confluence.api.model.validation.ValidationResult;
import com.atlassian.confluence.api.service.exceptions.BadRequestException;
import com.atlassian.confluence.api.service.exceptions.NotFoundException;
import com.atlassian.confluence.api.service.permissions.OperationService;
import com.atlassian.confluence.content.render.xhtml.storage.link.StorageLinkConstants;
import com.atlassian.confluence.internal.accessmode.AccessModeManager;
import com.atlassian.confluence.internal.security.ThreadLocalPermissionsCacheInternal;
import com.atlassian.confluence.internal.user.UserAccessorInternal;
import com.atlassian.confluence.security.PermissionCheckExemptions;
import com.atlassian.fugue.Either;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.ParametersAreNonnullByDefault;

@ParametersAreNonnullByDefault
/* loaded from: input_file:com/atlassian/confluence/api/impl/service/permissions/OperationServiceImpl.class */
public class OperationServiceImpl implements OperationService {
    private final Map<TargetType, OperationDelegate> operationDelegates;
    private final PersonFactory personFactory;
    private final UserAccessorInternal userAccessor;
    private PermissionCheckExemptions permissionCheckExemptions;
    private final AccessModeManager accessModeManager;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/confluence/api/impl/service/permissions/OperationServiceImpl$CategorizedResult.class */
    public static class CategorizedResult {
        private final OperationCheck operationCheck;
        private final ResultCategory resultCategory;

        private CategorizedResult(OperationCheck operationCheck, ResultCategory resultCategory) {
            this.operationCheck = operationCheck;
            this.resultCategory = resultCategory;
        }

        public static CategorizedResult of(OperationCheck operationCheck, ValidationResult validationResult) {
            return new CategorizedResult(operationCheck, ResultCategory.valueOf(validationResult));
        }

        static CategorizedResult unsupportedTarget(OperationCheck operationCheck) {
            return new CategorizedResult(operationCheck, ResultCategory.UNSUPPORTED_TARGET);
        }

        @Nonnull
        OperationCheck getOperationCheck() {
            return this.operationCheck;
        }

        @Nonnull
        ResultCategory getResultCategory() {
            return this.resultCategory;
        }

        public String toString() {
            return MoreObjects.toStringHelper(this).add("operation", this.operationCheck.getOperationKey()).add("category", this.resultCategory).toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/confluence/api/impl/service/permissions/OperationServiceImpl$CategoryPredicate.class */
    public static class CategoryPredicate implements Predicate<CategorizedResult> {
        private final ResultCategory resultCategory;
        static final /* synthetic */ boolean $assertionsDisabled;

        CategoryPredicate(ResultCategory resultCategory) {
            this.resultCategory = resultCategory;
        }

        public boolean apply(@Nullable CategorizedResult categorizedResult) {
            if ($assertionsDisabled || categorizedResult != null) {
                return categorizedResult.getResultCategory() == this.resultCategory;
            }
            throw new AssertionError();
        }

        static {
            $assertionsDisabled = !OperationServiceImpl.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/confluence/api/impl/service/permissions/OperationServiceImpl$ResultCategory.class */
    public enum ResultCategory {
        PERMITTED,
        NOT_PERMITTED_BUT_TARGET_VISIBLE,
        NOT_FOUND,
        UNSUPPORTED_TARGET;

        public static ResultCategory valueOf(ValidationResult validationResult) {
            try {
                validationResult.throwIfNotSuccessful((String) null);
                return PERMITTED;
            } catch (RuntimeException e) {
                return NOT_PERMITTED_BUT_TARGET_VISIBLE;
            } catch (NotFoundException e2) {
                return NOT_FOUND;
            }
        }
    }

    public OperationServiceImpl(Map<TargetType, OperationDelegate> map, PersonFactory personFactory, UserAccessorInternal userAccessorInternal, PermissionCheckExemptions permissionCheckExemptions, AccessModeManager accessModeManager) {
        this.permissionCheckExemptions = permissionCheckExemptions;
        this.operationDelegates = ImmutableMap.copyOf(map);
        this.personFactory = personFactory;
        this.userAccessor = userAccessorInternal;
        this.accessModeManager = accessModeManager;
    }

    @Nonnull
    public List<OperationDescription> getAllOperationsForType(TargetType targetType) {
        throwBadRequestIfNull(targetType, "targetType");
        return makeOperationDescriptions(getAllOperationChecksForType(targetType), targetType);
    }

    @Nonnull
    public List<OperationCheckResult> getAvailableOperations(Person person, Target target) {
        throwBadRequestIfNull(person, "person");
        throwBadRequestIfNull(target, StorageLinkConstants.TARGET_ATTRIBUTE_NAME);
        TargetType targetType = target.getTargetType();
        boolean isExempt = isExempt(person);
        Iterable iterable = (Iterable) getAllOperationChecksForType(targetType).stream().map(operationCheck -> {
            OperationKey operationKey = operationCheck.getOperationKey();
            try {
                return CategorizedResult.of(operationCheck, !operationAllowedInReadOnlyAccessMode(operationKey) ? SimpleValidationResults.forbiddenResult("Operation " + operationKey + " is not allowed in read only access mode", new Object[0]) : isExempt ? operationCheck.canPerformAccordingToState(person, target) : operationCheck.canPerform(person, target));
            } catch (UnsupportedTargetException e) {
                return CategorizedResult.unsupportedTarget(operationCheck);
            }
        }).collect(Collectors.toList());
        Iterable<CategorizedResult> filter = Iterables.filter(iterable, new CategoryPredicate(ResultCategory.PERMITTED));
        if (!Iterables.isEmpty(filter)) {
            return makeOperationCheckResults(filter, target);
        }
        if (Iterables.isEmpty(Iterables.filter(iterable, new CategoryPredicate(ResultCategory.NOT_PERMITTED_BUT_TARGET_VISIBLE)))) {
            throw new NotFoundException("Target does not exist: " + target);
        }
        return ImmutableList.of();
    }

    @Nonnull
    public List<OperationCheckResult> getAvailableOperations(Target target) {
        throwBadRequestIfNull(target, StorageLinkConstants.TARGET_ATTRIBUTE_NAME);
        return getAvailableOperations(getCurrentUserAsPerson(), target);
    }

    @Nonnull
    public final ValidationResult canPerform(Person person, Operation operation, Target target) {
        throwBadRequestIfNull(person, "person");
        return isExempt(person) ? canPerformAccordingToFunction(person, operation, Collections.singleton(target), operationCheck -> {
            operationCheck.getClass();
            return operationCheck::canPerformAccordingToState;
        }).get(target) : canPerformAccordingToFunction(person, operation, Collections.singleton(target), operationCheck2 -> {
            operationCheck2.getClass();
            return operationCheck2::canPerform;
        }).get(target);
    }

    @Nonnull
    public ValidationResult canPerformWithoutExemptions(Person person, Operation operation, Target target) {
        return canPerformAccordingToFunction(person, operation, Collections.singleton(target), operationCheck -> {
            operationCheck.getClass();
            return operationCheck::canPerform;
        }).get(target);
    }

    @Nonnull
    private Map<Target, ValidationResult> canPerformAccordingToFunction(Person person, Operation operation, Iterable<Target> iterable, Function<OperationCheck, BiFunction<Person, Iterable<Target>, Map<Target, ValidationResult>>> function) {
        throwBadRequestIfNull(person, "person");
        throwBadRequestIfNull(operation, "operation");
        throwBadRequestIfNull(iterable, "targets");
        Iterable<Target> sanitiseTargetIterable = sanitiseTargetIterable(iterable);
        OperationKey operationKey = operation.getOperationKey();
        if (operationAllowedInReadOnlyAccessMode(operationKey)) {
            Either callOperationCheck = callOperationCheck(((Target) Iterables.getFirst(sanitiseTargetIterable, (Object) null)).getTargetType(), operation, operationCheck -> {
                try {
                    return (Map) ((BiFunction) function.apply(operationCheck)).apply(person, sanitiseTargetIterable);
                } catch (UnsupportedTargetException e) {
                    throw new BadRequestException(e.getMessage());
                }
            });
            return (Map) callOperationCheck.right().on(validationResult -> {
                ValidationResult validationResult = (ValidationResult) callOperationCheck.left().get();
                ImmutableMap.Builder builder = ImmutableMap.builder();
                Iterator it = sanitiseTargetIterable.iterator();
                while (it.hasNext()) {
                    builder.put((Target) it.next(), validationResult);
                }
                return builder.build();
            });
        }
        ValidationResult forbiddenResult = SimpleValidationResults.forbiddenResult("Operation " + operationKey + " is not allowed in read only access mode.", new Object[0]);
        ImmutableMap.Builder builder = ImmutableMap.builder();
        Iterator<Target> it = sanitiseTargetIterable.iterator();
        while (it.hasNext()) {
            builder.put(it.next(), forbiddenResult);
        }
        return builder.build();
    }

    @Nonnull
    public final Map<Target, ValidationResult> canPerform(Person person, Operation operation, Iterable<Target> iterable) {
        throwBadRequestIfNull(person, "person");
        return isExempt(person) ? canPerformAccordingToFunction(person, operation, iterable, operationCheck -> {
            operationCheck.getClass();
            return operationCheck::canPerformAccordingToState;
        }) : canPerformAccordingToFunction(person, operation, iterable, operationCheck2 -> {
            operationCheck2.getClass();
            return operationCheck2::canPerform;
        });
    }

    private Iterable<Target> sanitiseTargetIterable(Iterable<Target> iterable) {
        throwBadRequestIfNull(iterable, "targets");
        if (Iterables.isEmpty(iterable)) {
            throw new BadRequestException("At least one target must be supplied");
        }
        TargetType targetType = ((Target) throwBadRequestIfNull(Iterables.getFirst(iterable, (Object) null), "targets")).getTargetType();
        for (Target target : Iterables.skip(iterable, 1)) {
            throwBadRequestIfNull(target, "items in target list");
            if (!targetType.equals(target.getTargetType())) {
                throw new BadRequestException("Targets of differing TargetTypes (" + targetType + ", " + target.getTargetType() + "). First that was different: " + target);
            }
        }
        return ImmutableSet.copyOf(iterable);
    }

    @Nonnull
    public Map<Target, ValidationResult> canPerformWithoutExemptions(Person person, Operation operation, Iterable<Target> iterable) {
        return canPerformAccordingToFunction(person, operation, iterable, operationCheck -> {
            operationCheck.getClass();
            return operationCheck::canPerform;
        });
    }

    public <T> T withExemption(Supplier<T> supplier) {
        if (ThreadLocalPermissionsCacheInternal.hasTemporaryPermissionExemption()) {
            return supplier.get();
        }
        ThreadLocalPermissionsCacheInternal.enableTemporaryPermissionExemption();
        try {
            T t = supplier.get();
            ThreadLocalPermissionsCacheInternal.disableTemporaryPermissionExemption();
            return t;
        } catch (Throwable th) {
            ThreadLocalPermissionsCacheInternal.disableTemporaryPermissionExemption();
            throw th;
        }
    }

    private boolean isExempt(Person person) {
        return this.permissionCheckExemptions.isExempt(this.userAccessor.getExistingUserByPerson(person));
    }

    @Nonnull
    private List<OperationCheck> getAllOperationChecksForType(@Nonnull TargetType targetType) {
        Either map = getOperationDelegate(targetType).map(operationDelegate -> {
            List allOperations = operationDelegate.getAllOperations();
            Preconditions.checkState((allOperations == null || allOperations.isEmpty()) ? false : true, "%s for %s %s provides no operations", new Object[]{operationDelegate.getClass().getName(), TargetType.class.getSimpleName(), targetType});
            return allOperations;
        });
        if (map.isRight()) {
            return (List) map.right().get();
        }
        throw ((ValidationResult) map.left().get()).throwIfInvalid((String) null);
    }

    @Nonnull
    private List<OperationDescription> makeOperationDescriptions(Iterable<OperationCheck> iterable, TargetType targetType) {
        return ImmutableList.builder().addAll((Iterable) StreamSupport.stream(iterable.spliterator(), false).map(operationCheck -> {
            return OperationDescription.builder().operationKey(operationCheck.getOperationKey()).targetType(targetType).build();
        }).collect(Collectors.toList())).build();
    }

    @Nonnull
    private List<OperationCheckResult> makeOperationCheckResults(Iterable<CategorizedResult> iterable, Target target) {
        return ImmutableList.builder().addAll((Iterable) StreamSupport.stream(iterable.spliterator(), false).map(categorizedResult -> {
            return OperationCheckResult.builder().operationKey(categorizedResult.getOperationCheck().getOperationKey()).targetType(target.getTargetType()).build();
        }).collect(Collectors.toList())).build();
    }

    private Either<ValidationResult, OperationDelegate> getOperationDelegate(TargetType targetType) {
        OperationDelegate operationDelegate = this.operationDelegates.get(targetType);
        return operationDelegate == null ? TargetType.BUILT_IN.contains(targetType) ? Either.left(SimpleValidationResults.notImplementedResult("No " + OperationDelegate.class.getSimpleName() + " is implemented yet for " + TargetType.class.getSimpleName() + " " + targetType, new Object[0])) : Either.left(SimpleValidationResults.forbiddenResult("No " + OperationDelegate.class.getSimpleName() + " is currently installed to support " + TargetType.class.getSimpleName() + " " + targetType, new Object[0])) : Either.right(operationDelegate);
    }

    @Nonnull
    private <T> Either<ValidationResult, T> callOperationCheck(TargetType targetType, Operation operation, com.google.common.base.Function<OperationCheck, T> function) {
        return getOperationDelegate(targetType).flatMap(operationDelegate -> {
            OperationKey operationKey = operation.getOperationKey();
            OperationCheck operation2 = operationDelegate.getOperation(operationKey);
            return operation2 == null ? Either.left(SimpleValidationResults.notFoundResult(OperationDelegate.class.getSimpleName() + " does not support operation " + operationKey, new Object[0])) : Either.right(function.apply(operation2));
        });
    }

    private static <T> T throwBadRequestIfNull(@Nullable T t, String str) {
        if (t == null) {
            throw new BadRequestException(str + " must not be null");
        }
        return t;
    }

    private Person getCurrentUserAsPerson() {
        return this.personFactory.forCurrentUser();
    }

    @VisibleForTesting
    boolean operationAllowedInReadOnlyAccessMode(OperationKey operationKey) {
        return !this.accessModeManager.shouldEnforceReadOnlyAccess() || OperationKey.READ_ONLY_WHITELIST.contains(operationKey);
    }
}
