package com.atlassian.confluence.api.impl.service.permissions;

import com.atlassian.confluence.api.model.content.Content;
import com.atlassian.confluence.api.model.content.id.ContentId;
import com.atlassian.confluence.api.model.messages.SimpleMessage;
import com.atlassian.confluence.api.model.pagination.PageResponse;
import com.atlassian.confluence.api.model.people.Anonymous;
import com.atlassian.confluence.api.model.people.Group;
import com.atlassian.confluence.api.model.people.Subject;
import com.atlassian.confluence.api.model.people.SubjectType;
import com.atlassian.confluence.api.model.people.User;
import com.atlassian.confluence.api.model.permissions.ContentRestriction;
import com.atlassian.confluence.api.model.permissions.OperationKey;
import com.atlassian.confluence.api.model.validation.ServiceExceptionSupplier;
import com.atlassian.confluence.api.model.validation.SimpleValidationResult;
import com.atlassian.confluence.api.model.validation.ValidationResult;
import com.atlassian.confluence.api.service.permissions.ContentRestrictionService;
import com.atlassian.confluence.core.ContentEntityObject;
import com.atlassian.confluence.internal.ContentEntityManagerInternal;
import com.atlassian.confluence.internal.user.UserAccessorInternal;
import com.atlassian.confluence.security.Permission;
import com.atlassian.confluence.security.PermissionManager;
import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
import com.atlassian.confluence.user.ConfluenceUser;
import com.atlassian.fugue.Option;
import com.atlassian.user.GroupManager;
import com.google.common.collect.Lists;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:com/atlassian/confluence/api/impl/service/permissions/DefaultContentRestrictionServiceValidator.class */
public class DefaultContentRestrictionServiceValidator implements ContentRestrictionService.Validator {
    private final ContentEntityManagerInternal contentEntityManager;
    private final PermissionManager permissionManager;
    private final UserAccessorInternal userAccessorInternal;
    private final GroupManager groupManager;

    public DefaultContentRestrictionServiceValidator(ContentEntityManagerInternal contentEntityManagerInternal, PermissionManager permissionManager, UserAccessorInternal userAccessorInternal, GroupManager groupManager) {
        this.contentEntityManager = contentEntityManagerInternal;
        this.permissionManager = permissionManager;
        this.userAccessorInternal = userAccessorInternal;
        this.groupManager = groupManager;
    }

    ValidationResult validateContentExistsAndAccessibleByCurrentUser(ContentId contentId) {
        ContentEntityObject byId = this.contentEntityManager.getById(contentId);
        return byId != null ? validateUserCanViewContent(AuthenticatedUserThreadLocal.get(), byId) : SimpleValidationResult.builder().addMessage(SimpleMessage.withTranslation(String.format("No content with id <%s> can be found", contentId))).addExceptionSupplier(ServiceExceptionSupplier.notFoundException()).build();
    }

    ValidationResult validateUserCanViewContent(@Nullable ConfluenceUser confluenceUser, ContentEntityObject contentEntityObject) {
        return !this.permissionManager.hasPermission(confluenceUser, Permission.VIEW, contentEntityObject) ? SimpleValidationResult.builder().addMessage(SimpleMessage.withTranslation(String.format("No content with id <%s> can be found", contentEntityObject.getContentId()))).addExceptionSupplier(ServiceExceptionSupplier.notFoundException()).build() : SimpleValidationResult.VALID;
    }

    ValidationResult validateInputContentRestrictionsBeforeUpdate(ContentId contentId, Collection<? extends ContentRestriction> collection) {
        SimpleValidationResult.Builder authorized = SimpleValidationResult.builder().authorized(true);
        if (collection == null || collection.isEmpty()) {
            return authorized.addMessage(SimpleMessage.withTranslation("No ContentRestrictions provided. Must pass proper restrictions in order to set them")).build();
        }
        HashSet hashSet = new HashSet();
        for (ContentRestriction contentRestriction : collection) {
            if (contentRestriction == null) {
                return authorized.addMessage(SimpleMessage.withTranslation("null-length/empty ContentRestrictions are not allowed")).build();
            }
            ValidationResult validateOperationKey = validateOperationKey(contentRestriction.getOperation());
            if (validateOperationKey.isNotSuccessful()) {
                return validateOperationKey;
            }
            Option<String> determinePermissionType = ContentRestrictionFactory.determinePermissionType(contentRestriction.getOperation());
            ValidationResult validatePermissionType = validatePermissionType(determinePermissionType);
            if (validatePermissionType.isNotSuccessful()) {
                return validatePermissionType;
            }
            if (hashSet.contains(determinePermissionType.get())) {
                return authorized.addMessage(SimpleMessage.withTranslation(String.format("duplicate operation: <%s>. Please provide exactly 1 (one) ContentRestriction object for each \"operation\"", contentRestriction.getOperation()))).build();
            }
            hashSet.add(determinePermissionType.get());
            if (contentRestriction.getContent() != null && contentRestriction.getContent().existsAndExpanded()) {
                ContentId id = ((Content) contentRestriction.getContent().get()).getId();
                if (!contentId.equals(id)) {
                    return authorized.addMessage(SimpleMessage.withTranslation(String.format("Attempt to change restrictions for contentId %1$s using service call for for contentId %2$s", id, contentId))).build();
                }
            }
            ValidationResult validateRestrictionsMap = validateRestrictionsMap(contentRestriction.getRestrictions());
            if (validateRestrictionsMap.isNotSuccessful()) {
                return validateRestrictionsMap;
            }
        }
        return SimpleValidationResult.VALID;
    }

    ValidationResult validateOperationKey(OperationKey operationKey) {
        SimpleValidationResult.Builder authorized = SimpleValidationResult.builder().authorized(true);
        return (operationKey == null || StringUtils.isBlank(operationKey.getValue())) ? authorized.addMessage(SimpleMessage.withTranslation("null-length/empty \"operation\" fields are not allowed")).build() : !ContentRestrictionFactory.getSupportedOperationKeys().contains(operationKey) ? authorized.addMessage(SimpleMessage.withTranslation(String.format("unsupported operation type: <%1$s>. Please use one of: %2$s", operationKey, ContentRestrictionFactory.getSupportedOperationKeys()))).build() : SimpleValidationResult.VALID;
    }

    ValidationResult validatePermissionType(Option<String> option) {
        return (option == null || option.isEmpty() || StringUtils.isBlank((CharSequence) option.get())) ? SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation("Could not identify proper permission type for the restriction.")).build() : SimpleValidationResult.VALID;
    }

    ValidationResult validateRestrictionsMap(@Nullable Map<SubjectType, PageResponse<Subject>> map) {
        SimpleValidationResult.Builder authorized = SimpleValidationResult.builder().authorized(true);
        if (map == null || map.isEmpty()) {
            return authorized.addMessage(SimpleMessage.withTranslation("ContentRestriction must have valid non empty map of subject types to restriction subjects specified")).build();
        }
        Set set = (Set) map.keySet().stream().filter(subjectType -> {
            return !SubjectType.VALUES.contains(subjectType);
        }).collect(Collectors.toSet());
        if (!set.isEmpty()) {
            return authorized.addMessage(SimpleMessage.withTranslation(String.format("Unsupported restriction SubjectType(s): <%1$s>. Please use one of: %2$s", set, SubjectType.VALUES))).build();
        }
        if (map.keySet().size() - set.size() < 1) {
            return authorized.addMessage(SimpleMessage.withTranslation(String.format("None of the supported restriction SubjectType(s) found. Please use one of: %s", SubjectType.VALUES))).build();
        }
        for (Map.Entry<SubjectType, PageResponse<Subject>> entry : map.entrySet()) {
            PageResponse<Subject> value = entry.getValue();
            if (value == null || value.getResults() == null) {
                return authorized.addMessage(SimpleMessage.withTranslation(String.format("Please provide valid PageResponse/List of Subjects for the SubjectType: <%s>", entry.getKey()))).build();
            }
            ValidationResult validateSubjectsExistStrictType = validateSubjectsExistStrictType(entry.getKey(), entry.getValue().getResults());
            if (validateSubjectsExistStrictType.isNotSuccessful()) {
                return validateSubjectsExistStrictType;
            }
        }
        return SimpleValidationResult.VALID;
    }

    private ValidationResult validateSubjectsExistStrictType(SubjectType subjectType, Collection<? extends Subject> collection) {
        if (SubjectType.USER.equals(subjectType)) {
            ValidationResult validateUsersExist = validateUsersExist(collection);
            if (validateUsersExist.isNotSuccessful()) {
                return validateUsersExist;
            }
        } else {
            if (!SubjectType.GROUP.equals(subjectType)) {
                return SimpleValidationResult.builder().addMessage(SimpleMessage.withTranslation("Checking restrictions only supported for User(s) and Group(s), whereas <" + subjectType + "> was provided")).build();
            }
            ValidationResult validateGroupsExist = validateGroupsExist(collection);
            if (validateGroupsExist.isNotSuccessful()) {
                return validateGroupsExist;
            }
        }
        return SimpleValidationResult.VALID;
    }

    private ValidationResult validateSubjectsExist(Collection<? extends Subject> collection) {
        for (Map.Entry entry : ((Map) ((Collection) Optional.ofNullable(collection).orElse(Collections.emptySet())).stream().distinct().collect(Collectors.groupingBy((v0) -> {
            return v0.getSubjectType();
        }))).entrySet()) {
            ValidationResult validateSubjectsExistStrictType = validateSubjectsExistStrictType((SubjectType) entry.getKey(), (Collection) entry.getValue());
            if (validateSubjectsExistStrictType.isNotSuccessful()) {
                return validateSubjectsExistStrictType;
            }
        }
        return SimpleValidationResult.VALID;
    }

    private ValidationResult validateUsersExist(@Nonnull Collection<? extends Subject> collection) {
        Iterator<? extends Subject> it = collection.iterator();
        while (it.hasNext()) {
            User user = (Subject) it.next();
            if (user == null) {
                return SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation("User cannot be <null>/empty/unspecified")).build();
            }
            if (user instanceof Anonymous) {
                return SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation("Anonymous user is not allowed in ContentRestrictions API")).build();
            }
            if (!(user instanceof User)) {
                return SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation(String.format("Subject <%s> is not a User. Please specify valid users under the \"user\" mapping part", user))).build();
            }
            User user2 = user;
            Option<ConfluenceUser> none = Option.none();
            String str = "";
            try {
                none = this.userAccessorInternal.getExistingByApiUser(user2);
            } catch (Exception e) {
                str = str + e.getMessage();
            }
            if (none.isEmpty() || none.getOrNull() == null) {
                SimpleValidationResult.Builder addMessage = SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation(String.format("Subject <%s> is not a valid existing user", user2)));
                if (StringUtils.isNotBlank(str)) {
                    addMessage.addMessage(SimpleMessage.withTranslation(str)).build();
                }
                return addMessage.build();
            }
        }
        return SimpleValidationResult.VALID;
    }

    private ValidationResult validateGroupsExist(@Nonnull Collection<? extends Subject> collection) {
        Iterator<? extends Subject> it = collection.iterator();
        while (it.hasNext()) {
            Group group = (Subject) it.next();
            if (group == null) {
                return SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation("Group cannot be <null>/empty/unspecified")).build();
            }
            if (!(group instanceof Group)) {
                return SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation(String.format("Subject <%s> is not a Group. Please specify valid groups under the \"groups\" mapping part", group))).build();
            }
            Group group2 = group;
            Option none = Option.none();
            String str = "";
            try {
                none = Option.option(this.groupManager.getGroup(group2.getName()));
            } catch (Exception e) {
                str = str + e.getMessage();
            }
            if (none.isEmpty() || none.getOrNull() == null) {
                SimpleValidationResult.Builder addMessage = SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation(String.format("Subject <%s> is not a valid existing group", group2)));
                if (StringUtils.isNotBlank(str)) {
                    addMessage.addMessage(SimpleMessage.withTranslation(str)).build();
                }
                return addMessage.build();
            }
        }
        return SimpleValidationResult.VALID;
    }

    ValidationResult validateUserCanAlterRestrictions(ConfluenceUser confluenceUser, ContentEntityObject contentEntityObject) {
        ValidationResult validateContentVersionIsOkForRestrictionsOperations = validateContentVersionIsOkForRestrictionsOperations(contentEntityObject);
        if (validateContentVersionIsOkForRestrictionsOperations.isNotSuccessful()) {
            return validateContentVersionIsOkForRestrictionsOperations;
        }
        ValidationResult validateUserCanAlterRestrictionsOnLatestVersion = validateUserCanAlterRestrictionsOnLatestVersion(confluenceUser, contentEntityObject);
        return validateUserCanAlterRestrictionsOnLatestVersion.isNotSuccessful() ? validateUserCanAlterRestrictionsOnLatestVersion : SimpleValidationResult.VALID;
    }

    private ValidationResult validateUserCanAlterRestrictionsOnLatestVersion(ConfluenceUser confluenceUser, ContentEntityObject contentEntityObject) {
        return this.permissionManager.hasPermission(confluenceUser, Permission.SET_PERMISSIONS, contentEntityObject) && this.permissionManager.hasPermission(confluenceUser, Permission.EDIT, contentEntityObject) ? SimpleValidationResult.VALID : SimpleValidationResult.builder().authorized(false).addMessage(SimpleMessage.withTranslation(String.format("Not enough permissions to alter ContentRestrictions on a content <%s>", contentEntityObject))).build();
    }

    ValidationResult validateContentVersionIsOkForRestrictionsOperations(@Nullable ContentEntityObject contentEntityObject) {
        return !(contentEntityObject != null && ((contentEntityObject.isLatestVersion() && contentEntityObject.isCurrent()) || contentEntityObject.isUnpublished())) ? SimpleValidationResult.builder().addMessage(SimpleMessage.withTranslation(String.format("Cannot find content <%s>. Outdated version/old_draft/trashed? Please provide valid ContentId.", contentEntityObject))).addExceptionSupplier(ServiceExceptionSupplier.notFoundException()).build() : SimpleValidationResult.VALID;
    }

    ValidationResult validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions(ContentId contentId) {
        ValidationResult validateGetRestrictions = validateGetRestrictions(contentId);
        if (validateGetRestrictions.isNotSuccessful()) {
            return validateGetRestrictions;
        }
        ValidationResult validateUserCanAlterRestrictions = validateUserCanAlterRestrictions(AuthenticatedUserThreadLocal.get(), this.contentEntityManager.getById(contentId));
        return validateUserCanAlterRestrictions.isNotSuccessful() ? validateUserCanAlterRestrictions : SimpleValidationResult.VALID;
    }

    public ValidationResult validateUpdateRestrictions(ContentId contentId, Collection<? extends ContentRestriction> collection) {
        ValidationResult validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions = validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions(contentId);
        if (validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions.isNotSuccessful()) {
            return validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions;
        }
        ValidationResult validateInputContentRestrictionsBeforeUpdate = validateInputContentRestrictionsBeforeUpdate(contentId, collection);
        return validateInputContentRestrictionsBeforeUpdate.isNotSuccessful() ? validateInputContentRestrictionsBeforeUpdate : SimpleValidationResult.VALID;
    }

    public ValidationResult validateAddRestrictions(ContentId contentId, Collection<? extends ContentRestriction> collection) {
        return validateUpdateRestrictions(contentId, collection);
    }

    public ValidationResult validateDeleteAllDirectRestrictions(ContentId contentId) {
        ValidationResult validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions = validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions(contentId);
        return validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions.isNotSuccessful() ? validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions : SimpleValidationResult.VALID;
    }

    public ValidationResult validateHasDirectRestrictionsForSubject(ContentId contentId, OperationKey operationKey, Subject subject) {
        ValidationResult validateGetRestrictionsForOperation = validateGetRestrictionsForOperation(contentId, operationKey);
        return validateGetRestrictionsForOperation.isNotSuccessful() ? validateGetRestrictionsForOperation : ((subject instanceof User) || (subject instanceof Group)) ? SimpleValidationResult.VALID : subject instanceof Anonymous ? SimpleValidationResult.builder().addMessage(SimpleMessage.withTranslation("Operations on ContentRestrictions for <Anonymous> user are not supported.")).build() : SimpleValidationResult.builder().addMessage(SimpleMessage.withTranslation("Checking restrictions only supported for User(s) and Group(s), whereas <" + subject + "> was provided")).build();
    }

    public ValidationResult validateDeleteDirectRestrictionForSubject(ContentId contentId, OperationKey operationKey, Subject subject) {
        ValidationResult validateHasDirectRestrictionsForSubject = validateHasDirectRestrictionsForSubject(contentId, operationKey, subject);
        if (validateHasDirectRestrictionsForSubject.isNotSuccessful()) {
            return validateHasDirectRestrictionsForSubject;
        }
        ValidationResult validateDeleteAllDirectRestrictions = validateDeleteAllDirectRestrictions(contentId);
        return validateDeleteAllDirectRestrictions.isNotSuccessful() ? validateDeleteAllDirectRestrictions : SimpleValidationResult.VALID;
    }

    public ValidationResult validateAddDirectRestrictionForSubject(ContentId contentId, OperationKey operationKey, Subject subject) {
        ValidationResult validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions = validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions(contentId);
        if (validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions.isNotSuccessful()) {
            return validateContentExistsAndCanViewAndCanEditAndCanEditRestrictions;
        }
        ValidationResult validateHasDirectRestrictionsForSubject = validateHasDirectRestrictionsForSubject(contentId, operationKey, subject);
        if (validateHasDirectRestrictionsForSubject.isNotSuccessful()) {
            return validateHasDirectRestrictionsForSubject;
        }
        ValidationResult validateSubjectsExist = validateSubjectsExist(Collections.singleton(subject));
        return validateSubjectsExist.isNotSuccessful() ? validateSubjectsExist : SimpleValidationResult.VALID;
    }

    public ValidationResult validateGetRestrictions(ContentId contentId) {
        ValidationResult validateContentExistsAndAccessibleByCurrentUser = validateContentExistsAndAccessibleByCurrentUser(contentId);
        if (validateContentExistsAndAccessibleByCurrentUser.isNotSuccessful()) {
            return validateContentExistsAndAccessibleByCurrentUser;
        }
        ValidationResult validateContentVersionIsOkForRestrictionsOperations = validateContentVersionIsOkForRestrictionsOperations(this.contentEntityManager.getById(contentId));
        return validateContentVersionIsOkForRestrictionsOperations.isNotSuccessful() ? validateContentVersionIsOkForRestrictionsOperations : SimpleValidationResult.VALID;
    }

    public ValidationResult validateGetRestrictionsForOperation(ContentId contentId, OperationKey operationKey) {
        ValidationResult validateOperationKey = validateOperationKey(operationKey);
        if (validateOperationKey.isNotSuccessful()) {
            return SimpleValidationResult.builder().authorized(validateOperationKey.isAuthorized()).addErrors(Lists.newArrayList(validateOperationKey.getErrors())).addExceptionSupplier(ServiceExceptionSupplier.notFoundException()).build();
        }
        ValidationResult validateGetRestrictions = validateGetRestrictions(contentId);
        return validateGetRestrictions.isNotSuccessful() ? validateGetRestrictions : SimpleValidationResult.VALID;
    }
}
