package com.atlassian.confluence.impl.security.access;

import com.atlassian.confluence.core.ConfluenceActionSupport;
import com.atlassian.confluence.event.events.security.NoConfluencePermissionEvent;
import com.atlassian.confluence.security.access.AccessStatus;
import com.atlassian.confluence.security.access.ConfluenceAccessManager;
import com.atlassian.confluence.security.access.annotations.PublicAccess;
import com.atlassian.confluence.security.access.annotations.RequiresAnyConfluenceAccess;
import com.atlassian.confluence.security.access.annotations.RequiresLicensedConfluenceAccess;
import com.atlassian.confluence.security.access.annotations.RequiresLicensedOrAnonymousConfluenceAccess;
import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
import com.atlassian.confluence.user.ConfluenceUser;
import com.atlassian.confluence.xwork.WebWorkActionHelper;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.fugue.Option;
import com.atlassian.fugue.Pair;
import com.atlassian.util.concurrent.Lazy;
import com.atlassian.util.concurrent.Supplier;
import com.atlassian.vcache.JvmCache;
import com.atlassian.vcache.JvmCacheSettingsBuilder;
import com.atlassian.vcache.VCacheFactory;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import java.lang.annotation.Annotation;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.annotation.Nullable;
import javax.annotation.ParametersAreNonnullByDefault;

@ParametersAreNonnullByDefault
/* loaded from: input_file:com/atlassian/confluence/impl/security/access/ActionAccessChecker.class */
public class ActionAccessChecker {
    private final ConfluenceAccessManager confluenceAccessManager;
    private final EventPublisher eventPublisher;
    private final Supplier<JvmCache<Pair<Class<?>, Option<String>>, List<AnnotatedElement>>> cacheRef;
    private static final String ANNOTATED_ELEMENTS_CACHE_NAME = ActionAccessChecker.class.getName() + ".annotatedElements";
    private static final Map<Class<? extends Annotation>, Predicate<AccessStatus>> POSITIVE_ACCESS_CHECKS = ImmutableMap.builder().put(PublicAccess.class, accessStatus -> {
        return true;
    }).put(RequiresAnyConfluenceAccess.class, accessStatus2 -> {
        return accessStatus2.canUseConfluence();
    }).put(RequiresLicensedConfluenceAccess.class, accessStatus3 -> {
        return accessStatus3.hasLicensedAccess();
    }).put(RequiresLicensedOrAnonymousConfluenceAccess.class, accessStatus4 -> {
        return accessStatus4.hasLicensedAccess() || accessStatus4.hasAnonymousAccess();
    }).build();

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    /* loaded from: input_file:com/atlassian/confluence/impl/security/access/ActionAccessChecker$AccessDecision.class */
    public enum AccessDecision {
        GRANTED,
        DENIED,
        ABSTAIN
    }

    public ActionAccessChecker(ConfluenceAccessManager confluenceAccessManager, EventPublisher eventPublisher, VCacheFactory vCacheFactory) {
        this.confluenceAccessManager = confluenceAccessManager;
        this.eventPublisher = eventPublisher;
        this.cacheRef = Lazy.supplier(() -> {
            return vCacheFactory.getJvmCache(ANNOTATED_ELEMENTS_CACHE_NAME, new JvmCacheSettingsBuilder().build());
        });
    }

    public boolean isAccessPermitted(Object obj, @Nullable String str) {
        if (!(obj instanceof ConfluenceActionSupport)) {
            return true;
        }
        ConfluenceActionSupport confluenceActionSupport = (ConfluenceActionSupport) obj;
        switch (checkUserAccessFromAnnotations(obj.getClass(), str, AuthenticatedUserThreadLocal.get())) {
            case GRANTED:
                confluenceActionSupport.setSkipAccessCheck(true);
                return true;
            case DENIED:
                this.eventPublisher.publish(new NoConfluencePermissionEvent(this));
                return false;
            default:
                return true;
        }
    }

    private AccessDecision checkUserAccessFromAnnotations(Class<?> cls, @Nullable String str, ConfluenceUser confluenceUser) {
        Supplier supplier = Lazy.supplier(() -> {
            return this.confluenceAccessManager.getUserAccessStatus(confluenceUser);
        });
        Iterator<AnnotatedElement> it = getOrderedAnnotatedElements(cls, str).iterator();
        while (it.hasNext()) {
            AccessDecision checkAccessAnnotations = checkAccessAnnotations(it.next(), supplier);
            if (checkAccessAnnotations == AccessDecision.GRANTED || checkAccessAnnotations == AccessDecision.DENIED) {
                return checkAccessAnnotations;
            }
        }
        return AccessDecision.ABSTAIN;
    }

    private List<AnnotatedElement> getOrderedAnnotatedElements(Class<?> cls, @Nullable String str) {
        return (List) ((JvmCache) this.cacheRef.get()).get(Pair.pair(cls, Option.option(str)), () -> {
            return calculateOrderedAnnotatedElements(cls, str);
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    public static List<AnnotatedElement> calculateOrderedAnnotatedElements(Class<?> cls, @Nullable String str) {
        Package r0 = cls.getPackage();
        try {
            Method actionMethod = WebWorkActionHelper.getActionMethod(cls, str);
            Class<?> declaringClass = actionMethod.getDeclaringClass();
            ImmutableList.Builder builder = ImmutableList.builder();
            if (cls.equals(declaringClass)) {
                builder.add(actionMethod);
            }
            builder.add(cls);
            if (r0 != null) {
                builder.add(r0);
            }
            return builder.build();
        } catch (NoSuchMethodException e) {
            throw new RuntimeException("action method [ " + str + " ] not found on [ " + cls.getName() + " ]", e);
        }
    }

    @VisibleForTesting
    static AccessDecision checkAccessAnnotations(AnnotatedElement annotatedElement, Supplier<AccessStatus> supplier) {
        boolean z = false;
        for (Map.Entry<Class<? extends Annotation>, Predicate<AccessStatus>> entry : POSITIVE_ACCESS_CHECKS.entrySet()) {
            if (annotatedElement.isAnnotationPresent(entry.getKey())) {
                z = true;
                if (entry.getValue().apply(supplier.get())) {
                    return AccessDecision.GRANTED;
                }
            }
        }
        return z ? AccessDecision.DENIED : AccessDecision.ABSTAIN;
    }
}
