package com.atlassian.confluence.api.impl.service.permissions;

import com.atlassian.confluence.api.impl.service.content.factory.Fauxpansions;
import com.atlassian.confluence.api.model.Expansion;
import com.atlassian.confluence.api.model.Expansions;
import com.atlassian.confluence.api.model.content.Content;
import com.atlassian.confluence.api.model.content.ContentSelector;
import com.atlassian.confluence.api.model.content.id.ContentId;
import com.atlassian.confluence.api.model.link.Link;
import com.atlassian.confluence.api.model.link.LinkType;
import com.atlassian.confluence.api.model.messages.SimpleMessage;
import com.atlassian.confluence.api.model.pagination.LimitedRequest;
import com.atlassian.confluence.api.model.pagination.LimitedRequestImpl;
import com.atlassian.confluence.api.model.pagination.PageRequest;
import com.atlassian.confluence.api.model.pagination.PageResponseImpl;
import com.atlassian.confluence.api.model.pagination.SimplePageRequest;
import com.atlassian.confluence.api.model.people.Group;
import com.atlassian.confluence.api.model.people.Subject;
import com.atlassian.confluence.api.model.people.SubjectType;
import com.atlassian.confluence.api.model.people.User;
import com.atlassian.confluence.api.model.permissions.ContentRestriction;
import com.atlassian.confluence.api.model.permissions.ContentRestrictionsPageResponse;
import com.atlassian.confluence.api.model.permissions.OperationKey;
import com.atlassian.confluence.api.model.reference.ModelMapBuilder;
import com.atlassian.confluence.api.model.validation.SimpleValidationResult;
import com.atlassian.confluence.api.model.validation.ValidationResult;
import com.atlassian.confluence.api.nav.NavigationService;
import com.atlassian.confluence.api.service.exceptions.BadRequestException;
import com.atlassian.confluence.api.service.exceptions.InternalServerException;
import com.atlassian.confluence.api.service.exceptions.NotFoundException;
import com.atlassian.confluence.api.service.exceptions.ServiceException;
import com.atlassian.confluence.api.service.exceptions.unchecked.NotImplementedServiceException;
import com.atlassian.confluence.api.service.permissions.ContentRestrictionService;
import com.atlassian.confluence.core.ContentEntityObject;
import com.atlassian.confluence.core.ContentPermissionManager;
import com.atlassian.confluence.internal.ContentEntityManagerInternal;
import com.atlassian.confluence.internal.user.UserAccessorInternal;
import com.atlassian.confluence.rest.api.model.pagination.PaginationLimits;
import com.atlassian.confluence.security.ContentPermission;
import com.atlassian.confluence.security.ContentPermissionSet;
import com.atlassian.confluence.security.PermissionUtils;
import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
import com.atlassian.confluence.user.ConfluenceUser;
import com.atlassian.fugue.Option;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.UnmodifiableIterator;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/confluence/api/impl/service/permissions/ContentRestrictionServiceImpl.class */
public class ContentRestrictionServiceImpl implements ContentRestrictionService {
    private static final Logger log = LoggerFactory.getLogger(ContentRestrictionServiceImpl.class);
    private static final SimplePageRequest DEFAULT_RESTRICTIONS_PAGE_REQUEST = new SimplePageRequest(0, PaginationLimits.restrictionSubjects());
    private final ContentEntityManagerInternal contentEntityManager;
    private final ContentPermissionManager contentPermissionManager;
    private final ContentRestrictionFactory contentRestrictionFactory;
    private final NavigationService navigationService;
    private final UserAccessorInternal userAccessorInternal;
    private final ContentRestrictionService.Validator contentRestrictionServiceValidator;

    /* loaded from: input_file:com/atlassian/confluence/api/impl/service/permissions/ContentRestrictionServiceImpl$MergeMode.class */
    public enum MergeMode {
        ADD,
        REPLACE,
        SUBTRACT
    }

    public ContentRestrictionServiceImpl(ContentEntityManagerInternal contentEntityManagerInternal, ContentPermissionManager contentPermissionManager, ContentRestrictionFactory contentRestrictionFactory, UserAccessorInternal userAccessorInternal, NavigationService navigationService, ContentRestrictionService.Validator validator) {
        this.contentEntityManager = contentEntityManagerInternal;
        this.contentPermissionManager = contentPermissionManager;
        this.contentRestrictionFactory = contentRestrictionFactory;
        this.userAccessorInternal = userAccessorInternal;
        this.navigationService = navigationService;
        this.contentRestrictionServiceValidator = validator;
    }

    public ContentRestrictionService.Validator validator() {
        return this.contentRestrictionServiceValidator;
    }

    public Map<OperationKey, ContentRestriction> getRestrictionsGroupByOperation(ContentId contentId, Expansion... expansionArr) throws ServiceException {
        this.contentRestrictionServiceValidator.validateGetRestrictions(contentId).throwIfNotSuccessful();
        Expansions expansions = new Expansions(expansionArr);
        ModelMapBuilder newInstance = ModelMapBuilder.newInstance();
        UnmodifiableIterator it = ContentRestrictionFactory.getSupportedOperationKeys().iterator();
        while (it.hasNext()) {
            OperationKey operationKey = (OperationKey) it.next();
            Fauxpansions fauxpansions = Fauxpansions.fauxpansions(expansions, operationKey.toString());
            if (fauxpansions.canExpand()) {
                newInstance.put(operationKey, doGetRestrictionsForOperation(contentId, operationKey, DEFAULT_RESTRICTIONS_PAGE_REQUEST, fauxpansions.getSubExpansions().toArray()));
            } else {
                newInstance.addCollapsedEntry(operationKey);
            }
        }
        return newInstance.navigable(this.navigationService.createNavigation().content(Content.buildReference(ContentSelector.from(Content.builder().id(contentId).build()))).restrictionByOperation()).build();
    }

    public ContentRestriction getRestrictionsForOperation(ContentId contentId, OperationKey operationKey, PageRequest pageRequest, Expansion... expansionArr) throws ServiceException {
        this.contentRestrictionServiceValidator.validateGetRestrictionsForOperation(contentId, operationKey).throwIfNotSuccessful();
        return doGetRestrictionsForOperation(contentId, operationKey, pageRequest, expansionArr);
    }

    ContentRestriction doGetRestrictionsForOperation(ContentId contentId, OperationKey operationKey, PageRequest pageRequest, Expansion[] expansionArr) {
        Expansions expansions = new Expansions(expansionArr);
        LimitedRequest create = LimitedRequestImpl.create(pageRequest, PaginationLimits.restrictionSubjects());
        String str = (String) ContentRestrictionFactory.determinePermissionType(operationKey).get();
        ContentEntityObject byId = this.contentEntityManager.getById(contentId);
        ContentPermissionSet contentPermissionSet = byId != null ? byId.getContentPermissionSet(str) : null;
        if (contentPermissionSet == null) {
            contentPermissionSet = new ContentPermissionSet(str, byId);
        }
        return this.contentRestrictionFactory.buildFrom(contentPermissionSet, create, expansions);
    }

    public ContentRestrictionsPageResponse getRestrictions(ContentId contentId, PageRequest pageRequest, Expansion... expansionArr) throws ServiceException {
        this.contentRestrictionServiceValidator.validateGetRestrictions(contentId).throwIfNotSuccessful();
        List list = (List) ContentRestrictionFactory.getSupportedOperationKeys().stream().map(operationKey -> {
            return doGetRestrictionsForOperation(contentId, operationKey, pageRequest, expansionArr);
        }).collect(Collectors.toList());
        return ContentRestrictionsPageResponse.builder().withContentId(contentId).addAll(list).withRestrictionsHash(PermissionUtils.getRestrictionsHash(this.contentEntityManager.getById(contentId))).pageRequest(pageRequest).hasMore(false).addLink(new Link(new LinkType("byOperation"), this.navigationService.createNavigation().content(ContentSelector.from(Content.builder().id(contentId).build())).restrictionByOperation().buildAbsolute())).build();
    }

    public ContentRestrictionsPageResponse updateRestrictions(ContentId contentId, Collection<? extends ContentRestriction> collection, Expansion... expansionArr) throws ServiceException {
        this.contentRestrictionServiceValidator.validateUpdateRestrictions(contentId, collection).throwIfNotSuccessful();
        ContentEntityObject byId = this.contentEntityManager.getById(contentId);
        Map<String, Collection<ContentPermission>> mergedContentPermissions = getMergedContentPermissions(byId, collection, MergeMode.REPLACE);
        validateSelfAccessRetained(mergedContentPermissions).throwIfNotSuccessful();
        this.contentPermissionManager.setContentPermissions(mergedContentPermissions, byId);
        return getRestrictions(contentId, DEFAULT_RESTRICTIONS_PAGE_REQUEST, expansionArr);
    }

    public ContentRestrictionsPageResponse addRestrictions(ContentId contentId, Collection<? extends ContentRestriction> collection, Expansion... expansionArr) throws ServiceException {
        this.contentRestrictionServiceValidator.validateAddRestrictions(contentId, collection).throwIfNotSuccessful();
        ContentEntityObject byId = this.contentEntityManager.getById(contentId);
        Map<String, Collection<ContentPermission>> mergedContentPermissions = getMergedContentPermissions(byId, collection, MergeMode.ADD);
        validateSelfAccessRetained(mergedContentPermissions).throwIfNotSuccessful();
        this.contentPermissionManager.setContentPermissions(mergedContentPermissions, byId);
        return getRestrictions(contentId, DEFAULT_RESTRICTIONS_PAGE_REQUEST, expansionArr);
    }

    public ContentRestrictionsPageResponse deleteAllDirectRestrictions(ContentId contentId, Expansion... expansionArr) throws ServiceException {
        this.contentRestrictionServiceValidator.validateDeleteAllDirectRestrictions(contentId).throwIfNotSuccessful();
        ContentEntityObject byId = this.contentEntityManager.getById(contentId);
        this.contentPermissionManager.setContentPermissions((Map) ContentRestrictionFactory.getSupportedOperationKeys().stream().map(ContentRestrictionFactory::determinePermissionType).collect(Collectors.toMap((v0) -> {
            return v0.get();
        }, option -> {
            return Collections.emptyList();
        })), byId);
        return getRestrictions(contentId, DEFAULT_RESTRICTIONS_PAGE_REQUEST, expansionArr);
    }

    public boolean hasDirectRestrictionForSubject(ContentId contentId, OperationKey operationKey, Subject subject) throws ServiceException {
        validator().validateHasDirectRestrictionsForSubject(contentId, operationKey, subject).throwIfNotSuccessful();
        return getPreExistingContentPermissionForSubject(this.contentEntityManager.getById(contentId), (String) ContentRestrictionFactory.determinePermissionType(operationKey).get(), subject).isPresent();
    }

    public void deleteDirectRestrictionForSubject(ContentId contentId, OperationKey operationKey, Subject subject) throws ServiceException {
        validator().validateDeleteDirectRestrictionForSubject(contentId, operationKey, subject).throwIfNotSuccessful();
        String str = (String) ContentRestrictionFactory.determinePermissionType(operationKey).get();
        ContentEntityObject byId = this.contentEntityManager.getById(contentId);
        ContentPermission orElseThrow = getPreExistingContentPermissionForSubject(byId, str, subject).orElseThrow(() -> {
            return new NotFoundException("Cannot delete the restriction specified since it doesn't exist.");
        });
        validateSelfAccessRetained(getMergedContentPermissions(byId, Collections.singleton(ContentRestriction.builder().operation(operationKey).restrictions(Collections.singletonMap(subject.getSubjectType(), PageResponseImpl.fromSingle(subject, false).build())).build()), MergeMode.SUBTRACT)).throwIfNotSuccessful();
        this.contentPermissionManager.removeContentPermission(orElseThrow);
    }

    public void addDirectRestrictionForSubject(ContentId contentId, OperationKey operationKey, Subject subject) throws ServiceException {
        validator().validateAddDirectRestrictionForSubject(contentId, operationKey, subject).throwIfNotSuccessful();
        ContentEntityObject byId = this.contentEntityManager.getById(contentId);
        Map<String, Collection<ContentPermission>> mergedContentPermissions = getMergedContentPermissions(byId, Collections.singleton(ContentRestriction.builder().operation(operationKey).restrictions(ImmutableMap.of(subject.getSubjectType(), PageResponseImpl.fromSingle(subject, false).build())).build()), MergeMode.ADD);
        validateSelfAccessRetained(mergedContentPermissions).throwIfNotSuccessful();
        this.contentPermissionManager.setContentPermissions(mergedContentPermissions, byId);
    }

    @Nonnull
    protected Map<String, Collection<ContentPermission>> getMergedContentPermissions(@Nonnull ContentEntityObject contentEntityObject, @Nonnull Collection<? extends ContentRestriction> collection, @Nonnull MergeMode mergeMode) {
        HashMap hashMap = new HashMap();
        for (ContentRestriction contentRestriction : collection) {
            String str = (String) ContentRestrictionFactory.determinePermissionType(contentRestriction.getOperation()).get();
            ((Collection) hashMap.computeIfAbsent(str, str2 -> {
                return new HashSet();
            })).addAll(doMergeContentPermissions(contentEntityObject, str, mergeMode, (Map) SubjectType.VALUES.stream().collect(Collectors.toMap(subjectType -> {
                return subjectType;
            }, subjectType2 -> {
                return Optional.ofNullable(contentRestriction.getRestrictions().get(subjectType2)).map((v0) -> {
                    return v0.getResults();
                }).map(list -> {
                    return (Set) list.stream().map(subject -> {
                        return toContentPermissionStrict(str, subjectType2, subject);
                    }).collect(Collectors.toSet());
                });
            }))));
        }
        return ImmutableMap.copyOf(hashMap);
    }

    @Nonnull
    private Set<ContentPermission> doMergeContentPermissions(@Nonnull ContentEntityObject contentEntityObject, @Nonnull String str, @Nonnull MergeMode mergeMode, @Nonnull Map<SubjectType, Optional<Collection<ContentPermission>>> map) {
        HashSet hashSet = new HashSet();
        switch (mergeMode) {
            case REPLACE:
                SubjectType.VALUES.forEach(subjectType -> {
                    hashSet.addAll((Collection) ((Optional) map.getOrDefault(subjectType, Optional.empty())).orElse(getPreExistingContentPermissionsForSubjectType(contentEntityObject, str, subjectType)));
                });
                break;
            case ADD:
                Set<ContentPermission> preExistingContentPermissions = getPreExistingContentPermissions(contentEntityObject, str);
                Set set = (Set) map.values().stream().flatMap(optional -> {
                    return ((Collection) optional.orElse(Collections.emptySet())).stream();
                }).collect(Collectors.toSet());
                hashSet.addAll(preExistingContentPermissions);
                hashSet.addAll(set);
                break;
            case SUBTRACT:
                Set<ContentPermission> preExistingContentPermissions2 = getPreExistingContentPermissions(contentEntityObject, str);
                Set set2 = (Set) map.values().stream().flatMap(optional2 -> {
                    return ((Collection) optional2.orElse(Collections.emptySet())).stream();
                }).collect(Collectors.toSet());
                hashSet.addAll(preExistingContentPermissions2);
                hashSet.removeAll(set2);
                break;
            default:
                log.error("Unsupported MergeMode. Should never end up like that!");
                throw new InternalServerException("Exception while modifying ContentRestrictions", new IllegalStateException("Unsupported MergeMode. Should never end up like that!"));
        }
        return hashSet;
    }

    private ContentPermission toContentPermissionStrict(String str, SubjectType subjectType, Subject subject) {
        if (SubjectType.USER.equals(subjectType)) {
            return ContentPermission.createUserPermission(str, this.userAccessorInternal.getExistingUserByPerson((User) subject));
        }
        if (SubjectType.GROUP.equals(subjectType)) {
            return ContentPermission.createGroupPermission(str, ((Group) subject).getName());
        }
        throw throwableUnsupportedSubjectType(subjectType);
    }

    @Nonnull
    protected NotImplementedServiceException throwableUnsupportedSubjectType(@Nullable Object obj) {
        String format = String.format("Restrictions operations on SubjectType <%1$s> are not implemented yet. Please use one of <%2$s>", obj, SubjectType.VALUES);
        log.error(format);
        return new NotImplementedServiceException(format, new UnsupportedOperationException(format));
    }

    @Nonnull
    protected Set<ContentPermission> getPreExistingContentPermissions(@Nullable ContentEntityObject contentEntityObject, @Nullable String str, @Nullable Predicate<ContentPermission> predicate) {
        return (Set) getPreExistingContentPermissions(contentEntityObject, str).stream().filter(predicate != null ? predicate : contentPermission -> {
            return true;
        }).collect(Collectors.toSet());
    }

    @Nonnull
    protected Set<ContentPermission> getPreExistingContentPermissions(@Nullable ContentEntityObject contentEntityObject, @Nullable String str) {
        return (contentEntityObject == null || str == null || contentEntityObject.getContentPermissionSet(str) == null) ? Collections.emptySet() : new HashSet((Collection) contentEntityObject.getContentPermissionSet(str).getContentPermissionsCopy());
    }

    @Nonnull
    protected Set<ContentPermission> getPreExistingContentPermissionsForSubjectType(@Nullable ContentEntityObject contentEntityObject, @Nullable String str, @Nullable SubjectType subjectType) {
        if (SubjectType.USER.equals(subjectType)) {
            return getPreExistingContentPermissions(contentEntityObject, str, (v0) -> {
                return v0.isUserPermission();
            });
        }
        if (SubjectType.GROUP.equals(subjectType)) {
            return getPreExistingContentPermissions(contentEntityObject, str, (v0) -> {
                return v0.isGroupPermission();
            });
        }
        throw throwableUnsupportedSubjectType(subjectType);
    }

    @Nonnull
    protected Optional<ContentPermission> getPreExistingContentPermissionForSubject(@Nullable ContentEntityObject contentEntityObject, @Nullable String str, @Nullable Subject subject) {
        if (subject instanceof User) {
            return getPreExistingContentPermissionForUser(contentEntityObject, str, (User) subject);
        }
        if (subject instanceof Group) {
            return getPreExistingContentPermissionForGroup(contentEntityObject, str, (Group) subject);
        }
        throw new BadRequestException("ContentRestrictions only support User(s) and Group(s)");
    }

    @Nonnull
    protected Optional<ContentPermission> getPreExistingContentPermissionForUser(@Nullable ContentEntityObject contentEntityObject, @Nullable String str, @Nonnull User user) {
        Option<ConfluenceUser> existingByApiUser = this.userAccessorInternal.getExistingByApiUser(user);
        if (existingByApiUser.isDefined()) {
            return getPreExistingContentPermissions(contentEntityObject, str, (v0) -> {
                return v0.isUserPermission();
            }).stream().filter(contentPermission -> {
                return Objects.equals(existingByApiUser.get(), contentPermission.getUserSubject());
            }).findFirst();
        }
        throw new NotFoundException("Specified User does not exist");
    }

    @Nonnull
    protected Optional<ContentPermission> getPreExistingContentPermissionForGroup(@Nullable ContentEntityObject contentEntityObject, @Nullable String str, @Nullable Group group) {
        if (group == null || group.getName() == null) {
            throw new NotFoundException("Specified Group does not exist");
        }
        return getPreExistingContentPermissions(contentEntityObject, str, (v0) -> {
            return v0.isGroupPermission();
        }).stream().filter(contentPermission -> {
            return Objects.equals(group.getName(), contentPermission.getGroupName());
        }).findFirst();
    }

    @Nonnull
    protected ValidationResult validateSelfAccessRetained(@Nonnull Map<String, Collection<ContentPermission>> map) {
        ArrayList arrayList = new ArrayList();
        ConfluenceUser confluenceUser = AuthenticatedUserThreadLocal.get();
        for (Map.Entry<String, Collection<ContentPermission>> entry : map.entrySet()) {
            if (!(entry.getValue().isEmpty() || entry.getValue().stream().filter((v0) -> {
                return v0.isUserPermission();
            }).map((v0) -> {
                return v0.getUserSubject();
            }).anyMatch(confluenceUser2 -> {
                return Objects.equals(confluenceUser, confluenceUser2);
            }))) {
                arrayList.add(ContentRestrictionFactory.determineOpKey(entry.getKey()));
            }
        }
        return !arrayList.isEmpty() ? SimpleValidationResult.builder().authorized(true).addMessage(SimpleMessage.withTranslation(String.format("Provided ContentRestrictions evicts current user (you) from: %s. Must include yourself in \"user\" sections for READ and/or UPDATE when restricting those operations. Must not provide restrictions which when applied result in current situation.", arrayList))).build() : SimpleValidationResult.VALID;
    }
}
