package com.atlassian.confluence.security;

import com.atlassian.confluence.impl.security.access.AccessDenied;
import com.atlassian.confluence.impl.security.access.SpacePermissionAccessMapper;
import com.atlassian.confluence.impl.security.access.SpacePermissionSubjectType;
import com.atlassian.confluence.internal.accessmode.AccessModeManager;
import com.atlassian.confluence.internal.security.SpacePermissionManagerInternal;
import com.atlassian.confluence.security.access.AccessStatus;
import com.atlassian.confluence.security.access.ConfluenceAccessManager;
import com.atlassian.confluence.security.access.DefaultConfluenceAccessManager;
import com.atlassian.confluence.setup.settings.beans.ColourSchemesSettings;
import com.atlassian.confluence.spaces.Space;
import com.atlassian.confluence.user.ConfluenceUser;
import com.atlassian.confluence.user.UserAccessor;
import com.atlassian.confluence.user.persistence.dao.compatibility.FindUserHelper;
import com.atlassian.crowd.embedded.api.CrowdService;
import com.atlassian.fugue.Either;
import com.atlassian.user.User;
import com.atlassian.util.profiling.UtilTimerStack;
import com.google.common.base.Supplier;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.ParametersAreNonnullByDefault;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

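/**
 * Base implementation of the global and per-space permission decision.
 *
 * <p>Security-relevant behaviour that can be read directly from this class:
 * <ul>
 *   <li>{@link #hasPermission(String, Space, User)} applies the read-only access-mode gate first and
 *       then grants unconditionally to any user that {@link PermissionCheckExemptions} reports as
 *       exempt; no access-status or grant lookup happens for such a user.</li>
 *   <li>{@link #hasPermissionNoExemptions(String, Space, User)} fails closed: an {@link Exception}
 *       raised while evaluating is logged and turned into a denial.</li>
 *   <li>{@link #hasAllPermissions(List, Space, User)} is vacuously {@code true} for an empty list.</li>
 *   <li>{@link #groupHasPermission(String, Space, String)} and
 *       {@link #hasGlobalPermissionViaGroups(User, String)} are raw grant lookups: they apply neither
 *       the read-only gate nor the access-status check.</li>
 * </ul>
 *
 * <p>This listing is decompiler output (see the JADX markers kept below). Where JADX reports that it
 * widened an access modifier, the widened modifier is kept so that existing callers still compile.
 */
@ParametersAreNonnullByDefault
/* loaded from: input_file:com/atlassian/confluence/security/AbstractSpacePermissionManager.class */
public abstract class AbstractSpacePermissionManager implements SpacePermissionManagerInternal, DefaultConfluenceAccessManager.AccessManagerPermissionChecker {
    private static final Logger log = LoggerFactory.getLogger(AbstractSpacePermissionManager.class);
    private final Supplier<UserAccessor> userAccessor;
    // NOTE(review): the next three collaborators decide every outcome of this class, yet they are
    // protected and non-final, so a subclass can replace them after construction.
    protected PermissionCheckExemptions permissionCheckExemptions;
    protected ConfluenceAccessManager confluenceAccessManager;
    protected SpacePermissionAccessMapper spacePermissionAccessMapper;
    private final CrowdService crowdService;
    private final AccessModeManager accessModeManager;

    /**
     * Text label describing one permission check; it is used as the argument of the debug log
     * lines and as the suffix of the profiling timer name.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/confluence/security/AbstractSpacePermissionManager$DebuggingString.class */
    public static class DebuggingString {
        /** Label used when neither profiling nor debug logging is active. */
        static final DebuggingString EMPTY_DEBUG_STR = new DebuggingString("()");
        public final String value;

        private DebuggingString(String str) {
            this.value = str;
        }

        /**
         * Wraps the given text.
         *
         * @param str label text
         * @return a new label holding {@code str}
         */
        public static DebuggingString of(String str) {
            return new DebuggingString(str);
        }

        /** @return the wrapped text, so the label can be passed straight to a logger or concatenated */
        @Override
        public String toString() {
            return this.value;
        }
    }

    /**
     * Stores the collaborators used by the permission checks.
     *
     * @param permissionCheckExemptions decides which users bypass the checks in {@code hasPermission}
     * @param confluenceAccessManager source of the caller's {@link AccessStatus}
     * @param spacePermissionAccessMapper maps an access status and permission type to the grant
     *        categories that may be consulted
     * @param crowdService used for group-membership tests
     * @param supplier supplier of the {@link UserAccessor}; it is queried on each use, not here
     * @param accessModeManager reports whether read-only access is being enforced
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractSpacePermissionManager(PermissionCheckExemptions permissionCheckExemptions, ConfluenceAccessManager confluenceAccessManager, SpacePermissionAccessMapper spacePermissionAccessMapper, CrowdService crowdService, Supplier<UserAccessor> supplier, AccessModeManager accessModeManager) {
        this.confluenceAccessManager = confluenceAccessManager;
        this.spacePermissionAccessMapper = spacePermissionAccessMapper;
        this.userAccessor = supplier;
        this.permissionCheckExemptions = permissionCheckExemptions;
        this.crowdService = crowdService;
        this.accessModeManager = accessModeManager;
    }

    /**
     * Decides whether {@code user} holds the permission type {@code str}, honouring exemptions.
     *
     * <p>The read-only gate is evaluated before the exemption test, so it also binds exempt users.
     * An exempt user who passes that gate is granted without any further check.
     *
     * @param str permission type, e.g. {@code SpacePermission.USE_CONFLUENCE_PERMISSION}
     * @param space space to check against, or {@code null} for a global check
     * @param user user to check, or {@code null} for the anonymous user
     * @return {@code true} when the permission is granted
     */
    @Override // com.atlassian.confluence.security.SpacePermissionManager
    public final boolean hasPermission(String str, @Nullable Space space, @Nullable User user) {
        if (!isPermittedInReadOnlyAccessMode(str)) {
            return false;
        }
        if (this.permissionCheckExemptions.isExempt(user)) {
            log.debug("{} User is exempt from permission checks (i.e. super-user). PERMISSION GRANTED.", getPermissionCheckAsString(str, space, user));
            return true;
        }
        return hasPermissionNoExemptions(str, space, user);
    }

    /**
     * Decides whether {@code user} holds the permission type {@code str} without consulting
     * {@link PermissionCheckExemptions}.
     *
     * <p>The evaluation is wrapped in a profiling timer that is always popped, and it fails closed:
     * any {@link Exception} is logged at error level and reported as a denial. An {@link Error}
     * still propagates to the caller.
     *
     * @param str permission type
     * @param space space to check against, or {@code null} for a global check
     * @param user user to check, or {@code null} for the anonymous user
     * @return {@code true} when the permission is granted; {@code false} when it is denied or when
     *         evaluation raised an exception
     */
    @Override // com.atlassian.confluence.security.SpacePermissionManager
    public boolean hasPermissionNoExemptions(String str, @Nullable Space space, @Nullable User user) {
        final DebuggingString check = getPermissionCheckAsString(str, space, user);
        final String timerLabel = "DefaultSpacePermissionManager.hasPermissionNoExemptions" + check;
        UtilTimerStack.push(timerLabel);
        try {
            return evaluateNoExemptions(str, space, user, check);
        } catch (Exception e) {
            // Deliberate fail-closed: an evaluation error must never turn into a grant.
            log.error("Error checking permission " + check + ". Denying access.", e);
            return false;
        } finally {
            // One pop for every exit path, matching the single push above.
            UtilTimerStack.pop(timerLabel);
        }
    }

    /**
     * Runs the ordered checks behind {@link #hasPermissionNoExemptions(String, Space, User)}.
     *
     * <p>Order of evaluation, first match wins:
     * <ol>
     *   <li>deny if the permission type is blocked by read-only mode;</li>
     *   <li>deny if the access status cannot use Confluence;</li>
     *   <li>for a global check, grant if the access status itself carries the permission;</li>
     *   <li>deny if the access mapper allows no grant category for this status and type;</li>
     *   <li>grant through the anonymous category (this applies to authenticated users as well);</li>
     *   <li>deny the anonymous user;</li>
     *   <li>grant through the all-authenticated-users category, then through groups;</li>
     *   <li>deny if no {@link ConfluenceUser} is found for the user;</li>
     *   <li>grant through a direct user grant;</li>
     *   <li>grant a licensed Confluence administrator a generic space permission when no space
     *       was supplied;</li>
     *   <li>deny.</li>
     * </ol>
     *
     * <p>The {@link ConfluenceUser} lookup happens after the anonymous, all-authenticated and group
     * checks, so a principal without such a record can still be granted through those categories.
     */
    private boolean evaluateNoExemptions(String permissionType, @Nullable Space space, @Nullable User user, DebuggingString check) {
        if (!isPermittedInReadOnlyAccessMode(permissionType)) {
            return false;
        }
        final AccessStatus accessStatus = this.confluenceAccessManager.getUserAccessStatusNoExemptions(user);
        if (!accessStatus.canUseConfluence()) {
            log.debug("{} User does not have Confluence access. PERMISSION DENIED.", check);
            return false;
        }
        if (space == null && hasConfluenceAccessPermission(accessStatus, permissionType, check)) {
            return true;
        }
        final Either<AccessDenied, Set<SpacePermissionSubjectType>> subjectTypesOrDenied = this.spacePermissionAccessMapper.getPermissionCheckSubjectTypes(accessStatus, permissionType);
        if (subjectTypesOrDenied.isLeft()) {
            log.debug("{} This type of permission cannot be granted for the current user's access status: {}", check, accessStatus);
            return false;
        }
        final Set<SpacePermissionSubjectType> subjectTypes = subjectTypesOrDenied.right().get();
        if (subjectTypes.contains(SpacePermissionSubjectType.ANONYMOUS)) {
            log.debug("{} Checking if anonymous category grants permission", check);
            if (anonymousCategoryHasPermission(space, permissionType, check)) {
                log.debug("{} Anonymous permissions allow access. PERMISSION GRANTED.", check);
                return true;
            }
        }
        if (user == null) {
            log.debug("{} No remaining checks for anonymous user. PERMISSION DENIED.", check);
            return false;
        }
        if (subjectTypes.contains(SpacePermissionSubjectType.ALL_AUTHENTICATED_USERS)) {
            log.debug("{} Checking if all users category grants permission", check);
            if (allAuthenticatedUsersHavePermission(space, permissionType, check)) {
                log.debug("{} Permission granted to all authenticated users. PERMISSION GRANTED.", check);
                return true;
            }
        }
        if (subjectTypes.contains(SpacePermissionSubjectType.GROUP)) {
            log.debug("{} Checking if groups grant permission", check);
            if (hasPermissionViaGroups(user, space, permissionType)) {
                log.debug("{} User is a member of a group with access to space. PERMISSION GRANTED.", check);
                return true;
            }
        }
        final ConfluenceUser confluenceUser = FindUserHelper.getUser(user);
        if (confluenceUser == null) {
            log.warn("{} User was not found in ConfluenceUserDao - PERMISSION DENIED.", check);
            return false;
        }
        if (subjectTypes.contains(SpacePermissionSubjectType.USER)) {
            log.debug("{} Checking if user is directly assigned permission", check);
            if (hasPermissionAsUser(confluenceUser, space, permissionType)) {
                log.debug("{} User is directly assigned permission for space. PERMISSION GRANTED.", check);
                return true;
            }
        }
        if (accessStatus.hasLicensedAccess() && shouldCheckSiteAdminPermissionsForMissingSpace(space, permissionType) && hasConfluenceAdministratorPermission(confluenceUser)) {
            log.debug("{} User has Confluence administrator permission so is granted space-level permission type for missing space. PERMISSION GRANTED.", check);
            return true;
        }
        log.debug("{} No remaining checks. PERMISSION DENIED.", check);
        return false;
    }

    /**
     * Delegates to {@link #hasAllPermissions(List, Space, User)}; an empty list is therefore granted.
     *
     * @param list permission types that must all be held
     * @param space space to check against, or {@code null} for a global check
     * @param user user to check, or {@code null} for the anonymous user
     * @return {@code true} when every listed permission is granted
     */
    // The raw List is kept as decompiled: the overridden declaration is not visible here, and a
    // parameterised type would stop overriding a raw-typed interface method.
    @SuppressWarnings({"rawtypes", "unchecked"})
    @Override // com.atlassian.confluence.security.SpacePermissionManager
    public final boolean hasPermission(List list, @Nullable Space space, @Nullable User user) {
        return hasAllPermissions(list, space, user);
    }

    /**
     * Checks that every permission type in {@code list} is granted by
     * {@link #hasPermission(String, Space, User)}.
     *
     * <p>Security note: {@code allMatch} over an empty list is {@code true}, so an empty list is
     * granted to every caller, the anonymous user included. Callers that build the list
     * dynamically have to reject the empty case themselves if that is not intended.
     *
     * @param list permission types that must all be held; must not be {@code null}
     * @param space space to check against, or {@code null} for a global check
     * @param user user to check, or {@code null} for the anonymous user
     * @return {@code true} when every listed permission is granted, or when the list is empty
     */
    @Override // com.atlassian.confluence.security.SpacePermissionManager
    public final boolean hasAllPermissions(List<String> list, @Nullable Space space, @Nullable User user) {
        return list.stream().allMatch(permissionType -> hasPermission(permissionType, space, user));
    }

    /**
     * Builds the "(permission, user, space)" label for a check, or returns the shared "()" label
     * when neither the profiler nor debug logging is active.
     *
     * <p>The user name and space key are inserted as-is.
     * NOTE(review): confirm that the log layout neutralises control characters in those values.
     */
    private DebuggingString getPermissionCheckAsString(String permissionType, @Nullable Space space, @Nullable User user) {
        if (!UtilTimerStack.isActive() && !log.isDebugEnabled()) {
            return DebuggingString.EMPTY_DEBUG_STR;
        }
        return DebuggingString.of(MessageFormat.format(
                "({0}, {1}, {2})",
                permissionType,
                user != null ? user.getName() : "anonymous",
                space != null ? space.getKey() : ColourSchemesSettings.GLOBAL));
    }

    /**
     * Grants the two "use Confluence" permission types straight from the access status:
     * USE_CONFLUENCE for licensed or anonymous access, LIMITED_USE_CONFLUENCE for unlicensed
     * authenticated access. Every other combination returns {@code false}.
     */
    private boolean hasConfluenceAccessPermission(AccessStatus accessStatus, String permissionType, DebuggingString check) {
        if (SpacePermission.USE_CONFLUENCE_PERMISSION.equals(permissionType)) {
            if (accessStatus.hasLicensedAccess()) {
                log.debug("{} Authenticated user has USE_CONFLUENCE_PERMISSION. PERMISSION GRANTED.", check);
                return true;
            }
            if (accessStatus.hasAnonymousAccess()) {
                log.debug("{} Anonymous user has USE_CONFLUENCE_PERMISSION. PERMISSION GRANTED.", check);
                return true;
            }
        }
        if (SpacePermission.LIMITED_USE_CONFLUENCE_PERMISSION.equals(permissionType) && accessStatus.hasUnlicensedAuthenticatedAccess()) {
            log.debug("{} User has LIMITED_USE_CONFLUENCE_PERMISSION - limited authenticated access. PERMISSION GRANTED.", check);
            return true;
        }
        return false;
    }

    /** Returns whether a grant to the anonymous category exists for the permission type in the effective scope. */
    private boolean anonymousCategoryHasPermission(@Nullable Space space, String permissionType, DebuggingString check) {
        if (!SpacePermission.isValidAnonymousPermission(permissionType)) {
            log.debug("{} Permission is not valid for 'anonymous' category", check);
            return false;
        }
        return permissionExists(SpacePermission.createAnonymousSpacePermission(permissionType, scopeFor(space, permissionType)));
    }

    /** Returns whether a grant to the all-authenticated-users category exists for the permission type in the effective scope. */
    private boolean allAuthenticatedUsersHavePermission(@Nullable Space space, String permissionType, DebuggingString check) {
        if (!SpacePermission.isValidAuthenticatedUsersPermission(permissionType)) {
            log.debug("{} Permission is not valid for all 'all authenticated users' category", check);
            return false;
        }
        return permissionExists(SpacePermission.createAuthenticatedUsersSpacePermission(permissionType, scopeFor(space, permissionType)));
    }

    /** True when a generic space permission is being checked without a space. */
    private boolean shouldCheckSiteAdminPermissionsForMissingSpace(@Nullable Space space, String permissionType) {
        return space == null && SpacePermission.GENERIC_SPACE_PERMISSIONS.contains(permissionType);
    }

    /** Returns whether the user holds the global Confluence administrator permission, via a group or directly. */
    private boolean hasConfluenceAdministratorPermission(@Nonnull ConfluenceUser confluenceUser) {
        if (hasPermissionViaGroups(confluenceUser, null, SpacePermission.CONFLUENCE_ADMINISTRATOR_PERMISSION)) {
            log.debug("User is a member of a group with Confluence administrative permission.");
            return true;
        }
        if (hasPermissionAsUser(confluenceUser, null, SpacePermission.CONFLUENCE_ADMINISTRATOR_PERMISSION)) {
            log.debug("User has been individually assigned Confluence administrative permission.");
            return true;
        }
        return false;
    }

    /** Returns whether a grant made directly to this user exists for the permission type in the effective scope. */
    private boolean hasPermissionAsUser(@Nonnull ConfluenceUser confluenceUser, @Nullable Space space, String permissionType) {
        return permissionExists(SpacePermission.createUserSpacePermission(permissionType, scopeFor(space, permissionType), confluenceUser));
    }

    /**
     * Returns whether {@code user} belongs to a group that holds the global permission {@code str}.
     *
     * <p>This is a raw grant lookup: it applies no read-only, access-status or exemption check.
     *
     * @param user user whose group memberships are tested
     * @param str permission type
     * @return {@code true} when at least one group holding the permission contains the user
     */
    @Override // com.atlassian.confluence.security.access.DefaultConfluenceAccessManager.AccessManagerPermissionChecker
    public final boolean hasGlobalPermissionViaGroups(@Nonnull User user, String str) {
        return hasPermissionViaGroups(user, null, str);
    }

    /**
     * Tests the user's membership, by user name, in each group that holds the permission in the
     * effective scope, stopping at the first match. One {@link CrowdService} call is made per
     * candidate group.
     */
    private boolean hasPermissionViaGroups(@Nonnull User user, @Nullable Space space, String permissionType) {
        final Space scope = scopeFor(space, permissionType);
        final String userName = user.getName();
        for (String groupName : getGroupNamesWithPermission(scope, permissionType)) {
            if (this.crowdService.isUserMemberOfGroup(userName, groupName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when the grant has to be looked up globally: either no space was supplied, or the
     * permission type is not one of the generic space permissions. In the second case a supplied
     * space is ignored.
     */
    private boolean shouldCheckGlobalPermissions(@Nullable Space space, String permissionType) {
        return space == null || !SpacePermission.GENERIC_SPACE_PERMISSIONS.contains(permissionType);
    }

    /** Space in which a grant is looked up: {@code null} (global) or the supplied space. */
    @Nullable
    private Space scopeFor(@Nullable Space space, String permissionType) {
        return shouldCheckGlobalPermissions(space, permissionType) ? null : space;
    }

    /**
     * Returns whether a grant of {@code str} to the group {@code str2} exists in the effective scope.
     *
     * <p>This is a raw grant lookup: it applies no read-only or access-status check.
     *
     * @param str permission type
     * @param space space to check against, or {@code null} for a global check
     * @param str2 group name
     * @return {@code true} when such a grant exists
     */
    @Override // com.atlassian.confluence.security.SpacePermissionManager
    public boolean groupHasPermission(String str, @Nullable Space space, String str2) {
        return permissionExists(SpacePermission.createGroupSpacePermission(str, scopeFor(space, str), str2));
    }

    /**
     * Supplies the names of the groups that hold a permission.
     *
     * @param space space the grant applies to, or {@code null} for global grants
     * @param str permission type
     * @return names of the groups holding the permission
     */
    protected abstract Iterable<String> getGroupNamesWithPermission(@Nullable Space space, String str);

    /**
     * Same check as {@link #hasPermission(List, Space, User)} with a different argument order.
     *
     * @param user user to check, or {@code null} for the anonymous user
     * @param list permission types that must all be held
     * @param space space to check against, or {@code null} for a global check
     * @return {@code true} when every listed permission is granted
     */
    // Raw List kept for the same reason as in hasPermission(List, Space, User).
    @SuppressWarnings("rawtypes")
    @Override // com.atlassian.confluence.security.SpacePermissionManager
    public final boolean hasPermissionForSpace(@Nullable User user, List list, @Nullable Space space) {
        return hasPermission(list, space, user);
    }

    /**
     * Builds the default set of global grants.
     *
     * <p>The new-user default group receives USE_CONFLUENCE, PERSONAL_SPACE and CREATE_SPACE; the
     * Confluence administrators group receives those three plus CONFLUENCE_ADMINISTRATOR and
     * SYSTEM_ADMINISTRATOR. The default group name is read from the {@link UserAccessor} on every
     * call.
     *
     * @return an unmodifiable set of the default global grants
     */
    @Override // com.atlassian.confluence.security.SpacePermissionManager
    public Set<SpacePermission> getDefaultGlobalPermissions() {
        final String defaultGroup = getUserAccessor().getNewUserDefaultGroupName();
        final List<SpacePermission> defaults = new ArrayList<>();
        defaults.add(SpacePermission.createGroupSpacePermission(SpacePermission.USE_CONFLUENCE_PERMISSION, null, defaultGroup));
        defaults.add(SpacePermission.createGroupSpacePermission(SpacePermission.USE_CONFLUENCE_PERMISSION, null, UserAccessor.GROUP_CONFLUENCE_ADMINS));
        defaults.add(SpacePermission.createGroupSpacePermission(SpacePermission.PERSONAL_SPACE_PERMISSION, null, defaultGroup));
        defaults.add(SpacePermission.createGroupSpacePermission(SpacePermission.PERSONAL_SPACE_PERMISSION, null, UserAccessor.GROUP_CONFLUENCE_ADMINS));
        defaults.add(SpacePermission.createGroupSpacePermission(SpacePermission.CONFLUENCE_ADMINISTRATOR_PERMISSION, null, UserAccessor.GROUP_CONFLUENCE_ADMINS));
        defaults.add(SpacePermission.createGroupSpacePermission(SpacePermission.SYSTEM_ADMINISTRATOR_PERMISSION, null, UserAccessor.GROUP_CONFLUENCE_ADMINS));
        defaults.add(SpacePermission.createGroupSpacePermission(SpacePermission.CREATE_SPACE_PERMISSION, null, defaultGroup));
        defaults.add(SpacePermission.createGroupSpacePermission(SpacePermission.CREATE_SPACE_PERMISSION, null, UserAccessor.GROUP_CONFLUENCE_ADMINS));
        return Collections.unmodifiableSet(new HashSet<>(defaults));
    }

    /** @return the {@link UserAccessor} obtained from the supplier passed to the constructor */
    /* JADX INFO: Access modifiers changed from: protected */
    public UserAccessor getUserAccessor() {
        return this.userAccessor.get();
    }

    /** @return the access-mode manager passed to the constructor */
    protected AccessModeManager getAccessModeManager() {
        return this.accessModeManager;
    }

    /**
     * Read-only gate: a permission type passes when it is listed in
     * {@code SpacePermission.READ_ONLY_SPACE_PERMISSIONS} or when read-only access is not enforced.
     *
     * @param str permission type
     * @return {@code true} when the permission type may be evaluated in the current access mode
     */
    @Override // com.atlassian.confluence.security.SpacePermissionManager
    public boolean isPermittedInReadOnlyAccessMode(String str) {
        return SpacePermission.READ_ONLY_SPACE_PERMISSIONS.contains(str) || !getAccessModeManager().shouldEnforceReadOnlyAccess();
    }
}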
