package com.atlassian.bamboo.security.acegi.afterinvocation;

import com.atlassian.bamboo.chains.ChainResultsSummary;
import com.atlassian.bamboo.plan.PlanIdentifier;
import com.atlassian.bamboo.plan.PlanKey;
import com.atlassian.bamboo.plan.PlanKeys;
import com.atlassian.bamboo.plan.cache.CachedPlanManager;
import com.atlassian.bamboo.project.ProjectIdentifier;
import com.atlassian.bamboo.project.ProjectPlanPermissions;
import com.atlassian.bamboo.resultsummary.ResultsSummary;
import com.atlassian.bamboo.security.acegi.BambooAcegiSecurityUtils;
import com.atlassian.bamboo.spring.ComponentAccessor;
import com.atlassian.bamboo.user.Authority;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthorizationServiceException;
import org.acegisecurity.ConfigAttribute;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.acls.AclService;
import org.acegisecurity.acls.NotFoundException;
import org.acegisecurity.acls.Permission;
import org.acegisecurity.acls.domain.BasePermission;
import org.acegisecurity.acls.objectidentity.ObjectIdentity;
import org.acegisecurity.acls.objectidentity.ObjectIdentityRetrievalStrategy;
import org.acegisecurity.acls.sid.Sid;
import org.acegisecurity.acls.sid.SidRetrievalStrategy;
import org.acegisecurity.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/atlassian/bamboo/security/acegi/afterinvocation/GenericAclEntryAfterInvocationCollectionFilteringProvider.class */
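/**
 * After-invocation provider that filters a returned {@link Collection} down to the elements the
 * current {@link Authentication} is permitted to see.
 *
 * <p>On top of the parent's per-object ACL check this class adds two things visible in the code
 * below: a project-level gate for {@link PlanIdentifier} elements (no {@code READ} on the project
 * means the plan is denied without consulting the plan ACL), and a per-call
 * {@link PermissionCache} so that many elements of the same project or plan trigger only one ACL
 * lookup.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Callers holding {@link Authority#RESTRICTED_ADMIN} receive the returned object
 *       unfiltered (see {@link #decide}).</li>
 *   <li>{@code null} elements are kept in the filtered collection.</li>
 *   <li>The cache lives only for one {@code decide}/{@code hasPermission} call, so decisions are
 *       never shared between principals or requests.</li>
 * </ul>
 */
public class GenericAclEntryAfterInvocationCollectionFilteringProvider extends AclEntryAfterInvocationCollectionFilteringProvider {
    /** Permission that must be granted on a project before any of its plans are considered. */
    private static final Permission[] VIEW_PERMISSION = {BasePermission.READ};
    private final Supplier<CachedPlanManager> planManager;
    // Own reference to the ACL service passed to the constructor; used by hasViewPermission.
    private final AclService aclService;
    // Copies of the strategies handed to the setters at the bottom of this class. They stay null
    // until those setters are called, in which case hasViewPermission fails with a
    // NullPointerException instead of returning a decision.
    // NOTE(review): confirm the wiring always injects both strategies.
    private ObjectIdentityRetrievalStrategy localObjectIdentityRetrievalStrategy;
    private SidRetrievalStrategy localSidRetrievalStrategy;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/bamboo/security/acegi/afterinvocation/GenericAclEntryAfterInvocationCollectionFilteringProvider$PermissionCache.class */
    /**
     * Memoises permission decisions for a single {@link Authentication}.
     *
     * <p>Backed by plain {@link HashMap}s, so an instance must stay confined to one thread. The
     * mapping functions below must not re-enter the map they are populating.
     */
    public class PermissionCache {
        private final Map<ProjectIdentifier, Optional<Boolean>> allowedByProject = new HashMap<>();
        private final Map<PlanKey, Boolean> planPermissionCache = new HashMap<>();
        private final Authentication authentication;

        public PermissionCache(Authentication authentication) {
            this.authentication = authentication;
        }

        /**
         * Resolves what the project-level ACLs say about plans of the given project.
         *
         * @param projectIdentifier project owning the plan under inspection
         * @return {@code Optional.of(FALSE)} when the principal lacks {@code READ} on the project
         *     (deny, do not look at the plan ACL); {@code Optional.of(TRUE)} when the parent's
         *     check passes for the project's {@link ProjectPlanPermissions}; empty when the
         *     project level gives no answer and the plan's own ACL must decide
         */
        public Optional<Boolean> hasPermissionFromProject(@NotNull ProjectIdentifier projectIdentifier) {
            return this.allowedByProject.computeIfAbsent(projectIdentifier, project -> {
                // Fail closed first: without view access to the project nothing below it is visible.
                if (!GenericAclEntryAfterInvocationCollectionFilteringProvider.this.hasViewPermission(this.authentication, project)) {
                    return Optional.of(Boolean.FALSE);
                }
                // Qualified super call: deliberately the parent's check, not the override in the
                // outer class. The decompiled form carried accessor-method casts
                // ((Provider) authentication, (Authentication) permissions) that neither compile
                // nor could succeed at run time; the arguments are passed with their real types.
                boolean grantedOnProject = GenericAclEntryAfterInvocationCollectionFilteringProvider.super.hasPermission(this.authentication, new ProjectPlanPermissions(project));
                return grantedOnProject ? Optional.of(Boolean.TRUE) : Optional.empty();
            });
        }

        /**
         * Returns whether the principal may see the plan with the given key, looking the plan up
         * through the cached plan manager and caching the outcome per key.
         *
         * @param planKey key of the plan (chain) to check
         * @return the cached or freshly computed decision
         */
        public boolean hasPlanPermission(@NotNull PlanKey planKey) {
            return this.planPermissionCache.computeIfAbsent(planKey, key -> {
                // NOTE(review): what getPlanByKey returns for an unknown key is not visible here.
                // If it can return null, that null is handed to the parent's hasPermission;
                // confirm that path denies access rather than throwing or granting.
                Object plan = GenericAclEntryAfterInvocationCollectionFilteringProvider.this.planManager.get().getPlanByKey(key);
                return GenericAclEntryAfterInvocationCollectionFilteringProvider.this.hasPermission(this.authentication, plan, this);
            });
        }
    }

    /**
     * Creates the provider.
     *
     * @param aclService ACL service used by the parent and by the project-level view check
     * @param str config attribute this provider reacts to (passed to {@code setProcessConfigAttribute})
     * @param permissionArr permissions the parent requires on each element
     */
    public GenericAclEntryAfterInvocationCollectionFilteringProvider(AclService aclService, String str, Permission[] permissionArr) {
        super(aclService, permissionArr);
        this.planManager = ComponentAccessor.CACHED_PLAN_MANAGER;
        this.aclService = aclService;
        setProcessConfigAttribute(str);
    }

    /**
     * Single-object check; uses a throw-away {@link PermissionCache}.
     *
     * @param authentication principal being checked
     * @param obj domain object the principal wants to see
     * @return {@code true} when access is granted
     */
    @Override
    protected boolean hasPermission(Authentication authentication, Object obj) {
        return hasPermission(authentication, obj, new PermissionCache(authentication));
    }

    /**
     * Core decision: result summaries are judged by their plan, plan identifiers first by their
     * project, and everything else (or an undecided project) by the parent's ACL check.
     */
    private boolean hasPermission(Authentication authentication, Object obj, PermissionCache permissionCache) {
        if (obj instanceof ResultsSummary) {
            return hasPermission((ResultsSummary) obj, permissionCache);
        }
        if (obj instanceof PlanIdentifier) {
            Optional<Boolean> projectDecision = permissionCache.hasPermissionFromProject(((PlanIdentifier) obj).getProject());
            if (projectDecision.isPresent()) {
                return projectDecision.get();
            }
        }
        return super.hasPermission(authentication, obj);
    }

    /**
     * Checks {@link #VIEW_PERMISSION} on {@code obj} for the principal's SIDs.
     *
     * @return the ACL's answer, or {@code false} when no ACL exists for the object
     */
    private boolean hasViewPermission(Authentication authentication, Object obj) {
        ObjectIdentity objectIdentity = this.localObjectIdentityRetrievalStrategy.getObjectIdentity(obj);
        Sid[] sids = this.localSidRetrievalStrategy.getSids(authentication);
        try {
            return this.aclService.readAclById(objectIdentity, sids).isGranted(VIEW_PERMISSION, sids, false);
        } catch (NotFoundException e) {
            // No ACL for this object: deny rather than guess.
            return false;
        }
    }

    /**
     * Filters {@code obj2} if one of the config attributes is supported by this provider.
     *
     * @param authentication principal the result is being returned to
     * @param obj secured object of the invocation (only forwarded to the parent for arrays)
     * @param configAttributeDefinition attributes configured for the invocation
     * @param obj2 object returned by the invocation; a collection, an array or {@code null}
     * @return {@code obj2} itself when no attribute is supported or the principal holds
     *     {@link Authority#RESTRICTED_ADMIN}; {@code null} for a {@code null} input; the parent's
     *     result for arrays; otherwise a new collection holding only the permitted elements
     * @throws AuthorizationServiceException if {@code obj2} is neither a collection nor an array
     * @throws AccessDeniedException declared by the overridden method
     */
    @Override
    public Object decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, Object obj2) throws AccessDeniedException {
        Iterator<?> configAttributes = configAttributeDefinition.getConfigAttributes();
        while (configAttributes.hasNext()) {
            if (!supports((ConfigAttribute) configAttributes.next())) {
                continue;
            }
            if (obj2 == null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Return object is null, skipping");
                }
                return null;
            }
            // Authorization bypass by design: restricted admins get the unfiltered result.
            if (BambooAcegiSecurityUtils.hasAuthority(authentication, Authority.RESTRICTED_ADMIN)) {
                return obj2;
            }
            if (!(obj2 instanceof Collection)) {
                if (obj2.getClass().isArray()) {
                    return super.decide(authentication, obj, configAttributeDefinition, obj2);
                }
                throw new AuthorizationServiceException("A Collection or an array (or null) was required as the returnedObject, but the returnedObject was: " + obj2);
            }
            return filterCollection(authentication, (Collection<?>) obj2);
        }
        return obj2;
    }

    /**
     * Copies the permitted elements of {@code returned}, in iteration order, into a new
     * collection of the same runtime type where that type can be instantiated.
     */
    private Collection<Object> filterCollection(Authentication authentication, Collection<?> returned) {
        PermissionCache permissionCache = new PermissionCache(authentication);
        Collection<Object> permitted = newCollectionLike(returned.getClass());
        for (Object element : returned) {
            // A null element has no domain object to check and is passed through unchanged.
            if (element == null) {
                permitted.add(null);
                continue;
            }
            if (hasPermission(authentication, element, permissionCache)) {
                permitted.add(element);
            } else if (logger.isDebugEnabled()) {
                logger.debug("Principal is NOT authorised for element: " + element);
            }
        }
        return permitted;
    }

    /**
     * Instantiates {@code cls} through its no-argument constructor, falling back to
     * {@link #createDefaultCollection} when that is not possible.
     */
    @SuppressWarnings("unchecked") // cls is the runtime class of a Collection instance
    private Collection<Object> newCollectionLike(Class<?> cls) {
        try {
            return (Collection<Object>) cls.newInstance();
        } catch (IllegalAccessException | InstantiationException e) {
            // Keep the cause in the log so the offending collection type can be identified.
            logger.error("Cannot instantiate original collection type, falling back on defaults", e);
            return createDefaultCollection(cls);
        }
    }

    /** Returns a {@link HashSet} for set types and an {@link ArrayList} for everything else. */
    private Collection<Object> createDefaultCollection(Class<?> cls) {
        if (Set.class.isAssignableFrom(cls)) {
            return new HashSet<>();
        }
        return new ArrayList<>();
    }

    /**
     * Judges a result summary by its plan: chain results by their own plan key, any other
     * result by the chain key derived from its (job) plan key.
     */
    private boolean hasPermission(ResultsSummary resultsSummary, PermissionCache permissionCache) {
        PlanKey chainKey = resultsSummary instanceof ChainResultsSummary
                ? resultsSummary.getPlanKey()
                : PlanKeys.getChainKeyFromJobKey(resultsSummary.getPlanKey());
        return permissionCache.hasPlanPermission(chainKey);
    }

    /** Sets the strategy on the parent and keeps a local copy for the project-level view check. */
    @Override
    public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
        super.setObjectIdentityRetrievalStrategy(objectIdentityRetrievalStrategy);
        this.localObjectIdentityRetrievalStrategy = objectIdentityRetrievalStrategy;
    }

    /** Sets the strategy on the parent and keeps a local copy for the project-level view check. */
    @Override
    public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) {
        super.setSidRetrievalStrategy(sidRetrievalStrategy);
        this.localSidRetrievalStrategy = sidRetrievalStrategy;
    }
}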
