package com.atlassian.bamboo.security;

import com.atlassian.bamboo.FeatureManager;
import com.atlassian.bamboo.applinks.ImpersonationServiceImpl;
import com.atlassian.bamboo.configuration.AdministrationConfigurationAccessor;
import com.atlassian.bamboo.executor.RetryingTaskExecutor;
import com.atlassian.bamboo.plan.PlanKey;
import com.atlassian.bamboo.plan.cache.CachedPlanManager;
import com.atlassian.bamboo.plan.cache.ImmutablePlan;
import com.atlassian.bamboo.project.Project;
import com.atlassian.bamboo.security.acegi.BambooAcegiSecurityUtils;
import com.atlassian.bamboo.security.acegi.acls.BambooPermission;
import com.atlassian.bamboo.security.acegi.acls.GroupPrincipalSid;
import com.atlassian.bamboo.security.acegi.acls.HibernateObjectIdentityImpl;
import com.atlassian.bamboo.user.BambooUser;
import com.atlassian.bamboo.user.BambooUserManager;
import com.atlassian.bamboo.user.DefaultBambooUser;
import com.atlassian.bamboo.util.Narrow;
import com.google.common.base.Predicate;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.UnmodifiableIterator;
import java.util.ArrayList;
import java.util.Collection;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.acls.AccessControlEntry;
import org.acegisecurity.acls.Acl;
import org.acegisecurity.acls.MutableAclService;
import org.acegisecurity.acls.NotFoundException;
import org.acegisecurity.acls.Permission;
import org.acegisecurity.acls.objectidentity.ObjectIdentity;
import org.acegisecurity.acls.objectidentity.ObjectIdentityRetrievalStrategy;
import org.acegisecurity.acls.sid.PrincipalSid;
import org.acegisecurity.acls.sid.SidRetrievalStrategy;
import org.acegisecurity.adapters.PrincipalAcegiUserToken;
import org.acegisecurity.context.SecurityContextHolder;
import org.apache.log4j.Logger;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:com/atlassian/bamboo/security/BambooPermissionManagerImpl.class */
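/**
 * ACL-backed implementation of {@link BambooPermissionManager}.
 *
 * <p>Every public check funnels into
 * {@link #hasPermission(Permission, Object, Authentication)}, which applies two
 * short-circuits before any ACL is consulted:
 * <ol>
 *   <li>an authentication holding one of the configured override authorities is granted
 *       everything;</li>
 *   <li>an authentication holding {@code DefaultBambooUser.RESTRICTED_ADMIN_AUTHORITY} is granted
 *       everything on objects that are not {@link GlobalApplicationSecureObject}, and on the global
 *       object whatever {@code BambooPermission.isGrantedForRestrictedAdmin} allows.</li>
 * </ol>
 * Anything that can hand out either authority therefore bypasses the ACL tables; both lists should
 * be reviewed together with the ACL entries when auditing access.
 *
 * <p>This listing is decompiler output (see the JADX markers), so local names and some generic
 * types are reconstructions rather than the original source.
 */
public class BambooPermissionManagerImpl implements BambooPermissionManager {
    private static final Logger log = Logger.getLogger(BambooPermissionManagerImpl.class);
    protected MutableAclService aclService;
    private SidRetrievalStrategy sidRetrievalStrategy;
    private ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy;
    private CachedPlanManager cachedPlanManager;
    // Authorities that bypass every ACL check; never null (see setOverrideAuthorities).
    private GrantedAuthority[] overrideAuthorities = new GrantedAuthority[0];
    private BambooUserManager bambooUserManager;
    private AdministrationConfigurationAccessor administrationConfigurationAccessor;

    @Autowired
    private FeatureManager featureManager;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.atlassian.bamboo.security.BambooPermissionManagerImpl$2, reason: invalid class name */
    /* loaded from: input_file:com/atlassian/bamboo/security/BambooPermissionManagerImpl$2.class */
    /**
     * Compiler-generated switch map recovered by the decompiler. It translates
     * {@code AncestorPermissionCheckPolicy} ordinals into the case numbers used by the ancestor-aware
     * {@code hasPermission} overload: {@code AND -> 1}, {@code OR -> 2}. A slot stays {@code 0} when
     * its constant is missing at run time.
     */
    public static /* synthetic */ class AnonymousClass2 {
        static final /* synthetic */ int[] $SwitchMap$com$atlassian$bamboo$security$acegi$acls$HibernateObjectIdentityImpl$AncestorPermissionCheckPolicy = new int[HibernateObjectIdentityImpl.AncestorPermissionCheckPolicy.values().length];

        static {
            try {
                $SwitchMap$com$atlassian$bamboo$security$acegi$acls$HibernateObjectIdentityImpl$AncestorPermissionCheckPolicy[HibernateObjectIdentityImpl.AncestorPermissionCheckPolicy.AND.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // Constant absent in the loaded enum version: leave the slot at 0 (no case matches).
            }
            try {
                $SwitchMap$com$atlassian$bamboo$security$acegi$acls$HibernateObjectIdentityImpl$AncestorPermissionCheckPolicy[HibernateObjectIdentityImpl.AncestorPermissionCheckPolicy.OR.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // Same as above for OR.
            }
        }
    }

    /**
     * Decides whether {@code authentication} holds {@code permission} on {@code obj}.
     *
     * @param permission the permission being tested
     * @param obj the domain object the permission applies to
     * @param authentication the caller to evaluate; when {@code null} the authentication of the
     *     current {@link SecurityContextHolder} context is used instead
     * @return {@code false} when no authentication is available at all; {@code true} when one of
     *     the two authority short-circuits applies; otherwise the result of the ACL lookup
     */
    public boolean hasPermission(@NotNull Permission permission, @NotNull Object obj, @Nullable Authentication authentication) {
        if (authentication == null) {
            authentication = SecurityContextHolder.getContext().getAuthentication();
        }
        if (authentication == null) {
            // Fail closed: nobody to evaluate.
            return false;
        }
        if (isOverrideAuthority(authentication)) {
            return true;
        }
        // Restricted admins skip the ACL lookup for every non-global object; on the global object
        // only the permissions BambooPermission marks as granted for restricted admins pass here.
        if (BambooAcegiSecurityUtils.hasAuthority(authentication, DefaultBambooUser.RESTRICTED_ADMIN_AUTHORITY)
                && (BambooPermission.isGrantedForRestrictedAdmin(permission) || !(obj instanceof GlobalApplicationSecureObject))) {
            return true;
        }
        ObjectIdentity identity = createObjectIdentity(obj);
        // NOTE(review): Narrow.to presumably yields null when the identity is not a
        // HibernateObjectIdentityImpl; the null test below relies on that - confirm.
        HibernateObjectIdentityImpl hibernateIdentity = (HibernateObjectIdentityImpl) Narrow.to(identity, HibernateObjectIdentityImpl.class);
        if (hibernateIdentity != null) {
            return hasPermission(permission, hibernateIdentity, authentication);
        }
        return hasPermission(permission, identity, authentication);
    }

    /**
     * Builds a predicate that accepts the non-null objects on which {@code authentication} holds
     * {@code bambooPermission}.
     *
     * @param bambooPermission the permission every accepted object must grant
     * @param authentication the caller to evaluate, or {@code null} for the current security context
     * @return a predicate that rejects {@code null} and delegates everything else to
     *     {@link #hasPermission(Permission, Object, Authentication)}
     */
    public Predicate<Object> hasPermission(@NotNull final BambooPermission bambooPermission, @Nullable final Authentication authentication) {
        return new Predicate<Object>() { // from class: com.atlassian.bamboo.security.BambooPermissionManagerImpl.1
            public boolean apply(@Nullable Object obj) {
                return obj != null && BambooPermissionManagerImpl.this.hasPermission((Permission) bambooPermission, obj, authentication);
            }
        };
    }

    /**
     * Reads the ACL stored for {@code obj}.
     *
     * <p>Unlike the permission checks, a {@link NotFoundException} from the ACL service is not
     * caught here.
     *
     * @param obj the domain object whose ACL is wanted
     * @return the ACL returned by the ACL service
     */
    public Acl getAcl(@NotNull Object obj) {
        return this.aclService.readAclById(createObjectIdentity(obj));
    }

    /**
     * Evaluates a permission for a named user rather than for the current session.
     *
     * <p>The check runs against a token built from the stored user record, so the outcome reflects
     * that user's authorities (including the override and restricted-admin short-circuits), not
     * those of whoever is calling.
     *
     * @param str the username to look up
     * @param permission the permission being tested
     * @param obj the domain object the permission applies to
     * @return {@code false} when the user cannot be loaded, otherwise the result of the check
     */
    public boolean hasPermission(@NotNull String str, @NotNull Permission permission, @NotNull Object obj) {
        BambooUser user = this.bambooUserManager.loadUserByUsername(str);
        if (user == null) {
            return false;
        }
        Authentication userToken = new PrincipalAcegiUserToken(
                ImpersonationServiceImpl.USER_TOKEN_KEY,
                user.getUsername(),
                user.getPassword(),
                user.getAuthorities(),
                user);
        return hasPermission(permission, obj, userToken);
    }

    /**
     * Checks a permission on the plan with the given key for the current security context.
     *
     * @return {@code false} when the plan is not known to the plan cache
     */
    public boolean hasPlanPermission(@NotNull Permission permission, @NotNull PlanKey planKey) {
        ImmutablePlan plan = this.cachedPlanManager.getPlanByKey(planKey);
        return plan != null && hasPermission(permission, plan, (Authentication) null);
    }

    /** Checks a permission on {@code immutablePlan} for the current security context. */
    public boolean hasPlanPermission(@NotNull Permission permission, @NotNull ImmutablePlan immutablePlan) {
        return hasPermission(permission, immutablePlan, (Authentication) null);
    }

    /** Checks a permission on the global application object for the current security context. */
    public boolean hasGlobalPermission(@NotNull Permission permission) {
        return hasPermission(permission, GlobalApplicationSecureObject.INSTANCE, (Authentication) null);
    }

    /**
     * Lists the plan permissions the current security context holds on a plan.
     *
     * @param planKey key of the plan to inspect
     * @return the entries of {@code BambooPermission.getPlanPermissionsList()} that are granted;
     *     empty when the plan is not known to the plan cache
     */
    public Collection<Permission> getPermissionsForPlan(@NotNull PlanKey planKey) {
        ArrayList<Permission> granted = Lists.newArrayList();
        ImmutablePlan plan = this.cachedPlanManager.getPlanByKey(planKey);
        if (plan == null) {
            return granted;
        }
        for (Object candidate : BambooPermission.getPlanPermissionsList()) {
            Permission permission = (Permission) candidate;
            if (hasPermission(permission, plan, (Authentication) null)) {
                granted.add(permission);
            }
        }
        return granted;
    }

    /**
     * Reports whether the plan cache returns at least one editable plan for {@code project}.
     *
     * @param project the project to inspect; {@code null} yields {@code false}
     */
    public boolean hasProjectEditPermission(Project project) {
        return project != null && !Iterables.isEmpty(this.cachedPlanManager.getEditablePlansByProject(project));
    }

    /** Returns the sign-up flag of the current administration configuration. */
    public boolean isEnableSignup() {
        return this.administrationConfigurationAccessor.getAdministrationConfiguration().isEnableSignup();
    }

    /** Groups with a global {@code ADMINISTRATION} ACL entry. */
    @NotNull
    public Collection<String> getAdminGroups() {
        return getGroupsWithPermission(BambooPermission.ADMINISTRATION);
    }

    /** Groups with a global {@code RESTRICTEDADMINISTRATION} ACL entry. */
    @NotNull
    public Collection<String> getRestrictedAdminGroups() {
        return getGroupsWithPermission(BambooPermission.RESTRICTEDADMINISTRATION);
    }

    /** Groups with a global {@code READ} ACL entry. */
    @NotNull
    public Collection<String> getUsePermissionGroups() {
        return getGroupsWithPermission(BambooPermission.READ);
    }

    /** Returns {@code DefaultBambooUser.DEFAULT_USERS_GROUP}. */
    @NotNull
    public String getDefaultUsersGroup() {
        return DefaultBambooUser.DEFAULT_USERS_GROUP;
    }

    /**
     * Collects the principals of all {@link GroupPrincipalSid} entries in the global ACL whose
     * permission equals {@code bambooPermission}.
     *
     * <p>Only the global ACL is read, and a {@link NotFoundException} from the ACL service is not
     * caught here.
     */
    @NotNull
    public Collection<String> getGroupsWithPermission(BambooPermission bambooPermission) {
        // Element type and the cast on getSid() were not recovered by the decompiler, hence the
        // raw list - NOTE(review): confirm against the Sid types before tightening the generics.
        ArrayList newArrayList = Lists.newArrayList();
        for (AccessControlEntry accessControlEntry : this.aclService.readAclById(new HibernateObjectIdentityImpl(GlobalApplicationSecureObject.INSTANCE)).getEntries()) {
            if (accessControlEntry.getPermission().equals(bambooPermission) && (accessControlEntry.getSid() instanceof GroupPrincipalSid)) {
                newArrayList.add(accessControlEntry.getSid().getPrincipal());
            }
        }
        return newArrayList;
    }

    /** Users with a global {@code ADMINISTRATION} ACL entry. */
    @NotNull
    public Collection<String> getAdminUsers() {
        return getUsersWithPermission(BambooPermission.ADMINISTRATION);
    }

    /** Users with a global {@code RESTRICTEDADMINISTRATION} ACL entry. */
    @NotNull
    public Collection<String> getRestrictedAdminUsers() {
        return getUsersWithPermission(BambooPermission.RESTRICTEDADMINISTRATION);
    }

    /** Users with a global {@code READ} ACL entry. */
    @NotNull
    public Collection<String> getUsePermissionUsers() {
        return getUsersWithPermission(BambooPermission.READ);
    }

    /**
     * Collects the principals of all {@link PrincipalSid} entries in the global ACL whose
     * permission equals {@code bambooPermission}.
     *
     * <p>Only the global ACL is read, and a {@link NotFoundException} from the ACL service is not
     * caught here.
     */
    @NotNull
    public Collection<String> getUsersWithPermission(BambooPermission bambooPermission) {
        // NOTE(review): instanceof also matches subclasses of PrincipalSid. If GroupPrincipalSid
        // extends PrincipalSid, group names end up in this "users" list - verify before relying on
        // it for an access review.
        ArrayList newArrayList = Lists.newArrayList();
        for (AccessControlEntry accessControlEntry : this.aclService.readAclById(new HibernateObjectIdentityImpl(GlobalApplicationSecureObject.INSTANCE)).getEntries()) {
            if (accessControlEntry.getPermission().equals(bambooPermission) && (accessControlEntry.getSid() instanceof PrincipalSid)) {
                newArrayList.add(accessControlEntry.getSid().getPrincipal());
            }
        }
        return newArrayList;
    }

    /**
     * Reports whether the named user holds global {@code ADMINISTRATION} or
     * {@code RESTRICTEDADMINISTRATION}.
     *
     * @param str the username to look up
     * @return {@code false} when the user cannot be loaded
     */
    public boolean isAdmin(String str) {
        if (this.bambooUserManager.loadUserByUsername(str) == null) {
            return false;
        }
        return hasPermission(str, (Permission) BambooPermission.ADMINISTRATION, (Object) GlobalApplicationSecureObject.INSTANCE)
                || hasPermission(str, (Permission) BambooPermission.RESTRICTEDADMINISTRATION, (Object) GlobalApplicationSecureObject.INSTANCE);
    }

    /**
     * Reports whether the named user holds global {@code ADMINISTRATION}.
     *
     * @param str the username to look up
     * @return {@code false} when the user cannot be loaded
     */
    public boolean isSystemAdmin(String str) {
        return this.bambooUserManager.loadUserByUsername(str) != null
                && hasPermission(str, (Permission) BambooPermission.ADMINISTRATION, (Object) GlobalApplicationSecureObject.INSTANCE);
    }

    /**
     * Decides whether the current security context may assign {@code permission} globally.
     *
     * <p>Assigning {@code ADMINISTRATION} requires global {@code ADMINISTRATION}; any other
     * permission may also be assigned by a holder of global {@code RESTRICTEDADMINISTRATION}. This
     * is what stops a restricted admin from promoting an account to full administrator.
     */
    public boolean isAllowedToSetGlobalPermission(@NotNull Permission permission) {
        boolean isFullAdmin = hasGlobalPermission(BambooPermission.ADMINISTRATION);
        if (permission.equals(BambooPermission.ADMINISTRATION)) {
            return isFullAdmin;
        }
        return isFullAdmin || hasGlobalPermission(BambooPermission.RESTRICTEDADMINISTRATION);
    }

    /** Applies the agent-management rule of {@link #hasAgentManagementPermission()}. */
    public boolean canManageElasticBamboo() {
        return hasAgentManagementPermission();
    }

    /** Applies the agent-management rule of {@link #hasAgentManagementPermission()}. */
    public boolean canManageAgents() {
        return hasAgentManagementPermission();
    }

    /**
     * Shared rule for agent and elastic management: global {@code ADMINISTRATION} is required when
     * the feature manager reports Atlassian agents, global {@code RESTRICTEDADMINISTRATION}
     * otherwise.
     */
    private boolean hasAgentManagementPermission() {
        return hasGlobalPermission(this.featureManager.isAtlassianAgents() ? BambooPermission.ADMINISTRATION : BambooPermission.RESTRICTEDADMINISTRATION);
    }

    /**
     * ACL check that also takes the identity's ancestor into account.
     *
     * <p>The identity's own ACL is evaluated first. When an ancestor identity exists, the policy
     * returned by {@code getAncestorPermissionCheckPolicy(permission)} decides how the ancestor's
     * result is combined: {@code AND} requires both, {@code OR} accepts either. Any other policy
     * leaves the identity's own result untouched.
     */
    protected boolean hasPermission(@NotNull Permission permission, @NotNull HibernateObjectIdentityImpl hibernateObjectIdentityImpl, @NotNull Authentication authentication) {
        boolean granted = hasPermission(permission, (ObjectIdentity) hibernateObjectIdentityImpl, authentication);
        HibernateObjectIdentityImpl ancestorIdentity = hibernateObjectIdentityImpl.getAncestorIdentity();
        if (ancestorIdentity != null) {
            // Case labels are the literal values stored in AnonymousClass2. The decompiler had
            // rendered the second label as an unrelated retry constant that happens to equal 2,
            // which would silently change authorization if that constant were ever retuned.
            switch (AnonymousClass2.$SwitchMap$com$atlassian$bamboo$security$acegi$acls$HibernateObjectIdentityImpl$AncestorPermissionCheckPolicy[hibernateObjectIdentityImpl.getAncestorPermissionCheckPolicy(permission).ordinal()]) {
                case 1: // AND
                    granted = granted && hasPermission(permission, ancestorIdentity, authentication);
                    break;
                case 2: // OR
                    granted = granted || hasPermission(permission, ancestorIdentity, authentication);
                    break;
                default:
                    // Unmapped policy: the ancestor is not consulted.
                    break;
            }
        }
        return granted;
    }

    /**
     * Plain ACL check for one identity.
     *
     * @return the ACL's {@code isGranted} answer for the SIDs of {@code authentication}, or
     *     {@code false} when the ACL service throws {@link NotFoundException} (fail closed)
     */
    protected boolean hasPermission(@NotNull Permission permission, @NotNull ObjectIdentity objectIdentity, @NotNull Authentication authentication) {
        try {
            return this.aclService.readAclById(objectIdentity).isGranted(new Permission[]{permission}, this.sidRetrievalStrategy.getSids(authentication), false);
        } catch (NotFoundException e) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Maps a domain object to its ACL identity through the configured retrieval strategy. */
    public ObjectIdentity createObjectIdentity(@NotNull Object obj) {
        return this.objectIdentityRetrievalStrategy.getObjectIdentity(obj);
    }

    /**
     * Reports whether {@code authentication} carries any configured override authority, compared
     * by authority name.
     *
     * <p>An authentication without an authority array matches nothing, so the caller falls through
     * to the regular checks instead of failing with a {@link NullPointerException}.
     */
    private boolean isOverrideAuthority(@NotNull Authentication authentication) {
        if (this.overrideAuthorities.length == 0) {
            return false;
        }
        // May be null for tokens built without authorities.
        GrantedAuthority[] heldAuthorities = authentication.getAuthorities();
        if (heldAuthorities == null) {
            return false;
        }
        for (GrantedAuthority held : heldAuthorities) {
            for (GrantedAuthority override : this.overrideAuthorities) {
                if (override.getAuthority().equals(held.getAuthority())) {
                    return true;
                }
            }
        }
        return false;
    }

    public void setAdministrationConfigurationAccessor(AdministrationConfigurationAccessor administrationConfigurationAccessor) {
        this.administrationConfigurationAccessor = administrationConfigurationAccessor;
    }

    public void setAclService(MutableAclService mutableAclService) {
        this.aclService = mutableAclService;
    }

    public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) {
        this.sidRetrievalStrategy = sidRetrievalStrategy;
    }

    public void setCachedPlanManager(CachedPlanManager cachedPlanManager) {
        this.cachedPlanManager = cachedPlanManager;
    }

    /**
     * Configures the authorities that bypass every ACL check.
     *
     * <p>The array is copied so that later changes to the caller's array cannot widen or narrow
     * the bypass list, and {@code null} is stored as an empty list (no bypass) rather than left to
     * fail on the next permission check.
     *
     * @param grantedAuthorityArr the override authorities, or {@code null} for none
     */
    public void setOverrideAuthorities(GrantedAuthority[] grantedAuthorityArr) {
        this.overrideAuthorities = grantedAuthorityArr == null ? new GrantedAuthority[0] : grantedAuthorityArr.clone();
    }

    public void setBambooUserManager(BambooUserManager bambooUserManager) {
        this.bambooUserManager = bambooUserManager;
    }

    public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) {
        this.objectIdentityRetrievalStrategy = objectIdentityRetrievalStrategy;
    }
}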
