package org.sonar.server.permission;

import java.util.List;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
import org.sonar.api.security.DefaultGroups;
import org.sonar.core.permission.GlobalPermissions;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.permission.PermissionRepository;
import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto;
import org.sonar.server.component.ComponentFinder;
import org.sonar.server.exceptions.BadRequestException;
import org.sonar.server.issue.index.IssueAuthorizationIndexer;
import org.sonar.server.permission.ws.PermissionRequestValidator;
import org.sonar.server.user.UserSession;

/* loaded from: input_file:org/sonar/server/permission/PermissionUpdater.class */
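/**
 * Applies a single permission change (grant or revoke) for a user or a group.
 *
 * <p>A change without a component key is applied with a {@code null} component id; a change with
 * a component key is applied to the component resolved through {@link ComponentFinder}. After a
 * committed change that carries a component key, {@link IssueAuthorizationIndexer#index()} is
 * invoked.
 *
 * <p>Every change goes through {@link #applyChange}, which requires a logged-in session, validates
 * the request and then delegates the privilege check to {@code PermissionPrivilegeChecker}.
 */
public class PermissionUpdater {
    private static final String OBJECT_TYPE_USER = "User";
    private static final String OBJECT_TYPE_GROUP = "Group";
    private static final String NOT_FOUND_FORMAT = "%s %s does not exist";
    // Permission key guarded by the "last admin" checks below.
    private static final String ADMIN_PERMISSION = "admin";
    private final DbClient dbClient;
    private final PermissionRepository permissionRepository;
    private final IssueAuthorizationIndexer issueAuthorizationIndexer;
    private final UserSession userSession;
    private final ComponentFinder componentFinder;

    /**
     * Direction of a permission change.
     *
     * <p>Decompiler note: this enum was reported as originally declared {@code private}.
     */
    public enum Operation {
        ADD,
        REMOVE
    }

    public PermissionUpdater(DbClient dbClient, PermissionRepository permissionRepository, IssueAuthorizationIndexer issueAuthorizationIndexer, UserSession userSession, ComponentFinder componentFinder) {
        this.dbClient = dbClient;
        this.permissionRepository = permissionRepository;
        this.issueAuthorizationIndexer = issueAuthorizationIndexer;
        this.userSession = userSession;
        this.componentFinder = componentFinder;
    }

    /**
     * @return the list exposed as {@code GlobalPermissions.ALL} (the same instance, not a copy)
     */
    public static List<String> globalPermissions() {
        return GlobalPermissions.ALL;
    }

    /**
     * Grants the permission described by {@code permissionChange}.
     *
     * @param permissionChange the requested change; validated before anything is written
     */
    public void addPermission(PermissionChange permissionChange) {
        DbSession session = this.dbClient.openSession(false);
        try {
            applyChange(Operation.ADD, permissionChange, session);
        } finally {
            // finally (instead of a close duplicated in a catch-all) closes the session exactly
            // once on every path, including when the close itself fails.
            this.dbClient.closeSession(session);
        }
    }

    /**
     * Revokes the permission described by {@code permissionChange}.
     *
     * @param permissionChange the requested change; validated before anything is written
     */
    public void removePermission(PermissionChange permissionChange) {
        DbSession session = this.dbClient.openSession(false);
        try {
            applyChange(Operation.REMOVE, permissionChange, session);
        } finally {
            // NOTE(review): closes through DbSession.close() while addPermission goes through
            // DbClient.closeSession(); confirm the difference is intentional.
            session.close();
        }
    }

    /**
     * Entry point shared by add and remove: requires a logged-in session, validates the request,
     * applies it to the user or the group, and commits only when something actually changed.
     */
    private void applyChange(Operation operation, PermissionChange permissionChange, DbSession dbSession) {
        this.userSession.checkLoggedIn();
        permissionChange.validate();
        // A change carrying a user login targets that user; otherwise it targets the group.
        boolean changed;
        if (permissionChange.userLogin() != null) {
            changed = applyChangeOnUser(dbSession, operation, permissionChange);
        } else {
            changed = applyChangeOnGroup(dbSession, operation, permissionChange);
        }
        if (!changed) {
            return;
        }
        dbSession.commit();
        if (permissionChange.componentKey() != null) {
            indexProjectPermissions();
        }
    }

    /**
     * Applies the change to a group.
     *
     * @return {@code false} when the change is a no-op (permission already present on ADD, already
     *     absent on REMOVE), {@code true} after a row was inserted or deleted
     */
    private boolean applyChangeOnGroup(DbSession dbSession, Operation operation, PermissionChange permissionChange) {
        // NOTE(review): the component lookup runs before the privilege check. If an unknown key
        // fails differently from an unauthorized caller, a logged-in user without admin rights
        // could tell existing component keys from non-existing ones. Confirm, and consider
        // checking privileges first.
        Long componentId = getComponentId(dbSession, permissionChange.componentKey());
        PermissionPrivilegeChecker.checkProjectAdminUserByComponentKey(this.userSession, permissionChange.componentKey());
        List<String> currentPermissions = this.dbClient.roleDao().selectGroupPermissions(dbSession, permissionChange.groupName(), componentId);
        if (shouldSkipPermissionChange(operation, currentPermissions, permissionChange)) {
            return false;
        }
        Long targetedGroup = getTargetedGroup(dbSession, permissionChange.groupName());
        String permission = permissionChange.permission();
        if (Operation.ADD == operation) {
            // By its name, rejects granting the admin permission to the "Anyone" group - verify
            // against PermissionRequestValidator.
            PermissionRequestValidator.validateNotAnyoneAndAdminPermission(permission, permissionChange.groupName());
            this.permissionRepository.insertGroupPermission(componentId, targetedGroup, permission, dbSession);
            return true;
        }
        checkAdminUsersExistOutsideTheRemovedGroup(dbSession, permissionChange, targetedGroup);
        this.permissionRepository.deleteGroupPermission(componentId, targetedGroup, permission, dbSession);
        return true;
    }

    /**
     * Applies the change to a user.
     *
     * @return {@code false} when the change is a no-op (permission already present on ADD, already
     *     absent on REMOVE), {@code true} after a row was inserted or deleted
     */
    private boolean applyChangeOnUser(DbSession dbSession, Operation operation, PermissionChange permissionChange) {
        // NOTE(review): same ordering as applyChangeOnGroup - the component is resolved before the
        // caller's privileges are checked; confirm this cannot reveal which keys exist.
        Long componentId = getComponentId(dbSession, permissionChange.componentKey());
        PermissionPrivilegeChecker.checkProjectAdminUserByComponentKey(this.userSession, permissionChange.componentKey());
        List<String> currentPermissions = this.dbClient.roleDao().selectUserPermissions(dbSession, permissionChange.userLogin(), componentId);
        if (shouldSkipPermissionChange(operation, currentPermissions, permissionChange)) {
            return false;
        }
        Long targetedUser = getTargetedUser(dbSession, permissionChange.userLogin());
        if (Operation.ADD == operation) {
            this.permissionRepository.insertUserPermission(componentId, targetedUser, permissionChange.permission(), dbSession);
            return true;
        }
        checkOtherAdminUsersExist(dbSession, permissionChange);
        this.permissionRepository.deleteUserPermission(componentId, targetedUser, permissionChange.permission(), dbSession);
        return true;
    }

    /**
     * Refuses to remove the global "admin" permission from a user when the count returned by
     * {@code countUserPermissions} is at most one.
     *
     * <p>NOTE(review): the count and the later delete are separate statements; nothing visible in
     * this class stops two concurrent removals from both passing this check. Confirm the
     * isolation level or locking if the "at least one admin" guarantee must hold under concurrency.
     *
     * @throws BadRequestException when the removal would leave no user with the permission
     */
    private void checkOtherAdminUsersExist(DbSession dbSession, PermissionChange permissionChange) {
        if (!ADMIN_PERMISSION.equals(permissionChange.permission()) || permissionChange.componentKey() != null) {
            // Only the global admin permission is protected.
            return;
        }
        if (this.dbClient.roleDao().countUserPermissions(dbSession, permissionChange.permission(), (Long) null) <= 1) {
            throw new BadRequestException(String.format("Last user with '%s' permission. Permission cannot be removed.", ADMIN_PERMISSION), new Object[0]);
        }
    }

    /**
     * Refuses to remove the global "admin" permission from a group when
     * {@code countUserPermissions}, called with that group id, returns zero or less. The check is
     * skipped when {@code groupId} is {@code null} (the "Anyone" group).
     *
     * <p>NOTE(review): presumably the count excludes users who hold the permission only through
     * the given group; verify against the DAO. The count-then-delete sequence has the same
     * concurrency caveat as {@link #checkOtherAdminUsersExist}.
     *
     * @throws BadRequestException when the removal would leave no admin outside the group
     */
    private void checkAdminUsersExistOutsideTheRemovedGroup(DbSession dbSession, PermissionChange permissionChange, @Nullable Long groupId) {
        if (!ADMIN_PERMISSION.equals(permissionChange.permission()) || groupId == null || permissionChange.componentKey() != null) {
            return;
        }
        if (this.dbClient.roleDao().countUserPermissions(dbSession, permissionChange.permission(), groupId) <= 0) {
            throw new BadRequestException(String.format("Last group with '%s' permission. Permission cannot be removed.", ADMIN_PERMISSION), new Object[0]);
        }
    }

    /**
     * Resolves the id of the active user with the given login.
     *
     * @throws BadRequestException when no active user has that login
     */
    private Long getTargetedUser(DbSession dbSession, String login) {
        UserDto user = this.dbClient.userDao().selectActiveUserByLogin(dbSession, login);
        badRequestIfNullResult(user, OBJECT_TYPE_USER, login);
        return user.getId();
    }

    /**
     * Resolves the id of the named group.
     *
     * @return the group id, or {@code null} when {@code DefaultGroups.isAnyone} accepts the name
     * @throws BadRequestException when no group has that name
     */
    @Nullable
    private Long getTargetedGroup(DbSession dbSession, String groupName) {
        if (DefaultGroups.isAnyone(groupName)) {
            return null;
        }
        GroupDto group = this.dbClient.groupDao().selectByName(dbSession, groupName);
        badRequestIfNullResult(group, OBJECT_TYPE_GROUP, groupName);
        return group.getId();
    }

    /**
     * @return {@code true} when the change would be a no-op: adding a permission already in
     *     {@code currentPermissions}, or removing one that is not in it
     */
    private static boolean shouldSkipPermissionChange(Operation operation, List<String> currentPermissions, PermissionChange permissionChange) {
        boolean alreadyGranted = currentPermissions.contains(permissionChange.permission());
        if (Operation.ADD == operation) {
            return alreadyGranted;
        }
        return Operation.REMOVE == operation && !alreadyGranted;
    }

    /**
     * @return the id of the component with the given key, or {@code null} when the key is
     *     {@code null} (global permission)
     */
    @CheckForNull
    private Long getComponentId(DbSession dbSession, @Nullable String componentKey) {
        if (componentKey == null) {
            return null;
        }
        return this.componentFinder.getByKey(dbSession, componentKey).getId();
    }

    /**
     * @return {@code obj} when it is not {@code null}
     * @throws BadRequestException with a "{type} {name} does not exist" message when it is
     */
    private static Object badRequestIfNullResult(@Nullable Object obj, String objectType, String objectKey) {
        if (obj == null) {
            throw new BadRequestException(String.format(NOT_FOUND_FORMAT, objectType, objectKey), new Object[0]);
        }
        return obj;
    }

    /** Invokes the issue authorization indexer after a component-scoped permission change. */
    private void indexProjectPermissions() {
        this.issueAuthorizationIndexer.index();
    }
}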
