package org.sonar.server.permission;

import java.util.List;
import java.util.Optional;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.permission.GroupPermissionDto;
import org.sonar.server.permission.ws.PermissionRequestValidator;
import org.sonar.server.ws.WsUtils;

/* loaded from: input_file:org/sonar/server/permission/GroupPermissionChanger.class */
public class GroupPermissionChanger {
    private final DbClient dbClient;

    public GroupPermissionChanger(DbClient dbClient) {
        this.dbClient = dbClient;
    }

    public boolean apply(DbSession dbSession, GroupPermissionChange groupPermissionChange) {
        switch (groupPermissionChange.getOperation()) {
            case ADD:
                return addPermission(dbSession, groupPermissionChange);
            case REMOVE:
                return removePermission(dbSession, groupPermissionChange);
            default:
                throw new UnsupportedOperationException("Unsupported permission change: " + groupPermissionChange.getOperation());
        }
    }

    private boolean addPermission(DbSession dbSession, GroupPermissionChange groupPermissionChange) {
        if (loadExistingPermissions(dbSession, groupPermissionChange).contains(groupPermissionChange.getPermission())) {
            return false;
        }
        PermissionRequestValidator.validateNotAnyoneAndAdminPermission(groupPermissionChange.getPermission(), groupPermissionChange.getGroupIdOrAnyone());
        this.dbClient.groupPermissionDao().insert(dbSession, new GroupPermissionDto().setRole(groupPermissionChange.getPermission()).setOrganizationUuid(groupPermissionChange.getOrganizationUuid()).setGroupId(groupPermissionChange.getGroupIdOrAnyone().getId()).setResourceId(groupPermissionChange.getNullableProjectId()));
        return true;
    }

    private boolean removePermission(DbSession dbSession, GroupPermissionChange groupPermissionChange) {
        if (!loadExistingPermissions(dbSession, groupPermissionChange).contains(groupPermissionChange.getPermission())) {
            return false;
        }
        checkIfRemainingGlobalAdministrators(dbSession, groupPermissionChange);
        this.dbClient.groupPermissionDao().delete(dbSession, groupPermissionChange.getPermission(), groupPermissionChange.getOrganizationUuid(), groupPermissionChange.getGroupIdOrAnyone().getId(), groupPermissionChange.getNullableProjectId());
        return true;
    }

    private List<String> loadExistingPermissions(DbSession dbSession, GroupPermissionChange groupPermissionChange) {
        Optional<ProjectId> projectId = groupPermissionChange.getProjectId();
        return projectId.isPresent() ? this.dbClient.groupPermissionDao().selectProjectPermissionsOfGroup(dbSession, groupPermissionChange.getOrganizationUuid(), groupPermissionChange.getGroupIdOrAnyone().getId(), projectId.get().getId()) : this.dbClient.groupPermissionDao().selectGlobalPermissionsOfGroup(dbSession, groupPermissionChange.getOrganizationUuid(), groupPermissionChange.getGroupIdOrAnyone().getId());
    }

    private void checkIfRemainingGlobalAdministrators(DbSession dbSession, GroupPermissionChange groupPermissionChange) {
        if (!"admin".equals(groupPermissionChange.getPermission()) || groupPermissionChange.getGroupIdOrAnyone().isAnyone() || groupPermissionChange.getProjectId().isPresent()) {
            return;
        }
        WsUtils.checkRequest(this.dbClient.authorizationDao().countUsersWithGlobalPermissionExcludingGroup(dbSession, groupPermissionChange.getOrganizationUuid(), "admin", groupPermissionChange.getGroupIdOrAnyone().getId().longValue()) > 0, "Last group with permission '%s'. Permission cannot be removed.", "admin");
    }
}
