package org.sonar.server.permission;

import org.assertj.core.api.Assertions;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.sonar.api.utils.System2;
import org.sonar.core.permission.ProjectPermissions;
import org.sonar.db.DbTester;
import org.sonar.db.component.ComponentDto;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.permission.GroupPermissionDto;
import org.sonar.db.permission.OrganizationPermission;
import org.sonar.db.user.GroupDto;
import org.sonar.server.exceptions.BadRequestException;
import org.sonar.server.permission.PermissionChange;
import org.sonar.server.usergroups.ws.GroupIdOrAnyone;

/* loaded from: input_file:org/sonar/server/permission/GroupPermissionChangerTest.class */
public class GroupPermissionChangerTest {

    @Rule
    public DbTester db = DbTester.create(System2.INSTANCE);

    @Rule
    public ExpectedException expectedException = ExpectedException.none();
    private GroupPermissionChanger underTest = new GroupPermissionChanger(this.db.getDbClient());

    /* renamed from: org, reason: collision with root package name */
    private OrganizationDto f0org;
    private GroupDto group;
    private ComponentDto privateProject;
    private ComponentDto publicProject;

    @Before
    public void setUp() throws Exception {
        this.f0org = this.db.organizations().insert();
        this.group = this.db.users().insertGroup(this.f0org, "a-group");
        this.privateProject = this.db.components().insertPrivateProject(this.f0org);
        this.publicProject = this.db.components().insertPublicProject(this.f0org);
    }

    @Test
    public void apply_adds_organization_permission_to_group() {
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, "gateadmin", (ProjectId) null, GroupIdOrAnyone.from(this.group)));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, (ComponentDto) null)).containsOnly(new String[]{"gateadmin"});
    }

    @Test
    public void apply_adds_organization_permission_to_group_AnyOne() {
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, "gateadmin", (ProjectId) null, GroupIdOrAnyone.forAnyone(this.f0org.getUuid())));
        Assertions.assertThat(this.db.users().selectAnyonePermissions(this.f0org, (ComponentDto) null)).containsOnly(new String[]{"gateadmin"});
    }

    @Test
    public void apply_fails_with_BadRequestException_when_adding_any_permission_to_group_AnyOne_on_private_project() {
        GroupIdOrAnyone forAnyone = GroupIdOrAnyone.forAnyone(this.f0org.getUuid());
        ProjectPermissions.ALL.forEach(str -> {
            try {
                apply(new GroupPermissionChange(PermissionChange.Operation.ADD, str, new ProjectId(this.privateProject), forAnyone));
                Assertions.fail("a BadRequestException should have been thrown");
            } catch (BadRequestException e) {
                Assertions.assertThat(e).hasMessage("No permission can be granted to Anyone on a private component");
            }
        });
    }

    @Test
    public void apply_has_no_effect_when_removing_any_permission_to_group_AnyOne_on_private_project() {
        ProjectPermissions.ALL.forEach(this::unsafeInsertProjectPermissionOnAnyone);
        GroupIdOrAnyone forAnyone = GroupIdOrAnyone.forAnyone(this.f0org.getUuid());
        ProjectPermissions.ALL.forEach(str -> {
            apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, str, new ProjectId(this.privateProject), forAnyone));
            Assertions.assertThat(this.db.users().selectAnyonePermissions(this.f0org, this.privateProject)).contains(new String[]{str});
        });
    }

    @Test
    public void apply_adds_permission_USER_to_group_on_private_project() {
        applyAddsPermissionToGroupOnPrivateProject("user");
    }

    @Test
    public void apply_adds_permission_CODEVIEWER_to_group_on_private_project() {
        applyAddsPermissionToGroupOnPrivateProject("codeviewer");
    }

    @Test
    public void apply_adds_permission_ADMIN_to_group_on_private_project() {
        applyAddsPermissionToGroupOnPrivateProject("admin");
    }

    @Test
    public void apply_adds_permission_ISSUE_ADMIN_to_group_on_private_project() {
        applyAddsPermissionToGroupOnPrivateProject("issueadmin");
    }

    @Test
    public void apply_adds_permission_SCAN_EXECUTION_to_group_on_private_project() {
        applyAddsPermissionToGroupOnPrivateProject("scan");
    }

    private void applyAddsPermissionToGroupOnPrivateProject(String str) {
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, str, new ProjectId(this.privateProject), GroupIdOrAnyone.from(this.group)));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, (ComponentDto) null)).isEmpty();
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, this.privateProject)).containsOnly(new String[]{str});
    }

    @Test
    public void apply_removes_permission_USER_from_group_on_private_project() {
        applyRemovesPermissionFromGroupOnPrivateProject("user");
    }

    @Test
    public void apply_removes_permission_CODEVIEWER_from_group_on_private_project() {
        applyRemovesPermissionFromGroupOnPrivateProject("codeviewer");
    }

    @Test
    public void apply_removes_permission_ADMIN_from_on_private_project() {
        applyRemovesPermissionFromGroupOnPrivateProject("admin");
    }

    @Test
    public void apply_removes_permission_ISSUE_ADMIN_from_on_private_project() {
        applyRemovesPermissionFromGroupOnPrivateProject("issueadmin");
    }

    @Test
    public void apply_removes_permission_SCAN_EXECUTION_from_on_private_project() {
        applyRemovesPermissionFromGroupOnPrivateProject("scan");
    }

    private void applyRemovesPermissionFromGroupOnPrivateProject(String str) {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        this.db.users().insertProjectPermissionOnGroup(this.group, str, this.privateProject);
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, str, new ProjectId(this.privateProject), from));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, this.privateProject)).containsOnly(new String[]{str});
    }

    @Test
    public void apply_has_no_effect_when_adding_USER_permission_to_group_AnyOne_on_a_public_project() {
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, "user", new ProjectId(this.publicProject), GroupIdOrAnyone.forAnyone(this.f0org.getUuid())));
        Assertions.assertThat(this.db.users().selectAnyonePermissions(this.f0org, this.publicProject)).isEmpty();
    }

    @Test
    public void apply_has_no_effect_when_adding_CODEVIEWER_permission_to_group_AnyOne_on_a_public_project() {
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, "codeviewer", new ProjectId(this.publicProject), GroupIdOrAnyone.forAnyone(this.f0org.getUuid())));
        Assertions.assertThat(this.db.users().selectAnyonePermissions(this.f0org, this.publicProject)).isEmpty();
    }

    @Test
    public void apply_fails_with_BadRequestException_when_adding_permission_ADMIN_to_group_AnyOne_on_a_public_project() {
        GroupIdOrAnyone forAnyone = GroupIdOrAnyone.forAnyone(this.f0org.getUuid());
        this.expectedException.expect(BadRequestException.class);
        this.expectedException.expectMessage("It is not possible to add the 'admin' permission to group 'Anyone'");
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, "admin", new ProjectId(this.publicProject), forAnyone));
    }

    @Test
    public void apply_adds_permission_ISSUE_ADMIN_to_group_AnyOne_on_a_public_project() {
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, "issueadmin", new ProjectId(this.publicProject), GroupIdOrAnyone.forAnyone(this.f0org.getUuid())));
        Assertions.assertThat(this.db.users().selectAnyonePermissions(this.f0org, this.publicProject)).containsOnly(new String[]{"issueadmin"});
    }

    @Test
    public void apply_adds_permission_SCAN_EXECUTION_to_group_AnyOne_on_a_public_project() {
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, "scan", new ProjectId(this.publicProject), GroupIdOrAnyone.forAnyone(this.f0org.getUuid())));
        Assertions.assertThat(this.db.users().selectAnyonePermissions(this.f0org, this.publicProject)).containsOnly(new String[]{"scan"});
    }

    @Test
    public void apply_fails_with_BadRequestException_when_removing_USER_permission_from_group_AnyOne_on_a_public_project() {
        GroupIdOrAnyone forAnyone = GroupIdOrAnyone.forAnyone(this.f0org.getUuid());
        this.expectedException.expect(BadRequestException.class);
        this.expectedException.expectMessage("Permission user can't be removed from a public component");
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, "user", new ProjectId(this.publicProject), forAnyone));
    }

    @Test
    public void apply_fails_with_BadRequestException_when_removing_CODEVIEWER_permission_from_group_AnyOne_on_a_public_project() {
        GroupIdOrAnyone forAnyone = GroupIdOrAnyone.forAnyone(this.f0org.getUuid());
        this.expectedException.expect(BadRequestException.class);
        this.expectedException.expectMessage("Permission codeviewer can't be removed from a public component");
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, "codeviewer", new ProjectId(this.publicProject), forAnyone));
    }

    @Test
    public void apply_removes_ADMIN_permission_from_group_AnyOne_on_a_public_project() {
        applyRemovesPermissionFromGroupAnyOneOnAPublicProject("admin");
    }

    @Test
    public void apply_removes_ISSUE_ADMIN_permission_from_group_AnyOne_on_a_public_project() {
        applyRemovesPermissionFromGroupAnyOneOnAPublicProject("issueadmin");
    }

    @Test
    public void apply_removes_SCAN_EXECUTION_permission_from_group_AnyOne_on_a_public_project() {
        applyRemovesPermissionFromGroupAnyOneOnAPublicProject("scan");
    }

    private void applyRemovesPermissionFromGroupAnyOneOnAPublicProject(String str) {
        GroupIdOrAnyone forAnyone = GroupIdOrAnyone.forAnyone(this.f0org.getUuid());
        this.db.users().insertProjectPermissionOnAnyone(str, this.publicProject);
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, str, new ProjectId(this.publicProject), forAnyone));
        Assertions.assertThat(this.db.users().selectAnyonePermissions(this.f0org, this.publicProject)).isEmpty();
    }

    @Test
    public void apply_fails_with_BadRequestException_when_removing_USER_permission_from_a_group_on_a_public_project() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        this.expectedException.expect(BadRequestException.class);
        this.expectedException.expectMessage("Permission user can't be removed from a public component");
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, "user", new ProjectId(this.publicProject), from));
    }

    @Test
    public void apply_fails_with_BadRequestException_when_removing_CODEVIEWER_permission_from_a_group_on_a_public_project() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        this.expectedException.expect(BadRequestException.class);
        this.expectedException.expectMessage("Permission codeviewer can't be removed from a public component");
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, "codeviewer", new ProjectId(this.publicProject), from));
    }

    @Test
    public void add_permission_to_anyone() {
        OrganizationDto defaultOrganization = this.db.getDefaultOrganization();
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, "gateadmin", (ProjectId) null, GroupIdOrAnyone.forAnyone(defaultOrganization.getUuid())));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, (ComponentDto) null)).isEmpty();
        Assertions.assertThat(this.db.users().selectAnyonePermissions(defaultOrganization, (ComponentDto) null)).containsOnly(new String[]{"gateadmin"});
    }

    @Test
    public void do_nothing_when_adding_permission_that_already_exists() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        this.db.users().insertPermissionOnGroup(this.group, OrganizationPermission.ADMINISTER_QUALITY_GATES);
        apply(new GroupPermissionChange(PermissionChange.Operation.ADD, OrganizationPermission.ADMINISTER_QUALITY_GATES.getKey(), (ProjectId) null, from));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, (ComponentDto) null)).containsOnly(new String[]{OrganizationPermission.ADMINISTER_QUALITY_GATES.getKey()});
    }

    @Test
    public void fail_to_add_global_permission_but_SCAN_and_ADMIN_on_private_project() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        OrganizationPermission.all().map((v0) -> {
            return v0.getKey();
        }).filter(str -> {
            return ("admin".equals(str) || "scan".equals(str)) ? false : true;
        }).forEach(str2 -> {
            try {
                apply(new GroupPermissionChange(PermissionChange.Operation.ADD, str2, new ProjectId(this.privateProject), from));
                Assertions.fail("a BadRequestException should have been thrown for permission " + str2);
            } catch (BadRequestException e) {
                Assertions.assertThat(e).hasMessage("Invalid project permission '" + str2 + "'. Valid values are [admin, codeviewer, issueadmin, scan, user]");
            }
        });
    }

    @Test
    public void fail_to_add_global_permission_but_SCAN_and_ADMIN_on_public_project() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        OrganizationPermission.all().map((v0) -> {
            return v0.getKey();
        }).filter(str -> {
            return ("admin".equals(str) || "scan".equals(str)) ? false : true;
        }).forEach(str2 -> {
            try {
                apply(new GroupPermissionChange(PermissionChange.Operation.ADD, str2, new ProjectId(this.publicProject), from));
                Assertions.fail("a BadRequestException should have been thrown for permission " + str2);
            } catch (BadRequestException e) {
                Assertions.assertThat(e).hasMessage("Invalid project permission '" + str2 + "'. Valid values are [admin, codeviewer, issueadmin, scan, user]");
            }
        });
    }

    @Test
    public void fail_to_add_project_permission_but_SCAN_and_ADMIN_on_global_group() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        ProjectPermissions.ALL.stream().filter(str -> {
            return ("scan".equals(str) || OrganizationPermission.ADMINISTER.getKey().equals(str)) ? false : true;
        }).forEach(str2 -> {
            try {
                apply(new GroupPermissionChange(PermissionChange.Operation.ADD, str2, (ProjectId) null, from));
                Assertions.fail("a BadRequestException should have been thrown for permission " + str2);
            } catch (BadRequestException e) {
                Assertions.assertThat(e).hasMessage("Invalid global permission '" + str2 + "'. Valid values are [admin, profileadmin, gateadmin, scan, provisioning]");
            }
        });
    }

    @Test
    public void remove_permission_from_group() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        this.db.users().insertPermissionOnGroup(this.group, OrganizationPermission.ADMINISTER_QUALITY_GATES);
        this.db.users().insertPermissionOnGroup(this.group, OrganizationPermission.PROVISION_PROJECTS);
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, OrganizationPermission.ADMINISTER_QUALITY_GATES.getKey(), (ProjectId) null, from));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, (ComponentDto) null)).containsOnly(new String[]{OrganizationPermission.PROVISION_PROJECTS.getKey()});
    }

    @Test
    public void remove_project_permission_from_group() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        this.db.users().insertPermissionOnGroup(this.group, OrganizationPermission.ADMINISTER_QUALITY_GATES);
        this.db.users().insertProjectPermissionOnGroup(this.group, "issueadmin", this.privateProject);
        this.db.users().insertProjectPermissionOnGroup(this.group, "codeviewer", this.privateProject);
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, "issueadmin", new ProjectId(this.privateProject), from));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, (ComponentDto) null)).containsOnly(new String[]{OrganizationPermission.ADMINISTER_QUALITY_GATES.getKey()});
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, this.privateProject)).containsOnly(new String[]{"codeviewer"});
    }

    @Test
    public void do_not_fail_if_removing_a_permission_that_does_not_exist() {
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, "issueadmin", new ProjectId(this.privateProject), GroupIdOrAnyone.from(this.group)));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, (ComponentDto) null)).isEmpty();
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, this.privateProject)).isEmpty();
    }

    @Test
    public void fail_to_remove_admin_permission_if_no_more_admins() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        this.db.users().insertPermissionOnGroup(this.group, OrganizationPermission.ADMINISTER);
        this.expectedException.expect(BadRequestException.class);
        this.expectedException.expectMessage("Last group with permission 'admin'. Permission cannot be removed.");
        this.underTest.apply(this.db.getSession(), new GroupPermissionChange(PermissionChange.Operation.REMOVE, OrganizationPermission.ADMINISTER.getKey(), (ProjectId) null, from));
    }

    @Test
    public void remove_admin_group_if_still_other_admins() {
        GroupIdOrAnyone from = GroupIdOrAnyone.from(this.group);
        this.db.users().insertPermissionOnGroup(this.group, OrganizationPermission.ADMINISTER);
        this.db.users().insertPermissionOnUser(this.f0org, this.db.users().insertUser(), OrganizationPermission.ADMINISTER);
        apply(new GroupPermissionChange(PermissionChange.Operation.REMOVE, OrganizationPermission.ADMINISTER.getKey(), (ProjectId) null, from));
        Assertions.assertThat(this.db.users().selectGroupPermissions(this.group, (ComponentDto) null)).isEmpty();
    }

    private void apply(GroupPermissionChange groupPermissionChange) {
        this.underTest.apply(this.db.getSession(), groupPermissionChange);
        this.db.commit();
    }

    private void unsafeInsertProjectPermissionOnAnyone(String str) {
        this.db.getDbClient().groupPermissionDao().insert(this.db.getSession(), new GroupPermissionDto().setOrganizationUuid(this.privateProject.getOrganizationUuid()).setGroupId((Integer) null).setRole(str).setResourceId(this.privateProject.getId()));
        this.db.commit();
    }
}
