package com.atlassian.upm.core.permission;

import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.plugin.event.events.PluginDisabledEvent;
import com.atlassian.plugin.event.events.PluginEnabledEvent;
import com.atlassian.sal.api.ApplicationProperties;
import com.atlassian.sal.usercompatibility.UserKey;
import com.atlassian.sal.usercompatibility.UserManager;
import com.atlassian.upm.SysCommon;
import com.atlassian.upm.UpmPluginAccessor;
import com.atlassian.upm.api.util.Option;
import com.atlassian.upm.core.Plugin;
import com.atlassian.upm.core.PluginMetadataAccessor;
import com.atlassian.upm.core.Sys;
import com.atlassian.upm.core.impl.Uris;
import com.atlassian.upm.core.permission.PermissionService;
import com.atlassian.user.configuration.Configuration;
import com.google.common.base.Preconditions;
import java.net.URI;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-2.20.2.jar:com/atlassian/upm/core/permission/DefaultPermissionService.class */
public class DefaultPermissionService implements PermissionService, InitializingBean, DisposableBean {
    private final UserManager userManager;
    private final PluginMetadataAccessor metadata;
    private final ApplicationProperties applicationProperties;
    private final EventPublisher eventPublisher;
    private final UpmPluginAccessor pluginAccessor;
    private boolean connectPluginAvailable = false;
    static final String CONFLUENCE_MACROS_HTML = "confluence.macros.html:html";
    static final String CONFLUENCE_MACROS_HTML_INCLUDE = "confluence.macros.html:html-include";

    public DefaultPermissionService(UserManager userManager, PluginMetadataAccessor pluginMetadataAccessor, ApplicationProperties applicationProperties, EventPublisher eventPublisher, UpmPluginAccessor upmPluginAccessor) {
        this.userManager = (UserManager) Preconditions.checkNotNull(userManager, Configuration.USERMANAGER);
        this.metadata = (PluginMetadataAccessor) Preconditions.checkNotNull(pluginMetadataAccessor, "metadata");
        this.applicationProperties = (ApplicationProperties) Preconditions.checkNotNull(applicationProperties, "applicationProperties");
        this.eventPublisher = (EventPublisher) Preconditions.checkNotNull(eventPublisher, "eventPublisher");
        this.pluginAccessor = (UpmPluginAccessor) Preconditions.checkNotNull(upmPluginAccessor, "pluginAccessor");
    }

    @Override // com.atlassian.upm.core.permission.PermissionService
    public Option<PermissionService.PermissionError> getPermissionError(UserKey userKey, Permission permission) {
        if (userKey == null) {
            return Option.some(PermissionService.PermissionError.UNAUTHORIZED);
        }
        switch (permission) {
            case GET_PLUGIN_MODULES:
            case GET_INSTALLED_PLUGINS:
            case GET_AUDIT_LOG:
                return adminOrSysadmin(userKey);
            case MANAGE_PLUGIN_ENABLEMENT:
            case MANAGE_PLUGIN_MODULE_ENABLEMENT:
                if (!Sys.isOnDemand() || this.userManager.isSystemAdmin(userKey)) {
                    return adminOrSysadmin(userKey);
                }
                throw new UnsupportedOperationException("This permission depends on the particular plugin being operated on.");
            case MANAGE_IN_PROCESS_PLUGIN_INSTALL_FROM_FILE:
                return (!Sys.isOnDemand() || Sys.isOnDemandPluginInstallationAllowed()) ? sysadminOnly(userKey) : Option.some(PermissionService.PermissionError.FORBIDDEN);
            case MANAGE_IN_PROCESS_PLUGIN_INSTALL_FROM_URI:
                return (!Sys.isOnDemand() || Sys.isOnDemandPluginInstallationAllowed()) ? sysadminOnly(userKey) : this.userManager.isSystemAdmin(userKey) ? Option.none(PermissionService.PermissionError.class) : Option.some(PermissionService.PermissionError.FORBIDDEN);
            case MANAGE_PLUGIN_UNINSTALL:
            case MANAGE_AUDIT_LOG:
                return sysadminOnly(userKey);
            case MANAGE_REMOTABLE_PLUGIN_INSTALL:
            case MANAGE_REMOTABLE_PLUGIN_UNINSTALL:
                return (Sys.isOnDemand() || this.connectPluginAvailable) ? adminOrSysadmin(userKey) : Option.some(PermissionService.PermissionError.FORBIDDEN);
            case MANAGE_PLUGIN_LICENSE:
                return Sys.isOnDemand() ? Option.some(PermissionService.PermissionError.FORBIDDEN) : adminOrSysadmin(userKey);
            case GET_APPLICATIONS:
            case MANAGE_APPLICATION_CONFIG:
            case MANAGE_APPLICATION_LICENSES:
                return Sys.isOnDemand() ? Option.some(PermissionService.PermissionError.FORBIDDEN) : sysadminOnly(userKey);
            case MANAGE_PLUGIN_LICENSE_SUBSCRIPTION:
                return Sys.isOnDemand() ? adminOrSysadmin(userKey) : Option.some(PermissionService.PermissionError.FORBIDDEN);
            case SCAN_PLUGIN_DIRECTORY:
                return sysadminOnly(userKey);
            default:
                throw new IllegalArgumentException("Unhandled permission: " + permission);
        }
    }

    @Override // com.atlassian.upm.core.permission.PermissionService
    public Option<PermissionService.PermissionError> getPermissionError(UserKey userKey, Permission permission, Plugin plugin) {
        return ((Permission.MANAGE_PLUGIN_ENABLEMENT == permission || Permission.MANAGE_PLUGIN_MODULE_ENABLEMENT == permission) && Sys.isOnDemand()) ? sysadminAllPluginsOrAdminUserInstalledPluginsOnly(userKey, plugin) : getPermissionError(userKey, permission);
    }

    @Override // com.atlassian.upm.core.permission.PermissionService
    public Option<PermissionService.PermissionError> getPermissionError(UserKey userKey, Permission permission, Plugin.Module module) {
        switch (permission) {
            case MANAGE_PLUGIN_ENABLEMENT:
                return getPermissionError(userKey, permission, module.getPlugin());
            case MANAGE_PLUGIN_MODULE_ENABLEMENT:
                if (!module.getPlugin().isEnabled() || module.getPlugin().isUpmPlugin()) {
                    return Option.some(PermissionService.PermissionError.CONFLICT);
                }
                String completeKey = module.getCompleteKey();
                if (CONFLUENCE_MACROS_HTML.equals(completeKey) || CONFLUENCE_MACROS_HTML_INCLUDE.equals(completeKey)) {
                    return sysadminOnly(userKey);
                }
                if (Sys.isOnDemand()) {
                    return sysadminAllPluginsOrAdminUserInstalledPluginsOnly(userKey, module.getPlugin());
                }
                break;
        }
        return getPermissionError(userKey, permission);
    }

    @Override // com.atlassian.upm.core.permission.PermissionService
    public Option<PermissionService.PermissionError> getInProcessInstallationFromUriPermissionError(UserKey userKey, URI uri) {
        if (!Sys.isOnDemand() || Sys.isOnDemandPluginInstallationAllowed()) {
            return sysadminOnly(userKey);
        }
        if (this.userManager.isSystemAdmin(userKey) && Uris.hasFileScheme(uri)) {
            return Option.none(PermissionService.PermissionError.class);
        }
        return Option.some(PermissionService.PermissionError.FORBIDDEN);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Option<PermissionService.PermissionError> adminOrSysadmin(UserKey userKey) {
        return (this.userManager.isSystemAdmin(userKey) || this.userManager.isAdmin(userKey)) ? Option.none(PermissionService.PermissionError.class) : Option.some(PermissionService.PermissionError.UNAUTHORIZED);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Option<PermissionService.PermissionError> sysadminOnly(UserKey userKey) {
        return this.userManager.isSystemAdmin(userKey) ? Option.none(PermissionService.PermissionError.class) : Option.some(PermissionService.PermissionError.UNAUTHORIZED);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Option<PermissionService.PermissionError> nonSysadminOnly(UserKey userKey) {
        return this.userManager.isSystemAdmin(userKey) ? Option.some(PermissionService.PermissionError.UNAUTHORIZED) : Option.none(PermissionService.PermissionError.class);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Option<PermissionService.PermissionError> inApplication(String... strArr) {
        String displayName = this.applicationProperties.getDisplayName();
        for (String str : strArr) {
            if (displayName.equalsIgnoreCase(str)) {
                return Option.none(PermissionService.PermissionError.class);
            }
        }
        return Option.some(PermissionService.PermissionError.FORBIDDEN);
    }

    protected Option<PermissionService.PermissionError> sysadminAllPluginsOrAdminUserInstalledPluginsOnly(UserKey userKey, Plugin plugin) {
        if (this.userManager.isSystemAdmin(userKey)) {
            return Option.none(PermissionService.PermissionError.class);
        }
        if (this.userManager.isAdmin(userKey) && this.metadata.isUserInstalled(plugin)) {
            return Option.none(PermissionService.PermissionError.class);
        }
        return Option.some(PermissionService.PermissionError.UNAUTHORIZED);
    }

    public void afterPropertiesSet() throws Exception {
        this.eventPublisher.register(this);
        this.connectPluginAvailable = this.pluginAccessor.isPluginEnabled(SysCommon.ATLASSIAN_CONNECT_PLUGIN_KEY);
    }

    public void destroy() throws Exception {
        this.eventPublisher.unregister(this);
    }

    @EventListener
    public void onPluginEnabled(PluginEnabledEvent pluginEnabledEvent) {
        if (SysCommon.ATLASSIAN_CONNECT_PLUGIN_KEY.equals(pluginEnabledEvent.getPlugin().getKey())) {
            this.connectPluginAvailable = true;
        }
    }

    @EventListener
    public void onPluginDisabled(PluginDisabledEvent pluginDisabledEvent) {
        if (SysCommon.ATLASSIAN_CONNECT_PLUGIN_KEY.equals(pluginDisabledEvent.getPlugin().getKey())) {
            this.connectPluginAvailable = false;
        }
    }
}
