package com.atlassian.crowd.manager.application.filtering;

import com.atlassian.crowd.directory.DirectoryProperties;
import com.atlassian.crowd.embedded.api.Directory;
import com.atlassian.crowd.embedded.api.SearchRestriction;
import com.atlassian.crowd.embedded.impl.IdentifierSet;
import com.atlassian.crowd.manager.application.search.DirectoryManagerSearchWrapper;
import com.atlassian.crowd.manager.application.search.DirectoryQueryWithFilter;
import com.atlassian.crowd.manager.application.search.NamesUtil;
import com.atlassian.crowd.manager.directory.DirectoryManager;
import com.atlassian.crowd.manager.property.PropertyManagerGeneric;
import com.atlassian.crowd.model.application.Application;
import com.atlassian.crowd.model.application.ApplicationDirectoryMapping;
import com.atlassian.crowd.search.Entity;
import com.atlassian.crowd.search.EntityDescriptor;
import com.atlassian.crowd.search.builder.Combine;
import com.atlassian.crowd.search.builder.QueryBuilder;
import com.atlassian.crowd.search.builder.Restriction;
import com.atlassian.crowd.search.query.entity.EntityQuery;
import com.atlassian.crowd.search.query.entity.restriction.NullRestriction;
import com.atlassian.crowd.search.query.entity.restriction.constants.GroupTermKeys;
import com.atlassian.crowd.search.query.membership.MembershipQuery;
import com.google.common.base.Preconditions;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;

/* loaded from: input_file:com/atlassian/crowd/manager/application/filtering/BaseAccessFilter.class */
public class BaseAccessFilter implements AccessFilter {
    private static final int QUERY_FOR_ALL_USERS_THRESHOLD = 1000;
    private final DirectoryManagerSearchWrapper directoryManagerSearchWrapper;
    private final Application application;
    private final Map<Long, GroupFilter> groupsWithAccess = new HashMap();
    private final Map<Long, IdentifierSet> usersWithAccess = new HashMap();
    private final int queryForAllUsersThreshold;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.atlassian.crowd.manager.application.filtering.BaseAccessFilter$1, reason: invalid class name */
    /* loaded from: input_file:com/atlassian/crowd/manager/application/filtering/BaseAccessFilter$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$atlassian$crowd$search$Entity = new int[Entity.values().length];

        static {
            try {
                $SwitchMap$com$atlassian$crowd$search$Entity[Entity.USER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$atlassian$crowd$search$Entity[Entity.GROUP.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public BaseAccessFilter(DirectoryManager directoryManager, Application application, boolean z) {
        Preconditions.checkArgument(application.isFilteringUsersWithAccessEnabled() || application.isFilteringGroupsWithAccessEnabled());
        this.directoryManagerSearchWrapper = new DirectoryManagerSearchWrapper(directoryManager);
        this.application = application;
        this.queryForAllUsersThreshold = z ? -1 : QUERY_FOR_ALL_USERS_THRESHOLD;
    }

    @Override // com.atlassian.crowd.manager.application.filtering.AccessFilter
    public boolean requiresFiltering(Entity entity) {
        Application application = this.application;
        Objects.requireNonNull(application);
        Supplier supplier = application::isFilteringUsersWithAccessEnabled;
        Application application2 = this.application;
        Objects.requireNonNull(application2);
        return ((Boolean) runForType(entity, supplier, application2::isFilteringGroupsWithAccessEnabled)).booleanValue();
    }

    @Override // com.atlassian.crowd.manager.application.filtering.AccessFilter
    public boolean hasAccess(long j, Entity entity, String str) {
        if (requiresFiltering(entity)) {
            return namesFilter(getMappingOrFail(j), entity, Collections.singleton(str)).test(str);
        }
        return true;
    }

    @Override // com.atlassian.crowd.manager.application.filtering.AccessFilter
    public <T> Optional<DirectoryQueryWithFilter<T>> getDirectoryQueryWithFilter(Directory directory, MembershipQuery<T> membershipQuery) {
        ApplicationDirectoryMapping mappingOrFail = getMappingOrFail(directory.getId().longValue());
        if (mappingOrFail.isAllowAllToAuthenticate() || !(requiresFiltering(membershipQuery.getEntityToMatch().getEntityType()) || requiresFiltering(membershipQuery.getEntityToReturn().getEntityType()))) {
            return Optional.of(new DirectoryQueryWithFilter(directory, membershipQuery, UnaryOperator.identity()));
        }
        if (getGroupFilter(mappingOrFail).isEmpty()) {
            return Optional.empty();
        }
        DirectoryQueryWithFilter<T> filterChildrenQuery = membershipQuery.isFindChildren() ? filterChildrenQuery(mappingOrFail, membershipQuery) : filterParentsQuery(mappingOrFail, membershipQuery);
        return filterChildrenQuery.getMembershipQuery().getEntityNamesToMatch().isEmpty() ? Optional.empty() : Optional.of(filterChildrenQuery);
    }

    @Override // com.atlassian.crowd.manager.application.filtering.AccessFilter
    public <T> Optional<DirectoryQueryWithFilter<T>> getDirectoryQueryWithFilter(Directory directory, EntityQuery<T> entityQuery) {
        ApplicationDirectoryMapping mappingOrFail = getMappingOrFail(directory.getId().longValue());
        return (mappingOrFail.isAllowAllToAuthenticate() || !requiresFiltering(entityQuery.getEntityDescriptor().getEntityType())) ? Optional.of(new DirectoryQueryWithFilter(directory, entityQuery, UnaryOperator.identity())) : getGroupFilter(mappingOrFail).isEmpty() ? Optional.empty() : Optional.of(filterEntityQuery(mappingOrFail, entityQuery));
    }

    private <T> DirectoryQueryWithFilter<T> filterEntityQuery(ApplicationDirectoryMapping applicationDirectoryMapping, EntityQuery<T> entityQuery) {
        if (entityQuery.getSearchRestriction() != null && !(entityQuery.getSearchRestriction() instanceof NullRestriction) && !DirectoryProperties.cachesAnyUsers(applicationDirectoryMapping.getDirectory())) {
            return new DirectoryQueryWithFilter<>(applicationDirectoryMapping.getDirectory(), entityQuery.withAllResults(), list -> {
                return filter(applicationDirectoryMapping, entityQuery.getEntityDescriptor().getEntityType(), list);
            });
        }
        if (entityQuery.getEntityDescriptor().getEntityType() == Entity.USER) {
            return new DirectoryQueryWithFilter<>(applicationDirectoryMapping.getDirectory(), QueryBuilder.queryFor(entityQuery.getReturnType(), entityQuery.getEntityDescriptor()).with(entityQuery.getSearchRestriction()).childrenOf(EntityDescriptor.group()).withNames(getGroupFilter(applicationDirectoryMapping).getAllWithAccess()).startingAt(entityQuery.getStartIndex()).returningAtMost(entityQuery.getMaxResults()), UnaryOperator.identity());
        }
        return new DirectoryQueryWithFilter<>(applicationDirectoryMapping.getDirectory(), entityQuery.withSearchRestriction(Combine.optionalAllOf(new SearchRestriction[]{entityQuery.getSearchRestriction(), Restriction.on(GroupTermKeys.NAME).exactlyMatchingAny(getGroupFilter(applicationDirectoryMapping).getAllWithAccess())})), UnaryOperator.identity());
    }

    private <T> DirectoryQueryWithFilter<T> filterChildrenQuery(ApplicationDirectoryMapping applicationDirectoryMapping, MembershipQuery<T> membershipQuery) {
        MembershipQuery<T> filterToMatch = filterToMatch(membershipQuery, applicationDirectoryMapping);
        return (requiresFiltering(applicationDirectoryMapping, membershipQuery.getEntityToMatch().getEntityType()) || filterToMatch.equals(membershipQuery)) ? new DirectoryQueryWithFilter<>(applicationDirectoryMapping.getDirectory(), filterToMatch, UnaryOperator.identity()) : new DirectoryQueryWithFilter<>(applicationDirectoryMapping.getDirectory(), membershipQuery.withAllResults(), list -> {
            return filter(applicationDirectoryMapping, membershipQuery.getEntityToReturn().getEntityType(), list);
        });
    }

    private <T> DirectoryQueryWithFilter<T> filterParentsQuery(ApplicationDirectoryMapping applicationDirectoryMapping, MembershipQuery<T> membershipQuery) {
        Entity entityType = membershipQuery.getEntityToReturn().getEntityType();
        return requiresFiltering(applicationDirectoryMapping, entityType) ? new DirectoryQueryWithFilter<>(applicationDirectoryMapping.getDirectory(), membershipQuery.withAllResults(), list -> {
            return filter(applicationDirectoryMapping, entityType, list);
        }) : isSimpleUserParentsQuery(membershipQuery) ? new DirectoryQueryWithFilter<>(applicationDirectoryMapping.getDirectory(), membershipQuery.withAllResults(), allGroupsOrNone(applicationDirectoryMapping)) : new DirectoryQueryWithFilter<>(applicationDirectoryMapping.getDirectory(), filterToMatch(membershipQuery, applicationDirectoryMapping), UnaryOperator.identity());
    }

    private boolean requiresFiltering(ApplicationDirectoryMapping applicationDirectoryMapping, Entity entity) {
        return requiresFiltering(entity) && !applicationDirectoryMapping.isAllowAllToAuthenticate();
    }

    private Predicate<String> namesFilter(ApplicationDirectoryMapping applicationDirectoryMapping, Entity entity, Collection<String> collection) {
        return applicationDirectoryMapping.isAllowAllToAuthenticate() ? str -> {
            return true;
        } : (collection.isEmpty() || applicationDirectoryMapping.getAuthorisedGroupNames().isEmpty()) ? str2 -> {
            return false;
        } : (Predicate) runForType(entity, () -> {
            IdentifierSet usersWithAccess = getUsersWithAccess(applicationDirectoryMapping, collection);
            Objects.requireNonNull(usersWithAccess);
            return (v1) -> {
                return r0.contains(v1);
            };
        }, () -> {
            GroupFilter groupFilter = getGroupFilter(applicationDirectoryMapping);
            Objects.requireNonNull(groupFilter);
            return groupFilter::hasAccess;
        });
    }

    private IdentifierSet getUsersWithAccess(ApplicationDirectoryMapping applicationDirectoryMapping, Collection<String> collection) {
        Long id = applicationDirectoryMapping.getDirectory().getId();
        if (collection.size() >= this.queryForAllUsersThreshold || this.usersWithAccess.containsKey(id)) {
            return this.usersWithAccess.computeIfAbsent(id, l -> {
                return computeUsersWithAccess(applicationDirectoryMapping);
            });
        }
        Map searchDirectGroupRelationshipsGroupedByName = this.directoryManagerSearchWrapper.searchDirectGroupRelationshipsGroupedByName(id.longValue(), QueryBuilder.queryFor(String.class, EntityDescriptor.group()).parentsOf(EntityDescriptor.user()).withNames(collection).returningAtMost(-1));
        GroupFilter groupFilter = getGroupFilter(applicationDirectoryMapping);
        return new IdentifierSet((Collection) searchDirectGroupRelationshipsGroupedByName.entrySet().stream().filter(entry -> {
            return groupFilter.anyHasAccess((Collection) entry.getValue());
        }).map((v0) -> {
            return v0.getKey();
        }).collect(Collectors.toSet()));
    }

    private IdentifierSet computeUsersWithAccess(ApplicationDirectoryMapping applicationDirectoryMapping) {
        return new IdentifierSet(this.directoryManagerSearchWrapper.searchDirectGroupRelationships(applicationDirectoryMapping.getDirectory().getId().longValue(), QueryBuilder.queryFor(String.class, EntityDescriptor.user()).childrenOf(EntityDescriptor.group()).withNames(getGroupFilter(applicationDirectoryMapping).getAllWithAccess()).returningAtMost(-1)));
    }

    private <T> UnaryOperator<List<T>> allGroupsOrNone(ApplicationDirectoryMapping applicationDirectoryMapping) {
        GroupFilter groupFilter = getGroupFilter(applicationDirectoryMapping);
        return list -> {
            return groupFilter.anyHasAccess(NamesUtil.namesOf(list)) ? list : Collections.emptyList();
        };
    }

    @Nonnull
    private ApplicationDirectoryMapping getMappingOrFail(long j) {
        return (ApplicationDirectoryMapping) Objects.requireNonNull(this.application.getApplicationDirectoryMapping(j));
    }

    private GroupFilter getGroupFilter(ApplicationDirectoryMapping applicationDirectoryMapping) {
        return this.groupsWithAccess.computeIfAbsent(applicationDirectoryMapping.getDirectory().getId(), l -> {
            return new GroupFilter(this.directoryManagerSearchWrapper, applicationDirectoryMapping);
        });
    }

    private <T> MembershipQuery<T> filterToMatch(MembershipQuery<T> membershipQuery, ApplicationDirectoryMapping applicationDirectoryMapping) {
        return membershipQuery.withEntityNames(filter(applicationDirectoryMapping, membershipQuery.getEntityToMatch().getEntityType(), membershipQuery.getEntityNamesToMatch()));
    }

    private <T> List<T> filter(ApplicationDirectoryMapping applicationDirectoryMapping, Entity entity, Collection<T> collection) {
        return NamesUtil.filterByName(collection, namesFilter(applicationDirectoryMapping, entity, NamesUtil.namesOf(collection)));
    }

    private <T> boolean isSimpleUserParentsQuery(MembershipQuery<T> membershipQuery) {
        return (membershipQuery.getSearchRestriction() == null || (membershipQuery.getSearchRestriction() instanceof NullRestriction)) && membershipQuery.getEntityNamesToMatch().size() == 1 && membershipQuery.getEntityToMatch().getEntityType() == Entity.USER;
    }

    private static <T> T runForType(Entity entity, Supplier<T> supplier, Supplier<T> supplier2) {
        switch (AnonymousClass1.$SwitchMap$com$atlassian$crowd$search$Entity[entity.ordinal()]) {
            case 1:
                return supplier.get();
            case PropertyManagerGeneric.DEFAULT_SCHEDULED_BACKUP_HOUR /* 2 */:
                return supplier2.get();
            default:
                throw new IllegalArgumentException("Unsupported entity type " + entity);
        }
    }
}
