package com.atlassian.jira.security.auth;

import com.atlassian.jira.application.ApplicationRoleManager;
import com.atlassian.jira.bc.security.login.LoginLoggers;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.plugin.webwork.WebworkPluginSecurityServiceHelper;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.PermissionManager;
import com.atlassian.jira.security.Permissions;
import com.atlassian.jira.security.auth.Authorisation;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.ozymandias.SafePluginPointAccess;
import com.atlassian.plugin.PluginAccessor;
import com.google.common.collect.Sets;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;

/* loaded from: input_file:com/atlassian/jira/security/auth/AuthorisationManagerImpl.class */
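/**
 * {@link AuthorisationManager} that consults every plugin-provided {@link Authorisation} first and
 * falls back to JIRA's own role / permission checks when all of them return
 * {@link Authorisation.Decision#ABSTAIN}.
 *
 * <p>The first plugin that answers with anything other than ABSTAIN decides the outcome; later
 * plugins are not asked.
 *
 * <p>NOTE(review): a plugin that throws (or returns {@code null}) is counted as ABSTAIN, not as a
 * denial. A plugin whose only purpose is to deny therefore stops restricting access while it is
 * failing. Such failures are written to the login security log at ERROR level and are worth
 * alerting on.
 *
 * <p>NOTE(review): user names are written to the security log as returned by
 * {@link ApplicationUser#getUsername()}. Confirm that the log layout neutralises CR/LF so a crafted
 * user name cannot forge log lines.
 */
public class AuthorisationManagerImpl implements AuthorisationManager {
    private static final Logger loggerSecurityEvents = LoginLoggers.LOGIN_SECURITY_EVENTS;
    private final PermissionManager permissionManager;
    private final PluginAccessor pluginAccessor;
    private final WebworkPluginSecurityServiceHelper webworkPluginSecurityServiceHelper;
    private final ApplicationRoleManager applicationRoleManager;
    private final GlobalPermissionManager globalPermissions;

    /**
     * Stores the collaborators used for the plugin lookup and for the built-in checks.
     */
    public AuthorisationManagerImpl(PermissionManager permissionManager, PluginAccessor pluginAccessor, WebworkPluginSecurityServiceHelper webworkPluginSecurityServiceHelper, ApplicationRoleManager applicationRoleManager, GlobalPermissionManager globalPermissionManager) {
        this.permissionManager = permissionManager;
        this.pluginAccessor = pluginAccessor;
        this.webworkPluginSecurityServiceHelper = webworkPluginSecurityServiceHelper;
        this.applicationRoleManager = applicationRoleManager;
        this.globalPermissions = globalPermissionManager;
    }

    /**
     * Decides whether the user may log in for this request.
     *
     * @param applicationUser the user attempting to log in
     * @param httpServletRequest the request being authorised
     * @return the plugin decision, or JIRA's own decision when every plugin abstains, converted
     *     with {@code Decision.toBoolean()}; a refusal is logged as a warning
     */
    @Override // com.atlassian.jira.security.auth.AuthorisationManager
    public boolean authoriseForLogin(@Nonnull ApplicationUser applicationUser, HttpServletRequest httpServletRequest) {
        Authorisation.Decision decision = authoriseForLoginViaPlugins(applicationUser, httpServletRequest);
        if (decision == Authorisation.Decision.ABSTAIN) {
            decision = authoriseForLoginViaJIRA(applicationUser);
        }
        final boolean authorised = decision.toBoolean();
        if (!authorised) {
            loggerSecurityEvents.warn("The user '" + safeUserName(applicationUser) + "' is NOT AUTHORIZED to perform to login for this request");
        }
        return authorised;
    }

    /**
     * Asks each plugin in turn about the login; the first non-ABSTAIN answer wins.
     * Plugins are not consulted at all for a {@code null} user.
     */
    private Authorisation.Decision authoriseForLoginViaPlugins(ApplicationUser applicationUser, HttpServletRequest httpServletRequest) {
        if (applicationUser == null) {
            return Authorisation.Decision.ABSTAIN;
        }
        for (Authorisation authorisation : getAuthorisations()) {
            Authorisation.Decision decision = safeRun(authorisation, applicationUser,
                    () -> authorisation.authoriseForLogin(applicationUser, httpServletRequest));
            if (decision != Authorisation.Decision.ABSTAIN) {
                return decision;
            }
        }
        return Authorisation.Decision.ABSTAIN;
    }

    /**
     * Applies only JIRA's built-in login rule; plugins are not consulted.
     */
    @Override // com.atlassian.jira.security.auth.AuthorisationManager
    public boolean hasUserAccessToJIRA(@Nonnull ApplicationUser applicationUser) {
        return authoriseForLoginViaJIRA(applicationUser).toBoolean();
    }

    /**
     * Built-in login rule: GRANTED when the user has any application role or the global
     * ADMINISTER permission, DENIED otherwise.
     */
    private Authorisation.Decision authoriseForLoginViaJIRA(ApplicationUser applicationUser) {
        if (this.applicationRoleManager.hasAnyRole(applicationUser)) {
            return Authorisation.Decision.GRANTED;
        }
        if (this.globalPermissions.hasPermission(GlobalPermissionKey.ADMINISTER, applicationUser)) {
            return Authorisation.Decision.GRANTED;
        }
        return Authorisation.Decision.DENIED;
    }

    /**
     * Collects the roles required for the request from the webwork helper and from every plugin.
     *
     * <p>NOTE(review): a plugin that throws contributes no roles, so the request is checked against
     * fewer roles than that plugin intended. The failure is logged at ERROR level.
     *
     * @return a new mutable set; plugin results that are {@code null} are treated as empty
     */
    @Override // com.atlassian.jira.security.auth.AuthorisationManager
    public Set<String> getRequiredRoles(HttpServletRequest httpServletRequest) {
        Set<String> requiredRoles = Sets.newHashSet(this.webworkPluginSecurityServiceHelper.getRequiredRoles(httpServletRequest));
        for (Authorisation authorisation : getAuthorisations()) {
            try {
                requiredRoles.addAll(safeSet(authorisation.getRequiredRoles(httpServletRequest)));
            } catch (RuntimeException e) {
                // Pass the throwable as well so the stack trace of the failing plugin is kept.
                loggerSecurityEvents.error(String.format("Exception thrown by '%s'. The roles will be ignored : %s", authorisation.getClass().getName(), e.getMessage()), e);
            }
        }
        return requiredRoles;
    }

    /**
     * Decides whether the (possibly anonymous) user holds the given role for this request.
     *
     * @param applicationUser the user, or {@code null} for an anonymous request
     * @param httpServletRequest the request being authorised
     * @param str the role name to check
     * @return the plugin decision, or JIRA's own decision when every plugin abstains, converted
     *     with {@code Decision.toBoolean()}; a refusal is logged as a warning
     */
    @Override // com.atlassian.jira.security.auth.AuthorisationManager
    public boolean authoriseForRole(@Nullable ApplicationUser applicationUser, HttpServletRequest httpServletRequest, String str) {
        Authorisation.Decision decision = authoriseForRoleViaPlugins(applicationUser, httpServletRequest, str);
        if (decision == Authorisation.Decision.ABSTAIN) {
            decision = authoriseForRoleViaJIRA(applicationUser, str);
        }
        final boolean authorised = decision.toBoolean();
        if (!authorised) {
            loggerSecurityEvents.warn("The user '" + safeUserName(applicationUser) + "' is NOT AUTHORIZED to perform this request");
        }
        return authorised;
    }

    /**
     * Asks each plugin in turn about the role; the first non-ABSTAIN answer wins.
     * Unlike the login path, plugins are consulted for a {@code null} user too.
     */
    private Authorisation.Decision authoriseForRoleViaPlugins(final ApplicationUser applicationUser, final HttpServletRequest httpServletRequest, final String str) {
        for (final Authorisation authorisation : getAuthorisations()) {
            Authorisation.Decision decision = safeRun(authorisation, applicationUser,
                    () -> authorisation.authoriseForRole(applicationUser, httpServletRequest, str));
            if (decision != Authorisation.Decision.ABSTAIN) {
                return decision;
            }
        }
        return Authorisation.Decision.ABSTAIN;
    }

    /**
     * Returns the {@link Authorisation} modules currently exposed through the plugin accessor.
     */
    private List<Authorisation> getAuthorisations() {
        return SafePluginPointAccess.to(this.pluginAccessor).forType(AuthorisationModuleDescriptor.class,
                (authorisationModuleDescriptor, authorisation) -> authorisation);
    }

    /**
     * Built-in role rule: maps the role name to a permission type and checks it.
     * A type of {@code -1} is denied outright (presumably "unknown role name" - confirm against
     * {@code Permissions.getType}).
     */
    private Authorisation.Decision authoriseForRoleViaJIRA(ApplicationUser applicationUser, String str) {
        final int type = Permissions.getType(str);
        if (type == -1) {
            return Authorisation.Decision.DENIED;
        }
        return Authorisation.Decision.toDecision(this.permissionManager.hasPermission(type, applicationUser));
    }

    /**
     * Runs one plugin callback and shields the caller from a misbehaving plugin.
     *
     * @return the plugin's decision; ABSTAIN when the callback throws or returns {@code null}
     */
    private Authorisation.Decision safeRun(Authorisation authorisation, ApplicationUser applicationUser, Callable<Authorisation.Decision> callable) {
        try {
            Authorisation.Decision decision = callable.call();
            if (decision == null) {
                // A null decision would otherwise escape the ABSTAIN comparison in the callers and
                // end in a NullPointerException on toBoolean(); handle it like any other plugin fault.
                loggerSecurityEvents.error(String.format("Null decision returned by '%s'. The decision will be treated as ABSTAIN", authorisation.getClass().getName()));
                return Authorisation.Decision.ABSTAIN;
            }
            if (loggerSecurityEvents.isDebugEnabled()) {
                loggerSecurityEvents.debug(String.format("%s has authorised '%s' as %s", authorisation.getClass().getName(), safeUserName(applicationUser), decision));
            }
            return decision;
        } catch (Exception e) {
            // Pass the throwable as well so the stack trace of the failing plugin is kept.
            loggerSecurityEvents.error(String.format("Exception thrown by '%s'. The decision will be treated as ABSTAIN : %s", authorisation.getClass().getName(), e.getMessage()), e);
            return Authorisation.Decision.ABSTAIN;
        }
    }

    /**
     * Returns the user name for log messages, or {@code "anonymous"} for a {@code null} user.
     */
    private String safeUserName(ApplicationUser applicationUser) {
        if (applicationUser == null) {
            return "anonymous";
        }
        return applicationUser.getUsername();
    }

    /**
     * Replaces a {@code null} set with an empty one.
     */
    private Set<String> safeSet(Set<String> set) {
        if (set == null) {
            return Collections.emptySet();
        }
        return set;
    }
}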
