package com.atlassian.jira.webtests.ztests.attachment;

import com.atlassian.integrationtesting.runner.restore.Restore;
import com.atlassian.jira.functest.framework.BaseJiraFuncTest;
import com.atlassian.jira.functest.framework.suite.Category;
import com.atlassian.jira.functest.framework.suite.WebTest;
import com.atlassian.jira.permission.ProjectPermissions;
import com.atlassian.jira.util.IOUtil;
import com.atlassian.jira.webtests.ztests.bundledplugins2.rest.TestUserResource;
import com.google.gson.Gson;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.apache.http.client.entity.EntityBuilder;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ContentType;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

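/**
 * Functional tests for access control on temporary attachments.
 *
 * <p>Each test uploads a temporary attachment as {@code admin} over REST, optionally tightens the
 * {@code CREATE_ATTACHMENTS} permission or disables attachments altogether, and then requests the
 * returned attachment URL as admin, as the regular user {@code fred}, or anonymously.
 *
 * <p>Outcomes pinned by the assertions below:
 * <ul>
 *   <li>Logged-in users (admin, fred): no security-breach page while they can still create
 *       attachments; the security-breach page once the permission is removed from both "everyone"
 *       and {@code jira-users}, or once attachments are disabled.</li>
 *   <li>Anonymous: no login prompt while "everyone" may create attachments; the login prompt in
 *       every restricted case.</li>
 *   <li>The served temporary attachment carries {@code Content-Security-Policy: sandbox}.</li>
 * </ul>
 *
 * <p>NOTE(review): the "allowed" cases assert only that a denial text is absent. Such an assertion
 * also passes on any unrelated page that lacks the text (a different error page, for example), so
 * it does not prove the attachment content was served. A positive check on the response status or
 * body would make these cases stronger.
 */
@Restore("TestFullAnonymousPermissions.xml")
@WebTest({Category.FUNC_TEST, Category.ATTACHMENTS})
public class TestTemporaryAttachmentsAccess extends BaseJiraFuncTest {
    private static final String SECURITY_BREACH_TEXT = "It seems that you have tried to perform an operation which you are not permitted to perform.";
    private static final String LOGIN_TEXT = "You must log in to access this page.";

    /** Status code the upload endpoint is expected to answer with on success. */
    private static final int HTTP_CREATED = 201;

    /**
     * JSON shape of the upload response as consumed by this test. Gson populates the public fields
     * reflectively; only {@link #attachmentUrl} is read here.
     */
    public static class AttachTemporaryFileBean {
        public String name;
        public String id;
        public String attachmentUrl;

        AttachTemporaryFileBean() {
        }
    }

    /** Enables attachments before every test so that each case starts from the same state. */
    @Before
    public void setUpTest() {
        this.backdoor.attachmentFile().enable();
    }

    /** Admin can open the temporary attachment with the restored fixture's permissions untouched. */
    @Test
    public void testAccessAsAdminWhenAttachmentCreatePermissionForEveryoneIsEnabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        this.navigation.login("admin");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextNotPresent(SECURITY_BREACH_TEXT);
    }

    /** Removing only the "everyone" grant must not lock out a logged-in admin. */
    @Test
    public void testAccessAsAdminWhenAttachmentCreatePermissionForEveryoneIsDisabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        disallowAnonymousAttachmentCreation();
        this.navigation.login("admin");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextNotPresent(SECURITY_BREACH_TEXT);
    }

    /**
     * With the permission removed from both "everyone" and {@code jira-users}, even admin is denied:
     * access follows the project permission, not the global admin role.
     */
    @Test
    public void testAccessAsAdminWhenAttachmentCreatePermissionIsRestricted() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        disallowAnyoneAttachmentCreation();
        this.navigation.login("admin");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextPresent(SECURITY_BREACH_TEXT);
    }

    /** Disabling attachments after the upload must make the existing temporary file unreachable. */
    @Test
    public void testAccessAsAdminWhenAttachmentCreateIsDisabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        this.backdoor.attachmentFile().disable();
        this.navigation.login("admin");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextPresent(SECURITY_BREACH_TEXT);
    }

    /**
     * A regular user is not shown the security-breach page for a temporary attachment that was
     * uploaded by admin.
     */
    @Test
    public void testAccessAsNormalUserWhenAttachmentCreatePermissionForEveryoneIsEnabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        this.navigation.login("fred");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextNotPresent(SECURITY_BREACH_TEXT);
    }

    /** Removing only the "everyone" grant must not lock out a logged-in regular user. */
    @Test
    public void testAccessAsNormalUserWhenAttachmentCreatePermissionForEveryoneIsDisabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        disallowAnonymousAttachmentCreation();
        this.navigation.login("fred");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextNotPresent(SECURITY_BREACH_TEXT);
    }

    /** A regular user without any remaining grant gets the security-breach page. */
    @Test
    public void testAccessAsNormalUserWhenAttachmentCreatePermissionIsRestricted() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        disallowAnyoneAttachmentCreation();
        this.navigation.login("fred");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextPresent(SECURITY_BREACH_TEXT);
    }

    /** A regular user gets the security-breach page once attachments are disabled. */
    @Test
    public void testAccessAsNormalUserWhenAttachmentCreateIsDisabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        this.backdoor.attachmentFile().disable();
        this.navigation.login("fred");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextPresent(SECURITY_BREACH_TEXT);
    }

    /**
     * Anonymous visitors are not redirected to the login prompt while "everyone" may create
     * attachments.
     *
     * <p>NOTE(review): only {@code LOGIN_TEXT} is checked; the security-breach text is not asserted
     * either way, so this case would not notice a denial rendered through that page.
     */
    @Test
    public void testAccessAsAnonymousWhenAttachmentCreatePermissionForEveryoneIsEnabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        this.navigation.logout();
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextNotPresent(LOGIN_TEXT);
    }

    /** Without the "everyone" grant an anonymous request must end at the login prompt. */
    @Test
    public void testAccessAsAnonymousWhenAttachmentCreatePermissionForEveryoneIsDisabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        disallowAnonymousAttachmentCreation();
        this.navigation.logout();
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextPresent(LOGIN_TEXT);
    }

    /** With every grant removed an anonymous request must end at the login prompt. */
    @Test
    public void testAccessAsAnonymousWhenAttachmentCreatePermissionIsRestricted() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        disallowAnyoneAttachmentCreation();
        this.navigation.logout();
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextPresent(LOGIN_TEXT);
    }

    /** With attachments disabled an anonymous request must end at the login prompt. */
    @Test
    public void testAccessAsAnonymousWhenAttachmentCreateIsDisabled() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        this.backdoor.attachmentFile().disable();
        this.navigation.logout();
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextPresent(LOGIN_TEXT);
    }

    /**
     * The temporary attachment must be served with {@code Content-Security-Policy: sandbox}.
     *
     * <p>The {@code sandbox} directive makes a browser treat the response as a sandboxed document,
     * so uploaded content that is rendered inline cannot run script in the application's origin.
     * The assertion is an exact match: a policy with additional directives or sandbox flags would
     * fail it.
     */
    @Test
    public void testContentSecurityPolicyHeader() throws IOException {
        String uploadTemporaryAttachment = uploadTemporaryAttachment();
        this.navigation.login("admin");
        this.tester.gotoPage(uploadTemporaryAttachment);
        this.tester.assertTextNotPresent(SECURITY_BREACH_TEXT);
        Assert.assertEquals("sandbox", this.tester.getDialog().getResponse().getHeaderField("Content-Security-Policy"));
    }

    /**
     * Uploads a small JSON file as a temporary attachment through the internal REST resource and
     * returns the URL under which it can be fetched.
     *
     * <p>The request authenticates with HTTP Basic as the fixture's {@code admin:admin} account
     * and sends the {@code X_ATLASSIAN_TOKEN}/{@code NO_CHECK} header pair from
     * {@code TestUserResource.ManualClient} (presumably the XSRF-check opt-out; confirm against
     * that class). Both are acceptable only because the target is a disposable test instance.
     *
     * @return the {@code attachmentUrl} field of the upload response
     * @throws IOException if the HTTP exchange fails
     * @throws IllegalStateException if the server does not answer 201, or the response carries no
     *     usable attachment URL
     */
    private String uploadTemporaryAttachment() throws IOException {
        byte[] bytes = "{\"test\": true}".getBytes(StandardCharsets.UTF_8);
        HttpPost httpPost = new HttpPost(getEnvironmentData().getBaseUrl().toString() + "/rest/internal/2/AttachTemporaryFile?filename=test.json&size=" + bytes.length + "&formToken=formId&projectId=10001");
        httpPost.setEntity(EntityBuilder.create().setBinary(bytes).setContentType(ContentType.APPLICATION_JSON).setContentEncoding(StandardCharsets.UTF_8.displayName()).build());
        // Encode the credentials with an explicit charset rather than the platform default.
        httpPost.addHeader("Authorization", "Basic " + Base64.getEncoder().encodeToString("admin:admin".getBytes(StandardCharsets.UTF_8)));
        httpPost.addHeader(TestUserResource.ManualClient.X_ATLASSIAN_TOKEN, TestUserResource.ManualClient.NO_CHECK);

        // try-with-resources closes the response and the client on every path, including the
        // failure paths, where the response was previously left open.
        try (CloseableHttpClient client = HttpClients.createDefault();
                CloseableHttpResponse response = client.execute(httpPost)) {
            if (response.getStatusLine().getStatusCode() != HTTP_CREATED) {
                // A response with unknown length (e.g. chunked) reports a negative content length,
                // so its body is not included in the message.
                if (response.getEntity() == null || response.getEntity().getContentLength() <= 0) {
                    throw new IllegalStateException("Failed to create new temporary attachment. No error in content. Response code:  `" + response.getStatusLine().toString() + "`");
                }
                throw new IllegalStateException("Failed to create new temporary attachment with error `" + getResponseContentAsString(response) + "`");
            }
            String responseContentAsString = getResponseContentAsString(response);
            if (responseContentAsString.isEmpty()) {
                throw new IllegalStateException("Response cannot be empty");
            }
            AttachTemporaryFileBean bean = new Gson().fromJson(responseContentAsString, AttachTemporaryFileBean.class);
            // Fail here rather than letting a null URL reach gotoPage(), where the access-control
            // assertions would be evaluated against whatever page that produces.
            if (bean == null || bean.attachmentUrl == null) {
                throw new IllegalStateException("Upload response did not contain an attachment URL: `" + responseContentAsString + "`");
            }
            return bean.attachmentUrl;
        }
    }

    /**
     * Reads the whole response body as UTF-8 text.
     *
     * @param closeableHttpResponse the response to read; it is not closed here
     * @return the body, or an empty string when the response has no entity
     * @throws IOException if reading the body fails
     */
    private String getResponseContentAsString(CloseableHttpResponse closeableHttpResponse) throws IOException {
        if (closeableHttpResponse.getEntity() == null) {
            return "";
        }
        return new String(IOUtil.toByteArray(closeableHttpResponse.getEntity().getContent()), StandardCharsets.UTF_8);
    }

    /**
     * Removes the "everyone" grant of {@code CREATE_ATTACHMENTS} from permission scheme {@code 0}
     * (presumably the default scheme of the restored fixture; confirm against the XML).
     */
    private void disallowAnonymousAttachmentCreation() {
        this.backdoor.getTestkit().permissionSchemes().removeEveryonePermission(0L, ProjectPermissions.CREATE_ATTACHMENTS);
    }

    /** Removes the {@code jira-users} group grant of {@code CREATE_ATTACHMENTS} from permission scheme {@code 0}. */
    private void disallowUsersAttachmentCreation() {
        this.backdoor.getTestkit().permissionSchemes().removeGroupPermission(0L, ProjectPermissions.CREATE_ATTACHMENTS, "jira-users");
    }

    /** Removes both the "everyone" and the {@code jira-users} grants of {@code CREATE_ATTACHMENTS}. */
    private void disallowAnyoneAttachmentCreation() {
        disallowAnonymousAttachmentCreation();
        disallowUsersAttachmentCreation();
    }
}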
