package com.atlassian.jira.rest.v2.issue.project;

import com.atlassian.annotations.security.LicensedOnly;
import com.atlassian.jira.bc.ServiceResult;
import com.atlassian.jira.bc.projectroles.ProjectRoleService;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.rest.api.project.ProjectRoleBean;
import com.atlassian.jira.rest.util.ResponseFactory;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.security.roles.DefaultRoleActors;
import com.atlassian.jira.security.roles.DefaultRoleActorsImpl;
import com.atlassian.jira.security.roles.ProjectRole;
import com.atlassian.jira.security.roles.ProjectRoleImpl;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.util.ErrorCollection;
import com.atlassian.jira.util.I18nHelper;
import com.atlassian.jira.util.SimpleErrorCollection;
import com.atlassian.sal.api.websudo.WebSudoRequired;
import io.atlassian.fugue.Either;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.Parameters;
import io.swagger.v3.oas.annotations.media.Content;
import io.swagger.v3.oas.annotations.media.Schema;
import io.swagger.v3.oas.annotations.parameters.RequestBody;
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import io.swagger.v3.oas.annotations.security.SecurityRequirement;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;

@Path("role")
@Consumes({"application/json"})
@Produces({"application/json"})
@WebSudoRequired
@LicensedOnly
/* loaded from: input_file:com/atlassian/jira/rest/v2/issue/project/RoleResource.class */
public class RoleResource {
    private final ProjectRoleService projectRoleService;
    private final ProjectRoleBeanFactory projectRoleBeanFactory;
    private final ResponseFactory responses;
    private final I18nHelper i18n;
    private final JiraAuthenticationContext authContext;
    private final GlobalPermissionManager permissionManager;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/jira/rest/v2/issue/project/RoleResource$ValidationActorsResult.class */
    public static class ValidationActorsResult<T> {
        private final String roleType;
        private final T roleEntity;

        private ValidationActorsResult(String str, T t) {
            this.roleType = str;
            this.roleEntity = t;
        }
    }

    @Inject
    public RoleResource(ProjectRoleService projectRoleService, ProjectRoleBeanFactory projectRoleBeanFactory, ResponseFactory responseFactory, I18nHelper i18nHelper, JiraAuthenticationContext jiraAuthenticationContext, GlobalPermissionManager globalPermissionManager) {
        this.projectRoleService = projectRoleService;
        this.projectRoleBeanFactory = projectRoleBeanFactory;
        this.responses = responseFactory;
        this.i18n = i18nHelper;
        this.authContext = jiraAuthenticationContext;
        this.permissionManager = globalPermissionManager;
    }

    @GET
    @Operation(summary = "Get all project roles", description = "Get all the ProjectRoles available in Jira. Currently this list is global.", security = {@SecurityRequirement(name = "basic")})
    @ApiResponses({@ApiResponse(description = "Returns full details of the roles available in Jira.", responseCode = "200", content = {@Content(schema = @Schema(implementation = ProjectRoleBean.class, type = "array"), mediaType = "application/json")}), @ApiResponse(description = "Returned if the user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the requesting user is not an admin or a sysadmin.", responseCode = "403")})
    public Response getProjectRoles() {
        ArrayList arrayList = new ArrayList();
        ErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        Collection<ProjectRole> projectRoles = this.projectRoleService.getProjectRoles(simpleErrorCollection);
        if (simpleErrorCollection.hasAnyErrors()) {
            return this.responses.errorResponse(simpleErrorCollection);
        }
        for (ProjectRole projectRole : projectRoles) {
            DefaultRoleActors defaultRoleActors = this.projectRoleService.getDefaultRoleActors(projectRole, simpleErrorCollection);
            if (simpleErrorCollection.hasAnyErrors()) {
                return this.responses.errorResponse(simpleErrorCollection);
            }
            arrayList.add(this.projectRoleBeanFactory.projectRole(projectRole, defaultRoleActors));
        }
        return Response.ok(arrayList).build();
    }

    @GET
    @Path("{id}")
    @Operation(summary = "Get a specific project role", description = "Get a specific ProjectRole available in Jira.", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "id", description = "The role id", required = true)
    @ApiResponses({@ApiResponse(description = "Returns full details of the role available in Jira.", responseCode = "200", content = {@Content(schema = @Schema(implementation = ProjectRoleBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the requesting user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the requesting user is not an admin or a sysadmin.", responseCode = "403"), @ApiResponse(description = "Returned if the role with the given id does not exist.", responseCode = "404")})
    public Response getProjectRolesById(@PathParam("id") long j) {
        return (Response) getProjectRole(j).left().on(projectRole -> {
            return (Response) withDefaultRoleActors(projectRole).left().on(new Function<DefaultRoleActors, Response>() { // from class: com.atlassian.jira.rest.v2.issue.project.RoleResource.1
                @Override // java.util.function.Function
                @Nullable
                public Response apply(@Nullable DefaultRoleActors defaultRoleActors) {
                    return Response.ok(RoleResource.this.projectRoleBeanFactory.projectRole(projectRole, defaultRoleActors)).build();
                }
            });
        });
    }

    @Operation(summary = "Create a new project role", description = "Creates a new ProjectRole to be available in Jira. The created role does not have any default actors assigned.", security = {@SecurityRequirement(name = "basic")})
    @POST
    @RequestBody(description = "The role to create", required = true, content = {@Content(schema = @Schema(implementation = CreateUpdateRoleRequestBean.class))})
    @ApiResponses({@ApiResponse(description = "Returns full details of the created role", responseCode = "200", content = {@Content(schema = @Schema(implementation = ProjectRoleBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the request json does not have a name field or the name field is invalid (empty or starts or ends with whitespace)", responseCode = "400"), @ApiResponse(description = "Returned if you are not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if you do not have permissions to create a role.", responseCode = "403"), @ApiResponse(description = "Returned if a role with given name already exists.", responseCode = "409")})
    public Response createProjectRole(CreateUpdateRoleRequestBean createUpdateRoleRequestBean) {
        ErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        ProjectRole createProjectRole = this.projectRoleService.createProjectRole(new ProjectRoleImpl(createUpdateRoleRequestBean.getName(), createUpdateRoleRequestBean.getDescription() == null ? "" : createUpdateRoleRequestBean.getDescription()), simpleErrorCollection);
        if (simpleErrorCollection.hasAnyErrors()) {
            return this.responses.errorResponse(simpleErrorCollection);
        }
        return Response.ok(this.projectRoleBeanFactory.projectRole(createProjectRole, new DefaultRoleActorsImpl(createProjectRole.getId(), Collections.emptySet()))).build();
    }

    @Path("{id}")
    @Operation(summary = "Partially updates a role's name or description", description = "Partially updates a roles name or description.", security = {@SecurityRequirement(name = "basic")})
    @POST
    @Parameter(name = "id", description = "The role id", required = true)
    @ApiResponses({@ApiResponse(description = "Returns updated role.", responseCode = "200", content = {@Content(schema = @Schema(implementation = ProjectRoleBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned when both name and description are not given or name field is invalid (empty or starts or ends with whitespace).", responseCode = "400"), @ApiResponse(description = "Returned if the requesting user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the requesting user is not an admin or a sysadmin.", responseCode = "403"), @ApiResponse(description = "Returned if the role with the given id does not exist.", responseCode = "404")})
    public Response partialUpdateProjectRole(@PathParam("id") long j, final CreateUpdateRoleRequestBean createUpdateRoleRequestBean) {
        final SimpleErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        return (Response) getProjectRole(j).left().on(new Function<ProjectRole, Response>() { // from class: com.atlassian.jira.rest.v2.issue.project.RoleResource.2
            @Override // java.util.function.Function
            @Nullable
            public Response apply(@Nullable ProjectRole projectRole) {
                RoleResource.this.validatePartialUpdate(createUpdateRoleRequestBean, simpleErrorCollection);
                if (simpleErrorCollection.hasAnyErrors()) {
                    return RoleResource.this.responses.errorResponse(simpleErrorCollection);
                }
                ProjectRole partiallyUpdatedProjectRole = RoleResource.this.getPartiallyUpdatedProjectRole(projectRole, createUpdateRoleRequestBean);
                RoleResource.this.projectRoleService.updateProjectRole(partiallyUpdatedProjectRole, simpleErrorCollection);
                return simpleErrorCollection.hasAnyErrors() ? RoleResource.this.responses.errorResponse(simpleErrorCollection) : (Response) RoleResource.this.withDefaultRoleActors(partiallyUpdatedProjectRole).left().on(defaultRoleActors -> {
                    return Response.ok(RoleResource.this.projectRoleBeanFactory.projectRole(partiallyUpdatedProjectRole, defaultRoleActors)).build();
                });
            }
        });
    }

    @Path("{id}")
    @Operation(summary = "Fully updates a role's name and description", description = "Fully updates a roles. Both name and description must be given.", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "id", description = "The role id", required = true)
    @PUT
    @ApiResponses({@ApiResponse(description = "Returns updated role.", responseCode = "200", content = {@Content(schema = @Schema(implementation = ProjectRoleBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned when name or description is not given or the name field is invalid (empty or starts or ends with whitespace).", responseCode = "400"), @ApiResponse(description = "Returned if the requesting user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the requesting user is not an admin or a sysadmin.", responseCode = "403"), @ApiResponse(description = "Returned if the role with the given id does not exist.", responseCode = "404")})
    public Response fullyUpdateProjectRole(@PathParam("id") final long j, final CreateUpdateRoleRequestBean createUpdateRoleRequestBean) {
        final SimpleErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        return (Response) getProjectRole(j).left().on(new Function<ProjectRole, Response>() { // from class: com.atlassian.jira.rest.v2.issue.project.RoleResource.3
            @Override // java.util.function.Function
            @Nullable
            public Response apply(@Nullable ProjectRole projectRole) {
                RoleResource.this.validateFullUpdate(createUpdateRoleRequestBean, simpleErrorCollection);
                if (simpleErrorCollection.hasAnyErrors()) {
                    return RoleResource.this.responses.errorResponse(simpleErrorCollection);
                }
                final ProjectRole build = ProjectRoleImpl.Builder.from(projectRole).id(Long.valueOf(j)).name(createUpdateRoleRequestBean.getName()).description(createUpdateRoleRequestBean.getDescription()).build();
                RoleResource.this.projectRoleService.updateProjectRole(build, simpleErrorCollection);
                return simpleErrorCollection.hasAnyErrors() ? RoleResource.this.responses.errorResponse(simpleErrorCollection) : (Response) RoleResource.this.withDefaultRoleActors(build).left().on(new Function<DefaultRoleActors, Response>() { // from class: com.atlassian.jira.rest.v2.issue.project.RoleResource.3.1
                    @Override // java.util.function.Function
                    @Nullable
                    public Response apply(@Nullable DefaultRoleActors defaultRoleActors) {
                        return Response.ok(RoleResource.this.projectRoleBeanFactory.projectRole(build, defaultRoleActors)).build();
                    }
                });
            }
        });
    }

    @Path("{id}")
    @DELETE
    @Operation(summary = "Deletes a role", description = "Deletes a role. May return 403 in the future", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "id", description = "The role id", required = true), @Parameter(name = "swap", description = "If given, removes a role even if it is used in scheme by replacing the role with the given one")})
    @ApiResponses({@ApiResponse(description = "Returned if the delete was successful.", responseCode = "204"), @ApiResponse(description = "Returned if given role with given swap id does not exist.", responseCode = "400"), @ApiResponse(description = "Returned if the requesting user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the requesting user is not an admin or a sysadmin.", responseCode = "403"), @ApiResponse(description = "Returned if the role with the given id does not exist.", responseCode = "404"), @ApiResponse(description = "Returned if the project role is used in schemes and roleToSwap query parameter is not given.", responseCode = "409")})
    public Response deleteProjectRole(@PathParam("id") long j, @QueryParam("swap") Long l) {
        SimpleErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        return (Response) getProjectRole(j).left().on(projectRole -> {
            if (l == null) {
                ServiceResult validateNoRoleUsage = this.projectRoleService.validateNoRoleUsage(projectRole);
                if (!validateNoRoleUsage.isValid()) {
                    return this.responses.errorResponse(validateNoRoleUsage.getErrorCollection());
                }
            } else {
                ProjectRole projectRole = this.projectRoleService.getProjectRole(l, simpleErrorCollection);
                if (projectRole == null) {
                    simpleErrorCollection.addErrorMessage("rest.swap.role.not.found", ErrorCollection.Reason.VALIDATION_FAILED);
                }
                if (simpleErrorCollection.hasAnyErrors()) {
                    return this.responses.errorResponse(simpleErrorCollection);
                }
                this.projectRoleService.swapRole(projectRole, projectRole);
            }
            this.projectRoleService.deleteProjectRole(projectRole, simpleErrorCollection);
            return simpleErrorCollection.hasAnyErrors() ? this.responses.errorResponse(simpleErrorCollection) : Response.noContent().build();
        });
    }

    @GET
    @Path("{id}/actors")
    @Operation(summary = "Get default actors for a role", description = "Gets default actors for the given role.", security = {@SecurityRequirement(name = "basic")})
    @Parameter(name = "id", description = "The role id", required = true)
    @ApiResponses({@ApiResponse(description = "Returns actor list.", responseCode = "200", content = {@Content(schema = @Schema(implementation = ProjectRoleActorsBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the requesting user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the requesting user is not an admin or a sysadmin.", responseCode = "403"), @ApiResponse(description = "Returned if the role with the given id does not exist.", responseCode = "404")})
    public Response getProjectRoleActorsForRole(@PathParam("id") long j) {
        return (Response) getProjectRole(j).left().on(projectRole -> {
            return (Response) withDefaultRoleActors(projectRole).left().on(defaultRoleActors -> {
                return Response.ok(ProjectRoleActorsBean.from(defaultRoleActors.getRoleActors())).build();
            });
        });
    }

    @Path("{id}/actors")
    @Operation(summary = "Adds default actors to a role", description = "Adds default actors to the given role. The request data should contain a list of usernames or a list of groups to add.", security = {@SecurityRequirement(name = "basic")})
    @POST
    @Parameter(name = "id", description = "The role id", required = true)
    @ApiResponses({@ApiResponse(description = "Returns actor list.", responseCode = "200", content = {@Content(schema = @Schema(implementation = ProjectRoleActorsBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if the request json does not have a user or group field or both user and group fields are given.", responseCode = "400"), @ApiResponse(description = "Returned if the requesting user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the requesting user is not an admin or a sysadmin.", responseCode = "403"), @ApiResponse(description = "Returned if the role with the given id does not exist.", responseCode = "404")})
    public Response addProjectRoleActorsToRole(@PathParam("id") long j, ActorInputBean actorInputBean) {
        SimpleErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        return (Response) getProjectRole(j).left().on(projectRole -> {
            return (Response) withValidationOfActorInputBean(actorInputBean).left().on(validationActorsResult -> {
                this.projectRoleService.addDefaultActorsToProjectRole((Collection) validationActorsResult.roleEntity, projectRole, validationActorsResult.roleType, simpleErrorCollection);
                return simpleErrorCollection.hasAnyErrors() ? this.responses.errorResponse(simpleErrorCollection) : (Response) withDefaultRoleActors(projectRole).left().on(defaultRoleActors -> {
                    return Response.ok(ProjectRoleActorsBean.from(defaultRoleActors.getRoleActors())).build();
                });
            });
        });
    }

    @Path("{id}/actors")
    @DELETE
    @Operation(summary = "Removes default actor from a role", description = "Removes default actor from the given role.", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "id", description = "The role id to remove the actors from", required = true), @Parameter(name = "user", description = "If given, removes an actor from given role"), @Parameter(name = "group", description = "If given, removes an actor from given role")})
    @ApiResponses({@ApiResponse(description = "Returns updated actors list.", responseCode = "200", content = {@Content(schema = @Schema(implementation = ProjectRoleActorsBean.class), mediaType = "application/json")}), @ApiResponse(description = "Returned if user and group are not given, both user and group are given or provided group or user does not exist.", responseCode = "400"), @ApiResponse(description = "Returned if the requesting user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the requesting user is not an admin or a sysadmin.", responseCode = "403"), @ApiResponse(description = "Returned if the role with the given id does not exist.", responseCode = "404")})
    public Response deleteProjectRoleActorsFromRole(@PathParam("id") long j, @QueryParam("user") String str, @QueryParam("group") String str2) {
        return (Response) getProjectRole(j).left().on(projectRole -> {
            SimpleErrorCollection simpleErrorCollection = new SimpleErrorCollection();
            return (Response) withValidationOfInputUserNamesAndGroupNames(str, str2).left().on(validationActorsResult -> {
                this.projectRoleService.removeDefaultActorsFromProjectRole(Collections.singleton((String) validationActorsResult.roleEntity), projectRole, validationActorsResult.roleType, simpleErrorCollection);
                return simpleErrorCollection.hasAnyErrors() ? this.responses.errorResponse(simpleErrorCollection) : (Response) withDefaultRoleActors(projectRole).left().on(defaultRoleActors -> {
                    return Response.ok(ProjectRoleActorsBean.from(defaultRoleActors.getRoleActors())).build();
                });
            });
        });
    }

    private void validateFullUpdate(CreateUpdateRoleRequestBean createUpdateRoleRequestBean, SimpleErrorCollection simpleErrorCollection) {
        if (createUpdateRoleRequestBean.getName() == null || createUpdateRoleRequestBean.getDescription() == null) {
            simpleErrorCollection.addErrorMessage(this.i18n.getText("rest.role.name.and.description.required"), ErrorCollection.Reason.VALIDATION_FAILED);
        }
    }

    private ProjectRole getPartiallyUpdatedProjectRole(ProjectRole projectRole, CreateUpdateRoleRequestBean createUpdateRoleRequestBean) {
        ProjectRoleImpl.Builder id = ProjectRoleImpl.Builder.from(projectRole).id(projectRole.getId());
        if (createUpdateRoleRequestBean.getName() != null) {
            id.name(createUpdateRoleRequestBean.getName());
        } else {
            id.description(createUpdateRoleRequestBean.getDescription());
        }
        return id.build();
    }

    private void validatePartialUpdate(CreateUpdateRoleRequestBean createUpdateRoleRequestBean, SimpleErrorCollection simpleErrorCollection) {
        if (createUpdateRoleRequestBean.getName() == null && createUpdateRoleRequestBean.getDescription() == null) {
            simpleErrorCollection.addErrorMessage(this.i18n.getText("rest.role.name.or.description.required"), ErrorCollection.Reason.VALIDATION_FAILED);
        }
    }

    @Nonnull
    private Either<Response, ProjectRole> getProjectRole(long j) {
        ErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        if (!hasAdminPermission(this.authContext.getLoggedInUser())) {
            return Either.left(this.responses.forbidden("rest.authorization.admin.required", new String[0]));
        }
        ProjectRole projectRole = this.projectRoleService.getProjectRole(Long.valueOf(j), simpleErrorCollection);
        return simpleErrorCollection.hasAnyErrors() ? Either.left(this.responses.errorResponse(simpleErrorCollection)) : projectRole == null ? Either.left(this.responses.notFound("rest.role.not.found", new String[0])) : Either.right(projectRole);
    }

    @Nonnull
    private Either<Response, DefaultRoleActors> withDefaultRoleActors(ProjectRole projectRole) {
        ErrorCollection simpleErrorCollection = new SimpleErrorCollection();
        return simpleErrorCollection.hasAnyErrors() ? Either.left(this.responses.errorResponse(simpleErrorCollection)) : Either.right(this.projectRoleService.getDefaultRoleActors(projectRole, simpleErrorCollection));
    }

    private boolean hasAdminPermission(ApplicationUser applicationUser) {
        return this.permissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, applicationUser);
    }

    private Either<Response, ValidationActorsResult<Collection<String>>> withValidationOfActorInputBean(ActorInputBean actorInputBean) {
        return withValidationOfInputUserNamesAndGroupNames(actorInputBean.getUsernames(), actorInputBean.getGroupnames());
    }

    private <T> Either<Response, ValidationActorsResult<T>> withValidationOfInputUserNamesAndGroupNames(T t, T t2) {
        return (t == null || t2 == null) ? t != null ? Either.right(new ValidationActorsResult("atlassian-user-role-actor", t)) : t2 != null ? Either.right(new ValidationActorsResult("atlassian-group-role-actor", t2)) : Either.left(this.responses.badRequest("rest.role.actors.delete.username.or.groupname.required", new String[0])) : Either.left(this.responses.badRequest("rest.role.actors.add.username.or.groupname.both.cannot.be.provided", new String[0]));
    }
}
