package com.atlassian.jira.rest.v2.issue;

import com.atlassian.annotations.security.LicensedOnly;
import com.atlassian.crowd.embedded.api.CrowdService;
import com.atlassian.crowd.embedded.api.Group;
import com.atlassian.crowd.embedded.api.User;
import com.atlassian.crowd.embedded.impl.ImmutableGroup;
import com.atlassian.crowd.embedded.impl.ImmutableUser;
import com.atlassian.crowd.exception.OperationNotPermittedException;
import com.atlassian.crowd.exception.embedded.InvalidGroupException;
import com.atlassian.crowd.exception.runtime.OperationFailedException;
import com.atlassian.jira.bc.JiraServiceContextImpl;
import com.atlassian.jira.bc.group.GroupService;
import com.atlassian.jira.issue.fields.rest.json.UserBeanFactory;
import com.atlassian.jira.issue.fields.rest.json.beans.JiraBaseUrls;
import com.atlassian.jira.issue.fields.rest.json.beans.UserJsonBean;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.rest.api.http.CacheControl;
import com.atlassian.jira.rest.api.pagination.PageBean;
import com.atlassian.jira.rest.api.util.ErrorCollection;
import com.atlassian.jira.rest.exception.BadRequestWebException;
import com.atlassian.jira.rest.exception.ForbiddenWebException;
import com.atlassian.jira.rest.exception.NotFoundWebException;
import com.atlassian.jira.rest.exception.ServerErrorWebException;
import com.atlassian.jira.rest.util.ResponseFactory;
import com.atlassian.jira.rest.util.SelfLinkBuilder;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.security.groups.GroupManager;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.util.I18nHelper;
import com.atlassian.jira.util.PageRequest;
import com.atlassian.jira.util.PageRequests;
import com.atlassian.sal.api.websudo.WebSudoRequired;
import com.google.common.base.MoreObjects;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.Parameters;
import io.swagger.v3.oas.annotations.enums.ParameterIn;
import io.swagger.v3.oas.annotations.media.Content;
import io.swagger.v3.oas.annotations.media.Schema;
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.responses.ApiResponses;
import io.swagger.v3.oas.annotations.security.SecurityRequirement;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;

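/**
 * REST resource for Jira group administration, mounted at {@code group}.
 *
 * <p>Every endpoint runs {@link #ensureCanManageGroups()} before it touches request data, so only
 * callers holding the {@code ADMINISTER} or {@code SYSTEM_ADMIN} global permission get past the
 * entry check. The mutating endpoints (create/delete group, add/remove member) additionally carry
 * {@code @WebSudoRequired}; the read-only member listing does not.
 */
@Path("group")
@Consumes({"application/json"})
@Produces({"application/json"})
@LicensedOnly
public class GroupResource {
    /** Upper bound on users returned per page and per group bean. Keep {@code @DefaultValue("50")} below in sync. */
    static final int MAX_USERS_COUNT = 50;
    private final GlobalPermissionManager permissionManager;
    private final JiraAuthenticationContext authContext;
    private final I18nHelper i18n;
    private final GroupManager groupManager;
    private final GroupService groupService;
    private final JiraBaseUrls jiraBaseUrls;
    private final SelfLinkBuilder.SelfLink groupSelfLink;
    private final CrowdService crowdService;
    private final UserBeanFactory userBeanFactory;
    private final ResponseFactory responses;

    /**
     * A group mutation that {@link #doGroupUpdate(GroupUpdateCommand)} runs after the permission
     * check, translating the declared Crowd exceptions into HTTP error responses.
     */
    public interface GroupUpdateCommand {
        Response execute() throws OperationNotPermittedException, InvalidGroupException;
    }

    @Inject
    public GroupResource(GlobalPermissionManager globalPermissionManager, JiraAuthenticationContext jiraAuthenticationContext, I18nHelper i18nHelper, GroupManager groupManager, GroupService groupService, JiraBaseUrls jiraBaseUrls, SelfLinkBuilder selfLinkBuilder, CrowdService crowdService, UserBeanFactory userBeanFactory, ResponseFactory responseFactory) {
        this.permissionManager = globalPermissionManager;
        this.authContext = jiraAuthenticationContext;
        this.i18n = i18nHelper;
        this.groupManager = groupManager;
        this.groupService = groupService;
        this.jiraBaseUrls = jiraBaseUrls;
        this.crowdService = crowdService;
        this.userBeanFactory = userBeanFactory;
        this.responses = responseFactory;
        this.groupSelfLink = selfLinkBuilder.path("group");
    }

    /** Returns true when the user holds either the ADMINISTER or the SYSTEM_ADMIN global permission. */
    private boolean hasGroupManagementPermission(ApplicationUser applicationUser) {
        return this.permissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, applicationUser)
                || this.permissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, applicationUser);
    }

    /**
     * Lists the members of a group, one page at a time.
     *
     * @param str the {@code groupname} query parameter
     * @param z   the {@code includeInactiveUsers} query parameter
     * @param l   the {@code startAt} query parameter (index of the first user to return)
     * @param num the {@code maxResults} query parameter; clamped to {@link #MAX_USERS_COUNT}
     * @return a no-cache 200 response holding the page of user beans
     */
    @GET
    @Path("member")
    @Operation(summary = "Get users from a specified group", description = "Returns a paginated list of users who are members of the specified group and its subgroups", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "groupname", description = "The group name.", in = ParameterIn.QUERY, required = true), @Parameter(name = "includeInactiveUsers", description = "Include inactive users.", in = ParameterIn.QUERY, required = false), @Parameter(name = "startAt", description = "The index of the first user in group to return.", in = ParameterIn.QUERY, required = false), @Parameter(name = "maxResults", description = "The maximum number of users to return.", in = ParameterIn.QUERY, required = false)})
    @ApiResponses({@ApiResponse(description = "Returns a paginated list of users in the group", responseCode = "200", content = {@Content(schema = @Schema(implementation = UserJsonBean.class))}), @ApiResponse(description = "Returned if the name of the provided group is empty", responseCode = "400"), @ApiResponse(description = "Returned if the user is not logged in.", responseCode = "401"), @ApiResponse(description = "Returned if the calling user is not admin or sysadmin", responseCode = "403"), @ApiResponse(description = "Returned if the specified group does not exist", responseCode = "404")})
    public Response getUsersFromGroup(@QueryParam("groupname") String str, @QueryParam("includeInactiveUsers") @DefaultValue("false") boolean z, @QueryParam("startAt") @DefaultValue("0") Long l, @QueryParam("maxResults") @DefaultValue("50") Integer num) {
        ensureCanManageGroups();
        Group group = ensureGroupExists(str);
        // Clamp the caller-supplied page size so one request cannot pull more than MAX_USERS_COUNT users.
        // NOTE(review): a negative maxResults is passed through unchanged; confirm PageRequests rejects it cleanly.
        int pageSize = Math.min(MoreObjects.firstNonNull(num, MAX_USERS_COUNT), MAX_USERS_COUNT);
        PageRequest request = PageRequests.request(l, Integer.valueOf(pageSize));
        return this.responses.okNoCache(PageBean.from(request, this.groupManager.getUsersInGroup(group.getName(), Boolean.valueOf(z), request)).setLinks(buildSelfForPagedUsers(str, Boolean.valueOf(z), l, num), request.getLimit()).build(applicationUser -> {
            return this.userBeanFactory.createBean(applicationUser, this.authContext.getLoggedInUser());
        }));
    }

    /**
     * Builds the self link for a page of group members, echoing the paging parameters as requested.
     * Null {@code startAt}/{@code maxResults} fall back to the endpoint defaults (0 and
     * {@link #MAX_USERS_COUNT}) so link building cannot fail with a NullPointerException.
     */
    private String buildSelfForPagedUsers(String groupName, Boolean includeInactiveUsers, Long startAt, Integer maxResults) {
        Long linkStart = MoreObjects.firstNonNull(startAt, 0L);
        Integer linkMax = MoreObjects.firstNonNull(maxResults, MAX_USERS_COUNT);
        return this.groupSelfLink.path("member", new String[0])
                .queryParam("groupname", groupName)
                .queryParam("includeInactiveUsers", includeInactiveUsers.toString())
                .queryParam("startAt", linkStart.toString())
                .queryParam("maxResults", linkMax.toString())
                .toString();
    }

    /**
     * Creates a group with the name carried by the request body.
     *
     * <p>The body is read only inside the command, i.e. after the permission check, so a missing or
     * malformed body from a caller without admin rights yields 403 rather than a server error. A
     * missing body is reported as an empty group name (400).
     *
     * @param addGroupBean request body naming the group to create
     * @return 201 with the new group's representation and {@code Location} header
     */
    @Operation(summary = "Create a group with given parameters", description = "Creates a group by given group parameter", security = {@SecurityRequirement(name = "basic")})
    @POST
    @WebSudoRequired
    @Parameter(name = "groupBean", description = "A group to add", required = true)
    @ApiResponses({@ApiResponse(description = "Returns full representation of a Jira group in JSON format.", responseCode = "201", content = {@Content(schema = @Schema(implementation = GroupBean.class))}), @ApiResponse(description = "Returned if user requested an empty group name or group already exists", responseCode = "400"), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the current user does not have administrator permissions.", responseCode = "403")})
    public Response createGroup(AddGroupBean addGroupBean) {
        return doGroupUpdate(() -> {
            String name = addGroupBean == null ? null : addGroupBean.getName();
            validateGroupName(name);
            if (this.crowdService.getGroup(name) != null) {
                throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("groupbrowser.error.group.exists")));
            }
            ImmutableGroup newGroup = new ImmutableGroup(name);
            this.crowdService.addGroup(newGroup);
            GroupBean created = buildGroupBean(newGroup);
            return Response.status(Response.Status.CREATED).location(created.getSelf()).entity(created).cacheControl(CacheControl.never()).build();
        });
    }

    /**
     * Deletes a group, optionally transferring its restrictions to {@code swapGroup}.
     *
     * @param str  the {@code groupname} query parameter
     * @param str2 the {@code swapGroup} query parameter
     * @return 200 on success, otherwise the error response built from the service's error collection
     */
    @DELETE
    @Operation(summary = "Delete a specified group", description = "Deletes a group by given group parameter", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "groupname", description = "The name of the group to delete.", in = ParameterIn.QUERY, required = true), @Parameter(name = "swapGroup", description = "A different group to transfer the restrictions to.", in = ParameterIn.QUERY, required = false)})
    @WebSudoRequired
    @ApiResponses({@ApiResponse(description = "Returned if the group was deleted.", responseCode = "200"), @ApiResponse(description = "Returned if user requested a group that does not exist", responseCode = "400"), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the current user does not have administrator permissions.", responseCode = "403"), @ApiResponse(description = "Returned if the requested group was not found.", responseCode = "404")})
    public Response removeGroup(@QueryParam("groupname") String str, @QueryParam("swapGroup") String str2) {
        return doGroupUpdate(() -> {
            ensureGroupExists(str);
            JiraServiceContextImpl validationContext = new JiraServiceContextImpl(this.authContext.getLoggedInUser());
            if (!this.groupService.validateDelete(validationContext, str, str2)) {
                return this.responses.errorResponse(validationContext.getErrorCollection());
            }
            // Use a fresh context so errors from the delete itself are reported on their own.
            JiraServiceContextImpl deleteContext = new JiraServiceContextImpl(this.authContext.getLoggedInUser());
            if (!this.groupService.delete(deleteContext, str, str2)) {
                return this.responses.errorResponse(deleteContext.getErrorCollection());
            }
            return Response.ok().cacheControl(CacheControl.never()).build();
        });
    }

    /**
     * Adds the user named in the request body to a group.
     *
     * <p>A missing body is treated as a missing user name instead of failing with a
     * NullPointerException; if the service validation lets a null name through, the request ends
     * in 404.
     *
     * @param str                   the {@code groupname} query parameter
     * @param updateUserToGroupBean request body naming the user to add
     * @return 201 with the group's representation, or 400 if the user is already a member
     */
    @Path("user")
    @Operation(summary = "Add a user to a specified group", description = "Adds given user to a group", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "groupname", description = "A name of requested group.", in = ParameterIn.QUERY, required = true), @Parameter(name = "userBean", description = "User to add to a group", required = true)})
    @POST
    @WebSudoRequired
    @ApiResponses({@ApiResponse(description = "Returns full representation of a Jira group in JSON format.", responseCode = "201", content = {@Content(schema = @Schema(implementation = GroupBean.class))}), @ApiResponse(description = "Returned if user requested an empty group name or the user already belongs to the group.", responseCode = "400"), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the current user does not have administrator permissions.", responseCode = "403"), @ApiResponse(description = "Returned if the requested group was not found or requested user was not found.", responseCode = "404")})
    public Response addUserToGroup(@QueryParam("groupname") String str, UpdateUserToGroupBean updateUserToGroupBean) {
        return doGroupUpdate(() -> {
            ensureGroupExists(str);
            String name = updateUserToGroupBean == null ? null : updateUserToGroupBean.getName();
            JiraServiceContextImpl serviceContext = new JiraServiceContextImpl(this.authContext.getLoggedInUser());
            if (!this.groupService.validateAddUserToGroup(serviceContext, ImmutableList.of(str), name)) {
                return this.responses.errorResponse(serviceContext.getErrorCollection());
            }
            User user = getUser(name);
            if (user == null) {
                // getUser returns null only for a null name; never hand that to ImmutableUser.
                throw userNotFound(name);
            }
            // NOTE(review): the existence check looks the group up by the trimmed name, while the
            // membership change uses the raw query value; confirm both resolve to the same group.
            ImmutableGroup targetGroup = new ImmutableGroup(str);
            if (!this.crowdService.addUserToGroup(ImmutableUser.newUser(user).toUser(), targetGroup)) {
                return Response.status(Response.Status.BAD_REQUEST).entity(ErrorCollection.of(this.i18n.getText("rest.group.user.already.exists.in.group", name, str))).cacheControl(CacheControl.never()).build();
            }
            GroupBean updated = buildGroupBean(targetGroup);
            return Response.status(Response.Status.CREATED).location(updated.getSelf()).entity(updated).cacheControl(CacheControl.never()).build();
        });
    }

    /**
     * Removes a user from a group.
     *
     * @param str  the {@code groupname} query parameter
     * @param str2 the {@code username} query parameter
     * @return 200 once the removal call has been made, otherwise the service's validation errors
     */
    @Path("user")
    @DELETE
    @Operation(summary = "Remove a user from a specified group", description = "Removes given user from a group", security = {@SecurityRequirement(name = "basic")})
    @Parameters({@Parameter(name = "groupname", description = "A name of requested group.", in = ParameterIn.QUERY, required = true), @Parameter(name = "username", description = "User to remove from a group", in = ParameterIn.QUERY, required = true)})
    @WebSudoRequired
    @ApiResponses({@ApiResponse(description = "If the user was removed from the group.", responseCode = "200"), @ApiResponse(description = "Returned if user requested an empty group name", responseCode = "400"), @ApiResponse(description = "Returned if the current user is not authenticated.", responseCode = "401"), @ApiResponse(description = "Returned if the current user does not have administrator permissions.", responseCode = "403"), @ApiResponse(description = "Returned if the requested group was not found or the requested user wan not found", responseCode = "404")})
    public Response removeUserFromGroup(@QueryParam("groupname") String str, @QueryParam("username") String str2) {
        return doGroupUpdate(() -> {
            ensureGroupExists(str);
            User user = getUser(str2);
            JiraServiceContextImpl serviceContext = new JiraServiceContextImpl(this.authContext.getLoggedInUser());
            if (!this.groupService.validateRemoveUserFromGroups(serviceContext, ImmutableList.of(str), str2)) {
                return this.responses.errorResponse(serviceContext.getErrorCollection());
            }
            if (user == null) {
                // Only reachable when no username was supplied and validation still passed.
                throw userNotFound(str2);
            }
            ImmutableGroup targetGroup = new ImmutableGroup(str);
            // The boolean result of the removal is not inspected; the endpoint answers 200 either way.
            this.crowdService.removeUserFromGroup(ImmutableUser.newUser(user).toUser(), targetGroup);
            return Response.ok().cacheControl(CacheControl.never()).build();
        });
    }

    /**
     * Runs a group mutation behind the admin permission check and maps Crowd failures to HTTP
     * errors: operation failure to a server error, invalid group to 400, not permitted to 403.
     *
     * <p>NOTE(review): the exception's localized message is echoed into the response body. It is
     * only reachable by callers that passed the admin check, but confirm the messages carry no
     * directory or backend details that should stay in the server log.
     */
    private Response doGroupUpdate(GroupUpdateCommand groupUpdateCommand) {
        // Authorize before any command code (and therefore any request-body access) runs.
        ensureCanManageGroups();
        try {
            return groupUpdateCommand.execute();
        } catch (OperationFailedException e) {
            throw new ServerErrorWebException(ErrorCollection.of(this.i18n.getText("generic.error", e.getLocalizedMessage())));
        } catch (InvalidGroupException e) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("generic.error", e.getLocalizedMessage())));
        } catch (OperationNotPermittedException e) {
            throw new ForbiddenWebException(ErrorCollection.of(this.i18n.getText("generic.error", e.getLocalizedMessage())));
        }
    }

    /**
     * Resolves a group by name (trimmed for the lookup).
     *
     * @throws BadRequestWebException if the name is null or empty
     * @throws NotFoundWebException   if no group with that name exists
     */
    private Group ensureGroupExists(String groupName) {
        validateGroupName(groupName);
        Group group = this.groupManager.getGroup(groupName.trim());
        if (group == null) {
            throw new NotFoundWebException(ErrorCollection.of(this.i18n.getText("rest.group.error.not.found", groupName)));
        }
        return group;
    }

    /**
     * Looks a user up by name.
     *
     * @return the user, or {@code null} when {@code userName} itself is null
     * @throws NotFoundWebException if a name was given but no such user exists
     */
    private User getUser(String userName) {
        if (userName == null) {
            return null;
        }
        User user = this.crowdService.getUser(userName);
        if (user == null) {
            throw userNotFound(userName);
        }
        return user;
    }

    /** Builds the 404 raised when a requested user cannot be resolved. */
    private NotFoundWebException userNotFound(String userName) {
        return new NotFoundWebException(ErrorCollection.of(this.i18n.getText("admin.errors.user.does.not.exist", userName)));
    }

    /**
     * Rejects the request with 403 unless the logged-in user may manage groups.
     *
     * @throws ForbiddenWebException if the caller lacks both admin permissions
     */
    private void ensureCanManageGroups() {
        if (!hasGroupManagementPermission(this.authContext.getLoggedInUser())) {
            throw new ForbiddenWebException(ErrorCollection.of(this.i18n.getText("rest.authorization.admin.required")));
        }
    }

    /**
     * Rejects null or empty group names with 400.
     *
     * <p>NOTE(review): a whitespace-only name passes this check; confirm the directory rejects it
     * on create.
     */
    private void validateGroupName(String groupName) {
        if (StringUtils.isEmpty(groupName)) {
            throw new BadRequestWebException(ErrorCollection.of(this.i18n.getText("rest.group.error.empty")));
        }
    }

    /**
     * Builds the REST representation of a group. The user list is supplied lazily, contains only
     * active users, and is capped at {@link #MAX_USERS_COUNT} entries by the wrapper's limit argument.
     */
    private GroupBean buildGroupBean(Group group) {
        return new GroupBeanBuilder(this.jiraBaseUrls, group.getName()).users(new UserJsonBeanListWrapper(this.groupManager.getUsersInGroupCount(group), () -> {
            return ImmutableList.copyOf(Iterables.filter(this.groupManager.getUsersInGroup(group), applicationUser -> {
                return applicationUser != null && applicationUser.isActive();
            }));
        }, MAX_USERS_COUNT, this.authContext.getLoggedInUser(), this.userBeanFactory)).build();
    }
}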
