package com.atlassian.bamboo.configuration;

import com.atlassian.bamboo.docker.BambooDockerHelper;
import com.atlassian.bamboo.event.SecuritySettingsUpdatedEvent;
import com.atlassian.bamboo.repository.NameValuePair;
import com.atlassian.bamboo.security.GlobalPermissionsService;
import com.atlassian.bamboo.security.acegi.acls.BambooPermission;
import com.atlassian.bamboo.security.acegi.acls.HibernateMutableAclService;
import com.atlassian.bamboo.util.BambooStringUtils;
import com.atlassian.bamboo.utils.XsrfUtils;
import com.atlassian.bamboo.v2.build.agent.capability.CapabilitySetManager;
import com.atlassian.event.api.EventPublisher;
import com.google.common.collect.BiMap;
import com.google.common.collect.ImmutableBiMap;
import com.google.common.collect.ImmutableMap;
import io.atlassian.fugue.Suppliers;
import java.io.File;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import javax.inject.Inject;
import org.acegisecurity.acls.AccessControlEntry;
import org.acegisecurity.acls.MutableAcl;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/atlassian/bamboo/configuration/ConfigureSecurity.class */
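public class ConfigureSecurity extends GlobalAdminAction {
    /**
     * Time units an administrator may choose for the manual-encryption invocation limit, keyed by
     * the i18n key of the option label. {@link #validate()} rejects any unit not listed here.
     */
    public static final BiMap<String, TimeUnit> SUPPORTED_MANUAL_ENCRYPTION_TIME_UNITS =
            ImmutableBiMap.<String, TimeUnit>builder()
                    .put("config.security.manual.encryption.limit.unit.hour", TimeUnit.HOURS)
                    .put("config.security.manual.encryption.limit.unit.day", TimeUnit.DAYS)
                    .build();

    @Inject
    private EventPublisher eventPublisher;

    @Inject
    private GlobalPermissionsService globalPermissionsService;

    // Form-bound fields: populated from the persisted configuration by input() and written back
    // by execute(). String-typed numeric fields are parsed (and validated) explicitly.
    private boolean enableSignup;
    private boolean enableCaptchaOnSignup;
    private boolean enableViewContactDetails;
    private boolean enableRestrictedAdmin;
    private boolean enableCaptcha;
    private boolean showAdminContactDetailsToAnonymousUsers;
    private boolean showAuthorsDetailsToUsers;
    private boolean soxComplianceModeEnabled;
    private boolean isXsrfProtectionEnabled;
    private boolean areMutativeGetsAllowed;
    private boolean resolveArtifactContentTypeByExtension;
    // Enum names of SerializationSecurityMethod; converted with valueOf() in execute().
    private String xstreamSerializationProtectionMethod;
    private String bandanaSerializationProtectionMethod;
    private boolean manageAcceptedSshHostKeys;
    private boolean unauthenticatedRemoteTriggerAllowed;
    private boolean agentAssignmentModificationByUsersAllowed;
    private boolean rssEnabled;
    private boolean rssExecuteSpecsInDocker;
    private String rssDockerImage;
    private boolean rssMountLocalMavenDirectory;
    private String rssLocalMavenDirectory;
    private boolean manualEncryptionEnabled;
    private int manualEncryptionLimit;
    // Enum name of a TimeUnit; blank falls back to ManualEncryptionConfiguration.DEFAULT_LIMIT_UNIT.
    private String manualEncryptionLimitUnit;
    private String loginAttempts;
    // One of the keys of getPersonalAccessTokenExpirationRequiredOptions() ("No" / "Yes").
    private String personalAccessTokenExpirationRequired;
    private String personalTokensMaxDaysUntilExpiry;

    @Inject
    private HibernateMutableAclService aclService;

    @Inject
    private CapabilitySetManager capabilitySetManager;

    // Memoized so the capability lookup runs at most once per action instance; the lambda is
    // evaluated lazily, after injection of capabilitySetManager has happened.
    private final Supplier<Boolean> dockerConfigured = Suppliers.memoize(
            () -> BambooDockerHelper.isDockerExecutableConfigured(this.capabilitySetManager));

    // Memoized option list for the manual-encryption unit select: value = TimeUnit name, label = i18n text.
    private final Supplier<List<NameValuePair>> manualEncryptionTimeUnits = Suppliers.memoize(
            () -> SUPPORTED_MANUAL_ENCRYPTION_TIME_UNITS.entrySet().stream()
                    .map(entry -> new NameValuePair(entry.getValue().name(), getText(entry.getKey())))
                    .collect(Collectors.toList()));

    /**
     * Validates the submitted form. Problems are reported through {@code addFieldError}; the
     * framework does not run {@link #execute()} while field errors are present.
     */
    @Override
    public void validate() {
        super.validate();
        // Result intentionally unused; kept from the original in case the getter has a loading
        // side effect — TODO confirm whether this call is still needed.
        getAdministrationConfiguration();
        validateCaptchaSettings();
        validateRssSettings();
        validateManualEncryptionSettings();
        validatePersonalAccessTokenSettings();
    }

    /** With CAPTCHA enabled the lockout threshold must be a positive number of login attempts. */
    private void validateCaptchaSettings() {
        if (isEnableCaptcha() && getLoginAttemptsAsInt() <= 0) {
            addFieldError("loginAttempts", getText("config.security.loginAttemptsInvalid"));
        }
    }

    /**
     * Checks the Repository Stored Specs (RSS) Docker settings. Only relevant when specs are run in
     * Docker: the image must be named, and a local Maven directory to mount into the container must
     * be an absolute path to an existing directory on this host.
     */
    private void validateRssSettings() {
        if (!this.rssExecuteSpecsInDocker) {
            return;
        }
        if (StringUtils.isBlank(this.rssDockerImage)) {
            addFieldError("rssDockerImage", getText("config.security.rssDockerImage.error.empty"));
        }
        if (!this.rssMountLocalMavenDirectory) {
            return;
        }
        if (StringUtils.isBlank(this.rssLocalMavenDirectory)) {
            addFieldError("rssLocalMavenDirectory", getText("config.security.rss.rssLocalMavenDirectory.error.empty"));
            return;
        }
        File mavenDirectory = new File(this.rssLocalMavenDirectory);
        if (!mavenDirectory.isAbsolute()) {
            addFieldError("rssLocalMavenDirectory", getText("config.security.rss.rssLocalMavenDirectory.error.notabsolute"));
        } else if (!mavenDirectory.isDirectory()) {
            addFieldError("rssLocalMavenDirectory", getText("config.security.rss.rssLocalMavenDirectory.error.notexists", Collections.singletonList(this.rssLocalMavenDirectory)));
        }
    }

    /**
     * Checks the manual-encryption limit when the feature is enabled: the invocation limit must be
     * positive and the unit must be one of {@link #SUPPORTED_MANUAL_ENCRYPTION_TIME_UNITS}.
     */
    private void validateManualEncryptionSettings() {
        if (!this.manualEncryptionEnabled) {
            return;
        }
        if (this.manualEncryptionLimit <= 0) {
            addFieldError("manualEncryptionLimit", getText("config.security.manual.encryption.limit.invocations.error"));
        }
        boolean unitSupported = SUPPORTED_MANUAL_ENCRYPTION_TIME_UNITS.values().stream()
                .anyMatch(timeUnit -> Objects.equals(timeUnit.name(), this.manualEncryptionLimitUnit));
        if (!unitSupported) {
            String supportedUnitNames = SUPPORTED_MANUAL_ENCRYPTION_TIME_UNITS.values().stream()
                    .map(TimeUnit::name)
                    .collect(Collectors.joining(", "));
            // Reported against "manualEncryptionLimit" rather than the unit field, as in the
            // original — presumably both inputs render under one form row; TODO confirm.
            addFieldError("manualEncryptionLimit", getText("config.security.manual.encryption.limit.unit.error", Collections.singletonList(supportedUnitNames)));
        }
    }

    /**
     * Populates the form from the persisted configuration.
     *
     * @return {@code "input"}
     * @throws Exception propagated from the framework
     */
    public String input() throws Exception {
        AdministrationConfiguration config = getAdministrationConfiguration();
        setEnableSignup(config.isEnableSignup());
        setEnableRestrictedAdmin(config.isEnableRestrictedAdmin());
        if (this.featureManager.isSoxComplianceModeConfigurable()) {
            setSoxComplianceModeEnabled(config.isSoxComplianceModeEnabled());
        }
        setEnableCaptchaOnSignup(config.getCaptchaConfiguration().isEnableCaptchaOnSignup());
        setEnableViewContactDetails(config.isEnableViewContactDetails());
        setEnableCaptcha(config.getCaptchaConfiguration().isEnableCaptcha());
        setShowAdminContactDetailsToAnonymousUsers(config.isShowAdminContactDetailsToAnonymousUsers());
        setShowAuthorsDetailsToUsers(config.isShowAuthorsDetailsToUsers());
        setLoginAttempts(Integer.toString(config.getCaptchaConfiguration().getMaxLoginAttempts()));
        setXsrfProtectionEnabled(config.isXsrfProtectionEnabled());
        setResolveArtifactContentTypeByExtension(config.getResolveArtifactContentTypeByExtension());
        setXstreamSerializationProtectionMethod(config.getSerializationSecurityConfig().getxStreamMethod().name());
        setBandanaSerializationProtectionMethod(config.getSerializationSecurityConfig().getBandanaMethod().name());
        this.areMutativeGetsAllowed = config.doesXsrfAllowMutativeGets();
        setManageAcceptedSshHostKeys(config.isManageAcceptedSshHostKeys());
        setUnauthenticatedRemoteTriggerAllowed(config.isUnauthenticatedRemoteTriggerAllowed());
        setAgentAssignmentModificationByUsersAllowed(config.isAgentAssignmentModificationByUsersAllowed());
        if (this.featureManager.isRepositoryStoredSpecsEnabled()) {
            RssSecurityConfiguration rssConfig = config.getRssSecurityConfiguration();
            setRssEnabled(rssConfig.isEnabled());
            setRssExecuteSpecsInDocker(rssConfig.isExecuteSpecsInDocker());
            // Show the default image when none has been configured yet.
            setRssDockerImage(StringUtils.defaultIfBlank(rssConfig.getDockerImage(), BambooDockerHelper.DEFAULT_RSS_DOCKER_IMAGE));
            setRssMountLocalMavenDirectory(rssConfig.isMountLocalMavenDirectory());
            setRssLocalMavenDirectory(rssConfig.getLocalMavenDirectory());
        }
        setManualEncryptionEnabled(config.getManualEncryptionConfiguration().isEnabled());
        setManualEncryptionLimit(config.getManualEncryptionConfiguration().getLimit());
        setManualEncryptionLimitUnit(config.getManualEncryptionConfiguration().getLimitUnit().name());
        setPersonalAccessTokenExpirationRequired(
                expirationRequiredOptionKey(config.getPersonalAccessTokensExpirationConfiguration().isExpirationRequired()));
        setPersonalTokensMaxDaysUntilExpiry(Integer.toString(config.getPersonalAccessTokensExpirationConfiguration().getMaxDaysUntilExpiry()));
        return "input";
    }

    /**
     * Maps a boolean "expiration required" flag back to the option key the form select uses.
     *
     * @return the matching key of {@link #getPersonalAccessTokenExpirationRequiredOptions()}, or
     *         {@code null} if none matches
     */
    private String expirationRequiredOptionKey(boolean expirationRequired) {
        return getPersonalAccessTokenExpirationRequiredOptions().entrySet().stream()
                .filter(option -> option.getValue().booleanValue() == expirationRequired)
                .map(Map.Entry::getKey)
                .findFirst()
                .orElse(null);
    }

    /**
     * Applies the submitted settings, persists the configuration once, updates the global ACL for
     * the restricted-admin role and publishes a {@link SecuritySettingsUpdatedEvent}.
     *
     * <p>The XSRF check runs before any state is touched. Authorisation (global admin) is assumed to
     * be enforced by {@code GlobalAdminAction} — not visible here, TODO confirm.
     *
     * @return {@code "success"}
     * @throws Exception if the XSRF check fails or a submitted enum name is unknown
     *         ({@code IllegalArgumentException} from {@code valueOf})
     */
    public String execute() throws Exception {
        // Mutative action: refuse requests without a valid XSRF token before touching any state.
        XsrfUtils.assertCanPerformMutativeAction("Cannot perform mutative operation");
        AdministrationConfiguration config = getAdministrationConfiguration();
        config.setEnableSignup(this.enableSignup);
        config.getCaptchaConfiguration().setEnableCaptchaOnSignup(this.enableCaptchaOnSignup);
        config.setShowAdminContactDetailsToAnonymousUsers(this.showAdminContactDetailsToAnonymousUsers);
        config.setShowAuthorsDetailsToUsers(this.showAuthorsDetailsToUsers);
        config.setEnableViewContactDetails(this.enableViewContactDetails);
        config.setEnableRestrictedAdmin(this.enableRestrictedAdmin);
        if (this.featureManager.isSoxComplianceModeConfigurable()) {
            config.setSoxComplianceModeEnabled(this.soxComplianceModeEnabled);
        }
        config.getCaptchaConfiguration().setEnableCaptcha(this.enableCaptcha);
        config.getCaptchaConfiguration().setMaxLoginAttempts(getLoginAttemptsAsInt());
        config.setXsrfProtectionEnabled(this.isXsrfProtectionEnabled);
        config.setXsrfAllowsMutativeGets(this.areMutativeGetsAllowed);
        config.setResolveArtifactContentTypeByExtension(this.resolveArtifactContentTypeByExtension);
        // Argument order follows the original call: Bandana method first, then XStream. The
        // submitted names are not validated in validate(); an unknown name fails here with
        // IllegalArgumentException rather than being applied.
        config.setSerializationSecurityConfig(new SerializationSecurityConfig(
                SerializationSecurityMethod.valueOf(this.bandanaSerializationProtectionMethod),
                SerializationSecurityMethod.valueOf(this.xstreamSerializationProtectionMethod)));
        config.setManageAcceptedSshHostKeys(this.manageAcceptedSshHostKeys);
        config.setUnauthenticatedRemoteTriggerAllowed(this.unauthenticatedRemoteTriggerAllowed);
        config.setAgentAssignmentModificationByUsersAllowed(this.agentAssignmentModificationByUsersAllowed);
        // Unknown option keys are rejected by validate(); getOrDefault is only a belt-and-braces default.
        boolean expirationRequired = getPersonalAccessTokenExpirationRequiredOptions()
                .getOrDefault(this.personalAccessTokenExpirationRequired, Boolean.FALSE);
        config.setPersonalAccessTokensExpirationConfiguration(new PersonalAccessTokensExpirationConfiguration(
                expirationRequired,
                resolveMaxDaysUntilExpiry(config.getPersonalAccessTokensExpirationConfiguration().getMaxDaysUntilExpiry())));
        if (this.featureManager.isRepositoryStoredSpecsEnabled()) {
            // Blank image falls back to the currently configured one, then to the built-in default.
            String dockerImage = BambooStringUtils.firstNotBlank(new String[]{
                    this.rssDockerImage,
                    config.getRssSecurityConfiguration().getDockerImage(),
                    BambooDockerHelper.DEFAULT_RSS_DOCKER_IMAGE});
            config.setRssSecurityConfiguration(new RssSecurityConfiguration(
                    this.rssEnabled, this.rssExecuteSpecsInDocker, dockerImage,
                    this.rssMountLocalMavenDirectory, this.rssLocalMavenDirectory));
        }
        config.setManualEncryptionConfiguration(new ManualEncryptionConfiguration(
                this.manualEncryptionEnabled,
                this.manualEncryptionLimit,
                resolveManualEncryptionLimitUnit()));
        // Persist once with every setting applied; the previous code saved before and again after
        // the manual-encryption block, writing the configuration twice.
        this.administrationConfigurationPersister.saveAdministrationConfiguration(config);
        enableRestrictedAdminRole(this.enableRestrictedAdmin);
        this.eventPublisher.publish(new SecuritySettingsUpdatedEvent(config, this));
        addActionMessage(getText("config.updated"));
        return "success";
    }

    /**
     * Parses the submitted "max days until expiry". validate() accepts a blank value, so a blank
     * keeps the currently configured value instead of failing in {@code Integer.parseInt}; any
     * non-blank value has already been checked to be a positive integer.
     *
     * @param currentValue the value currently persisted, used when the field was left blank
     */
    private int resolveMaxDaysUntilExpiry(int currentValue) {
        if (StringUtils.isBlank(this.personalTokensMaxDaysUntilExpiry)) {
            return currentValue;
        }
        return Integer.parseInt(this.personalTokensMaxDaysUntilExpiry);
    }

    /**
     * Resolves the submitted limit unit; blank means the configuration's default unit. Note that
     * the unit is only validated when manual encryption is enabled, so a non-blank unknown name
     * with the feature disabled still fails here with IllegalArgumentException.
     */
    private TimeUnit resolveManualEncryptionLimitUnit() {
        if (StringUtils.isNotBlank(this.manualEncryptionLimitUnit)) {
            return TimeUnit.valueOf(this.manualEncryptionLimitUnit);
        }
        return ManualEncryptionConfiguration.DEFAULT_LIMIT_UNIT;
    }

    /**
     * Keeps the RESTRICTEDADMINISTRATION entries of the global ACL in step with the toggle: when
     * disabled, every such entry is removed; when enabled, every SID holding a permission that
     * depends on RESTRICTEDADMINISTRATION is granted it. The ACL is written back in both cases.
     *
     * @param enabled the submitted "enable restricted admin" value
     */
    private void enableRestrictedAdminRole(boolean enabled) {
        MutableAcl globalAcl = this.aclService.getAclOfGlobalPermission();
        if (enabled) {
            grantRestrictedAdminToDependentSids(globalAcl);
        } else {
            revokeRestrictedAdmin(globalAcl);
        }
        this.aclService.updateAcl(globalAcl);
    }

    /** Deletes every RESTRICTEDADMINISTRATION entry from the given ACL (not yet persisted). */
    private void revokeRestrictedAdmin(MutableAcl globalAcl) {
        // Iterating getEntries() while deleting, as the original does — assumes getEntries()
        // returns a snapshot rather than a live view; TODO confirm against the Acl implementation.
        for (AccessControlEntry ace : globalAcl.getEntries()) {
            if (BambooPermission.RESTRICTEDADMINISTRATION.equals(ace.getPermission())) {
                globalAcl.deleteAce(ace.getId());
            }
        }
    }

    /**
     * Grants RESTRICTEDADMINISTRATION to each SID that already holds a permission whose
     * dependencies include RESTRICTEDADMINISTRATION (not yet persisted).
     */
    private void grantRestrictedAdminToDependentSids(MutableAcl globalAcl) {
        List<? extends BambooPermission> dependentPermissions = this.globalPermissionsService.supportedPermissions().stream()
                .filter(permission -> this.globalPermissionsService.permissionDependencies(permission)
                        .contains(BambooPermission.RESTRICTEDADMINISTRATION))
                .collect(Collectors.toList());
        for (AccessControlEntry ace : globalAcl.getEntries()) {
            if (dependentPermissions.contains(ace.getPermission())) {
                // The existing entry's id is passed as the insertion anchor, as in the original.
                globalAcl.insertAce(ace.getId(), BambooPermission.RESTRICTEDADMINISTRATION, ace.getSid(), true);
            }
        }
    }

    public boolean isEnableCaptchaOnSignup() {
        return this.enableCaptchaOnSignup;
    }

    public void setEnableCaptchaOnSignup(boolean enabled) {
        this.enableCaptchaOnSignup = enabled;
    }

    public boolean isEnableCaptcha() {
        return this.enableCaptcha;
    }

    public void setEnableCaptcha(boolean enabled) {
        this.enableCaptcha = enabled;
    }

    /** Raw form value of the CAPTCHA lockout threshold; see {@link #getLoginAttemptsAsInt()}. */
    public String getLoginAttempts() {
        return this.loginAttempts;
    }

    public void setLoginAttempts(String attempts) {
        this.loginAttempts = attempts;
    }

    /**
     * Parses the login-attempts field.
     *
     * @return the parsed value, or {@code 0} when the field is not a valid integer (validate()
     *         rejects a non-positive value while CAPTCHA is enabled; with CAPTCHA disabled the
     *         {@code 0} is stored as-is)
     */
    public int getLoginAttemptsAsInt() {
        try {
            return Integer.parseInt(this.loginAttempts);
        } catch (NumberFormatException ignored) {
            // Non-numeric input is reported by validate() as an invalid threshold.
            return 0;
        }
    }

    @Override // com.atlassian.bamboo.ww2.BambooActionSupport
    public boolean isEnableSignup() {
        return this.enableSignup;
    }

    public void setEnableSignup(boolean enabled) {
        this.enableSignup = enabled;
    }

    public boolean isShowAdminContactDetailsToAnonymousUsers() {
        return this.showAdminContactDetailsToAnonymousUsers;
    }

    public void setShowAdminContactDetailsToAnonymousUsers(boolean enabled) {
        this.showAdminContactDetailsToAnonymousUsers = enabled;
    }

    public boolean isShowAuthorsDetailsToUsers() {
        return this.showAuthorsDetailsToUsers;
    }

    public void setShowAuthorsDetailsToUsers(boolean enabled) {
        this.showAuthorsDetailsToUsers = enabled;
    }

    public boolean isEnableViewContactDetails() {
        return this.enableViewContactDetails;
    }

    public void setEnableViewContactDetails(boolean enabled) {
        this.enableViewContactDetails = enabled;
    }

    public boolean isEnableRestrictedAdmin() {
        return this.enableRestrictedAdmin;
    }

    public void setEnableRestrictedAdmin(boolean enabled) {
        this.enableRestrictedAdmin = enabled;
    }

    public boolean isSoxComplianceModeEnabled() {
        return this.soxComplianceModeEnabled;
    }

    public void setSoxComplianceModeEnabled(boolean enabled) {
        this.soxComplianceModeEnabled = enabled;
    }

    public boolean isXsrfProtectionEnabled() {
        return this.isXsrfProtectionEnabled;
    }

    public void setXsrfProtectionEnabled(boolean enabled) {
        this.isXsrfProtectionEnabled = enabled;
    }

    /** Whether GET requests may perform mutative actions when XSRF protection is on. */
    public boolean isXsrfProtectionMutativeGetsAllowed() {
        return this.areMutativeGetsAllowed;
    }

    public void setXsrfProtectionMutativeGetsAllowed(boolean allowed) {
        this.areMutativeGetsAllowed = allowed;
    }

    public boolean isResolveArtifactContentTypeByExtension() {
        return this.resolveArtifactContentTypeByExtension;
    }

    public void setResolveArtifactContentTypeByExtension(boolean enabled) {
        this.resolveArtifactContentTypeByExtension = enabled;
    }

    /** Enum name of the XStream serialization protection method (see remoting options). */
    public String getXstreamSerializationProtectionMethod() {
        return this.xstreamSerializationProtectionMethod;
    }

    public void setXstreamSerializationProtectionMethod(String methodName) {
        this.xstreamSerializationProtectionMethod = methodName;
    }

    /** Enum name of the Bandana serialization protection method (see Bandana options). */
    public String getBandanaSerializationProtectionMethod() {
        return this.bandanaSerializationProtectionMethod;
    }

    public void setBandanaSerializationProtectionMethod(String methodName) {
        this.bandanaSerializationProtectionMethod = methodName;
    }

    /**
     * Options offered for XStream (remoting) deserialization protection: enum name to label.
     */
    @NotNull
    public Map<String, String> getSerializationProtectionOptionsForRemoting() {
        return ImmutableMap.<String, String>builder()
                .put(SerializationSecurityMethod.WHITELIST.name(), getText("config.security.serialization.protection.method.whitelist"))
                .put(SerializationSecurityMethod.BLACKLIST.name(), getText("config.security.serialization.protection.method.xstream.blacklist"))
                .put(SerializationSecurityMethod.STRICT_BLACKLIST.name(), getText("config.security.serialization.protection.method.xstream.strictblacklist"))
                .build();
    }

    /**
     * Options offered for Bandana deserialization protection: enum name to label. WHITELIST is not
     * offered here, although execute() would accept it if submitted — TODO confirm whether that is
     * intended.
     */
    @NotNull
    public Map<String, String> getSerializationProtectionOptionsForBandana() {
        return ImmutableMap.<String, String>builder()
                .put(SerializationSecurityMethod.BLACKLIST.name(), getText("config.security.serialization.protection.method.blacklist"))
                .put(SerializationSecurityMethod.STRICT_BLACKLIST.name(), getText("config.security.serialization.protection.method.strictblacklist"))
                .build();
    }

    public boolean isManageAcceptedSshHostKeys() {
        return this.manageAcceptedSshHostKeys;
    }

    public void setManageAcceptedSshHostKeys(boolean enabled) {
        this.manageAcceptedSshHostKeys = enabled;
    }

    public boolean isRssEnabled() {
        return this.rssEnabled;
    }

    public void setRssEnabled(boolean enabled) {
        this.rssEnabled = enabled;
    }

    public boolean isRssExecuteSpecsInDocker() {
        return this.rssExecuteSpecsInDocker;
    }

    public void setRssExecuteSpecsInDocker(boolean enabled) {
        this.rssExecuteSpecsInDocker = enabled;
    }

    public boolean isUnauthenticatedRemoteTriggerAllowed() {
        return this.unauthenticatedRemoteTriggerAllowed;
    }

    public void setUnauthenticatedRemoteTriggerAllowed(boolean allowed) {
        this.unauthenticatedRemoteTriggerAllowed = allowed;
    }

    public boolean isAgentAssignmentModificationByUsersAllowed() {
        return this.agentAssignmentModificationByUsersAllowed;
    }

    public void setAgentAssignmentModificationByUsersAllowed(boolean allowed) {
        this.agentAssignmentModificationByUsersAllowed = allowed;
    }

    public String getRssDockerImage() {
        return this.rssDockerImage;
    }

    public void setRssDockerImage(String image) {
        this.rssDockerImage = image;
    }

    /** Whether a Docker executable capability is configured (memoized per action instance). */
    public boolean isDockerConfigured() {
        return this.dockerConfigured.get();
    }

    /** Help text for the Docker image field, mentioning the built-in default image. */
    public String getRssDockerImageDescription() {
        return getText("config.security.rss.docker.image.description", Collections.singletonList(BambooDockerHelper.DEFAULT_RSS_DOCKER_IMAGE));
    }

    public boolean isManualEncryptionEnabled() {
        return this.manualEncryptionEnabled;
    }

    public void setManualEncryptionEnabled(boolean enabled) {
        this.manualEncryptionEnabled = enabled;
    }

    public int getManualEncryptionLimit() {
        return this.manualEncryptionLimit;
    }

    public void setManualEncryptionLimit(int limit) {
        this.manualEncryptionLimit = limit;
    }

    public String getManualEncryptionLimitUnit() {
        return this.manualEncryptionLimitUnit;
    }

    public void setManualEncryptionLimitUnit(String unitName) {
        this.manualEncryptionLimitUnit = unitName;
    }

    /** Select options for the manual-encryption unit (value = TimeUnit name, label = i18n text). */
    public List<NameValuePair> getSupportedManualEncryptionTimeUnits() {
        return this.manualEncryptionTimeUnits.get();
    }

    public boolean isRssMountLocalMavenDirectory() {
        return this.rssMountLocalMavenDirectory;
    }

    public void setRssMountLocalMavenDirectory(boolean enabled) {
        this.rssMountLocalMavenDirectory = enabled;
    }

    public String getRssLocalMavenDirectory() {
        return this.rssLocalMavenDirectory;
    }

    public void setRssLocalMavenDirectory(String directory) {
        this.rssLocalMavenDirectory = directory;
    }

    public String getPersonalTokensMaxDaysUntilExpiry() {
        return this.personalTokensMaxDaysUntilExpiry;
    }

    public void setPersonalTokensMaxDaysUntilExpiry(String maxDays) {
        this.personalTokensMaxDaysUntilExpiry = maxDays;
    }

    public String getPersonalAccessTokenExpirationRequired() {
        return this.personalAccessTokenExpirationRequired;
    }

    public void setPersonalAccessTokenExpirationRequired(String optionKey) {
        this.personalAccessTokenExpirationRequired = optionKey;
    }

    /** Select options for "expiration required": display key to boolean value. */
    public Map<String, Boolean> getPersonalAccessTokenExpirationRequiredOptions() {
        return ImmutableMap.of("No", false, "Yes", true);
    }

    /**
     * Checks the personal-access-token settings: the "expiration required" value must be one of
     * the offered option keys, and "max days until expiry", if given, must be an integer of at
     * least 1. A blank "max days" is accepted here and keeps the current value in execute().
     */
    private void validatePersonalAccessTokenSettings() {
        if (!getPersonalAccessTokenExpirationRequiredOptions().containsKey(this.personalAccessTokenExpirationRequired)) {
            addFieldError("personalAccessTokenExpirationRequired", getText("config.security.personalAccessToken.expiration.required.validation.error"));
        }
        if (StringUtils.isBlank(this.personalTokensMaxDaysUntilExpiry)) {
            return;
        }
        boolean valid;
        try {
            valid = Integer.parseInt(this.personalTokensMaxDaysUntilExpiry) >= 1;
        } catch (NumberFormatException ignored) {
            // Non-numeric input is reported through the same field error as an out-of-range value.
            valid = false;
        }
        if (!valid) {
            addFieldError("personalTokensMaxDaysUntilExpiry", getText("config.security.personalAccessToken.expiration.validation.error"));
        }
    }
}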
