package com.atlassian.applinks.internal.migration;

import com.atlassian.applinks.api.ApplicationId;
import com.atlassian.applinks.api.ApplicationLink;
import com.atlassian.applinks.api.auth.AuthenticationProvider;
import com.atlassian.applinks.api.auth.types.BasicAuthenticationProvider;
import com.atlassian.applinks.api.auth.types.TrustedAppsAuthenticationProvider;
import com.atlassian.applinks.internal.applink.ApplinkHelper;
import com.atlassian.applinks.internal.common.auth.trusted.ApplinksTrustedApps;
import com.atlassian.applinks.internal.common.exception.InvalidEntityStateException;
import com.atlassian.applinks.internal.common.exception.NoAccessException;
import com.atlassian.applinks.internal.common.exception.NoSuchApplinkException;
import com.atlassian.applinks.internal.common.exception.RemoteMigrationInvalidResponseException;
import com.atlassian.applinks.internal.common.exception.ServiceException;
import com.atlassian.applinks.internal.common.exception.ServiceExceptionFactory;
import com.atlassian.applinks.internal.common.i18n.I18nKey;
import com.atlassian.applinks.internal.migration.remote.RemoteMigrationHelper;
import com.atlassian.applinks.internal.permission.PermissionValidationService;
import com.atlassian.applinks.internal.rest.model.status.RestApplinkStatus;
import com.atlassian.applinks.internal.status.DefaultLegacyConfig;
import com.atlassian.applinks.internal.status.LegacyConfig;
import com.atlassian.applinks.internal.status.error.ApplinkStatusException;
import com.atlassian.applinks.internal.status.oauth.ApplinkOAuthStatus;
import com.atlassian.applinks.internal.status.oauth.OAuthStatusService;
import com.atlassian.applinks.internal.status.oauth.remote.RemoteOAuthStatusService;
import com.atlassian.applinks.spi.auth.AuthenticationConfigurationManager;
import java.io.Serializable;
import java.util.Objects;
import javax.annotation.Nonnull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:com/atlassian/applinks/internal/migration/DefaultAuthenticationMigrationService.class */
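/**
 * Migrates an application link from legacy authentication (Trusted Applications and Basic) to OAuth.
 *
 * <p>The migration changes the authentication configuration on both ends of the link, so every
 * public entry point calls {@link PermissionValidationService#validateAdmin()} before doing any
 * work, and {@link #migrate(MigrationState)} additionally calls
 * {@link PermissionValidationService#validateSysadmin()} when Trusted Applications is configured
 * in either direction.
 *
 * <p>Legacy providers are only removed after OAuth is reported as configured locally and enabled
 * on the matching remote side; see {@link #removeInbound(MigrationState)} and
 * {@link #removeOutbound(MigrationState, Boolean)}.
 */
public class DefaultAuthenticationMigrationService implements AuthenticationMigrationService {
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultAuthenticationMigrationService.class);
    private final ApplinkHelper applinkHelper;
    private final OAuthStatusService oAuthStatusService;
    private final ServiceExceptionFactory serviceExceptionFactory;
    private final PermissionValidationService permissionValidationService;
    private final AuthenticationConfigurationManager authConfigManager;
    private final RemoteOAuthStatusService remoteOAuthStatusService;
    private final RemoteMigrationHelper remoteMigrationHelper;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/atlassian/applinks/internal/migration/DefaultAuthenticationMigrationService$MigrationState.class */
    /**
     * Immutable snapshot of everything the migration steps need for one link: the link itself, the
     * combined local/remote authentication status, the remote OAuth status, and whether the current
     * user has sysadmin access on the remote application.
     *
     * <p>The "setter-like" methods return a new instance instead of mutating this one.
     *
     * <p>NOTE(review): nothing in this class references the enclosing service instance, so it
     * could be a private static nested class; the access level shown here was widened by the
     * decompiler.
     */
    public class MigrationState {
        final ApplicationLink link;
        final AuthenticationStatus authenticationStatus;
        final boolean remoteSysAdmin;
        final ApplinkOAuthStatus remoteOAuthStatus;

        /**
         * @param applicationLink      link being migrated, must not be {@code null}
         * @param authenticationStatus current authentication status, must not be {@code null}
         * @param applinkOAuthStatus   OAuth status reported by the remote side, must not be {@code null}
         * @param remoteSysAdmin       whether the current user has sysadmin access on the remote side
         * @throws NullPointerException if any reference argument is {@code null}
         */
        public MigrationState(@Nonnull ApplicationLink applicationLink, @Nonnull AuthenticationStatus authenticationStatus, @Nonnull ApplinkOAuthStatus applinkOAuthStatus, boolean remoteSysAdmin) {
            this.link = Objects.requireNonNull(applicationLink, RestApplinkStatus.LINK);
            this.authenticationStatus = Objects.requireNonNull(authenticationStatus, "authenticationStatus");
            this.remoteOAuthStatus = Objects.requireNonNull(applinkOAuthStatus, "remoteOAuthStatus");
            this.remoteSysAdmin = remoteSysAdmin;
        }

        /**
         * Returns a copy of this state with the authentication status replaced.
         *
         * @throws NullPointerException if {@code authenticationStatus} is {@code null}
         */
        @Nonnull
        public MigrationState authenticationStatus(@Nonnull AuthenticationStatus authenticationStatus) {
            Objects.requireNonNull(authenticationStatus, "authenticationStatus");
            return new MigrationState(this.link, authenticationStatus, this.remoteOAuthStatus, this.remoteSysAdmin);
        }

        /**
         * Returns a copy of this state with the remote OAuth status replaced.
         *
         * @throws NullPointerException if {@code applinkOAuthStatus} is {@code null}
         */
        @Nonnull
        public MigrationState remoteOAuthStatus(@Nonnull ApplinkOAuthStatus applinkOAuthStatus) {
            Objects.requireNonNull(applinkOAuthStatus, "remoteOAuthStatus");
            return new MigrationState(this.link, this.authenticationStatus, applinkOAuthStatus, this.remoteSysAdmin);
        }
    }

    @Autowired
    public DefaultAuthenticationMigrationService(ApplinkHelper applinkHelper, OAuthStatusService oAuthStatusService, RemoteOAuthStatusService remoteOAuthStatusService, RemoteMigrationHelper remoteMigrationHelper, ServiceExceptionFactory serviceExceptionFactory, PermissionValidationService permissionValidationService, AuthenticationConfigurationManager authenticationConfigurationManager) {
        this.applinkHelper = applinkHelper;
        this.oAuthStatusService = oAuthStatusService;
        this.remoteOAuthStatusService = remoteOAuthStatusService;
        this.remoteMigrationHelper = remoteMigrationHelper;
        this.serviceExceptionFactory = serviceExceptionFactory;
        this.permissionValidationService = permissionValidationService;
        this.authConfigManager = authenticationConfigurationManager;
    }

    /**
     * Migrates the given link to OAuth and removes legacy authentication where that is safe.
     *
     * <p>Order of operations, which matters because several steps call the remote application:
     * <ol>
     *   <li>admin permission check, then link lookup;</li>
     *   <li>snapshot of the authentication status, remote OAuth status and remote sysadmin access;</li>
     *   <li>{@link #migrate(MigrationState)};</li>
     *   <li>remote OAuth status is fetched again so the removal steps see the post-migration state;</li>
     *   <li>{@link #removeInbound(MigrationState)} runs first and its result is handed to
     *       {@link #removeOutbound(MigrationState, Boolean)}.</li>
     * </ol>
     *
     * @param applicationId id of the link to migrate, must not be {@code null}
     * @return the authentication status after migration
     * @throws ServiceException propagated from permission validation, link lookup or any of the
     *                          migration steps
     * @throws NullPointerException if {@code applicationId} is {@code null}
     */
    @Override // com.atlassian.applinks.internal.migration.AuthenticationMigrationService
    @Nonnull
    public AuthenticationStatus migrateToOAuth(@Nonnull ApplicationId applicationId) throws ServiceException {
        Objects.requireNonNull(applicationId, "applicationId");
        // Authorisation is checked before the link is resolved or any remote call is made.
        this.permissionValidationService.validateAdmin();
        ApplicationLink applicationLink = this.applinkHelper.getApplicationLink(applicationId);
        MigrationState initialState = new MigrationState(applicationLink, getAuthenticationMigrationStatus(applicationLink), fetchRemoteOAuthStatus(applicationLink), hasRemoteSysAdminAccess(applicationLink));
        // Re-read the remote OAuth status after migrating; the removal steps below depend on it.
        MigrationState migratedState = migrate(initialState).remoteOAuthStatus(fetchRemoteOAuthStatus(applicationLink));
        // removeInbound is evaluated as an argument and therefore runs before removeOutbound.
        return removeOutbound(migratedState, removeInbound(migratedState)).authenticationStatus;
    }

    /**
     * Checks whether the current user has sysadmin access on the remote end of the link.
     *
     * <p>An invalid response from the remote side is treated as "no access" and only logged at
     * debug level.
     *
     * @param applicationLink link to check, must not be {@code null}
     * @return {@code true} if the remote helper reports sysadmin access, {@code false} otherwise
     *         or when the remote response is invalid
     * @throws NullPointerException if {@code applicationLink} is {@code null}
     */
    @Override // com.atlassian.applinks.internal.migration.AuthenticationMigrationService
    public boolean hasRemoteSysAdminAccess(@Nonnull ApplicationLink applicationLink) throws NoSuchApplinkException, NoAccessException {
        try {
            Objects.requireNonNull(applicationLink, RestApplinkStatus.LINK);
            this.permissionValidationService.validateAdmin();
            return this.remoteMigrationHelper.hasSysAdminAccess(applicationLink);
        } catch (RemoteMigrationInvalidResponseException e) {
            // Fail closed: an unreadable answer never grants the remote-sysadmin code path.
            LOGGER.debug("Failed to check for remote sys admin access ", e);
            return false;
        }
    }

    /**
     * Performs the remote part of the migration.
     *
     * <p>Requires sysadmin permission when Trusted Applications is configured in either direction,
     * and refuses to continue when the local OAuth configuration does not match what the remote
     * side reports. The remote migration itself is only triggered when the user is a remote
     * sysadmin and OAuth is not already configured.
     *
     * @return the input state, or a copy carrying the status returned by the remote migration
     * @throws ServiceException on a failed permission check, an OAuth mismatch, or a failure
     *                          propagated from the remote migration
     */
    private MigrationState migrate(MigrationState migrationState) throws ServiceException {
        if (migrationState.authenticationStatus.outgoing().isTrustedConfigured() || migrationState.authenticationStatus.incoming().isTrustedConfigured()) {
            this.permissionValidationService.validateSysadmin();
        }
        if (oAuthMismatch(migrationState)) {
            throw ((InvalidEntityStateException) this.serviceExceptionFactory.create(InvalidEntityStateException.class, I18nKey.newI18nKey("applinks.service.error.oauth.mismatch.during.migration", new Serializable[0])));
        }
        if (!migrationState.remoteSysAdmin || OAuthMigrationUtil.isOAuthConfigured(migrationState.authenticationStatus)) {
            return migrationState;
        }
        return migrationState.authenticationStatus(this.remoteMigrationHelper.migrate(migrationState.link, migrationState.authenticationStatus));
    }

    /**
     * Returns {@code true} when the local OAuth configuration (incoming/outgoing) does not match
     * the remote OAuth status held in the state.
     */
    private boolean oAuthMismatch(MigrationState migrationState) {
        ApplinkOAuthStatus localOAuthStatus = new ApplinkOAuthStatus(migrationState.authenticationStatus.incoming().getOAuthConfig(), migrationState.authenticationStatus.outgoing().getOAuthConfig());
        return !localOAuthStatus.matches(migrationState.remoteOAuthStatus);
    }

    /** Reads which legacy providers (Basic, Trusted Applications) are registered locally for the link. */
    private LegacyConfig getLocalLegacyConfig(@Nonnull ApplicationLink applicationLink) {
        return new DefaultLegacyConfig().basic(this.authConfigManager.isConfigured(applicationLink.getId(), BasicAuthenticationProvider.class)).trusted(this.authConfigManager.isConfigured(applicationLink.getId(), TrustedAppsAuthenticationProvider.class));
    }

    /**
     * Removes the local outgoing legacy providers once outgoing OAuth is configured and the remote
     * side has incoming OAuth enabled.
     *
     * <p>The Trusted Applications provider is only unregistered when the remote trust was
     * successfully disabled; the Basic provider is unregistered unconditionally inside that guard.
     *
     * @param migrationState        current state
     * @param remoteTrustedDisabled result of an earlier remote "disable trusted app" call made by
     *                              {@link #removeInbound(MigrationState)}, or {@code null} if that
     *                              call has not been made yet and must be made here
     * @return a copy of the state with the outgoing configuration updated
     * @throws ServiceException if the remote trust could not be disabled although the user is a
     *                          remote sysadmin, or propagated from the remote call
     */
    private MigrationState removeOutbound(MigrationState migrationState, Boolean remoteTrustedDisabled) throws ServiceException {
        AuthenticationConfig outgoing = migrationState.authenticationStatus.outgoing();
        if (outgoing.isOAuthConfigured() && migrationState.remoteOAuthStatus.getIncoming().isEnabled()) {
            if (outgoing.isTrustedConfigured()) {
                // Reuse the earlier result so the remote disable request is not sent twice.
                boolean disableRemoteTrustedApp = remoteTrustedDisabled == null ? this.remoteMigrationHelper.disableRemoteTrustedApp(migrationState.link) : remoteTrustedDisabled.booleanValue();
                checkTrustedRemoved(migrationState, disableRemoteTrustedApp);
                if (disableRemoteTrustedApp) {
                    removeProvider(migrationState.link, TrustedAppsAuthenticationProvider.class);
                }
                outgoing = outgoing.trustedConfigured(!disableRemoteTrustedApp);
            }
            removeProvider(migrationState.link, BasicAuthenticationProvider.class);
            outgoing = outgoing.basicConfigured(false);
        }
        return migrationState.authenticationStatus(migrationState.authenticationStatus.outgoing(outgoing));
    }

    /**
     * Fails the migration when the user is a remote sysadmin but the remote trust was not disabled.
     * Without remote sysadmin access a failed disable is tolerated and the trust stays in place.
     *
     * @throws ServiceException an {@link InvalidEntityStateException} in the case described above
     */
    private void checkTrustedRemoved(MigrationState migrationState, boolean trustedDisabled) throws ServiceException {
        if (migrationState.remoteSysAdmin && !trustedDisabled) {
            throw ((InvalidEntityStateException) this.serviceExceptionFactory.create(InvalidEntityStateException.class, I18nKey.newI18nKey("applinks.service.error.remote.disable.trusted.invalid", new Serializable[0])));
        }
    }

    /**
     * Asks the remote side to disable its Trusted Applications trust when incoming OAuth is
     * configured locally, outgoing OAuth is enabled remotely and incoming trust is configured.
     *
     * <p>NOTE(review): this method does not update the incoming side of the authentication status;
     * only the boolean result is returned for {@link #removeOutbound(MigrationState, Boolean)}.
     *
     * @return {@code null} when the preconditions are not met and no remote call was made,
     *         otherwise whether the remote trust was disabled
     * @throws ServiceException if the remote trust could not be disabled although the user is a
     *                          remote sysadmin, or propagated from the remote call
     */
    private Boolean removeInbound(MigrationState migrationState) throws ServiceException {
        AuthenticationConfig incoming = migrationState.authenticationStatus.incoming();
        if (!incoming.isOAuthConfigured() || !migrationState.remoteOAuthStatus.getOutgoing().isEnabled() || !incoming.isTrustedConfigured()) {
            return null;
        }
        boolean disableRemoteTrustedApp = this.remoteMigrationHelper.disableRemoteTrustedApp(migrationState.link);
        checkTrustedRemoved(migrationState, disableRemoteTrustedApp);
        return Boolean.valueOf(disableRemoteTrustedApp);
    }

    /**
     * Builds the combined status from the local OAuth status, the remote legacy configuration and
     * the locally registered legacy providers.
     *
     * <p>Incoming: OAuth from the local status, Basic from the remote legacy config, Trusted from
     * the presence of the incoming trusted-apps id property on the link. Outgoing: OAuth from the
     * local status, Basic and Trusted from the locally registered providers.
     *
     * @throws NullPointerException if {@code applinkOAuthStatus} or {@code legacyConfig} is {@code null}
     */
    private AuthenticationStatus getAuthenticationMigrationStatus(@Nonnull ApplicationLink applicationLink, @Nonnull ApplinkOAuthStatus applinkOAuthStatus, @Nonnull LegacyConfig legacyConfig) {
        Objects.requireNonNull(applinkOAuthStatus, "localOAuthStatus");
        Objects.requireNonNull(legacyConfig, "remoteLegacyConfig");
        LegacyConfig localLegacyConfig = getLocalLegacyConfig(applicationLink);
        boolean incomingTrustedConfigured = applicationLink.getProperty(ApplinksTrustedApps.PROPERTY_TRUSTED_APPS_INCOMING_ID) != null;
        AuthenticationConfig incoming = new AuthenticationConfig(applinkOAuthStatus.getIncoming(), legacyConfig.isBasicConfigured(), incomingTrustedConfigured);
        AuthenticationConfig outgoing = new AuthenticationConfig(applinkOAuthStatus.getOutgoing(), localLegacyConfig.isBasicConfigured(), localLegacyConfig.isTrustedConfigured());
        return new AuthenticationStatus(incoming, outgoing);
    }

    /**
     * Returns the authentication status for the link, given its local OAuth status.
     *
     * <p>When the remote legacy configuration cannot be read, a fresh {@link DefaultLegacyConfig}
     * is used instead, so the reported incoming Basic flag may not reflect the real remote state
     * (presumably it reads as "not configured" - confirm against {@code DefaultLegacyConfig}).
     * The failure is logged at debug level.
     *
     * @param applicationLink    link to inspect, must not be {@code null}
     * @param applinkOAuthStatus local OAuth status of the link, must not be {@code null}
     * @return the combined authentication status
     * @throws NullPointerException if either argument is {@code null}
     */
    @Override // com.atlassian.applinks.internal.migration.AuthenticationMigrationService
    @Nonnull
    public AuthenticationStatus getAuthenticationMigrationStatus(@Nonnull ApplicationLink applicationLink, @Nonnull ApplinkOAuthStatus applinkOAuthStatus) throws NoSuchApplinkException, NoAccessException {
        LegacyConfig defaultLegacyConfig;
        // Reject a null link up front instead of passing it to the remote helper first.
        Objects.requireNonNull(applicationLink, RestApplinkStatus.LINK);
        Objects.requireNonNull(applinkOAuthStatus, "localOAuthStatus");
        this.permissionValidationService.validateAdmin();
        try {
            defaultLegacyConfig = this.remoteMigrationHelper.getLegacyConfig(applicationLink);
        } catch (RemoteMigrationInvalidResponseException e) {
            // Previously swallowed silently; keep the fallback but leave a trace like the other remote lookups do.
            LOGGER.debug("Failed to fetch remote legacy config, falling back to default.", e);
            defaultLegacyConfig = new DefaultLegacyConfig();
        }
        return getAuthenticationMigrationStatus(applicationLink, applinkOAuthStatus, defaultLegacyConfig);
    }

    /**
     * Status lookup used by the migration itself. Unlike the public overload it does not fall back
     * to a default legacy configuration: an invalid remote response aborts the caller.
     */
    private AuthenticationStatus getAuthenticationMigrationStatus(ApplicationLink applicationLink) throws RemoteMigrationInvalidResponseException {
        return getAuthenticationMigrationStatus(applicationLink, this.oAuthStatusService.getOAuthStatus(applicationLink), this.remoteMigrationHelper.getLegacyConfig(applicationLink));
    }

    /**
     * Fetches the remote OAuth status, mapping access and status errors to
     * {@link ApplinkOAuthStatus#OFF}. The error is only logged at debug level.
     */
    private ApplinkOAuthStatus fetchRemoteOAuthStatus(ApplicationLink applicationLink) {
        try {
            return this.remoteOAuthStatusService.fetchOAuthStatus(applicationLink);
        } catch (NoAccessException | ApplinkStatusException e) {
            LOGGER.debug("Failed to fetch remote oauth status.", e);
            return ApplinkOAuthStatus.OFF;
        }
    }

    /** Unregisters the given authentication provider type for the link. */
    private void removeProvider(ApplicationLink applicationLink, Class<? extends AuthenticationProvider> cls) {
        this.authConfigManager.unregisterProvider(applicationLink.getId(), cls);
    }
}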
