package com.google.gerrit.server.project;

import com.google.common.base.Strings;
import com.google.gerrit.extensions.api.config.AccessCheckInfo;
import com.google.gerrit.extensions.api.config.AccessCheckInput;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.extensions.restapi.RestApiException;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.extensions.restapi.UnprocessableEntityException;
import com.google.gerrit.reviewdb.client.Account;
import com.google.gerrit.reviewdb.client.Branch;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.AccountResolver;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.ProjectPermission;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gwtorm.server.OrmException;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import java.io.IOException;
import org.eclipse.jgit.errors.ConfigInvalidException;

@Singleton
/* loaded from: input_file:com/google/gerrit/server/project/CheckAccess.class */
public class CheckAccess implements RestModifyView<ProjectResource, AccessCheckInput> {
    private final AccountResolver accountResolver;
    private final IdentifiedUser.GenericFactory userFactory;
    private final PermissionBackend permissionBackend;

    @Inject
    CheckAccess(AccountResolver accountResolver, IdentifiedUser.GenericFactory genericFactory, PermissionBackend permissionBackend) {
        this.accountResolver = accountResolver;
        this.userFactory = genericFactory;
        this.permissionBackend = permissionBackend;
    }

    @Override // com.google.gerrit.extensions.restapi.RestModifyView
    public AccessCheckInfo apply(ProjectResource projectResource, AccessCheckInput accessCheckInput) throws OrmException, PermissionBackendException, RestApiException, IOException, ConfigInvalidException {
        this.permissionBackend.user(projectResource.getUser()).check(GlobalPermission.ADMINISTRATE_SERVER);
        if (accessCheckInput == null) {
            throw new BadRequestException("input is required");
        }
        if (Strings.isNullOrEmpty(accessCheckInput.account)) {
            throw new BadRequestException("input requires 'account'");
        }
        Account find = this.accountResolver.find(accessCheckInput.account);
        if (find == null) {
            throw new UnprocessableEntityException(String.format("cannot find account %s", accessCheckInput.account));
        }
        AccessCheckInfo accessCheckInfo = new AccessCheckInfo();
        IdentifiedUser create = this.userFactory.create(find.getId());
        try {
            this.permissionBackend.user(create).project(projectResource.getNameKey()).check(ProjectPermission.ACCESS);
            if (!Strings.isNullOrEmpty(accessCheckInput.ref)) {
                try {
                    this.permissionBackend.user(create).ref(new Branch.NameKey(projectResource.getNameKey(), accessCheckInput.ref)).check(RefPermission.READ);
                } catch (AuthException | PermissionBackendException e) {
                    accessCheckInfo.status = 403;
                    accessCheckInfo.message = String.format("user %s (%s) cannot see ref %s in project %s", create.getNameEmail(), create.getAccount().getId(), accessCheckInput.ref, projectResource.getName());
                    return accessCheckInfo;
                }
            }
            accessCheckInfo.status = 200;
            return accessCheckInfo;
        } catch (AuthException | PermissionBackendException e2) {
            accessCheckInfo.message = String.format("user %s (%s) cannot see project %s", create.getNameEmail(), create.getAccount().getId(), projectResource.getName());
            accessCheckInfo.status = 403;
            return accessCheckInfo;
        }
    }
}
