package com.google.gerrit.server.project;

import com.google.gerrit.common.data.Permission;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.reviewdb.client.Branch;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.io.IOException;
import org.eclipse.jgit.lib.PersonIdent;
import org.eclipse.jgit.lib.Repository;
import org.eclipse.jgit.revwalk.RevCommit;
import org.eclipse.jgit.revwalk.RevObject;
import org.eclipse.jgit.revwalk.RevTag;
import org.eclipse.jgit.revwalk.RevWalk;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:com/google/gerrit/server/project/CreateRefControl.class */
public class CreateRefControl {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CreateRefControl.class);
    private final PermissionBackend permissionBackend;
    private final ProjectCache projectCache;

    @Inject
    CreateRefControl(PermissionBackend permissionBackend, ProjectCache projectCache) {
        this.permissionBackend = permissionBackend;
        this.projectCache = projectCache;
    }

    public void checkCreateRef(Provider<? extends CurrentUser> provider, Repository repository, Branch.NameKey nameKey, RevObject revObject) throws AuthException, PermissionBackendException, NoSuchProjectException, IOException {
        ProjectState checkedGet = this.projectCache.checkedGet(nameKey.getParentKey());
        if (checkedGet == null) {
            throw new NoSuchProjectException(nameKey.getParentKey());
        }
        if (!checkedGet.getProject().getState().permitsWrite()) {
            throw new AuthException("project state does not permit write");
        }
        PermissionBackend.ForRef ref = this.permissionBackend.user(provider).ref(nameKey);
        if (revObject instanceof RevCommit) {
            ref.check(RefPermission.CREATE);
            checkCreateCommit(provider, repository, (RevCommit) revObject, checkedGet, ref);
            return;
        }
        if (revObject instanceof RevTag) {
            RevTag revTag = (RevTag) revObject;
            try {
                RevWalk revWalk = new RevWalk(repository);
                try {
                    revWalk.parseBody(revTag);
                    revWalk.close();
                    PersonIdent taggerIdent = revTag.getTaggerIdent();
                    if (taggerIdent != null && (!provider.get().isIdentifiedUser() || !provider.get().asIdentifiedUser().hasEmailAddress(taggerIdent.getEmailAddress()))) {
                        ref.check(RefPermission.FORGE_COMMITTER);
                    }
                    RevObject object = revTag.getObject();
                    if (object instanceof RevCommit) {
                        checkCreateCommit(provider, repository, (RevCommit) object, checkedGet, ref);
                    } else {
                        checkCreateRef(provider, repository, nameKey, object);
                    }
                    RefControl controlForRef = checkedGet.controlFor(provider.get()).controlForRef(nameKey);
                    if (revTag.getFullMessage().contains("-----BEGIN PGP SIGNATURE-----\n")) {
                        if (!controlForRef.canPerform(Permission.CREATE_SIGNED_TAG)) {
                            throw new AuthException("createSignedTag not permitted");
                        }
                    } else if (!controlForRef.canPerform(Permission.CREATE_TAG)) {
                        throw new AuthException("createTag not permitted");
                    }
                } finally {
                }
            } catch (IOException e) {
                log.error("RevWalk({}) parsing {}:", nameKey.getParentKey(), revTag.name(), e);
                throw e;
            }
        }
    }

    private void checkCreateCommit(Provider<? extends CurrentUser> provider, Repository repository, RevCommit revCommit, ProjectState projectState, PermissionBackend.ForRef forRef) throws AuthException, PermissionBackendException {
        try {
            forRef.check(RefPermission.UPDATE);
        } catch (AuthException e) {
            if (!projectState.controlFor(provider.get()).isReachableFromHeadsOrTags(repository, revCommit)) {
                throw new AuthException(String.format("%s for creating new commit object not permitted", RefPermission.UPDATE.describeForException()));
            }
        }
    }
}
