package com.google.gerrit.server.restapi.project;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
import com.google.gerrit.entities.AccessSection;
import com.google.gerrit.entities.Project;
import com.google.gerrit.exceptions.InvalidNameException;
import com.google.gerrit.extensions.api.access.AccessSectionInfo;
import com.google.gerrit.extensions.api.access.PermissionInfo;
import com.google.gerrit.extensions.api.access.PermissionRuleInfo;
import com.google.gerrit.extensions.api.access.ProjectAccessInfo;
import com.google.gerrit.extensions.api.access.ProjectAccessInput;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.extensions.restapi.ResourceConflictException;
import com.google.gerrit.extensions.restapi.Response;
import com.google.gerrit.extensions.restapi.RestModifyView;
import com.google.gerrit.server.CreateGroupPermissionSyncer;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.GroupBackend;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.RefPermission;
import com.google.gerrit.server.project.ProjectConfig;
import com.google.gerrit.server.project.ProjectResource;
import com.google.gerrit.server.restapi.project.RepoMetaDataUpdater;
import com.google.inject.Inject;
import com.google.inject.Provider;
import com.google.inject.Singleton;
import java.util.Map;
import org.eclipse.jgit.errors.ConfigInvalidException;

@Singleton
/* loaded from: input_file:com/google/gerrit/server/restapi/project/SetAccess.class */
public class SetAccess implements RestModifyView<ProjectResource, ProjectAccessInput> {
    protected final GroupBackend groupBackend;
    private final PermissionBackend permissionBackend;
    private final GetAccess getAccess;
    private final Provider<IdentifiedUser> identifiedUser;
    private final SetAccessUtil accessUtil;
    private final RepoMetaDataUpdater repoMetaDataUpdater;
    private final CreateGroupPermissionSyncer createGroupPermissionSyncer;

    @Inject
    private SetAccess(GroupBackend groupBackend, PermissionBackend permissionBackend, GetAccess getAccess, Provider<IdentifiedUser> provider, SetAccessUtil setAccessUtil, CreateGroupPermissionSyncer createGroupPermissionSyncer, RepoMetaDataUpdater repoMetaDataUpdater) {
        this.groupBackend = groupBackend;
        this.permissionBackend = permissionBackend;
        this.getAccess = getAccess;
        this.identifiedUser = provider;
        this.accessUtil = setAccessUtil;
        this.repoMetaDataUpdater = repoMetaDataUpdater;
        this.createGroupPermissionSyncer = createGroupPermissionSyncer;
    }

    @Override // com.google.gerrit.extensions.restapi.RestModifyView
    public Response<ProjectAccessInfo> apply(ProjectResource projectResource, ProjectAccessInput projectAccessInput) throws Exception {
        validateInput(projectAccessInput);
        ImmutableList<AccessSection> accessSections = this.accessUtil.getAccessSections(projectAccessInput.remove, false);
        ImmutableList<AccessSection> accessSections2 = this.accessUtil.getAccessSections(projectAccessInput.add, true);
        try {
            RepoMetaDataUpdater.ConfigUpdater configUpdaterWithoutPermissionsCheck = this.repoMetaDataUpdater.configUpdaterWithoutPermissionsCheck(projectResource.getNameKey(), projectAccessInput.message, "Modify access rules");
            try {
                ProjectConfig config = configUpdaterWithoutPermissionsCheck.getConfig();
                boolean z = false;
                for (AccessSection accessSection : Iterables.concat(accessSections2, accessSections)) {
                    if (!AccessSection.GLOBAL_CAPABILITIES.equals(accessSection.getName())) {
                        this.permissionBackend.currentUser().project(projectResource.getNameKey()).ref(accessSection.getName()).check(RefPermission.WRITE_CONFIG);
                    } else if (!z) {
                        this.permissionBackend.currentUser().check(GlobalPermission.ADMINISTRATE_SERVER);
                        z = true;
                    }
                }
                this.accessUtil.validateChanges(config, accessSections, accessSections2);
                this.accessUtil.applyChanges(config, accessSections, accessSections2);
                this.accessUtil.setParentName(this.identifiedUser.get(), config, projectResource.getNameKey(), projectAccessInput.parent == null ? null : Project.nameKey(projectAccessInput.parent), !z);
                configUpdaterWithoutPermissionsCheck.commitConfigUpdate();
                this.createGroupPermissionSyncer.syncIfNeeded();
                if (configUpdaterWithoutPermissionsCheck != null) {
                    configUpdaterWithoutPermissionsCheck.close();
                }
                return Response.ok(this.getAccess.apply(projectResource.getNameKey()));
            } finally {
            }
        } catch (InvalidNameException e) {
            throw new BadRequestException(e.toString());
        } catch (ConfigInvalidException e2) {
            throw new ResourceConflictException(projectResource.getName(), e2);
        }
    }

    private static void validateInput(ProjectAccessInput projectAccessInput) throws BadRequestException {
        if (projectAccessInput.add != null) {
            for (Map.Entry<String, AccessSectionInfo> entry : projectAccessInput.add.entrySet()) {
                validateAccessSection(entry.getKey(), entry.getValue());
            }
        }
    }

    private static void validateAccessSection(String str, AccessSectionInfo accessSectionInfo) throws BadRequestException {
        if (accessSectionInfo != null) {
            for (Map.Entry<String, PermissionInfo> entry : accessSectionInfo.permissions.entrySet()) {
                validatePermission(str, entry.getKey(), entry.getValue());
            }
        }
    }

    private static void validatePermission(String str, String str2, PermissionInfo permissionInfo) throws BadRequestException {
        if (permissionInfo != null) {
            for (Map.Entry<String, PermissionRuleInfo> entry : permissionInfo.rules.entrySet()) {
                validatePermissionRule(str, str2, entry.getKey(), entry.getValue());
            }
        }
    }

    private static void validatePermissionRule(String str, String str2, String str3, PermissionRuleInfo permissionRuleInfo) throws BadRequestException {
        if (permissionRuleInfo != null) {
            if (permissionRuleInfo.min == null && permissionRuleInfo.max == null) {
                return;
            }
            if (permissionRuleInfo.min == null) {
                throw new BadRequestException(String.format("Invalid range for permission rule that assigns %s to group %s on ref %s: ..%d (min is required if max is set)", str2, str3, str, permissionRuleInfo.max));
            }
            if (permissionRuleInfo.max == null) {
                throw new BadRequestException(String.format("Invalid range for permission rule that assigns %s to group %s on ref %s: %d.. (max is required if min is set)", str2, str3, str, permissionRuleInfo.min));
            }
            if (permissionRuleInfo.min.intValue() > permissionRuleInfo.max.intValue()) {
                throw new BadRequestException(String.format("Invalid range for permission rule that assigns %s to group %s on ref %s: %d..%d (min must be <= max)", str2, str3, str, permissionRuleInfo.min, permissionRuleInfo.max));
            }
        }
    }
}
