package com.google.gerrit.server.account;

import com.google.common.collect.UnmodifiableIterator;
import com.google.common.flogger.FluentLogger;
import com.google.gerrit.common.UsedAt;
import com.google.gerrit.entities.Account;
import com.google.gerrit.entities.AccountGroup;
import com.google.gerrit.entities.AccountsSection;
import com.google.gerrit.entities.PermissionRule;
import com.google.gerrit.extensions.common.AccountVisibility;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.server.CurrentUser;
import com.google.gerrit.server.IdentifiedUser;
import com.google.gerrit.server.account.GroupControl;
import com.google.gerrit.server.group.SystemGroupBackend;
import com.google.gerrit.server.permissions.GlobalPermission;
import com.google.gerrit.server.permissions.PermissionBackend;
import com.google.gerrit.server.permissions.PermissionBackendException;
import com.google.gerrit.server.project.ProjectCache;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;

/* loaded from: input_file:com/google/gerrit/server/account/AccountControl.class */
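/**
 * Decides whether the user this instance is bound to may see another account.
 *
 * <p>The decision combines the server-wide {@link AccountVisibility} mode, the caller's
 * {@code VIEW_ALL_ACCOUNTS} global permission and, for the group-based modes, the group
 * memberships of both users. A permission lookup that fails is treated as "not granted", and an
 * unrecognised visibility mode raises {@link IllegalStateException}, so neither condition widens
 * what the caller can see.
 *
 * <p>NOTE(review): the {@code VIEW_ALL_ACCOUNTS} result is cached in an unsynchronized field;
 * presumably one instance serves a single caller on a single thread — confirm before sharing.
 */
public class AccountControl {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    private final AccountsSection accountsSection;
    private final GroupControl.Factory groupControlFactory;
    private final PermissionBackend.WithUser perm;
    private final CurrentUser user;
    private final IdentifiedUser.GenericFactory userFactory;
    private final AccountVisibility accountVisibility;
    // Result of the VIEW_ALL_ACCOUNTS check; stays null until viewAll() first runs.
    private Boolean viewAll;

    /** Creates {@link AccountControl} instances bound to a particular user. */
    public static class Factory {
        private final PermissionBackend permissionBackend;
        private final ProjectCache projectCache;
        private final GroupControl.Factory groupControlFactory;
        private final Provider<CurrentUser> user;
        private final IdentifiedUser.GenericFactory userFactory;
        private final AccountVisibility accountVisibility;

        @Inject
        Factory(PermissionBackend permissionBackend, ProjectCache projectCache, GroupControl.Factory factory, Provider<CurrentUser> provider, IdentifiedUser.GenericFactory genericFactory, AccountVisibility accountVisibility) {
            this.permissionBackend = permissionBackend;
            this.projectCache = projectCache;
            this.groupControlFactory = factory;
            this.user = provider;
            this.userFactory = genericFactory;
            this.accountVisibility = accountVisibility;
        }

        /**
         * Returns a control bound to the user supplied by the injected provider.
         *
         * @return a new control; the user is resolved from the provider on every call
         */
        public AccountControl get() {
            return new AccountControl(this.permissionBackend, this.projectCache, this.groupControlFactory, this.user.get(), this.userFactory, this.accountVisibility);
        }

        /**
         * Returns a control that evaluates visibility from the given user's point of view.
         *
         * @param identifiedUser the user whose permissions and groups drive the checks
         * @return a new control bound to {@code identifiedUser}
         */
        @UsedAt(UsedAt.Project.PLUGIN_CODE_OWNERS)
        public AccountControl get(IdentifiedUser identifiedUser) {
            return new AccountControl(this.permissionBackend, this.projectCache, this.groupControlFactory, identifiedUser, this.userFactory, this.accountVisibility);
        }
    }

    /**
     * The account being looked at. The {@link IdentifiedUser} is built only when a check needs
     * it, so the checks that decide on the account id alone never construct one.
     *
     * <p>The decompiler widened this class from private to public; the private constructor
     * still confines subclasses to {@link AccountControl}.
     */
    public abstract static class OtherUser {
        IdentifiedUser user;

        private OtherUser() {
        }

        /** Returns the user, creating it through {@link #createUser()} on first use. */
        IdentifiedUser getUser() {
            if (this.user == null) {
                this.user = createUser();
            }
            return this.user;
        }

        abstract IdentifiedUser createUser();

        abstract Account.Id getId();
    }

    private AccountControl(PermissionBackend permissionBackend, ProjectCache projectCache, GroupControl.Factory factory, CurrentUser currentUser, IdentifiedUser.GenericFactory genericFactory, AccountVisibility accountVisibility) {
        // The sameGroupVisibility rules come from the All-Projects configuration.
        this.accountsSection = projectCache.getAllProjects().getConfig().getAccountsSection();
        this.groupControlFactory = factory;
        this.perm = permissionBackend.user(currentUser);
        this.user = currentUser;
        this.userFactory = genericFactory;
        this.accountVisibility = accountVisibility;
    }

    /** Returns the user whose point of view this control evaluates. */
    public CurrentUser getUser() {
        return this.user;
    }

    /**
     * Tells whether the bound user may see the account with the given id.
     *
     * @param id the account to look at
     * @return {@code true} if the account is visible to the bound user
     * @throws IllegalStateException if the configured visibility mode is not handled
     */
    public boolean canSee(final Account.Id id) {
        return canSee(new OtherUser() {
            @Override
            Account.Id getId() {
                return id;
            }

            @Override
            IdentifiedUser createUser() {
                return AccountControl.this.userFactory.create(id);
            }
        });
    }

    /**
     * Tells whether the bound user may see the given account.
     *
     * @param accountState the account to look at
     * @return {@code true} if the account is visible to the bound user
     * @throws IllegalStateException if the configured visibility mode is not handled
     */
    public boolean canSee(final AccountState accountState) {
        return canSee(new OtherUser() {
            @Override
            Account.Id getId() {
                return accountState.account().id();
            }

            @Override
            IdentifiedUser createUser() {
                return AccountControl.this.userFactory.create(accountState);
            }
        });
    }

    /**
     * Runs the visibility decision. The three unconditional grants (mode {@code ALL}, the
     * caller's own account, {@code VIEW_ALL_ACCOUNTS}) are tried first; only then does the
     * configured mode decide.
     */
    private boolean canSee(OtherUser otherUser) {
        if (this.accountVisibility == AccountVisibility.ALL) {
            logger.atFine().log("user %s can see account %d (accountVisibility = %s)", this.user.getLoggableName(), otherUser.getId().get(), AccountVisibility.ALL);
            return true;
        }
        if (this.user.isIdentifiedUser() && this.user.getAccountId().equals(otherUser.getId())) {
            logger.atFine().log("user %s can see own account %d", this.user.getLoggableName(), otherUser.getId().get());
            return true;
        }
        if (viewAll()) {
            logger.atFine().log("user %s can see account %d (view all accounts = true)", this.user.getLoggableName(), otherUser.getId().get());
            return true;
        }
        if (this.accountVisibility == AccountVisibility.SAME_GROUP) {
            return sharesGroupWith(otherUser);
        }
        if (this.accountVisibility == AccountVisibility.VISIBLE_GROUP) {
            return isMemberOfVisibleGroup(otherUser);
        }
        if (this.accountVisibility == AccountVisibility.NONE) {
            logger.atFine().log("user %s cannot see account %d (accountVisibility = %s)", this.user.getLoggableName(), otherUser.getId().get(), AccountVisibility.NONE);
            return false;
        }
        // ALL returned above, so reaching this point means a mode this class does not know.
        // Throwing denies the request instead of guessing.
        throw new IllegalStateException("Bad AccountVisibility " + this.accountVisibility);
    }

    /**
     * SAME_GROUP mode: visible when the caller's effective groups contain at least one of the
     * other user's groups that is not covered by a block/deny sameGroupVisibility rule.
     */
    private boolean sharesGroupWith(OtherUser otherUser) {
        Set<AccountGroup.UUID> otherGroups = groupsOf(otherUser.getUser());
        for (PermissionRule rule : this.accountsSection.getSameGroupVisibility()) {
            if (rule.isBlock() || rule.isDeny()) {
                logger.atFine().log("ignoring group %s of user %s for %s account visibility check because there is a blocked/denied sameGroupVisibility rule: %s", rule.getGroup().getUUID(), otherUser.getUser().getLoggableName(), AccountVisibility.SAME_GROUP, rule);
                // A blocked or denied group must not count as a shared group.
                otherGroups.remove(rule.getGroup().getUUID());
            }
        }
        if (this.user.getEffectiveGroups().containsAnyOf(otherGroups)) {
            logger.atFine().log("user %s can see account %d because they share a group (accountVisibility = %s)", this.user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
            return true;
        }
        logger.atFine().log("user %s cannot see account %d because they don't share a group (accountVisibility = %s)", this.user.getLoggableName(), otherUser.getId().get(), AccountVisibility.SAME_GROUP);
        logger.atFine().log("groups of user %s: %s", this.user.getLoggableName(), groupsOf(this.user));
        logger.atFine().log("groups of other user %s: %s", otherUser.getUser().getLoggableName(), otherGroups);
        return false;
    }

    /**
     * VISIBLE_GROUP mode: visible when the other user belongs to at least one non-system group
     * that the group control reports as visible.
     */
    private boolean isMemberOfVisibleGroup(OtherUser otherUser) {
        Set<AccountGroup.UUID> otherGroups = groupsOf(otherUser.getUser());
        for (AccountGroup.UUID uuid : otherGroups) {
            if (this.groupControlFactory.controlFor(uuid).isVisible()) {
                logger.atFine().log("user %s can see account %d because it is member of the visible group %s (accountVisibility = %s)", this.user.getLoggableName(), otherUser.getId().get(), uuid.get(), AccountVisibility.VISIBLE_GROUP);
                return true;
            }
        }
        logger.atFine().log("user %s cannot see account %d because none of its groups are visible (accountVisibility = %s)", this.user.getLoggableName(), otherUser.getId().get(), AccountVisibility.VISIBLE_GROUP);
        logger.atFine().log("groups of other user %s: %s", otherUser.getUser().getLoggableName(), otherGroups);
        return false;
    }

    /**
     * Checks, once per instance, whether the bound user holds {@code VIEW_ALL_ACCOUNTS}.
     *
     * @return {@code true} only if the permission check succeeded
     */
    private boolean viewAll() {
        if (this.viewAll == null) {
            try {
                this.perm.check(GlobalPermission.VIEW_ALL_ACCOUNTS);
                this.viewAll = true;
            } catch (AuthException e) {
                this.viewAll = false;
            } catch (PermissionBackendException e2) {
                // Fail closed: a backend error counts as "permission not held". It is logged at
                // fine level only, and the negative result stays cached for this instance.
                logger.atFine().withCause(e2).log("Failed to check %s global capability for user %s", GlobalPermission.VIEW_ALL_ACCOUNTS, this.user.getLoggableName());
                this.viewAll = false;
            }
        }
        return this.viewAll;
    }

    /**
     * Collects the known effective groups of a user, leaving out system groups.
     *
     * @param currentUser the user whose groups are collected
     * @return a fresh {@link HashSet} the caller may modify; the SAME_GROUP check removes
     *     entries from it, which {@code Collectors.toSet()} does not promise to support
     */
    private Set<AccountGroup.UUID> groupsOf(CurrentUser currentUser) {
        return currentUser.getEffectiveGroups().getKnownGroups().stream()
                .filter(uuid -> !SystemGroupBackend.isSystemGroup(uuid))
                .collect(Collectors.toCollection(HashSet::new));
    }
}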
