package com.google.gerrit.server.account;

import com.google.gerrit.extensions.annotations.CapabilityScope;
import com.google.gerrit.extensions.annotations.RequiresAnyCapability;
import com.google.gerrit.extensions.annotations.RequiresCapability;
import com.google.gerrit.extensions.restapi.AuthException;
import com.google.gerrit.server.CurrentUser;
import com.google.inject.Provider;
import java.lang.annotation.Annotation;
import java.util.Arrays;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/google/gerrit/server/account/CapabilityUtils.class */
public class CapabilityUtils {
    private static final Logger log = LoggerFactory.getLogger(CapabilityUtils.class);

    public static void checkRequiresCapability(Provider<CurrentUser> provider, String str, Class<?> cls) throws AuthException {
        checkRequiresCapability(provider.get(), str, cls);
    }

    public static void checkRequiresCapability(CurrentUser currentUser, String str, Class<?> cls) throws AuthException {
        RequiresCapability requiresCapability = (RequiresCapability) getClassAnnotation(cls, RequiresCapability.class);
        RequiresAnyCapability requiresAnyCapability = (RequiresAnyCapability) getClassAnnotation(cls, RequiresAnyCapability.class);
        if (requiresCapability != null && requiresAnyCapability != null) {
            log.error("Class {} uses both @{} and @{}", cls.getName(), RequiresCapability.class.getSimpleName(), RequiresAnyCapability.class.getSimpleName());
            throw new AuthException("cannot check capability");
        }
        CapabilityControl capabilities = currentUser.getCapabilities();
        if (capabilities.canAdministrateServer()) {
            return;
        }
        checkRequiresCapability(capabilities, str, cls, requiresCapability);
        checkRequiresAnyCapability(capabilities, str, cls, requiresAnyCapability);
    }

    private static void checkRequiresCapability(CapabilityControl capabilityControl, String str, Class<?> cls, RequiresCapability requiresCapability) throws AuthException {
        if (requiresCapability == null) {
            return;
        }
        String resolveCapability = resolveCapability(str, requiresCapability.value(), requiresCapability.scope(), cls);
        if (!capabilityControl.canPerform(resolveCapability)) {
            throw new AuthException(String.format("Capability %s is required to access this resource", resolveCapability));
        }
    }

    private static void checkRequiresAnyCapability(CapabilityControl capabilityControl, String str, Class<?> cls, RequiresAnyCapability requiresAnyCapability) throws AuthException {
        if (requiresAnyCapability == null) {
            return;
        }
        if (requiresAnyCapability.value().length == 0) {
            log.error("Class {} uses @{} with no capabilities listed", cls.getName(), RequiresAnyCapability.class.getSimpleName());
            throw new AuthException("cannot check capability");
        }
        for (String str2 : requiresAnyCapability.value()) {
            if (capabilityControl.canPerform(resolveCapability(str, str2, requiresAnyCapability.scope(), cls))) {
                return;
            }
        }
        throw new AuthException("One of the following capabilities is required to access this resource: " + Arrays.asList(requiresAnyCapability.value()));
    }

    private static String resolveCapability(String str, String str2, CapabilityScope capabilityScope, Class<?> cls) throws AuthException {
        if (str != null && !"gerrit".equals(str) && (capabilityScope == CapabilityScope.PLUGIN || capabilityScope == CapabilityScope.CONTEXT)) {
            str2 = String.format("%s-%s", str, str2);
        } else if (capabilityScope == CapabilityScope.PLUGIN) {
            log.error("Class {} uses @{}(scope={}), but is not within a plugin", cls.getName(), RequiresCapability.class.getSimpleName(), CapabilityScope.PLUGIN.name());
            throw new AuthException("cannot check capability");
        }
        return str2;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private static <T extends Annotation> T getClassAnnotation(Class<?> cls, Class<T> cls2) {
        while (cls != null) {
            T t = (T) cls.getAnnotation(cls2);
            if (t != null) {
                return t;
            }
            cls = cls.getSuperclass();
        }
        return null;
    }
}
