package pl.allegro.tech.hermes.management.api;

import jakarta.annotation.Priority;
import jakarta.ws.rs.ServiceUnavailableException;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.ext.Provider;
import java.io.IOException;
import org.glassfish.jersey.server.ContainerRequest;
import org.springframework.beans.factory.annotation.Autowired;
import pl.allegro.tech.hermes.management.api.auth.Roles;
import pl.allegro.tech.hermes.management.domain.mode.ModeService;

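/**
 * Request filter that enforces the management API's read-only mode.
 *
 * <p>While {@link ModeService#isReadOnlyEnabled()} returns {@code true}, a request is rejected
 * with a {@link ServiceUnavailableException} (HTTP 503) unless one of the following holds:
 * it is a {@code GET}, its path is on the allowlist in {@link #isWhitelisted(ContainerRequest)},
 * or the caller is in the {@link Roles#ADMIN} role.
 *
 * <p>The priority 2001 is one above {@code jakarta.ws.rs.Priorities.AUTHORIZATION} (2000), so this
 * filter runs after filters registered at that priority.
 * NOTE(review): the admin exemption relies on the security context already being populated when
 * this filter runs - confirm against the priority of the authentication/authorization filter.
 */
@Provider
@Priority(2001)
/* loaded from: input_file:pl/allegro/tech/hermes/management/api/ReadOnlyFilter.class */
public class ReadOnlyFilter implements ContainerRequestFilter {
    private static final String READ_ONLY_ERROR_MESSAGE = "Action forbidden due to read-only mode";
    private static final String QUERY_ROOT = "/query";
    private static final String MODE_ROOT = "/mode";
    private static final String TOPICS_PREFIX = "/topics/";
    private static final String QUERY_SUFFIX = "/query";

    private final ModeService modeService;

    /**
     * Creates the filter.
     *
     * @param modeService source of the current read-only flag
     */
    @Autowired
    public ReadOnlyFilter(ModeService modeService) {
        this.modeService = modeService;
    }

    /**
     * Rejects the request when read-only mode is on and no exemption applies.
     *
     * @param containerRequestContext the request being filtered
     * @throws ServiceUnavailableException if read-only mode is enabled and the request is neither
     *     allowlisted nor made by an admin
     * @throws IOException declared by the filter contract; not thrown by this implementation
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (!this.modeService.isReadOnlyEnabled()) {
            return;
        }
        ContainerRequest request = (ContainerRequest) containerRequestContext.getRequest();
        // The allowlist is evaluated before the role check, as in the original condition.
        if (isWhitelisted(request) || isAdmin(containerRequestContext)) {
            return;
        }
        throw new ServiceUnavailableException(READ_ONLY_ERROR_MESSAGE);
    }

    /** Returns whether the caller's security context reports the {@link Roles#ADMIN} role. */
    private boolean isAdmin(ContainerRequestContext containerRequestContext) {
        return containerRequestContext.getSecurityContext().isUserInRole(Roles.ADMIN);
    }

    /**
     * Decides whether a request is exempt from read-only mode regardless of the caller's role.
     *
     * <p>Exempt are: every {@code GET}; {@code /query} and {@code /mode} and anything below them;
     * and paths below {@code /topics/} whose last segment is exactly {@code query}.
     *
     * <p>Matching is done on whole path segments. A bare {@code startsWith}/{@code endsWith}
     * would also exempt unrelated resources whose names merely begin with {@code query} or
     * {@code mode}, or end with {@code query}, letting modifying requests through while the
     * service is meant to be read-only.
     *
     * <p>NOTE(review): only {@code GET} is treated as a read; {@code HEAD} and {@code OPTIONS}
     * are rejected for non-admins in read-only mode - confirm this is intended.
     *
     * @param containerRequest the Jersey request
     * @return {@code true} if the request may proceed in read-only mode
     */
    private boolean isWhitelisted(ContainerRequest containerRequest) {
        if ("GET".equals(containerRequest.getMethod())) {
            return true;
        }
        // Use the undecoded path so that a percent-encoded '/' inside a segment is not mistaken
        // for a segment boundary by the checks below. Requests that percent-encode the literal
        // allowlisted segments no longer match and are rejected (fail closed).
        // NOTE(review): UriInfo.getPath() is defined as relative to the base URI; confirm it
        // carries a leading '/' in this deployment, otherwise none of these patterns match and
        // only GET requests and admins pass.
        String path = containerRequest.getUriInfo().getPath(false);
        if (isAtOrBelow(path, QUERY_ROOT) || isAtOrBelow(path, MODE_ROOT)) {
            return true;
        }
        return path.startsWith(TOPICS_PREFIX) && path.endsWith(QUERY_SUFFIX);
    }

    /** Returns whether {@code path} equals {@code root} or lies in the subtree below it. */
    private static boolean isAtOrBelow(String path, String root) {
        return path.equals(root) || path.startsWith(root + "/");
    }
}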
