package com.linecorp.centraldogma.server.internal.api.auth;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.Request;
import com.linecorp.armeria.common.Response;
import com.linecorp.armeria.common.util.Exceptions;
import com.linecorp.armeria.server.DecoratingServiceFunction;
import com.linecorp.armeria.server.Service;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.centraldogma.common.ProjectNotFoundException;
import com.linecorp.centraldogma.common.RepositoryNotFoundException;
import com.linecorp.centraldogma.server.internal.admin.authentication.AuthenticationUtil;
import com.linecorp.centraldogma.server.internal.admin.authentication.User;
import com.linecorp.centraldogma.server.internal.api.HttpApiUtil;
import com.linecorp.centraldogma.server.internal.metadata.MetadataService;
import com.linecorp.centraldogma.server.internal.metadata.MetadataServiceInjector;
import com.linecorp.centraldogma.server.internal.metadata.ProjectRole;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/linecorp/centraldogma/server/internal/api/auth/AbstractRoleCheckingDecorator.class */
public abstract class AbstractRoleCheckingDecorator implements DecoratingServiceFunction<HttpRequest, HttpResponse> {
    public final HttpResponse serve(Service<HttpRequest, HttpResponse> service, ServiceRequestContext serviceRequestContext, HttpRequest httpRequest) throws Exception {
        MetadataService metadataService = MetadataServiceInjector.getMetadataService(serviceRequestContext);
        User currentUser = AuthenticationUtil.currentUser(serviceRequestContext);
        String pathParam = serviceRequestContext.pathParam("projectName");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(pathParam), "no project name is specified");
        try {
            return HttpResponse.from(metadataService.findRole(pathParam, currentUser).handle((projectRole, th) -> {
                if (th != null) {
                    return handleException(th);
                }
                if (!isAccessAllowed(serviceRequestContext, httpRequest, currentUser, projectRole)) {
                    return (HttpResponse) HttpApiUtil.throwResponse(HttpStatus.FORBIDDEN, "You must be %s of project '%s'.", projectRole, pathParam);
                }
                try {
                    return service.serve(serviceRequestContext, httpRequest);
                } catch (Exception e) {
                    return (HttpResponse) Exceptions.throwUnsafely(e);
                }
            }));
        } catch (Throwable th2) {
            return handleException(th2);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static HttpResponse handleException(Throwable th) {
        Throwable peel = Exceptions.peel(th);
        return ((peel instanceof RepositoryNotFoundException) || (peel instanceof ProjectNotFoundException)) ? HttpApiUtil.newResponse(HttpStatus.NOT_FOUND, peel) : (HttpResponse) Exceptions.throwUnsafely(peel);
    }

    protected abstract boolean isAccessAllowed(ServiceRequestContext serviceRequestContext, HttpRequest httpRequest, User user, ProjectRole projectRole);

    public /* bridge */ /* synthetic */ Response serve(Service service, ServiceRequestContext serviceRequestContext, Request request) throws Exception {
        return serve((Service<HttpRequest, HttpResponse>) service, serviceRequestContext, (HttpRequest) request);
    }
}
