package com.linecorp.centraldogma.server.internal.api.auth;

import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.Request;
import com.linecorp.armeria.common.Response;
import com.linecorp.armeria.common.util.Exceptions;
import com.linecorp.armeria.server.DecoratingServiceFunction;
import com.linecorp.armeria.server.Service;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.centraldogma.internal.shaded.guava.base.Preconditions;
import com.linecorp.centraldogma.internal.shaded.guava.base.Strings;
import com.linecorp.centraldogma.server.internal.admin.auth.AuthUtil;
import com.linecorp.centraldogma.server.internal.admin.auth.User;
import com.linecorp.centraldogma.server.internal.api.HttpApiUtil;
import com.linecorp.centraldogma.server.internal.metadata.MetadataService;
import com.linecorp.centraldogma.server.internal.metadata.MetadataServiceInjector;
import com.linecorp.centraldogma.server.internal.metadata.Permission;
import java.util.Collection;

/* loaded from: input_file:com/linecorp/centraldogma/server/internal/api/auth/AbstractPermissionCheckingDecorator.class */
abstract class AbstractPermissionCheckingDecorator implements DecoratingServiceFunction<HttpRequest, HttpResponse> {
    public final HttpResponse serve(Service<HttpRequest, HttpResponse> service, ServiceRequestContext serviceRequestContext, HttpRequest httpRequest) throws Exception {
        MetadataService metadataService = MetadataServiceInjector.getMetadataService(serviceRequestContext);
        User currentUser = AuthUtil.currentUser(serviceRequestContext);
        String pathParam = serviceRequestContext.pathParam("projectName");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(pathParam), "no project name is specified");
        String pathParam2 = serviceRequestContext.pathParam("repoName");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(pathParam2), "no repository name is specified");
        return "dogma".equals(pathParam2) ? serveInternalRepo(service, serviceRequestContext, httpRequest, metadataService, currentUser, pathParam) : serveUserRepo(service, serviceRequestContext, httpRequest, metadataService, currentUser, pathParam, pathParam2);
    }

    private static HttpResponse serveInternalRepo(Service<HttpRequest, HttpResponse> service, ServiceRequestContext serviceRequestContext, HttpRequest httpRequest, MetadataService metadataService, User user, String str) throws Exception {
        return user.isAdmin() ? service.serve(serviceRequestContext, httpRequest) : HttpResponse.from(metadataService.findRole(str, user).handle((projectRole, th) -> {
            if (th != null) {
                return AbstractRoleCheckingDecorator.handleException(th);
            }
            if (!user.isAdmin()) {
                return (HttpResponse) HttpApiUtil.throwResponse(HttpStatus.FORBIDDEN, "Repository '%s/%s' can be accessed only by an administrator.", str, "dogma");
            }
            try {
                return service.serve(serviceRequestContext, httpRequest);
            } catch (Exception e) {
                return (HttpResponse) Exceptions.throwUnsafely(e);
            }
        }));
    }

    private HttpResponse serveUserRepo(Service<HttpRequest, HttpResponse> service, ServiceRequestContext serviceRequestContext, HttpRequest httpRequest, MetadataService metadataService, User user, String str, String str2) throws Exception {
        try {
            return HttpResponse.from(metadataService.findPermissions(str, str2, user).handle((collection, th) -> {
                if (th != null) {
                    return AbstractRoleCheckingDecorator.handleException(th);
                }
                if (!hasPermission(collection)) {
                    return (HttpResponse) HttpApiUtil.throwResponse(HttpStatus.FORBIDDEN, "You must have %s permission for repository '%s/%s'.", collection, str, str2);
                }
                try {
                    return service.serve(serviceRequestContext, httpRequest);
                } catch (Exception e) {
                    return (HttpResponse) Exceptions.throwUnsafely(e);
                }
            }));
        } catch (Throwable th2) {
            return AbstractRoleCheckingDecorator.handleException(th2);
        }
    }

    protected abstract boolean hasPermission(Collection<Permission> collection);

    public /* bridge */ /* synthetic */ Response serve(Service service, ServiceRequestContext serviceRequestContext, Request request) throws Exception {
        return serve((Service<HttpRequest, HttpResponse>) service, serviceRequestContext, (HttpRequest) request);
    }
}
