package com.linecorp.centraldogma.server.internal.api.auth;

import com.linecorp.armeria.common.HttpRequest;
import com.linecorp.armeria.common.HttpResponse;
import com.linecorp.armeria.common.HttpStatus;
import com.linecorp.armeria.common.RequestContext;
import com.linecorp.armeria.common.util.Exceptions;
import com.linecorp.armeria.server.HttpService;
import com.linecorp.armeria.server.ServiceRequestContext;
import com.linecorp.armeria.server.SimpleDecoratingHttpService;
import com.linecorp.armeria.server.annotation.DecoratorFactoryFunction;
import com.linecorp.centraldogma.internal.shaded.guava.base.Preconditions;
import com.linecorp.centraldogma.internal.shaded.guava.base.Strings;
import com.linecorp.centraldogma.server.internal.admin.auth.AuthUtil;
import com.linecorp.centraldogma.server.internal.api.HttpApiUtil;
import com.linecorp.centraldogma.server.metadata.MetadataService;
import com.linecorp.centraldogma.server.metadata.MetadataServiceInjector;
import com.linecorp.centraldogma.server.metadata.Permission;
import com.linecorp.centraldogma.server.metadata.User;
import java.util.Objects;
import java.util.function.Function;
import javax.annotation.Nullable;

/* loaded from: input_file:com/linecorp/centraldogma/server/internal/api/auth/RequiresPermissionDecorator.class */
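/**
 * Decorator that authorizes a request against a repository before handing it to the
 * wrapped service.
 *
 * <p>The project and repository are taken from the values fixed at construction time or,
 * when those are {@code null}, from the {@code projectName} / {@code repoName} path
 * parameters of the request. Path parameters are caller-controlled, so the repository name
 * is normalized (optional {@code .git} suffix removed) <em>before</em> any authorization
 * decision is made on it.
 */
public final class RequiresPermissionDecorator extends SimpleDecoratingHttpService {
    /** Name of the internal repository that only administrators may access. */
    private static final String INTERNAL_REPO_NAME = "dogma";

    /** Suffix that is stripped from repository names before they are looked up. */
    private static final String GIT_SUFFIX = ".git";

    private final Permission requiredPermission;

    @Nullable
    private final String projectName;

    @Nullable
    private final String repoName;

    /* loaded from: input_file:com/linecorp/centraldogma/server/internal/api/auth/RequiresPermissionDecorator$RequiresReadPermissionDecoratorFactory.class */
    /**
     * Builds decorators that demand {@link Permission#READ}. Empty annotation attributes are
     * mapped to {@code null}, which makes the decorator fall back to the path parameters.
     */
    public static final class RequiresReadPermissionDecoratorFactory implements DecoratorFactoryFunction<RequiresReadPermission> {
        public Function<? super HttpService, ? extends HttpService> newDecorator(RequiresReadPermission requiresReadPermission) {
            return delegate -> new RequiresPermissionDecorator(
                    delegate,
                    Permission.READ,
                    Strings.emptyToNull(requiresReadPermission.project()),
                    Strings.emptyToNull(requiresReadPermission.repository()));
        }
    }

    /* loaded from: input_file:com/linecorp/centraldogma/server/internal/api/auth/RequiresPermissionDecorator$RequiresWritePermissionDecoratorFactory.class */
    /**
     * Builds decorators that demand {@link Permission#WRITE}. Empty annotation attributes are
     * mapped to {@code null}, which makes the decorator fall back to the path parameters.
     */
    public static final class RequiresWritePermissionDecoratorFactory implements DecoratorFactoryFunction<RequiresWritePermission> {
        public Function<? super HttpService, ? extends HttpService> newDecorator(RequiresWritePermission requiresWritePermission) {
            return delegate -> new RequiresPermissionDecorator(
                    delegate,
                    Permission.WRITE,
                    Strings.emptyToNull(requiresWritePermission.project()),
                    Strings.emptyToNull(requiresWritePermission.repository()));
        }
    }

    /**
     * Creates a decorator around {@code httpService}.
     *
     * @param httpService the service to invoke once the caller is authorized
     * @param permission the permission the caller must hold; must not be {@code null}
     * @param projectName fixed project name, or {@code null} to read it from the request path
     * @param repoName fixed repository name, or {@code null} to read it from the request path
     * @throws NullPointerException if {@code permission} is {@code null}
     */
    RequiresPermissionDecorator(HttpService httpService, Permission permission, @Nullable String projectName, @Nullable String repoName) {
        super(httpService);
        this.requiredPermission = (Permission) Objects.requireNonNull(permission, "requiredPermission");
        this.projectName = projectName;
        this.repoName = repoName;
    }

    /**
     * Resolves the target project and repository, applies the access check and, if it
     * passes, delegates to the wrapped service.
     *
     * <p>The internal repository requires an administrator; every other repository requires
     * {@code requiredPermission} as reported by the {@link MetadataService}.
     *
     * @throws IllegalArgumentException if no project or repository name can be resolved
     */
    public HttpResponse serve(ServiceRequestContext serviceRequestContext, HttpRequest httpRequest) throws Exception {
        final MetadataService metadataService = MetadataServiceInjector.getMetadataService(serviceRequestContext);
        final User currentUser = AuthUtil.currentUser(serviceRequestContext);

        final String project = this.projectName != null
                ? this.projectName
                : serviceRequestContext.pathParam("projectName");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(project), "no project name is specified");

        final String requestedRepo = this.repoName != null
                ? this.repoName
                : serviceRequestContext.pathParam("repoName");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(requestedRepo), "no repository name is specified");

        // Canonicalize first, authorize second. Comparing the raw name with the internal
        // repository name and stripping ".git" only afterwards would send "dogma.git" down
        // the ordinary per-repository permission path instead of the administrator-only one.
        // NOTE(review): whether that path could ever grant access depends on
        // MetadataService.findPermissions, which is not visible here; normalizing up front
        // removes the dependency on that behaviour.
        final String repo = maybeRemoveGitSuffix(requestedRepo);

        if (INTERNAL_REPO_NAME.equals(repo)) {
            if (!currentUser.isAdmin()) {
                return throwForbiddenResponse(serviceRequestContext, project, repo, "administrator");
            }
            return unwrap().serve(serviceRequestContext, httpRequest);
        }
        return serveUserRepo(serviceRequestContext, httpRequest, metadataService, currentUser, project, repo);
    }

    /**
     * Raises a 403 response stating which kind of user may access the repository.
     * The declared return type only lets callers write {@code return throwForbiddenResponse(...)}.
     */
    private static HttpResponse throwForbiddenResponse(ServiceRequestContext serviceRequestContext, String project, String repo, String adminOrOwner) {
        return (HttpResponse) HttpApiUtil.throwResponse((RequestContext) serviceRequestContext, HttpStatus.FORBIDDEN, "Repository '%s/%s' can be accessed only by an %s.", project, repo, adminOrOwner);
    }

    /**
     * Removes a trailing {@code .git} from {@code name}. A name that consists of the suffix
     * alone is returned unchanged so the result is never empty.
     */
    private static String maybeRemoveGitSuffix(String name) {
        final boolean hasPrefixBeforeSuffix = name.length() > GIT_SUFFIX.length();
        if (hasPrefixBeforeSuffix && name.endsWith(GIT_SUFFIX)) {
            return name.substring(0, name.length() - GIT_SUFFIX.length());
        }
        return name;
    }

    /**
     * Looks up the caller's permissions for {@code project/repo} and invokes the wrapped
     * service only when they include {@code requiredPermission}; otherwise a 403 is raised.
     * Lookup failures, synchronous or asynchronous, are passed to
     * {@code RequiresRoleDecorator.handleException}.
     */
    private HttpResponse serveUserRepo(ServiceRequestContext serviceRequestContext, HttpRequest httpRequest, MetadataService metadataService, User user, String project, String repo) throws Exception {
        try {
            return HttpResponse.of(metadataService.findPermissions(project, repo, user).handle((permissions, cause) -> {
                if (cause != null) {
                    return RequiresRoleDecorator.handleException(serviceRequestContext, cause);
                }
                if (!permissions.contains(this.requiredPermission)) {
                    return (HttpResponse) HttpApiUtil.throwResponse((RequestContext) serviceRequestContext, HttpStatus.FORBIDDEN, "You must have %s permission for repository '%s/%s'.", this.requiredPermission, project, repo);
                }
                // The delegate is reached only after the permission check above has passed.
                try {
                    return unwrap().serve(serviceRequestContext, httpRequest);
                } catch (Exception e) {
                    // Rethrow without wrapping so the original exception type is preserved.
                    return (HttpResponse) Exceptions.throwUnsafely(e);
                }
            }));
        } catch (Throwable t) {
            return RequiresRoleDecorator.handleException(serviceRequestContext, t);
        }
    }
}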
