package org.radarbase.jersey.auth.filter;

import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.UriInfo;
import java.util.List;
import kotlin.Metadata;
import kotlin.TuplesKt;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import org.jetbrains.annotations.NotNull;
import org.radarbase.auth.authorization.Permission;
import org.radarbase.jersey.auth.Auth;
import org.radarbase.jersey.auth.NeedsPermission;
import org.radarbase.jersey.exception.HttpForbiddenException;
import org.radarbase.jersey.service.ProjectService;

/* compiled from: PermissionFilter.kt */
@Metadata(mv = {1, 6, 0}, k = 1, xi = 48, d1 = {"��0\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n��\u0018��2\u00020\u0001B-\u0012\b\b\u0001\u0010\u0002\u001a\u00020\u0003\u0012\b\b\u0001\u0010\u0004\u001a\u00020\u0005\u0012\b\b\u0001\u0010\u0006\u001a\u00020\u0007\u0012\b\b\u0001\u0010\b\u001a\u00020\t¢\u0006\u0002\u0010\nJ\u0010\u0010\u000b\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eH\u0016R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0006\u001a\u00020\u0007X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\b\u001a\u00020\tX\u0082\u0004¢\u0006\u0002\n��¨\u0006\u000f"}, d2 = {"Lorg/radarbase/jersey/auth/filter/PermissionFilter;", "Ljakarta/ws/rs/container/ContainerRequestFilter;", "resourceInfo", "Ljakarta/ws/rs/container/ResourceInfo;", "auth", "Lorg/radarbase/jersey/auth/Auth;", "projectService", "Lorg/radarbase/jersey/service/ProjectService;", "uriInfo", "Ljakarta/ws/rs/core/UriInfo;", "(Ljakarta/ws/rs/container/ResourceInfo;Lorg/radarbase/jersey/auth/Auth;Lorg/radarbase/jersey/service/ProjectService;Ljakarta/ws/rs/core/UriInfo;)V", "filter", "", "requestContext", "Ljakarta/ws/rs/container/ContainerRequestContext;", "radar-jersey"})
/* loaded from: input_file:org/radarbase/jersey/auth/filter/PermissionFilter.class */
public final class PermissionFilter implements ContainerRequestFilter {

    @NotNull
    private final ResourceInfo resourceInfo;

    @NotNull
    private final Auth auth;

    @NotNull
    private final ProjectService projectService;

    @NotNull
    private final UriInfo uriInfo;

    public PermissionFilter(@Context @NotNull ResourceInfo resourceInfo, @Context @NotNull Auth auth, @Context @NotNull ProjectService projectService, @Context @NotNull UriInfo uriInfo) {
        Intrinsics.checkNotNullParameter(resourceInfo, "resourceInfo");
        Intrinsics.checkNotNullParameter(auth, "auth");
        Intrinsics.checkNotNullParameter(projectService, "projectService");
        Intrinsics.checkNotNullParameter(uriInfo, "uriInfo");
        this.resourceInfo = resourceInfo;
        this.auth = auth;
        this.projectService = projectService;
        this.uriInfo = uriInfo;
    }

    public void filter(@NotNull ContainerRequestContext containerRequestContext) {
        List list;
        List list2;
        Intrinsics.checkNotNullParameter(containerRequestContext, "requestContext");
        NeedsPermission needsPermission = (NeedsPermission) this.resourceInfo.getResourceMethod().getAnnotation(NeedsPermission.class);
        Permission permission = new Permission(needsPermission.entity(), needsPermission.operation());
        String projectPathParam = needsPermission.projectPathParam();
        String str = projectPathParam.length() > 0 ? projectPathParam : null;
        String str2 = (str == null || (list2 = (List) this.uriInfo.getPathParameters().get(str)) == null) ? null : (String) CollectionsKt.firstOrNull(list2);
        String userPathParam = needsPermission.userPathParam();
        String str3 = userPathParam.length() > 0 ? userPathParam : null;
        String str4 = (str3 == null || (list = (List) this.uriInfo.getPathParameters().get(str3)) == null) ? null : (String) CollectionsKt.firstOrNull(list);
        boolean hasPermissionOnProject = str4 != null ? str2 != null && this.auth.getToken().hasPermissionOnSubject(permission, str2, str4) : str2 != null ? this.auth.getToken().hasPermissionOnProject(permission, str2) : this.auth.getToken().hasPermission(permission);
        Auth.DefaultImpls.logPermission$default(this.auth, hasPermissionOnProject, permission, containerRequestContext.getMethod() + " " + containerRequestContext.getUriInfo().getPath(), str2, str4, null, 32, null);
        if (!hasPermissionOnProject) {
            String str5 = permission + " permission not given.";
            throw new HttpForbiddenException("insufficient_scope", str5, CollectionsKt.listOf(TuplesKt.to("WWW-Authenticate", "Bearer realm=\"Kafka REST Proxy\" error=\"insufficient_scope\" error_description=\"" + str5 + "\" scope=\"" + permission + "\"")));
        }
        if (str2 != null) {
            this.projectService.ensureProject(str2);
        }
    }
}
