package com.daml.ledger.api.auth.interceptor;

import com.daml.error.DamlContextualizedErrorLogger;
import com.daml.error.definitions.groups.AuthorizationChecks;
import com.daml.ledger.api.auth.AuthService;
import com.daml.ledger.api.auth.Claim;
import com.daml.ledger.api.auth.ClaimSet;
import com.daml.ledger.api.domain;
import com.daml.ledger.api.validation.ValidationErrors$;
import com.daml.ledger.participant.state.index.v2.UserManagementStore;
import com.daml.lf.data.Ref$;
import com.daml.logging.ContextualizedLogger;
import com.daml.logging.ContextualizedLogger$;
import com.daml.logging.LoggingContext;
import io.grpc.Context;
import io.grpc.Contexts;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.StatusRuntimeException;
import java.time.Instant;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Some;
import scala.collection.immutable.Seq;
import scala.collection.immutable.Set;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.jdk.FutureConverters$;
import scala.jdk.FutureConverters$CompletionStageOps$;
import scala.reflect.ScalaSignature;
import scala.runtime.Nothing$;
import scala.util.Failure;
import scala.util.Left;
import scala.util.Right;
import scala.util.Success;
import scala.util.Try;

/* compiled from: AuthorizationInterceptor.scala */
@ScalaSignature(bytes = "\u0006\u0005\tea\u0001\u0002\r\u001a\u0005\u0019B\u0001b\u000e\u0001\u0003\u0002\u0003\u0006I\u0001\u000f\u0005\ty\u0001\u0011\t\u0011)A\u0005{!Aq\n\u0001BC\u0002\u0013\r\u0001\u000b\u0003\u0005X\u0001\t\u0005\t\u0015!\u0003R\u0011!A\u0006A!A!\u0002\u0017I\u0006\"B0\u0001\t\u0003\u0001\u0007b\u00025\u0001\u0005\u0004%I!\u001b\u0005\u0007[\u0002\u0001\u000b\u0011\u00026\t\u000f9\u0004!\u0019!C\u0005_\"1a\u000f\u0001Q\u0001\nADQa\u001e\u0001\u0005BaD\u0001\"!\u0010\u0001A\u0013%\u0011q\b\u0005\t\u0003#\u0002\u0001\u0015\"\u0003\u0002T!A\u0011\u0011\f\u0001!\n\u0013\tYfB\u0004\u0002\u0012fA\t!a%\u0007\raI\u0002\u0012AAK\u0011\u0019y\u0006\u0003\"\u0001\u0002\u001e\"Q\u0011q\u0014\tC\u0002\u0013\u00051$!)\t\u0011\u0005E\u0006\u0003)A\u0005\u0003GCq!a-\u0011\t\u0003\t)\fC\u0004\u0002DB!\t!!2\t\u000f\u00055\u0007\u0003\"\u0001\u0002P\"A!\u0011\u0003\t!\n\u0013\u0011\u0019B\u0001\rBkRDwN]5{CRLwN\\%oi\u0016\u00148-\u001a9u_JT!AG\u000e\u0002\u0017%tG/\u001a:dKB$xN\u001d\u0006\u00039u\tA!Y;uQ*\u0011adH\u0001\u0004CBL'B\u0001\u0011\"\u0003\u0019aW\rZ4fe*\u0011!eI\u0001\u0005I\u0006lGNC\u0001%\u0003\r\u0019w.\\\u0002\u0001'\r\u0001qe\f\t\u0003Q5j\u0011!\u000b\u0006\u0003U-\nA\u0001\\1oO*\tA&\u0001\u0003kCZ\f\u0017B\u0001\u0018*\u0005\u0019y%M[3diB\u0011\u0001'N\u0007\u0002c)\u0011!gM\u0001\u0005OJ\u00048MC\u00015\u0003\tIw.\u0003\u00027c\t\t2+\u001a:wKJLe\u000e^3sG\u0016\u0004Ho\u001c:\u0002\u0017\u0005,H\u000f[*feZL7-\u001a\t\u0003sij\u0011aG\u0005\u0003wm\u00111\"Q;uQN+'O^5dK\u0006!Ro]3s\u001b\u0006t\u0017mZ3nK:$8\u000b^8sK>\u00032AP!D\u001b\u0005y$\"\u0001!\u0002\u000bM\u001c\u0017\r\\1\n\u0005\t{$AB(qi&|g\u000e\u0005\u0002E\u001b6\tQI\u0003\u0002G\u000f\u0006\u0011aO\r\u0006\u0003\u0011&\u000bQ!\u001b8eKbT!AS&\u0002\u000bM$\u0018\r^3\u000b\u00051{\u0012a\u00039beRL7-\u001b9b]RL!AT#\u0003'U\u001bXM]'b]\u0006<W-\\3oiN#xN]3\u0002\u0005\u0015\u001cW#A)\u0011\u0005I+V\"A*\u000b\u0005Q{\u0014AC2p]\u000e,(O]3oi&\u0011ak\u0015\u0002\u0011\u000bb,7-\u001e;j_
:\u001cuN\u001c;fqR\f1!Z2!\u00039awnZ4j]\u001e\u001cuN\u001c;fqR\u0004\"AW/\u000e\u0003mS!\u0001X\u0011\u0002\u000f1|wmZ5oO&\u0011al\u0017\u0002\u000f\u0019><w-\u001b8h\u0007>tG/\u001a=u\u0003\u0019a\u0014N\\5u}Q!\u0011-\u001a4h)\t\u0011G\r\u0005\u0002d\u00015\t\u0011\u0004C\u0003Y\r\u0001\u000f\u0011\fC\u00038\r\u0001\u0007\u0001\bC\u0003=\r\u0001\u0007Q\bC\u0003P\r\u0001\u000f\u0011+\u0001\u0004m_\u001e<WM]\u000b\u0002UB\u0011!l[\u0005\u0003Yn\u0013AcQ8oi\u0016DH/^1mSj,G\rT8hO\u0016\u0014\u0018a\u00027pO\u001e,'\u000fI\u0001\fKJ\u0014xN\u001d'pO\u001e,'/F\u0001q!\t\tH/D\u0001s\u0015\t\u0019\u0018%A\u0003feJ|'/\u0003\u0002ve\niB)Y7m\u0007>tG/\u001a=uk\u0006d\u0017N_3e\u000bJ\u0014xN\u001d'pO\u001e,'/\u0001\u0007feJ|'\u000fT8hO\u0016\u0014\b%A\u0007j]R,'oY3qi\u000e\u000bG\u000e\\\u000b\u0006s\u0006\u001d\u0011Q\u0005\u000b\bu\u0006e\u0011\u0011FA\u001a!\u0011Yh0a\u0001\u000f\u0005Ab\u0018BA?2\u0003)\u0019VM\u001d<fe\u000e\u000bG\u000e\\\u0005\u0004\u007f\u0006\u0005!\u0001\u0003'jgR,g.\u001a:\u000b\u0005u\f\u0004\u0003BA\u0003\u0003\u000fa\u0001\u0001B\u0004\u0002\n-\u0011\r!a\u0003\u0003\tI+\u0017\u000fV\t\u0005\u0003\u001b\t\u0019\u0002E\u0002?\u0003\u001fI1!!\u0005@\u0005\u001dqu\u000e\u001e5j]\u001e\u00042APA\u000b\u0013\r\t9b\u0010\u0002\u0004\u0003:L\bbBA\u000e\u0017\u0001\u0007\u0011QD\u0001\u0005G\u0006dG\u000eE\u00041\u0003?\t\u0019!a\t\n\u0007\u0005\u0005\u0012G\u0001\u0006TKJ4XM]\"bY2\u0004B!!\u0002\u0002&\u00119\u0011qE\u0006C\u0002\u0005-!!\u0002*fgB$\u0006bBA\u0016\u0017\u0001\u0007\u0011QF\u0001\bQ\u0016\fG-\u001a:t!\r\u0001\u0014qF\u0005\u0004\u0003c\t$\u0001C'fi\u0006$\u0017\r^1\t\u000f\u0005U2\u00021\u0001\u00028\u0005aa.\u001a=u\u0019&\u001cH/\u001a8feB9\u0001'!\u000f\u0002\u0004\u0005\r\u0012bAA\u001ec\t\t2+\u001a:wKJ\u001c\u0015\r\u001c7IC:$G.\u001a:\u0002=I,7o\u001c7wK\u0006+H\u000f[3oi&\u001c\u0017\r^3e+N,'OU5hQR\u001cH\u0003BA!\u0003\u001b\u0002RAUA\"\u0003\u000fJ1!!\u0012T\u0005\u00191U\u000f^;sKB\u0019\u0011(!\u0013\n\u0007\u0005-3D\u0001\u
0005DY\u0006LWnU3u\u0011\u001d\ty\u0005\u0004a\u0001\u0003\u000f\n\u0001b\u00197bS6\u001cV\r^\u0001\u0017O\u0016$Xk]3s\u001b\u0006t\u0017mZ3nK:$8\u000b^8sKR!\u0011QKA,!\u0011\u0011\u00161I\"\t\u000bqj\u0001\u0019A\u001f\u0002\u0013\u001d,G/V:fe&#G\u0003BA/\u0003o\u0002RAUA\"\u0003?\u0002B!!\u0019\u0002r9!\u00111MA7\u001b\t\t)G\u0003\u0003\u0002h\u0005%\u0014\u0001\u00023bi\u0006T1!a\u001b\"\u0003\tag-\u0003\u0003\u0002p\u0005\u0015\u0014a\u0001*fM&!\u00111OA;\u0005\u0019)6/\u001a:JI*!\u0011qNA3\u0011\u001d\tIH\u0004a\u0001\u0003w\n\u0011\"^:fe&#7\u000b\u001e:\u0011\t\u0005u\u00141\u0012\b\u0005\u0003\u007f\n9\tE\u0002\u0002\u0002~j!!a!\u000b\u0007\u0005\u0015U%\u0001\u0004=e>|GOP\u0005\u0004\u0003\u0013{\u0014A\u0002)sK\u0012,g-\u0003\u0003\u0002\u000e\u0006=%AB*ue&twMC\u0002\u0002\n~\n\u0001$Q;uQ>\u0014\u0018N_1uS>t\u0017J\u001c;fe\u000e,\u0007\u000f^8s!\t\u0019\u0007cE\u0002\u0011\u0003/\u00032APAM\u0013\r\tYj\u0010\u0002\u0007\u0003:L(+\u001a4\u0015\u0005\u0005M\u0015AE2p]R,\u0007\u0010^&fs\u000ec\u0017-[7TKR,\"!a)\u0011\r\u0005\u0015\u00161VA$\u001d\r\u0001\u0014qU\u0005\u0004\u0003S\u000b\u0014aB\"p]R,\u0007\u0010^\u0005\u0005\u0003[\u000byKA\u0002LKfT1!!+2\u0003M\u0019wN\u001c;fqR\\U-_\"mC&l7+\u001a;!\u0003i)\u0007\u0010\u001e:bGR\u001cE.Y5n'\u0016$hI]8n\u0007>tG/\u001a=u)\t\t9\f\u0005\u0004\u0002:\u0006}\u0016qI\u0007\u0003\u0003wS1!!0@\u0003\u0011)H/\u001b7\n\t\u0005\u0005\u00171\u0018\u0002\u0004)JL\u0018!B1qa2LHc\u00022\u0002H\u0006%\u00171\u001a\u0005\u0006oU\u0001\r\u0001\u000f\u0005\u0006yU\u0001\r!\u0010\u0005\u0006\u001fV\u0001\r!U\u0001\u001aG>tg/\u001a:u+N,'OU5hQR\u001cHk\\\"mC&l7\u000f\u0006\u0003\u0002R\u0006%\bCBAj\u0003;\f\u0019O\u0004\u0003\u0002V\u0006eg\u0002BAA\u0003/L\u0011\u0001Q\u0005\u0004\u00037|\u0014a\u00029bG.\fw-Z\u0005\u0005\u0003?\f\tOA\u0002TKFT1!a7@!\rI\u0014Q]\u0005\u0004\u0003O\\\"!B\"mC&l\u0007bBAv-\u0001\u0007\u0011Q^\u0001\u000bkN,'OU5hQR\u001c\bCBA?\u0003_\f\u00190\u0003\u0003\u0002r\u0006=%aA*fiB!\u0011Q\u001fB\u0006\u001
d\u0011\t9Pa\u0002\u000f\t\u0005e(Q\u0001\b\u0005\u0003w\u0014\u0019A\u0004\u0003\u0002~\n\u0005a\u0002BAA\u0003\u007fL\u0011\u0001J\u0005\u0003E\rJ!\u0001I\u0011\n\u0005yy\u0012b\u0001B\u0005;\u00051Am\\7bS:LAA!\u0004\u0003\u0010\tIQk]3s%&<\u0007\u000e\u001e\u0006\u0004\u0005\u0013i\u0012\u0001E;tKJ\u0014\u0016n\u001a5u)>\u001cE.Y5n)\u0011\t\u0019O!\u0006\t\u000f\t]q\u00031\u0001\u0002t\u0006\t!\u000f")
/* loaded from: input_file:com/daml/ledger/api/auth/interceptor/AuthorizationInterceptor.class */
/**
 * gRPC {@link ServerInterceptor} that establishes the caller's {@link ClaimSet} before a call
 * reaches its handler.
 *
 * <p>For each call it asks the {@link AuthService} to decode the request metadata, expands a
 * {@code ClaimSet.AuthenticatedUser} into the rights stored for that user, and attaches the
 * resulting claim set to the gRPC {@link Context}. If the claim set cannot be obtained, the call
 * is closed with an error status and the handler is never invoked.
 *
 * <p>This class does not compare the claims with the method being called. Presumably services
 * read the claim set back through {@link #extractClaimSetFromContext()} and authorize there;
 * confirm against the callers.
 *
 * <p>This is decompiler output of a Scala class. The {@code com$daml$...$$} names are
 * compiler-mangled members, and some constructs below ({@code this == null}, a variable typed
 * {@code Left} that is tested against {@code Right}) are decompiler artifacts rather than
 * hand-written logic.
 */
public final class AuthorizationInterceptor implements ServerInterceptor {
    // Decodes request metadata into a ClaimSet. Public and name-mangled here because the anonymous
    // listener in interceptCall reads it; presumably private in the Scala source (confirm).
    public final AuthService com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$authService;
    // Store used to look up user rights; None makes every AuthenticatedUser claim set fail
    // (see getUserManagementStore).
    private final Option<UserManagementStore> userManagementStoreO;
    // Execution context on which all Future callbacks in this class are scheduled.
    private final ExecutionContext ec;
    private final LoggingContext loggingContext;
    private final ContextualizedLogger logger = ContextualizedLogger$.MODULE$.get(getClass());
    // Error logger handed to every error definition that this class turns into a gRPC error.
    private final DamlContextualizedErrorLogger com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$errorLogger;

    /** Static forwarder to the Scala companion object's {@code convertUserRightsToClaims}. */
    public static Seq<Claim> convertUserRightsToClaims(Set<domain.UserRight> set) {
        return AuthorizationInterceptor$.MODULE$.convertUserRightsToClaims(set);
    }

    /** Static forwarder to the Scala companion object's {@code apply} factory. */
    public static AuthorizationInterceptor apply(AuthService authService, Option<UserManagementStore> option, ExecutionContext executionContext) {
        return AuthorizationInterceptor$.MODULE$.apply(authService, option, executionContext);
    }

    /**
     * Static forwarder to the companion object's {@code extractClaimSetFromContext}.
     *
     * <p>Presumably reads the value that {@link #interceptCall} stores under
     * {@code contextKeyClaimSet}; the implementation is not visible in this file.
     */
    public static Try<ClaimSet> extractClaimSetFromContext() {
        return AuthorizationInterceptor$.MODULE$.extractClaimSetFromContext();
    }

    /** Returns the execution context used for the asynchronous callbacks. */
    public ExecutionContext ec() {
        return this.ec;
    }

    private ContextualizedLogger logger() {
        return this.logger;
    }

    /** Accessor for the error logger (name-mangled by the Scala compiler). */
    public DamlContextualizedErrorLogger com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$errorLogger() {
        return this.com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$errorLogger;
    }

    /**
     * Starts asynchronous resolution of the caller's claims and returns a listener for the call.
     *
     * <p>The handler is invoked only in the success branch, with a context that carries the
     * resolved {@link ClaimSet}. Every failure branch closes the call instead.
     *
     * @param serverCall the call being intercepted; closed with an error status on failure
     * @param metadata request headers, passed to {@code AuthService.decodeMetadata}
     * @param serverCallHandler the next handler, reached only after the claim set is resolved
     * @return the {@code AsyncForwardingListener} created for this call
     */
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(final ServerCall<ReqT, RespT> serverCall, final Metadata metadata, final ServerCallHandler<ReqT, RespT> serverCallHandler) {
        // Captured before the asynchronous work starts; the completion callback below runs on ec()
        // and derives the claim-carrying context from this value.
        final Context current = Context.current();
        // NOTE(review): AsyncForwardingListener is not shown; presumably it holds listener events
        // until setNextListener is called. Confirm that no request message can reach the handler
        // before the claim set is attached.
        return new AsyncForwardingListener<ReqT>(this, metadata, current, serverCall, serverCallHandler) { // from class: com.daml.ledger.api.auth.interceptor.AuthorizationInterceptor$$anon$1
            private final /* synthetic */ AuthorizationInterceptor $outer;
            private final ServerCall call$1;

            // Closes the call with the exception's status and trailers, then returns a listener
            // that overrides nothing, so later events for the rejected call are not handled.
            private ServerCall.Listener<Nothing$> closeWithError(StatusRuntimeException statusRuntimeException) {
                this.call$1.close(statusRuntimeException.getStatus(), statusRuntimeException.getTrailers());
                final AuthorizationInterceptor$$anon$1 authorizationInterceptor$$anon$1 = null;
                return new ServerCall.Listener<Nothing$>(authorizationInterceptor$$anon$1) { // from class: com.daml.ledger.api.auth.interceptor.AuthorizationInterceptor$$anon$1$$anon$2
                };
            }

            {
                // NOTE(review): decompiler artifact. In this initializer `this` appears to stand
                // for the enclosing AuthorizationInterceptor (it is assigned to $outer and used to
                // reach authService and ec()); confirm against the Scala source.
                if (this == null) {
                    throw null;
                }
                this.$outer = this;
                this.call$1 = serverCall;
                // Step 1: decode the metadata into a ClaimSet. Step 2: expand an authenticated
                // user into that user's rights. Both steps are asynchronous.
                FutureConverters$CompletionStageOps$.MODULE$.asScala$extension(FutureConverters$.MODULE$.CompletionStageOps(this.com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$authService.decodeMetadata(metadata))).flatMap(claimSet -> {
                    return this.$outer.com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$resolveAuthenticatedUserRights(claimSet);
                }, this.ec()).onComplete(r11 -> {
                    ServerCall.Listener<Nothing$> listener;
                    Throwable exception;
                    boolean z = false;
                    Failure failure = null;
                    if (r11 instanceof Failure) {
                        z = true;
                        failure = (Failure) r11;
                        Throwable exception2 = failure.exception();
                        // A failure that already is a gRPC status error is sent to the client
                        // with its own status and trailers, unchanged.
                        if (exception2 instanceof StatusRuntimeException) {
                            listener = this.closeWithError((StatusRuntimeException) exception2);
                            return listener;
                        }
                    }
                    if (z && (exception = failure.exception()) != null) {
                        // Any other failure is wrapped in InternalAuthorizationError with a fixed
                        // message. The throwable is handed to Reject together with the error
                        // logger; which of its details end up in the client-visible status is
                        // decided by asGrpcError, which is not visible here.
                        listener = this.closeWithError(new AuthorizationChecks.InternalAuthorizationError.Reject("Failed to get claims from request metadata", exception, this.$outer.com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$errorLogger()).asGrpcError());
                    } else {
                        // Also reached for a Failure whose exception is null; that case ends in
                        // the MatchError below instead of closing the call.
                        if (!(r11 instanceof Success)) {
                            throw new MatchError(r11);
                        }
                        // Success: attach the resolved ClaimSet to the captured context and only
                        // then hand the call to the next handler.
                        ServerCall.Listener<Nothing$> interceptCall = Contexts.interceptCall(current.withValue(AuthorizationInterceptor$.MODULE$.contextKeyClaimSet(), (ClaimSet) ((Success) r11).value()), serverCall, metadata, serverCallHandler);
                        this.setNextListener(interceptCall);
                        listener = interceptCall;
                    }
                    return listener;
                }, this.ec());
            }
        };
    }

    /**
     * Expands a {@code ClaimSet.AuthenticatedUser} into a {@code ClaimSet.Claims} built from the
     * rights stored for that user; any other claim set is returned unchanged.
     *
     * <p>The rights are fetched with {@code listUserRights} on every invocation; no caching is
     * visible in this class. The token's expiration is copied into the result but is not compared
     * with the current time here, so it is presumably enforced downstream (confirm).
     *
     * @param claimSet the claim set decoded from the request metadata
     * @return a future of the resolved claim set. It fails with a gRPC error when user management
     *     is disabled, the user id is invalid, or the store returns an error
     */
    public Future<ClaimSet> com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$resolveAuthenticatedUserRights(ClaimSet claimSet) {
        Future<ClaimSet> successful;
        if (claimSet instanceof ClaimSet.AuthenticatedUser) {
            ClaimSet.AuthenticatedUser authenticatedUser = (ClaimSet.AuthenticatedUser) claimSet;
            String userId = authenticatedUser.userId();
            Option<String> participantId = authenticatedUser.participantId();
            Option<Instant> expiration = authenticatedUser.expiration();
            // Order of checks: store configured -> user id well-formed -> rights lookup.
            successful = getUserManagementStore(this.userManagementStoreO).flatMap(userManagementStore -> {
                return this.getUserId(userId).flatMap(str -> {
                    return userManagementStore.listUserRights(str, this.loggingContext).flatMap(either -> {
                        Set<domain.UserRight> set;
                        Future successful2;
                        if (either instanceof Left) {
                            // The store error becomes PermissionDenied. The message names the user
                            // id and the store error. NOTE(review): whether this text is returned
                            // to the caller or only logged depends on PermissionDenied.Reject and
                            // asGrpcError (not visible); confirm that it stays server-side.
                            successful2 = Future$.MODULE$.failed(new AuthorizationChecks.PermissionDenied.Reject(new StringBuilder(46).append("Could not resolve rights for user '").append(str).append("' due to '").append((UserManagementStore.Error) ((Left) either).value()).append("'").toString(), this.com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$errorLogger()).asGrpcError());
                        } else {
                            if (!(either instanceof Right) || (set = (Set) ((Right) either).value()) == null) {
                                throw new MatchError(either);
                            }
                            // Positional arguments: converted rights, None, the token's
                            // participantId, Some(validated user id), the token's expiration, true.
                            // Parameter names are not visible here; presumably (claims, ledgerId,
                            // participantId, applicationId, expiration, resolvedFromUser). Confirm
                            // against ClaimSet.Claims.
                            successful2 = Future$.MODULE$.successful(new ClaimSet.Claims(AuthorizationInterceptor$.MODULE$.convertUserRightsToClaims(set), None$.MODULE$, participantId, new Some(str), expiration, true));
                        }
                        // Identity map; it changes nothing at runtime.
                        return successful2.map(claims -> {
                            return claims;
                        }, this.ec());
                    }, this.ec());
                }, this.ec());
            }, ec());
        } else {
            // Not an AuthenticatedUser: nothing to resolve, so the claim set passes through as is.
            successful = Future$.MODULE$.successful(claimSet);
        }
        return successful;
    }

    /**
     * Unwraps the optional user management store.
     *
     * @param option the configured store, or {@code None} when none was supplied
     * @return a successful future of the store, or a future failed with the gRPC error of
     *     {@code Unauthenticated.UserBasedAuthenticationIsDisabled} when the option is empty
     */
    private Future<UserManagementStore> getUserManagementStore(Option<UserManagementStore> option) {
        Future<UserManagementStore> successful;
        if (None$.MODULE$.equals(option)) {
            successful = Future$.MODULE$.failed(new AuthorizationChecks.Unauthenticated.UserBasedAuthenticationIsDisabled(com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$errorLogger()).asGrpcError());
        } else {
            if (!(option instanceof Some)) {
                throw new MatchError(option);
            }
            successful = Future$.MODULE$.successful((UserManagementStore) ((Some) option).value());
        }
        return successful;
    }

    /**
     * Validates the user id taken from the token with {@code Ref.UserId.fromString} before it is
     * used to query the store.
     *
     * @param str the user id string from the {@code AuthenticatedUser} claim set
     * @return a successful future of the validated id, or a future failed with an invalid-argument
     *     error whose message is {@code "token "} followed by the validation message
     */
    private Future<String> getUserId(String str) {
        Future<String> successful;
        // Declared as Left by the decompiler; the value is an Either, as the Right test below shows.
        Left fromString = Ref$.MODULE$.UserId().fromString(str);
        if (fromString instanceof Left) {
            successful = Future$.MODULE$.failed(ValidationErrors$.MODULE$.invalidArgument(new StringBuilder(6).append("token ").append((String) fromString.value()).toString(), com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$errorLogger()));
        } else {
            if (!(fromString instanceof Right)) {
                throw new MatchError(fromString);
            }
            successful = Future$.MODULE$.successful((String) ((Right) fromString).value());
        }
        return successful;
    }

    /**
     * Creates the interceptor.
     *
     * @param authService decodes request metadata into a claim set
     * @param option optional user management store used to resolve user rights
     * @param executionContext context on which the asynchronous callbacks run
     * @param loggingContext logging context passed to the store and to the error logger
     */
    public AuthorizationInterceptor(AuthService authService, Option<UserManagementStore> option, ExecutionContext executionContext, LoggingContext loggingContext) {
        this.com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$authService = authService;
        this.userManagementStoreO = option;
        this.ec = executionContext;
        this.loggingContext = loggingContext;
        // The logger field is initialised by its declaration above, before this body runs.
        this.com$daml$ledger$api$auth$interceptor$AuthorizationInterceptor$$errorLogger = new DamlContextualizedErrorLogger(logger(), loggingContext, None$.MODULE$);
    }
}
