package com.daml.ledger.api.auth;

import akka.actor.Scheduler;
import com.daml.error.ContextualizedErrorLogger;
import com.daml.error.DamlContextualizedErrorLogger;
import com.daml.error.definitions.groups.AuthorizationChecks;
import com.daml.jwt.JwtTimestampLeeway;
import com.daml.ledger.api.auth.ClaimSet;
import com.daml.ledger.api.auth.interceptor.AuthorizationInterceptor$;
import com.daml.ledger.api.v1.transaction_filter.TransactionFilter;
import com.daml.ledger.api.validation.ValidationErrors$;
import com.daml.ledger.participant.state.index.v2.UserManagementStore;
import com.daml.logging.ContextualizedLogger;
import com.daml.logging.ContextualizedLogger$;
import com.daml.logging.LoggingContext;
import io.grpc.StatusRuntimeException;
import io.grpc.stub.ServerCallStreamObserver;
import io.grpc.stub.StreamObserver;
import java.time.Instant;
import scala.Function0;
import scala.Function1;
import scala.Function2;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.collection.Iterable;
import scala.collection.IterableOnce;
import scala.collection.StringOps$;
import scala.collection.immutable.Set;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.package$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.util.Either;
import scala.util.Failure;
import scala.util.Left;
import scala.util.Right;
import scala.util.Success;
import scala.util.Try;
import scalapb.lenses.Lens;

/* compiled from: Authorizer.scala */
@ScalaSignature(bytes = "\u0006\u0005\r%f\u0001B\u0014)\u0005MB\u0001B\u000f\u0001\u0003\u0002\u0003\u0006Ia\u000f\u0005\t\r\u0002\u0011\t\u0011)A\u0005\u000f\"A!\u000b\u0001B\u0001B\u0003%q\t\u0003\u0005T\u0001\t\u0005\t\u0015!\u0003U\u0011!\u0001\u0007A!A!\u0002\u0013\t\u0007\u0002C4\u0001\u0005\u0003\u0005\u000b\u0011\u00025\t\u0011-\u0004!\u0011!Q\u0001\n1D\u0001\u0002\u001e\u0001\u0003\u0002\u0003\u0006I!\u001e\u0005\t}\u0002\u0011\t\u0011)A\u0006\u007f\"9\u00111\u0002\u0001\u0005\u0002\u00055\u0001\"CA\u0014\u0001\t\u0007I\u0011BA\u0015\u0011!\t\t\u0004\u0001Q\u0001\n\u0005-\u0002\"CA\u001a\u0001\t\u0007I1BA\u001b\u0011!\t\u0019\u0005\u0001Q\u0001\n\u0005]\u0002bBA#\u0001\u0011%\u0011q\t\u0005\b\u0003s\u0002A\u0011AA>\u0011\u001d\tI\f\u0001C\u0001\u0003wCq!!6\u0001\t\u0003\t9\u000e\u0003\u0005\u0002j\u0002\u0001K\u0011BAv\u0011\u001d\u0011)\u0001\u0001C\u0001\u0005\u000fAqAa\t\u0001\t\u0003\u0011)\u0003C\u0004\u0003N\u0001!\tAa\u0014\t\u000f\t\r\u0004\u0001\"\u0001\u0003f!9!\u0011\u0012\u0001\u0005\u0002\t-\u0005b\u0002BZ\u0001\u0011\u0005!Q\u0017\u0005\b\u0005\u000b\u0004A\u0011\u0002Bd\u0011\u001d\u0011I\u000e\u0001C\u0005\u00057DqAa;\u0001\t\u0013\u0011i\u000fC\u0004\u0004\u0004\u0001!Ia!\u0002\t\u000f\rM\u0001\u0001\"\u0003\u0004\u0016!91\u0011\u0004\u0001\u0005\n\rm\u0001bBB\u001e\u0001\u0011%1Q\b\u0005\t\u00073\u0001A\u0011\u0001\u0015\u0004Z!A11\b\u0001\u0005\u0002!\u001a\u0019hB\u0005\u0004\n\"\n\t\u0011#\u0001\u0004\f\u001aAq\u0005KA\u0001\u0012\u0003\u0019i\tC\u0004\u0002\f\u0011\"\taa$\t\u0013\rEE%%A\u0005\u0002\rM%AC!vi\"|'/\u001b>fe*\u0011\u0011FK\u0001\u0005CV$\bN\u0003\u0002,Y\u0005\u0019\u0011\r]5\u000b\u00055r\u0013A\u00027fI\u001e,'O\u0003\u00020a\u0005!A-Y7m\u0015\u0005\t\u0014aA2p[\u000e\u00011C\u0001\u00015!\t)\u0004(D\u00017\u0015\u00059\u0014!B:dC2\f\u0017BA\u001d7\u0005\u0019\te.\u001f*fM\u0006\u0019an\\<\u0011\u0007Ubd(\u0003\u0002>m\tIa)\u001e8di&|g\u000e\r\t\u0003\u007f\u0011k\u0011\u0001\u0011\u0006\u0003\u0003\n\u000bA\u0001^5nK*\t1)\u0001\u0003kCZ\f\u0017BA#A\u0005\u001dIen\u001d;b]R\f\u0001\u0002\\3eO\u0016\u0014\u0018\n\u001a\t\u0003\u0011>s!!S'\u0011\u0005)3T\"A&\u000b\u00051\u0013\u0014A\u0002\u001fs_>$h(\u0003\u0002Om\u00051\u0001K]3eK\u001aL!\u0001U)\u0003\rM#(/\u001b8h\u0015\tqe'A\u0007qCJ$\u0018nY5qC:$\u0018\nZ\u0001\u0014kN,'/T1oC\u001e,W.\u001a8u'R|'/\u001a\t\u0003+zk\u0011A\u0016\u0006\u0003/b\u000b!A\u001e\u001a\u000b\u0005eS\u0016!B5oI\u0016D(BA.]\u0003\u0015\u0019H/\u0019;f\u0015\tiF&A\u0006qCJ$\u0018nY5qC:$\u0018BA0W\u0005M)6/\u001a:NC:\fw-Z7f]R\u001cFo\u001c:f\u0003\t)7\r\u0005\u0002cK6\t1M\u0003\u0002em\u0005Q1m\u001c8dkJ\u0014XM\u001c;\n\u0005\u0019\u001c'\u0001E#yK\u000e,H/[8o\u0007>tG/\u001a=u\u0003\u0001*8/\u001a:SS\u001eDGo]\"iK\u000e\\\u0017J\u001c;feZ\fG.\u00138TK\u000e|g\u000eZ:\u0011\u0005UJ\u0017B\u000167\u0005\rIe\u000e^\u0001\u000eC.\\\u0017mU2iK\u0012,H.\u001a:\u0011\u00055\u0014X\"\u00018\u000b\u0005=\u0004\u0018!B1di>\u0014(\"A9\u0002\t\u0005\\7.Y\u0005\u0003g:\u0014\u0011bU2iK\u0012,H.\u001a:\u0002%)<H\u000fV5nKN$\u0018-\u001c9MK\u0016<\u0018-\u001f\t\u0004kYD\u0018BA<7\u0005\u0019y\u0005\u000f^5p]B\u0011\u0011\u0010`\u0007\u0002u*\u00111PL\u0001\u0004U^$\u0018BA?{\u0005IQu\u000f\u001e+j[\u0016\u001cH/Y7q\u0019\u0016,w/Y=\u0002\u001d1|wmZ5oO\u000e{g\u000e^3yiB!\u0011\u0011AA\u0004\u001b\t\t\u0019AC\u0002\u0002\u00069\nq\u0001\\8hO&tw-\u0003\u0003\u0002\n\u0005\r!A\u0004'pO\u001eLgnZ\"p]R,\u0007\u0010^\u0001\u0007y%t\u0017\u000e\u001e \u0015%\u0005=\u0011qCA\r\u00037\ti\"a\b\u0002\"\u0005\r\u0012Q\u0005\u000b\u0005\u0003#\t)\u0002E\u0002\u0002\u0014\u0001i\u0011\u0001\u000b\u0005\u0006}*\u0001\u001da \u0005\u0006u)\u0001\ra\u000f\u0005\u0006\r*\u0001\ra\u0012\u0005\u0006%*\u0001\ra\u0012\u0005\u0006'*\u0001\r\u0001\u0016\u0005\u0006A*\u0001\r!\u0019\u0005\u0006O*\u0001\r\u0001\u001b\u0005\u0006W*\u0001\r\u0001\u001c\u0005\bi*\u0001\n\u00111\u0001v\u0003\u0019awnZ4feV\u0011\u00111\u0006\t\u0005\u0003\u0003\ti#\u0003\u0003\u00020\u0005\r!\u0001F\"p]R,\u0007\u0010^;bY&TX\r\u001a'pO\u001e,'/A\u0004m_\u001e<WM\u001d\u0011\u0002\u0017\u0015\u0014(o\u001c:M_\u001e<WM]\u000b\u0003\u0003o\u0001B!!\u000f\u0002@5\u0011\u00111\b\u0006\u0004\u0003{q\u0013!B3se>\u0014\u0018\u0002BA!\u0003w\u0011\u0011dQ8oi\u0016DH/^1mSj,G-\u0012:s_JdunZ4fe\u0006aQM\u001d:pe2{wmZ3sA\u0005)a/\u00197jIR!\u0011\u0011JA4!!\tY%!\u0016\u0002\\\u0005\u0005d\u0002BA'\u0003#r1ASA(\u0013\u00059\u0014bAA*m\u00059\u0001/Y2lC\u001e,\u0017\u0002BA,\u00033\u0012a!R5uQ\u0016\u0014(bAA*mA!\u00111CA/\u0013\r\ty\u0006\u000b\u0002\u0013\u0003V$\bn\u001c:ju\u0006$\u0018n\u001c8FeJ|'\u000fE\u00026\u0003GJ1!!\u001a7\u0005\u0011)f.\u001b;\t\u000f\u0005%t\u00021\u0001\u0002l\u000511\r\\1j[N\u0004B!!\u001c\u0002t9!\u00111CA8\u0013\r\t\t\bK\u0001\t\u00072\f\u0017.\\*fi&!\u0011QOA<\u0005\u0019\u0019E.Y5ng*\u0019\u0011\u0011\u000f\u0015\u00027I,\u0017/^5sKB+(\r\\5d\u00072\f\u0017.\\:P]N#(/Z1n+\u0019\ti(!#\u00022R!\u0011qPA[!%)\u0014\u0011QAC\u00037\u000b\t'C\u0002\u0002\u0004Z\u0012\u0011BR;oGRLwN\u001c\u001a\u0011\t\u0005\u001d\u0015\u0011\u0012\u0007\u0001\t\u001d\tY\t\u0005b\u0001\u0003\u001b\u00131AU3r#\u0011\ty)!&\u0011\u0007U\n\t*C\u0002\u0002\u0014Z\u0012qAT8uQ&tw\rE\u00026\u0003/K1!!'7\u0005\r\te.\u001f\t\u0007\u0003;\u000bY+a,\u000e\u0005\u0005}%\u0002BAQ\u0003G\u000bAa\u001d;vE*!\u0011QUAT\u0003\u00119'\u000f]2\u000b\u0005\u0005%\u0016AA5p\u0013\u0011\ti+a(\u0003\u001dM#(/Z1n\u001f\n\u001cXM\u001d<feB!\u0011qQAY\t\u001d\t\u0019\f\u0005b\u0001\u0003\u001b\u00131AU3t\u0011\u001d\t9\f\u0005a\u0001\u0003\u007f\nAaY1mY\u0006\u0019\"/Z9vSJ,\u0007+\u001e2mS\u000e\u001cE.Y5ngV1\u0011QXAd\u0003#$B!a0\u0002TB9Q'!1\u0002F\u0006%\u0017bAAbm\tIa)\u001e8di&|g.\r\t\u0005\u0003\u000f\u000b9\rB\u0004\u0002\fF\u0011\r!!$\u0011\u000b\t\fY-a4\n\u0007\u000557M\u0001\u0004GkR,(/\u001a\t\u0005\u0003\u000f\u000b\t\u000eB\u0004\u00024F\u0011\r!!$\t\u000f\u0005]\u0016\u00031\u0001\u0002@\u0006\u0011\"/Z9vSJ,\u0017\tZ7j]\u000ec\u0017-[7t+\u0019\tI.a8\u0002fR!\u00111\\At!\u001d)\u0014\u0011YAo\u0003C\u0004B!a\"\u0002`\u00129\u00111\u0012\nC\u0002\u00055\u0005#\u00022\u0002L\u0006\r\b\u0003BAD\u0003K$q!a-\u0013\u0005\u0004\ti\tC\u0004\u00028J\u0001\r!a7\u0002\u001bI,\u0017/^5sK\u001a{'/\u00117m+\u0011\ti/a?\u0015\r\u0005%\u0013q^A��\u0011\u001d\t\tp\u0005a\u0001\u0003g\f!\u0001_:\u0011\r\u0005-\u0013Q_A}\u0013\u0011\t90!\u0017\u0003\u0019%#XM]1cY\u0016|enY3\u0011\t\u0005\u001d\u00151 \u0003\b\u0003{\u001c\"\u0019AAG\u0005\u0005!\u0006b\u0002B\u0001'\u0001\u0007!1A\u0001\u0002MB9Q'!1\u0002z\u0006%\u0013A\n:fcVL'/\u001a*fC\u0012\u001cE.Y5ng\u001a{'/\u00117m!\u0006\u0014H/[3t\u001f:\u001cFO]3b[V1!\u0011\u0002B\b\u0005+!bAa\u0003\u0003\u0018\t\u0005\u0002#C\u001b\u0002\u0002\n5!\u0011CA1!\u0011\t9Ia\u0004\u0005\u000f\u0005-EC1\u0001\u0002\u000eB1\u0011QTAV\u0005'\u0001B!a\"\u0003\u0016\u00119\u00111\u0017\u000bC\u0002\u00055\u0005b\u0002B\r)\u0001\u0007!1D\u0001\ba\u0006\u0014H/[3t!\u0015\tYE!\bH\u0013\u0011\u0011y\"!\u0017\u0003\u0011%#XM]1cY\u0016Dq!a.\u0015\u0001\u0004\u0011Y!A\u001csKF,\u0018N]3SK\u0006$7\t\\1j[N4uN]!mYB\u000b'\u000f^5fg>s7\u000b\u001e:fC6<\u0016\u000e\u001e5BaBd\u0017nY1uS>t\u0017\nZ\u000b\u0007\u0005O\u0011iCa\r\u0015\u0011\t%\"Q\u0007B\u001c\u0005\u0017\u0002\u0012\"NAA\u0005W\u0011y#!\u0019\u0011\t\u0005\u001d%Q\u0006\u0003\b\u0003\u0017+\"\u0019AAG!\u0019\ti*a+\u00032A!\u0011q\u0011B\u001a\t\u001d\t\u0019,\u0006b\u0001\u0003\u001bCqA!\u0007\u0016\u0001\u0004\u0011Y\u0002C\u0004\u0003:U\u0001\rAa\u000f\u0002\u001d\u0005\u0004\b\u000f\\5dCRLwN\\%e\u0019B9!Q\bB$\u0005W9UB\u0001B \u0015\u0011\u0011\tEa\u0011\u0002\r1,gn]3t\u0015\t\u0011)%A\u0004tG\u0006d\u0017\r\u001d2\n\t\t%#q\b\u0002\u0005\u0019\u0016t7\u000fC\u0004\u00028V\u0001\rA!\u000b\u0002=I,\u0017/^5sKJ+\u0017\rZ\"mC&l7OR8s\u00032d\u0007+\u0019:uS\u0016\u001cXC\u0002B)\u0005/\u0012i\u0006\u0006\u0004\u0003T\t}#\u0011\r\t\bk\u0005\u0005'Q\u000bB-!\u0011\t9Ia\u0016\u0005\u000f\u0005-eC1\u0001\u0002\u000eB)!-a3\u0003\\A!\u0011q\u0011B/\t\u001d\t\u0019L\u0006b\u0001\u0003\u001bCqA!\u0007\u0017\u0001\u0004\u0011Y\u0002C\u0004\u00028Z\u0001\rAa\u0015\u0002CI,\u0017/^5sK\u0006\u001bG/\u00118e%\u0016\fGm\u00117bS6\u001chi\u001c:QCJ$\u0018.Z:\u0016\r\t\u001d$Q\u000eB:))\u0011IG!\u001e\u0003��\t\r%q\u0011\t\bk\u0005\u0005'1\u000eB8!\u0011\t9I!\u001c\u0005\u000f\u0005-uC1\u0001\u0002\u000eB)!-a3\u0003rA!\u0011q\u0011B:\t\u001d\t\u0019l\u0006b\u0001\u0003\u001bCqAa\u001e\u0018\u0001\u0004\u0011I(A\u0003bGR\f5\u000f\u0005\u0003I\u0005w:\u0015b\u0001B?#\n\u00191+\u001a;\t\u000f\t\u0005u\u00031\u0001\u0003z\u00051!/Z1e\u0003NDqA!\u000f\u0018\u0001\u0004\u0011)\tE\u0004\u0003>\t\u001d#1N$\t\u000f\u0005]v\u00031\u0001\u0003j\u0005i#/Z9vSJ,'+Z1e\u00072\f\u0017.\\:G_J$&/\u00198tC\u000e$\u0018n\u001c8GS2$XM](o'R\u0014X-Y7\u0016\r\t5%1\u0013BM)\u0019\u0011yIa'\u00032BIQ'!!\u0003\u0012\nU\u0015\u0011\r\t\u0005\u0003\u000f\u0013\u0019\nB\u0004\u0002\fb\u0011\r!!$\u0011\r\u0005u\u00151\u0016BL!\u0011\t9I!'\u0005\u000f\u0005M\u0006D1\u0001\u0002\u000e\"9!Q\u0014\rA\u0002\t}\u0015A\u00024jYR,'\u000f\u0005\u00036m\n\u0005\u0006\u0003\u0002BR\u0005[k!A!*\u000b\t\t\u001d&\u0011V\u0001\u0013iJ\fgn]1di&|gn\u00184jYR,'OC\u0002\u0003,*\n!A^\u0019\n\t\t=&Q\u0015\u0002\u0012)J\fgn]1di&|gNR5mi\u0016\u0014\bbBA\\1\u0001\u0007!qR\u0001\u0014CV$\b.\u001a8uS\u000e\fG/\u001a3Vg\u0016\u0014\u0018\n\u001a\u000b\u0003\u0005o\u0003bA!/\u0003@\n\rWB\u0001B^\u0015\r\u0011iLN\u0001\u0005kRLG.\u0003\u0003\u0003B\nm&a\u0001+ssB\u0019QG^$\u0002)\u0011,g-Y;mi\u0006\u0003\b\u000f\\5dCRLwN\\%e)\u0019\u0011IMa5\u0003XB9\u00111JA+\u0005\u0017<\u0005\u0003\u0002Bg\u0005\u001fl!!a)\n\t\tE\u00171\u0015\u0002\u0017'R\fG/^:Sk:$\u0018.\\3Fq\u000e,\u0007\u000f^5p]\"1!Q\u001b\u000eA\u0002\u001d\u000b\u0001C]3r\u0003B\u0004H.[2bi&|g.\u00133\t\u000f\u0005%$\u00041\u0001\u0002l\u0005A\u0012-\u001e;i_JL'0\u0019;j_:,%O]8s\u0003N<%\u000f]2\u0016\t\tu'1\u001d\u000b\u0005\u0005?\u0014)\u000f\u0005\u0005\u0002L\u0005U#1\u001aBq!\u0011\t9Ia9\u0005\u000f\u0005u8D1\u0001\u0002\u000e\"9!q]\u000eA\u0002\t%\u0018AB3se>\u0013h\u000b\u0005\u0005\u0002L\u0005U\u00131\fBq\u0003A\t7o]3siN+'O^3s\u0007\u0006dG.\u0006\u0003\u0003p\neH\u0003\u0002By\u0005{\u0004b!!(\u0003t\n]\u0018\u0002\u0002B{\u0003?\u0013\u0001dU3sm\u0016\u00148)\u00197m'R\u0014X-Y7PEN,'O^3s!\u0011\t9I!?\u0005\u000f\tmHD1\u0001\u0002\u000e\n\t\u0011\tC\u0004\u0003��r\u0001\ra!\u0001\u0002\u0011=\u00147/\u001a:wKJ\u0004b!!(\u0002,\n]\u0018\u0001F8oO>LgnZ!vi\"|'/\u001b>bi&|g.\u0006\u0003\u0004\b\r5ACBB\u0005\u0007\u001f\u0019\t\u0002\u0005\u0004\u0002\u001e\nM81\u0002\t\u0005\u0003\u000f\u001bi\u0001B\u0004\u00024v\u0011\r!!$\t\u000f\t}X\u00041\u0001\u0004\n!9\u0011\u0011N\u000fA\u0002\u0005-\u0014AH1vi\",g\u000e^5dCR,Gm\u00117bS6\u001chI]8n\u0007>tG/\u001a=u)\t\u00199\u0002\u0005\u0004\u0003:\n}\u00161N\u0001\u0011CV$\bn\u001c:ju\u0016<\u0016\u000e\u001e5SKF,ba!\b\u0004&\r-B\u0003BB\u0010\u0007k!Ba!\t\u0004.AIQ'!!\u0004$\r\u001d\u0012\u0011\r\t\u0005\u0003\u000f\u001b)\u0003B\u0004\u0002\f~\u0011\r!!$\u0011\r\u0005u\u00151VB\u0015!\u0011\t9ia\u000b\u0005\u000f\u0005MvD1\u0001\u0002\u000e\"91qF\u0010A\u0002\rE\u0012AC1vi\"|'/\u001b>fIBIQ'!!\u0002l\r\r21\u0007\t\t\u0003\u0017\n)Fa3\u0004$!9\u0011qW\u0010A\u0002\r]\u0002#C\u001b\u0002\u0002\u000e\r2\u0011HA1!\u0019\tiJa=\u0004*\u0005I\u0011-\u001e;i_JL'0Z\u000b\u0007\u0007\u007f\u00199e!\u0014\u0015\t\r\u000531\u000b\u000b\u0005\u0007\u0007\u001ay\u0005E\u00056\u0003\u0003\u001b)e!\u0013\u0002bA!\u0011qQB$\t\u001d\tY\t\tb\u0001\u0003\u001b\u0003b!!(\u0002,\u000e-\u0003\u0003BAD\u0007\u001b\"q!a-!\u0005\u0004\ti\tC\u0004\u00040\u0001\u0002\ra!\u0015\u0011\u000fU\n\t-a\u001b\u0002J!9\u0011q\u0017\u0011A\u0002\rU\u0003#C\u001b\u0002\u0002\u000e\u00153qKA1!\u0019\tiJa=\u0004LU111LB2\u0007S\"Ba!\u0018\u0004rQ!1qLB6!\u001d)\u0014\u0011YB1\u0007K\u0002B!a\"\u0004d\u00119\u00111R\u0011C\u0002\u00055\u0005#\u00022\u0002L\u000e\u001d\u0004\u0003BAD\u0007S\"q!a-\"\u0005\u0004\ti\tC\u0004\u00040\u0005\u0002\ra!\u001c\u0011\u0013U\n\t)a\u001b\u0004b\r=\u0004\u0003CA&\u0003+\u0012Ym!\u0019\t\u000f\u0005]\u0016\u00051\u0001\u0004`U11QOB?\u0007\u0007#Baa\u001e\u0004\bR!1\u0011PBC!\u001d)\u0014\u0011YB>\u0007\u007f\u0002B!a\"\u0004~\u00119\u00111\u0012\u0012C\u0002\u00055\u0005#\u00022\u0002L\u000e\u0005\u0005\u0003BAD\u0007\u0007#q!a-#\u0005\u0004\ti\tC\u0004\u00040\t\u0002\ra!\u0015\t\u000f\u0005]&\u00051\u0001\u0004z\u0005Q\u0011)\u001e;i_JL'0\u001a:\u0011\u0007\u0005MAe\u0005\u0002%iQ\u001111R\u0001\u001cI1,7o]5oSR$sM]3bi\u0016\u0014H\u0005Z3gCVdG\u000f\n\u001d\u0016\u0005\rU%fA;\u0004\u0018.\u00121\u0011\u0014\t\u0005\u00077\u001b)+\u0004\u0002\u0004\u001e*!1qTBQ\u0003%)hn\u00195fG.,GMC\u0002\u0004$Z\n!\"\u00198o_R\fG/[8o\u0013\u0011\u00199k!(\u0003#Ut7\r[3dW\u0016$g+\u0019:jC:\u001cW\r")
/* loaded from: input_file:com/daml/ledger/api/auth/Authorizer.class */
public final class Authorizer {
    private final Function0<Instant> now;
    private final String ledgerId;
    private final String participantId;
    private final UserManagementStore userManagementStore;
    private final ExecutionContext ec;
    private final int userRightsCheckIntervalInSeconds;
    private final Scheduler akkaScheduler;
    private final Option<JwtTimestampLeeway> jwtTimestampLeeway;
    private final LoggingContext loggingContext;
    private final ContextualizedLogger logger = ContextualizedLogger$.MODULE$.get(getClass());
    private final ContextualizedErrorLogger errorLogger;

    private ContextualizedLogger logger() {
        return this.logger;
    }

    private ContextualizedErrorLogger errorLogger() {
        return this.errorLogger;
    }

    private Either<AuthorizationError, BoxedUnit> valid(ClaimSet.Claims claims) {
        return claims.notExpired((Instant) this.now.apply(), this.jwtTimestampLeeway).flatMap(boxedUnit -> {
            return claims.validForLedger(this.ledgerId).flatMap(boxedUnit -> {
                return claims.validForParticipant(this.participantId).map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> requirePublicClaimsOnStream(Function2<Req, StreamObserver<Res>, BoxedUnit> function2) {
        return authorize(function2, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return claims.isPublic().map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> requirePublicClaims(Function1<Req, Future<Res>> function1) {
        return authorize(function1, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return claims.isPublic().map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> requireAdminClaims(Function1<Req, Future<Res>> function1) {
        return authorize(function1, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return claims.isAdmin().map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    private <T> Either<AuthorizationError, BoxedUnit> requireForAll(IterableOnce<T> iterableOnce, Function1<T, Either<AuthorizationError, BoxedUnit>> function1) {
        return (Either) iterableOnce.iterator().foldLeft(package$.MODULE$.Right().apply(BoxedUnit.UNIT), (either, obj) -> {
            return either.flatMap(boxedUnit -> {
                return (Either) function1.apply(obj);
            });
        });
    }

    public <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> requireReadClaimsForAllPartiesOnStream(Iterable<String> iterable, Function2<Req, StreamObserver<Res>, BoxedUnit> function2) {
        return authorize(function2, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return this.requireForAll(iterable, str -> {
                    return claims.canReadAs(str);
                }).map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> requireReadClaimsForAllPartiesOnStreamWithApplicationId(Iterable<String> iterable, Lens<Req, String> lens, Function2<Req, StreamObserver<Res>, BoxedUnit> function2) {
        return authorizeWithReq(function2, (claims, obj) -> {
            String str = (String) lens.get(obj);
            return this.authorizationErrorAsGrpc(this.valid(claims)).flatMap(boxedUnit -> {
                return this.authorizationErrorAsGrpc(this.requireForAll(iterable, str2 -> {
                    return claims.canReadAs(str2);
                })).flatMap(boxedUnit -> {
                    return this.defaultApplicationId(str, claims).flatMap(str3 -> {
                        return this.authorizationErrorAsGrpc(claims.validForApplication(str3)).map(boxedUnit -> {
                            return lens.set(str3).apply(obj);
                        });
                    });
                });
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> requireReadClaimsForAllParties(Iterable<String> iterable, Function1<Req, Future<Res>> function1) {
        return authorize(function1, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return this.requireForAll(iterable, str -> {
                    return claims.canReadAs(str);
                }).map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> requireActAndReadClaimsForParties(Set<String> set, Set<String> set2, Lens<Req, String> lens, Function1<Req, Future<Res>> function1) {
        return authorizeWithReq(function1, (claims, obj) -> {
            String str = (String) lens.get(obj);
            return this.authorizationErrorAsGrpc(this.valid(claims)).flatMap(boxedUnit -> {
                return this.authorizationErrorAsGrpc((Either) set.foldRight(package$.MODULE$.Right().apply(BoxedUnit.UNIT), (str2, either) -> {
                    return either.flatMap(boxedUnit -> {
                        return claims.canActAs(str2);
                    });
                })).flatMap(boxedUnit -> {
                    return this.authorizationErrorAsGrpc((Either) set2.foldRight(package$.MODULE$.Right().apply(BoxedUnit.UNIT), (str3, either2) -> {
                        return either2.flatMap(boxedUnit -> {
                            return claims.canReadAs(str3);
                        });
                    })).flatMap(boxedUnit -> {
                        return this.defaultApplicationId(str, claims).flatMap(str4 -> {
                            return this.authorizationErrorAsGrpc(claims.validForApplication(str4)).map(boxedUnit -> {
                                return lens.set(str4).apply(obj);
                            });
                        });
                    });
                });
            });
        });
    }

    public <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> requireReadClaimsForTransactionFilterOnStream(Option<TransactionFilter> option, Function2<Req, StreamObserver<Res>, BoxedUnit> function2) {
        return requireReadClaimsForAllPartiesOnStream((Iterable) option.map(transactionFilter -> {
            return transactionFilter.filtersByParty();
        }).fold(() -> {
            return Predef$.MODULE$.Set().empty();
        }, map -> {
            return map.keySet();
        }), function2);
    }

    public Try<Option<String>> authenticatedUserId() {
        return authenticatedClaimsFromContext().flatMap(claims -> {
            Success failure;
            if (!claims.resolvedFromUser()) {
                return new Success(None$.MODULE$);
            }
            Some applicationId = claims.applicationId();
            if (applicationId instanceof Some) {
                failure = new Success(new Some((String) applicationId.value()));
            } else {
                if (!None$.MODULE$.equals(applicationId)) {
                    throw new MatchError(applicationId);
                }
                failure = new Failure(new AuthorizationChecks.InternalAuthorizationError.Reject("unexpectedly the user-id is not set in the authenticated claims", new RuntimeException(), this.errorLogger()).asGrpcError());
            }
            return failure;
        });
    }

    private Either<StatusRuntimeException, String> defaultApplicationId(String str, ClaimSet.Claims claims) {
        Right apply;
        if (!str.isEmpty()) {
            return package$.MODULE$.Right().apply(str);
        }
        Some applicationId = claims.applicationId();
        if (applicationId instanceof Some) {
            String str2 = (String) applicationId.value();
            if (StringOps$.MODULE$.nonEmpty$extension(Predef$.MODULE$.augmentString(str2))) {
                apply = package$.MODULE$.Right().apply(str2);
                return apply;
            }
        }
        apply = package$.MODULE$.Left().apply(ValidationErrors$.MODULE$.invalidArgument("Cannot default application_id field because claims do not specify an application-id or user-id. Is authentication turned on?", errorLogger()));
        return apply;
    }

    private <T> Either<StatusRuntimeException, T> authorizationErrorAsGrpc(Either<AuthorizationError, T> either) {
        return (Either) either.fold(authorizationError -> {
            return package$.MODULE$.Left().apply(new AuthorizationChecks.PermissionDenied.Reject(authorizationError.reason(), this.errorLogger()).asGrpcError());
        }, obj -> {
            return package$.MODULE$.Right().apply(obj);
        });
    }

    private <A> ServerCallStreamObserver<A> assertServerCall(StreamObserver<A> streamObserver) {
        if (streamObserver instanceof ServerCallStreamObserver) {
            return (ServerCallStreamObserver) streamObserver;
        }
        throw new IllegalArgumentException(new StringBuilder(29).append("The wrapped stream MUST be a ").append(ServerCallStreamObserver.class.getName()).toString());
    }

    private <Res> ServerCallStreamObserver<Res> ongoingAuthorization(ServerCallStreamObserver<Res> serverCallStreamObserver, ClaimSet.Claims claims) {
        return OngoingAuthorizationObserver$.MODULE$.apply(serverCallStreamObserver, claims, this.now, this.userManagementStore, this.userRightsCheckIntervalInSeconds, this.akkaScheduler, this.jwtTimestampLeeway, this.loggingContext, this.ec);
    }

    private Try<ClaimSet.Claims> authenticatedClaimsFromContext() {
        return AuthorizationInterceptor$.MODULE$.extractClaimSetFromContext().flatMap(claimSet -> {
            Failure success;
            if (ClaimSet$Unauthenticated$.MODULE$.equals(claimSet)) {
                success = new Failure(new AuthorizationChecks.Unauthenticated.MissingJwtToken(this.errorLogger()).asGrpcError());
            } else if (claimSet instanceof ClaimSet.AuthenticatedUser) {
                success = new Failure(new AuthorizationChecks.InternalAuthorizationError.Reject("Unexpected unresolved authenticated user claim", new RuntimeException(new StringBuilder(57).append("Unexpected unresolved authenticated user claim for user '").append(((ClaimSet.AuthenticatedUser) claimSet).userId()).toString()), this.errorLogger()).asGrpcError());
            } else {
                if (!(claimSet instanceof ClaimSet.Claims)) {
                    throw new MatchError(claimSet);
                }
                success = new Success((ClaimSet.Claims) claimSet);
            }
            return success;
        });
    }

    private <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> authorizeWithReq(Function2<Req, ServerCallStreamObserver<Res>, BoxedUnit> function2, Function2<ClaimSet.Claims, Req, Either<StatusRuntimeException, Req>> function22) {
        return (obj, streamObserver) -> {
            $anonfun$authorizeWithReq$1(this, function22, function2, obj, streamObserver);
            return BoxedUnit.UNIT;
        };
    }

    private <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> authorize(Function2<Req, ServerCallStreamObserver<Res>, BoxedUnit> function2, Function1<ClaimSet.Claims, Either<AuthorizationError, BoxedUnit>> function1) {
        return authorizeWithReq(function2, (claims, obj) -> {
            return this.authorizationErrorAsGrpc((Either) function1.apply(claims)).map(boxedUnit -> {
                return obj;
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> authorizeWithReq(Function1<Req, Future<Res>> function1, Function2<ClaimSet.Claims, Req, Either<StatusRuntimeException, Req>> function2) {
        return obj -> {
            Future failed;
            Future future;
            Failure authenticatedClaimsFromContext = this.authenticatedClaimsFromContext();
            if (authenticatedClaimsFromContext instanceof Failure) {
                future = Future$.MODULE$.failed(authenticatedClaimsFromContext.exception());
            } else {
                if (!(authenticatedClaimsFromContext instanceof Success)) {
                    throw new MatchError(authenticatedClaimsFromContext);
                }
                Right right = (Either) function2.apply((ClaimSet.Claims) ((Success) authenticatedClaimsFromContext).value(), obj);
                if (right instanceof Right) {
                    failed = (Future) function1.apply(right.value());
                } else {
                    if (!(right instanceof Left)) {
                        throw new MatchError(right);
                    }
                    failed = Future$.MODULE$.failed((StatusRuntimeException) ((Left) right).value());
                }
                future = failed;
            }
            return future;
        };
    }

    public <Req, Res> Function1<Req, Future<Res>> authorize(Function1<Req, Future<Res>> function1, Function1<ClaimSet.Claims, Either<AuthorizationError, BoxedUnit>> function12) {
        return authorizeWithReq(function1, (claims, obj) -> {
            return this.authorizationErrorAsGrpc((Either) function12.apply(claims)).map(boxedUnit -> {
                return obj;
            });
        });
    }

    public static final /* synthetic */ void $anonfun$authorizeWithReq$3(Authorizer authorizer, Function2 function2, Object obj, Function2 function22, ServerCallStreamObserver serverCallStreamObserver, StreamObserver streamObserver, ClaimSet.Claims claims) {
        Right right = (Either) function2.apply(claims, obj);
        if (right instanceof Right) {
        } else {
            if (!(right instanceof Left)) {
                throw new MatchError(right);
            }
            streamObserver.onError((StatusRuntimeException) ((Left) right).value());
            BoxedUnit boxedUnit = BoxedUnit.UNIT;
        }
    }

    public static final /* synthetic */ void $anonfun$authorizeWithReq$1(Authorizer authorizer, Function2 function2, Function2 function22, Object obj, StreamObserver streamObserver) {
        ServerCallStreamObserver assertServerCall = authorizer.assertServerCall(streamObserver);
        authorizer.authenticatedClaimsFromContext().fold(th -> {
            streamObserver.onError(th);
            return BoxedUnit.UNIT;
        }, claims -> {
            $anonfun$authorizeWithReq$3(authorizer, function2, obj, function22, assertServerCall, streamObserver, claims);
            return BoxedUnit.UNIT;
        });
    }

    public Authorizer(Function0<Instant> function0, String str, String str2, UserManagementStore userManagementStore, ExecutionContext executionContext, int i, Scheduler scheduler, Option<JwtTimestampLeeway> option, LoggingContext loggingContext) {
        this.now = function0;
        this.ledgerId = str;
        this.participantId = str2;
        this.userManagementStore = userManagementStore;
        this.ec = executionContext;
        this.userRightsCheckIntervalInSeconds = i;
        this.akkaScheduler = scheduler;
        this.jwtTimestampLeeway = option;
        this.loggingContext = loggingContext;
        this.errorLogger = new DamlContextualizedErrorLogger(logger(), loggingContext, None$.MODULE$);
    }
}
