package com.daml.ledger.api.auth;

import akka.actor.Scheduler;
import com.daml.error.ContextualizedErrorLogger;
import com.daml.error.DamlContextualizedErrorLogger;
import com.daml.error.definitions.groups.AuthorizationChecks;
import com.daml.jwt.JwtTimestampLeeway;
import com.daml.ledger.api.auth.ClaimSet;
import com.daml.ledger.api.auth.interceptor.AuthorizationInterceptor$;
import com.daml.ledger.api.v1.transaction_filter.TransactionFilter;
import com.daml.ledger.api.validation.ValidationErrors$;
import com.daml.logging.ContextualizedLogger;
import com.daml.logging.ContextualizedLogger$;
import com.daml.logging.LoggingContext;
import com.daml.platform.localstore.api.UserManagementStore;
import io.grpc.StatusRuntimeException;
import io.grpc.stub.ServerCallStreamObserver;
import io.grpc.stub.StreamObserver;
import java.time.Instant;
import scala.Function0;
import scala.Function1;
import scala.Function2;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.collection.Iterable;
import scala.collection.IterableOnce;
import scala.collection.StringOps$;
import scala.collection.immutable.Set;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.package$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.util.Either;
import scala.util.Failure;
import scala.util.Left;
import scala.util.Right;
import scala.util.Success;
import scala.util.Try;
import scalapb.lenses.Lens;

/* compiled from: Authorizer.scala */
@ScalaSignature(bytes = "\u0006\u0005\r\rf\u0001B\u0014)\u0005MB\u0001B\u000f\u0001\u0003\u0002\u0003\u0006Ia\u000f\u0005\t\r\u0002\u0011\t\u0011)A\u0005\u000f\"A!\u000b\u0001B\u0001B\u0003%q\t\u0003\u0005T\u0001\t\u0005\t\u0015!\u0003U\u0011!i\u0006A!A!\u0002\u0013q\u0006\u0002\u00033\u0001\u0005\u0003\u0005\u000b\u0011B3\t\u0011!\u0004!\u0011!Q\u0001\n%D\u0001\"\u001d\u0001\u0003\u0002\u0003\u0006IA\u001d\u0005\tw\u0002\u0011\t\u0011)A\u0006y\"9\u0011Q\u0001\u0001\u0005\u0002\u0005\u001d\u0001\"CA\u0011\u0001\t\u0007I\u0011BA\u0012\u0011!\tY\u0003\u0001Q\u0001\n\u0005\u0015\u0002\"CA\u0017\u0001\t\u0007I1BA\u0018\u0011!\ti\u0004\u0001Q\u0001\n\u0005E\u0002bBA \u0001\u0011%\u0011\u0011\t\u0005\b\u0003g\u0002A\u0011AA;\u0011\u001d\t\u0019\f\u0001C\u0001\u0003kCq!a4\u0001\t\u0003\t\t\u000e\u0003\u0005\u0002d\u0002\u0001K\u0011BAs\u0011\u001d\ty\u0010\u0001C\u0001\u0005\u0003AqA!\b\u0001\t\u0003\u0011y\u0002C\u0004\u0003H\u0001!\tA!\u0013\t\u000f\tu\u0003\u0001\"\u0001\u0003`!9!1\u0011\u0001\u0005\u0002\t\u0015\u0005b\u0002BW\u0001\u0011\u0005!q\u0016\u0005\b\u0005\u007f\u0003A\u0011\u0002Ba\u0011\u001d\u0011\u0019\u000e\u0001C\u0005\u0005+DqA!:\u0001\t\u0013\u00119\u000fC\u0004\u0003~\u0002!IAa@\t\u000f\r5\u0001\u0001\"\u0003\u0004\u0010!911\u0003\u0001\u0005\n\rU\u0001bBB\u001b\u0001\u0011%1q\u0007\u0005\t\u0007'\u0001A\u0011\u0001\u0015\u0004T!A1Q\u0007\u0001\u0005\u0002!\u001aigB\u0005\u0004\u0004\"\n\t\u0011#\u0001\u0004\u0006\u001aAq\u0005KA\u0001\u0012\u0003\u00199\tC\u0004\u0002\u0006\u0011\"\ta!#\t\u0013\r-E%%A\u0005\u0002\r5%AC!vi\"|'/\u001b>fe*\u0011\u0011FK\u0001\u0005CV$\bN\u0003\u0002,Y\u0005\u0019\u0011\r]5\u000b\u00055r\u0013A\u00027fI\u001e,'O\u0003\u00020a\u0005!A-Y7m\u0015\u0005\t\u0014aA2p[\u000e\u00011C\u0001\u00015!\t)\u0004(D\u00017\u0015\u00059\u0014!B:dC2\f\u0017BA\u001d7\u0005\u0019\te.\u001f*fM\u0006\u0019an\\<\u0011\u0007Ubd(\u0003\u0002>m\tIa)\u001e8di&|g\u000e\r\t\u0003\u007f\u0011k\u0011\u0001\u0011\u0006\u0003\u0003\n\u000bA\u0001^5nK*\t1)\u0001\u0003kCZ\f\u0017BA#A\u0005\u001dIen\u001d;b]R\f\u0001\u0002\\3eO\u0016\u0014\u0018\n\u001a\t\u0003\u0011>s!!S'\u0011\u0005)3T\"A&\u000b\u00051\u0013\u0014A\u0002\u001fs_>$h(\u0003\u0002Om\u00051\u0001K]3eK\u001aL!\u0001U)\u0003\rM#(/\u001b8h\u0015\tqe'A\u0007qCJ$\u0018nY5qC:$\u0018\nZ\u0001\u0014kN,'/T1oC\u001e,W.\u001a8u'R|'/\u001a\t\u0003+nk\u0011A\u0016\u0006\u0003W]S!\u0001W-\u0002\u00151|7-\u00197ti>\u0014XM\u0003\u0002[]\u0005A\u0001\u000f\\1uM>\u0014X.\u0003\u0002]-\n\u0019Rk]3s\u001b\u0006t\u0017mZ3nK:$8\u000b^8sK\u0006\u0011Qm\u0019\t\u0003?\nl\u0011\u0001\u0019\u0006\u0003CZ\n!bY8oGV\u0014(/\u001a8u\u0013\t\u0019\u0007M\u0001\tFq\u0016\u001cW\u000f^5p]\u000e{g\u000e^3yi\u0006\u0001So]3s%&<\u0007\u000e^:DQ\u0016\u001c7.\u00138uKJ4\u0018\r\\%o'\u0016\u001cwN\u001c3t!\t)d-\u0003\u0002hm\t\u0019\u0011J\u001c;\u0002\u001b\u0005\\7.Y*dQ\u0016$W\u000f\\3s!\tQw.D\u0001l\u0015\taW.A\u0003bGR|'OC\u0001o\u0003\u0011\t7n[1\n\u0005A\\'!C*dQ\u0016$W\u000f\\3s\u0003IQw\u000f\u001e+j[\u0016\u001cH/Y7q\u0019\u0016,w/Y=\u0011\u0007U\u001aX/\u0003\u0002um\t1q\n\u001d;j_:\u0004\"A^=\u000e\u0003]T!\u0001\u001f\u0018\u0002\u0007)<H/\u0003\u0002{o\n\u0011\"j\u001e;US6,7\u000f^1na2+Wm^1z\u00039awnZ4j]\u001e\u001cuN\u001c;fqR\u00042!`A\u0001\u001b\u0005q(BA@/\u0003\u001dawnZ4j]\u001eL1!a\u0001\u007f\u00059aunZ4j]\u001e\u001cuN\u001c;fqR\fa\u0001P5oSRtDCEA\u0005\u0003#\t\u0019\"!\u0006\u0002\u0018\u0005e\u00111DA\u000f\u0003?!B!a\u0003\u0002\u0010A\u0019\u0011Q\u0002\u0001\u000e\u0003!BQa\u001f\u0006A\u0004qDQA\u000f\u0006A\u0002mBQA\u0012\u0006A\u0002\u001dCQA\u0015\u0006A\u0002\u001dCQa\u0015\u0006A\u0002QCQ!\u0018\u0006A\u0002yCQ\u0001\u001a\u0006A\u0002\u0015DQ\u0001\u001b\u0006A\u0002%Dq!\u001d\u0006\u0011\u0002\u0003\u0007!/\u0001\u0004m_\u001e<WM]\u000b\u0003\u0003K\u00012!`A\u0014\u0013\r\tIC \u0002\u0015\u0007>tG/\u001a=uk\u0006d\u0017N_3e\u0019><w-\u001a:\u0002\u000f1|wmZ3sA\u0005YQM\u001d:pe2{wmZ3s+\t\t\t\u0004\u0005\u0003\u00024\u0005eRBAA\u001b\u0015\r\t9DL\u0001\u0006KJ\u0014xN]\u0005\u0005\u0003w\t)DA\rD_:$X\r\u001f;vC2L'0\u001a3FeJ|'\u000fT8hO\u0016\u0014\u0018\u0001D3se>\u0014Hj\\4hKJ\u0004\u0013!\u0002<bY&$G\u0003BA\"\u0003C\u0002\u0002\"!\u0012\u0002P\u0005U\u00131\f\b\u0005\u0003\u000f\nYED\u0002K\u0003\u0013J\u0011aN\u0005\u0004\u0003\u001b2\u0014a\u00029bG.\fw-Z\u0005\u0005\u0003#\n\u0019F\u0001\u0004FSRDWM\u001d\u0006\u0004\u0003\u001b2\u0004\u0003BA\u0007\u0003/J1!!\u0017)\u0005I\tU\u000f\u001e5pe&T\u0018\r^5p]\u0016\u0013(o\u001c:\u0011\u0007U\ni&C\u0002\u0002`Y\u0012A!\u00168ji\"9\u00111M\bA\u0002\u0005\u0015\u0014AB2mC&l7\u000f\u0005\u0003\u0002h\u00055d\u0002BA\u0007\u0003SJ1!a\u001b)\u0003!\u0019E.Y5n'\u0016$\u0018\u0002BA8\u0003c\u0012aa\u00117bS6\u001c(bAA6Q\u0005Y\"/Z9vSJ,\u0007+\u001e2mS\u000e\u001cE.Y5ng>s7\u000b\u001e:fC6,b!a\u001e\u0002\u0004\u0006-F\u0003BA=\u0003_\u0003\u0012\"NA>\u0003\u007f\n)*a\u0017\n\u0007\u0005udGA\u0005Gk:\u001cG/[8oeA!\u0011\u0011QAB\u0019\u0001!q!!\"\u0011\u0005\u0004\t9IA\u0002SKF\fB!!#\u0002\u0010B\u0019Q'a#\n\u0007\u00055eGA\u0004O_RD\u0017N\\4\u0011\u0007U\n\t*C\u0002\u0002\u0014Z\u00121!\u00118z!\u0019\t9*!*\u0002*6\u0011\u0011\u0011\u0014\u0006\u0005\u00037\u000bi*\u0001\u0003tiV\u0014'\u0002BAP\u0003C\u000bAa\u001a:qG*\u0011\u00111U\u0001\u0003S>LA!a*\u0002\u001a\nq1\u000b\u001e:fC6|%m]3sm\u0016\u0014\b\u0003BAA\u0003W#q!!,\u0011\u0005\u0004\t9IA\u0002SKNDq!!-\u0011\u0001\u0004\tI(\u0001\u0003dC2d\u0017a\u0005:fcVL'/\u001a)vE2L7m\u00117bS6\u001cXCBA\\\u0003\u0003\fY\r\u0006\u0003\u0002:\u00065\u0007cB\u001b\u0002<\u0006}\u00161Y\u0005\u0004\u0003{3$!\u0003$v]\u000e$\u0018n\u001c82!\u0011\t\t)!1\u0005\u000f\u0005\u0015\u0015C1\u0001\u0002\bB)q,!2\u0002J&\u0019\u0011q\u00191\u0003\r\u0019+H/\u001e:f!\u0011\t\t)a3\u0005\u000f\u00055\u0016C1\u0001\u0002\b\"9\u0011\u0011W\tA\u0002\u0005e\u0016A\u0005:fcVL'/Z!e[&t7\t\\1j[N,b!a5\u0002Z\u0006}G\u0003BAk\u0003C\u0004r!NA^\u0003/\fY\u000e\u0005\u0003\u0002\u0002\u0006eGaBAC%\t\u0007\u0011q\u0011\t\u0006?\u0006\u0015\u0017Q\u001c\t\u0005\u0003\u0003\u000by\u000eB\u0004\u0002.J\u0011\r!a\"\t\u000f\u0005E&\u00031\u0001\u0002V\u0006i!/Z9vSJ,gi\u001c:BY2,B!a:\u0002vR1\u00111IAu\u0003sDq!a;\u0014\u0001\u0004\ti/\u0001\u0002ygB1\u0011QIAx\u0003gLA!!=\u0002T\ta\u0011\n^3sC\ndWm\u00148dKB!\u0011\u0011QA{\t\u001d\t9p\u0005b\u0001\u0003\u000f\u0013\u0011\u0001\u0016\u0005\b\u0003w\u001c\u0002\u0019AA\u007f\u0003\u00051\u0007cB\u001b\u0002<\u0006M\u00181I\u0001'e\u0016\fX/\u001b:f%\u0016\fGm\u00117bS6\u001chi\u001c:BY2\u0004\u0016M\u001d;jKN|en\u0015;sK\u0006lWC\u0002B\u0002\u0005\u0013\u0011y\u0001\u0006\u0004\u0003\u0006\tE!1\u0004\t\nk\u0005m$q\u0001B\u0006\u00037\u0002B!!!\u0003\n\u00119\u0011Q\u0011\u000bC\u0002\u0005\u001d\u0005CBAL\u0003K\u0013i\u0001\u0005\u0003\u0002\u0002\n=AaBAW)\t\u0007\u0011q\u0011\u0005\b\u0005'!\u0002\u0019\u0001B\u000b\u0003\u001d\u0001\u0018M\u001d;jKN\u0004R!!\u0012\u0003\u0018\u001dKAA!\u0007\u0002T\tA\u0011\n^3sC\ndW\rC\u0004\u00022R\u0001\rA!\u0002\u0002oI,\u0017/^5sKJ+\u0017\rZ\"mC&l7OR8s\u00032d\u0007+\u0019:uS\u0016\u001cxJ\\*ue\u0016\fWnV5uQ\u0006\u0003\b\u000f\\5dCRLwN\\%e+\u0019\u0011\tCa\n\u0003.QA!1\u0005B\u0018\u0005c\u0011)\u0005E\u00056\u0003w\u0012)C!\u000b\u0002\\A!\u0011\u0011\u0011B\u0014\t\u001d\t))\u0006b\u0001\u0003\u000f\u0003b!a&\u0002&\n-\u0002\u0003BAA\u0005[!q!!,\u0016\u0005\u0004\t9\tC\u0004\u0003\u0014U\u0001\rA!\u0006\t\u000f\tMR\u00031\u0001\u00036\u0005q\u0011\r\u001d9mS\u000e\fG/[8o\u0013\u0012d\u0005c\u0002B\u001c\u0005\u0003\u0012)cR\u0007\u0003\u0005sQAAa\u000f\u0003>\u00051A.\u001a8tKNT!Aa\u0010\u0002\u000fM\u001c\u0017\r\\1qE&!!1\tB\u001d\u0005\u0011aUM\\:\t\u000f\u0005EV\u00031\u0001\u0003$\u0005q\"/Z9vSJ,'+Z1e\u00072\f\u0017.\\:G_J\fE\u000e\u001c)beRLWm]\u000b\u0007\u0005\u0017\u0012\tFa\u0016\u0015\r\t5#\u0011\fB.!\u001d)\u00141\u0018B(\u0005'\u0002B!!!\u0003R\u00119\u0011Q\u0011\fC\u0002\u0005\u001d\u0005#B0\u0002F\nU\u0003\u0003BAA\u0005/\"q!!,\u0017\u0005\u0004\t9\tC\u0004\u0003\u0014Y\u0001\rA!\u0006\t\u000f\u0005Ef\u00031\u0001\u0003N\u0005\t#/Z9vSJ,\u0017i\u0019;B]\u0012\u0014V-\u00193DY\u0006LWn\u001d$peB\u000b'\u000f^5fgV1!\u0011\rB4\u0005[\"\"Ba\u0019\u0003p\te$Q\u0010BA!\u001d)\u00141\u0018B3\u0005S\u0002B!!!\u0003h\u00119\u0011QQ\fC\u0002\u0005\u001d\u0005#B0\u0002F\n-\u0004\u0003BAA\u0005[\"q!!,\u0018\u0005\u0004\t9\tC\u0004\u0003r]\u0001\rAa\u001d\u0002\u000b\u0005\u001cG/Q:\u0011\t!\u0013)hR\u0005\u0004\u0005o\n&aA*fi\"9!1P\fA\u0002\tM\u0014A\u0002:fC\u0012\f5\u000fC\u0004\u00034]\u0001\rAa \u0011\u000f\t]\"\u0011\tB3\u000f\"9\u0011\u0011W\fA\u0002\t\r\u0014!\f:fcVL'/\u001a*fC\u0012\u001cE.Y5ng\u001a{'\u000f\u0016:b]N\f7\r^5p]\u001aKG\u000e^3s\u001f:\u001cFO]3b[V1!q\u0011BG\u0005'#bA!#\u0003\u0016\n-\u0006#C\u001b\u0002|\t-%qRA.!\u0011\t\tI!$\u0005\u000f\u0005\u0015\u0005D1\u0001\u0002\bB1\u0011qSAS\u0005#\u0003B!!!\u0003\u0014\u00129\u0011Q\u0016\rC\u0002\u0005\u001d\u0005b\u0002BL1\u0001\u0007!\u0011T\u0001\u0007M&dG/\u001a:\u0011\tU\u001a(1\u0014\t\u0005\u0005;\u00139+\u0004\u0002\u0003 *!!\u0011\u0015BR\u0003I!(/\u00198tC\u000e$\u0018n\u001c8`M&dG/\u001a:\u000b\u0007\t\u0015&&\u0001\u0002wc%!!\u0011\u0016BP\u0005E!&/\u00198tC\u000e$\u0018n\u001c8GS2$XM\u001d\u0005\b\u0003cC\u0002\u0019\u0001BE\u0003M\tW\u000f\u001e5f]RL7-\u0019;fIV\u001bXM]%e)\t\u0011\t\f\u0005\u0004\u00034\ne&QX\u0007\u0003\u0005kS1Aa.7\u0003\u0011)H/\u001b7\n\t\tm&Q\u0017\u0002\u0004)JL\bcA\u001bt\u000f\u0006!B-\u001a4bk2$\u0018\t\u001d9mS\u000e\fG/[8o\u0013\u0012$bAa1\u0003N\nE\u0007cBA#\u0003\u001f\u0012)m\u0012\t\u0005\u0005\u000f\u0014I-\u0004\u0002\u0002\u001e&!!1ZAO\u0005Y\u0019F/\u0019;vgJ+h\u000e^5nK\u0016C8-\u001a9uS>t\u0007B\u0002Bh5\u0001\u0007q)\u0001\tsKF\f\u0005\u000f\u001d7jG\u0006$\u0018n\u001c8JI\"9\u00111\r\u000eA\u0002\u0005\u0015\u0014\u0001G1vi\"|'/\u001b>bi&|g.\u0012:s_J\f5o\u0012:qGV!!q\u001bBo)\u0011\u0011INa8\u0011\u0011\u0005\u0015\u0013q\nBc\u00057\u0004B!!!\u0003^\u00129\u0011q_\u000eC\u0002\u0005\u001d\u0005b\u0002Bq7\u0001\u0007!1]\u0001\u0007KJ\u0014xJ\u001d,\u0011\u0011\u0005\u0015\u0013qJA+\u00057\f\u0001#Y:tKJ$8+\u001a:wKJ\u001c\u0015\r\u001c7\u0016\t\t%(1\u001f\u000b\u0005\u0005W\u00149\u0010\u0005\u0004\u0002\u0018\n5(\u0011_\u0005\u0005\u0005_\fIJ\u0001\rTKJ4XM]\"bY2\u001cFO]3b[>\u00137/\u001a:wKJ\u0004B!!!\u0003t\u00129!Q\u001f\u000fC\u0002\u0005\u001d%!A!\t\u000f\teH\u00041\u0001\u0003|\u0006AqNY:feZ,'\u000f\u0005\u0004\u0002\u0018\u0006\u0015&\u0011_\u0001\u0015_:<w.\u001b8h\u0003V$\bn\u001c:ju\u0006$\u0018n\u001c8\u0016\t\r\u00051q\u0001\u000b\u0007\u0007\u0007\u0019Iaa\u0003\u0011\r\u0005]%Q^B\u0003!\u0011\t\tia\u0002\u0005\u000f\u00055VD1\u0001\u0002\b\"9!\u0011`\u000fA\u0002\r\r\u0001bBA2;\u0001\u0007\u0011QM\u0001\u001fCV$\b.\u001a8uS\u000e\fG/\u001a3DY\u0006LWn\u001d$s_6\u001cuN\u001c;fqR$\"a!\u0005\u0011\r\tM&\u0011XA3\u0003A\tW\u000f\u001e5pe&TXmV5uQJ+\u0017/\u0006\u0004\u0004\u0018\r}1Q\u0005\u000b\u0005\u00073\u0019y\u0003\u0006\u0003\u0004\u001c\r\u001d\u0002#C\u001b\u0002|\ru1\u0011EA.!\u0011\t\tia\b\u0005\u000f\u0005\u0015uD1\u0001\u0002\bB1\u0011qSAS\u0007G\u0001B!!!\u0004&\u00119\u0011QV\u0010C\u0002\u0005\u001d\u0005bBB\u0015?\u0001\u000711F\u0001\u000bCV$\bn\u001c:ju\u0016$\u0007#C\u001b\u0002|\u0005\u00154QDB\u0017!!\t)%a\u0014\u0003F\u000eu\u0001bBAY?\u0001\u00071\u0011\u0007\t\nk\u0005m4QDB\u001a\u00037\u0002b!a&\u0003n\u000e\r\u0012!C1vi\"|'/\u001b>f+\u0019\u0019Id!\u0011\u0004HQ!11HB')\u0011\u0019id!\u0013\u0011\u0013U\nYha\u0010\u0004D\u0005m\u0003\u0003BAA\u0007\u0003\"q!!\"!\u0005\u0004\t9\t\u0005\u0004\u0002\u0018\u0006\u00156Q\t\t\u0005\u0003\u0003\u001b9\u0005B\u0004\u0002.\u0002\u0012\r!a\"\t\u000f\r%\u0002\u00051\u0001\u0004LA9Q'a/\u0002f\u0005\r\u0003bBAYA\u0001\u00071q\n\t\nk\u0005m4qHB)\u00037\u0002b!a&\u0003n\u000e\u0015SCBB+\u0007;\u001a\u0019\u0007\u0006\u0003\u0004X\r-D\u0003BB-\u0007K\u0002r!NA^\u00077\u001ay\u0006\u0005\u0003\u0002\u0002\u000euCaBACC\t\u0007\u0011q\u0011\t\u0006?\u0006\u00157\u0011\r\t\u0005\u0003\u0003\u001b\u0019\u0007B\u0004\u0002.\u0006\u0012\r!a\"\t\u000f\r%\u0012\u00051\u0001\u0004hAIQ'a\u001f\u0002f\rm3\u0011\u000e\t\t\u0003\u000b\nyE!2\u0004\\!9\u0011\u0011W\u0011A\u0002\reSCBB8\u0007o\u001ai\b\u0006\u0003\u0004r\r\u0005E\u0003BB:\u0007\u007f\u0002r!NA^\u0007k\u001aI\b\u0005\u0003\u0002\u0002\u000e]DaBACE\t\u0007\u0011q\u0011\t\u0006?\u0006\u001571\u0010\t\u0005\u0003\u0003\u001bi\bB\u0004\u0002.\n\u0012\r!a\"\t\u000f\r%\"\u00051\u0001\u0004L!9\u0011\u0011\u0017\u0012A\u0002\rM\u0014AC!vi\"|'/\u001b>feB\u0019\u0011Q\u0002\u0013\u0014\u0005\u0011\"DCABC\u0003m!C.Z:tS:LG\u000fJ4sK\u0006$XM\u001d\u0013eK\u001a\fW\u000f\u001c;%qU\u00111q\u0012\u0016\u0004e\u000eE5FABJ!\u0011\u0019)ja(\u000e\u0005\r]%\u0002BBM\u00077\u000b\u0011\"\u001e8dQ\u0016\u001c7.\u001a3\u000b\u0007\rue'\u0001\u0006b]:|G/\u0019;j_:LAa!)\u0004\u0018\n\tRO\\2iK\u000e\\W\r\u001a,be&\fgnY3")
/* loaded from: input_file:com/daml/ledger/api/auth/Authorizer.class */
public final class Authorizer {
    private final Function0<Instant> now;
    private final String ledgerId;
    private final String participantId;
    private final UserManagementStore userManagementStore;
    private final ExecutionContext ec;
    private final int userRightsCheckIntervalInSeconds;
    private final Scheduler akkaScheduler;
    private final Option<JwtTimestampLeeway> jwtTimestampLeeway;
    private final LoggingContext loggingContext;
    private final ContextualizedLogger logger = ContextualizedLogger$.MODULE$.get(getClass());
    private final ContextualizedErrorLogger errorLogger;

    private ContextualizedLogger logger() {
        return this.logger;
    }

    private ContextualizedErrorLogger errorLogger() {
        return this.errorLogger;
    }

    private Either<AuthorizationError, BoxedUnit> valid(ClaimSet.Claims claims) {
        return claims.notExpired((Instant) this.now.apply(), this.jwtTimestampLeeway).flatMap(boxedUnit -> {
            return claims.validForLedger(this.ledgerId).flatMap(boxedUnit -> {
                return claims.validForParticipant(this.participantId).map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> requirePublicClaimsOnStream(Function2<Req, StreamObserver<Res>, BoxedUnit> function2) {
        return authorize(function2, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return claims.isPublic().map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> requirePublicClaims(Function1<Req, Future<Res>> function1) {
        return authorize(function1, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return claims.isPublic().map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> requireAdminClaims(Function1<Req, Future<Res>> function1) {
        return authorize(function1, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return claims.isAdmin().map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    private <T> Either<AuthorizationError, BoxedUnit> requireForAll(IterableOnce<T> iterableOnce, Function1<T, Either<AuthorizationError, BoxedUnit>> function1) {
        return (Either) iterableOnce.iterator().foldLeft(package$.MODULE$.Right().apply(BoxedUnit.UNIT), (either, obj) -> {
            return either.flatMap(boxedUnit -> {
                return (Either) function1.apply(obj);
            });
        });
    }

    public <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> requireReadClaimsForAllPartiesOnStream(Iterable<String> iterable, Function2<Req, StreamObserver<Res>, BoxedUnit> function2) {
        return authorize(function2, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return this.requireForAll(iterable, str -> {
                    return claims.canReadAs(str);
                }).map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> requireReadClaimsForAllPartiesOnStreamWithApplicationId(Iterable<String> iterable, Lens<Req, String> lens, Function2<Req, StreamObserver<Res>, BoxedUnit> function2) {
        return authorizeWithReq(function2, (claims, obj) -> {
            String str = (String) lens.get(obj);
            return this.authorizationErrorAsGrpc(this.valid(claims)).flatMap(boxedUnit -> {
                return this.authorizationErrorAsGrpc(this.requireForAll(iterable, str2 -> {
                    return claims.canReadAs(str2);
                })).flatMap(boxedUnit -> {
                    return this.defaultApplicationId(str, claims).flatMap(str3 -> {
                        return this.authorizationErrorAsGrpc(claims.validForApplication(str3)).map(boxedUnit -> {
                            return lens.set(str3).apply(obj);
                        });
                    });
                });
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> requireReadClaimsForAllParties(Iterable<String> iterable, Function1<Req, Future<Res>> function1) {
        return authorize(function1, claims -> {
            return this.valid(claims).flatMap(boxedUnit -> {
                return this.requireForAll(iterable, str -> {
                    return claims.canReadAs(str);
                }).map(boxedUnit -> {
                    BoxedUnit.UNIT;
                    return BoxedUnit.UNIT;
                });
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> requireActAndReadClaimsForParties(Set<String> set, Set<String> set2, Lens<Req, String> lens, Function1<Req, Future<Res>> function1) {
        return authorizeWithReq(function1, (claims, obj) -> {
            String str = (String) lens.get(obj);
            return this.authorizationErrorAsGrpc(this.valid(claims)).flatMap(boxedUnit -> {
                return this.authorizationErrorAsGrpc((Either) set.foldRight(package$.MODULE$.Right().apply(BoxedUnit.UNIT), (str2, either) -> {
                    return either.flatMap(boxedUnit -> {
                        return claims.canActAs(str2);
                    });
                })).flatMap(boxedUnit -> {
                    return this.authorizationErrorAsGrpc((Either) set2.foldRight(package$.MODULE$.Right().apply(BoxedUnit.UNIT), (str3, either2) -> {
                        return either2.flatMap(boxedUnit -> {
                            return claims.canReadAs(str3);
                        });
                    })).flatMap(boxedUnit -> {
                        return this.defaultApplicationId(str, claims).flatMap(str4 -> {
                            return this.authorizationErrorAsGrpc(claims.validForApplication(str4)).map(boxedUnit -> {
                                return lens.set(str4).apply(obj);
                            });
                        });
                    });
                });
            });
        });
    }

    public <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> requireReadClaimsForTransactionFilterOnStream(Option<TransactionFilter> option, Function2<Req, StreamObserver<Res>, BoxedUnit> function2) {
        return requireReadClaimsForAllPartiesOnStream((Iterable) option.map(transactionFilter -> {
            return transactionFilter.filtersByParty();
        }).fold(() -> {
            return Predef$.MODULE$.Set().empty();
        }, map -> {
            return map.keySet();
        }), function2);
    }

    public Try<Option<String>> authenticatedUserId() {
        return authenticatedClaimsFromContext().flatMap(claims -> {
            Success failure;
            if (!claims.resolvedFromUser()) {
                return new Success(None$.MODULE$);
            }
            Some applicationId = claims.applicationId();
            if (applicationId instanceof Some) {
                failure = new Success(new Some((String) applicationId.value()));
            } else {
                if (!None$.MODULE$.equals(applicationId)) {
                    throw new MatchError(applicationId);
                }
                failure = new Failure(new AuthorizationChecks.InternalAuthorizationError.Reject("unexpectedly the user-id is not set in the authenticated claims", new RuntimeException(), this.errorLogger()).asGrpcError());
            }
            return failure;
        });
    }

    private Either<StatusRuntimeException, String> defaultApplicationId(String str, ClaimSet.Claims claims) {
        Right apply;
        if (!str.isEmpty()) {
            return package$.MODULE$.Right().apply(str);
        }
        Some applicationId = claims.applicationId();
        if (applicationId instanceof Some) {
            String str2 = (String) applicationId.value();
            if (StringOps$.MODULE$.nonEmpty$extension(Predef$.MODULE$.augmentString(str2))) {
                apply = package$.MODULE$.Right().apply(str2);
                return apply;
            }
        }
        apply = package$.MODULE$.Left().apply(ValidationErrors$.MODULE$.invalidArgument("Cannot default application_id field because claims do not specify an application-id or user-id. Is authentication turned on?", errorLogger()));
        return apply;
    }

    private <T> Either<StatusRuntimeException, T> authorizationErrorAsGrpc(Either<AuthorizationError, T> either) {
        return (Either) either.fold(authorizationError -> {
            return package$.MODULE$.Left().apply(new AuthorizationChecks.PermissionDenied.Reject(authorizationError.reason(), this.errorLogger()).asGrpcError());
        }, obj -> {
            return package$.MODULE$.Right().apply(obj);
        });
    }

    private <A> ServerCallStreamObserver<A> assertServerCall(StreamObserver<A> streamObserver) {
        if (streamObserver instanceof ServerCallStreamObserver) {
            return (ServerCallStreamObserver) streamObserver;
        }
        throw new IllegalArgumentException(new StringBuilder(29).append("The wrapped stream MUST be a ").append(ServerCallStreamObserver.class.getName()).toString());
    }

    private <Res> ServerCallStreamObserver<Res> ongoingAuthorization(ServerCallStreamObserver<Res> serverCallStreamObserver, ClaimSet.Claims claims) {
        return OngoingAuthorizationObserver$.MODULE$.apply(serverCallStreamObserver, claims, this.now, this.userManagementStore, this.userRightsCheckIntervalInSeconds, this.akkaScheduler, this.jwtTimestampLeeway, this.loggingContext, this.ec);
    }

    private Try<ClaimSet.Claims> authenticatedClaimsFromContext() {
        return AuthorizationInterceptor$.MODULE$.extractClaimSetFromContext().flatMap(claimSet -> {
            Failure success;
            if (ClaimSet$Unauthenticated$.MODULE$.equals(claimSet)) {
                success = new Failure(new AuthorizationChecks.Unauthenticated.MissingJwtToken(this.errorLogger()).asGrpcError());
            } else if (claimSet instanceof ClaimSet.AuthenticatedUser) {
                success = new Failure(new AuthorizationChecks.InternalAuthorizationError.Reject("Unexpected unresolved authenticated user claim", new RuntimeException(new StringBuilder(57).append("Unexpected unresolved authenticated user claim for user '").append(((ClaimSet.AuthenticatedUser) claimSet).userId()).toString()), this.errorLogger()).asGrpcError());
            } else {
                if (!(claimSet instanceof ClaimSet.Claims)) {
                    throw new MatchError(claimSet);
                }
                success = new Success((ClaimSet.Claims) claimSet);
            }
            return success;
        });
    }

    private <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> authorizeWithReq(Function2<Req, ServerCallStreamObserver<Res>, BoxedUnit> function2, Function2<ClaimSet.Claims, Req, Either<StatusRuntimeException, Req>> function22) {
        return (obj, streamObserver) -> {
            $anonfun$authorizeWithReq$1(this, function22, function2, obj, streamObserver);
            return BoxedUnit.UNIT;
        };
    }

    private <Req, Res> Function2<Req, StreamObserver<Res>, BoxedUnit> authorize(Function2<Req, ServerCallStreamObserver<Res>, BoxedUnit> function2, Function1<ClaimSet.Claims, Either<AuthorizationError, BoxedUnit>> function1) {
        return authorizeWithReq(function2, (claims, obj) -> {
            return this.authorizationErrorAsGrpc((Either) function1.apply(claims)).map(boxedUnit -> {
                return obj;
            });
        });
    }

    public <Req, Res> Function1<Req, Future<Res>> authorizeWithReq(Function1<Req, Future<Res>> function1, Function2<ClaimSet.Claims, Req, Either<StatusRuntimeException, Req>> function2) {
        return obj -> {
            Future failed;
            Future future;
            Failure authenticatedClaimsFromContext = this.authenticatedClaimsFromContext();
            if (authenticatedClaimsFromContext instanceof Failure) {
                future = Future$.MODULE$.failed(authenticatedClaimsFromContext.exception());
            } else {
                if (!(authenticatedClaimsFromContext instanceof Success)) {
                    throw new MatchError(authenticatedClaimsFromContext);
                }
                Right right = (Either) function2.apply((ClaimSet.Claims) ((Success) authenticatedClaimsFromContext).value(), obj);
                if (right instanceof Right) {
                    failed = (Future) function1.apply(right.value());
                } else {
                    if (!(right instanceof Left)) {
                        throw new MatchError(right);
                    }
                    failed = Future$.MODULE$.failed((StatusRuntimeException) ((Left) right).value());
                }
                future = failed;
            }
            return future;
        };
    }

    public <Req, Res> Function1<Req, Future<Res>> authorize(Function1<Req, Future<Res>> function1, Function1<ClaimSet.Claims, Either<AuthorizationError, BoxedUnit>> function12) {
        return authorizeWithReq(function1, (claims, obj) -> {
            return this.authorizationErrorAsGrpc((Either) function12.apply(claims)).map(boxedUnit -> {
                return obj;
            });
        });
    }

    public static final /* synthetic */ void $anonfun$authorizeWithReq$3(Authorizer authorizer, Function2 function2, Object obj, Function2 function22, ServerCallStreamObserver serverCallStreamObserver, StreamObserver streamObserver, ClaimSet.Claims claims) {
        Right right = (Either) function2.apply(claims, obj);
        if (right instanceof Right) {
        } else {
            if (!(right instanceof Left)) {
                throw new MatchError(right);
            }
            streamObserver.onError((StatusRuntimeException) ((Left) right).value());
            BoxedUnit boxedUnit = BoxedUnit.UNIT;
        }
    }

    public static final /* synthetic */ void $anonfun$authorizeWithReq$1(Authorizer authorizer, Function2 function2, Function2 function22, Object obj, StreamObserver streamObserver) {
        ServerCallStreamObserver assertServerCall = authorizer.assertServerCall(streamObserver);
        authorizer.authenticatedClaimsFromContext().fold(th -> {
            streamObserver.onError(th);
            return BoxedUnit.UNIT;
        }, claims -> {
            $anonfun$authorizeWithReq$3(authorizer, function2, obj, function22, assertServerCall, streamObserver, claims);
            return BoxedUnit.UNIT;
        });
    }

    public Authorizer(Function0<Instant> function0, String str, String str2, UserManagementStore userManagementStore, ExecutionContext executionContext, int i, Scheduler scheduler, Option<JwtTimestampLeeway> option, LoggingContext loggingContext) {
        this.now = function0;
        this.ledgerId = str;
        this.participantId = str2;
        this.userManagementStore = userManagementStore;
        this.ec = executionContext;
        this.userRightsCheckIntervalInSeconds = i;
        this.akkaScheduler = scheduler;
        this.jwtTimestampLeeway = option;
        this.loggingContext = loggingContext;
        this.errorLogger = new DamlContextualizedErrorLogger(logger(), loggingContext, None$.MODULE$);
    }
}
