package com.gu.janus.config;

import cats.implicits$;
import com.gu.janus.model.ACL;
import com.gu.janus.model.AwsAccount;
import com.gu.janus.model.ConfiguredAccess;
import com.gu.janus.model.ConfiguredAccounts;
import com.gu.janus.model.ConfiguredAclEntry;
import com.gu.janus.model.ConfiguredAdmin;
import com.gu.janus.model.ConfiguredPermission;
import com.gu.janus.model.ConfiguredPermissions;
import com.gu.janus.model.ConfiguredSupport;
import com.gu.janus.model.JanusData;
import com.gu.janus.model.Permission;
import com.gu.janus.model.SupportACL;
import com.gu.janus.model.SupportACL$;
import com.typesafe.config.Config;
import io.circe.Decoder;
import io.circe.Decoder$;
import io.circe.config.syntax$;
import io.circe.config.syntax$CirceConfigOps$;
import io.circe.generic.decoding.DerivedDecoder;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.joda.time.Period;
import org.joda.time.format.ISODateTimeFormat;
import scala.$less$colon$less$;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Predef$ArrowAssoc$;
import scala.Tuple2;
import scala.collection.immutable.$colon;
import scala.collection.immutable.List;
import scala.collection.immutable.Nil$;
import scala.collection.immutable.Set;
import scala.package$;
import scala.runtime.BoxesRunTime;
import scala.util.Either;
import scala.util.Try$;
import scala.util.control.NonFatal$;
import shapeless.Lazy$;
import shapeless.lazily$;

/* compiled from: Loader.scala */
/* loaded from: input_file:com/gu/janus/config/Loader$.class */
/**
 * Singleton companion (decompiled from {@code Loader.scala}) that turns a Typesafe {@link Config}
 * into a {@link JanusData}: accounts, permissions, the access, admin and support ACLs, and an
 * optional permissions-repo string.
 *
 * <p>Every loader returns an {@code Either<String, ...>}; a decoding failure or an ACL entry that
 * does not resolve to a defined permission produces a {@code Left} carrying a message, so a bad
 * reference is reported rather than dropped.
 *
 * <p>NOTE(review): this is decompiler output. Several nested lambdas reuse one parameter name
 * ({@code set}, {@code acl}, {@code list}), so where a name is ambiguous the comments below say so
 * instead of guessing; confirm against the Scala source.
 */
public final class Loader$ {
    /** The single instance; the loaders below are instance methods reached through it. */
    public static final Loader$ MODULE$ = new Loader$();
    // Decodes a string as an ISO date-time (ISODateTimeFormat.dateTime()) and re-expresses it in UTC.
    // A parse failure that NonFatal matches becomes Left(message); anything else is rethrown.
    // Presumably consumed by the generated decoders for the rota start times - not visible in this class.
    private static final Decoder<DateTime> com$gu$janus$config$Loader$$decodeDateTime = Decoder$.MODULE$.decodeString().emap(str -> {
        try {
            return package$.MODULE$.Right().apply(DateTime.parse(str, ISODateTimeFormat.dateTime()).withZone(DateTimeZone.UTC));
        } catch (Throwable th) {
            if (th != null) {
                Option unapply = NonFatal$.MODULE$.unapply(th);
                if (!unapply.isEmpty()) {
                    return package$.MODULE$.Left().apply(((Throwable) unapply.get()).getMessage());
                }
            }
            throw th;
        }
    });

    /**
     * Loads the complete Janus configuration by chaining the individual loaders.
     *
     * <p>The steps run in order (permissions repo, accounts, permissions, access, admin, support)
     * and are joined with {@code flatMap}, so the first {@code Left} is the result and later steps
     * are not run.
     *
     * @param config the configuration to read
     * @return {@code Right(JanusData)} when every section loads, otherwise {@code Left(message)}
     */
    public Either<String, JanusData> fromConfig(Config config) {
        // By the method signatures: loadPermissions receives the accounts, while loadAccess,
        // loadAdmin and loadSupport receive the permissions. The decompiler named both lambda
        // parameters `set` and both ACLs `acl`, so which value lands in which JanusData
        // constructor slot cannot be read from this listing - TODO confirm against Loader.scala.
        return loadPermissionsRepo(config).flatMap(option -> {
            return MODULE$.loadAccounts(config).flatMap(set -> {
                return MODULE$.loadPermissions(config, set).flatMap(set -> {
                    return MODULE$.loadAccess(config, set).flatMap(acl -> {
                        return MODULE$.loadAdmin(config, set).flatMap(acl -> {
                            return MODULE$.loadSupport(config, set).map(supportACL -> {
                                return new JanusData(set, acl, acl, supportACL, option);
                            });
                        });
                    });
                });
            });
        });
    }

    /**
     * Reads the optional {@code janus.permissionsRepo} string.
     *
     * @param config the configuration to read
     * @return {@code Right(None)} when the path is absent; otherwise the string wrapped in an
     *     {@code Option}, or {@code Left(message)} if reading it throws
     */
    public Either<String, Option<String>> loadPermissionsRepo(Config config) {
        String str = "janus.permissionsRepo";
        return (config.hasPath("janus.permissionsRepo") ? Try$.MODULE$.apply(() -> {
            return Option$.MODULE$.apply(config.getString(str));
        }).toEither().left().map(th -> {
            return th.getMessage();
        }) : package$.MODULE$.Right().apply(None$.MODULE$)).map(option -> {
            // Identity map left over from the compiled for-comprehension.
            return option;
        });
    }

    /**
     * Decodes the {@code janus} path as {@link ConfiguredAccounts} and builds one
     * {@link AwsAccount} per configured account from its name and key.
     *
     * <p>Unlike the other loaders, a decoding error is passed through without a path prefix.
     *
     * @param config the configuration to read
     * @return the accounts as a set, or {@code Left(message)} if decoding fails
     */
    public Either<String, Set<AwsAccount>> loadAccounts(Config config) {
        syntax$CirceConfigOps$ syntax_circeconfigops_ = syntax$CirceConfigOps$.MODULE$;
        Config CirceConfigOps = syntax$.MODULE$.CirceConfigOps(config);
        Decoder$ decoder$ = Decoder$.MODULE$;
        lazily$ lazily_ = lazily$.MODULE$;
        DerivedDecoder<ConfiguredAccounts> inst$macro$1 = new Loader$anon$importedDecoder$macro$15$1().inst$macro$1();
        return syntax_circeconfigops_.as$extension(CirceConfigOps, "janus", decoder$.importedDecoder((Decoder) lazily_.apply(Lazy$.MODULE$.apply(() -> {
            return inst$macro$1;
        })))).left().map(error -> {
            return error.getMessage();
        }).map(configuredAccounts -> {
            return configuredAccounts.accounts().map(configuredAccount -> {
                return new AwsAccount(configuredAccount.name(), configuredAccount.key());
            }).toSet();
        });
    }

    /**
     * Decodes the {@code janus} path as {@link ConfiguredPermissions} and binds each configured
     * permission to the account it names.
     *
     * <p>A permission whose account does not match the {@code authConfigKey} of any account in
     * {@code set} makes the whole load a {@code Left}; it is not skipped.
     *
     * @param config the configuration to read
     * @param set the accounts already loaded, used to resolve each permission's account
     * @return the permissions as a set, or {@code Left(message)} on a decoding error or an
     *     unknown account
     */
    public Either<String, Set<Permission>> loadPermissions(Config config, Set<AwsAccount> set) {
        syntax$CirceConfigOps$ syntax_circeconfigops_ = syntax$CirceConfigOps$.MODULE$;
        Config CirceConfigOps = syntax$.MODULE$.CirceConfigOps(config);
        Decoder$ decoder$ = Decoder$.MODULE$;
        lazily$ lazily_ = lazily$.MODULE$;
        DerivedDecoder<ConfiguredPermissions> inst$macro$1 = new Loader$anon$importedDecoder$macro$21$1().inst$macro$1();
        return syntax_circeconfigops_.as$extension(CirceConfigOps, "janus", decoder$.importedDecoder((Decoder) lazily_.apply(Lazy$.MODULE$.apply(() -> {
            return inst$macro$1;
        })))).left().map(error -> {
            return new StringBuilder(46).append("Failed to load permissions from path `janus`: ").append(error.getMessage()).toString();
        }).flatMap(configuredPermissions -> {
            return ((Either) implicits$.MODULE$.toTraverseOps(configuredPermissions.permissions(), implicits$.MODULE$.catsStdInstancesForList()).traverse(configuredPermission -> {
                return set.find(awsAccount -> {
                    return BoxesRunTime.boxToBoolean($anonfun$loadPermissions$5(configuredPermission, awsAccount));
                }).toRight(() -> {
                    return new StringBuilder(89).append("Account `").append(configuredPermission.account()).append("` is referenced in a permission (").append(configuredPermission.label()).append(") but is not defined in the list of AwsAccounts").toString();
                }).map(awsAccount2 -> {
                    return new Permission(awsAccount2, configuredPermission.label(), configuredPermission.description(), configuredPermission.policy(), configuredPermission.shortTerm());
                });
            }, implicits$.MODULE$.catsStdInstancesForEither())).map(list -> {
                return list.toSet();
            });
        });
    }

    /**
     * Decodes {@code janus.access} as {@link ConfiguredAccess} and resolves every entry, both the
     * default permissions and the per-key lists in {@code acl}, to a defined {@link Permission}.
     *
     * <p>An entry resolves only when its account and its label both equal those of a permission
     * in {@code set}. Any entry that does not resolve makes the result a {@code Left} naming the
     * label and account key, so access is never granted on a reference that was not matched.
     *
     * @param config the configuration to read
     * @param set the permissions already loaded
     * @return the access {@link ACL}, or {@code Left(message)} on a decoding error or an
     *     unresolved entry
     */
    public Either<String, ACL> loadAccess(Config config, Set<Permission> set) {
        syntax$CirceConfigOps$ syntax_circeconfigops_ = syntax$CirceConfigOps$.MODULE$;
        Config CirceConfigOps = syntax$.MODULE$.CirceConfigOps(config);
        Decoder$ decoder$ = Decoder$.MODULE$;
        lazily$ lazily_ = lazily$.MODULE$;
        DerivedDecoder<ConfiguredAccess> inst$macro$1 = new Loader$anon$importedDecoder$macro$17$1().inst$macro$1();
        return syntax_circeconfigops_.as$extension(CirceConfigOps, "janus.access", decoder$.importedDecoder((Decoder) lazily_.apply(Lazy$.MODULE$.apply(() -> {
            return inst$macro$1;
        })))).left().map(error -> {
            return new StringBuilder(48).append("Failed to load access from path `janus.access`: ").append(error.getMessage()).toString();
        }).flatMap(configuredAccess -> {
            // Step 1: resolve the default permissions.
            return ((Either) implicits$.MODULE$.toTraverseOps(configuredAccess.defaultPermissions(), implicits$.MODULE$.catsStdInstancesForList()).traverse(configuredAclEntry -> {
                return set.find(permission -> {
                    return BoxesRunTime.boxToBoolean($anonfun$loadAccess$5(configuredAclEntry, permission));
                }).toRight(() -> {
                    return new StringBuilder(167).append("The 'default permissions' section of the access definition includes a permission that doesn't appear to be defined.\nIt has label `").append(configuredAclEntry.label()).append("` and refers to the account with key ").append(configuredAclEntry.account()).toString();
                });
            }, implicits$.MODULE$.catsStdInstancesForEither())).flatMap(list -> {
                // Step 2: resolve each (key, entries) pair of the ACL.
                return ((Either) implicits$.MODULE$.toTraverseOps(configuredAccess.acl().toList(), implicits$.MODULE$.catsStdInstancesForList()).traverse(tuple2 -> {
                    if (tuple2 == null) {
                        throw new MatchError(tuple2);
                    }
                    String str = (String) tuple2._1();
                    return ((Either) implicits$.MODULE$.toTraverseOps((List) tuple2._2(), implicits$.MODULE$.catsStdInstancesForList()).traverse(configuredAclEntry2 -> {
                        return set.find(permission -> {
                            return BoxesRunTime.boxToBoolean($anonfun$loadAccess$10(configuredAclEntry2, permission));
                        }).toRight(() -> {
                            return new StringBuilder(140).append("The access configuration for `").append(str).append("` includes a permission that doesn't appear to be defined.\nIt has label `").append(configuredAclEntry2.label()).append("` and refers to the account with key ").append(configuredAclEntry2.account()).toString();
                        });
                    }, implicits$.MODULE$.catsStdInstancesForEither())).map(list -> {
                        return Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(str), list.toSet());
                    });
                }, implicits$.MODULE$.catsStdInstancesForEither())).map(list -> {
                    // Both arguments print as `list` because the decompiler reused the name;
                    // presumably the map is the per-key result and the set is the resolved
                    // default permissions - TODO confirm against Loader.scala.
                    return new ACL(list.toMap($less$colon$less$.MODULE$.refl()), list.toSet());
                });
            });
        });
    }

    /**
     * Decodes {@code janus.admin} as {@link ConfiguredAdmin} and resolves every entry of its
     * {@code acl} to a defined {@link Permission}, matching on account and label.
     *
     * <p>An unresolved entry makes the result a {@code Left}. The resulting {@link ACL} is built
     * with an empty set as its second argument.
     *
     * @param config the configuration to read
     * @param set the permissions already loaded
     * @return the admin {@link ACL}, or {@code Left(message)} on a decoding error or an
     *     unresolved entry
     */
    public Either<String, ACL> loadAdmin(Config config, Set<Permission> set) {
        syntax$CirceConfigOps$ syntax_circeconfigops_ = syntax$CirceConfigOps$.MODULE$;
        Config CirceConfigOps = syntax$.MODULE$.CirceConfigOps(config);
        Decoder$ decoder$ = Decoder$.MODULE$;
        lazily$ lazily_ = lazily$.MODULE$;
        DerivedDecoder<ConfiguredAdmin> inst$macro$1 = new Loader$anon$importedDecoder$macro$15$2().inst$macro$1();
        return syntax_circeconfigops_.as$extension(CirceConfigOps, "janus.admin", decoder$.importedDecoder((Decoder) lazily_.apply(Lazy$.MODULE$.apply(() -> {
            return inst$macro$1;
        })))).left().map(error -> {
            return new StringBuilder(53).append("Failed to load admin config from path `janus.admin`: ").append(error.getMessage()).toString();
        }).flatMap(configuredAdmin -> {
            return ((Either) implicits$.MODULE$.toTraverseOps(configuredAdmin.acl().toList(), implicits$.MODULE$.catsStdInstancesForList()).traverse(tuple2 -> {
                if (tuple2 == null) {
                    throw new MatchError(tuple2);
                }
                String str = (String) tuple2._1();
                return ((Either) implicits$.MODULE$.toTraverseOps((List) tuple2._2(), implicits$.MODULE$.catsStdInstancesForList()).traverse(configuredAclEntry -> {
                    return set.find(permission -> {
                        return BoxesRunTime.boxToBoolean($anonfun$loadAdmin$6(configuredAclEntry, permission));
                    }).toRight(() -> {
                        return new StringBuilder(139).append("The admin configuration for `").append(str).append("` includes a permission that doesn't appear to be defined.\nIt has label `").append(configuredAclEntry.label()).append("` and refers to the account with key ").append(configuredAclEntry.account()).toString();
                    });
                }, implicits$.MODULE$.catsStdInstancesForEither())).map(list -> {
                    return Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(str), list.toSet());
                });
            }, implicits$.MODULE$.catsStdInstancesForEither())).map(list -> {
                return new ACL(list.toMap($less$colon$less$.MODULE$.refl()), Predef$.MODULE$.Set().empty());
            });
        });
    }

    /**
     * Decodes {@code janus.support} as {@link ConfiguredSupport} and builds the
     * {@link SupportACL} from the support permissions, the rota and the configured period.
     *
     * <p>Each support-access entry must resolve to a defined permission (account and label both
     * equal), and each rota entry must list exactly two users; either failure yields a
     * {@code Left}. The configured period is interpreted as a number of seconds.
     *
     * @param config the configuration to read
     * @param set the permissions already loaded
     * @return the {@link SupportACL}, or {@code Left(message)} on a decoding error, an unresolved
     *     entry or a rota entry without exactly two users
     */
    public Either<String, SupportACL> loadSupport(Config config, Set<Permission> set) {
        syntax$CirceConfigOps$ syntax_circeconfigops_ = syntax$CirceConfigOps$.MODULE$;
        Config CirceConfigOps = syntax$.MODULE$.CirceConfigOps(config);
        Decoder$ decoder$ = Decoder$.MODULE$;
        lazily$ lazily_ = lazily$.MODULE$;
        DerivedDecoder<ConfiguredSupport> inst$macro$1 = new Loader$anon$importedDecoder$macro$27$1().inst$macro$1();
        return syntax_circeconfigops_.as$extension(CirceConfigOps, "janus.support", decoder$.importedDecoder((Decoder) lazily_.apply(Lazy$.MODULE$.apply(() -> {
            return inst$macro$1;
        })))).left().map(error -> {
            return new StringBuilder(57).append("Failed to load support config from path `janus.support`: ").append(error.getMessage()).toString();
        }).flatMap(configuredSupport -> {
            return ((Either) implicits$.MODULE$.toTraverseOps(configuredSupport.supportAccess(), implicits$.MODULE$.catsStdInstancesForList()).traverse(configuredAclEntry -> {
                return set.find(permission -> {
                    return BoxesRunTime.boxToBoolean($anonfun$loadSupport$5(configuredAclEntry, permission));
                }).toRight(() -> {
                    return new StringBuilder(138).append("The support access definition includes a permission that doesn't appear to be defined.\nIt has label `").append(configuredAclEntry.label()).append("` and refers to the account with key ").append(configuredAclEntry.account()).toString();
                });
            }, implicits$.MODULE$.catsStdInstancesForEither())).map(list -> {
                // NOTE(review): no range check on the configured period is visible in this method;
                // verify whether SupportACL.create or the decoder rejects zero or negative values.
                return new Tuple2(list, Period.seconds(configuredSupport.period()));
            }).flatMap(tuple2 -> {
                if (tuple2 == null) {
                    throw new MatchError(tuple2);
                }
                List list2 = (List) tuple2._1();
                Period period = (Period) tuple2._2();
                return ((Either) implicits$.MODULE$.toTraverseOps(configuredSupport.rota(), implicits$.MODULE$.catsStdInstancesForList()).traverse(configuredRotaEntry -> {
                    // Compiled pattern match: succeeds only for a `supporting` list of exactly
                    // two elements (head, second element, then Nil).
                    if (configuredRotaEntry != null) {
                        DateTime startTime = configuredRotaEntry.startTime();
                        $colon.colon supporting = configuredRotaEntry.supporting();
                        if (supporting instanceof $colon.colon) {
                            $colon.colon colonVar = supporting;
                            String str = (String) colonVar.head();
                            $colon.colon next$access$1 = colonVar.next$access$1();
                            if (next$access$1 instanceof $colon.colon) {
                                $colon.colon colonVar2 = next$access$1;
                                String str2 = (String) colonVar2.head();
                                if (Nil$.MODULE$.equals(colonVar2.next$access$1())) {
                                    return package$.MODULE$.Right().apply(Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(startTime), new Tuple2(str, str2)));
                                }
                            }
                        }
                    }
                    if (configuredRotaEntry == null) {
                        throw new MatchError(configuredRotaEntry);
                    }
                    return package$.MODULE$.Left().apply(new StringBuilder(78).append("The support rota expects precisely 2 users, but for ").append(configuredRotaEntry.startTime()).append(" it has been defined with ").append(configuredRotaEntry.supporting().mkString("`", ", ", "`")).toString());
                }, implicits$.MODULE$.catsStdInstancesForEither())).map(list3 -> {
                    // NOTE(review): the rota is a list keyed by start time and toMap keeps one value
                    // per key, so two entries with the same start time would presumably collapse to
                    // one without an error - confirm whether that is intended.
                    return SupportACL$.MODULE$.create(list3.toMap($less$colon$less$.MODULE$.refl()), list2.toSet(), period);
                });
            });
        });
    }

    /** Returns the shared ISO date-time decoder defined above (compiler-generated accessor). */
    public Decoder<DateTime> com$gu$janus$config$Loader$$decodeDateTime() {
        return com$gu$janus$config$Loader$$decodeDateTime;
    }

    /**
     * Synthetic predicate for {@code loadPermissions}: true when the account's
     * {@code authConfigKey} equals the permission's configured account (null-safe, exact
     * {@code String.equals} comparison).
     */
    public static final /* synthetic */ boolean $anonfun$loadPermissions$5(ConfiguredPermission configuredPermission, AwsAccount awsAccount) {
        String authConfigKey = awsAccount.authConfigKey();
        String account = configuredPermission.account();
        return authConfigKey != null ? authConfigKey.equals(account) : account == null;
    }

    /**
     * Synthetic predicate for the default permissions in {@code loadAccess}: true only when the
     * entry's account equals the permission's account {@code authConfigKey} and the labels are
     * equal (both comparisons null-safe and exact).
     */
    public static final /* synthetic */ boolean $anonfun$loadAccess$5(ConfiguredAclEntry configuredAclEntry, Permission permission) {
        String account = configuredAclEntry.account();
        String authConfigKey = permission.account().authConfigKey();
        if (account != null ? account.equals(authConfigKey) : authConfigKey == null) {
            String label = configuredAclEntry.label();
            String label2 = permission.label();
            if (label != null ? label.equals(label2) : label2 == null) {
                return true;
            }
        }
        return false;
    }

    /**
     * Synthetic predicate for the per-key ACL entries in {@code loadAccess}; same account-and-label
     * comparison as {@code $anonfun$loadAccess$5}.
     */
    public static final /* synthetic */ boolean $anonfun$loadAccess$10(ConfiguredAclEntry configuredAclEntry, Permission permission) {
        String account = configuredAclEntry.account();
        String authConfigKey = permission.account().authConfigKey();
        if (account != null ? account.equals(authConfigKey) : authConfigKey == null) {
            String label = configuredAclEntry.label();
            String label2 = permission.label();
            if (label != null ? label.equals(label2) : label2 == null) {
                return true;
            }
        }
        return false;
    }

    /**
     * Synthetic predicate for {@code loadAdmin}: true only when the entry's account and label
     * both equal the permission's (null-safe, exact comparison).
     */
    public static final /* synthetic */ boolean $anonfun$loadAdmin$6(ConfiguredAclEntry configuredAclEntry, Permission permission) {
        String account = configuredAclEntry.account();
        String authConfigKey = permission.account().authConfigKey();
        if (account != null ? account.equals(authConfigKey) : authConfigKey == null) {
            String label = configuredAclEntry.label();
            String label2 = permission.label();
            if (label != null ? label.equals(label2) : label2 == null) {
                return true;
            }
        }
        return false;
    }

    /**
     * Synthetic predicate for {@code loadSupport}: true only when the entry's account and label
     * both equal the permission's (null-safe, exact comparison).
     */
    public static final /* synthetic */ boolean $anonfun$loadSupport$5(ConfiguredAclEntry configuredAclEntry, Permission permission) {
        String account = configuredAclEntry.account();
        String authConfigKey = permission.account().authConfigKey();
        if (account != null ? account.equals(authConfigKey) : authConfigKey == null) {
            String label = configuredAclEntry.label();
            String label2 = permission.label();
            if (label != null ? label.equals(label2) : label2 == null) {
                return true;
            }
        }
        return false;
    }

    // Private: the only instance is MODULE$.
    private Loader$() {
    }
}
