package com.peterphi.std.guice.common.auth;

import com.codahale.metrics.Meter;
import com.google.inject.Provider;
import com.peterphi.std.guice.common.auth.annotations.AuthConstraint;
import com.peterphi.std.guice.common.auth.iface.CurrentUser;
import org.aopalliance.intercept.MethodInterceptor;
import org.aopalliance.intercept.MethodInvocation;

/* loaded from: input_file:com/peterphi/std/guice/common/auth/AuthConstraintMethodInterceptor.class */
class AuthConstraintMethodInterceptor implements MethodInterceptor {
    private final Provider<CurrentUser> userProvider;
    private final Meter calls;
    private final Meter granted;
    private final Meter denied;
    private final Meter authenticatedDenied;

    public AuthConstraintMethodInterceptor(Provider<CurrentUser> provider, Meter meter, Meter meter2, Meter meter3, Meter meter4) {
        if (provider == null) {
            throw new IllegalArgumentException("Must have a Provider for CurrentUser!");
        }
        this.userProvider = provider;
        this.calls = meter;
        this.granted = meter2;
        this.denied = meter3;
        this.authenticatedDenied = meter4;
    }

    public Object invoke(MethodInvocation methodInvocation) throws Throwable {
        if (methodInvocation.getMethod().getDeclaringClass().equals(Object.class)) {
            return methodInvocation.proceed();
        }
        this.calls.mark();
        AuthConstraint readConstraint = readConstraint(methodInvocation);
        CurrentUser currentUser = (CurrentUser) this.userProvider.get();
        if (readConstraint == null) {
            throw new IllegalArgumentException("Cannot find AuthConstraint associated with method: " + methodInvocation.getMethod());
        }
        if (currentUser == null) {
            throw new IllegalArgumentException("Provider for CurrentUser returned null! Cannot apply AuthConstraint to method " + methodInvocation.getMethod());
        }
        if (passes(readConstraint, currentUser)) {
            this.granted.mark();
            return methodInvocation.proceed();
        }
        if (!currentUser.isAnonymous()) {
            this.authenticatedDenied.mark();
        }
        this.denied.mark();
        throw currentUser.getAccessRefuser().refuse(readConstraint, currentUser);
    }

    private boolean passes(AuthConstraint authConstraint, CurrentUser currentUser) {
        if (authConstraint.skip()) {
            return true;
        }
        return currentUser.hasRole(authConstraint.role());
    }

    private AuthConstraint readConstraint(MethodInvocation methodInvocation) {
        return methodInvocation.getMethod().isAnnotationPresent(AuthConstraint.class) ? (AuthConstraint) methodInvocation.getMethod().getAnnotation(AuthConstraint.class) : (AuthConstraint) methodInvocation.getMethod().getDeclaringClass().getAnnotation(AuthConstraint.class);
    }
}
