package io.apicurio.registry.auth;

import javax.inject.Inject;
import javax.inject.Singleton;
import javax.interceptor.InvocationContext;

@Singleton
/* loaded from: input_file:io/apicurio/registry/auth/RoleBasedAccessController.class */
public class RoleBasedAccessController extends AbstractAccessController {

    @Inject
    StorageRoleProvider storageRoleProvider;

    @Inject
    TokenRoleProvider tokenRoleProvider;

    @Inject
    HeaderRoleProvider headerRoleProvider;

    @Override // io.apicurio.registry.auth.IAccessController
    public boolean isAuthorized(InvocationContext invocationContext) {
        AuthorizedLevel level = ((Authorized) invocationContext.getMethod().getAnnotation(Authorized.class)).level();
        switch (level) {
            case Admin:
                return isAdmin();
            case None:
                return true;
            case Read:
                return isReadOnly() || isDeveloper() || isAdmin();
            case Write:
                return isDeveloper() || isAdmin();
            case AdminOrOwner:
                return isAdmin() || isOwner(invocationContext);
            default:
                throw new RuntimeException("Unhandled case: " + level);
        }
    }

    public boolean isAdmin() {
        return getRoleProvider().isAdmin();
    }

    public boolean isDeveloper() {
        return getRoleProvider().isDeveloper();
    }

    public boolean isReadOnly() {
        return getRoleProvider().isReadOnly();
    }

    private RoleProvider getRoleProvider() {
        if ("token".equals(this.authConfig.roleSource)) {
            return this.tokenRoleProvider;
        }
        if ("application".equals(this.authConfig.roleSource)) {
            return this.storageRoleProvider;
        }
        if ("header".equals(this.authConfig.roleSource)) {
            return this.headerRoleProvider;
        }
        throw new RuntimeException("Unsupported RBAC role source: " + this.authConfig.roleSource);
    }
}
