package com.adobe.aem.repoapi.impl.controller;

import com.adobe.aem.dam.api.exception.AccessDeniedException;
import com.adobe.aem.dam.api.exception.DamException;
import com.adobe.aem.dam.api.exception.InvalidOperationException;
import com.adobe.aem.repoapi.impl.Constants;
import com.adobe.aem.repoapi.impl.RepoApiResourceResolver;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiPrivilege;
import com.adobe.aem.repoapi.impl.api.controller.ControllerContext;
import com.adobe.aem.repoapi.impl.api.controller.RepoApiController;
import com.adobe.aem.repoapi.impl.api.exception.MethodNotAllowedException;
import com.adobe.aem.repoapi.impl.entity.AccessControlCheckResource;
import java.io.IOException;
import java.util.Locale;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

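/**
 * Repo API controller for the access-control check operation, referred to as
 * {@code api:ac/check} in its own error messages.
 *
 * <p>Registered as a {@link RepoApiController} OSGi component with
 * {@code service.ranking} 100. A request is answered with an empty "no content"
 * response when the resolved {@link AccessControlCheckResource} reports that the
 * requested privilege is held, and with {@link AccessDeniedException} otherwise.
 */
@Component(service = {RepoApiController.class}, property = {"service.ranking:Integer=100"})
public class AccessControlCheckController implements RepoApiController {
    private final RepoApiResourceResolver apiResourceResolver;

    /**
     * Creates the controller with the resolver used to map requests to API resources.
     *
     * @param repoApiResourceResolver resolver injected by the OSGi component runtime
     */
    @Activate
    public AccessControlCheckController(@Nonnull @Reference RepoApiResourceResolver repoApiResourceResolver) {
        this.apiResourceResolver = repoApiResourceResolver;
    }

    /**
     * Handles an access-control check request.
     *
     * @param controllerContext context of the current request
     * @return {@code false} when the request does not resolve to a single
     *     {@link AccessControlCheckResource} (the request is not handled here);
     *     {@code true} after a no-content response has been set
     * @throws MethodNotAllowedException if the request is not a read request
     * @throws InvalidOperationException if the {@code privilege} path parameter is
     *     missing or does not name a {@link RepoApiPrivilege}
     * @throws AccessDeniedException if the resource reports the privilege as not held
     */
    @Override
    public boolean handleOperation(ControllerContext controllerContext) throws IOException, DamException {
        if (!controllerContext.isSingleSourceApiResource(this.apiResourceResolver, AccessControlCheckResource.class)) {
            return false;
        }
        if (!controllerContext.isReadRequest()) {
            throw new MethodNotAllowedException("'GET' request required for api:ac/check");
        }
        // Evaluation order is kept deliberately: the resource is resolved first, then the
        // relation parameter is read, and only then is the privilege parameter validated.
        AccessControlCheckResource checkResource = (AccessControlCheckResource) controllerContext
                .getSingleSourceApiResourceAs(this.apiResourceResolver, AccessControlCheckResource.class);
        boolean granted = checkResource.hasPrivilege(
                controllerContext.getRelationPathParameter().orElse(Constants.REL_PRIMARY),
                validatePrivilegeParam(controllerContext));
        if (!granted) {
            // Fail closed: anything other than an explicit grant is a denial.
            throw new AccessDeniedException("Permission denied");
        }
        controllerContext.setNoContentResponse();
        return true;
    }

    /**
     * Reads the {@code privilege} path parameter and converts it to a {@link RepoApiPrivilege}.
     *
     * <p>The value is matched case-insensitively against the enum constant names. Upper-casing
     * uses {@link Locale#ROOT} so that the result does not depend on the JVM default locale:
     * under a Turkish default locale, for example, {@code "write"} upper-cases to a string
     * containing a dotted capital I and would be rejected although it is a valid value.
     *
     * @param controllerContext context of the current request
     * @return the privilege named by the path parameter
     * @throws InvalidOperationException if the parameter is absent or names no enum constant
     */
    private RepoApiPrivilege validatePrivilegeParam(ControllerContext controllerContext) throws InvalidOperationException {
        Optional<String> privilegePathParameter = controllerContext.getPrivilegePathParameter();
        String requested = privilegePathParameter.orElseThrow(
                () -> new InvalidOperationException("'privilege' path parameter is required for api:ac/check"));
        try {
            return RepoApiPrivilege.valueOf(requested.toUpperCase(Locale.ROOT));
        } catch (IllegalArgumentException ignored) {
            // The original exception only says the name is not an enum constant; the client gets
            // the list of accepted values instead, and the caller-supplied value is not echoed.
            // NOTE(review): the enum's constants are not visible here; keep this list in sync
            // with RepoApiPrivilege.
            throw new InvalidOperationException("Supported 'privilege' path parameter values are: 'ACK', 'READ', 'WRITE', 'DELETE'");
        }
    }
}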
