package io.apicurio.registry.auth;

import io.apicurio.registry.storage.RegistryStorage;
import io.apicurio.registry.types.Current;
import io.apicurio.registry.types.RoleType;
import io.quarkus.security.identity.SecurityIdentity;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.inject.Instance;
import jakarta.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;

/**
 * {@link RoleProvider} that resolves the caller's role from role mappings held in
 * {@link RegistryStorage}.
 *
 * <p>Two lookup keys are tried, in this order:
 * <ol>
 *   <li>the name of the principal on the current {@link SecurityIdentity};</li>
 *   <li>if that does not match and a {@link JsonWebToken} is resolvable with a non-null
 *       {@code azp} claim, the value of that claim.</li>
 * </ol>
 *
 * <p>Security notes for maintainers and operators:
 * <ul>
 *   <li>A role mapping stored under an {@code azp} value applies to every caller whose token
 *       carries that {@code azp}, whatever the principal name is. Treat such mappings as
 *       client-wide grants and keep them as narrow as possible.</li>
 *   <li>Principal names and {@code azp} values are passed to the same
 *       {@code getRoleForPrincipal} lookup, so they share one key space.
 *       NOTE(review): confirm the identity provider cannot issue a user name equal to a
 *       client id that has a role mapping.</li>
 *   <li>This class does no token validation of its own; it presumably relies on the token
 *       having been verified before injection - TODO confirm against the authentication
 *       configuration.</li>
 *   <li>The comparison is an exact, case-sensitive match against the {@link RoleType}
 *       constant name.</li>
 * </ul>
 */
@ApplicationScoped
public class StorageRoleProvider implements RoleProvider {

    /** Name of the JWT claim used as the fallback lookup key. */
    private static final String AZP_CLAIM = "azp";

    @Inject
    SecurityIdentity securityIdentity;

    @Inject
    Instance<JsonWebToken> identityToken;

    @Inject
    @Current
    RegistryStorage storage;

    /** @return {@code true} if the caller is mapped to {@link RoleType#DEVELOPER}. */
    @Override
    public boolean isDeveloper() {
        return hasRole(RoleType.DEVELOPER);
    }

    /** @return {@code true} if the caller is mapped to {@link RoleType#READ_ONLY}. */
    @Override
    public boolean isReadOnly() {
        return hasRole(RoleType.READ_ONLY);
    }

    /** @return {@code true} if the caller is mapped to {@link RoleType#ADMIN}. */
    @Override
    public boolean isAdmin() {
        return hasRole(RoleType.ADMIN);
    }

    /**
     * Checks whether storage maps the caller to the given role.
     *
     * @param role the role to test for
     * @return {@code true} if the mapping for the principal name, or failing that the mapping
     *         for the token's {@code azp} claim, equals the role's constant name
     */
    private boolean hasRole(RoleType role) {
        final String roleName = role.name();

        // First key: the authenticated principal's own name.
        final String principalName = this.securityIdentity.getPrincipal().getName();
        if (roleName.equals(this.storage.getRoleForPrincipal(principalName))) {
            return true;
        }

        // Second key: only consulted when the principal lookup did not match.
        if (!tokenHasAzpClaim()) {
            return false;
        }
        final JsonWebToken token = this.identityToken.get();
        final String authorizedParty = token.getClaim(AZP_CLAIM);
        return roleName.equals(this.storage.getRoleForPrincipal(authorizedParty));
    }

    /**
     * @return {@code true} if a token can be resolved for injection and its {@code azp} claim
     *         is non-null
     */
    private boolean tokenHasAzpClaim() {
        if (!this.identityToken.isResolvable()) {
            return false;
        }
        return this.identityToken.get().getClaim(AZP_CLAIM) != null;
    }
}
