package com.spotify.styx.api;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.spotify.apollo.Response;
import com.spotify.apollo.Status;
import com.spotify.styx.api.Middlewares;
import com.spotify.styx.model.Workflow;
import com.spotify.styx.model.WorkflowId;
import com.spotify.styx.storage.Storage;
import java.io.IOException;
import java.util.Objects;
import java.util.Optional;

/* loaded from: input_file:com/spotify/styx/api/WorkflowActionAuthorizer.class */
/**
 * Authorization gate for actions performed on a workflow.
 *
 * <p>The only check made here is delegated to {@link ServiceAccountUsageAuthorizer}, and only for
 * workflows whose configuration names a service account. A workflow with no service account
 * configured passes through this class without any authorization check, so any other access
 * control has to be enforced by the caller.
 */
public class WorkflowActionAuthorizer {
    private final Storage storage;
    private final ServiceAccountUsageAuthorizer serviceAccountUsageAuthorizer;

    /**
     * Creates an authorizer backed by the given storage and service account usage authorizer.
     *
     * @param storage source of workflow definitions; must not be null
     * @param serviceAccountUsageAuthorizer delegate for the service account check; must not be null
     * @throws NullPointerException if either argument is null
     */
    public WorkflowActionAuthorizer(Storage storage, ServiceAccountUsageAuthorizer serviceAccountUsageAuthorizer) {
        this.storage = Objects.requireNonNull(storage, "storage");
        this.serviceAccountUsageAuthorizer =
                Objects.requireNonNull(serviceAccountUsageAuthorizer, "serviceAccountUsageAuthorizer");
    }

    /**
     * Loads the workflow with the given id from storage and authorizes the caller against it.
     *
     * <p>A storage failure is rethrown, so the method never returns normally when the workflow
     * could not be read (the check fails closed).
     *
     * @param authContext authentication context of the request
     * @param workflowId id of the workflow the action targets
     * @throws ResponseException with status NOT_FOUND if storage holds no such workflow
     * @throws RuntimeException wrapping the {@link IOException} raised by the storage lookup
     */
    public void authorizeWorkflowAction(Middlewares.AuthContext authContext, WorkflowId workflowId) {
        try {
            // NOTE(review): the existence lookup runs before the caller identity is read, so a
            // missing workflow yields NOT_FOUND regardless of who is asking. Presumably an
            // upstream layer has already rejected unauthenticated requests; confirm.
            final Workflow target = this.storage.workflow(workflowId).orElseThrow(
                    () -> new ResponseException(
                            Response.forStatus(Status.NOT_FOUND.withReasonPhrase("workflow not found"))));
            authorizeWorkflowAction(authContext, target);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Authorizes the caller to act on the given workflow.
     *
     * <p>If the workflow configuration names a service account, the decision is delegated to
     * {@link ServiceAccountUsageAuthorizer#authorizeServiceAccountUsage}; how a denial is
     * reported is defined by that delegate. If no service account is configured, nothing is
     * checked and the method returns.
     *
     * @param authContext authentication context of the request; must carry a user token
     * @param workflow workflow the action targets
     * @throws AssertionError if {@code authContext} carries no user token
     */
    public void authorizeWorkflowAction(Middlewares.AuthContext authContext, Workflow workflow) {
        // A missing token is treated as a broken invariant rather than a client error.
        // NOTE(review): this assumes every route reaching here is authenticated upstream; confirm.
        final GoogleIdToken idToken = authContext.user().orElseThrow(AssertionError::new);
        final Optional<String> configuredAccount = workflow.configuration().serviceAccount();
        configuredAccount.ifPresent(account ->
                this.serviceAccountUsageAuthorizer.authorizeServiceAccountUsage(workflow.id(), account, idToken));
    }
}
