package org.eclipse.ditto.gateway.service.security.authentication.preauth;

import akka.http.javadsl.server.RequestContext;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.function.Predicate;
import javax.annotation.concurrent.Immutable;
import org.eclipse.ditto.base.model.auth.AuthorizationContext;
import org.eclipse.ditto.base.model.auth.AuthorizationContextType;
import org.eclipse.ditto.base.model.auth.AuthorizationModelFactory;
import org.eclipse.ditto.base.model.auth.AuthorizationSubject;
import org.eclipse.ditto.base.model.auth.DittoAuthorizationContextType;
import org.eclipse.ditto.base.model.exceptions.DittoRuntimeException;
import org.eclipse.ditto.base.model.headers.DittoHeaders;
import org.eclipse.ditto.gateway.api.GatewayAuthenticationFailedException;
import org.eclipse.ditto.gateway.service.security.HttpHeader;
import org.eclipse.ditto.gateway.service.security.authentication.AuthenticationResult;
import org.eclipse.ditto.gateway.service.security.authentication.DefaultAuthenticationResult;
import org.eclipse.ditto.gateway.service.security.authentication.TimeMeasuringAuthenticationProvider;
import org.eclipse.ditto.gateway.service.security.utils.HttpUtils;
import org.eclipse.ditto.internal.utils.akka.logging.DittoLoggerFactory;
import org.eclipse.ditto.internal.utils.akka.logging.ThreadSafeDittoLogger;
import org.eclipse.ditto.utils.jsr305.annotations.AllValuesAreNonnullByDefault;

/**
 * Authentication provider that treats a request as already authenticated when it carries the
 * {@link HttpHeader#X_DITTO_PRE_AUTH} value, either as an HTTP header or as a query parameter of the same name.
 *
 * <p>Security note: the supplied value is split into authorization subjects and turned into an
 * {@link AuthorizationContext} as-is; this class performs no signature, token or origin check on it.
 * NOTE(review): deployments presumably rely on a trusted fronting component that removes or overwrites
 * client-supplied copies of BOTH the header and the query parameter - confirm against the gateway/proxy
 * configuration before enabling this provider.
 */
@AllValuesAreNonnullByDefault
@Immutable
public final class PreAuthenticatedAuthenticationProvider extends TimeMeasuringAuthenticationProvider<AuthenticationResult> {

    // LOGGER must be initialised before INSTANCE because the constructor hands it to the superclass.
    private static final ThreadSafeDittoLogger LOGGER = DittoLoggerFactory.getThreadSafeLogger(PreAuthenticatedAuthenticationProvider.class);
    private static final PreAuthenticatedAuthenticationProvider INSTANCE = new PreAuthenticatedAuthenticationProvider();

    private PreAuthenticatedAuthenticationProvider() {
        super(LOGGER);
    }

    /**
     * Returns the shared instance of this provider.
     *
     * @return the singleton instance.
     */
    public static PreAuthenticatedAuthenticationProvider getInstance() {
        return INSTANCE;
    }

    /**
     * Tells whether the request carries the pre-authentication value as a header or as a query parameter.
     *
     * @param requestContext the context of the request to inspect.
     * @return {@code true} if the header or the query parameter is present.
     */
    @Override
    public boolean isApplicable(RequestContext requestContext) {
        return containsHeader(requestContext, HttpHeader.X_DITTO_PRE_AUTH);
    }

    /**
     * Checks the real HTTP header first and only then falls back to a query parameter of the same name.
     */
    private static boolean containsHeader(RequestContext requestContext, HttpHeader httpHeader) {
        if (HttpUtils.getRequestHeader(requestContext, httpHeader.getName()).isPresent()) {
            return true;
        }
        return getRequestParam(requestContext, httpHeader).isPresent();
    }

    /**
     * Looks up the query parameter whose name equals the name of the given header.
     *
     * <p>Values read here come from the request URI, so they are caller-controlled and typically end up in
     * access logs of any component that records full URLs.
     *
     * @param requestContext the context of the request to inspect.
     * @param httpHeader the header whose name is used as the query parameter name.
     * @return the parameter value, or an empty Optional if the query does not contain it.
     */
    public static Optional<String> getRequestParam(RequestContext requestContext, HttpHeader httpHeader) {
        final String parameterName = httpHeader.getName();
        return requestContext.getRequest().getUri().query().get(parameterName);
    }

    /**
     * Builds the authentication result from the pre-authentication value of the request.
     *
     * <p>Fails when no value is present or when the value yields no authorization subject; otherwise succeeds
     * with a {@link DittoAuthorizationContextType#PRE_AUTHENTICATED_HTTP} context holding the parsed subjects.
     *
     * @param requestContext the context of the request to authenticate.
     * @param dittoHeaders the headers attached to the result and used for log correlation.
     * @return an already completed future with the authentication result.
     */
    @Override
    protected CompletableFuture<AuthenticationResult> tryToAuthenticate(RequestContext requestContext, DittoHeaders dittoHeaders) {
        final Optional<String> suppliedValue = getPreAuthenticated(requestContext);
        final AuthenticationResult outcome;
        if (suppliedValue.isPresent()) {
            final String rawSubjects = suppliedValue.get();
            final List<AuthorizationSubject> subjects = getAuthorizationSubjects(rawSubjects);
            if (!subjects.isEmpty()) {
                // The subjects are taken over unverified: whoever controls the value controls the identity.
                final AuthorizationContext authContext =
                        AuthorizationModelFactory.newAuthContext(DittoAuthorizationContextType.PRE_AUTHENTICATED_HTTP, subjects);
                // Audit trail of every accepted pre-authentication; the subject ids are written to the log.
                LOGGER.withCorrelationId(dittoHeaders).info("Pre-authentication has been applied resulting in AuthorizationContext <{}>.", authContext);
                outcome = DefaultAuthenticationResult.successful(dittoHeaders, authContext);
            } else {
                outcome = toFailedAuthenticationResult(buildFailedToExtractAuthorizationSubjectsException(rawSubjects, dittoHeaders), dittoHeaders);
            }
        } else {
            outcome = DefaultAuthenticationResult.failed(dittoHeaders, getAuthenticationFailedException(dittoHeaders));
        }
        return CompletableFuture.completedFuture(outcome);
    }

    /**
     * Reads the pre-authentication value; the HTTP header takes precedence over the query parameter.
     */
    private static Optional<String> getPreAuthenticated(RequestContext requestContext) {
        final HttpHeader preAuthHeader = HttpHeader.X_DITTO_PRE_AUTH;
        return HttpUtils.getRequestHeader(requestContext, preAuthHeader.getName())
                .or(() -> getRequestParam(requestContext, preAuthHeader));
    }

    /**
     * Creates the failure used when the request carries no pre-authentication value at all.
     */
    private static DittoRuntimeException getAuthenticationFailedException(DittoHeaders dittoHeaders) {
        return GatewayAuthenticationFailedException.newBuilder("No pre-authenticated subject was provided!")
                .dittoHeaders(dittoHeaders)
                .build();
    }

    /**
     * Splits the comma-separated value into authorization subjects, trimming each entry and dropping entries
     * that are empty after trimming. No further validation of the entries happens here.
     */
    private static List<AuthorizationSubject> getAuthorizationSubjects(String str) {
        return Arrays.stream(str.split(","))
                .map(String::trim)
                .filter(Predicate.not(String::isEmpty))
                .map(AuthorizationModelFactory::newAuthSubject)
                .toList();
    }

    /**
     * Creates the failure used when the supplied value yields no authorization subject.
     *
     * <p>The raw value is echoed into the message. This path is reached only when every comma-separated entry
     * trims to empty, so the echoed text consists of commas and characters that {@code String.trim()} strips,
     * which may include control characters.
     */
    private static DittoRuntimeException buildFailedToExtractAuthorizationSubjectsException(String str, DittoHeaders dittoHeaders) {
        final String message =
                MessageFormat.format("Failed to extract AuthorizationSubjects from pre-authenticated header value <{0}>!", str);
        return GatewayAuthenticationFailedException.newBuilder(message)
                .dittoHeaders(dittoHeaders)
                .build();
    }

    /**
     * Converts the given throwable via {@code toDittoRuntimeException} and wraps it in a failed result.
     *
     * @param th the cause of the failed authentication.
     * @param dittoHeaders the headers attached to the result.
     * @return the failed authentication result.
     */
    @Override
    protected AuthenticationResult toFailedAuthenticationResult(Throwable th, DittoHeaders dittoHeaders) {
        final DittoRuntimeException cause = toDittoRuntimeException(th, dittoHeaders);
        return DefaultAuthenticationResult.failed(dittoHeaders, cause);
    }

    /**
     * Returns the context type of this provider; the request itself is not consulted.
     *
     * @param requestContext ignored.
     * @return always {@link DittoAuthorizationContextType#PRE_AUTHENTICATED_HTTP}.
     */
    @Override
    public AuthorizationContextType getType(RequestContext requestContext) {
        return DittoAuthorizationContextType.PRE_AUTHENTICATED_HTTP;
    }
}
