package org.eclipse.ditto.gateway.service.security.authentication.jwt;

import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import javax.annotation.concurrent.NotThreadSafe;
import org.apache.pekko.http.javadsl.server.RequestContext;
import org.eclipse.ditto.base.model.auth.AuthorizationContextType;
import org.eclipse.ditto.base.model.auth.DittoAuthorizationContextType;
import org.eclipse.ditto.base.model.common.ConditionChecker;
import org.eclipse.ditto.base.model.exceptions.DittoRuntimeException;
import org.eclipse.ditto.base.model.headers.DittoHeaders;
import org.eclipse.ditto.gateway.api.GatewayAuthenticationFailedException;
import org.eclipse.ditto.gateway.service.security.authentication.AuthenticationResult;
import org.eclipse.ditto.gateway.service.security.authentication.DefaultAuthenticationResult;
import org.eclipse.ditto.gateway.service.security.authentication.TimeMeasuringAuthenticationProvider;
import org.eclipse.ditto.internal.utils.pekko.logging.DittoLoggerFactory;
import org.eclipse.ditto.internal.utils.pekko.logging.ThreadSafeDittoLogger;
import org.eclipse.ditto.jwt.model.JsonWebToken;

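/**
 * Authentication provider that authenticates a request by the JSON Web Token (JWT) it carries.
 *
 * <p>The token is obtained through a {@link JwtExtractor}, checked by the {@link JwtValidator}, and
 * only when the validator reports it as valid is the {@link JwtAuthenticationResultProvider} asked to
 * derive the {@link AuthenticationResult}. Every failure path yields a failed result or a
 * {@link GatewayAuthenticationFailedException}; none of them falls through to a successful result.
 */
@NotThreadSafe
public final class JwtAuthenticationProvider extends TimeMeasuringAuthenticationProvider<AuthenticationResult> {

    private static final ThreadSafeDittoLogger LOGGER =
            DittoLoggerFactory.getThreadSafeLogger(JwtAuthenticationProvider.class);

    private final JwtAuthenticationResultProvider jwtAuthResultProvider;
    private final JwtValidator jwtValidator;
    private final JwtExtractor jwtExtractor;

    private JwtAuthenticationProvider(final JwtAuthenticationResultProvider jwtAuthenticationResultProvider,
            final JwtValidator jwtValidator,
            final JwtExtractor jwtExtractor) {

        super(LOGGER);
        // The argument name reported on null now matches the parameter it refers to.
        this.jwtAuthResultProvider =
                ConditionChecker.checkNotNull(jwtAuthenticationResultProvider, "jwtAuthenticationResultProvider");
        this.jwtValidator = ConditionChecker.checkNotNull(jwtValidator, "jwtValidator");
        this.jwtExtractor = ConditionChecker.checkNotNull(jwtExtractor, "jwtExtractor");
    }

    /**
     * Creates a provider that reads the token with {@link DefaultJwtExtractor}.
     *
     * @param jwtAuthenticationResultProvider builds the authentication result for a validated token.
     * @param jwtValidator validates the extracted token.
     * @return the new provider.
     */
    public static JwtAuthenticationProvider newInstance(
            final JwtAuthenticationResultProvider jwtAuthenticationResultProvider,
            final JwtValidator jwtValidator) {

        return new JwtAuthenticationProvider(jwtAuthenticationResultProvider, jwtValidator,
                DefaultJwtExtractor.getInstance());
    }

    /**
     * Creates a provider that reads the token with {@link WebSocketJwtExtractor}.
     *
     * @param jwtAuthenticationResultProvider builds the authentication result for a validated token.
     * @param jwtValidator validates the extracted token.
     * @return the new provider.
     */
    public static JwtAuthenticationProvider newWsInstance(
            final JwtAuthenticationResultProvider jwtAuthenticationResultProvider,
            final JwtValidator jwtValidator) {

        return new JwtAuthenticationProvider(jwtAuthenticationResultProvider, jwtValidator,
                WebSocketJwtExtractor.getInstance());
    }

    /**
     * Delegates the applicability decision to the configured {@link JwtExtractor}.
     *
     * @param requestContext the request to inspect.
     * @return whatever the extractor reports for this request.
     */
    @Override
    public boolean isApplicable(final RequestContext requestContext) {
        return jwtExtractor.isApplicable(requestContext);
    }

    /**
     * Extracts the token from the request and authenticates it.
     *
     * @param requestContext the request to authenticate.
     * @param dittoHeaders headers of the request; used for log correlation and attached to failures.
     * @return a future holding the authentication result; a missing token completes it immediately with
     * a failed result carrying the extractor's "missing JWT" exception.
     */
    @Override
    protected CompletableFuture<AuthenticationResult> tryToAuthenticate(final RequestContext requestContext,
            final DittoHeaders dittoHeaders) {

        final Optional<JsonWebToken> extractedJwt = jwtExtractor.apply(requestContext, dittoHeaders);
        if (extractedJwt.isEmpty()) {
            LOGGER.withCorrelationId(dittoHeaders).debug("JWT is missing.");
            return CompletableFuture.completedFuture(
                    DefaultAuthenticationResult.failed(dittoHeaders,
                            jwtExtractor.buildMissingJwtException(dittoHeaders)));
        }

        // Any exceptional completion is mapped to a failed result before the timeout guard is applied,
        // so callers always receive an AuthenticationResult rather than a raw exception.
        return failOnTimeout(
                getAuthenticationResult(extractedJwt.get(), dittoHeaders)
                        .exceptionally(error -> toFailedAuthenticationResult(error, dittoHeaders)),
                dittoHeaders);
    }

    /**
     * Validates the token and, only if it is valid, derives the authentication result from it.
     *
     * <p>The success message is logged solely on the valid-token path. Logging it after the whole
     * composition (as before) also emitted "Completed JWT authentication successfully." at INFO level for
     * tokens the validator had just rejected, which makes authentication logs unreliable for detection
     * and incident review.
     */
    private CompletionStage<AuthenticationResult> getAuthenticationResult(final JsonWebToken jsonWebToken,
            final DittoHeaders dittoHeaders) {

        final ThreadSafeDittoLogger logger = LOGGER.withCorrelationId(dittoHeaders);
        return jwtValidator.validate(jsonWebToken).thenCompose(validationResult -> {
            if (!validationResult.isValid()) {
                final Throwable reasonForInvalidity = validationResult.getReasonForInvalidity();
                logger.debug("The JWT is invalid.", reasonForInvalidity);
                final AuthenticationResult failure = DefaultAuthenticationResult.failed(dittoHeaders,
                        buildJwtUnauthorizedException(dittoHeaders, reasonForInvalidity));
                return CompletableFuture.completedFuture(failure);
            }
            return tryToGetAuthenticationResult(jsonWebToken, dittoHeaders).thenApply(authenticationResult -> {
                logger.info("Completed JWT authentication successfully.");
                return authenticationResult;
            });
        });
    }

    /**
     * Wraps the reason a token was rejected into a {@link GatewayAuthenticationFailedException}.
     *
     * <p>NOTE(review): the cause's message is copied into the exception description; if that description
     * is returned to the client, confirm validator and result-provider messages expose no internal
     * details (key identifiers, issuer configuration, stack fragments).
     */
    private static DittoRuntimeException buildJwtUnauthorizedException(final DittoHeaders dittoHeaders,
            final Throwable th) {

        // Unwrap CompletionException only when it really carries a cause; otherwise keep the exception
        // itself so that getMessage() below cannot hit a null reference.
        final Throwable cause =
                th instanceof CompletionException && th.getCause() != null ? th.getCause() : th;

        return GatewayAuthenticationFailedException.newBuilder("The JWT could not be verified.")
                .description(cause.getMessage())
                .dittoHeaders(dittoHeaders)
                .cause(cause)
                .build();
    }

    /**
     * Asks the result provider for the authentication result of an already validated token and turns
     * any failure of that call into a {@link GatewayAuthenticationFailedException}.
     */
    private CompletionStage<AuthenticationResult> tryToGetAuthenticationResult(final JsonWebToken jsonWebToken,
            final DittoHeaders dittoHeaders) {

        // Both branches produce a nested stage which thenCompose(identity) flattens again; this keeps
        // the failure as an exceptional completion instead of converting it to a value.
        return jwtAuthResultProvider.getAuthenticationResult(jsonWebToken, dittoHeaders)
                .thenApply(authenticationResult -> CompletableFuture.completedStage(authenticationResult))
                .exceptionally(error -> CompletableFuture.<AuthenticationResult>failedStage(
                        buildJwtUnauthorizedException(dittoHeaders, error)))
                .thenCompose(Function.identity());
    }

    /**
     * Converts an error raised during authentication into a failed {@link AuthenticationResult}.
     *
     * @param th the error that occurred.
     * @param dittoHeaders headers of the request; used for log correlation and attached to the failure.
     * @return the failed authentication result.
     */
    @Override
    protected AuthenticationResult toFailedAuthenticationResult(final Throwable th,
            final DittoHeaders dittoHeaders) {

        LOGGER.withCorrelationId(dittoHeaders).debug("JWT Authentication failed.", th);
        return DefaultAuthenticationResult.failed(dittoHeaders, toDittoRuntimeException(th, dittoHeaders));
    }

    /**
     * @param requestContext the request; not consulted.
     * @return always {@link DittoAuthorizationContextType#JWT}.
     */
    @Override
    public AuthorizationContextType getType(final RequestContext requestContext) {
        return DittoAuthorizationContextType.JWT;
    }
}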
