package org.eclipse.ditto.services.gateway.endpoints.directives.auth.jwt;

import akka.http.javadsl.server.Directives;
import akka.http.javadsl.server.RequestContext;
import akka.http.javadsl.server.Route;
import akka.http.javadsl.server.directives.RouteAdapter;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.impl.DefaultJwtParser;
import java.security.PublicKey;
import java.util.Locale;
import java.util.concurrent.CompletionException;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import org.eclipse.ditto.model.base.auth.AuthorizationContext;
import org.eclipse.ditto.model.base.auth.AuthorizationModelFactory;
import org.eclipse.ditto.model.base.common.ConditionChecker;
import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
import org.eclipse.ditto.model.base.headers.DittoHeaders;
import org.eclipse.ditto.services.gateway.endpoints.directives.auth.AuthenticationProvider;
import org.eclipse.ditto.services.gateway.endpoints.utils.DirectivesLoggingUtils;
import org.eclipse.ditto.services.gateway.endpoints.utils.HttpUtils;
import org.eclipse.ditto.services.gateway.security.HttpHeader;
import org.eclipse.ditto.services.gateway.security.jwt.ImmutableJsonWebToken;
import org.eclipse.ditto.services.gateway.security.jwt.JsonWebToken;
import org.eclipse.ditto.services.utils.metrics.instruments.timer.StartedTimer;
import org.eclipse.ditto.services.utils.tracing.TraceUtils;
import org.eclipse.ditto.services.utils.tracing.TracingTags;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayAuthenticationFailedException;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayAuthenticationProviderUnavailableException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/ditto/services/gateway/endpoints/directives/auth/jwt/JwtAuthenticationDirective.class */
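/**
 * Authenticates HTTP requests that carry a {@code Bearer} JSON Web Token in the {@code Authorization} header.
 * <p>
 * Flow (see {@link #authenticate}): the header value is parsed into a {@link JsonWebToken}; the issuer and key id
 * carried by that <em>not yet verified</em> token select a {@link PublicKey} via the {@link PublicKeyProvider};
 * the token's signature and expiry are then checked with jjwt; finally the {@link AuthorizationSubjectsProvider}
 * derives the {@link AuthorizationContext} handed to the inner route.
 * <p>
 * Failure classification: everything that is a property of the presented token (missing, unparsable, unsigned,
 * bad signature, expired, no key known for its issuer/kid) is answered with a
 * {@link GatewayAuthenticationFailedException}; any other failure of the asynchronous chain (key provider
 * errors, unexpected runtime errors) is answered with a {@link GatewayAuthenticationProviderUnavailableException}
 * and logged at WARN.
 * <p>
 * NOTE(review): because issuer and kid are read from the unverified token, the trust boundary is the
 * {@code PublicKeyProvider} — it must only return keys for configured, trusted issuers and an empty
 * {@code Optional} otherwise. That contract is not visible in this file; confirm it there.
 */
public final class JwtAuthenticationDirective implements AuthenticationProvider {

    private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationDirective.class);

    /** Authorization scheme prefix this provider handles. */
    private static final String AUTHORIZATION_JWT = "Bearer";
    /** Name used for the auth-filter trace timer. */
    private static final String AUTHENTICATION_TYPE = "JWT";
    private static final String TRACE_FILTER_AUTH_JWT = "filter_auth_jwt";

    private final PublicKeyProvider publicKeyProvider;
    private final AuthorizationSubjectsProvider authorizationSubjectsProvider;

    /**
     * Creates the directive.
     *
     * @param publicKeyProvider resolves the verification key for an (issuer, key id) pair.
     * @param authorizationSubjectsProvider maps a verified token to authorization subjects.
     * @throws NullPointerException if either argument is {@code null}.
     */
    public JwtAuthenticationDirective(final PublicKeyProvider publicKeyProvider,
            final AuthorizationSubjectsProvider authorizationSubjectsProvider) {
        this.publicKeyProvider = ConditionChecker.checkNotNull(publicKeyProvider);
        this.authorizationSubjectsProvider = ConditionChecker.checkNotNull(authorizationSubjectsProvider);
    }

    /**
     * @return {@code true} if the request carries an {@code Authorization} header starting with {@code Bearer}.
     */
    @Override
    public boolean isApplicable(final RequestContext requestContext) {
        return HttpUtils.containsAuthorizationForPrefix(requestContext, AUTHORIZATION_JWT);
    }

    /**
     * Route used when no credentials for this provider are present: fails with "The JWT was missing.".
     *
     * @param correlationId correlation id propagated into the error's Ditto headers.
     */
    @Override
    public Route unauthorized(final String correlationId) {
        throw buildMissingJwtException(correlationId);
    }

    /**
     * Builds the route that verifies the bearer token and, on success, delegates to {@code inner} with the
     * resulting {@link AuthorizationContext}.
     * <p>
     * A missing/unparsable header fails synchronously with the "missing JWT" error before any timer is started.
     * Key lookup, signature verification and subject resolution run inside the {@link CompletionStage} returned
     * by the key provider; their outcome is recorded on the auth-filter timer and any failure is re-classified by
     * {@link #mapAuthenticationFailure}.
     *
     * @param correlationId correlation id for logging and error responses.
     * @param inner the route to run with the authenticated context.
     */
    @Override
    public Route authenticate(final String correlationId, final Function<AuthorizationContext, Route> inner) {
        return Directives.extractRequestContext(requestContext ->
                DirectivesLoggingUtils.enhanceLogWithCorrelationId(correlationId, () -> {
                    final JsonWebToken jwt = extractJwt(requestContext, correlationId);
                    final StartedTimer timer =
                            TraceUtils.newAuthFilterTimer(AUTHENTICATION_TYPE, requestContext.getRequest()).build();
                    return Directives.onSuccess(() -> verifyAndBuildContext(jwt, timer, correlationId), inner);
                }));
    }

    /**
     * Reads the {@code Authorization} header and parses it into a {@link JsonWebToken}.
     * {@code Locale.ROOT} keeps the header-name lowercasing locale-independent (a Turkish default locale
     * would otherwise turn the {@code I} in the constant into a dotless i and never find the header).
     *
     * @throws DittoRuntimeException ("The JWT was missing.") if the header is absent.
     */
    private static JsonWebToken extractJwt(final RequestContext requestContext, final String correlationId) {
        final String headerName = HttpHeader.AUTHORIZATION.toString().toLowerCase(Locale.ROOT);
        return HttpUtils.getRequestHeader(requestContext, headerName)
                .map(ImmutableJsonWebToken::fromAuthorizationString)
                .orElseThrow(() -> buildMissingJwtException(correlationId));
    }

    /**
     * Resolves the key for the token's issuer/kid, verifies the token and derives the authorization context.
     * An issuer/kid for which the provider has no key is treated as a verification failure (401), not as a
     * provider outage. The timer is only stopped here on success; all failure paths stop it in
     * {@link #mapAuthenticationFailure}.
     */
    private CompletionStage<AuthorizationContext> verifyAndBuildContext(final JsonWebToken jwt,
            final StartedTimer timer, final String correlationId) {
        return publicKeyProvider.getPublicKey(jwt.getIssuer(), jwt.getKeyId())
                .thenApply(optionalKey -> DirectivesLoggingUtils.enhanceLogWithCorrelationId(correlationId, () -> {
                    final PublicKey publicKey =
                            optionalKey.orElseThrow(() -> buildJwtUnauthorizedException(correlationId));
                    validateToken(jwt, publicKey, correlationId);
                    final AuthorizationContext authContext = AuthorizationModelFactory.newAuthContext(
                            authorizationSubjectsProvider.getAuthorizationSubjects(jwt));
                    timer.tag(TracingTags.AUTH_SUCCESS, true).stop();
                    return authContext;
                }))
                .exceptionally(throwable -> {
                    throw mapAuthenticationFailure(throwable, timer, correlationId);
                });
    }

    /**
     * Classifies a failure of the asynchronous verification chain, records it on the timer and returns the
     * exception the route should fail with.
     * <p>
     * Only {@link GatewayAuthenticationFailedException} is a client-side failure (401, logged at DEBUG);
     * anything else is unexpected, tagged {@code AUTH_ERROR}, logged at WARN with its stack trace and surfaced
     * as "authentication provider unavailable".
     */
    private static DittoRuntimeException mapAuthenticationFailure(final Throwable throwable,
            final StartedTimer timer, final String correlationId) {
        // Exceptions thrown inside thenApply arrive wrapped in a CompletionException; unwrap one level.
        final Throwable cause = throwable instanceof CompletionException ? throwable.getCause() : throwable;
        if (cause instanceof GatewayAuthenticationFailedException) {
            timer.tag(TracingTags.AUTH_SUCCESS, false).stop();
            final DittoRuntimeException authFailure = (DittoRuntimeException) cause;
            LOGGER.debug("JWT authentication failed.", authFailure);
            return authFailure;
        }
        timer.tag(TracingTags.AUTH_SUCCESS, false).tag(TracingTags.AUTH_ERROR, true).stop();
        LOGGER.warn("Unexpected error during JWT authentication.", cause);
        return buildAuthenticationProviderUnavailableException(correlationId, cause);
    }

    /**
     * Error for a request without a usable bearer token.
     * (public rather than private only because the decompiler widened the accessor used from lambdas)
     */
    public static DittoRuntimeException buildMissingJwtException(final String correlationId) {
        return GatewayAuthenticationFailedException.newBuilder("The JWT was missing.")
                .dittoHeaders(DittoHeaders.newBuilder().correlationId(correlationId).build())
                .build();
    }

    /**
     * Verifies that {@code jsonWebToken} is a signed JWS whose signature validates against {@code publicKey}
     * and whose time-based claims jjwt checks (notably {@code exp}) are currently satisfied.
     * <p>
     * {@code parseClaimsJws} is used deliberately instead of the more lenient {@code parse}: jjwt's
     * {@code parse} returns a plain, unsigned JWT for a two-segment token without consulting the signing key
     * at all, whereas {@code parseClaimsJws} throws for anything that is not a signed JWS with JSON claims.
     * Whether {@link ImmutableJsonWebToken#fromAuthorizationString} already rejects unsigned tokens is not
     * visible here, so this method fails closed on its own.
     * <p>
     * The algorithm is taken from the token header by jjwt. A token that names an HMAC algorithm while we
     * hold a {@link PublicKey} (the classic key-confusion attempt) is rejected by jjwt with an
     * {@link IllegalArgumentException}, which is why that exception is mapped to an authentication failure.
     * <p>
     * Every {@link JwtException} subtype (expired, malformed, bad signature, premature {@code nbf},
     * unsupported, ...) is mapped to 401; previously only four subtypes were, and the rest escalated to
     * "provider unavailable" with a WARN and an {@code AUTH_ERROR} tag.
     * <p>
     * NOTE(review): jjwt exception messages can echo decoded header/claim fragments for malformed input (never
     * the signature or the raw token); keep that in mind for the INFO log line below.
     *
     * @param jsonWebToken the token to verify.
     * @param publicKey the key selected for the token's issuer and key id.
     * @param correlationId correlation id for the error response.
     * @throws DittoRuntimeException ("The JWT could not be verified") on any token-related failure.
     */
    private void validateToken(final JsonWebToken jsonWebToken, final PublicKey publicKey,
            final String correlationId) {
        try {
            new DefaultJwtParser().setSigningKey(publicKey).parseClaimsJws(jsonWebToken.getToken());
        } catch (final JwtException | IllegalArgumentException e) {
            LOGGER.info("Got Exception '{}' during parsing JWT: {}", e.getClass().getSimpleName(), e.getMessage(), e);
            throw buildJwtUnauthorizedException(correlationId);
        }
    }

    /**
     * Error for a token that is present but cannot be verified (unknown key, bad signature, expired, ...).
     * The message is intentionally generic so the client learns nothing about which check failed.
     * (public rather than private only because the decompiler widened the accessor used from lambdas)
     */
    public static DittoRuntimeException buildJwtUnauthorizedException(final String correlationId) {
        return GatewayAuthenticationFailedException.newBuilder("The JWT could not be verified")
                .description("Check if your token is not expired and set the token accordingly.")
                .dittoHeaders(DittoHeaders.newBuilder().correlationId(correlationId).build())
                .build();
    }

    /** Error for failures that are not the client's fault; carries the underlying cause. */
    private static DittoRuntimeException buildAuthenticationProviderUnavailableException(final String correlationId,
            final Throwable cause) {
        return GatewayAuthenticationProviderUnavailableException.newBuilder()
                .dittoHeaders(DittoHeaders.newBuilder().correlationId(correlationId).build())
                .cause(cause)
                .build();
    }
}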
