package org.eclipse.ditto.services.gateway.security.authentication.jwt;

import akka.http.javadsl.server.RequestContext;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.function.Function;
import javax.annotation.concurrent.NotThreadSafe;
import org.eclipse.ditto.model.base.auth.AuthorizationContext;
import org.eclipse.ditto.model.base.common.ConditionChecker;
import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
import org.eclipse.ditto.model.base.headers.DittoHeaders;
import org.eclipse.ditto.model.jwt.ImmutableJsonWebToken;
import org.eclipse.ditto.model.jwt.JsonWebToken;
import org.eclipse.ditto.services.gateway.security.HttpHeader;
import org.eclipse.ditto.services.gateway.security.authentication.DefaultAuthenticationResult;
import org.eclipse.ditto.services.gateway.security.authentication.TimeMeasuringAuthenticationProvider;
import org.eclipse.ditto.services.gateway.security.utils.HttpUtils;
import org.eclipse.ditto.services.utils.akka.LogUtil;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayAuthenticationFailedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

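/**
 * Authentication provider that handles requests carrying a JSON Web Token in the HTTP
 * {@code Authorization} header.
 *
 * <p>Flow for one request: the header value is parsed into a {@link JsonWebToken}, the token is handed to the
 * {@link JwtValidator}, and only if the validator reports it as valid is the
 * {@link JwtAuthorizationContextProvider} asked for the {@link AuthorizationContext}. Every other outcome
 * (missing header, invalid token, exception while building the context, failed future) ends in a failed
 * {@link DefaultAuthenticationResult}; no path in this class produces a successful result without a positive
 * validation result.
 *
 * <p>This listing is decompiler output (JADX). Parameter names such as {@code charSequence} and {@code th} are
 * decompiler-assigned; {@code charSequence} is used throughout as the correlation ID of the request.
 */
@NotThreadSafe
/* loaded from: input_file:org/eclipse/ditto/services/gateway/security/authentication/jwt/JwtAuthenticationProvider.class */
public final class JwtAuthenticationProvider extends TimeMeasuringAuthenticationProvider<DefaultAuthenticationResult> {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationProvider.class);
    private static final String AUTHENTICATION_TYPE = "JWT";
    private static final String AUTHORIZATION_JWT = "Bearer";
    private final JwtAuthorizationContextProvider jwtAuthorizationContextProvider;
    private final JwtValidator jwtValidator;

    private JwtAuthenticationProvider(JwtAuthorizationContextProvider jwtAuthorizationContextProvider, JwtValidator jwtValidator) {
        this.jwtAuthorizationContextProvider = jwtAuthorizationContextProvider;
        this.jwtValidator = jwtValidator;
    }

    /**
     * Creates a new provider.
     *
     * @param jwtAuthorizationContextProvider builds the authorization context from an already validated JWT.
     * @param jwtValidator validates the JWT before any authorization context is derived from it.
     * @return the new instance.
     * @throws NullPointerException presumably, if any argument is {@code null} (the check is delegated to
     * {@code ConditionChecker.checkNotNull}, which is not visible here).
     */
    public static JwtAuthenticationProvider newInstance(JwtAuthorizationContextProvider jwtAuthorizationContextProvider, JwtValidator jwtValidator) {
        ConditionChecker.checkNotNull(jwtAuthorizationContextProvider, "jwtAuthorizationContextProvider");
        ConditionChecker.checkNotNull(jwtValidator, "jwtValidator");
        return new JwtAuthenticationProvider(jwtAuthorizationContextProvider, jwtValidator);
    }

    /**
     * Tells whether this provider should handle the request. The decision is delegated to
     * {@code HttpUtils.containsAuthorizationForPrefix} with the prefix {@code "Bearer"}; nothing about the
     * token itself is checked at this point.
     *
     * @param requestContext the context of the incoming request.
     * @return {@code true} if the helper finds an authorization with the {@code "Bearer"} prefix.
     */
    @Override // org.eclipse.ditto.services.gateway.security.authentication.AuthenticationProvider
    public boolean isApplicable(RequestContext requestContext) {
        return HttpUtils.containsAuthorizationForPrefix(requestContext, AUTHORIZATION_JWT);
    }

    /**
     * Authenticates the request with the JWT from its {@code Authorization} header.
     *
     * <p>JADX reports that this method was declared {@code protected} in the original class.
     *
     * @param requestContext the context of the incoming request.
     * @param charSequence the correlation ID of the request; attached to log output and to failure exceptions.
     * @return a successful result wrapping the authorization context, or a failed result.
     */
    @Override // org.eclipse.ditto.services.gateway.security.authentication.TimeMeasuringAuthenticationProvider
    public DefaultAuthenticationResult tryToAuthenticate(RequestContext requestContext, CharSequence charSequence) {
        // NOTE(review): header parsing runs synchronously, before the future below exists, so an exception
        // thrown while parsing a malformed header is not covered by exceptionally(). Presumably the caller in
        // the superclass turns it into a failed result - verify that it cannot surface as a server error.
        final Optional<JsonWebToken> jwtOptional = extractJwtFromRequest(requestContext);
        if (!jwtOptional.isPresent()) {
            LOGGER.debug("JWT is missing.");
            return DefaultAuthenticationResult.failed(buildMissingJwtException(charSequence));
        }

        // exceptionally() maps every failure of validation or context creation to a failed result, so the
        // pipeline fails closed. The decompiler had inserted a cast to Function<Throwable, ? extends U> here;
        // U is not declared anywhere, so the cast did not compile and the lambda is inferred without it.
        final CompletableFuture<DefaultAuthenticationResult> authenticationResultFuture =
                getAuthorizationContext(jwtOptional.get(), charSequence)
                        .thenApply(DefaultAuthenticationResult::successful)
                        .exceptionally(throwable -> toFailedAuthenticationResult(throwable, charSequence));

        return waitForResult(authenticationResultFuture, charSequence);
    }

    /**
     * Reads the {@code Authorization} header and parses its value into a {@link JsonWebToken}.
     *
     * @param requestContext the context of the incoming request.
     * @return the parsed token, or an empty Optional if the header lookup yields nothing.
     */
    private static Optional<JsonWebToken> extractJwtFromRequest(RequestContext requestContext) {
        // The token is only parsed here, not verified; it must not be trusted before jwtValidator accepts it.
        return HttpUtils.getRequestHeader(requestContext, HttpHeader.AUTHORIZATION.toString())
                .map(ImmutableJsonWebToken::fromAuthorization);
    }

    /**
     * Validates the token and, only if it is valid, derives the authorization context from it.
     *
     * @param jsonWebToken the token taken from the request.
     * @param correlationId the correlation ID of the request.
     * @return a future holding the authorization context; its stage throws the exception built by
     * {@link #buildJwtUnauthorizedException(CharSequence, Throwable)} if the token is invalid or the context
     * cannot be built.
     */
    private CompletableFuture<AuthorizationContext> getAuthorizationContext(JsonWebToken jsonWebToken, CharSequence correlationId) {
        return this.jwtValidator.validate(jsonWebToken).thenApply(validationResult -> {
            // The callback may run on another thread than the caller, hence the correlation ID is set here.
            LogUtil.enhanceLogWithCorrelationId(correlationId);
            if (!validationResult.isValid()) {
                final Throwable reasonForInvalidity = validationResult.getReasonForInvalidity();
                // Only the validation failure is logged, never the token itself.
                LOGGER.debug("The JWT is invalid.", reasonForInvalidity);
                throw buildJwtUnauthorizedException(correlationId, reasonForInvalidity);
            }
            final AuthorizationContext authorizationContext = tryToGetAuthorizationContext(jsonWebToken, correlationId);
            LOGGER.info("Completed JWT authentication successfully.");
            return authorizationContext;
        });
    }

    /**
     * Asks the context provider for the authorization context of a validated token.
     *
     * @param jsonWebToken the validated token.
     * @param correlationId the correlation ID of the request.
     * @return the authorization context.
     * @throws DittoRuntimeException if the provider throws any exception.
     */
    private AuthorizationContext tryToGetAuthorizationContext(JsonWebToken jsonWebToken, CharSequence correlationId) {
        try {
            return this.jwtAuthorizationContextProvider.getAuthorizationContext(jsonWebToken);
        } catch (Exception e) {
            // Deliberately broad: whatever goes wrong while building the context must end as a failed
            // authentication. The price is that the message of an unexpected exception also ends up in the
            // description built below.
            throw buildJwtUnauthorizedException(correlationId, e);
        }
    }

    /**
     * Converts a failure into a failed authentication result. The conversion of the throwable is done by
     * {@code toDittoRuntimeException}, which is not defined in this class.
     *
     * <p>JADX reports that this method was declared {@code protected} in the original class.
     *
     * @param th the failure.
     * @param charSequence the correlation ID of the request.
     * @return the failed result.
     */
    @Override // org.eclipse.ditto.services.gateway.security.authentication.TimeMeasuringAuthenticationProvider
    public DefaultAuthenticationResult toFailedAuthenticationResult(Throwable th, CharSequence charSequence) {
        LOGGER.debug("JWT Authentication failed.", th);
        return DefaultAuthenticationResult.failed(toDittoRuntimeException(th, charSequence));
    }

    /**
     * Returns the type of authentication this provider performs.
     *
     * @return the constant {@code "JWT"}.
     */
    @Override // org.eclipse.ditto.services.gateway.security.authentication.TimeMeasuringAuthenticationProvider
    public String getType() {
        return AUTHENTICATION_TYPE;
    }

    /**
     * Builds the exception reported when the request carries no JWT.
     *
     * @param correlationId the correlation ID of the request.
     * @return the exception, carrying a fixed message and description.
     */
    private static DittoRuntimeException buildMissingJwtException(CharSequence correlationId) {
        return GatewayAuthenticationFailedException.newBuilder("The JWT was missing.")
                .description("Please provide a valid JWT in the authorization header prefixed with 'Bearer '")
                .dittoHeaders(DittoHeaders.newBuilder().correlationId(correlationId).build())
                .build();
    }

    /**
     * Builds the exception reported when the JWT is invalid or no authorization context can be derived.
     *
     * @param correlationId the correlation ID of the request.
     * @param cause the reason the token was rejected.
     * @return the exception, with the cause's message as description.
     */
    private static DittoRuntimeException buildJwtUnauthorizedException(CharSequence correlationId, Throwable cause) {
        // NOTE(review): the description is the raw message of the cause. If the gateway renders the
        // description to the HTTP client, validator and provider internals reach an unauthenticated caller;
        // a fixed description with the detail kept in the log would avoid that. Confirm how the exception is
        // serialized before changing it, since clients may read the description.
        // NOTE(review): `cause2` looks like a decompiler-renamed builder method; confirm its real name before
        // compiling against the original library.
        return GatewayAuthenticationFailedException.newBuilder("The JWT could not be verified.")
                .description(cause.getMessage())
                .dittoHeaders(DittoHeaders.newBuilder().correlationId(correlationId).build())
                .cause2(cause)
                .build();
    }
}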
