package org.eclipse.hono.adapter.mqtt;

import io.vertx.core.Future;
import io.vertx.core.Promise;
import io.vertx.core.json.JsonObject;
import io.vertx.mqtt.MqttAuth;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.eclipse.hono.adapter.auth.device.DeviceCredentialsAuthProvider;
import org.eclipse.hono.adapter.auth.device.ExecutionContextAuthHandler;
import org.eclipse.hono.adapter.auth.device.PreCredentialsValidationHandler;
import org.eclipse.hono.client.ClientErrorException;
import org.eclipse.hono.service.auth.ExternalJwtAuthTokenValidator;

/* loaded from: input_file:org/eclipse/hono/adapter/mqtt/JwtAuthHandler.class */
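/**
 * Extracts device credentials from an MQTT CONNECT packet whose password field
 * carries a JSON Web Token.
 * <p>
 * The tenant identifier and authentication identifier are taken from the MQTT
 * client identifier when it has at least three '/'-separated segments, and
 * otherwise from the {@code iss} and {@code sub} claims of the token. In the
 * latter case the token must also carry {@value #REQUIRED_AUD} in its
 * {@code aud} claim.
 * <p>
 * NOTE(review): this class only selects the identity to look up and forwards
 * the raw token. Whether {@code ExternalJwtAuthTokenValidator.getJwtClaims}
 * verifies the signature is not visible in this file; presumably the signature
 * is checked later by the configured auth provider against the key registered
 * for the device. Confirm before treating the extracted identifiers as
 * authenticated.
 */
public class JwtAuthHandler extends ExecutionContextAuthHandler<MqttConnectContext> {
    static final String REQUIRED_AUD = "hono-adapter";
    private static final String FIELD_TENANT_ID = "tenant-id";
    private static final String FIELD_AUTH_ID = "auth-id";
    private static final String FIELD_AUDIENCE = "aud";
    private final ExternalJwtAuthTokenValidator authTokenValidator;

    /**
     * Creates a handler that uses a default {@link ExternalJwtAuthTokenValidator}
     * and no pre-credentials validation handler.
     *
     * @param deviceCredentialsAuthProvider the provider passed on to the superclass.
     */
    public JwtAuthHandler(DeviceCredentialsAuthProvider<?> deviceCredentialsAuthProvider) {
        this(deviceCredentialsAuthProvider, null, new ExternalJwtAuthTokenValidator());
    }

    /**
     * Creates a handler with an explicit validator.
     *
     * @param deviceCredentialsAuthProvider the provider passed on to the superclass.
     * @param preCredentialsValidationHandler the handler passed on to the superclass, may be {@code null}.
     * @param externalJwtAuthTokenValidator the validator used to read the claims of the token.
     */
    protected JwtAuthHandler(DeviceCredentialsAuthProvider<?> deviceCredentialsAuthProvider, PreCredentialsValidationHandler<MqttConnectContext> preCredentialsValidationHandler, ExternalJwtAuthTokenValidator externalJwtAuthTokenValidator) {
        super(deviceCredentialsAuthProvider, preCredentialsValidationHandler);
        this.authTokenValidator = externalJwtAuthTokenValidator;
    }

    /**
     * Builds the credentials object for the device that sent the CONNECT packet.
     * <p>
     * The returned object contains the properties {@code tenant-id},
     * {@code auth-id} and {@code password}. The password is the raw token as sent
     * by the device, i.e. a bearer credential, so the object should not be logged.
     *
     * @param mqttConnectContext the context of the CONNECT packet.
     * @return a future holding the credentials, or failed with a
     *         {@link ClientErrorException} (401) if the password does not look like
     *         a JWT, if no tenant and authentication identifier can be determined,
     *         or if the identifiers come from the claims and the audience does not match.
     * @throws NullPointerException if the context is {@code null}.
     * @throws IllegalArgumentException if the context has no device endpoint.
     */
    public Future<JsonObject> parseCredentials(MqttConnectContext mqttConnectContext) {
        Objects.requireNonNull(mqttConnectContext);
        if (mqttConnectContext.deviceEndpoint() == null) {
            throw new IllegalArgumentException("no device endpoint");
        }
        final MqttAuth auth = mqttConnectContext.deviceEndpoint().auth();
        if (auth == null || !passwordMatchesJwtSyntax(auth.getPassword())) {
            return Future.failedFuture(new ClientErrorException(401, "device credentials in CONNECT packet are empty or malformed"));
        }
        final String token = auth.getPassword();

        Map<String, String> identifiers = getTenantIdAndAuthIdFromClientIdentifier(mqttConnectContext.deviceEndpoint().clientIdentifier());
        if (identifiers == null) {
            // The client identifier carries no identity: fall back to the claims of the token.
            identifiers = getTenantIdAuthIdAndAudienceFromJwtClaims(token);
            // A token without 'iss' or 'sub' must not yield credentials with a null
            // tenant or authentication identifier; reject it like unreadable claims.
            if (identifiers == null || identifiers.get(FIELD_TENANT_ID) == null || identifiers.get(FIELD_AUTH_ID) == null) {
                return Future.failedFuture(new ClientErrorException(401, "Could not get tenant identifier and authentication identifier. They must be either provided in the client identifier in CONNECT packet or in the 'iss' and 'sub'claims of the JWT."));
            }
            // NOTE(review): the comparison ignores case, although JWT string claims are
            // case-sensitive per RFC 7519. Kept as is to avoid rejecting existing devices.
            if (!REQUIRED_AUD.equalsIgnoreCase(identifiers.get(FIELD_AUDIENCE))) {
                return Future.failedFuture(new ClientErrorException(401, String.format("JWT did not specify the correct audience (aud claim). In case the tenant identifier and authentication identifier are provided inside the claims of the JWT, it also has to provide \"%s\" within the aud claim.", REQUIRED_AUD)));
            }
        }
        return Future.succeededFuture(new JsonObject()
                .put(FIELD_TENANT_ID, identifiers.get(FIELD_TENANT_ID))
                .put(FIELD_AUTH_ID, identifiers.get(FIELD_AUTH_ID))
                .put("password", token));
    }

    /**
     * Checks that the password has the outer shape of a JWT: non-blank and made of
     * exactly three '.'-separated parts. This is a syntactic pre-check only; it
     * does not decode or verify anything.
     */
    private boolean passwordMatchesJwtSyntax(String str) {
        return str != null && !str.trim().isEmpty() && str.split("\\.").length == 3;
    }

    /**
     * Reads the tenant and authentication identifier from the client identifier.
     * <p>
     * The third-from-last segment is used as tenant identifier and the last
     * segment as authentication identifier, e.g. (constructed example)
     * {@code x/TENANT/y/AUTH_ID}. The segments are not validated any further here.
     *
     * @return the identifiers, or {@code null} if the client identifier is
     *         {@code null} or has fewer than three '/'-separated segments.
     */
    private Map<String, String> getTenantIdAndAuthIdFromClientIdentifier(String str) {
        if (str == null) {
            // Treat a missing client identifier like one without identity segments
            // instead of failing with a NullPointerException.
            return null;
        }
        final String[] segments = str.split("/");
        final int length = segments.length;
        if (length < 3) {
            return null;
        }
        final Map<String, String> result = new HashMap<>();
        result.put(FIELD_TENANT_ID, segments[length - 3]);
        result.put(FIELD_AUTH_ID, segments[length - 1]);
        return result;
    }

    /**
     * Reads {@code iss}, {@code sub} and {@code aud} from the claims of the token.
     * Individual values are {@code null} when the corresponding claim is absent.
     *
     * @return the claim values, or {@code null} if reading the claims throws a
     *         {@link RuntimeException}, e.g. because a claim is not a JSON string.
     */
    private Map<String, String> getTenantIdAuthIdAndAudienceFromJwtClaims(String str) {
        try {
            final JsonObject jwtClaims = this.authTokenValidator.getJwtClaims(str);
            final Map<String, String> result = new HashMap<>();
            result.put(FIELD_TENANT_ID, jwtClaims.getString("iss"));
            result.put(FIELD_AUTH_ID, jwtClaims.getString("sub"));
            result.put(FIELD_AUDIENCE, jwtClaims.getString("aud"));
            return result;
        } catch (RuntimeException e) {
            // Unreadable claims are reported to the device as a 401 by the caller.
            return null;
        }
    }
}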
