package org.eclipse.ditto.services.gateway.security.authentication.jwt;

import akka.http.javadsl.server.RequestContext;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import javax.annotation.concurrent.NotThreadSafe;
import org.eclipse.ditto.model.base.auth.AuthorizationContextType;
import org.eclipse.ditto.model.base.auth.DittoAuthorizationContextType;
import org.eclipse.ditto.model.base.common.ConditionChecker;
import org.eclipse.ditto.model.base.exceptions.DittoRuntimeException;
import org.eclipse.ditto.model.base.headers.DittoHeaders;
import org.eclipse.ditto.model.jwt.ImmutableJsonWebToken;
import org.eclipse.ditto.model.jwt.JsonWebToken;
import org.eclipse.ditto.services.gateway.security.HttpHeader;
import org.eclipse.ditto.services.gateway.security.authentication.AuthenticationResult;
import org.eclipse.ditto.services.gateway.security.authentication.DefaultAuthenticationResult;
import org.eclipse.ditto.services.gateway.security.authentication.TimeMeasuringAuthenticationProvider;
import org.eclipse.ditto.services.gateway.security.utils.HttpUtils;
import org.eclipse.ditto.services.utils.akka.logging.DittoLogger;
import org.eclipse.ditto.services.utils.akka.logging.DittoLoggerFactory;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayAuthenticationFailedException;

/**
 * Authentication provider for HTTP requests that present a JSON Web Token in the
 * {@code Authorization} header.
 *
 * <p>The flow implemented here is: read the header, parse it into a {@link JsonWebToken}, hand
 * the token to the {@link JwtValidator}, and only when the validator reports the token as valid
 * ask the {@link JwtAuthenticationResultProvider} for the resulting {@link AuthenticationResult}.
 * Every other outcome is turned into a failed result carrying a
 * {@link GatewayAuthenticationFailedException}.
 *
 * <p>The log statements in this class consist of fixed messages plus, on failure, the causing
 * throwable; the raw header value is not logged by this class.
 */
@NotThreadSafe
public final class JwtAuthenticationProvider extends TimeMeasuringAuthenticationProvider<AuthenticationResult> {

    /** Authorization scheme prefix that makes this provider applicable to a request. */
    private static final String AUTHORIZATION_JWT = "Bearer";

    private static final DittoLogger LOGGER = DittoLoggerFactory.getLogger(JwtAuthenticationProvider.class);

    private final JwtAuthenticationResultProvider jwtAuthResultProvider;
    private final JwtValidator jwtValidator;

    private JwtAuthenticationProvider(JwtAuthenticationResultProvider jwtAuthenticationResultProvider, JwtValidator jwtValidator) {
        super(LOGGER);
        // Both collaborators are mandatory; checkNotNull rejects null arguments up front.
        this.jwtAuthResultProvider = ConditionChecker.checkNotNull(jwtAuthenticationResultProvider, "jwtAuthorizationContextProvider");
        this.jwtValidator = ConditionChecker.checkNotNull(jwtValidator, "jwtValidator");
    }

    /**
     * Creates a new provider.
     *
     * @param jwtAuthenticationResultProvider builds the authentication result for a validated token.
     * @param jwtValidator validates the token before any authentication result is built.
     * @return the new instance.
     */
    public static JwtAuthenticationProvider newInstance(JwtAuthenticationResultProvider jwtAuthenticationResultProvider, JwtValidator jwtValidator) {
        return new JwtAuthenticationProvider(jwtAuthenticationResultProvider, jwtValidator);
    }

    /**
     * Tells whether this provider should handle the request (declared by {@code AuthenticationProvider}).
     *
     * <p>The decision is delegated to {@code HttpUtils.containsAuthorizationForPrefix} with the
     * {@code "Bearer"} prefix. This says nothing about the token being well-formed or valid.
     */
    @Override
    public boolean isApplicable(RequestContext requestContext) {
        return HttpUtils.containsAuthorizationForPrefix(requestContext, AUTHORIZATION_JWT);
    }

    /**
     * Authenticates the request by its JWT (declared by {@code TimeMeasuringAuthenticationProvider}).
     *
     * @return a failed result when no {@code Authorization} header is present or when validation
     * fails; otherwise whatever {@code waitForResult} yields for the validation future.
     */
    @Override
    protected AuthenticationResult tryToAuthenticate(RequestContext requestContext, DittoHeaders dittoHeaders) {
        final Optional<JsonWebToken> jwtOptional = extractJwtFromRequest(requestContext);
        if (jwtOptional.isEmpty()) {
            LOGGER.withCorrelationId(dittoHeaders).debug("JWT is missing.");
            return DefaultAuthenticationResult.failed(dittoHeaders, buildMissingJwtException(dittoHeaders));
        }

        // Any exceptional completion (invalid token, provider failure) is mapped to a failed
        // result instead of surfacing as an exception from the future.
        final CompletableFuture<AuthenticationResult> pendingResult =
                getAuthenticationResult(jwtOptional.get(), dittoHeaders)
                        .exceptionally(failure -> toFailedAuthenticationResult(failure, dittoHeaders));

        // waitForResult is inherited; presumably it blocks until the future completes — confirm
        // its timeout behaviour in the base class.
        return waitForResult(pendingResult, dittoHeaders);
    }

    /**
     * Reads the {@code Authorization} header and parses its value into a token.
     *
     * <p>NOTE(review): no scheme check happens here; the method parses whatever header value is
     * present and so relies on {@link #isApplicable(RequestContext)} having been consulted first.
     * If {@code ImmutableJsonWebToken.fromAuthorization} throws on malformed input, that exception
     * leaves {@code tryToAuthenticate} directly — confirm the base class converts it into a
     * failed result.
     */
    private static Optional<JsonWebToken> extractJwtFromRequest(RequestContext requestContext) {
        final String authorizationHeaderName = HttpHeader.AUTHORIZATION.toString();
        return HttpUtils.getRequestHeader(requestContext, authorizationHeaderName)
                .map(ImmutableJsonWebToken::fromAuthorization);
    }

    /** Builds the exception reported when the request carries no token at all. */
    private static DittoRuntimeException buildMissingJwtException(DittoHeaders dittoHeaders) {
        return GatewayAuthenticationFailedException.newBuilder("The JWT was missing.")
                .description("Please provide a valid JWT in the authorization header prefixed with 'Bearer '")
                .dittoHeaders(dittoHeaders)
                .build();
    }

    /**
     * Validates the token and, only if it is valid, derives the authentication result.
     *
     * @return a future that completes with the authentication result, or completes exceptionally
     * with the exception built by {@code buildJwtUnauthorizedException} when the validator
     * rejects the token.
     */
    private CompletableFuture<AuthenticationResult> getAuthenticationResult(JsonWebToken jsonWebToken, DittoHeaders dittoHeaders) {
        return this.jwtValidator.validate(jsonWebToken).thenApply(validationResult -> {
            if (!validationResult.isValid()) {
                final Throwable invalidityReason = validationResult.getReasonForInvalidity();
                LOGGER.withCorrelationId(dittoHeaders).debug("The JWT is invalid.", invalidityReason);
                throw buildJwtUnauthorizedException(dittoHeaders, invalidityReason);
            }

            // Reached only for a token the validator accepted. The success line is written after
            // the result provider returned without throwing.
            final AuthenticationResult authenticationResult = tryToGetAuthenticationResult(jsonWebToken, dittoHeaders);
            LOGGER.withCorrelationId(dittoHeaders).info("Completed JWT authentication successfully.");
            return authenticationResult;
        });
    }

    /**
     * Builds the exception reported when a token was present but could not be accepted.
     *
     * <p>NOTE(review): the cause's message is copied verbatim into the description. If the
     * description is rendered in the HTTP response, messages of arbitrary exceptions caught in
     * {@code tryToGetAuthenticationResult} would reach an unauthenticated caller — confirm that
     * those messages are safe to disclose.
     */
    private static DittoRuntimeException buildJwtUnauthorizedException(DittoHeaders dittoHeaders, Throwable th) {
        return GatewayAuthenticationFailedException.newBuilder("The JWT could not be verified.")
                .description(th.getMessage())
                .dittoHeaders(dittoHeaders)
                .cause(th)
                .build();
    }

    /**
     * Asks the result provider for the authentication result of an already validated token.
     * Any exception it raises is reported as an authentication failure, so an error in this step
     * never results in a successful authentication.
     */
    private AuthenticationResult tryToGetAuthenticationResult(JsonWebToken jsonWebToken, DittoHeaders dittoHeaders) {
        try {
            return this.jwtAuthResultProvider.getAuthenticationResult(jsonWebToken, dittoHeaders);
        } catch (Exception providerFailure) {
            throw buildJwtUnauthorizedException(dittoHeaders, providerFailure);
        }
    }

    /**
     * Converts a failure into a failed authentication result (declared by
     * {@code TimeMeasuringAuthenticationProvider}). The throwable is logged at debug level and
     * translated by the inherited {@code toDittoRuntimeException}.
     */
    @Override
    protected AuthenticationResult toFailedAuthenticationResult(Throwable th, DittoHeaders dittoHeaders) {
        LOGGER.withCorrelationId(dittoHeaders).debug("JWT Authentication failed.", th);
        final DittoRuntimeException reasonOfFailure = toDittoRuntimeException(th, dittoHeaders);
        return DefaultAuthenticationResult.failed(dittoHeaders, reasonOfFailure);
    }

    /**
     * Returns the authorization context type of this provider (declared by
     * {@code TimeMeasuringAuthenticationProvider}); always {@code JWT}, independent of the request.
     */
    @Override
    public AuthorizationContextType getType(RequestContext requestContext) {
        return DittoAuthorizationContextType.JWT;
    }
}
