package io.camunda.zeebe.shared.security;

import io.camunda.identity.sdk.Identity;
import io.camunda.zeebe.gateway.impl.configuration.MultiTenancyCfg;
import java.util.Collections;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import reactor.core.publisher.Mono;

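/**
 * Reactive authentication manager that exchanges a {@link PreAuthToken} for an
 * {@link IdentityAuthentication}: the raw token is verified through the Identity SDK and the
 * tenants the token is authorized for are attached to the result.
 *
 * <p>Failures are thrown synchronously from {@link #authenticate(Authentication)} rather than
 * emitted as an error signal on the returned {@link Mono}.
 */
@Component
/* loaded from: input_file:io/camunda/zeebe/shared/security/IdentityAuthenticationManager.class */
public final class IdentityAuthenticationManager implements ReactiveAuthenticationManager {
    private final Identity identity;
    private final MultiTenancyCfg multiTenancy;

    /**
     * Creates the manager.
     *
     * @param identity Identity SDK client used to verify tokens and to look up tenants
     * @param multiTenancyCfg gateway multi-tenancy settings; only {@code isEnabled()} is read here
     */
    @Autowired
    public IdentityAuthenticationManager(Identity identity, MultiTenancyCfg multiTenancyCfg) {
        this.identity = identity;
        this.multiTenancy = multiTenancyCfg;
    }

    /**
     * Verifies the token carried by a {@link PreAuthToken} and resolves its tenants.
     *
     * <p>Any other {@link Authentication} implementation is returned unchanged and unverified.
     * NOTE(review): this method does not inspect such objects at all, so whatever sits upstream
     * must guarantee that only {@link PreAuthToken} instances or already-trusted authentications
     * reach it - confirm against the filter chain configuration.
     *
     * @param authentication the authentication request
     * @return a {@link Mono} holding either the untouched input or a new
     *     {@link IdentityAuthentication} built from the verified token and its tenant ids
     * @throws BadCredentialsException if token verification (or any other step except the
     *     tenant lookup) fails; the original exception is kept as the cause
     * @throws InternalAuthenticationServiceException if Identity could not provide the
     *     authorized tenants for an already verified token
     */
    public Mono<Authentication> authenticate(Authentication authentication) {
        if (!(authentication instanceof PreAuthToken preAuthToken)) {
            return Mono.just(authentication);
        }
        String rawToken = preAuthToken.token();
        try {
            // Argument evaluation order matters: the token is verified first, and tenants are
            // only requested from Identity once verification has succeeded.
            return Mono.just(
                    new IdentityAuthentication(
                            this.identity.authentication().verifyToken(rawToken),
                            getTenants(rawToken)));
        } catch (InternalAuthenticationServiceException e) {
            // A failed tenant lookup is a backend problem, not a rejected credential. Letting it
            // through unchanged keeps the two cases distinguishable for failure handlers and
            // for monitoring, instead of relabelling an Identity outage as bad credentials.
            throw e;
        } catch (Exception e) {
            // NOTE(review): the verifier's message is copied into the exception as-is; confirm
            // that the failure handler does not echo it back to unauthenticated clients.
            throw new BadCredentialsException(e.getMessage(), e);
        }
    }

    /**
     * Returns the tenant ids the given token is authorized for.
     *
     * @param token the raw token, expected to have been verified by the caller
     * @return the single entry {@code "<default>"} when multi-tenancy is disabled, otherwise
     *     the tenant ids reported by Identity for the token
     * @throws InternalAuthenticationServiceException if the Identity lookup throws a
     *     {@link RuntimeException}; the message is fixed and the cause is preserved
     */
    private List<String> getTenants(String token) {
        if (!this.multiTenancy.isEnabled()) {
            return Collections.singletonList("<default>");
        }
        try {
            return this.identity.tenants().forToken(token).stream()
                    .map(tenant -> tenant.getTenantId())
                    .toList();
        } catch (RuntimeException e) {
            throw new InternalAuthenticationServiceException("Expected Identity to provide authorized tenants, see cause for details", e);
        }
    }
}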
