package org.eclipse.ditto.services.gateway.endpoints.directives.auth;

import akka.http.javadsl.server.AuthorizationFailedRejection;
import akka.http.javadsl.server.Directives;
import akka.http.javadsl.server.Rejection;
import akka.http.javadsl.server.RequestContext;
import akka.http.javadsl.server.Route;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import org.eclipse.ditto.model.base.common.ConditionChecker;
import org.eclipse.ditto.model.base.headers.DittoHeaders;
import org.eclipse.ditto.services.gateway.security.authentication.AuthenticationResult;
import org.eclipse.ditto.services.gateway.security.authentication.jwt.JwtAuthenticationProvider;
import org.eclipse.ditto.services.gateway.util.config.security.DevOpsConfig;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayAuthenticationFailedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import scala.util.Try;

/* loaded from: input_file:org/eclipse/ditto/services/gateway/endpoints/directives/auth/DevOpsOAuth2AuthenticationDirective.class */
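/**
 * Authenticates DevOps and status requests with an OAuth2 (JWT) bearer token.
 * <p>
 * The request is first handed to the configured {@link JwtAuthenticationProvider}. When the provider reports
 * success, the authorization subject IDs of the resulting {@link AuthenticationResult} are compared against a
 * configured allow-list of expected subjects; the inner route is only invoked when at least one subject is
 * contained in that list. Every other outcome is rejected or turned into a failed route.
 * <p>
 * Instances hold only final references and can be shared between routes.
 */
public final class DevOpsOAuth2AuthenticationDirective implements DevopsAuthenticationDirective {

    private static final Logger LOGGER = LoggerFactory.getLogger(DevOpsOAuth2AuthenticationDirective.class);

    /** Realm name for the DevOps endpoints. */
    public static final String REALM_DEVOPS = "DITTO-DEVOPS";

    /** Realm name for the status endpoints. */
    public static final String REALM_STATUS = "DITTO-STATUS";

    private final JwtAuthenticationProvider jwtAuthenticationProvider;

    /** Allow-list of subject IDs; an authenticated token must carry at least one of them to pass. */
    private final Collection<String> expectedSubjects;

    /**
     * @param jwtAuthenticationProvider the provider that validates the bearer token.
     * @param expectedSubjects the allow-list of subject IDs.
     * @throws NullPointerException if any argument is {@code null}.
     */
    private DevOpsOAuth2AuthenticationDirective(final JwtAuthenticationProvider jwtAuthenticationProvider,
            final Collection<String> expectedSubjects) {
        this.jwtAuthenticationProvider =
                ConditionChecker.checkNotNull(jwtAuthenticationProvider, "jwtAuthenticationProvider");
        // Fail fast at construction instead of with an NPE on the first request.
        this.expectedSubjects = ConditionChecker.checkNotNull(expectedSubjects, "expectedSubjects");
    }

    /**
     * Creates a directive that accepts the OAuth2 subjects configured for the status endpoints.
     *
     * @param devOpsConfig the DevOps configuration providing the status subjects.
     * @param jwtAuthenticationProvider the provider that validates the bearer token.
     * @return the directive.
     * @throws NullPointerException if any argument is {@code null}.
     */
    public static DevOpsOAuth2AuthenticationDirective status(final DevOpsConfig devOpsConfig,
            final JwtAuthenticationProvider jwtAuthenticationProvider) {
        return new DevOpsOAuth2AuthenticationDirective(jwtAuthenticationProvider,
                devOpsConfig.getStatusOAuth2Subjects());
    }

    /**
     * Creates a directive that accepts the OAuth2 subjects configured for the DevOps endpoints.
     *
     * @param devOpsConfig the DevOps configuration providing the DevOps subjects.
     * @param jwtAuthenticationProvider the provider that validates the bearer token.
     * @return the directive.
     * @throws NullPointerException if any argument is {@code null}.
     */
    public static DevOpsOAuth2AuthenticationDirective devops(final DevOpsConfig devOpsConfig,
            final JwtAuthenticationProvider jwtAuthenticationProvider) {
        return new DevOpsOAuth2AuthenticationDirective(jwtAuthenticationProvider,
                devOpsConfig.getDevopsOAuth2Subjects());
    }

    /**
     * Wraps {@code inner} so that it is only reached after a successful token authentication and subject check.
     *
     * @param realm a label used only for logging here (presumably the realm, e.g. {@link #REALM_DEVOPS};
     * confirm against the interface).
     * @param inner the route to protect.
     * @return the protected route.
     */
    @Override // org.eclipse.ditto.services.gateway.endpoints.directives.auth.DevopsAuthenticationDirective
    public Route authenticateDevOps(final String realm, final Route inner) {
        LOGGER.debug("DevOps OAuth authentication is enabled for {}.", realm);
        return Directives.extractRequestContext(requestContext -> {
            // Only the presence of the header is logged: its value is a bearer token, i.e. a credential.
            final boolean authorizationHeaderPresent =
                    requestContext.getRequest().getHeader("authorization").isPresent();
            LOGGER.debug("Trying to use OAuth2 authentication, authorization header present: <{}>",
                    authorizationHeaderPresent);
            return Directives.onComplete(
                    jwtAuthenticationProvider.authenticate(requestContext, DittoHeaders.empty()),
                    authenticationTry -> handleAuthenticationTry(authenticationTry, inner, requestContext));
        });
    }

    /**
     * Maps the outcome of the token authentication to a route.
     *
     * @param authenticationTry the (possibly failed) result of the provider.
     * @param inner the route to return on success.
     * @param requestContext the current request context, used for logging.
     * @return {@code inner} if the token is valid and carries an expected subject, otherwise a rejecting or
     * failing route.
     */
    private Route handleAuthenticationTry(final Try<AuthenticationResult> authenticationTry, final Route inner,
            final RequestContext requestContext) {
        if (!authenticationTry.isSuccess()) {
            // The provider itself threw; keep the cause in the log so the failure is diagnosable, but give
            // the caller no details.
            LOGGER.warn("DevOps Oauth authentication errored.", authenticationTry.failed().get());
            return Directives.reject(AuthorizationFailedRejection.get());
        }
        final AuthenticationResult authenticationResult = authenticationTry.get();
        if (!authenticationResult.isSuccess()) {
            // Log the URI rather than the whole request: the request's string form would include headers.
            LOGGER.warn("DevOps Oauth authentication was not successful for request: '{}' because of '{}'.",
                    requestContext.getRequest().getUri(), authenticationResult.getReasonOfFailure().getMessage());
            return Directives.failWith(authenticationResult.getReasonOfFailure());
        }
        final List<String> authorizationSubjectIds =
                authenticationResult.getAuthorizationContext().getAuthorizationSubjectIds();
        if (authorizationSubjectIds.stream().anyMatch(expectedSubjects::contains)) {
            LOGGER.info("DevOps Oauth authentication was successful.");
            return inner;
        }
        // NOTE(review): the message below echoes the configured allow-list and is presumably rendered into
        // the HTTP response; a caller holding any valid token learns which subjects are accepted.
        final GatewayAuthenticationFailedException unauthorizedSubject = GatewayAuthenticationFailedException
                .fromMessage(String.format("Unauthorized subject(s): <%s>. Expected: <%s>",
                        authorizationSubjectIds, expectedSubjects), DittoHeaders.empty());
        LOGGER.warn("DevOps Oauth authentication failed.", unauthorizedSubject);
        return Directives.failWith(unauthorizedSubject);
    }
}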
