package org.iris_events.auth;

import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.ForbiddenException;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.jwt.auth.principal.JWTParser;
import io.smallrye.jwt.auth.principal.ParseException;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.util.Optional;
import java.util.Set;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.iris_events.context.EventContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Authenticates the current event from the JWT carried in its {@code x-jwt} header and
 * enforces a caller-supplied set of allowed roles.
 *
 * <p>Token parsing is delegated entirely to the injected {@link JWTParser}; this class adds
 * no signature, expiry, issuer or audience checks of its own.
 * NOTE(review): which of those checks run depends on the parser configuration, which is not
 * visible in this class - confirm before relying on it.
 *
 * <p>The header value is read from {@link EventContext} as-is.
 * NOTE(review): presumably an upstream component sets or strips {@code x-jwt}; verify that
 * clients cannot inject it through a path that bypasses that component.
 */
@ApplicationScoped
/* loaded from: input_file:org/iris_events/auth/IrisJwtValidator.class */
public class IrisJwtValidator {
    private static final Logger log = LoggerFactory.getLogger(IrisJwtValidator.class);
    private final EventContext eventContext;
    final JWTParser parser;

    /**
     * Creates the validator with its two collaborators.
     *
     * @param eventContext source of the headers of the event being processed
     * @param jWTParser parser used to turn the raw token string into a {@link JsonWebToken}
     */
    @Inject
    public IrisJwtValidator(EventContext eventContext, JWTParser jWTParser) {
        this.eventContext = eventContext;
        this.parser = jWTParser;
    }

    /**
     * Authenticates the current event and checks it against the allowed roles.
     *
     * <p>A token that is present is always parsed, even when {@code set} is empty, so a
     * malformed token is rejected on endpoints that require no role as well.
     *
     * @param set the allowed roles; an empty set means no role is required
     * @return the identity built from the token, or {@code null} when there is no token and
     *         no role is required (callers must treat {@code null} as anonymous)
     * @throws UnauthorizedException when roles are required but no token is present
     * @throws AuthenticationFailedException when the token cannot be parsed
     * @throws ForbiddenException when the identity matches none of the allowed roles
     */
    public SecurityIdentity authenticate(Set<String> set) {
        final Optional<String> rawToken = getToken();
        if (!rawToken.isPresent()) {
            // No token: only acceptable when the caller requires no role at all.
            if (!set.isEmpty()) {
                throw new UnauthorizedException("Client is not authorized");
            }
            return null;
        }
        final SecurityIdentity identity = createSecurityIdentity(rawToken.get());
        checkRolesAllowed(identity, set);
        return identity;
    }

    /**
     * Rejects the identity unless it satisfies at least one allowed role.
     *
     * <p>An empty set passes unconditionally. The entry {@code "**"} matches every identity;
     * since this method is only reached with an identity built from a parsed token, it
     * effectively means "any authenticated caller".
     *
     * @param securityIdentity identity to check
     * @param set the allowed roles
     * @throws ForbiddenException when the set is non-empty and no entry matches
     */
    private void checkRolesAllowed(SecurityIdentity securityIdentity, Set<String> set) {
        if (set.isEmpty()) {
            return;
        }
        for (String allowedRole : set) {
            if (securityIdentity.hasRole(allowedRole) || "**".equals(allowedRole)) {
                return;
            }
        }
        throw new ForbiddenException("Role is not allowed");
    }

    /**
     * Parses the raw token and builds the identity from it.
     *
     * <p>The token's groups become the identity's roles, the parsed token is both the
     * principal and the {@code quarkus.user} attribute, and the raw string is attached as a
     * {@code bearer} credential.
     *
     * @param str the raw token string
     * @return the identity derived from the parsed token
     * @throws AuthenticationFailedException when the parser rejects the token
     */
    private SecurityIdentity createSecurityIdentity(String str) {
        final TokenCredential bearerCredential = new TokenCredential(str, "bearer");
        final JsonWebToken jwt;
        try {
            jwt = this.parser.parse(str);
        } catch (ParseException e) {
            // Only the parser's message and stack trace are logged here, never the raw token.
            // NOTE(review): every rejected token produces an error-level entry with a stack
            // trace - confirm that log volume is acceptable if unauthenticated callers reach this.
            log.error("Authentication failed. Error message: " + e.getMessage(), e);
            throw new AuthenticationFailedException("Invalid authorization token", e);
        }
        QuarkusSecurityIdentity.Builder identityBuilder = QuarkusSecurityIdentity.builder();
        identityBuilder.setPrincipal(jwt);
        identityBuilder.addCredential(bearerCredential);
        identityBuilder.addRoles(jwt.getGroups());
        identityBuilder.addAttribute("quarkus.user", jwt);
        return identityBuilder.build();
    }

    /**
     * Reads the raw token from the {@code x-jwt} header of the current event.
     *
     * @return the header value as a string, or an empty {@link Optional} when the header is
     *         absent; the value is not validated here
     */
    public Optional<String> getToken() {
        final Object headerValue = this.eventContext.getHeaders().get("x-jwt");
        if (headerValue == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(headerValue.toString());
    }
}
