package io.camunda.zeebe.gateway.interceptors.impl;

import io.camunda.search.entities.UserEntity;
import io.camunda.search.query.SearchQueryBuilders;
import io.camunda.service.UserServices;
import io.camunda.zeebe.util.Either;
import io.grpc.Context;
import io.grpc.Status;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;

/* loaded from: input_file:io/camunda/zeebe/gateway/interceptors/impl/AuthenticationHandler.class */
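/**
 * Turns the authentication information presented by a caller into either a gRPC {@link Context}
 * carrying the caller's identity, or an {@code UNAUTHENTICATED} {@link Status}.
 *
 * <p>Implementations report every rejection through the returned {@link Either}; malformed input
 * must not escape as an exception.
 */
public interface AuthenticationHandler {

    /**
     * HTTP Basic style authentication: the value is {@code "Basic "} followed by Base64 of
     * {@code username:password}. The user is looked up through {@link UserServices} and the
     * password is checked with the configured {@link PasswordEncoder}.
     */
    public static final class BasicAuth implements AuthenticationHandler {
        /** Context key under which the authenticated username is stored. */
        public static final Context.Key<String> USERNAME = Context.key("io.camunda.zeebe:username");
        private static final String BASIC_PREFIX = "Basic ";
        private final UserServices userServices;
        private final PasswordEncoder passwordEncoder;

        /**
         * @param userServices used to look up the stored user record by username
         * @param passwordEncoder used to compare the presented password with the stored hash
         * @throws NullPointerException if either argument is {@code null}
         */
        public BasicAuth(UserServices userServices, PasswordEncoder passwordEncoder) {
            // Fail at wiring time, as Oidc does, instead of on the first request.
            this.userServices = Objects.requireNonNull(userServices, "userServices");
            this.passwordEncoder = Objects.requireNonNull(passwordEncoder, "passwordEncoder");
        }

        /**
         * Authenticates a {@code "Basic <base64(username:password)>"} value.
         *
         * @param str the raw authentication information, including the {@code "Basic "} prefix
         * @return right: the current context with {@link #USERNAME} set; left: an
         *     {@code UNAUTHENTICATED} status describing why the value was rejected
         */
        @Override
        public Either<Status, Context> authenticate(String str) {
            if (str == null || !str.startsWith(BASIC_PREFIX)) {
                return Either.left(Status.UNAUTHENTICATED.augmentDescription("Expected authentication information to start with '%s'".formatted(BASIC_PREFIX)));
            }

            // The payload is attacker-controlled: invalid Base64 or a missing ':' must be reported
            // as UNAUTHENTICATED rather than thrown out of the handler.
            final String[] credentials;
            try {
                final byte[] decoded = Base64.getDecoder().decode(str.substring(BASIC_PREFIX.length()));
                // Explicit charset so the decoded password does not depend on the JVM default.
                credentials = new String(decoded, StandardCharsets.UTF_8).split(":", 2);
            } catch (IllegalArgumentException e) {
                return Either.left(Status.UNAUTHENTICATED.augmentDescription("Expected Basic credentials to be valid Base64").withCause(e));
            }
            if (credentials.length != 2) {
                return Either.left(Status.UNAUTHENTICATED.augmentDescription("Expected Basic credentials in the form 'username:password'"));
            }
            final String username = credentials[0];
            final String password = credentials[1];

            try {
                final Optional<UserEntity> candidate = loadUserByUsername(username);
                if (candidate.isEmpty()) {
                    // Same description as a wrong password, so the message does not reveal
                    // whether the username exists.
                    // NOTE(review): this path returns before any password hash is computed, so
                    // its response time may differ from the wrong-password path; consider
                    // running passwordEncoder.matches against a fixed dummy hash here.
                    return Either.left(Status.UNAUTHENTICATED.augmentDescription("Invalid credentials"));
                }
                final UserEntity userEntity = candidate.get();
                if (!isPasswordValid(password, userEntity.password())) {
                    return Either.left(Status.UNAUTHENTICATED.augmentDescription("Invalid credentials"));
                }
                return Either.right(Context.current().withValue(USERNAME, userEntity.username()));
            } catch (RuntimeException e) {
                // Lookup or encoder failure: fail closed.
                return Either.left(Status.UNAUTHENTICATED.augmentDescription("Failed to authenticate").withCause(e));
            }
        }

        /** Returns the first non-null user whose username matches, querying at most one row. */
        private Optional<UserEntity> loadUserByUsername(String username) {
            return this.userServices
                .search(SearchQueryBuilders.userSearchQuery(
                    query -> query.filter(filter -> filter.username(username)).page(page -> page.size(1))))
                .items()
                .stream()
                .filter(Objects::nonNull)
                .findFirst();
        }

        /** Delegates to the encoder so the stored value is never compared as plain text here. */
        private boolean isPasswordValid(String rawPassword, String encodedPassword) {
            return this.passwordEncoder.matches(rawPassword, encodedPassword);
        }
    }

    /**
     * Bearer-token authentication: the value is {@code "Bearer "} followed by a JWT, which is
     * handed to the injected {@link JwtDecoder}. Signature and claim validation are whatever that
     * decoder is configured to perform; this class adds no checks of its own.
     */
    public static final class Oidc implements AuthenticationHandler {
        /** Context key under which the decoded token claims are stored. */
        public static final Context.Key<Map<String, Object>> USER_CLAIMS = Context.key("io.camunda.zeebe:user_claim");
        public static final String BEARER_PREFIX = "Bearer ";
        private final JwtDecoder jwtDecoder;

        /**
         * @param jwtDecoder decoder used to parse and validate presented tokens
         * @throws NullPointerException if {@code jwtDecoder} is {@code null}
         */
        public Oidc(JwtDecoder jwtDecoder) {
            this.jwtDecoder = Objects.requireNonNull(jwtDecoder);
        }

        /**
         * Authenticates a {@code "Bearer <jwt>"} value.
         *
         * @param str the raw authentication information, including the {@code "Bearer "} prefix
         * @return right: the current context with {@link #USER_CLAIMS} set to the token's claims;
         *     left: an {@code UNAUTHENTICATED} status if the prefix is missing or the decoder
         *     rejects the token
         */
        @Override
        public Either<Status, Context> authenticate(String str) {
            if (str == null || !str.startsWith(BEARER_PREFIX)) {
                return Either.left(Status.UNAUTHENTICATED.augmentDescription("Expected authentication information to start with '%s'".formatted(BEARER_PREFIX)));
            }
            final String token = str.substring(BEARER_PREFIX.length());
            try {
                final Map<String, Object> claims = this.jwtDecoder.decode(token).getClaims();
                return Either.right(Context.current().withValue(USER_CLAIMS, claims));
            } catch (JwtException e) {
                return Either.left(Status.UNAUTHENTICATED.augmentDescription("Expected a valid token, see cause for details").withCause(e));
            }
        }
    }

    /**
     * Validates the presented authentication information.
     *
     * @param str the raw authentication information, including its scheme prefix
     * @return right: a context carrying the authenticated identity; left: the status to reject
     *     the call with
     */
    Either<Status, Context> authenticate(String str);
}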
