package io.camunda.zeebe.shared.security;

import io.camunda.identity.sdk.Identity;
import io.camunda.zeebe.gateway.impl.configuration.ExperimentalCfg;
import io.camunda.zeebe.gateway.impl.configuration.MultiTenancyCfg;
import io.camunda.zeebe.gateway.impl.identity.IdentityTenantService;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.ExecutionException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

/**
 * {@link AuthenticationManager} that turns a {@link PreAuthToken} into an
 * {@link IdentityAuthentication} by verifying the token with the Identity SDK and resolving
 * the tenants the token may access.
 *
 * <p>NOTE(review): only {@code PreAuthToken} inputs are verified here; every other
 * {@link Authentication} is handed back untouched, so a non-null return value is not by
 * itself proof that this class verified anything. Confirm the surrounding filter chain
 * accounts for that.
 */
@Component
/* loaded from: input_file:io/camunda/zeebe/shared/security/IdentityAuthenticationManager.class */
public final class IdentityAuthenticationManager implements AuthenticationManager {
    private final Identity identity;
    private final IdentityTenantService tenantService;
    private final MultiTenancyCfg multiTenancy;

    /**
     * Wires the manager and builds its own {@link IdentityTenantService} from the given
     * Identity client and the identity-request settings of the experimental configuration.
     *
     * @param identity Identity SDK entry point used for token verification and tenant lookup
     * @param multiTenancyCfg decides whether tenants are looked up at all
     * @param experimentalCfg source of the identity-request configuration for the tenant service
     */
    @Autowired
    public IdentityAuthenticationManager(Identity identity, MultiTenancyCfg multiTenancyCfg, ExperimentalCfg experimentalCfg) {
        this.identity = identity;
        this.tenantService = new IdentityTenantService(identity, experimentalCfg.getIdentityRequest());
        this.multiTenancy = multiTenancyCfg;
    }

    /**
     * Verifies the token carried by a {@link PreAuthToken} and attaches the authorized tenants.
     *
     * @param authentication the incoming authentication request
     * @return an {@link IdentityAuthentication} for a verified {@code PreAuthToken}; any other
     *     input is returned unchanged
     * @throws BadCredentialsException if token verification or tenant resolution fails for any
     *     reason; the original exception is kept as the cause
     */
    public Authentication authenticate(Authentication authentication) {
        if (authentication instanceof PreAuthToken preAuthToken) {
            final String bearerToken = preAuthToken.token();
            try {
                // Verification runs first; tenants are only resolved for a token that passed it.
                return new IdentityAuthentication(
                        this.identity.authentication().verifyToken(bearerToken),
                        getTenants(bearerToken));
            } catch (Exception cause) {
                // The broad catch also covers the InternalAuthenticationServiceException raised by
                // getTenants, so a failed tenant lookup is reported as bad credentials as well.
                // NOTE(review): the cause's message is reused verbatim; confirm it is not echoed
                // to the client in a way that discloses internal detail.
                throw new BadCredentialsException(cause.getMessage(), cause);
            }
        }
        // Not a pre-auth token: nothing to verify here, hand it back as received.
        return authentication;
    }

    /**
     * Resolves the tenant ids granted to the given token.
     *
     * @param token the raw token taken from the {@link PreAuthToken}
     * @return the single id {@code "<default>"} when multi-tenancy is disabled, otherwise the
     *     tenant ids reported by the tenant service
     * @throws InternalAuthenticationServiceException if the tenant service call fails
     */
    private List<String> getTenants(String token) {
        if (this.multiTenancy.isEnabled()) {
            try {
                return this.tenantService.getTenantsForToken(token).stream()
                        .map(tenant -> tenant.getTenantId())
                        .toList();
            } catch (ExecutionException | RuntimeException failure) {
                throw new InternalAuthenticationServiceException("Expected Identity to provide authorized tenants, see cause for details", failure);
            }
        }
        // Multi-tenancy off: every token maps to the one default tenant.
        return Collections.singletonList("<default>");
    }
}
