package com.atlassian.asap.core.server.http;

import com.atlassian.asap.api.Jwt;
import com.atlassian.asap.api.exception.AuthenticationFailedException;
import com.atlassian.asap.api.exception.CannotRetrieveKeyException;
import com.atlassian.asap.api.exception.InvalidTokenException;
import com.atlassian.asap.api.exception.PermanentAuthenticationFailedException;
import com.atlassian.asap.api.exception.TransientAuthenticationFailedException;
import com.atlassian.asap.api.server.http.RequestAuthenticator;
import com.atlassian.asap.core.exception.PublicKeyNotFoundException;
import com.atlassian.asap.core.validator.JwtValidator;
import java.net.URI;
import java.util.Objects;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/asap/core/server/http/RequestAuthenticatorImpl.class */
public class RequestAuthenticatorImpl implements RequestAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(RequestAuthenticatorImpl.class);
    private final JwtValidator jwtValidator;

    public RequestAuthenticatorImpl(JwtValidator jwtValidator) {
        this.jwtValidator = (JwtValidator) Objects.requireNonNull(jwtValidator);
    }

    public Jwt authenticateRequest(String str) throws AuthenticationFailedException {
        if (StringUtils.isBlank(str)) {
            throw new PermanentAuthenticationFailedException("Authorization header is missing");
        }
        if (!str.startsWith("Bearer ")) {
            throw new PermanentAuthenticationFailedException("Authorization header is not in the expected format. Expected format is 'Bearer <jwt token>'");
        }
        String removeStart = StringUtils.removeStart(str, "Bearer ");
        try {
            return this.jwtValidator.readAndValidate(removeStart);
        } catch (InvalidTokenException e) {
            logger.debug("Failed to authenticate request", e);
            Optional<String> unverifiedIssuer = getUnverifiedIssuer(removeStart);
            throw new PermanentAuthenticationFailedException(String.format("Failed to authenticate request from %s: %s", formatIssuer(unverifiedIssuer), e.getSafeDetails()), unverifiedIssuer.orElse(null));
        } catch (CannotRetrieveKeyException e2) {
            logger.error("Error retrieving key required to authenticate request", e2);
            Optional<String> unverifiedIssuer2 = getUnverifiedIssuer(removeStart);
            throw new TransientAuthenticationFailedException(String.format("Failed to retrieve the key required to authenticate request from %s: %s", formatIssuer(unverifiedIssuer2), e2.getMessage()), (String) e2.getKeyId().orElse(null), (URI) e2.getKeyUri().orElse(null), unverifiedIssuer2.orElse(null));
        } catch (PublicKeyNotFoundException e3) {
            logger.debug("Public key not found when authenticating request: {}", e3.getKeyId(), e3);
            Optional<String> unverifiedIssuer3 = getUnverifiedIssuer(removeStart);
            throw new PermanentAuthenticationFailedException(String.format("Failed to authenticate request from %s: %s", formatIssuer(unverifiedIssuer3), e3.getSafeDetails()), unverifiedIssuer3.orElse(null));
        }
    }

    private Optional<String> getUnverifiedIssuer(String str) {
        return this.jwtValidator.determineUnverifiedIssuer(str);
    }

    private static String formatIssuer(Optional<String> optional) {
        return (String) optional.map(str -> {
            return str + " (issuer not verified)";
        }).orElse("unknown issuer");
    }
}
