package org.eclipse.edc.identityhub.api;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;
import org.eclipse.edc.identityhub.spi.ParticipantContextService;
import org.eclipse.edc.identityhub.spi.authentication.ServicePrincipal;
import org.eclipse.edc.identityhub.spi.authentication.ServicePrincipalResolver;
import org.eclipse.edc.identityhub.spi.model.participant.ParticipantContext;
import org.eclipse.edc.spi.security.Vault;
import org.eclipse.edc.web.spi.exception.AuthenticationFailedException;

/* loaded from: input_file:org/eclipse/edc/identityhub/api/ParticipantServicePrincipalResolver.class */
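/**
 * Resolves a {@link ServicePrincipal} from an API token.
 *
 * <p>As read by this class, a token has exactly two dot-separated segments. The first segment is
 * the Base64 encoding of a participant context id; the second segment is not interpreted here.
 * The <em>whole</em> token string is compared against the secret stored in the {@link Vault}
 * under the participant context's API token alias.
 */
class ParticipantServicePrincipalResolver implements ServicePrincipalResolver {
    /** Single message for every token-shape or token-mismatch failure, so callers cannot tell them apart. */
    private static final String INVALID_TOKEN_MESSAGE = "Invalid API token";

    private final ParticipantContextService participantContextService;
    private final Vault vault;

    /**
     * @param participantContextService used to look up the participant context named by the token
     * @param vault                     used to resolve the stored API token of that participant
     */
    public ParticipantServicePrincipalResolver(ParticipantContextService participantContextService, Vault vault) {
        this.participantContextService = participantContextService;
        this.vault = vault;
    }

    /**
     * Authenticates an API token and returns the principal it belongs to.
     *
     * @param str the raw API token presented by the caller (untrusted input)
     * @return the principal whose stored credential equals {@code str}
     * @throws AuthenticationFailedException if the token is {@code null}, does not have exactly two
     *         segments, carries a first segment that is not valid Base64, names a participant
     *         context that cannot be resolved, or does not match the stored credential
     */
    public ServicePrincipal findByCredential(String str) {
        // A missing token is an authentication failure, not a NullPointerException.
        if (str == null) {
            throw new AuthenticationFailedException(INVALID_TOKEN_MESSAGE);
        }
        String[] segments = str.split("\\.");
        if (segments.length != 2) {
            throw new AuthenticationFailedException(INVALID_TOKEN_MESSAGE);
        }

        String participantContextId;
        try {
            // Decode with an explicit charset so the lookup key does not depend on the platform default.
            participantContextId = new String(Base64.getDecoder().decode(segments[0]), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            // Malformed Base64 from the caller is a bad token; report it like any other bad token
            // instead of letting an unchecked exception escape the authentication path.
            throw new AuthenticationFailedException(INVALID_TOKEN_MESSAGE);
        }

        ServicePrincipal principal = findByPrincipal(participantContextId);
        String storedToken = principal.getCredential();
        // storedToken is whatever the vault returned for the alias; guard against an absent secret
        // so a missing vault entry fails closed rather than throwing.
        // MessageDigest.isEqual avoids the early-exit behaviour of String.equals when comparing
        // a secret against caller-supplied data.
        if (storedToken != null
                && MessageDigest.isEqual(
                        storedToken.getBytes(StandardCharsets.UTF_8), str.getBytes(StandardCharsets.UTF_8))) {
            return principal;
        }
        throw new AuthenticationFailedException(INVALID_TOKEN_MESSAGE);
    }

    /**
     * Looks up the participant context with the given id and wraps it as a principal.
     *
     * @param str the participant context id decoded from the token
     * @throws AuthenticationFailedException if the participant context service reports a failure
     */
    private ServicePrincipal findByPrincipal(String str) {
        // NOTE(review): this message differs from the generic "Invalid API token" and embeds both the
        // caller-supplied id and the service's failure detail. If the exception text is rendered in the
        // HTTP response, it distinguishes "unknown participant" from "wrong secret"; if it is logged,
        // it writes untrusted text into the log. Confirm how AuthenticationFailedException is surfaced.
        return (ServicePrincipal) this.participantContextService.getParticipantContext(str)
                .map(this::toUser)
                .orElseThrow(serviceFailure -> new AuthenticationFailedException(
                        "Invalid Authentication '%s': %s".formatted(str, serviceFailure.getFailureDetail())));
    }

    /**
     * Adapts a participant context to a {@link ServicePrincipal}.
     *
     * <p>The stored API token is resolved from the vault once, when this method is called, and the
     * returned principal keeps that value for its lifetime.
     */
    private ServicePrincipal toUser(final ParticipantContext participantContext) {
        // NOTE(review): presumably null when the vault holds no secret for the alias; confirm
        // against the Vault contract. findByCredential treats a null credential as a mismatch.
        final String storedToken = this.vault.resolveSecret(participantContext.getApiTokenAlias());
        final String participantId = participantContext.getParticipantId();
        return new ServicePrincipal() {
            public String getPrincipal() {
                return participantId;
            }

            public String getCredential() {
                return storedToken;
            }

            public List<String> getRoles() {
                return participantContext.getRoles();
            }
        };
    }
}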
