package org.eclipse.edc.connector.transfer.dataplane.api;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import org.eclipse.edc.connector.transfer.dataplane.spi.security.DataEncrypter;
import org.eclipse.edc.jwt.spi.TokenValidationService;
import org.eclipse.edc.spi.iam.ClaimToken;
import org.eclipse.edc.spi.result.Result;
import org.eclipse.edc.spi.types.TypeManager;
import org.eclipse.edc.spi.types.domain.DataAddress;
import org.eclipse.edc.web.spi.exception.NotAuthorizedException;

@Path("/token")
/* loaded from: input_file:org/eclipse/edc/connector/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.class */
public class ConsumerPullTransferTokenValidationApiController implements ConsumerPullTransferTokenValidationApi {
    private final TokenValidationService service;
    private final DataEncrypter dataEncrypter;
    private final TypeManager typeManager;

    public ConsumerPullTransferTokenValidationApiController(TokenValidationService tokenValidationService, DataEncrypter dataEncrypter, TypeManager typeManager) {
        this.service = tokenValidationService;
        this.dataEncrypter = dataEncrypter;
        this.typeManager = typeManager;
    }

    @Override // org.eclipse.edc.connector.transfer.dataplane.api.ConsumerPullTransferTokenValidationApi
    @Produces({"application/json"})
    @GET
    public DataAddress validate(@HeaderParam("Authorization") String str) {
        Result validate = this.service.validate(str);
        if (validate.failed()) {
            throw new NotAuthorizedException("Token validation failed: " + String.join(", ", validate.getFailureMessages()));
        }
        Object claim = ((ClaimToken) validate.getContent()).getClaim("dad");
        if (claim instanceof String) {
            return (DataAddress) this.typeManager.readValue(this.dataEncrypter.decrypt((String) claim), DataAddress.class);
        }
        throw new IllegalArgumentException(String.format("Missing claim `%s` in token", "dad"));
    }
}
