package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.Assertions;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtAudienceValidator.class */
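/**
 * Checks that a token was issued for one of the configured (trusted) client ids.
 *
 * <p>The audiences compared against the trusted client ids are derived from the token by
 * {@link #extractAudiencesFromToken(Token)}; they are not only the raw {@code aud} values.
 * A token is accepted when a derived audience equals a trusted client id, or, for trusted
 * client ids containing {@code "!b"}, when a derived audience ends with {@code "|" + clientId}.
 *
 * <p>NOTE(review): the trusted set is a plain {@link LinkedHashSet} with no synchronization;
 * whether it is configured and read from different threads is not visible here.
 */
public class JwtAudienceValidator implements Validator<Token> {
    private static final Logger logger = LoggerFactory.getLogger(JwtAudienceValidator.class);
    private static final char DOT = '.';
    // Insertion-ordered set of client ids accepted as audience; never contains a blank entry
    // as long as entries are only added through configureTrustedClientId.
    private final Set<String> trustedClientIds = new LinkedHashSet<>();

    /**
     * Creates a validator that trusts the given client id.
     *
     * @param str the client id to trust; checked with {@code Assertions.assertHasText}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public JwtAudienceValidator(String str) {
        configureTrustedClientId(str);
    }

    /**
     * Adds a further client id to the set of trusted audiences.
     *
     * @param str the client id to trust; checked with {@code Assertions.assertHasText}
     * @return this validator, to allow chained configuration
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public JwtAudienceValidator configureTrustedClientId(String str) {
        Assertions.assertHasText(str, "JwtAudienceValidator requires a clientId.");
        this.trustedClientIds.add(str);
        logger.info("configured JwtAudienceValidator with clientId {}.", str);
        return this;
    }

    /**
     * Validates the audiences derived from the token against the trusted client ids.
     *
     * @param token the token to check
     * @return a valid result when one derived audience matches; otherwise an invalid result
     *         whose message carries the token's raw audiences and the trusted client ids
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        Set<String> derivedAudiences = extractAudiencesFromToken(token);
        if (validateDefault(derivedAudiences) || validateAudienceOfXsuaaBrokerClone(derivedAudiences)) {
            return ValidationResults.createValid();
        }
        return ValidationResults.createInvalid("Jwt token with audience {} is not issued for these clientIds: {}.", token.getAudiences(), this.trustedClientIds);
    }

    /**
     * Exact-match check: true when any trusted client id is contained in the derived audiences.
     */
    private boolean validateDefault(Set<String> set) {
        for (String trustedClientId : this.trustedClientIds) {
            if (set.contains(trustedClientId)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Suffix-match check for trusted client ids containing {@code "!b"}: true when a derived
     * audience ends with {@code "|" + clientId}.
     *
     * <p>Only the suffix is compared; whatever precedes the {@code '|'} in the audience is not
     * checked here. Presumably this is the naming scheme of XSUAA broker clones - confirm
     * against the issuer's documentation.
     */
    private boolean validateAudienceOfXsuaaBrokerClone(Set<String> set) {
        for (String trustedClientId : this.trustedClientIds) {
            if (!trustedClientId.contains("!b")) {
                continue;
            }
            String cloneSuffix = "|" + trustedClientId;
            for (String audience : set) {
                if (audience.endsWith(cloneSuffix)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Derives the set of audiences used for validation from the token.
     *
     * <ul>
     *   <li>Each entry of {@code token.getAudiences()} containing a dot is reduced to the part
     *       before the first dot (see {@link #extractAppId(String)}); entries without a dot are
     *       taken as they are.</li>
     *   <li>For {@code Service.XSUAA} tokens that carry an {@code azp} claim, the token's client
     *       id is added.</li>
     *   <li>For {@code Service.XSUAA} tokens with no audiences at all, the part before the first
     *       dot of every dotted {@code scope} entry is added.</li>
     * </ul>
     *
     * <p>The last two rules mean that a token can pass audience validation without naming the
     * trusted client id in {@code aud}.
     *
     * @param token the token to read audiences, service, client id and scopes from
     * @return the derived audiences in insertion order; never contains an empty string derived
     *         from a dotted value
     */
    static Set<String> extractAudiencesFromToken(Token token) {
        Set<String> audiences = new LinkedHashSet<>();
        for (String audience : token.getAudiences()) {
            if (audience.contains(".")) {
                String appId = extractAppId(audience);
                if (!appId.isEmpty()) {
                    audiences.add(appId);
                }
            } else {
                audiences.add(audience);
            }
        }
        if (Service.XSUAA.equals(token.getService())) {
            if (token.hasClaim("azp")) {
                audiences.add(token.getClientId());
            }
            if (token.getAudiences().isEmpty()) {
                for (String scope : token.getClaimAsStringList("scope")) {
                    if (scope.contains(".")) {
                        String appId = extractAppId(scope);
                        // Same rule as for the aud entries above: a scope such as ".read"
                        // yields an empty app id, which is not a meaningful audience.
                        if (!appId.isEmpty()) {
                            audiences.add(appId);
                        }
                    }
                }
            }
        }
        // NOTE(review): the logged values are taken from the token; whether the token's signature
        // has already been verified when this validator runs is not visible here.
        logger.info("The audiences that are derived from the token: {}.", audiences);
        return audiences;
    }

    /**
     * Returns the trimmed part of {@code str} before its first dot.
     *
     * @param str a value that contains at least one dot
     * @return the text before the first dot, trimmed; empty when the value starts with a dot
     * @throws StringIndexOutOfBoundsException if {@code str} contains no dot
     */
    static String extractAppId(String str) {
        return str.substring(0, str.indexOf(DOT)).trim();
    }

    /**
     * Returns the trusted client ids.
     *
     * <p>This is the live internal set, not a copy: an entry added to or removed from the
     * returned set changes which audiences this validator accepts, and bypasses the text check
     * in {@link #configureTrustedClientId(String)}. Callers should treat it as read-only.
     *
     * @return the set of trusted client ids in configuration order
     */
    public Set<String> getTrustedClientIds() {
        return this.trustedClientIds;
    }
}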
