package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.Assertions;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtIssuerValidator.class */
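/**
 * Validates the issuer ({@code iss}) claim of a token against a list of trusted identity
 * provider domains.
 *
 * <p>Validation runs in two steps: the issuer must be a well-formed http(s) URI with a host and
 * without query or fragment, and the host of that URI must be one of the trusted domains or a
 * subdomain of one of them.
 *
 * <p>Security note: the issuer claim comes from the token and is therefore untrusted input until
 * this validator has accepted it. The domain comparison is done on whole DNS labels; a plain
 * string suffix comparison would also accept a host that merely ends with the same characters as
 * a trusted domain (constructed example: {@code notexample.com} for the trusted domain
 * {@code example.com}).
 */
class JwtIssuerValidator implements Validator<Token> {
    private final List<String> domains;
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Creates a validator for the given trusted domains.
     *
     * @param list the trusted identity provider domains; checked with
     *     {@code Assertions.assertNotEmpty} before use
     */
    public JwtIssuerValidator(List<String> list) {
        Assertions.assertNotEmpty(list, "JwtIssuerValidator requires a domain(s).");
        // Snapshot the list so that later changes to the caller's list cannot alter which
        // issuers this validator trusts.
        this.domains = Collections.unmodifiableList(new ArrayList<>(list));
    }

    /**
     * Checks that the token's issuer is a valid URI whose host belongs to a trusted domain.
     *
     * <p>For IAS tokens an issuer that does not start with {@code http} is prefixed with
     * {@code https://} before it is validated.
     *
     * @param token the token whose issuer claim is validated
     * @return a valid result when the issuer is trusted, otherwise an invalid result carrying
     *     the reason
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        String issuer = token.getIssuer();
        // A missing issuer must end in an invalid result, not in a NullPointerException, so the
        // prefixing is skipped for null and validateUrl reports the missing claim.
        if (issuer != null && Service.IAS.equals(token.getService()) && !issuer.startsWith("http")) {
            issuer = "https://" + issuer;
        }
        ValidationResult urlResult = validateUrl(issuer);
        return urlResult.isErroneous() ? urlResult : matchesTokenIssuerUrl(issuer);
    }

    /**
     * Checks whether the host of the (already syntactically validated) issuer URI is one of the
     * trusted domains or a subdomain of one.
     *
     * @param str the issuer URI
     * @return a valid result on a match, otherwise an invalid result naming the issuer and the
     *     trusted domains
     */
    private ValidationResult matchesTokenIssuerUrl(String str) {
        URI issuerUri = URI.create(str);
        String host = issuerUri.getHost();
        if (issuerUri.getQuery() == null && issuerUri.getFragment() == null && host != null) {
            for (String domain : this.domains) {
                if (isHostWithinDomain(host, domain)) {
                    return ValidationResults.createValid();
                }
            }
        }
        return ValidationResults.createInvalid("Issuer is not trusted because issuer '{}' doesn't match any of these domains '{}' of the identity provider.", str, this.domains);
    }

    /**
     * Returns whether {@code host} equals {@code domain} or is a subdomain of it, comparing on
     * DNS label boundaries.
     *
     * <p>A domain entry written with a leading dot (for example {@code .example.com}) matches
     * subdomains only, as it did with a plain suffix comparison. Null or empty entries never
     * match; an empty entry would otherwise be a suffix of every host.
     */
    private static boolean isHostWithinDomain(String host, String domain) {
        if (domain == null) {
            return false;
        }
        boolean subdomainsOnly = domain.startsWith(".");
        String bareDomain = subdomainsOnly ? domain.substring(1) : domain;
        if (bareDomain.isEmpty()) {
            return false;
        }
        if (!subdomainsOnly && host.equals(bareDomain)) {
            return true;
        }
        // Requiring the separating dot is what restricts the match to real subdomains.
        return host.endsWith("." + bareDomain);
    }

    /**
     * Checks that the issuer is present and is an http(s) URI with a host and without query or
     * fragment.
     *
     * @param str the issuer claim, possibly {@code null}
     * @return a valid result when the issuer has the expected form, otherwise an invalid result
     *     carrying the reason
     */
    private ValidationResult validateUrl(String str) {
        if (str == null || str.trim().isEmpty()) {
            return ValidationResults.createInvalid("Issuer validation can not be performed because Jwt token does not contain an issuer claim.");
        }
        if (!str.startsWith("http")) {
            return ValidationResults.createInvalid("Issuer is not trusted because issuer '{}' does not provide a valid URI (missing http scheme). Please contact your Identity Provider Administrator.", str);
        }
        try {
            URI uri = new URI(str);
            // The prefix check above also lets through schemes that merely begin with "http";
            // only the two real schemes are accepted here.
            // NOTE(review): plain http is still accepted; whether https should be mandatory
            // depends on how the issuer is used downstream - confirm.
            String scheme = uri.getScheme();
            boolean httpScheme = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
            if (httpScheme && uri.getQuery() == null && uri.getFragment() == null && uri.getHost() != null) {
                return ValidationResults.createValid();
            }
        } catch (URISyntaxException e) {
            // A syntactically broken issuer is logged and then reported as invalid below.
            this.logger.error("Error: issuer claim '{}' does not provide a valid URI: {}. Please contact your Identity Provider Administrator.", str, e.getMessage(), e);
        }
        return ValidationResults.createInvalid("Issuer is not trusted because issuer does not provide a valid URI. Please contact your Identity Provider Administrator.", str);
    }
}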
