package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.json.JsonParsingException;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.Assertions;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtIssuerValidator.class */
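/**
 * Validates the issuer claim of a {@link Token} against a fixed list of trusted domains.
 *
 * <p>An issuer is accepted when the part after its scheme is exactly one of the trusted domains,
 * or is a single DNS-style label ({@code [a-zA-Z0-9-]{1,63}}) followed by a dot and a trusted
 * domain. Because the comparison is a full-string match, an issuer carrying a path, query or any
 * other suffix is rejected unless a configured domain literally contains that suffix.
 *
 * <p>The issuer claim is attacker-controlled until the token signature has been verified, so
 * this check is deliberately strict and must not be loosened to prefix or substring matching.
 */
class JwtIssuerValidator implements Validator<Token> {
    protected static final String HTTPS_SCHEME = "https://";
    /** The only non-https prefix an issuer may carry; presumably a local-testing allowance. */
    private static final String HTTP_LOCALHOST = "http://localhost";
    private final List<String> domains;
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Creates a validator for the given trusted domains.
     *
     * @param list the trusted domains; checked with {@code Assertions.assertNotEmpty}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public JwtIssuerValidator(List<String> list) {
        Assertions.assertNotEmpty(list, "JwtIssuerValidator requires a domain(s).");
        // Defensive, read-only snapshot: the trust list must not change if the caller later
        // mutates the list it passed in.
        this.domains = Collections.unmodifiableList(new ArrayList<>(list));
    }

    /**
     * Checks that the token's issuer is a trusted domain or a direct subdomain of one.
     *
     * @param token the token whose issuer claim is validated
     * @return a valid result when the issuer matches a trusted domain; otherwise an invalid
     *     result describing why the issuer was rejected
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        try {
            String issuer = token.getIssuer();
            if (issuer == null || issuer.trim().isEmpty()) {
                return ValidationResults.createInvalid("Issuer validation can not be performed because token does not contain an issuer claim.");
            }
            // Anything that is neither https nor plain-http localhost gets "https://" prepended,
            // so an issuer with another scheme can never equal or match a trusted domain below.
            String issuerUrl = (issuer.startsWith(HTTPS_SCHEME) || isPlainHttpLocalhost(issuer)) ? issuer : HTTPS_SCHEME + issuer;
            try {
                // Syntax check only: the parsed URL is discarded, the comparison below works on
                // the raw string.
                new URL(issuerUrl);
            } catch (MalformedURLException e) {
                return ValidationResults.createInvalid("Issuer validation can not be performed because token issuer is not a valid URL suitable for https.");
            }
            String issuerDomain = issuerUrl.substring(issuerUrl.indexOf("://") + 3);
            for (String trustedDomain : this.domains) {
                // Pattern.quote keeps dots and other metacharacters in the configured domain
                // literal; String.matches anchors the pattern to the whole issuer domain.
                String subdomainPattern = String.format("^[a-zA-Z0-9-]{1,63}\\.%s$", Pattern.quote(trustedDomain));
                if (Objects.equals(trustedDomain, issuerDomain) || issuerDomain.matches(subdomainPattern)) {
                    return ValidationResults.createValid();
                }
            }
            return ValidationResults.createInvalid("Issuer {} was not a trusted domain or a subdomain of the trusted domains {}.", issuer, this.domains);
        } catch (JsonParsingException e) {
            return ValidationResults.createInvalid("Issuer validation can not be performed because token issuer claim was not a String value.");
        }
    }

    /**
     * Tells whether the issuer is a plain-http URL whose host is exactly {@code localhost}.
     *
     * <p>A bare {@code startsWith("http://localhost")} would also let hosts such as
     * {@code localhost.<trusted-domain>} or {@code localhost-x.<trusted-domain>} keep the
     * unencrypted scheme and then pass the subdomain match. Requiring the host to end right
     * after {@code localhost} (end of string, port separator or path separator) closes that gap.
     */
    private static boolean isPlainHttpLocalhost(String issuer) {
        if (!issuer.startsWith(HTTP_LOCALHOST)) {
            return false;
        }
        if (issuer.length() == HTTP_LOCALHOST.length()) {
            return true;
        }
        char next = issuer.charAt(HTTP_LOCALHOST.length());
        return next == ':' || next == '/';
    }
}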
