package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenHeader;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.Assertions;
import java.net.URI;
import java.net.URISyntaxException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/XsuaaJwtIssuerValidator.class */
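/**
 * Validates that the key URL announced in a token's {@code jku} header
 * ({@link TokenHeader#JWKS_URL}) points to a host inside the configured UAA domain.
 *
 * <p>The {@code jku} value is taken from the token itself and is therefore untrusted input at
 * this point. Only the host of the URL is checked here; scheme, port, path, query and fragment
 * are not constrained by this class.
 * NOTE(review): confirm that the code which later fetches keys from this URL enforces
 * {@code https} and the expected key endpoint path.
 */
public class XsuaaJwtIssuerValidator implements Validator<Token> {
    // Trusted UAA domain; the jku host must be this domain or a sub-domain of it.
    private final String domain;
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a validator bound to one trusted UAA domain.
     *
     * @param str the UAA domain; checked with {@code Assertions.assertHasText}
     */
    public XsuaaJwtIssuerValidator(String str) {
        Assertions.assertHasText(str, "XsuaaJwtIssuerValidator requires uaaDomain.");
        this.domain = str;
    }

    /**
     * Checks the {@code jku} header of the given token against the configured domain.
     *
     * @param token the token whose header is inspected
     * @return an invalid result when the header is missing or blank, otherwise the result of
     *     the host/domain comparison
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        String jku = token.getHeaderParameterAsString(TokenHeader.JWKS_URL);
        if (jku == null || jku.trim().isEmpty()) {
            return ValidationResults.createInvalid("Issuer validation can not be performed because Jwt token does not contain 'jku' header parameter.");
        }
        return matchesTokenKeyUrlDomain(jku);
    }

    /**
     * Parses the {@code jku} value as a URI and compares its host with the trusted domain.
     *
     * @param str the raw {@code jku} header value
     * @return a valid result when the host lies inside the trusted domain, otherwise an invalid
     *     result (also when the value is not a parsable URI or has no host)
     */
    private ValidationResult matchesTokenKeyUrlDomain(String str) {
        try {
            URI uri = new URI(str);
            if (isHostWithinDomain(uri.getHost())) {
                return ValidationResults.createValid();
            }
        } catch (URISyntaxException e) {
            // A malformed URI is logged and then rejected by the common invalid result below.
            this.logger.error("Error: 'jku' header parameter '{}' does not provide a valid URI: {}.", str, e.getMessage(), e);
        }
        return ValidationResults.createInvalid("Issuer is not trusted because 'jku' '{}' does not match uaa domain '{}' of the identity service.", str, this.domain);
    }

    /**
     * Tells whether a host is the trusted domain itself or a sub-domain of it.
     *
     * <p>A plain {@code endsWith(domain)} accepts any host that merely shares the trailing
     * characters (for a domain {@code example.com}, a host such as {@code notexample.com}), so
     * the comparison is anchored on a DNS label boundary.
     */
    private boolean isHostWithinDomain(String host) {
        if (host == null) {
            return false;
        }
        if (host.equals(this.domain)) {
            return true;
        }
        // A domain configured with a leading dot already carries its own label boundary.
        String suffix = this.domain.startsWith(".") ? this.domain : "." + this.domain;
        return host.endsWith(suffix);
    }

    /** Two validators are equal when they are of the same class and trust the same domain. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        return this.domain.equals(((XsuaaJwtIssuerValidator) obj).domain);
    }

    /** Hash code derived from the trusted domain, consistent with {@link #equals(Object)}. */
    @Override
    public int hashCode() {
        return this.domain.hashCode();
    }
}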
