package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.Assertions;
import java.net.URI;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/XsuaaJkuValidator.class */
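/**
 * Validates the {@code jku} (JWK Set URL) header parameter of a token against the configured
 * uaa domain of the identity service.
 *
 * <p>The {@code jku} header is supplied by whoever created the token, so it must be treated as
 * untrusted input. A token is only accepted when the host of its {@code jku} is the configured
 * domain or a subdomain of it, and the URL points at the token-keys endpoint without query or
 * fragment.
 */
class XsuaaJkuValidator implements Validator<Token> {
    private final String domain;
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Creates a validator bound to one uaa domain.
     *
     * <p>Decompiler note: the access modifier was package-private in the original class file.
     *
     * @param uaaDomain the trusted uaa domain; must contain text (checked by
     *     {@code Assertions.assertHasText})
     */
    public XsuaaJkuValidator(String uaaDomain) {
        Assertions.assertHasText(uaaDomain, "XsuaaJkuValidator requires uaaDomain.");
        this.domain = uaaDomain;
    }

    /**
     * Checks that the token carries a {@code jku} header whose host belongs to the configured
     * domain and whose path ends in the token-keys endpoint.
     *
     * @param token the token whose {@code jku} header is inspected
     * @return a valid result when all checks pass, otherwise an invalid result with a description
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        String jku = token.getHeaderParameterAsString("jku");
        if (jku == null || jku.trim().isEmpty()) {
            return ValidationResults.createInvalid("Issuer validation can not be performed because Jwt token does not contain 'jku' header parameter.");
        }
        URI jkuUri;
        try {
            jkuUri = URI.create(jku);
        } catch (IllegalArgumentException e) {
            // URI.create rejects syntactically invalid input; treat that as an invalid token.
            return ValidationResults.createInvalid("Issuer validation can not be performed because Jwt token does not contain a valid uri as 'jku' header parameter.");
        }
        // NOTE(review): the URI scheme is not checked here; confirm that https is enforced
        // wherever the keys are actually fetched from this URL.
        if (!matchesTokenKeyUrlDomain(jkuUri)) {
            return ValidationResults.createInvalid("Issuer is not trusted because 'jku' '{}' does not match uaa domain '{}' of the identity service.", jkuUri, this.domain);
        }
        if (!matchesTokenKeyEndpoint(jkuUri)) {
            // The message has no placeholders; the arguments are passed through as in the original call.
            return ValidationResults.createInvalid("Jwt token does not contain a valid 'jku' header parameter.", jkuUri, this.domain);
        }
        return ValidationResults.createValid();
    }

    /**
     * Returns whether the URI's host is the configured domain or one of its subdomains.
     *
     * <p>A bare suffix comparison would also accept a different registrable domain that merely
     * ends with the same characters (for a constructed domain {@code trusted.example}, the host
     * {@code untrusted.example} ends with it too). The match is therefore anchored on a label
     * boundary: the host must equal the domain or end with {@code "." + domain}.
     */
    private boolean matchesTokenKeyUrlDomain(URI uri) {
        String host = uri.getHost();
        if (host == null) {
            return false;
        }
        if (this.domain.startsWith(".")) {
            // A domain configured with a leading dot already carries its own label boundary.
            return host.endsWith(this.domain);
        }
        return host.equals(this.domain) || host.endsWith("." + this.domain);
    }

    /**
     * Returns whether the URI path ends with {@code token_keys} and carries neither a query nor a
     * fragment.
     */
    private boolean matchesTokenKeyEndpoint(URI uri) {
        String path = uri.getPath();
        // NOTE(review): this is a suffix check, so any path ending in "token_keys" passes;
        // confirm whether a stricter path comparison is wanted.
        return path != null && path.endsWith("token_keys") && uri.getQuery() == null && uri.getFragment() == null;
    }

    /** Two validators are equal when they are of the same class and guard the same domain. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        return this.domain.equals(((XsuaaJkuValidator) obj).domain);
    }

    /** Hash code derived from the domain, consistent with {@link #equals(Object)}. */
    @Override
    public int hashCode() {
        return this.domain.hashCode();
    }
}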
