package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.Assertions;
import java.net.URI;
import java.net.URISyntaxException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtIssuerValidator.class */
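/**
 * Validates the {@code iss} (issuer) claim of a JWT against the host of the configured identity
 * provider URL.
 *
 * <p>A token is accepted only when its issuer starts with {@code http}, parses as a URI without
 * query or fragment, and names a host that is the trusted host itself or a sub-domain of it.
 */
class JwtIssuerValidator implements Validator<Token> {
    private final URI url;
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    /**
     * Creates a validator bound to the identity provider's URL.
     *
     * @param uri URL of the trusted identity provider; must not be null (checked with
     *     {@code Assertions.assertNotNull}). Only its host is used for matching.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public JwtIssuerValidator(URI uri) {
        Assertions.assertNotNull(uri, "JwtIssuerValidator requires a url.");
        this.url = uri;
    }

    /**
     * Checks the token's {@code iss} claim.
     *
     * @param token the token whose issuer is validated
     * @return an invalid result when the claim is missing or blank, otherwise the result of the
     *     host comparison against the configured identity provider
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        String issuer = token.getClaimAsString("iss");
        if (issuer == null || issuer.trim().isEmpty()) {
            return ValidationResults.createInvalid("Issuer validation can not be performed because Jwt token does not contain 'iss' claim.");
        }
        return matchesTokenIssuerUrl(issuer);
    }

    /**
     * Compares the issuer's host with the host of the trusted identity provider URL.
     *
     * @param str the non-blank value of the {@code iss} claim
     * @return a valid result when the issuer host is trusted, an invalid result otherwise
     *     (including when the issuer is not a syntactically valid URI)
     */
    private ValidationResult matchesTokenIssuerUrl(String str) {
        // NOTE(review): this prefix test also lets through schemes that merely begin with
        // "http"; confirm whether the scheme should be pinned to http/https after parsing.
        if (!str.startsWith("http")) {
            return ValidationResults.createInvalid("Issuer is not trusted because 'iss' claim '{}' does not provide a valid URI (missing http scheme). Please contact your Identity Provider Administrator.", str);
        }
        String trustedHost = this.url.getHost();
        try {
            // Parsing sits inside the try so that a malformed issuer is logged and rejected
            // instead of escaping as an unhandled checked exception.
            URI issuerUri = new URI(str);
            if (issuerUri.getQuery() == null
                    && issuerUri.getFragment() == null
                    && isSameOrSubDomain(issuerUri.getHost(), trustedHost)) {
                return ValidationResults.createValid();
            }
        } catch (URISyntaxException e) {
            this.logger.error("Error: 'iss' claim '{}' does not provide a valid URI: {}.", str, e.getMessage(), e);
        }
        return ValidationResults.createInvalid("Issuer is not trusted because 'iss' '{}' does not match host '{}' of the identity provider.", str, trustedHost);
    }

    /**
     * Tells whether {@code host} is {@code trustedHost} or a sub-domain of it.
     *
     * <p>The match is anchored on a label boundary ({@code "." + trustedHost}). A bare suffix
     * comparison would also accept an unrelated domain whose name merely ends with the trusted
     * host string, so the issuer would be trusted without belonging to the identity provider.
     * A missing or empty trusted host never matches, because every string ends with the empty
     * string.
     */
    private static boolean isSameOrSubDomain(String host, String trustedHost) {
        if (host == null || trustedHost == null || trustedHost.isEmpty()) {
            return false;
        }
        return host.equals(trustedHost) || host.endsWith("." + trustedHost);
    }
}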
