package com.sap.cloud.security.xsuaa.token.authentication;

import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

/* loaded from: input_file:com/sap/cloud/security/xsuaa/token/authentication/XsuaaAudienceValidator.class */
public class XsuaaAudienceValidator implements OAuth2TokenValidator<Jwt> {
    private XsuaaServiceConfiguration xsuaaServiceConfiguration;

    public XsuaaAudienceValidator(XsuaaServiceConfiguration xsuaaServiceConfiguration) {
        this.xsuaaServiceConfiguration = xsuaaServiceConfiguration;
    }

    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        if (!this.xsuaaServiceConfiguration.getClientId().equals(jwt.getClaimAsString("client_id")) && !allowedAudiences(jwt).contains(this.xsuaaServiceConfiguration.getAppId())) {
            return OAuth2TokenValidatorResult.failure(new OAuth2Error[]{new OAuth2Error("invalid_client", "Missing audience " + this.xsuaaServiceConfiguration.getAppId(), (String) null)});
        }
        return OAuth2TokenValidatorResult.success();
    }

    private List<String> allowedAudiences(Jwt jwt) {
        ArrayList arrayList = new ArrayList();
        List<String> audience = jwt.getAudience();
        if (audience != null) {
            for (String str : audience) {
                if (str.contains(".")) {
                    arrayList.add(str.substring(0, str.indexOf(".")));
                } else {
                    arrayList.add(str);
                }
            }
        }
        if (arrayList.size() == 0) {
            for (String str2 : getScopes(jwt)) {
                if (str2.contains(".")) {
                    arrayList.add(str2.substring(0, str2.indexOf(".")));
                }
            }
        }
        return arrayList;
    }

    private List<String> getScopes(Jwt jwt) {
        List<String> claimAsStringList = jwt.getClaimAsStringList("scope");
        return claimAsStringList != null ? claimAsStringList : new ArrayList();
    }
}
