package com.sap.cloud.security.xsuaa.token.authentication;

import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import com.sap.cloud.security.xsuaa.XsuaaServicesParser;
import com.sap.cloud.security.xsuaa.token.Token;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert;

/* loaded from: input_file:com/sap/cloud/security/xsuaa/token/authentication/XsuaaAudienceValidator.class */
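/**
 * Checks that a JWT was issued for one of the XSUAA service instances this application accepts.
 *
 * <p>A token is accepted when, for at least one configured (appId, clientId) pair, its {@code cid}
 * claim equals the configured client id, its {@code cid} identifies a clone of a configured broker
 * instance, or the configured app id is among the token's audiences (see
 * {@link #getAllowedAudiences(Jwt)}).
 *
 * <p>This class inspects claims only. Nothing here verifies the token's signature, issuer or
 * expiry, so it is meaningful only when it runs on a token whose signature has already been
 * verified, or alongside validators that do so.
 */
public class XsuaaAudienceValidator implements OAuth2TokenValidator<Jwt> {
    /** Accepted XSUAA instances: application id mapped to the OAuth client id of that instance. */
    private final Map<String, String> appIdClientIdMap = new HashMap<>();
    // Log under this class's own category; the original used XsuaaServicesParser's logger,
    // which filed audience-validation messages under an unrelated class.
    private final Log logger = LogFactory.getLog(XsuaaAudienceValidator.class);

    /**
     * Creates a validator that accepts tokens for the given XSUAA service instance.
     *
     * @param xsuaaServiceConfiguration source of the app id and client id; must not be null
     */
    public XsuaaAudienceValidator(XsuaaServiceConfiguration xsuaaServiceConfiguration) {
        Assert.notNull(xsuaaServiceConfiguration, "'xsuaaServiceConfiguration' is required");
        this.appIdClientIdMap.put(xsuaaServiceConfiguration.getAppId(), xsuaaServiceConfiguration.getClientId());
    }

    /**
     * Registers an additional XSUAA instance whose tokens are accepted.
     *
     * <p>An app id that is already registered keeps its existing client id ({@code putIfAbsent}),
     * although the log line below is still written with the values passed in.
     *
     * @param appId application id of the additional instance; must not be null
     * @param clientId OAuth client id of the additional instance; must not be null
     */
    public void configureAnotherXsuaaInstance(String appId, String clientId) {
        Assert.notNull(appId, "'appId' is required");
        Assert.notNull(clientId, "'clientId' is required");
        this.appIdClientIdMap.putIfAbsent(appId, clientId);
        this.logger.info(String.format("configured XsuaaAudienceValidator with appId %s and clientId %s", appId, clientId));
    }

    /**
     * Validates the client id and audience of the given token.
     *
     * @param jwt the decoded token
     * @return success if the token matches a configured instance, otherwise an
     *         {@code invalid_client} failure
     */
    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        String tokenClientId = jwt.getClaimAsString(Token.CLIENT_ID);
        if (tokenClientId == null) {
            // The original built this failure but never returned it, so a token without 'cid'
            // continued into the matching loop: it could still pass on the audience check alone,
            // or hit a NullPointerException in checkMatch. Reject it here.
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_client", "Jwt token must contain 'cid' (client_id)", null));
        }
        List<String> allowedAudiences = getAllowedAudiences(jwt);
        for (Map.Entry<String, String> instance : this.appIdClientIdMap.entrySet()) {
            if (checkMatch(instance.getKey(), instance.getValue(), tokenClientId, allowedAudiences)) {
                return OAuth2TokenValidatorResult.success();
            }
        }
        // NOTE(review): the description lists every configured app id. If the framework echoes
        // error descriptions back to the caller, that discloses configuration to unauthenticated
        // clients -- confirm how this error is rendered.
        return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_client", "Jwt token audience matches none of these: " + this.appIdClientIdMap.keySet().toString(), null));
    }

    /**
     * Decides whether a token belongs to one configured instance.
     *
     * @param appId configured application id (may be null if the configuration supplied none)
     * @param clientId configured client id (may be null if the configuration supplied none)
     * @param tokenClientId the token's {@code cid} claim; never null here
     * @param allowedAudiences audiences derived from the token
     * @return true if any of the three acceptance rules applies
     */
    private boolean checkMatch(String appId, String clientId, String tokenClientId, List<String> allowedAudiences) {
        // Rule 1: token issued to the configured client itself. Called on tokenClientId so a null
        // configured clientId simply does not match instead of throwing.
        if (tokenClientId.equals(clientId)) {
            return true;
        }
        if (appId == null) {
            // Without an app id neither the broker rule nor the audience rule can apply.
            return false;
        }
        // Rule 2: app ids containing "!b" are treated as broker instances; a client id of the
        // form "<something>|<appId>" is accepted as a clone of that broker.
        boolean issuedByBrokerClone = appId.contains("!b")
                && tokenClientId.contains("|")
                && tokenClientId.endsWith("|" + appId);
        // Rule 3: the token names this app id as an audience.
        return issuedByBrokerClone || allowedAudiences.contains(appId);
    }

    /**
     * Derives the audiences a token is valid for.
     *
     * <p>Each {@code aud} entry is cut at its first '.', if any. Only when the {@code aud} claim
     * yields no entries at all are audiences taken from the {@code scope} claim instead: the part
     * before the first '.' of every scope that contains one. Duplicates and empty strings are
     * dropped from the result.
     *
     * @param jwt the decoded token
     * @return distinct, non-empty audience names; possibly empty, never null
     */
    static List<String> getAllowedAudiences(Jwt jwt) {
        List<String> candidates = new ArrayList<>();
        List<String> audience = jwt.getAudience();
        if (audience != null) {
            for (String entry : audience) {
                int dot = entry.indexOf('.');
                candidates.add(dot >= 0 ? entry.substring(0, dot) : entry);
            }
        }
        // The fallback is decided before empty strings are filtered out: an 'aud' claim holding
        // only "" still suppresses the scope-derived audiences.
        if (candidates.isEmpty()) {
            for (String scope : getScopes(jwt)) {
                int dot = scope.indexOf('.');
                if (dot >= 0) {
                    candidates.add(scope.substring(0, dot));
                }
            }
        }
        return candidates.stream()
                .distinct()
                .filter(name -> !name.isEmpty())
                .collect(Collectors.toList());
    }

    /**
     * Returns the token's {@code scope} claim as a list.
     *
     * @param jwt the decoded token
     * @return the scopes, or an empty list when the claim is absent
     */
    static List<String> getScopes(Jwt jwt) {
        List<String> scopes = jwt.getClaimAsStringList("scope");
        return scopes != null ? scopes : new ArrayList<>();
    }
}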
