package com.sap.cloud.security.xsuaa.token.authentication;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import net.minidev.json.JSONObject;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;
import org.springframework.util.Assert;

/* loaded from: input_file:com/sap/cloud/security/xsuaa/token/authentication/XsuaaJwtDecoder.class */
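/**
 * {@link JwtDecoder} that picks a delegate decoder per tenant and caches it.
 *
 * <p>The token is first parsed <em>without</em> signature verification, only to read the
 * {@code zid} claim and the {@code ext_attr.zdn} claim. Both values are passed to
 * {@link XsuaaServiceConfiguration#getTokenKeyUrl} to obtain the key URL for a
 * {@link NimbusJwtDecoderJwkSupport} delegate, which then performs the actual decoding and
 * runs the configured validators.
 *
 * <p>Security note: {@code zid} and {@code zdn} are attacker-controlled at the point where they
 * are read. NOTE(review): {@code getTokenKeyUrl} is not visible here; confirm that it pins the
 * resulting URL to the configured UAA domain, because whoever controls the key URL controls
 * which signing keys are trusted.
 */
public class XsuaaJwtDecoder implements JwtDecoder {
    // Delegate decoders, keyed by the (subdomain, zid) pair they were built for.
    // Left non-final and package-private as in the original so same-package code keeps working.
    Cache<String, JwtDecoder> cache;
    private final XsuaaServiceConfiguration xsuaaServiceConfiguration;
    private final List<OAuth2TokenValidator<Jwt>> tokenValidators = new ArrayList<>();

    /**
     * Creates the decoder.
     *
     * <p>A {@link JwtTimestampValidator} is always installed. When no validators are supplied
     * ({@code null} or an empty varargs call) an {@link XsuaaAudienceValidator} is added as the
     * default. When validators are supplied they replace that default, so the caller is then
     * responsible for audience checking.
     *
     * @param xsuaaServiceConfiguration configuration used for the key URL and the default audience validator
     * @param i cache entry lifetime after write, in seconds
     * @param i2 maximum number of cached delegate decoders
     * @param oAuth2TokenValidatorArr optional custom validators; must not contain {@code null} elements
     * @throws IllegalArgumentException if a supplied validator is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public XsuaaJwtDecoder(XsuaaServiceConfiguration xsuaaServiceConfiguration, int i, int i2, OAuth2TokenValidator<Jwt>... oAuth2TokenValidatorArr) {
        this.cache = Caffeine.newBuilder().expireAfterWrite(i, TimeUnit.SECONDS).maximumSize(i2).build();
        this.xsuaaServiceConfiguration = xsuaaServiceConfiguration;
        this.tokenValidators.add(new JwtTimestampValidator());
        // A varargs call without arguments yields an empty array, not null. Treat both as
        // "nothing supplied" so the audience check is never dropped by accident.
        if (oAuth2TokenValidatorArr == null || oAuth2TokenValidatorArr.length == 0) {
            this.tokenValidators.add(new XsuaaAudienceValidator(xsuaaServiceConfiguration));
        } else {
            // Fail at construction time instead of with an NPE while validating a token.
            Assert.noNullElements(oAuth2TokenValidatorArr, "token validators must not contain null elements");
            this.tokenValidators.addAll(Arrays.asList(oAuth2TokenValidatorArr));
        }
    }

    /**
     * Decodes and validates the given encoded token.
     *
     * @param str the encoded JWT; must not be {@code null}
     * @return the decoded token as returned by the tenant-specific delegate
     * @throws JwtException if the token cannot be parsed, if its {@code zdn} claim is not a
     *         plausible host-name fragment, or if the delegate rejects the token
     */
    @Override
    public Jwt decode(String str) throws JwtException {
        Assert.notNull(str, "token is required");
        try {
            // Unverified parse: the claims read below only select the key source.
            JWT parsed = JWTParser.parse(str);
            String subdomain = getSubdomain(parsed);
            if (!isHostNameFragment(subdomain)) {
                // The untrusted value is deliberately not echoed into the message.
                throw new JwtException("Error initializing JWT decoder: zdn claim contains characters that are not valid in a host name");
            }
            // May be null when the claim is absent; it is passed on to getTokenKeyUrl unchanged.
            String zoneId = parsed.getJWTClaimsSet().getStringClaim("zid");
            JwtDecoder delegate = this.cache.get(cacheKey(zoneId, subdomain), key -> getDecoder(zoneId, subdomain));
            return delegate.decode(str);
        } catch (ParseException e) {
            // Keep the cause so the parse failure stays visible in logs and stack traces.
            throw new JwtException("Error initializing JWT decoder:" + e.getMessage(), e);
        }
    }

    /**
     * Builds the delegate decoder for one tenant.
     *
     * @param str the {@code zid} claim value (may be {@code null})
     * @param str2 the subdomain taken from {@code ext_attr.zdn}, or an empty string
     * @return a decoder bound to the key URL from the configuration, with all validators attached
     */
    protected JwtDecoder getDecoder(String str, String str2) {
        NimbusJwtDecoderJwkSupport delegate = new NimbusJwtDecoderJwkSupport(this.xsuaaServiceConfiguration.getTokenKeyUrl(str, str2));
        delegate.setJwtValidator(new DelegatingOAuth2TokenValidator<>(this.tokenValidators));
        return delegate;
    }

    /**
     * Reads the tenant subdomain from the {@code zdn} entry of the {@code ext_attr} claim.
     *
     * @param jwt the parsed, not yet verified token
     * @return the {@code zdn} value, or an empty string when the claim or the entry is missing
     * @throws ParseException if the claims of the token cannot be read
     */
    protected String getSubdomain(JWT jwt) throws ParseException {
        JSONObject extAttr = jwt.getJWTClaimsSet().getJSONObjectClaim("ext_attr");
        if (extAttr == null) {
            return "";
        }
        String zdn = extAttr.getAsString("zdn");
        return zdn != null ? zdn : "";
    }

    // Cache key covering both inputs of getDecoder. Keying on the subdomain alone would let
    // tokens with the same (or no) zdn but different zid share a decoder built for the first zid.
    // The separator cannot occur in a subdomain that passed isHostNameFragment, so the pair is unambiguous.
    private static String cacheKey(String zoneId, String subdomain) {
        return subdomain + "/" + zoneId;
    }

    // Defence in depth for a value that ends up in a key URL: accept only ASCII letters, digits,
    // '-', '.' and '_' (the empty string is allowed), so URL-structural characters are rejected.
    private static boolean isHostNameFragment(String value) {
        if (value == null) {
            return false;
        }
        for (int idx = 0; idx < value.length(); idx++) {
            char c = value.charAt(idx);
            boolean allowed = (c >= 'a' && c <= 'z')
                    || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9')
                    || c == '-' || c == '.' || c == '_';
            if (!allowed) {
                return false;
            }
        }
        return true;
    }
}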
