package com.yahoo.athenz.auth.oauth.validator;

import com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessToken;
import com.yahoo.athenz.auth.oauth.token.OAuthJwtAccessTokenException;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:com/yahoo/athenz/auth/oauth/validator/DefaultOAuthJwtAccessTokenValidator.class */
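public class DefaultOAuthJwtAccessTokenValidator implements OAuthJwtAccessTokenValidator {
    /** Exact value the token's {@code iss} claim must equal. */
    private final String trustedIssuer;
    /** Every value here must be present in the token's audience list. */
    private final Set<String> requiredAudiences;
    /** Every value here must be present in the token's scope list. */
    private final Set<String> requiredScopes;
    /** Certificate principal -> set of client_id values allowed to present a token for that principal. */
    private final Map<String, Set<String>> authorizedClientIds;

    /**
     * Creates a validator with its accept-lists fixed at construction time.
     *
     * @param str  trusted issuer; the token's {@code iss} must equal it exactly
     * @param set  required audiences; all of them must appear in the token's audiences
     * @param set2 required scopes; all of them must appear in the token's scopes
     * @param map  certificate principal to authorized client_id values; may be empty but not null
     * @throws IllegalArgumentException if the issuer is null/empty, either set is null/empty, or the map is null
     */
    public DefaultOAuthJwtAccessTokenValidator(String str, Set<String> set, Set<String> set2, Map<String, Set<String>> map) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("trusted issuers must be configured");
        }
        if (set == null || set.isEmpty()) {
            throw new IllegalArgumentException("required audiences must be configured");
        }
        if (set2 == null || set2.isEmpty()) {
            throw new IllegalArgumentException("required scopes must be configured");
        }
        if (map == null) {
            throw new IllegalArgumentException("client ID mapping must be configured");
        }
        this.trustedIssuer = str;
        // Snapshot the accept-lists: a caller mutating its sets after construction
        // must not be able to loosen what this validator requires.
        this.requiredAudiences = new HashSet<>(set);
        this.requiredScopes = new HashSet<>(set2);
        // Kept by reference so the caller's Map implementation decides key lookup
        // (verifyClientId calls get()); the caller is expected not to mutate it afterwards.
        this.authorizedClientIds = map;
    }

    /**
     * Returns true when {@code actual} is non-null and contains every element of {@code required}.
     * Shared by the audience and scope checks so both apply the same subset rule.
     */
    private static boolean containsAllRequired(List<String> actual, Set<String> required) {
        return actual != null && new HashSet<>(actual).containsAll(required);
    }

    /**
     * Rejects the token unless its issuer equals the configured trusted issuer.
     *
     * @throws OAuthJwtAccessTokenException if {@code iss} is absent or differs (comparison is exact, case-sensitive)
     */
    private void verifyIssuer(OAuthJwtAccessToken oAuthJwtAccessToken) throws OAuthJwtAccessTokenException {
        String issuer = oAuthJwtAccessToken.getIssuer();
        // equals() is invoked on the trusted value, so a null issuer fails rather than throwing NPE.
        if (!this.trustedIssuer.equals(issuer)) {
            // The message echoes a token-supplied value; treat it as untrusted when logging.
            throw new OAuthJwtAccessTokenException("iss not trusted: got=" + issuer);
        }
    }

    /**
     * Rejects the token unless every required audience is present in its audience list.
     *
     * @throws OAuthJwtAccessTokenException if the audience list is null or misses a required value
     */
    private void verifyAudiences(OAuthJwtAccessToken oAuthJwtAccessToken) throws OAuthJwtAccessTokenException {
        List<String> audiences = oAuthJwtAccessToken.getAudiences();
        if (!containsAllRequired(audiences, this.requiredAudiences)) {
            throw new OAuthJwtAccessTokenException("required aud not found: got=" + (audiences == null ? "null" : String.join(", ", audiences)));
        }
    }

    /**
     * Rejects the token unless every required scope is present in its scope list.
     *
     * @throws OAuthJwtAccessTokenException if the scope list is null or misses a required value
     */
    private void verifyScopes(OAuthJwtAccessToken oAuthJwtAccessToken) throws OAuthJwtAccessTokenException {
        List<String> scopes = oAuthJwtAccessToken.getScopes();
        if (!containsAllRequired(scopes, this.requiredScopes)) {
            throw new OAuthJwtAccessTokenException("required scope not found: got=" + oAuthJwtAccessToken.getScope());
        }
    }

    /**
     * Checks that the presented client certificate thumbprint matches the one bound in the token.
     * Passes only when both are absent (no binding in play) or both are present and equal;
     * a token that carries a thumbprint while no certificate was presented, or vice versa, is rejected.
     *
     * @param str thumbprint of the presented client certificate, or null if none was presented
     * @throws OAuthJwtAccessTokenException on any mismatch
     */
    private void verifyCertificateThumbprint(OAuthJwtAccessToken oAuthJwtAccessToken, String str) throws OAuthJwtAccessTokenException {
        String certificateThumbprint = oAuthJwtAccessToken.getCertificateThumbprint();
        if (str == null && certificateThumbprint == null) {
            return;
        }
        if (str == null || !str.equals(certificateThumbprint)) {
            throw new OAuthJwtAccessTokenException(String.format("client certificate thumbprint (%s) not match: got=%s", str, certificateThumbprint));
        }
    }

    /**
     * Checks that the token's client_id is authorized for the given certificate principal.
     * A principal with no mapping entry is rejected outright (no implicit allow).
     *
     * @param str certificate principal used as the lookup key
     * @throws OAuthJwtAccessTokenException if no mapping exists or the client_id is not in it
     */
    private void verifyClientId(OAuthJwtAccessToken oAuthJwtAccessToken, String str) throws OAuthJwtAccessTokenException {
        String clientId = oAuthJwtAccessToken.getClientId();
        Set<String> set = this.authorizedClientIds.get(str);
        if (set == null) {
            throw new OAuthJwtAccessTokenException(String.format("NO mapping of authorized client IDs for certificate principal (%s)", str));
        }
        if (!set.contains(clientId)) {
            throw new OAuthJwtAccessTokenException(String.format("client_id is not authorized for certificate principal (%s): got=%s", str, clientId));
        }
    }

    /**
     * Validates issuer, audiences, scopes and the presence of an expiration claim.
     * Note: only the presence of {@code exp} (a positive value) is checked here; comparison
     * against the current time is not done in this class and is presumably enforced when
     * the token is parsed — confirm before relying on this validator alone.
     *
     * @throws OAuthJwtAccessTokenException on the first failing check
     */
    @Override
    public void validate(OAuthJwtAccessToken oAuthJwtAccessToken) throws OAuthJwtAccessTokenException {
        verifyIssuer(oAuthJwtAccessToken);
        verifyAudiences(oAuthJwtAccessToken);
        verifyScopes(oAuthJwtAccessToken);
        if (oAuthJwtAccessToken.getExpiration() <= 0) {
            throw new OAuthJwtAccessTokenException("exp is empty");
        }
    }

    /**
     * Validates that the token's client_id is authorized for the certificate principal {@code str}.
     *
     * @throws OAuthJwtAccessTokenException if the mapping is missing or the client_id is not listed
     */
    @Override
    public void validateClientId(OAuthJwtAccessToken oAuthJwtAccessToken, String str) throws OAuthJwtAccessTokenException {
        verifyClientId(oAuthJwtAccessToken, str);
    }

    /**
     * Validates the certificate binding between the presented certificate thumbprint {@code str}
     * and the thumbprint carried in the token.
     *
     * @throws OAuthJwtAccessTokenException if the thumbprints do not match
     */
    @Override
    public void validateCertificateBinding(OAuthJwtAccessToken oAuthJwtAccessToken, String str) throws OAuthJwtAccessTokenException {
        verifyCertificateThumbprint(oAuthJwtAccessToken, str);
    }
}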
