package com.atlassian.asap.core.validator;

import com.atlassian.asap.api.Jwt;
import com.atlassian.asap.api.JwtClaims;
import com.atlassian.asap.api.exception.InvalidTokenException;
import com.atlassian.asap.core.exception.InvalidClaimException;
import com.atlassian.asap.core.exception.TokenExpiredException;
import com.atlassian.asap.core.exception.TokenTooEarlyException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/asap/core/validator/JwtClaimsValidator.class */
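public class JwtClaimsValidator {
    /**
     * Clock skew tolerated when the {@code exp} and {@code nbf}/{@code iat} claims are compared
     * with the current time. Read once at class-load time from the
     * {@code asap.resource.server.leeway.seconds} system property (default 30 seconds).
     * A non-numeric property value fails class initialisation instead of silently
     * falling back to the default.
     */
    public static final Duration TIME_CLAIM_LEEWAY = Duration.ofSeconds(Long.parseLong(System.getProperty("asap.resource.server.leeway.seconds", "30")));

    /** Maximum distance allowed between the {@code iat} and {@code exp} claims. */
    public static final Duration MAX_LIFETIME = Duration.ofHours(1);

    private static final Logger logger = LoggerFactory.getLogger(JwtClaimsValidator.class);

    /** Source of "now" for the relative time checks; injected so callers can test with a fixed clock. */
    private final Clock clock;

    /**
     * @param clock source of the current time for the expiry / not-before checks
     * @throws NullPointerException if {@code clock} is null
     */
    public JwtClaimsValidator(Clock clock) {
        this.clock = Objects.requireNonNull(clock, "clock");
    }

    /**
     * Validates the claims of an already-parsed token against this resource server.
     * Signature verification is not performed here; this method only checks the claims
     * and the header key id.
     *
     * @param jwt the parsed token
     * @param str the audience identifier of this resource server; the token's {@code aud}
     *            claim must contain it
     * @throws InvalidClaimException if a claim is malformed, the key id does not belong to the
     *         issuer, the audience is not recognised, or the time claims are inconsistent
     * @throws TokenExpiredException if {@code exp} lies more than {@link #TIME_CLAIM_LEEWAY} in the past
     * @throws TokenTooEarlyException if {@code nbf} (or {@code iat} when absent) lies more than
     *         {@link #TIME_CLAIM_LEEWAY} in the future
     */
    public void validate(Jwt jwt, String str) throws InvalidTokenException {
        JwtClaims claims = jwt.getClaims();
        String issuer = claims.getIssuer();
        Optional<String> subject = claims.getSubject();
        Set<String> audience = claims.getAudience();
        Instant issuedAt = claims.getIssuedAt();
        Instant expiry = claims.getExpiry();
        Optional<Instant> notBefore = claims.getNotBefore();
        // Order matters: the cheap structural checks run before anything that consults the clock.
        issuerAndSubjectValidation(issuer, subject, jwt.getHeader().getKeyId());
        audienceValidation(audience, str);
        formalTimeClaimsValidation(issuedAt, expiry, notBefore);
        relativeTimeValidation(issuedAt, expiry, notBefore);
    }

    /**
     * Rejects a blank issuer and a key id that is not scoped under the issuer.
     * The key id must start with {@code issuer + "/"} so that a token can only be verified
     * with a key published by the issuer it claims.
     *
     * @param issuer  the {@code iss} claim
     * @param subject the {@code sub} claim; currently unused by this check but kept in the
     *                signature for callers
     * @param keyId   the {@code kid} header value
     * @throws InvalidClaimException if the issuer is blank or the key id is missing or not
     *         prefixed by the issuer
     */
    private void issuerAndSubjectValidation(String issuer, Optional<String> subject, String keyId) throws InvalidClaimException {
        if (StringUtils.isBlank(issuer)) {
            logger.debug("Rejecting blank issuer");
            throw new InvalidClaimException("Issuer cannot be blank");
        }
        // A null key id is treated as a mismatch rather than surfacing as a NullPointerException;
        // whether the header parser already guarantees a non-null kid is not visible here.
        if (keyId == null || !keyId.startsWith(issuer + "/")) {
            logger.debug("The issuer {} does not match the key id {}", issuer, keyId);
            throw new InvalidClaimException("The issuer claim does not match the key id");
        }
    }

    /**
     * Requires the token's {@code aud} claim to name this resource server.
     *
     * @param audience         the {@code aud} claim
     * @param expectedAudience this server's audience identifier
     * @throws InvalidClaimException if {@code expectedAudience} is not among the token audiences
     */
    private void audienceValidation(Set<String> audience, String expectedAudience) throws InvalidClaimException {
        if (!audience.contains(expectedAudience)) {
            logger.debug("Rejected unrecognised audience {}", audience);
            throw new InvalidClaimException("Unrecognised audience");
        }
    }

    /**
     * Checks the time claims for internal consistency without consulting the clock:
     * {@code iat <= exp}, {@code exp - iat <= MAX_LIFETIME}, and when {@code nbf} is present
     * {@code iat <= nbf <= exp}.
     *
     * @param issuedAt  the {@code iat} claim
     * @param expiry    the {@code exp} claim
     * @param notBefore the optional {@code nbf} claim
     * @throws InvalidClaimException if any of the relations above is violated
     */
    private void formalTimeClaimsValidation(Instant issuedAt, Instant expiry, Optional<Instant> notBefore) throws InvalidClaimException {
        if (expiry.isBefore(issuedAt)) {
            logger.debug("Expiry time {} set before issue time {}", expiry, issuedAt);
            throw new InvalidClaimException("Expiry time set before issue time");
        }
        // Bounding the lifetime limits how long a leaked token stays usable, regardless of exp.
        if (issuedAt.plus(MAX_LIFETIME).isBefore(expiry)) {
            logger.debug("Token exceeds lifetime limit, issued at {} and expires at {}", issuedAt, expiry);
            throw new InvalidClaimException("Token exceeds lifetime limit");
        }
        if (notBefore.isPresent()) {
            Instant nbf = notBefore.get();
            if (nbf.isAfter(expiry)) {
                logger.debug("The expiry time {} must be after the not-before time {}", expiry, nbf);
                throw new InvalidClaimException("The expiry time must be after the not-before time");
            }
            if (nbf.isBefore(issuedAt)) {
                logger.debug("The token was valid since {} but was issued later at {}", nbf, issuedAt);
                throw new InvalidClaimException("The token must not be valid before it was issued");
            }
        }
    }

    /**
     * Compares the time claims with the injected clock, allowing {@link #TIME_CLAIM_LEEWAY}
     * of skew in both directions.
     *
     * @param issuedAt  the {@code iat} claim; used as the validity start when {@code nbf} is absent
     * @param expiry    the {@code exp} claim
     * @param notBefore the optional {@code nbf} claim
     * @throws TokenExpiredException  if {@code exp} is earlier than {@code now - leeway}
     * @throws TokenTooEarlyException if the validity start is later than {@code now + leeway}
     */
    private void relativeTimeValidation(Instant issuedAt, Instant expiry, Optional<Instant> notBefore) throws TokenExpiredException, TokenTooEarlyException {
        Instant now = Instant.now(this.clock);
        Instant earliestAcceptedExpiry = now.minus(TIME_CLAIM_LEEWAY);
        Instant latestAcceptedStart = now.plus(TIME_CLAIM_LEEWAY);
        if (expiry.isBefore(earliestAcceptedExpiry)) {
            logger.info("Rejecting expired token, now={}, expiry={}, leeway={}", now, expiry, TIME_CLAIM_LEEWAY);
            throw new TokenExpiredException(expiry, now);
        }
        Instant validFrom = notBefore.orElse(issuedAt);
        if (validFrom.isAfter(latestAcceptedStart)) {
            logger.info("Rejecting token that arrives too early, now={}, not before={}, leeway={}", now, validFrom, TIME_CLAIM_LEEWAY);
            throw new TokenTooEarlyException(validFrom, now);
        }
    }
}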
