package com.google.crypto.tink.jwt;

import com.google.errorprone.annotations.Immutable;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Objects;
import java.util.Optional;
import k.g.f.a.i0.d;

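/**
 * Checks the type header and the registered claims of a {@link RawJwt} against a fixed policy
 * and, when every check passes, wraps the token in a {@link VerifiedJwt}.
 *
 * <p>Only header and claim checks are visible in this class. No signature or MAC verification
 * happens here; presumably the caller does that before calling {@link #validate} (confirm
 * against the call sites).
 *
 * <p>The defaults fail closed: a validator built without an expected issuer, audience or type
 * header rejects any token that carries one, unless the matching "ignore" switch was set on the
 * builder. A token without an expiration is rejected unless that was explicitly allowed.
 *
 * <p>Several rejection messages embed values read from the token (issuer, type header). Code
 * that logs or displays these messages should treat them as untrusted text.
 *
 * <p>The builder class {@code b} and its methods {@code k()} to {@code u()} carry the obfuscated
 * names present in this build (loaded from classes4.dex). They are kept unchanged because
 * callers reference them.
 */
@Immutable
public final class JwtValidator {
    /** Upper bound accepted by the builder for the clock-skew tolerance. */
    private static final Duration MAX_CLOCK_SKEW = Duration.ofMinutes(10);
    private final boolean allowMissingExpiration;
    private final Clock clock;
    private final Duration clockSkew;
    private final boolean expectIssuedInThePast;
    private final Optional<String> expectedAudience;
    private final Optional<String> expectedIssuer;
    private final Optional<String> expectedTypeHeader;
    private final boolean ignoreAudiences;
    private final boolean ignoreIssuer;
    private final boolean ignoreTypeHeader;

    /**
     * Builder for {@link JwtValidator}; obtain one through {@link JwtValidator#newBuilder()}.
     *
     * <p>The private fields are named after the {@code JwtValidator} fields they are copied
     * into. The public method names are the obfuscated ones from this build.
     */
    public static final class b {

        private Clock clock;
        private Duration clockSkew;
        private Optional<String> expectedTypeHeader;
        private boolean ignoreTypeHeader;
        private Optional<String> expectedIssuer;
        private boolean ignoreIssuer;
        private Optional<String> expectedAudience;
        private boolean ignoreAudiences;
        private boolean allowMissingExpiration;
        private boolean expectIssuedInThePast;

        /** Starts from the strictest policy: UTC system clock, zero skew, nothing ignored. */
        private b() {
            this.clock = Clock.systemUTC();
            this.clockSkew = Duration.ZERO;
            this.expectedTypeHeader = Optional.empty();
            this.ignoreTypeHeader = false;
            this.expectedIssuer = Optional.empty();
            this.ignoreIssuer = false;
            this.expectedAudience = Optional.empty();
            this.ignoreAudiences = false;
            this.allowMissingExpiration = false;
            this.expectIssuedInThePast = false;
        }

        /**
         * Allows tokens that have no expiration. Such a token is never rejected as expired by
         * this validator, so enable this only where unbounded token lifetime is acceptable.
         *
         * @return this builder
         */
        public b k() {
            this.allowMissingExpiration = true;
            return this;
        }

        /**
         * Builds the validator.
         *
         * @return a validator holding the configured policy
         * @throws IllegalArgumentException if an "ignore" switch and the matching expected value
         *     were both set for the type header, the issuer or the audience
         */
        public JwtValidator l() {
            // An expected value together with "ignore" is contradictory; refuse it rather than
            // silently picking one of the two.
            if (this.ignoreTypeHeader && this.expectedTypeHeader.isPresent()) {
                throw new IllegalArgumentException("ignoreTypeHeader() and expectedTypeHeader() cannot be used together.");
            }
            if (this.ignoreIssuer && this.expectedIssuer.isPresent()) {
                throw new IllegalArgumentException("ignoreIssuer() and expectedIssuer() cannot be used together.");
            }
            if (this.ignoreAudiences && this.expectedAudience.isPresent()) {
                throw new IllegalArgumentException("ignoreAudiences() and expectedAudience() cannot be used together.");
            }
            return new JwtValidator(this);
        }

        /**
         * Requires the token's audience list to contain {@code str}.
         *
         * @param str the expected audience
         * @return this builder
         * @throws NullPointerException if {@code str} is null
         */
        public b m(String str) {
            Objects.requireNonNull(str, "audience cannot be null");
            this.expectedAudience = Optional.of(str);
            return this;
        }

        /**
         * Requires an issued-at claim that is not later than the current time plus the clock
         * skew.
         *
         * @return this builder
         */
        public b n() {
            this.expectIssuedInThePast = true;
            return this;
        }

        /**
         * Requires the token's issuer to equal {@code str}.
         *
         * @param str the expected issuer
         * @return this builder
         * @throws NullPointerException if {@code str} is null
         */
        public b o(String str) {
            Objects.requireNonNull(str, "issuer cannot be null");
            this.expectedIssuer = Optional.of(str);
            return this;
        }

        /**
         * Requires the token's type header to equal {@code str}.
         *
         * @param str the expected type header
         * @return this builder
         * @throws NullPointerException if {@code str} is null
         */
        public b p(String str) {
            Objects.requireNonNull(str, "typ header cannot be null");
            this.expectedTypeHeader = Optional.of(str);
            return this;
        }

        /**
         * Skips the audience check, so a token addressed to any audience is accepted.
         *
         * @return this builder
         */
        public b q() {
            this.ignoreAudiences = true;
            return this;
        }

        /**
         * Skips the issuer check, so a token from any issuer is accepted.
         *
         * @return this builder
         */
        public b r() {
            this.ignoreIssuer = true;
            return this;
        }

        /**
         * Skips the type-header check.
         *
         * @return this builder
         */
        public b s() {
            this.ignoreTypeHeader = true;
            return this;
        }

        /**
         * Replaces the clock used to obtain the current time during validation.
         *
         * @param clock the time source
         * @return this builder
         * @throws NullPointerException if {@code clock} is null
         */
        public b t(Clock clock) {
            Objects.requireNonNull(clock, "clock cannot be null");
            this.clock = clock;
            return this;
        }

        /**
         * Sets the tolerance applied to the expiration, not-before and issued-at comparisons.
         *
         * @param duration the tolerance, at most 10 minutes
         * @return this builder
         * @throws NullPointerException if {@code duration} is null
         * @throws IllegalArgumentException if {@code duration} exceeds 10 minutes
         */
        public b u(Duration duration) {
            // Explicit null check with a message, matching the other setters; the original
            // failed with a bare NullPointerException from compareTo.
            Objects.requireNonNull(duration, "clock skew cannot be null");
            if (duration.compareTo(JwtValidator.MAX_CLOCK_SKEW) > 0) {
                throw new IllegalArgumentException("Clock skew too large, max is 10 minutes");
            }
            // NOTE(review): a negative duration passes the bound above. It tightens every time
            // check instead of loosening it, so it is not a bypass, but it is almost certainly
            // a misconfiguration; consider rejecting it once callers are confirmed not to rely
            // on it.
            this.clockSkew = duration;
            return this;
        }
    }

    /** Copies the builder's state; the builder has already rejected contradictory settings. */
    private JwtValidator(b bVar) {
        this.expectedTypeHeader = bVar.expectedTypeHeader;
        this.ignoreTypeHeader = bVar.ignoreTypeHeader;
        this.expectedIssuer = bVar.expectedIssuer;
        this.ignoreIssuer = bVar.ignoreIssuer;
        this.expectedAudience = bVar.expectedAudience;
        this.ignoreAudiences = bVar.ignoreAudiences;
        this.allowMissingExpiration = bVar.allowMissingExpiration;
        this.expectIssuedInThePast = bVar.expectIssuedInThePast;
        this.clock = bVar.clock;
        this.clockSkew = bVar.clockSkew;
    }

    /**
     * Creates a builder preset to the strictest policy.
     *
     * @return a new builder
     */
    public static b newBuilder() {
        return new b();
    }

    /**
     * Enforces the audience policy: the expected audience must be listed in the token, and a
     * token that names audiences is rejected when none is expected, unless audiences are
     * ignored.
     */
    private void validateAudiences(RawJwt rawJwt) throws d {
        if (this.expectedAudience.isPresent()) {
            if (!rawJwt.hasAudiences() || !rawJwt.getAudiences().contains(this.expectedAudience.get())) {
                throw new d(String.format("invalid JWT; missing expected audience %s.", this.expectedAudience.get()));
            }
        } else if (rawJwt.hasAudiences() && !this.ignoreAudiences) {
            // Fail closed: the token is addressed to someone, and this validator was not told
            // who it is acting for.
            throw new d("invalid JWT; token has audience set, but validator not.");
        }
    }

    /**
     * Enforces the issuer policy: exact match when an issuer is expected; otherwise a token
     * carrying an issuer is rejected unless the issuer is ignored.
     */
    private void validateIssuer(RawJwt rawJwt) throws d {
        if (!this.expectedIssuer.isPresent()) {
            if (rawJwt.hasIssuer() && !this.ignoreIssuer) {
                throw new d("invalid JWT; token has issuer set, but validator not.");
            }
            return;
        }
        if (!rawJwt.hasIssuer()) {
            throw new d(String.format("invalid JWT; missing expected issuer %s.", this.expectedIssuer.get()));
        }
        if (!rawJwt.getIssuer().equals(this.expectedIssuer.get())) {
            // The message includes the issuer string taken from the token.
            throw new d(String.format("invalid JWT; expected issuer %s, but got %s", this.expectedIssuer.get(), rawJwt.getIssuer()));
        }
    }

    /**
     * Enforces the time-based claims against the configured clock and skew.
     *
     * <p>A token is rejected when it has no expiration (unless allowed), when its expiration is
     * not strictly after {@code now - skew}, when its not-before is after {@code now + skew},
     * or, if issued-at checking is enabled, when issued-at is missing or after
     * {@code now + skew}.
     */
    private void validateTimestampClaims(RawJwt rawJwt) throws d {
        // One clock reading is shared by all comparisons so they agree on "now".
        Instant now = this.clock.instant();
        if (!rawJwt.hasExpiration() && !this.allowMissingExpiration) {
            throw new d("token does not have an expiration set");
        }
        // An expiration exactly equal to (now - skew) already counts as expired.
        if (rawJwt.hasExpiration() && !rawJwt.getExpiration().isAfter(now.minus(this.clockSkew))) {
            throw new d("token has expired since " + rawJwt.getExpiration());
        }
        if (rawJwt.hasNotBefore() && rawJwt.getNotBefore().isAfter(now.plus(this.clockSkew))) {
            throw new d("token cannot be used before " + rawJwt.getNotBefore());
        }
        if (this.expectIssuedInThePast) {
            if (!rawJwt.hasIssuedAt()) {
                throw new d("token does not have an iat claim");
            }
            if (rawJwt.getIssuedAt().isAfter(now.plus(this.clockSkew))) {
                throw new d("token has a invalid iat claim in the future: " + rawJwt.getIssuedAt());
            }
        }
    }

    /**
     * Enforces the type-header policy: exact match when a type header is expected; otherwise a
     * token carrying one is rejected unless the type header is ignored.
     */
    private void validateTypeHeader(RawJwt rawJwt) throws d {
        if (!this.expectedTypeHeader.isPresent()) {
            if (rawJwt.hasTypeHeader() && !this.ignoreTypeHeader) {
                throw new d("invalid JWT; token has type header set, but validator not.");
            }
            return;
        }
        if (!rawJwt.hasTypeHeader()) {
            throw new d(String.format("invalid JWT; missing expected type header %s.", this.expectedTypeHeader.get()));
        }
        if (!rawJwt.getTypeHeader().equals(this.expectedTypeHeader.get())) {
            // The message includes the type header string taken from the token.
            throw new d(String.format("invalid JWT; expected type header %s, but got %s", this.expectedTypeHeader.get(), rawJwt.getTypeHeader()));
        }
    }

    /**
     * Lists the non-default policy settings as {@code JwtValidator{a,b=c,...}}.
     *
     * @return the settings that differ from the builder defaults; the clock is not included
     */
    @Override
    public String toString() {
        ArrayList<String> settings = new ArrayList<>();
        if (this.expectedTypeHeader.isPresent()) {
            settings.add("expectedTypeHeader=" + this.expectedTypeHeader.get());
        }
        if (this.ignoreTypeHeader) {
            settings.add("ignoreTypeHeader");
        }
        if (this.expectedIssuer.isPresent()) {
            settings.add("expectedIssuer=" + this.expectedIssuer.get());
        }
        if (this.ignoreIssuer) {
            settings.add("ignoreIssuer");
        }
        if (this.expectedAudience.isPresent()) {
            settings.add("expectedAudience=" + this.expectedAudience.get());
        }
        if (this.ignoreAudiences) {
            settings.add("ignoreAudiences");
        }
        if (this.allowMissingExpiration) {
            settings.add("allowMissingExpiration");
        }
        if (this.expectIssuedInThePast) {
            settings.add("expectIssuedInThePast");
        }
        if (!this.clockSkew.isZero()) {
            settings.add("clockSkew=" + this.clockSkew);
        }
        return "JwtValidator{" + String.join(",", settings) + "}";
    }

    /**
     * Runs the timestamp, type-header, issuer and audience checks in that order.
     *
     * <p>The {@link VerifiedJwt} is created only after all four checks have returned normally,
     * so no verified token exists for a token that fails any of them.
     *
     * @param rawJwt the token to check
     * @return the token wrapped as verified
     * @throws d if any check rejects the token ({@code d} is an obfuscated exception type;
     *     presumably the library's invalid-JWT exception, confirm against its declaration)
     */
    public VerifiedJwt validate(RawJwt rawJwt) throws d {
        validateTimestampClaims(rawJwt);
        validateTypeHeader(rawJwt);
        validateIssuer(rawJwt);
        validateAudiences(rawJwt);
        return new VerifiedJwt(rawJwt);
    }
}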
