package com.google.crypto.tink.jwt;

import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.Immutable;
import com.google.gson.JsonObject;
import com.microsoft.identity.common.internal.providers.microsoft.MicrosoftIdToken;
import com.microsoft.identity.common.internal.providers.microsoft.microsoftsts.MicrosoftStsIdToken;
import j$.time.Clock;
import j$.time.Duration;
import j$.time.Instant;
import j$.util.Optional;
import java.util.ArrayList;
import java.util.Iterator;

@Immutable
/* loaded from: classes7.dex */
public final class JwtValidator {

    /* renamed from: k, reason: collision with root package name */
    public static final Duration f42409k = Duration.ofMinutes(10);

    /* renamed from: a, reason: collision with root package name */
    public final Optional f42410a;
    public final boolean b;
    public final Optional c;

    /* renamed from: d, reason: collision with root package name */
    public final boolean f42411d;

    /* renamed from: e, reason: collision with root package name */
    public final Optional f42412e;

    /* renamed from: f, reason: collision with root package name */
    public final boolean f42413f;

    /* renamed from: g, reason: collision with root package name */
    public final boolean f42414g;

    /* renamed from: h, reason: collision with root package name */
    public final boolean f42415h;

    /* renamed from: i, reason: collision with root package name */
    public final Clock f42416i;

    /* renamed from: j, reason: collision with root package name */
    public final Duration f42417j;

    /* loaded from: classes7.dex */
    public static final class Builder {

        /* renamed from: a, reason: collision with root package name */
        public Optional f42418a;
        public boolean b;
        public Optional c;

        /* renamed from: d, reason: collision with root package name */
        public boolean f42419d;

        /* renamed from: e, reason: collision with root package name */
        public Optional f42420e;

        /* renamed from: f, reason: collision with root package name */
        public boolean f42421f;

        /* renamed from: g, reason: collision with root package name */
        public boolean f42422g;

        /* renamed from: h, reason: collision with root package name */
        public boolean f42423h;

        /* renamed from: i, reason: collision with root package name */
        public Clock f42424i;

        /* renamed from: j, reason: collision with root package name */
        public Duration f42425j;

        @CanIgnoreReturnValue
        public Builder allowMissingExpiration() {
            this.f42422g = true;
            return this;
        }

        public JwtValidator build() {
            if (this.b && this.f42418a.isPresent()) {
                throw new IllegalArgumentException("ignoreTypeHeader() and expectedTypeHeader() cannot be used together.");
            }
            if (this.f42419d && this.c.isPresent()) {
                throw new IllegalArgumentException("ignoreIssuer() and expectedIssuer() cannot be used together.");
            }
            if (this.f42421f && this.f42420e.isPresent()) {
                throw new IllegalArgumentException("ignoreAudiences() and expectedAudience() cannot be used together.");
            }
            return new JwtValidator(this);
        }

        @CanIgnoreReturnValue
        public Builder expectAudience(String str) {
            if (str == null) {
                throw new NullPointerException("audience cannot be null");
            }
            this.f42420e = Optional.of(str);
            return this;
        }

        @CanIgnoreReturnValue
        public Builder expectIssuedInThePast() {
            this.f42423h = true;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder expectIssuer(String str) {
            if (str == null) {
                throw new NullPointerException("issuer cannot be null");
            }
            this.c = Optional.of(str);
            return this;
        }

        @CanIgnoreReturnValue
        public Builder expectTypeHeader(String str) {
            if (str == null) {
                throw new NullPointerException("typ header cannot be null");
            }
            this.f42418a = Optional.of(str);
            return this;
        }

        @CanIgnoreReturnValue
        public Builder ignoreAudiences() {
            this.f42421f = true;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder ignoreIssuer() {
            this.f42419d = true;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder ignoreTypeHeader() {
            this.b = true;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setClock(Clock clock) {
            if (clock == null) {
                throw new NullPointerException("clock cannot be null");
            }
            this.f42424i = clock;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setClockSkew(Duration duration) {
            if (duration.compareTo(JwtValidator.f42409k) > 0) {
                throw new IllegalArgumentException("Clock skew too large, max is 10 minutes");
            }
            this.f42425j = duration;
            return this;
        }
    }

    public JwtValidator(Builder builder) {
        this.f42410a = builder.f42418a;
        this.b = builder.b;
        this.c = builder.c;
        this.f42411d = builder.f42419d;
        this.f42412e = builder.f42420e;
        this.f42413f = builder.f42421f;
        this.f42414g = builder.f42422g;
        this.f42415h = builder.f42423h;
        this.f42416i = builder.f42424i;
        this.f42417j = builder.f42425j;
    }

    /* JADX WARN: Type inference failed for: r0v0, types: [com.google.crypto.tink.jwt.JwtValidator$Builder, java.lang.Object] */
    public static Builder newBuilder() {
        ?? obj = new Object();
        obj.f42424i = Clock.systemUTC();
        obj.f42425j = Duration.ZERO;
        obj.f42418a = Optional.empty();
        obj.b = false;
        obj.c = Optional.empty();
        obj.f42419d = false;
        obj.f42420e = Optional.empty();
        obj.f42421f = false;
        obj.f42422g = false;
        obj.f42423h = false;
        return obj;
    }

    public final VerifiedJwt a(RawJwt rawJwt) {
        Instant instant = this.f42416i.instant();
        JsonObject jsonObject = rawJwt.f42426a;
        if (!jsonObject.has(MicrosoftStsIdToken.EXPIRATION_TIME) && !this.f42414g) {
            throw new JwtInvalidException("token does not have an expiration set");
        }
        boolean has = jsonObject.has(MicrosoftStsIdToken.EXPIRATION_TIME);
        Duration duration = this.f42417j;
        if (has && !rawJwt.b(MicrosoftStsIdToken.EXPIRATION_TIME).isAfter(instant.minus(duration))) {
            throw new JwtInvalidException("token has expired since " + rawJwt.b(MicrosoftStsIdToken.EXPIRATION_TIME));
        }
        if (jsonObject.has(MicrosoftIdToken.NOT_BEFORE) && rawJwt.b(MicrosoftIdToken.NOT_BEFORE).isAfter(instant.plus(duration))) {
            throw new JwtInvalidException("token cannot be used before " + rawJwt.b(MicrosoftIdToken.NOT_BEFORE));
        }
        if (this.f42415h) {
            if (!jsonObject.has(MicrosoftIdToken.ISSUED_AT)) {
                throw new JwtInvalidException("token does not have an iat claim");
            }
            if (rawJwt.b(MicrosoftIdToken.ISSUED_AT).isAfter(instant.plus(duration))) {
                throw new JwtInvalidException("token has a invalid iat claim in the future: " + rawJwt.b(MicrosoftIdToken.ISSUED_AT));
            }
        }
        Optional optional = this.f42410a;
        boolean isPresent = optional.isPresent();
        Optional optional2 = rawJwt.b;
        if (isPresent) {
            if (!optional2.isPresent()) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected type header %s.", optional.get()));
            }
            if (!rawJwt.d().equals(optional.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; expected type header %s, but got %s", optional.get(), rawJwt.d()));
            }
        } else if (optional2.isPresent() && !this.b) {
            throw new JwtInvalidException("invalid JWT; token has type header set, but validator not.");
        }
        Optional optional3 = this.c;
        if (optional3.isPresent()) {
            if (!jsonObject.has(MicrosoftIdToken.ISSUER)) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected issuer %s.", optional3.get()));
            }
            if (!rawJwt.c(MicrosoftIdToken.ISSUER).equals(optional3.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; expected issuer %s, but got %s", optional3.get(), rawJwt.c(MicrosoftIdToken.ISSUER)));
            }
        } else if (jsonObject.has(MicrosoftIdToken.ISSUER) && !this.f42411d) {
            throw new JwtInvalidException("invalid JWT; token has issuer set, but validator not.");
        }
        Optional optional4 = this.f42412e;
        if (optional4.isPresent()) {
            if (!jsonObject.has(MicrosoftIdToken.AUDIENCE) || !rawJwt.a().contains(optional4.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected audience %s.", optional4.get()));
            }
        } else if (jsonObject.has(MicrosoftIdToken.AUDIENCE) && !this.f42413f) {
            throw new JwtInvalidException("invalid JWT; token has audience set, but validator not.");
        }
        return new VerifiedJwt(rawJwt);
    }

    public String toString() {
        ArrayList arrayList = new ArrayList();
        Optional optional = this.f42410a;
        if (optional.isPresent()) {
            arrayList.add("expectedTypeHeader=" + ((String) optional.get()));
        }
        if (this.b) {
            arrayList.add("ignoreTypeHeader");
        }
        Optional optional2 = this.c;
        if (optional2.isPresent()) {
            arrayList.add("expectedIssuer=" + ((String) optional2.get()));
        }
        if (this.f42411d) {
            arrayList.add("ignoreIssuer");
        }
        Optional optional3 = this.f42412e;
        if (optional3.isPresent()) {
            arrayList.add("expectedAudience=" + ((String) optional3.get()));
        }
        if (this.f42413f) {
            arrayList.add("ignoreAudiences");
        }
        if (this.f42414g) {
            arrayList.add("allowMissingExpiration");
        }
        if (this.f42415h) {
            arrayList.add("expectIssuedInThePast");
        }
        Duration duration = this.f42417j;
        if (!duration.isZero()) {
            arrayList.add("clockSkew=" + duration);
        }
        StringBuilder sb = new StringBuilder("JwtValidator{");
        Iterator it = arrayList.iterator();
        String str = "";
        while (it.hasNext()) {
            String str2 = (String) it.next();
            sb.append(str);
            sb.append(str2);
            str = ",";
        }
        sb.append("}");
        return sb.toString();
    }
}
