package com.google.cloud.spring.security.firebase;

import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert;

/* loaded from: input_file:com/google/cloud/spring/security/firebase/FirebaseTokenValidator.class */
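/**
 * Validates the Firebase-specific claims of an already-decoded ID token: {@code aud} must contain
 * the configured project id, {@code sub} must be present and non-empty, and {@code iat} /
 * {@code auth_time} must not lie in the future beyond the allowed clock skew.
 *
 * <p>Expiry ({@code exp}) and issuer ({@code iss}) are NOT checked in this class; presumably they
 * are covered by other validators composed with this one — confirm against the configuration that
 * builds the decoder. Likewise the timestamp checks only reject future-dated claims; they put no
 * upper bound on how old {@code iat} or {@code auth_time} may be.
 *
 * <p>All four checks always run, so the returned result carries every problem found rather than
 * only the first. Each failure is reported as an {@code invalid_request} {@link OAuth2Error}.
 */
public class FirebaseTokenValidator implements OAuth2TokenValidator<Jwt> {
    private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS);
    private static final String OAUTH2_ERROR_URI = "https://tools.ietf.org/html/rfc6750#section-3.1";

    /** Firebase project id that the token's {@code aud} claim must contain. */
    private final String projectId;
    /** Tolerance added to "now" before a timestamp claim is treated as being in the future. */
    private final Duration clockSkew;
    // Nothing in this class reassigns the clock and there is no setter; it is left non-final in
    // case it is set reflectively elsewhere (e.g. by tests) — NOTE(review): confirm.
    private Clock clock = Clock.systemUTC();

    /**
     * Creates a validator with the default 60-second clock skew.
     *
     * @param str the Firebase project id; must not be {@code null}
     * @throws IllegalArgumentException if {@code str} is {@code null}
     */
    public FirebaseTokenValidator(String str) {
        this(str, DEFAULT_MAX_CLOCK_SKEW);
    }

    /**
     * Creates a validator with an explicit clock skew.
     *
     * @param str the Firebase project id; must not be {@code null}
     * @param duration tolerance applied to {@code iat} and {@code auth_time}; must not be {@code null}
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public FirebaseTokenValidator(String str, Duration duration) {
        Assert.notNull(str, "ProjectId can't be null");
        // A null skew used to surface only as a NullPointerException inside validate().
        Assert.notNull(duration, "Clock skew can't be null");
        this.projectId = str;
        this.clockSkew = duration;
    }

    /**
     * Runs every claim check and collects the resulting errors.
     *
     * @param jwt the decoded token to validate
     * @return a result carrying all errors found; with an empty error list the result reports
     *     {@code hasErrors() == false}, i.e. the token passes
     */
    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        List<OAuth2Error> errors = new ArrayList<>();
        // Order is kept as-is so callers see errors in the same sequence as before.
        validateAudience(errors, jwt);
        validateIssuedAt(errors, jwt);
        validateSubject(errors, jwt);
        validateAuthTime(errors, jwt);
        return OAuth2TokenValidatorResult.failure(errors);
    }

    /** Returns {@code true} when {@code claim} is later than now plus the configured skew. */
    private boolean isAfterNowPlusSkew(Instant claim) {
        return Instant.now(this.clock).plus(this.clockSkew).isBefore(claim);
    }

    /** Adds an {@code invalid_request} error with the given description to {@code list}. */
    private static void addError(List<OAuth2Error> list, String description) {
        list.add(new OAuth2Error("invalid_request", description, OAUTH2_ERROR_URI));
    }

    /** {@code iat} must be present and must not be in the future (beyond the skew). */
    private void validateIssuedAt(List<OAuth2Error> list, Jwt jwt) {
        Instant issuedAt = jwt.getIssuedAt();
        if (issuedAt == null || isAfterNowPlusSkew(issuedAt)) {
            addError(list, "iat claim header must be in the past");
        }
    }

    /** {@code sub} must be present and non-empty. */
    private void validateSubject(List<OAuth2Error> list, Jwt jwt) {
        String subject = jwt.getSubject();
        if (subject == null || subject.isEmpty()) {
            addError(list, "sub claim can not be empty");
        }
    }

    /** {@code auth_time} must be present and must not be in the future (beyond the skew). */
    private void validateAuthTime(List<OAuth2Error> list, Jwt jwt) {
        Instant authTime = jwt.getClaimAsInstant("auth_time");
        if (authTime == null || isAfterNowPlusSkew(authTime)) {
            addError(list, "auth_time claim header must be in the past");
        }
    }

    /** At least one {@code aud} entry must equal the configured project id. */
    private void validateAudience(List<OAuth2Error> list, Jwt jwt) {
        List<String> audience = jwt.getAudience();
        // contains() tolerates null elements, unlike the per-element equals() it replaces.
        if (audience == null || !audience.contains(this.projectId)) {
            addError(list, "This aud claim is not equal to the configured audience");
        }
    }
}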
