package com.google.cloud.spring.security.iap;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:com/google/cloud/spring/security/iap/AudienceValidator.class */
public class AudienceValidator implements OAuth2TokenValidator<Jwt>, InitializingBean {
    private static final Log LOGGER = LogFactory.getLog(AudienceValidator.class);
    private static final OAuth2Error INVALID_AUDIENCE = new OAuth2Error("invalid_request", "This aud claim is not equal to the configured audience", "https://tools.ietf.org/html/rfc6750#section-3.1");
    private final AudienceProvider audienceProvider;
    private String audience;
    private String[] audiences;

    public AudienceValidator(AudienceProvider audienceProvider) {
        Assert.notNull(audienceProvider, "Audience Provider cannot be null");
        this.audienceProvider = audienceProvider;
    }

    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        if (jwt.getAudience() != null) {
            for (String str : this.audiences) {
                if (jwt.getAudience().contains(str)) {
                    return OAuth2TokenValidatorResult.success();
                }
            }
        }
        if (LOGGER.isWarnEnabled()) {
            LOGGER.warn(String.format("Expected audience %s did not match token audience %s", this.audience, jwt.getAudience()));
        }
        return OAuth2TokenValidatorResult.failure(new OAuth2Error[]{INVALID_AUDIENCE});
    }

    public void afterPropertiesSet() throws Exception {
        this.audience = this.audienceProvider.getAudience();
        Assert.notNull(this.audience, "Audience cannot be null.");
        this.audiences = StringUtils.trimArrayElements(StringUtils.commaDelimitedListToStringArray(this.audience));
    }

    public String getAudience() {
        return this.audience;
    }
}
