package io.confluent.kafka.clients.plugins.auth.oauth.internals;

import java.util.Collections;
import java.util.Map;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
import org.apache.kafka.common.security.oauthbearer.internals.secured.BasicOAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.internals.secured.SerializedJwt;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerIllegalTokenException;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredJws;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/oauth/internals/SpireJwtTokenLoginValidator.class */
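public class SpireJwtTokenLoginValidator implements AccessTokenValidator {
    private static final Logger log = LoggerFactory.getLogger(SpireJwtTokenLoginValidator.class);
    public static final String EXPIRATION_CLAIM_NAME = "exp";
    public static final String ISSUED_AT_CLAIM_NAME = "iat";
    public static final String SUBJECT_CLAIM_NAME = "sub";

    /** Numeric-date claims are in seconds since the epoch; the token API wants milliseconds. */
    private static final long MILLIS_PER_SECOND = 1000L;

    /**
     * Parses a serialized JWT and checks the {@code exp}, {@code sub} and {@code iat} claims.
     *
     * <p>Only the payload section is decoded ({@link OAuthBearerUnsecuredJws#toMap}); the
     * signature section is not verified here, so every claim is taken as presented in the
     * token. The checks performed are: {@code exp} is a non-negative number in the future,
     * {@code sub} is a string starting with {@code spiffe}, and {@code iat} is a non-negative
     * number not in the future. Claims are checked in that order, so the first failing claim
     * determines the exception message.
     *
     * @param str the serialized JWT (header.payload.signature)
     * @return a token carrying the expiration (ms), the subject as principal name, the
     *         issued-at time (ms) and an empty scope set
     * @throws ValidateException if the token cannot be parsed or any checked claim is
     *         missing, malformed, expired or issued in the future
     */
    @Override // org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator
    public OAuthBearerToken validate(String str) throws ValidateException {
        try {
            Map<String, Object> claims = OAuthBearerUnsecuredJws.toMap(new SerializedJwt(str).getPayload());
            // Keep the original evaluation order (exp, sub, iat) so the same claim fails first.
            long expirationMs = validateExpiration(getClaim(claims, EXPIRATION_CLAIM_NAME));
            String subject = validateSubject(getClaim(claims, SUBJECT_CLAIM_NAME));
            long issuedAtMs = validateIat(getClaim(claims, ISSUED_AT_CLAIM_NAME));
            return new BasicOAuthBearerToken(str, Collections.emptySet(), expirationMs, subject, issuedAtMs);
        } catch (OAuthBearerIllegalTokenException e) {
            throw new ValidateException(String.format("Could not validate the access token: %s", e.getMessage()), e);
        }
    }

    /**
     * Converts the {@code exp} claim to epoch milliseconds and rejects tokens already expired.
     *
     * @param obj the raw claim value
     * @return expiration time in milliseconds since the epoch
     * @throws ValidateException if the claim is missing, non-numeric, negative, out of range
     *         or not strictly in the future
     */
    private long validateExpiration(Object obj) {
        long expirationMs = toEpochMillis(EXPIRATION_CLAIM_NAME, obj);
        if (System.currentTimeMillis() >= expirationMs) {
            throw new ValidateException("Token has expired");
        }
        return expirationMs;
    }

    /**
     * Checks that the {@code sub} claim is a string that looks like a SPIFFE ID.
     *
     * @param obj the raw claim value
     * @return the subject, unchanged
     * @throws ValidateException if the claim is missing, not a string, or lacks the prefix
     */
    private String validateSubject(Object obj) {
        validateNonNullClaim(SUBJECT_CLAIM_NAME, obj);
        if (!(obj instanceof String)) {
            throw new ValidateException("sub value must be a string");
        }
        String subject = (String) obj;
        // NOTE(review): only the literal prefix "spiffe" is checked, so any subject beginning
        // with those letters passes, not just "spiffe://" URIs. Confirm with the callers
        // whether the scheme separator should be required before tightening this.
        if (!subject.startsWith("spiffe")) {
            throw new ValidateException("sub value must be a spiffe id");
        }
        return subject;
    }

    /**
     * Converts the {@code iat} claim to epoch milliseconds and rejects tokens issued in the future.
     *
     * @param obj the raw claim value
     * @return issued-at time in milliseconds since the epoch
     * @throws ValidateException if the claim is missing, non-numeric, negative, out of range
     *         or later than the current time
     */
    private long validateIat(Object obj) {
        long issuedAtMs = toEpochMillis(ISSUED_AT_CLAIM_NAME, obj);
        if (System.currentTimeMillis() < issuedAtMs) {
            throw new ValidateException("iat has future value");
        }
        return issuedAtMs;
    }

    /**
     * Shared validation for numeric-date claims: present, numeric, non-negative, and
     * convertible to milliseconds without overflow.
     *
     * @param claimName the claim name, used in error messages
     * @param obj the raw claim value
     * @return the claim value in milliseconds since the epoch
     * @throws ValidateException on any violation; an overflow of the seconds-to-milliseconds
     *         conversion is reported instead of silently wrapping to a negative value
     */
    private long toEpochMillis(String claimName, Object obj) {
        validateNonNullClaim(claimName, obj);
        if (!(obj instanceof Number)) {
            throw new ValidateException(claimName + " value must be a number");
        }
        long seconds = ((Number) obj).longValue();
        if (seconds < 0) {
            throw new ValidateException(claimName + " value must be non-negative");
        }
        try {
            // Plain multiplication wraps for very large values; a wrapped negative iat would
            // otherwise pass the "not in the future" check, so fail closed instead.
            return Math.multiplyExact(seconds, MILLIS_PER_SECOND);
        } catch (ArithmeticException e) {
            throw new ValidateException(claimName + " value is out of range", e);
        }
    }

    /**
     * Rejects an absent claim.
     *
     * @param str the claim name, used in the error message
     * @param obj the raw claim value
     * @throws ValidateException if {@code obj} is {@code null}
     */
    private void validateNonNullClaim(String str, Object obj) {
        if (obj == null) {
            throw new ValidateException(String.format("%s value must be non-null", str));
        }
    }

    /**
     * Reads one claim from the decoded payload, logging its raw value at debug level.
     *
     * @param map the decoded payload claims
     * @param str the claim name
     * @return the claim value, or {@code null} if absent
     */
    private Object getClaim(Map<String, Object> map, String str) {
        Object obj = map.get(str);
        log.debug("getClaim - {}: {}", str, obj);
        return obj;
    }
}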
