package io.confluent.security.authentication.oauthbearer;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import org.jose4j.jws.JsonWebSignature;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JkuDomainWhitelist.class */
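/**
 * Constraint that accepts a JWS only when its {@code jku} (JWK Set URL) header is an HTTPS URL
 * whose host is on a configured domain allowlist.
 *
 * <p>Allowlist entries are interpreted in two ways:
 * <ul>
 *   <li>an entry that starts with {@code "."} (for example {@code ".example.com"}) is a suffix
 *       rule: it matches any host ending with that string, but not the bare apex domain;</li>
 *   <li>any other entry must equal the host exactly.</li>
 * </ul>
 * The leading dot is what keeps a suffix rule on a DNS label boundary, so entries meant to cover
 * sub-domains must be configured with it.
 *
 * <p>Only the scheme and host are constrained. Port, path, query and user-info of the URL are not
 * inspected here.
 *
 * <p>NOTE(review): this check runs on the header string. The component that later downloads the
 * key set is not visible in this file; confirm that it connects to the same host that was
 * validated here (same URL parser, redirects to other hosts not followed).
 */
final class JkuDomainWhitelist implements Constraint {
    /** Immutable, lower-cased snapshot of the configured allowlist entries. */
    private final List<String> domainWhitelist;

    /**
     * Creates the constraint from the configured allowlist.
     *
     * <p>The list is copied so that later changes to the caller's list cannot alter which key
     * locations are trusted. Entries are lower-cased because the host is lower-cased before the
     * comparison; without this an entry containing upper-case letters could never match.
     * A {@code null} list or {@code null} entries result in fewer (possibly zero) allowed
     * domains, so the constraint fails closed instead of throwing during token validation.
     *
     * @param list allowed hosts and {@code "."}-prefixed domain suffixes; may be {@code null}
     */
    public JkuDomainWhitelist(List<String> list) {
        List<String> normalized = new ArrayList<>();
        if (list != null) {
            for (String entry : list) {
                if (entry != null) {
                    normalized.add(entry.toLowerCase(Locale.US));
                }
            }
        }
        this.domainWhitelist = Collections.unmodifiableList(normalized);
    }

    /**
     * Rejects the signature unless its {@code jku} header passes {@link #hasValidJkuDomain}.
     *
     * @param jsonWebSignature the JWS whose headers are inspected
     * @throws KeyConstraintException if the {@code jku} header is not an allowlisted HTTPS URL
     */
    @Override
    public void validate(JsonWebSignature jsonWebSignature) throws KeyConstraintException {
        // Presumably null when the header is absent; null is rejected below.
        String jku = jsonWebSignature.getHeaders().getStringHeaderValue("jku");
        if (!hasValidJkuDomain(jku)) {
            // The header comes from the (still unverified) token, so this message carries
            // untrusted text; neutralise control characters wherever it is logged or displayed.
            throw new KeyConstraintException("Invalid jku: " + jku);
        }
    }

    /**
     * Tells whether the given {@code jku} value is an HTTPS URL with an allowlisted host.
     *
     * @param str the raw {@code jku} header value; may be {@code null}
     * @return {@code true} only if the value parses as a URL, its scheme is {@code https}
     *     (case-insensitive) and its lower-cased host matches an allowlist entry; {@code false}
     *     otherwise, including for {@code null} or unparsable input
     */
    public boolean hasValidJkuDomain(String str) {
        if (str == null) {
            return false;
        }
        final URL url;
        try {
            url = new URL(str);
        } catch (MalformedURLException e) {
            // Unparsable or unknown-scheme values are never trusted.
            return false;
        }
        if (!url.getProtocol().equalsIgnoreCase("https")) {
            return false;
        }
        String host = url.getHost().toLowerCase(Locale.US);
        for (String allowed : this.domainWhitelist) {
            boolean suffixMatch = allowed.startsWith(".") && host.endsWith(allowed);
            if (suffixMatch || host.equals(allowed)) {
                return true;
            }
        }
        return false;
    }
}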
