package com.google.crypto.tink.jwt;

import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.Immutable;
import defpackage.dg0;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;

@Immutable
/* loaded from: classes4.dex */
public final class JwtValidator {
    public static final Duration k = Duration.ofMinutes(10);
    public final Optional<String> a;
    public final boolean b;
    public final Optional<String> c;
    public final boolean d;
    public final Optional<String> e;
    public final boolean f;
    public final boolean g;
    public final boolean h;
    public final Clock i;
    public final Duration j;

    /* loaded from: classes4.dex */
    public static final class Builder {
        public Optional<String> a;
        public boolean b;
        public Optional<String> c;
        public boolean d;
        public Optional<String> e;
        public boolean f;
        public boolean g;
        public boolean h;
        public Clock i;
        public Duration j;

        public Builder() {
            this.i = Clock.systemUTC();
            this.j = Duration.ZERO;
            this.a = Optional.empty();
            this.b = false;
            this.c = Optional.empty();
            this.d = false;
            this.e = Optional.empty();
            this.f = false;
            this.g = false;
            this.h = false;
        }

        @CanIgnoreReturnValue
        public Builder allowMissingExpiration() {
            this.g = true;
            return this;
        }

        public JwtValidator build() {
            if (this.b && this.a.isPresent()) {
                throw new IllegalArgumentException("ignoreTypeHeader() and expectedTypeHeader() cannot be used together.");
            }
            if (this.d && this.c.isPresent()) {
                throw new IllegalArgumentException("ignoreIssuer() and expectedIssuer() cannot be used together.");
            }
            if (this.f && this.e.isPresent()) {
                throw new IllegalArgumentException("ignoreAudiences() and expectedAudience() cannot be used together.");
            }
            return new JwtValidator(this);
        }

        @CanIgnoreReturnValue
        public Builder expectAudience(String str) {
            Objects.requireNonNull(str, "audience cannot be null");
            this.e = Optional.of(str);
            return this;
        }

        @CanIgnoreReturnValue
        public Builder expectIssuedInThePast() {
            this.h = true;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder expectIssuer(String str) {
            Objects.requireNonNull(str, "issuer cannot be null");
            this.c = Optional.of(str);
            return this;
        }

        @CanIgnoreReturnValue
        public Builder expectTypeHeader(String str) {
            Objects.requireNonNull(str, "typ header cannot be null");
            this.a = Optional.of(str);
            return this;
        }

        @CanIgnoreReturnValue
        public Builder ignoreAudiences() {
            this.f = true;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder ignoreIssuer() {
            this.d = true;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder ignoreTypeHeader() {
            this.b = true;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setClock(Clock clock) {
            Objects.requireNonNull(clock, "clock cannot be null");
            this.i = clock;
            return this;
        }

        @CanIgnoreReturnValue
        public Builder setClockSkew(Duration duration) {
            if (duration.compareTo(JwtValidator.k) > 0) {
                throw new IllegalArgumentException("Clock skew too large, max is 10 minutes");
            }
            this.j = duration;
            return this;
        }
    }

    public JwtValidator(Builder builder) {
        this.a = builder.a;
        this.b = builder.b;
        this.c = builder.c;
        this.d = builder.d;
        this.e = builder.e;
        this.f = builder.f;
        this.g = builder.g;
        this.h = builder.h;
        this.i = builder.i;
        this.j = builder.j;
    }

    public static Builder newBuilder() {
        return new Builder();
    }

    public VerifiedJwt b(RawJwt rawJwt) throws JwtInvalidException {
        e(rawJwt);
        f(rawJwt);
        d(rawJwt);
        c(rawJwt);
        return new VerifiedJwt(rawJwt);
    }

    public final void c(RawJwt rawJwt) throws JwtInvalidException {
        if (this.e.isPresent()) {
            if (!rawJwt.s() || !rawJwt.c().contains(this.e.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected audience %s.", this.e.get()));
            }
        } else if (rawJwt.s() && !this.f) {
            throw new JwtInvalidException("invalid JWT; token has audience set, but validator not.");
        }
    }

    public final void d(RawJwt rawJwt) throws JwtInvalidException {
        if (!this.c.isPresent()) {
            if (rawJwt.w() && !this.d) {
                throw new JwtInvalidException("invalid JWT; token has issuer set, but validator not.");
            }
        } else {
            if (!rawJwt.w()) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected issuer %s.", this.c.get()));
            }
            if (!rawJwt.h().equals(this.c.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; expected issuer %s, but got %s", this.c.get(), rawJwt.h()));
            }
        }
    }

    public final void e(RawJwt rawJwt) throws JwtInvalidException {
        Instant instant = this.i.instant();
        if (!rawJwt.u() && !this.g) {
            throw new JwtInvalidException("token does not have an expiration set");
        }
        if (rawJwt.u() && !rawJwt.e().isAfter(instant.minus((TemporalAmount) this.j))) {
            StringBuilder a2 = dg0.a("token has expired since ");
            a2.append(rawJwt.e());
            throw new JwtInvalidException(a2.toString());
        }
        if (rawJwt.A() && rawJwt.m().isAfter(instant.plus((TemporalAmount) this.j))) {
            StringBuilder a3 = dg0.a("token cannot be used before ");
            a3.append(rawJwt.m());
            throw new JwtInvalidException(a3.toString());
        }
        if (this.h) {
            if (!rawJwt.v()) {
                throw new JwtInvalidException("token does not have an iat claim");
            }
            if (rawJwt.g().isAfter(instant.plus((TemporalAmount) this.j))) {
                StringBuilder a4 = dg0.a("token has a invalid iat claim in the future: ");
                a4.append(rawJwt.g());
                throw new JwtInvalidException(a4.toString());
            }
        }
    }

    public final void f(RawJwt rawJwt) throws JwtInvalidException {
        if (!this.a.isPresent()) {
            if (rawJwt.E() && !this.b) {
                throw new JwtInvalidException("invalid JWT; token has type header set, but validator not.");
            }
        } else {
            if (!rawJwt.E()) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected type header %s.", this.a.get()));
            }
            if (!rawJwt.r().equals(this.a.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; expected type header %s, but got %s", this.a.get(), rawJwt.r()));
            }
        }
    }

    public String toString() {
        ArrayList arrayList = new ArrayList();
        if (this.a.isPresent()) {
            StringBuilder a2 = dg0.a("expectedTypeHeader=");
            a2.append(this.a.get());
            arrayList.add(a2.toString());
        }
        if (this.b) {
            arrayList.add("ignoreTypeHeader");
        }
        if (this.c.isPresent()) {
            StringBuilder a3 = dg0.a("expectedIssuer=");
            a3.append(this.c.get());
            arrayList.add(a3.toString());
        }
        if (this.d) {
            arrayList.add("ignoreIssuer");
        }
        if (this.e.isPresent()) {
            StringBuilder a4 = dg0.a("expectedAudience=");
            a4.append(this.e.get());
            arrayList.add(a4.toString());
        }
        if (this.f) {
            arrayList.add("ignoreAudiences");
        }
        if (this.g) {
            arrayList.add("allowMissingExpiration");
        }
        if (this.h) {
            arrayList.add("expectIssuedInThePast");
        }
        if (!this.j.isZero()) {
            StringBuilder a5 = dg0.a("clockSkew=");
            a5.append(this.j);
            arrayList.add(a5.toString());
        }
        StringBuilder a6 = dg0.a("JwtValidator{");
        Iterator it = arrayList.iterator();
        String str = "";
        while (it.hasNext()) {
            String str2 = (String) it.next();
            a6.append(str);
            a6.append(str2);
            str = ",";
        }
        a6.append("}");
        return a6.toString();
    }
}
