package org.apache.kafka.common.security.oauthbearer.internals.unsecured;

import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;

/* loaded from: input_file:BOOT-INF/lib/kafka-clients-2.8.0.jar:org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerValidationUtils.class */
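/**
 * Static helpers that check individual claims of an OAuth bearer token: claim presence and
 * type, the Issued At / Expiration Time window, and required scope.
 *
 * <p>Nothing in this class verifies a signature or any other proof of integrity. The token
 * type it operates on is {@code OAuthBearerUnsecuredJws}, so a successful result here only
 * says the claims are well-formed and within the time window. It does not say who issued them.
 *
 * <p>Time claims are read as seconds (they are multiplied by 1000 before comparison), while
 * the reference time and the clock skew are taken in milliseconds, as the failure messages state.
 */
public class OAuthBearerValidationUtils {
    /**
     * Checks that a claim exists (when required) and that its raw value is an instance of one
     * of the accepted types.
     *
     * @param oAuthBearerUnsecuredJws the token to inspect; must not be null
     * @param z whether the claim is required; a missing optional claim is a success
     * @param str the claim name; must not be null
     * @param clsArr the accepted types; null entries are skipped
     * @return success if the claim is absent and optional, or present with an accepted type;
     *         otherwise a failure describing the problem
     * @throws NullPointerException if the token or the claim name is null
     */
    public static OAuthBearerValidationResult validateClaimForExistenceAndType(OAuthBearerUnsecuredJws oAuthBearerUnsecuredJws, boolean z, String str, Class<?>... clsArr) {
        Object rawClaim = Objects.requireNonNull(oAuthBearerUnsecuredJws).rawClaim(Objects.requireNonNull(str));
        if (rawClaim == null) {
            // Same result and message as the other "claim missing" paths in this class.
            return doesNotExistResult(z, str);
        }
        Class<?> actualType = rawClaim.getClass();
        for (Class<?> accepted : clsArr) {
            if (accepted != null && accepted.isAssignableFrom(actualType)) {
                return OAuthBearerValidationResult.newSuccess();
            }
        }
        return OAuthBearerValidationResult.newFailure(String.format("The %s claim had the incorrect type: %s", str, actualType.getSimpleName()));
    }

    /**
     * Checks that the Issued At ({@code iat}) claim is not later than the reference time plus
     * the allowed clock skew.
     *
     * @param oAuthBearerUnsecuredJws the token to inspect; must not be null
     * @param z whether the claim is required; a missing optional claim is a success
     * @param j the reference time in milliseconds
     * @param i the allowable clock skew in milliseconds; must not be negative
     * @return success, a failure describing the problem, or the reason carried by an
     *         {@code OAuthBearerIllegalTokenException} raised while reading the claim
     * @throws OAuthBearerConfigException if the clock skew is negative (only checked once the
     *         claim has been found)
     */
    public static OAuthBearerValidationResult validateIssuedAt(OAuthBearerUnsecuredJws oAuthBearerUnsecuredJws, boolean z, long j, int i) throws OAuthBearerConfigException {
        try {
            Number issuedAt = Objects.requireNonNull(oAuthBearerUnsecuredJws).issuedAt();
            if (issuedAt == null) {
                return doesNotExistResult(z, "iat");
            }
            double issuedAtSeconds = issuedAt.doubleValue();
            double latestAcceptableMs = (double) (j + ((long) confirmNonNegative(i)));
            // Written as a positive "is acceptable" test so that a NaN claim value, for which
            // every comparison is false, is rejected instead of slipping through as valid.
            boolean acceptable = 1000.0d * issuedAtSeconds <= latestAcceptableMs;
            if (acceptable) {
                return OAuthBearerValidationResult.newSuccess();
            }
            return OAuthBearerValidationResult.newFailure(String.format("The Issued At value (%f seconds) was after the indicated time (%d ms) plus allowable clock skew (%d ms)", issuedAtSeconds, j, i));
        } catch (OAuthBearerIllegalTokenException e) {
            return e.reason();
        }
    }

    /**
     * Checks that the Expiration Time ({@code exp}) claim is present and lies strictly after
     * the reference time minus the allowed clock skew.
     *
     * @param oAuthBearerUnsecuredJws the token to inspect; must not be null
     * @param j the reference time in milliseconds
     * @param i the allowable clock skew in milliseconds; must not be negative
     * @return success, a failure describing the problem (including a missing claim, which is
     *         always treated as required), or the reason carried by an
     *         {@code OAuthBearerIllegalTokenException} raised while reading the claim
     * @throws OAuthBearerConfigException if the clock skew is negative (only checked once the
     *         claim has been found)
     */
    public static OAuthBearerValidationResult validateExpirationTime(OAuthBearerUnsecuredJws oAuthBearerUnsecuredJws, long j, int i) throws OAuthBearerConfigException {
        try {
            Number expirationTime = Objects.requireNonNull(oAuthBearerUnsecuredJws).expirationTime();
            if (expirationTime == null) {
                // Literal claim name, so this class does not depend on an unrelated library's
                // constant that merely holds the same string.
                return doesNotExistResult(true, "exp");
            }
            double expirationSeconds = expirationTime.doubleValue();
            double earliestAcceptableMs = (double) (j - ((long) confirmNonNegative(i)));
            // Fail closed: a NaN expiration makes this comparison false, so the token is
            // rejected. validateTimeConsistency already treats NaN the same way.
            boolean stillValid = 1000.0d * expirationSeconds > earliestAcceptableMs;
            if (stillValid) {
                return OAuthBearerValidationResult.newSuccess();
            }
            return OAuthBearerValidationResult.newFailure(String.format("The indicated time (%d ms) minus allowable clock skew (%d ms) was on or after the Expiration Time value (%f seconds)", j, i, expirationSeconds));
        } catch (OAuthBearerIllegalTokenException e) {
            return e.reason();
        }
    }

    /**
     * Checks that, when both are present, the Expiration Time is strictly after the Issued At
     * time. If either claim is absent there is nothing to compare and the result is success.
     *
     * @param oAuthBearerUnsecuredJws the token to inspect; must not be null
     * @return success, a failure describing the problem, or the reason carried by an
     *         {@code OAuthBearerIllegalTokenException} raised while reading the claims
     */
    public static OAuthBearerValidationResult validateTimeConsistency(OAuthBearerUnsecuredJws oAuthBearerUnsecuredJws) {
        try {
            Number issuedAt = Objects.requireNonNull(oAuthBearerUnsecuredJws).issuedAt();
            Number expirationTime = oAuthBearerUnsecuredJws.expirationTime();
            if (expirationTime == null || issuedAt == null) {
                return OAuthBearerValidationResult.newSuccess();
            }
            double expirationSeconds = expirationTime.doubleValue();
            double issuedAtSeconds = issuedAt.doubleValue();
            if (expirationSeconds > issuedAtSeconds) {
                return OAuthBearerValidationResult.newSuccess();
            }
            return OAuthBearerValidationResult.newFailure(String.format("The Expiration Time time (%f seconds) was not after the Issued At time (%f seconds)", expirationSeconds, issuedAtSeconds));
        } catch (OAuthBearerIllegalTokenException e) {
            return e.reason();
        }
    }

    /**
     * Checks that the token's scope contains every required scope element.
     *
     * @param oAuthBearerToken the token whose scope is read; must not be null
     * @param list the required scope elements; null or empty means nothing is required
     * @return success if nothing is required or every required element is present; otherwise
     *         a failure naming the first missing element, created with the required list
     *         rendered as a string and a null third argument
     */
    public static OAuthBearerValidationResult validateScope(OAuthBearerToken oAuthBearerToken, List<String> list) {
        // The scope is read before the "nothing required" shortcut, so a null token is
        // reported even when no scope is required.
        Set<String> tokenScope = oAuthBearerToken.scope();
        if (list == null || list.isEmpty()) {
            return OAuthBearerValidationResult.newSuccess();
        }
        for (String required : list) {
            if (!tokenScope.contains(required)) {
                // Message text (including its spelling) is kept byte-for-byte.
                return OAuthBearerValidationResult.newFailure(String.format("The provided scope (%s) was mising a required scope (%s).  All required scope elements: %s", String.valueOf(tokenScope), required, list.toString()), list.toString(), null);
            }
        }
        return OAuthBearerValidationResult.newSuccess();
    }

    /**
     * Returns the clock skew unchanged after rejecting negative values.
     *
     * @throws OAuthBearerConfigException if {@code i} is negative
     */
    private static int confirmNonNegative(int i) throws OAuthBearerConfigException {
        if (i < 0) {
            throw new OAuthBearerConfigException(String.format("Allowable clock skew must not be negative: %d", i));
        }
        return i;
    }

    /** Result for an absent claim: a failure when the claim is required, otherwise success. */
    private static OAuthBearerValidationResult doesNotExistResult(boolean z, String str) {
        if (z) {
            return OAuthBearerValidationResult.newFailure(String.format("Required claim missing: %s", str));
        }
        return OAuthBearerValidationResult.newSuccess();
    }

    /** Not instantiable: static helpers only. */
    private OAuthBearerValidationUtils() {
    }
}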
