package org.ameba.oauth2.tenant;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwt;
import java.util.Optional;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.ameba.Constants;
import org.ameba.oauth2.InvalidTokenException;
import org.ameba.oauth2.JwtValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/ameba-lib-3.0.jar:org/ameba/oauth2/tenant/TenantValidator.class */
public class TenantValidator implements JwtValidator {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) TenantValidator.class);
    private final TenantRepository repository;

    @Inject
    public TenantValidator(TenantRepository tenantRepository) {
        this.repository = tenantRepository;
    }

    @Override // org.ameba.oauth2.JwtValidator
    public void validate(Jwt jwt, HttpServletRequest httpServletRequest) {
        if (!(jwt instanceof Jws)) {
            throw new InvalidTokenException("Only signed JWT are supported");
        }
        Jws jws = (Jws) jwt;
        String issuer = ((Claims) jws.getBody()).getIssuer();
        Optional<TenantEO> findByHash = this.repository.findByHash(httpServletRequest.getHeader(Constants.HEADER_VALUE_X_TENANT));
        if (!findByHash.isPresent()) {
            throw new InvalidTokenException("Tenant not registered");
        }
        if (!findByHash.get().sameRealm(issuer.substring(issuer.lastIndexOf("/") + 1))) {
            throw new InvalidTokenException("The issue does not match the configured REALM for the Tenant");
        }
        if (!findByHash.get().getName().equals(((Claims) jws.getBody()).getAudience())) {
            throw new InvalidTokenException("The token has been issued for some other audience, is the token leaked or replayed?");
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("{} has been translated into [{}]", Constants.HEADER_VALUE_X_TENANT, findByHash.get().getName());
        }
        httpServletRequest.setAttribute(Constants.HEADER_VALUE_X_TENANT, findByHash.get().getName());
    }
}
