package datahub.shaded.org.apache.kafka.common.security.oauthbearer.internals.secured;

import datahub.shaded.org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import datahub.shaded.org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerIllegalTokenException;
import datahub.shaded.org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredJws;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:datahub/shaded/org/apache/kafka/common/security/oauthbearer/internals/secured/LoginAccessTokenValidator.class */
public class LoginAccessTokenValidator implements AccessTokenValidator {
    private static final Logger log = LoggerFactory.getLogger(LoginAccessTokenValidator.class);
    public static final String EXPIRATION_CLAIM_NAME = "exp";
    public static final String ISSUED_AT_CLAIM_NAME = "iat";
    private final String scopeClaimName;
    private final String subClaimName;

    public LoginAccessTokenValidator(String str, String str2) {
        this.scopeClaimName = ClaimValidationUtils.validateClaimNameOverride("scope", str);
        this.subClaimName = ClaimValidationUtils.validateClaimNameOverride("sub", str2);
    }

    @Override // datahub.shaded.org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator
    public OAuthBearerToken validate(String str) throws ValidateException {
        try {
            Map<String, Object> map = OAuthBearerUnsecuredJws.toMap(new SerializedJwt(str).getPayload());
            Object claim = getClaim(map, this.scopeClaimName);
            Collection singletonList = claim instanceof String ? Collections.singletonList((String) claim) : claim instanceof Collection ? (Collection) claim : Collections.emptySet();
            Number number = (Number) getClaim(map, EXPIRATION_CLAIM_NAME);
            String str2 = (String) getClaim(map, this.subClaimName);
            Number number2 = (Number) getClaim(map, ISSUED_AT_CLAIM_NAME);
            return new BasicOAuthBearerToken(str, ClaimValidationUtils.validateScopes(this.scopeClaimName, singletonList), ClaimValidationUtils.validateExpiration(EXPIRATION_CLAIM_NAME, number != null ? Long.valueOf(number.longValue() * 1000) : null), ClaimValidationUtils.validateSubject(this.subClaimName, str2), ClaimValidationUtils.validateIssuedAt(ISSUED_AT_CLAIM_NAME, number2 != null ? Long.valueOf(number2.longValue() * 1000) : null));
        } catch (OAuthBearerIllegalTokenException e) {
            throw new ValidateException(String.format("Could not validate the access token: %s", e.getMessage()), e);
        }
    }

    private Object getClaim(Map<String, Object> map, String str) {
        Object obj = map.get(str);
        log.debug("getClaim - {}: {}", str, obj);
        return obj;
    }
}
