package io.camunda.connector.runtime.saas.security;

import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;

/* loaded from: input_file:io/camunda/connector/runtime/saas/security/OrganizationIdAndRolesValidator.class */
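/**
 * Authorization check on the {@code https://camunda.com/orgs} claim of a JWT.
 *
 * <p>A token is accepted only when the claim contains an entry whose {@code id} equals the
 * configured organization id and whose {@code roles} list contains at least one of the allowed
 * roles. Every other shape of the claim (missing, not a list, entries that are not maps, roles
 * that are not a list) is rejected with an {@code invalid_token} error instead of letting a
 * {@link ClassCastException} or {@link NullPointerException} escape from {@link #validate(Jwt)}.
 *
 * <p>This class only inspects the claim. NOTE(review): it presumably runs after the decoder has
 * verified signature, issuer and expiry; confirm that it is registered together with those
 * validators and never used as the sole check.
 */
public class OrganizationIdAndRolesValidator implements OAuth2TokenValidator<Jwt> {
    private static final String ORGS_CLAIM = "https://camunda.com/orgs";
    private static final String ORGS_CLAIM_ID_KEY = "id";
    private static final String ORGS_CLAIM_ROLES_KEY = "roles";
    private static final String INVALID_TOKEN = "invalid_token";

    private final String organizationId;
    private final List<String> allowedRoles;

    /**
     * Creates a validator bound to one organization and one set of acceptable roles.
     *
     * <p>The decompiler reports that this constructor was package-private in the original class;
     * the visibility shown in the listing is kept.
     *
     * @param organizationId organization id an entry of the claim must carry
     * @param allowedRoles roles of which the matching entry must hold at least one
     * @throws NullPointerException if either argument is {@code null}; failing here rather than
     *     on the first token keeps a misconfigured validator from ever being put into service
     */
    public OrganizationIdAndRolesValidator(String organizationId, List<String> allowedRoles) {
        this.organizationId = Objects.requireNonNull(organizationId, "organizationId");
        this.allowedRoles = Objects.requireNonNull(allowedRoles, "allowedRoles");
    }

    /**
     * Checks the organizations claim of the given token.
     *
     * @param jwt the token to inspect
     * @return success when the configured organization is present with an allowed role,
     *     otherwise a failure carrying an {@code invalid_token} error
     */
    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Object orgsClaim = jwt.getClaim(ORGS_CLAIM);
        if (orgsClaim == null) {
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error(
                            INVALID_TOKEN,
                            "The required 'https://camunda.com/orgs' claim is missing",
                            null));
        }
        if (grantsAllowedRole(orgsClaim)) {
            return OAuth2TokenValidatorResult.success();
        }
        // NOTE(review): this description names the configured organization id and the full
        // allowed-role list. Depending on how the resource server renders OAuth2 errors it may
        // reach the caller; confirm that this is acceptable or log the detail server-side only.
        return OAuth2TokenValidatorResult.failure(
                new OAuth2Error(
                        INVALID_TOKEN,
                        "The 'https://camunda.com/orgs' claim has no id matching the organization id: ["
                                + this.organizationId
                                + "] or the roles are not in the allowed roles: "
                                + this.allowedRoles,
                        null));
    }

    /**
     * Returns whether the claim value holds an entry for the configured organization that lists
     * at least one allowed role. Anything that does not have the expected list-of-maps shape is
     * skipped, so a malformed claim can only lead to a rejection.
     */
    private boolean grantsAllowedRole(Object orgsClaim) {
        if (!(orgsClaim instanceof List)) {
            return false;
        }
        for (Object entry : (List<?>) orgsClaim) {
            if (!(entry instanceof Map)) {
                continue;
            }
            Map<?, ?> organization = (Map<?, ?>) entry;
            // Roles of other organizations in the same token must never count.
            if (!this.organizationId.equals(organization.get(ORGS_CLAIM_ID_KEY))) {
                continue;
            }
            Object roles = organization.get(ORGS_CLAIM_ROLES_KEY);
            if (!(roles instanceof List)) {
                continue;
            }
            for (Object role : (List<?>) roles) {
                // The type check also keeps null away from null-hostile list implementations.
                if (role instanceof String && this.allowedRoles.contains(role)) {
                    return true;
                }
            }
        }
        return false;
    }
}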
