package com.auth0;

import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import org.apache.commons.lang3.Validate;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/auth0/IdTokenVerifier.class */
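/**
 * Validates the claims of an OpenID Connect ID token after its signature has been checked.
 *
 * <p>Checks performed by {@link #verify(String, Options)}, in order: {@code iss}, {@code sub},
 * {@code aud}, optional organization ({@code org_id} / {@code org_name}), {@code exp},
 * presence of {@code iat}, optional {@code nonce}, {@code azp} when the token has several
 * audiences, and optional {@code auth_time} against a maximum age.
 *
 * <p>This listing is decompiler output; the decompiler reported that several members were
 * widened from package-private. Visibility below is kept exactly as emitted.
 */
public class IdTokenVerifier {
    /** Leeway, in seconds, applied to time-based checks when {@link Options#clockSkew} is unset. */
    private static final Integer DEFAULT_CLOCK_SKEW = 60;
    private static final String NONCE_CLAIM = "nonce";
    private static final String AZP_CLAIM = "azp";
    private static final String AUTH_TIME_CLAIM = "auth_time";

    /**
     * Expected values and tuning knobs for a single verification.
     *
     * <p>Issuer, audience and signature verifier are mandatory; every other field is optional
     * and the matching check is skipped while the field is {@code null}.
     */
    public static class Options {
        final String issuer;
        final String audience;
        final SignatureVerifier verifier;
        // Expected nonce; when null the nonce claim is not checked at all.
        String nonce;
        // Maximum seconds since auth_time; when null the auth_time claim is not checked.
        private Integer maxAge;
        // Leeway in seconds; DEFAULT_CLOCK_SKEW is used when null.
        Integer clockSkew;
        // Fixed "current time" for verification; the system time is used when null.
        Date clock;
        // Expected organization id ("org_" prefix) or organization name.
        String organization;

        /**
         * Creates the options with the three mandatory values.
         *
         * @param issuer expected {@code iss} claim, must not be null
         * @param audience expected {@code aud} entry, must not be null
         * @param signatureVerifier verifier used to check and decode the token, must not be null
         */
        public Options(String issuer, String audience, SignatureVerifier signatureVerifier) {
            Validate.notNull(issuer);
            Validate.notNull(audience);
            Validate.notNull(signatureVerifier);
            this.issuer = issuer;
            this.audience = audience;
            this.verifier = signatureVerifier;
        }

        /** Sets the nonce the token must carry; {@code null} disables the nonce check. */
        public void setNonce(String nonce) {
            this.nonce = nonce;
        }

        /** Sets the maximum age in seconds; {@code null} disables the {@code auth_time} check. */
        public void setMaxAge(Integer maxAge) {
            this.maxAge = maxAge;
        }

        /** Sets the leeway in seconds; {@code null} falls back to the default of 60 seconds. */
        public void setClockSkew(Integer clockSkew) {
            this.clockSkew = clockSkew;
        }

        /** Overrides the time treated as "now"; {@code null} means the system time. */
        void setClock(Date clock) {
            this.clock = clock;
        }

        /** Returns the configured maximum age in seconds, or {@code null} when unset. */
        public Integer getMaxAge() {
            return this.maxAge;
        }

        /** Sets the expected organization id or name; {@code null} disables the check. */
        public void setOrganization(String organization) {
            this.organization = organization;
        }
    }

    /**
     * Verifies the signature and the claims of an ID token against the given options.
     *
     * <p>Failure messages contain both the expected value and the value found in the token.
     * Callers that log or render them should treat the found value as token-supplied data.
     *
     * @param token the raw ID token
     * @param options expected values; must not be null
     * @throws TokenValidationException if the token is missing or any check fails
     */
    public void verify(String token, Options options) throws TokenValidationException {
        Validate.notNull(options);
        if (isEmpty(token)) {
            throw new TokenValidationException("ID token is required but missing");
        }

        // Signature first: no claim is read before the verifier has returned the decoded token.
        // NOTE(review): presumably verifySignature rejects a bad signature by throwing; confirm
        // in SignatureVerifier, which is not part of this file.
        DecodedJWT decoded = options.verifier.verifySignature(token);

        String issuerClaim = decoded.getIssuer();
        if (isEmpty(issuerClaim)) {
            throw new TokenValidationException("Issuer (iss) claim must be a string present in the ID token");
        }
        if (!issuerClaim.equals(options.issuer)) {
            throw new TokenValidationException(String.format("Issuer (iss) claim mismatch in the ID token, expected \"%s\", found \"%s\"", options.issuer, issuerClaim));
        }

        if (isEmpty(decoded.getSubject())) {
            throw new TokenValidationException("Subject (sub) claim must be a string present in the ID token");
        }

        List<String> audience = decoded.getAudience();
        if (audience == null) {
            throw new TokenValidationException("Audience (aud) claim must be a string or array of strings present in the ID token");
        }
        if (!audience.contains(options.audience)) {
            throw new TokenValidationException(String.format("Audience (aud) claim mismatch in the ID token; expected \"%s\" but found \"%s\"", options.audience, audience));
        }

        if (options.organization != null) {
            String expectedOrg = options.organization.trim();
            if (expectedOrg.startsWith("org_")) {
                // An "org_" prefix selects comparison by organization id (exact match).
                String orgId = decoded.getClaim("org_id").asString();
                if (isEmpty(orgId)) {
                    throw new TokenValidationException("Organization Id (org_id) claim must be a string present in the ID token");
                }
                if (!expectedOrg.equals(orgId)) {
                    throw new TokenValidationException(String.format("Organization (org_id) claim mismatch in the ID token; expected \"%s\" but found \"%s\"", options.organization, orgId));
                }
            } else {
                String orgName = decoded.getClaim("org_name").asString();
                if (isEmpty(orgName)) {
                    throw new TokenValidationException("Organization name (org_name) claim must be a string present in the ID token");
                }
                // Only the configured value is lower-cased; the claim is compared as received.
                // Locale.ROOT keeps the result independent of the JVM default locale, which
                // would otherwise change how some letters (e.g. "I" under a Turkish locale)
                // are lower-cased and make a valid token fail this comparison.
                if (!expectedOrg.toLowerCase(Locale.ROOT).equals(orgName)) {
                    throw new TokenValidationException(String.format("Organization (org_name) claim mismatch in the ID token; expected \"%s\" but found \"%s\"", options.organization, orgName));
                }
            }
        }

        Calendar calendar = Calendar.getInstance();
        Date now = options.clock != null ? options.clock : calendar.getTime();
        int clockSkew = options.clockSkew != null ? options.clockSkew : DEFAULT_CLOCK_SKEW;

        Date expiresAt = decoded.getExpiresAt();
        if (expiresAt == null) {
            throw new TokenValidationException("Expiration Time (exp) claim must be a number present in the ID token");
        }
        // The token stays acceptable until exp plus the leeway.
        calendar.setTime(expiresAt);
        calendar.add(Calendar.SECOND, clockSkew);
        Date expiryWithLeeway = calendar.getTime();
        if (now.after(expiryWithLeeway)) {
            throw new TokenValidationException(String.format("Expiration Time (exp) claim error in the ID token; current time (%d) is after expiration time (%d)", now.getTime() / 1000, expiryWithLeeway.getTime() / 1000));
        }

        // Only the presence of iat is enforced. The original also computed "iat minus leeway"
        // into the calendar but never compared it with anything, so that dead computation
        // is dropped here; an iat in the future is not rejected by this method.
        if (decoded.getIssuedAt() == null) {
            throw new TokenValidationException("Issued At (iat) claim must be a number present in the ID token");
        }

        if (options.nonce != null) {
            String nonceClaim = decoded.getClaim(NONCE_CLAIM).asString();
            if (isEmpty(nonceClaim)) {
                throw new TokenValidationException("Nonce (nonce) claim must be a string present in the ID token");
            }
            if (!options.nonce.equals(nonceClaim)) {
                throw new TokenValidationException(String.format("Nonce (nonce) claim mismatch in the ID token; expected \"%s\", found \"%s\"", options.nonce, nonceClaim));
            }
        }

        // With several audiences the token must name this client as the authorized party.
        if (audience.size() > 1) {
            String authorizedParty = decoded.getClaim(AZP_CLAIM).asString();
            if (isEmpty(authorizedParty)) {
                throw new TokenValidationException("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");
            }
            if (!options.audience.equals(authorizedParty)) {
                throw new TokenValidationException(String.format("Authorized Party (azp) claim mismatch in the ID token; expected \"%s\", found \"%s\"", options.audience, authorizedParty));
            }
        }

        if (options.maxAge != null) {
            Date authTime = decoded.getClaim(AUTH_TIME_CLAIM).asDate();
            if (authTime == null) {
                throw new TokenValidationException("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");
            }
            // Latest acceptable "now" is auth_time + max_age + leeway.
            calendar.setTime(authTime);
            calendar.add(Calendar.SECOND, options.maxAge);
            calendar.add(Calendar.SECOND, clockSkew);
            Date authDeadline = calendar.getTime();
            if (now.after(authDeadline)) {
                throw new TokenValidationException(String.format("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (%d) is after last auth at (%d)", now.getTime() / 1000, authDeadline.getTime() / 1000));
            }
        }
    }

    /** Returns {@code true} when the string is {@code null} or has zero length. */
    private boolean isEmpty(String str) {
        return str == null || str.isEmpty();
    }
}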
