package io.helidon.security.jwt;

import io.helidon.common.Errors;
import io.helidon.security.jwt.jwk.Jwk;
import io.helidon.security.jwt.jwk.JwkPki;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

/* loaded from: input_file:io/helidon/security/jwt/CriticalValidator.class */
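/**
 * Validates the {@code crit} (critical) header of a JWT.
 *
 * <p>The checks run in a fixed order and stop at the first one that records a fatal error:
 * the list must not be empty, every listed name must be present among the token's header
 * claims, the list must not contain duplicates, it must not name a header from the
 * deny-list {@link #INVALID_CRIT_HEADERS}, and every listed name must be claimed by a
 * header-scoped {@link ClaimValidator} passed to {@link #validate}.
 *
 * <p>The failure messages echo names taken from the token itself, so anything that logs or
 * displays them should treat that text as untrusted input.
 */
final class CriticalValidator implements ClaimValidator {
    /**
     * Header parameter names that are rejected when they appear inside {@code crit}.
     *
     * <p>Built through {@code Set.copyOf} over a list so that two constants sharing a value
     * are de-duplicated instead of failing class initialisation.
     *
     * <p>NOTE(review): the {@code Jwk}/{@code JwkPki} constants are presumably the header names
     * {@code alg}, {@code enc}, {@code kid}, {@code x5u}, {@code x5c}, {@code x5t} and
     * {@code x5t#S256}; their values are not visible here - confirm against those classes.
     *
     * <p>NOTE(review): RFC 7518 also defines {@code iv}, {@code tag}, {@code p2s} and
     * {@code p2c} as JWE header parameters. They are not in this set, so a token listing one
     * of them in {@code crit} is only rejected when no header validator claims it - confirm
     * that the omission is intentional.
     */
    private static final Set<String> INVALID_CRIT_HEADERS = Set.copyOf(List.of(
            Jwk.PARAM_ALGORITHM,
            Jwk.USE_ENCRYPTION,
            "typ",
            "cty",
            Jwk.PARAM_KEY_ID,
            "jku",
            "jwk",
            JwkPki.PARAM_X509_CHAIN_URL,
            JwkPki.PARAM_X509_CHAIN,
            JwkPki.PARAM_X509_SHA_1,
            JwkPki.PARAM_X509_SHA_256,
            "crit",
            "zip",
            "apu",
            "apv",
            "epk"));

    /**
     * Returns the scope this validator applies to.
     *
     * @return always {@link JwtScope#HEADER}
     */
    @Override
    public JwtScope jwtScope() {
        return JwtScope.HEADER;
    }

    /**
     * Returns the claim names handled by this validator.
     *
     * @return an immutable set containing only {@code "crit"}
     */
    @Override
    public Set<String> claims() {
        return Set.of("crit");
    }

    /**
     * Validates the {@code crit} header of the token, if it has one.
     *
     * <p>A token without a {@code crit} header passes without any check. Otherwise each check
     * runs only while the collector holds no fatal error; note that {@code hasFatal()} also
     * reflects fatal errors recorded before this call, in which case the later checks are skipped.
     *
     * @param jwt token whose headers are inspected
     * @param collector receives a fatal message for every violated rule
     * @param list all validators in use; those with header scope define which critical names
     *             count as supported
     */
    @Override
    public void validate(Jwt jwt, Errors.Collector collector, List<ClaimValidator> list) {
        Optional<List<String>> critical = jwt.headers().critical();
        if (!critical.isPresent()) {
            return;
        }
        List<String> criticalNames = critical.get();
        if (criticalNames.isEmpty()) {
            // A present but empty list is treated as malformed rather than as "nothing critical".
            collector.fatal(jwt, "JWT critical header must not be empty");
            return;
        }
        checkAllCriticalAvailable(jwt, criticalNames, collector);
        if (collector.hasFatal()) {
            return;
        }
        checkDuplicity(jwt, criticalNames, collector);
        if (collector.hasFatal()) {
            return;
        }
        checkInvalidHeaders(jwt, criticalNames, collector);
        if (collector.hasFatal()) {
            return;
        }
        checkNotSupportedHeaders(jwt, criticalNames, collector, list);
    }

    /** Fails when a name listed in {@code crit} is missing from the token's header claims. */
    private void checkAllCriticalAvailable(Jwt jwt, List<String> criticalNames, Errors.Collector collector) {
        Set<String> presentHeaders = jwt.headers().headerClaims().keySet();
        if (!presentHeaders.containsAll(criticalNames)) {
            collector.fatal(jwt, "JWT must contain " + criticalNames + ", yet it contains: " + presentHeaders);
        }
    }

    /**
     * Fails when a name listed in {@code crit} is not claimed by any header-scoped validator.
     *
     * <p>"Supported" is derived only from what the validators declare through {@code claims()};
     * nothing here verifies that the declaring validator actually enforces the header.
     */
    private void checkNotSupportedHeaders(Jwt jwt,
                                          List<String> criticalNames,
                                          Errors.Collector collector,
                                          List<ClaimValidator> validators) {
        Set<String> supportedHeaders = validators.stream()
                .filter(validator -> validator.jwtScope() == JwtScope.HEADER)
                .map(ClaimValidator::claims)
                .flatMap(Set::stream)
                .collect(Collectors.toSet());
        if (!supportedHeaders.containsAll(criticalNames)) {
            collector.fatal(jwt, "JWT is required to process " + criticalNames + ", yet it process only " + supportedHeaders);
        }
    }

    /** Fails when the same name appears more than once in {@code crit}. */
    private void checkDuplicity(Jwt jwt, List<String> criticalNames, Errors.Collector collector) {
        // A set drops repeated names, so a smaller size means at least one duplicate.
        if (new HashSet<>(criticalNames).size() != criticalNames.size()) {
            collector.fatal(jwt, "JWT critical header contains duplicated values: " + criticalNames);
        }
    }

    /** Records one fatal error for every name in {@code crit} that is on the deny-list. */
    private void checkInvalidHeaders(Jwt jwt, List<String> criticalNames, Errors.Collector collector) {
        for (String name : criticalNames) {
            if (INVALID_CRIT_HEADERS.contains(name)) {
                collector.fatal(jwt, "Required critical header value '" + name + "' is invalid. This required header is defined among JWA, JWE or JWS headers.");
            }
        }
    }
}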
