package org.jfrog.access.client.token.verifier;

import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nonnull;
import org.jfrog.access.client.token.TokenVerifyResult;
import org.jfrog.access.common.AudienceMatcher;
import org.jfrog.access.common.ServiceId;
import org.jfrog.access.token.JwtAccessToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jfrog/access/client/token/verifier/TokenAudienceVerifier.class */
class TokenAudienceVerifier implements TokenVerifier {
    private static final Logger log = LoggerFactory.getLogger(TokenAudienceVerifier.class);

    @Override // org.jfrog.access.client.token.verifier.TokenVerifier
    @Nonnull
    public Optional<TokenVerifyResult> verify(@Nonnull JwtAccessToken jwtAccessToken, @Nonnull TokenVerifyContext tokenVerifyContext) {
        Optional<TokenVerifyResult> empty = Optional.empty();
        ServiceId serviceId = (ServiceId) Objects.requireNonNull(tokenVerifyContext.getServiceId(), "serviceId is required");
        Optional match = AudienceMatcher.match(serviceId, jwtAccessToken.getAudience());
        if (match.isPresent()) {
            log.debug("Token '{}' audience verification passed successfully (service ID '{}' matches audience '{}')", new Object[]{jwtAccessToken.getTokenId(), serviceId, match});
        } else {
            log.debug("Token '{}' audience verification failed (aud={}, serviceID='{}')", new Object[]{jwtAccessToken.getTokenId(), jwtAccessToken.getAudience(), serviceId});
            empty = Optional.of(TokenVerifyResultImpl.failure(jwtAccessToken, "audience"));
        }
        return empty;
    }
}
