package com.amazon.identity.auth.device.workflow;

import android.net.Uri;
import com.amazon.identity.auth.device.AuthError;
import com.amazon.identity.auth.device.utils.JSONUtils;
import com.amazon.identity.auth.device.utils.JWTDecoder;
import com.google.android.gms.common.internal.Constants;
import java.util.List;
import org.json.JSONObject;

/* loaded from: classes.dex */
public class WorkflowToken {

    /* renamed from: a, reason: collision with root package name */
    private final String f656a;

    /* renamed from: b, reason: collision with root package name */
    private final String[] f657b;
    private final List<String> c;

    public WorkflowToken(String str) throws AuthError {
        JSONObject decode = new JWTDecoder().decode(str);
        if (decode == null) {
            throw new AuthError("Workflow Token is invalid", AuthError.ERROR_TYPE.ERROR_ACCESS_DENIED);
        }
        if (!decode.optString("type").equals("WorkflowToken")) {
            throw new AuthError("Workflow Token has invalid type", AuthError.ERROR_TYPE.ERROR_ACCESS_DENIED);
        }
        if (!decode.optString("iss").equals("Amazon")) {
            throw new AuthError("Workflow Token has invalid issuer", AuthError.ERROR_TYPE.ERROR_ACCESS_DENIED);
        }
        this.f656a = decode.optString("clientId");
        if (this.f656a == null) {
            throw new AuthError("Workflow Token missing clientId", AuthError.ERROR_TYPE.ERROR_ACCESS_DENIED);
        }
        this.f657b = JSONUtils.getStringArray(decode, Constants.KEY_SCOPES);
        if (this.f657b == null) {
            throw new AuthError("Workflow Token missing scopes", AuthError.ERROR_TYPE.ERROR_ACCESS_DENIED);
        }
        this.c = JSONUtils.getStringList(decode, "workflowEndpoints");
        if (this.c == null) {
            throw new AuthError("Workflow Token missing endpoints", AuthError.ERROR_TYPE.ERROR_ACCESS_DENIED);
        }
    }

    private Uri a(String str) {
        return Uri.parse(str).buildUpon().query("").fragment("").build();
    }

    public void assertWorkflowUrlIsAllowed(String str) throws AuthError {
        if (!this.c.contains(a(str).toString())) {
            throw new AuthError(String.format("Workflow URL %s is not allowed", str), AuthError.ERROR_TYPE.ERROR_ACCESS_DENIED);
        }
    }

    public String getClientId() {
        return this.f656a;
    }

    public String[] getScopes() {
        return this.f657b;
    }
}
