package io.confluent.common.security.auth;

import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;

/* loaded from: input_file:io/confluent/common/security/auth/JwtPrincipal.class */
public class JwtPrincipal implements Principal {
    private final OAuthBearerToken idToken;
    private final String subClaimName;
    private final String groupsClaimName;

    public JwtPrincipal(OAuthBearerToken oAuthBearerToken, String str, String str2) {
        this.idToken = oAuthBearerToken;
        this.subClaimName = str;
        this.groupsClaimName = str2;
    }

    public JwtPrincipal(OAuthBearerToken oAuthBearerToken) {
        this(oAuthBearerToken, null, null);
    }

    @Override // java.security.Principal
    public String getName() {
        return (this.subClaimName == null || this.subClaimName.isEmpty()) ? this.idToken.principalName() : (String) jwtClaims().get(this.subClaimName);
    }

    public String getSubClaimName() {
        return this.subClaimName;
    }

    public String getGroupsClaimName() {
        return this.groupsClaimName;
    }

    public Set<String> getScope() {
        return Collections.unmodifiableSet(this.idToken.scope());
    }

    public String getJwt() {
        return this.idToken.value();
    }

    public Map<String, Object> jwtClaims() {
        return this.idToken instanceof OAuthBearerJwsToken ? this.idToken.jwtClaims() : Collections.emptyMap();
    }
}
