package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.utilities.java.support.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.context.ProfileRequestContext;

/**
 * Checks the {@code iat} (issued-at) claim of a JWT against a freshness window.
 *
 * <p>A token passes when its issue time is no later than {@code now + |clockSkew|} and
 * {@code iat + |clockSkew| + messageLifetime} is not before {@code now}. Both the skew and the
 * lifetime default to one minute, and the claim is required by default.</p>
 *
 * <p>Security note: with {@link #setRequiredRule(boolean)} set to {@code false}, a token that
 * carries no {@code iat} claim is accepted here without any freshness check. In that setup the
 * token's age has to be bounded by some other validator (NOTE(review): presumably an
 * {@code exp} check elsewhere in the chain; confirm against the deployment).</p>
 */
@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/IssuedAtClaimsValidator.class */
public class IssuedAtClaimsValidator extends AbstractClaimsValidator {

    /** How long after issuance (plus skew) a token is still accepted; one minute by default. */
    @Nonnull
    private Duration messageLifetime = Duration.ofMinutes(1);

    /** Tolerated clock difference; validation uses its absolute value. One minute by default. */
    @Nonnull
    private Duration clockSkew = Duration.ofMinutes(1);

    /** Whether a token without an {@code iat} claim is rejected; {@code true} by default. */
    private boolean requiredRule = true;

    /**
     * Sets the lifetime granted to a token counted from its issue time.
     *
     * <p>The initialization guard runs first, so the call is refused on an initialized
     * component before the argument is inspected. A zero duration is accepted.</p>
     *
     * @param duration the lifetime; must be non-null and non-negative
     */
    public void setMessageLifetime(@Nonnull Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        final Duration checked = Constraint.isNotNull(duration, "Token lifetime cannot be null");
        Constraint.isFalse(checked.isNegative(), "Token lifetime cannot be negative");
        this.messageLifetime = checked;
    }

    /**
     * Sets the tolerated clock skew.
     *
     * <p>A negative value is not rejected: it is stored as given, validation applies
     * {@link Duration#abs()} to it, and rejection messages print the stored value.</p>
     *
     * @param duration the clock skew; must be non-null
     */
    public void setClockSkew(@Nonnull Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        final Duration checked = Constraint.isNotNull(duration, "Clock skew cannot be null");
        this.clockSkew = checked;
    }

    /**
     * Sets whether the {@code iat} claim must be present.
     *
     * @param z {@code true} to reject tokens lacking {@code iat}; {@code false} to let them
     *          pass this validator unchecked
     */
    public void setRequiredRule(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.requiredRule = z;
    }

    /**
     * Validates the issue time of the given claims set against the current system time.
     *
     * <p>The profile request context is not consulted by this method.</p>
     *
     * @param jWTClaimsSet the claims to inspect
     * @param profileRequestContext the current profile request context (unused here)
     * @throws JWTValidationException if {@code iat} is missing while required, lies further in
     *         the future than the clock skew allows, or is older than skew plus lifetime
     */
    public void doValidate(@Nonnull JWTClaimsSet jWTClaimsSet, @Nonnull ProfileRequestContext profileRequestContext) throws JWTValidationException {
        final Date rawIssueTime = jWTClaimsSet.getIssueTime();
        if (rawIssueTime == null && this.requiredRule) {
            throw new JWTValidationException("JWT was rejected due to missing required 'iat' claim.");
        }
        if (rawIssueTime == null) {
            // Claim is optional in this configuration: nothing to compare, so accept.
            return;
        }

        final Instant issuedAt = rawIssueTime.toInstant();
        final Instant now = Instant.now();
        final Duration skew = this.clockSkew.abs();

        // Both bounds are computed before either comparison, so any arithmetic failure in
        // the Instant additions surfaces ahead of the rejection checks.
        final Instant latestIssueAllowed = now.plus(skew);
        final Instant acceptedUntil = issuedAt.plus(skew).plus(this.messageLifetime);

        if (latestIssueAllowed.isBefore(issuedAt)) {
            throw new JWTValidationException(
                    "JWT was rejected because it was issued in the future." + describeWindow(issuedAt, now));
        }
        if (now.isAfter(acceptedUntil)) {
            throw new JWTValidationException(
                    "JWT was rejected due to issue instance expiration." + describeWindow(issuedAt, now));
        }
    }

    /**
     * Builds the shared tail of both rejection messages: issue time, current time and the
     * configured lifetime and skew (the skew is printed as configured, not as its absolute value).
     *
     * @param issuedAt the token's issue time
     * @param now the time the check was made
     * @return the message suffix, starting with a single space
     */
    private String describeWindow(Instant issuedAt, Instant now) {
        return " Token issued at '" + issuedAt + "' was too far away from the current time '" + now
                + "' with acceptable lifetime of '" + this.messageLifetime
                + "', clockSkew of '" + this.clockSkew + "'";
    }
}
