package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.ReplayCache;

/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/JWTIdentifierClaimsValidator.class */
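/**
 * Claims validator that rejects a JWT whose identifier ({@code jti}) has already been seen.
 *
 * <p>Each accepted {@code jti} is recorded in a {@link ReplayCache} until the token's expiration
 * time ({@code exp}) plus the configured clock skew. Both {@code exp} and {@code jti} are therefore
 * mandatory: without {@code exp} the cache entry would have no bounded lifetime, and without
 * {@code jti} there is nothing to key the replay check on.</p>
 *
 * <p>NOTE(review): this class does not verify signatures. It presumably runs after signature
 * validation; if it ran on unauthenticated claims, an arbitrary sender could fill the replay cache
 * or pre-register identifiers of legitimate tokens. Confirm the ordering in the validator chain.</p>
 *
 * <p>NOTE(review): the cache context is this class name, so identifiers from every issuer share one
 * namespace. If more than one issuer is trusted, colliding {@code jti} values would be rejected as
 * replays. Confirm whether the key should also include the issuer.</p>
 */
public class JWTIdentifierClaimsValidator extends AbstractClaimsValidator {

    /** Cache used to remember JWT identifiers that have already been accepted. */
    @NonnullAfterInit
    private ReplayCache replayCache;

    /** Extra time added to {@code exp} when computing how long an identifier stays in the cache. */
    @Nonnull
    private Duration clockSkew = Duration.ofMinutes(1);

    /**
     * Sets the replay cache that stores seen JWT identifiers.
     *
     * <p>Can only be called before initialization.</p>
     *
     * @param replayCache the cache to use, never {@code null}
     */
    public void setReplayCache(@Nonnull ReplayCache replayCache) {
        ifInitializedThrowUnmodifiabledComponentException();
        this.replayCache = Constraint.isNotNull(replayCache, "ReplayCache cannot be null");
    }

    /**
     * Sets the clock skew added to the token expiration when computing the cache entry lifetime.
     *
     * <p>Can only be called before initialization. The default is one minute.</p>
     *
     * @param duration the clock skew, never {@code null}
     */
    public void setClockSkew(@Nonnull Duration duration) {
        ifInitializedThrowUnmodifiabledComponentException();
        // NOTE(review): a negative duration is accepted here. It would make the cache entry expire
        // before the token does, leaving a window in which the same jti is accepted again.
        // Consider rejecting negative values once callers have been checked.
        this.clockSkew = Constraint.isNotNull(duration, "Clock skew cannot be null");
    }

    /**
     * Completes initialization and fails if no replay cache has been configured.
     *
     * @throws ComponentInitializationException if the replay cache is missing
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        // Fail at startup rather than at first use: without a cache no replay check is possible.
        if (this.replayCache == null) {
            throw new ComponentInitializationException("ReplayCache can not be null");
        }
    }

    /**
     * Validates that the claims set carries {@code exp} and {@code jti}, and that the identifier has
     * not been used before.
     *
     * @param jWTClaimsSet the claims to validate
     * @param profileRequestContext the profile request context, unused by this validator
     * @throws JWTValidationException if {@code exp} or {@code jti} is missing, or if the replay
     *     cache check fails for the identifier
     */
    protected void doValidate(@Nonnull JWTClaimsSet jWTClaimsSet, @Nullable ProfileRequestContext profileRequestContext) throws JWTValidationException {
        final Date expirationTime = jWTClaimsSet.getExpirationTime();
        if (expirationTime == null) {
            throw new JWTValidationException("The claims set is missing required expiration time (exp)");
        }

        final String jwtid = jWTClaimsSet.getJWTID();
        // Whitespace-only identifiers are treated as absent. The cache key below is still the
        // untrimmed value, so identifiers that differ only in surrounding whitespace are distinct.
        if (StringSupport.trimOrNull(jwtid) == null) {
            throw new JWTValidationException("The claims set is missing required JWT identifier (jti)");
        }

        // Keep the entry until exp + clockSkew so the identifier stays blocked for as long as a
        // skew-tolerant expiration check could still accept the token.
        // NOTE(review): the retention time comes from the token's own exp; a very distant exp keeps
        // the entry for just as long. Confirm that a maximum lifetime is enforced elsewhere.
        final boolean firstUse =
                this.replayCache.check(getClass().getName(), jwtid, expirationTime.toInstant().plus(this.clockSkew));
        if (!firstUse) {
            // A false return is treated as a replay. NOTE(review): depending on how the cache is
            // configured, a storage failure may also surface here as false; confirm.
            // NOTE(review): jwtid is taken from the token and is echoed into the message unescaped;
            // make sure whatever logs this exception neutralises control characters.
            throw new JWTValidationException("Replay detected for jti '" + jwtid + "'");
        }
    }
}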
