package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.shared.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.FunctionSupport;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

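/**
 * Validates the {@code auth_time} claim of a JWT against a maximum authentication age.
 *
 * <p>Two modes are implemented, selected by the lifetime returned from the authentication lifetime
 * lookup strategy:</p>
 * <ul>
 *   <li>A zero lifetime (OIDC {@code max_age=0}) requires a fresh authentication: {@code auth_time} must not
 *       precede the time of the authentication request, as supplied by the request-time lookup strategy.</li>
 *   <li>A positive lifetime requires {@code auth_time} to be no more than {@code clockSkew} in the future and
 *       no older than {@code lifetime + clockSkew} relative to the current time.</li>
 * </ul>
 *
 * <p>A missing, unparseable, null-lifetime or negative-lifetime case is rejected with a
 * {@link JWTValidationException}; the validator never silently accepts a token it cannot check.</p>
 */
@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/AuthenticationTimeClaimsValidator.class */
public class AuthenticationTimeClaimsValidator extends AbstractClaimsValidator {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AuthenticationTimeClaimsValidator.class);

    /** Strategy returning the maximum acceptable authentication age; defaults to a constant 60 seconds. */
    @Nonnull
    private Function<ProfileRequestContext, Duration> authnLifetimeLookupStrategy =
            profileRequestContext -> Duration.ofSeconds(60L);

    /** Tolerated clock skew between this system and the token issuer; defaults to 60 seconds. */
    @Nonnull
    private Duration clockSkew = Duration.ofSeconds(60);

    /**
     * Strategy returning the time the authentication request was made; only consulted when the lifetime is
     * zero. Defaults to "now minus clock skew", evaluated at validation time against the configured skew.
     */
    @Nonnull
    private Function<ProfileRequestContext, Instant> authnRequestTimeLookupStrategy =
            profileRequestContext -> Instant.now().minus(clockSkew);

    /** Condition under which the claim is validated at all; defaults to always. */
    @Nonnull
    private Predicate<ProfileRequestContext> requested = PredicateSupport.alwaysTrue();

    /**
     * Sets the tolerated clock skew.
     *
     * @param duration the skew, must not be null
     */
    public void setClockSkew(@Nonnull final Duration duration) {
        ifInitializedThrowUnmodifiabledComponentException();
        clockSkew = Constraint.isNotNull(duration, "Clock skew cannot be null");
    }

    /**
     * Sets the strategy used to look up the authentication request time.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setAuthnRequestTimeLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, Instant> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        authnRequestTimeLookupStrategy =
                Constraint.isNotNull(function, "authnRequestTimeLookupStrategy can not be null");
    }

    /**
     * Sets the condition under which this validator runs.
     *
     * @param predicate the condition, must not be null
     *
     * @deprecated Marked for removal since 2.2.0.
     */
    @Deprecated(forRemoval = true, since = "2.2.0")
    public void setRequested(@Nonnull final Predicate<ProfileRequestContext> predicate) {
        ifInitializedThrowUnmodifiabledComponentException();
        // Consistent with the other setters: reject null here rather than failing later in doValidate.
        requested = Constraint.isNotNull(predicate, "Requested predicate cannot be null");
    }

    /**
     * Sets a fixed maximum authentication age.
     *
     * @param duration the lifetime, must not be null or negative
     */
    public void setAuthnLifetime(@Nonnull final Duration duration) {
        ifInitializedThrowUnmodifiabledComponentException();
        Constraint.isNotNull(duration, "Token authentication lifetime cannot be null");
        Constraint.isFalse(duration.isNegative(), "Token authentication lifetime cannot be negative");
        authnLifetimeLookupStrategy = FunctionSupport.constant(duration);
    }

    /**
     * Sets the strategy used to look up the maximum authentication age per request.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setAuthnLifetimeLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, Duration> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        authnLifetimeLookupStrategy =
                Constraint.isNotNull(function, "AuthnLifetime Lookup Strategy can not be null");
    }

    /**
     * Validates the {@code auth_time} claim of the supplied claims set.
     *
     * @param claimsSet the claims to validate
     * @param profileRequestContext the current profile request context
     *
     * @throws JWTValidationException if the claim is missing, unparseable, or outside the acceptable window
     */
    @Override
    public void doValidate(@Nonnull final JWTClaimsSet claimsSet,
            @Nonnull final ProfileRequestContext profileRequestContext) throws JWTValidationException {
        if (!requested.test(profileRequestContext)) {
            return;
        }

        final Duration lifetime = authnLifetimeLookupStrategy.apply(profileRequestContext);

        final Date authTimeClaim;
        try {
            authTimeClaim = claimsSet.getDateClaim(IDTokenClaims.AUTHENTICATION_TIME.getClaimName());
        } catch (final ParseException e) {
            // The claim is present but not a valid date value; treat that as a validation failure.
            throw new JWTValidationException("Authentication time claim in token could not be parsed", e);
        }
        if (authTimeClaim == null) {
            throw new JWTValidationException("No authentication time found in token");
        }
        if (lifetime == null) {
            throw new JWTValidationException("No authentication lifetime set");
        }
        // Mirrors the check in setAuthnLifetime; a lookup strategy may hand back a negative value, which
        // would otherwise shift the expiry computation in an unintended direction.
        if (lifetime.isNegative()) {
            throw new JWTValidationException("Authentication lifetime cannot be negative");
        }

        final Instant authTime = authTimeClaim.toInstant();
        if (lifetime.isZero()) {
            checkFreshAuthentication(authTime, profileRequestContext);
        } else {
            checkAuthenticationAge(authTime, lifetime);
        }
    }

    /**
     * Enforces a maximum authentication age of zero: the authentication must not predate the
     * authentication request.
     *
     * @param authTime the token's authentication time
     * @param profileRequestContext the current profile request context
     *
     * @throws JWTValidationException if the request time is unavailable or the authentication is stale
     */
    private void checkFreshAuthentication(@Nonnull final Instant authTime,
            @Nonnull final ProfileRequestContext profileRequestContext) throws JWTValidationException {
        final Instant requestTime = authnRequestTimeLookupStrategy.apply(profileRequestContext);
        if (requestTime == null) {
            final String msg = "Maximum authentication age of 0 seconds requested, but no authentication request"
                    + " time could be found, can not check for a fresh authentication";
            log.warn(msg);
            throw new JWTValidationException(msg);
        }
        if (authTime.isBefore(requestTime)) {
            final String msg = "JWT token authentication time is not valid. Authentication is not fresh but"
                    + " max_age=0 was requested, re-authentication did not occur";
            log.warn(msg);
            throw new JWTValidationException(msg);
        }
    }

    /**
     * Enforces a positive maximum authentication age against the current time, tolerating clock skew on
     * both ends of the window.
     *
     * @param authTime the token's authentication time
     * @param lifetime the maximum acceptable age, positive
     *
     * @throws JWTValidationException if the authentication time is in the future or has expired
     */
    private void checkAuthenticationAge(@Nonnull final Instant authTime, @Nonnull final Duration lifetime)
            throws JWTValidationException {
        final Instant now = Instant.now();

        // An auth_time further in the future than the tolerated skew cannot be genuine.
        final Instant latestAcceptable = now.plus(clockSkew);
        if (authTime.isAfter(latestAcceptable)) {
            log.warn("Authentication is not yet valid: auth_time was {}, latest valid is: {}",
                    authTime, latestAcceptable);
            throw new JWTValidationException("JWT token authentication time is not yet valid");
        }

        // Skew is added on the expiry side as well, so the effective maximum age is lifetime + clockSkew;
        // an expiry exactly equal to now is still accepted.
        final Instant expiry = authTime.plus(clockSkew).plus(lifetime);
        if (expiry.isBefore(now)) {
            log.warn("Authentication has expired: auth_time was '{}', expired at: '{}', current time: '{}'",
                    authTime, expiry, now);
            throw new JWTValidationException("JWT token authentication time has expired");
        }
    }
}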
