package net.shibboleth.oidc.security.jwt.claims.impl;

import com.google.common.base.Predicates;
import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.utilities.java.support.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

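/**
 * Validates the {@code auth_time} claim of a JWT against a configurable authentication lifetime.
 *
 * <p>When the {@link #setRequested(Predicate) requested} predicate accepts the current
 * {@link ProfileRequestContext}, the claim must be present, must not lie in the future and must
 * not be older than the configured lifetime, both measured against this host's clock. No
 * clock-skew allowance is applied here: an {@code auth_time} even slightly ahead of local time
 * is rejected, so hosts relying on this check need synchronised clocks.</p>
 *
 * <p>When the predicate rejects the request, the claim is not inspected at all.</p>
 */
@ThreadSafeAfterInit
public class AuthenticationTimeClaimsValidator extends AbstractClaimsValidator {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AuthenticationTimeClaimsValidator.class);

    /** Maximum age of an authentication, counted from {@code auth_time}. Defaults to 60 seconds. */
    @Nonnull
    private Duration authnLifetime = Duration.ofSeconds(60);

    /** Condition deciding whether the claim is required for a given request. Defaults to always. */
    @Nonnull
    private Predicate<ProfileRequestContext> requested = Predicates.alwaysTrue();

    /**
     * Sets the condition under which the {@code auth_time} claim must be present and valid.
     *
     * <p>Must be called before the component is initialized.</p>
     *
     * @param predicate condition evaluated against the profile request context; must not be null
     */
    public void setRequested(@Nonnull final Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        // Reject null here, mirroring setAuthnLifetime; otherwise it would only surface as an
        // NPE in doValidate, i.e. at request time rather than at configuration time.
        Constraint.isNotNull(predicate, "Requested predicate cannot be null");
        requested = predicate;
    }

    /**
     * Sets the maximum acceptable age of an authentication.
     *
     * <p>Must be called before the component is initialized.</p>
     *
     * @param duration non-null, non-negative lifetime counted from {@code auth_time}
     */
    public void setAuthnLifetime(@Nonnull final Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        Constraint.isNotNull(duration, "Token authentication lifetime cannot be null");
        Constraint.isFalse(duration.isNegative(), "Token authentication lifetime cannot be negative");
        authnLifetime = duration;
    }

    /**
     * Checks the {@code auth_time} claim when the request requires it.
     *
     * @param claimsSet the claims to validate
     * @param profileRequestContext the current profile request context
     * @throws JWTValidationException if the claim is required but missing or unparseable, lies in
     *         the future, or is older than the configured lifetime
     */
    public void doValidate(@Nonnull final JWTClaimsSet claimsSet,
            @Nonnull final ProfileRequestContext profileRequestContext) throws JWTValidationException {
        if (!requested.test(profileRequestContext)) {
            return;
        }

        final Date dateClaim;
        try {
            dateClaim = claimsSet.getDateClaim(IDTokenClaims.AUTHENTICATION_TIME.getClaimName());
        } catch (final ParseException e) {
            // getDateClaim fails when the claim value cannot be read as a date; the cause is kept
            // so the actual value problem is not lost behind the generic message.
            throw new JWTValidationException("Autentication forced, but no authentication time found in token", e);
        }
        if (dateClaim == null) {
            throw new JWTValidationException("No authentication time found in token");
        }

        final Instant authnTime = dateClaim.toInstant();
        final Instant now = Instant.now();
        final Instant validUntil = authnTime.plus(authnLifetime);

        // An auth_time ahead of the local clock is treated as not yet valid rather than tolerated.
        if (authnTime.isAfter(now)) {
            log.warn("Authentication is not yet valid: auth_time was {}, latest valid is: {}", authnTime, now);
            throw new JWTValidationException("JWT token authentication time is not yet valid");
        }
        // Expiry is exclusive: auth_time + lifetime == now is still accepted.
        if (validUntil.isBefore(now)) {
            log.warn("Authentication has expired: auth_time was '{}', expired at: '{}', current time: '{}'",
                    authnTime, validUntil, now);
            throw new JWTValidationException("JWT token authentication time has expired");
        }
    }
}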
