package org.springframework.security.oauth2.jwt;

import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-5.3.6.RELEASE.jar:org/springframework/security/oauth2/jwt/JwtTimestampValidator.class */
/**
 * Checks the time-based claims of a {@link Jwt}: the expiry ({@code exp}) and the
 * not-before ({@code nbf}) instants, each compared against the configured clock with a
 * tolerance for clock skew.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A claim that is absent (the getter returns {@code null}) is not checked. A token
 *       with no expiry therefore passes this validator; if expiry must be mandatory, that
 *       has to be enforced by a separate validator.</li>
 *   <li>The skew widens the acceptance window on both sides: a token is still accepted up
 *       to {@code clockSkew} after its expiry and up to {@code clockSkew} before its
 *       not-before instant. A large skew extends the lifetime of every token.</li>
 *   <li>The skew is only checked for {@code null}; its sign and magnitude are not
 *       validated here.</li>
 * </ul>
 */
public final class JwtTimestampValidator implements OAuth2TokenValidator<Jwt> {
    /** Skew used by the no-argument constructor: 60 seconds. */
    private static final Duration DEFAULT_MAX_CLOCK_SKEW = Duration.of(60, ChronoUnit.SECONDS);

    private final Log logger = LogFactory.getLog(getClass());

    /** Tolerance applied to both the expiry and the not-before comparison. */
    private final Duration clockSkew;

    /** Time source for every comparison; UTC system clock unless replaced via {@link #setClock(Clock)}. */
    private Clock clock = Clock.systemUTC();

    /**
     * Creates a validator that tolerates the default clock skew of 60 seconds.
     */
    public JwtTimestampValidator() {
        this(DEFAULT_MAX_CLOCK_SKEW);
    }

    /**
     * Creates a validator with an explicit clock-skew tolerance.
     *
     * @param duration the tolerated clock skew; must not be {@code null}
     */
    public JwtTimestampValidator(Duration duration) {
        Assert.notNull(duration, "clockSkew cannot be null");
        this.clockSkew = duration;
    }

    /**
     * Validates the expiry and not-before instants of the given token.
     *
     * <p>The expiry is checked first; the not-before instant is only examined when the
     * expiry check did not fail. The clock is read separately for each check.
     *
     * @param jwt the token to validate; must not be {@code null}
     * @return a failure result carrying an {@link OAuth2Error} when the token is expired or
     *         not yet valid (after allowing for the skew), otherwise a success result
     */
    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Assert.notNull(jwt, "jwt cannot be null");

        Instant expiry = jwt.getExpiresAt();
        if (expiry != null) {
            // Shift "now" back by the skew: the token counts as expired only once
            // the skew-adjusted current time is strictly after the expiry instant.
            Instant skewedNow = Instant.now(this.clock).minus(this.clockSkew);
            if (skewedNow.isAfter(expiry)) {
                String message = String.format("Jwt expired at %s", jwt.getExpiresAt());
                return OAuth2TokenValidatorResult.failure(createOAuth2Error(message));
            }
        }

        Instant validFrom = jwt.getNotBefore();
        if (validFrom != null) {
            // Shift "now" forward by the skew: the token is rejected only while the
            // skew-adjusted current time is still strictly before the not-before instant.
            Instant skewedNow = Instant.now(this.clock).plus(this.clockSkew);
            if (skewedNow.isBefore(validFrom)) {
                String message = String.format("Jwt used before %s", jwt.getNotBefore());
                return OAuth2TokenValidatorResult.failure(createOAuth2Error(message));
            }
        }

        return OAuth2TokenValidatorResult.success();
    }

    /**
     * Logs the reason at debug level and wraps it in an {@code invalid_request} error that
     * points at RFC 6750 section 3.1.
     *
     * @param str the human-readable failure reason, used as the error description
     * @return the error to attach to a failed validation result
     */
    private OAuth2Error createOAuth2Error(String str) {
        this.logger.debug(str);
        String errorCode = "invalid_request";
        String referenceUri = "https://tools.ietf.org/html/rfc6750#section-3.1";
        return new OAuth2Error(errorCode, str, referenceUri);
    }

    /**
     * Replaces the time source used for all subsequent validations. Every expiry and
     * not-before decision is made against this clock.
     *
     * @param clock the clock to use; must not be {@code null}
     */
    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }
}
