package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.function.Supplier;
import javax.annotation.Nullable;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtTimestampValidator.class */
class JwtTimestampValidator implements Validator<Token> {
    private static final TemporalAmount DEFAULT_TOLERANCE = Duration.ofMinutes(1);
    private final Supplier<Instant> timeProvider;
    private final TemporalAmount tolerance;

    /* JADX INFO: Access modifiers changed from: package-private */
    public JwtTimestampValidator() {
        this(Instant::now, DEFAULT_TOLERANCE);
    }

    JwtTimestampValidator(Supplier<Instant> supplier, @Nullable TemporalAmount temporalAmount) {
        this.timeProvider = supplier;
        this.tolerance = temporalAmount != null ? temporalAmount : DEFAULT_TOLERANCE;
    }

    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        Instant expiration = token.getExpiration();
        if (expiration == null) {
            return ValidationResults.createInvalid("Jwt does not contain expiration (exp) claim. Cannot be validated!");
        }
        ValidationResult checkExpiration = checkExpiration(expiration);
        Instant notBefore = token.getNotBefore();
        if (notBefore != null && checkExpiration.isValid()) {
            checkExpiration = checkNotBefore(notBefore);
        }
        return checkExpiration;
    }

    private ValidationResult checkExpiration(Instant instant) {
        return isNotExpired(instant) ? ValidationResults.createValid() : ValidationResults.createInvalid("Jwt expired at {}, time now: {}", instant, now());
    }

    private ValidationResult checkNotBefore(Instant instant) {
        return canBeAccepted(instant) ? ValidationResults.createValid() : ValidationResults.createInvalid("Jwt cannot be accepted before {}, time now: {}", instant, now());
    }

    private boolean canBeAccepted(Instant instant) {
        return now().isAfter(instant.minus(this.tolerance));
    }

    private boolean isNotExpired(Instant instant) {
        return instant.plus(this.tolerance).isAfter(now());
    }

    private Instant now() {
        return this.timeProvider.get();
    }
}
