package org.springframework.security.oauth2.jwt;

import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-6.5.0.jar:org/springframework/security/oauth2/jwt/JwtIssuedAtValidator.class */
public final class JwtIssuedAtValidator implements OAuth2TokenValidator<Jwt> {
    private final boolean required;
    private Duration clockSkew;
    private Clock clock;

    public JwtIssuedAtValidator() {
        this(false);
    }

    public JwtIssuedAtValidator(boolean z) {
        this.clockSkew = Duration.ofSeconds(60L);
        this.clock = Clock.systemUTC();
        this.required = z;
    }

    @Override // org.springframework.security.oauth2.core.OAuth2TokenValidator
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Assert.notNull(jwt, "jwt cannot be null");
        Instant issuedAt = jwt.getIssuedAt();
        if (issuedAt == null && this.required) {
            return OAuth2TokenValidatorResult.failure(createOAuth2Error("iat claim is required."));
        }
        if (issuedAt != null) {
            Instant now = Instant.now(this.clock);
            Instant minus = now.minus((TemporalAmount) this.clockSkew);
            Instant plus = now.plus((TemporalAmount) this.clockSkew);
            if (issuedAt.isBefore(minus) || issuedAt.isAfter(plus)) {
                return OAuth2TokenValidatorResult.failure(createOAuth2Error("iat claim is invalid."));
            }
        }
        return OAuth2TokenValidatorResult.success();
    }

    public void setClockSkew(Duration duration) {
        Assert.notNull(duration, "clockSkew cannot be null");
        Assert.isTrue(duration.getSeconds() >= 0, "clockSkew must be >= 0");
        this.clockSkew = duration;
    }

    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }

    private static OAuth2Error createOAuth2Error(String str) {
        return new OAuth2Error("invalid_token", str, null);
    }
}
