package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.time.Clock;
import java.time.Instant;
import java.util.Date;
import org.elasticsearch.core.Strings;
import org.elasticsearch.core.TimeValue;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtDateClaimValidator.class */
public class JwtDateClaimValidator implements JwtFieldValidator {
    private final Clock clock;
    private final String claimName;
    private final long allowedClockSkewSeconds;
    private final Relationship relationship;
    private final boolean allowNull;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtDateClaimValidator$Relationship.class */
    public enum Relationship {
        BEFORE_NOW,
        AFTER_NOW
    }

    public JwtDateClaimValidator(Clock clock, String str, TimeValue timeValue, Relationship relationship, boolean z) {
        this.clock = clock;
        this.claimName = str;
        this.allowedClockSkewSeconds = timeValue.seconds();
        this.relationship = relationship;
        this.allowNull = z;
    }

    @Override // org.elasticsearch.xpack.security.authc.jwt.JwtFieldValidator
    public void validate(JWSHeader jWSHeader, JWTClaimsSet jWTClaimsSet) {
        try {
            Date dateClaim = jWTClaimsSet.getDateClaim(this.claimName);
            if (dateClaim == null) {
                if (!this.allowNull) {
                    throw new IllegalArgumentException("missing required date claim [" + this.claimName + "]");
                }
                return;
            }
            Instant instant = dateClaim.toInstant();
            Instant instant2 = this.clock.instant();
            switch (this.relationship) {
                case BEFORE_NOW:
                    if (false == instant.isBefore(instant2.plusSeconds(this.allowedClockSkewSeconds))) {
                        throw new IllegalArgumentException(Strings.format("date claim [%s] value [%s] must be before now [%s]", new Object[]{this.claimName, Long.valueOf(instant.toEpochMilli()), Long.valueOf(instant2.toEpochMilli())}));
                    }
                    return;
                case AFTER_NOW:
                    if (false == instant.isAfter(instant2.minusSeconds(this.allowedClockSkewSeconds))) {
                        throw new IllegalArgumentException(Strings.format("date claim [%s] value [%s] must be after now [%s]", new Object[]{this.claimName, Long.valueOf(instant.toEpochMilli()), Long.valueOf(instant2.toEpochMilli())}));
                    }
                    return;
                default:
                    if (!$assertionsDisabled) {
                        throw new AssertionError("unknown date claim relationship " + String.valueOf(this.relationship));
                    }
                    throw new IllegalStateException("unknown date claim relationship");
            }
        } catch (ParseException e) {
            throw new IllegalArgumentException("cannot parse date claim [" + this.claimName + "]", e);
        }
    }

    static {
        $assertionsDisabled = !JwtDateClaimValidator.class.desiredAssertionStatus();
    }
}
