package org.apache.tomee.security.http.openid;

import jakarta.security.enterprise.authentication.mechanism.http.openid.OpenIdConstant;
import java.time.Instant;
import java.util.List;
import org.jose4j.jwt.ReservedClaimNames;
import org.jose4j.jwt.consumer.Validator;

/* loaded from: input_file:lib/tomee-security-10.0.0-M2.jar:org/apache/tomee/security/http/openid/JwtValidators.class */
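/**
 * Claim validators for OpenID Connect tokens, expressed as jose4j {@link Validator}s.
 *
 * <p>Every validator here follows the same contract, visible in the code below: it returns
 * {@code null} when the claim is acceptable and a human-readable error message otherwise.
 *
 * <p>Time-based checks compare against {@code Instant.now().getEpochSecond()} directly; no
 * clock-skew allowance is applied in this class.
 */
public class JwtValidators {
    /**
     * Rejects tokens whose {@code exp} claim is absent or lies before the current second.
     *
     * <p>A missing {@code exp} is reported as a validation error instead of failing with a
     * {@code NullPointerException} on unboxing, so an incomplete token is rejected with a
     * clear reason.
     */
    public static final Validator EXPIRATION = jwtContext -> {
        Long exp = jwtContext.getJwtClaims().getClaimValue(ReservedClaimNames.EXPIRATION_TIME, Long.class);
        if (exp == null) {
            return "exp claim is missing";
        }
        // Capture the clock once so the comparison and the message refer to the same instant.
        long now = Instant.now().getEpochSecond();
        // NOTE(review): a token whose exp equals the current second is still accepted here;
        // RFC 7519 section 4.1.4 requires the current time to be strictly before exp.
        // Comparison kept as in the original to preserve behaviour - confirm the intent.
        if (exp < now) {
            return "exp is not in the future (exp=" + exp + ", current time is " + now + ")";
        }
        return null;
    };

    /**
     * Rejects tokens whose {@code iat} claim is absent or lies after the current second.
     *
     * <p>As with {@link #EXPIRATION}, a missing claim yields an error message rather than a
     * {@code NullPointerException}.
     */
    public static final Validator ISSUED_AT = jwtContext -> {
        Long iat = jwtContext.getJwtClaims().getClaimValue(ReservedClaimNames.ISSUED_AT, Long.class);
        if (iat == null) {
            return "iat claim is missing";
        }
        long now = Instant.now().getEpochSecond();
        if (iat > now) {
            return "iat is in the future (iat=" + iat + ", current time is " + now + ")";
        }
        return null;
    };

    /**
     * Rejects tokens whose optional {@code nbf} claim lies after the current second; a token
     * without {@code nbf} passes.
     *
     * <p>The constant name carries a historical typo ("BEOFRE"); it is kept unchanged because
     * it is part of the public interface.
     */
    public static final Validator NOT_BEOFRE = jwtContext -> {
        Long nbf = jwtContext.getJwtClaims().getClaimValue(ReservedClaimNames.NOT_BEFORE, Long.class);
        if (nbf == null) {
            return null;
        }
        long now = Instant.now().getEpochSecond();
        if (nbf > now) {
            return "nbf is in the future (nbf=" + nbf + ", current time is " + now + ")";
        }
        return null;
    };

    /**
     * Builds a validator that requires the token's {@code nonce} claim to equal the stored value.
     *
     * @param str the nonce the caller stored for this authentication attempt; a {@code null}
     *            value makes the returned validator throw {@code NullPointerException} when run
     * @return a validator returning {@code null} on a match and an error message otherwise
     */
    public static Validator nonce(String str) {
        return jwtContext -> {
            String actual = jwtContext.getJwtClaims().getStringClaimValue(OpenIdConstant.NONCE);
            // Comparing from the expected side means a token without a nonce claim is
            // reported as a mismatch instead of raising a NullPointerException.
            if (str.equals(actual)) {
                return null;
            }
            // NOTE(review): the message echoes both the stored and the received nonce;
            // confirm it only reaches logs and is not returned to the remote party.
            return "nonce value does not match the stored value (expected " + str + " but got " + actual + ")";
        };
    }

    /**
     * Builds a validator for the {@code azp} (authorized party) claim.
     *
     * <p>Rules implemented below: when {@code aud} holds more than one entry, {@code azp} must
     * be present; when {@code azp} is present, it must equal the configured client id; a token
     * with at most one audience and no {@code azp} passes.
     *
     * <p>This validator does not itself check that {@code aud} contains the client id;
     * presumably that is enforced elsewhere - verify against the caller.
     *
     * @param str the configured client id that {@code azp} is compared against
     * @return a validator returning {@code null} when the rules hold and an error message otherwise
     */
    public static Validator azp(String str) {
        return jwtContext -> {
            List<String> audience = jwtContext.getJwtClaims().getAudience();
            String authorizedParty = jwtContext.getJwtClaims().getStringClaimValue(OpenIdConstant.AUTHORIZED_PARTY);
            if (authorizedParty == null) {
                if (audience.size() > 1) {
                    return "aud has " + audience.size() + " entries (" + String.join(", ", audience) + ") but no azp claim is present";
                }
                return null;
            }
            if (str.equals(authorizedParty)) {
                return null;
            }
            return "azp is not equal to configured clientId (got " + authorizedParty + " but expected " + str + ")";
        };
    }
}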
