package com.nimbusds.oauth2.sdk.assertions.saml2;

import com.nimbusds.jwt.proc.ClockSkewAware;
import com.nimbusds.jwt.util.DateUtils;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.Set;
import net.jcip.annotations.Immutable;

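/**
 * Verifies the audience restriction and the validity time window of SAML 2.0
 * assertion details.
 *
 * <p>Scope: {@link #verify} checks only the audience, the expiration time and
 * the optional not-before time. Nothing in this class validates the assertion
 * signature, the issuer, the subject or one-time use (replay); those checks
 * have to be enforced by the caller or by other components.
 *
 * <p>Thread-safety: the class is annotated {@code @Immutable}, but the clock
 * skew is a plain non-final field written by {@link #setMaxClockSkew}. Set it
 * before the instance is shared between threads.
 */
@Immutable
/* loaded from: input_file:datasets/datasets-service.jar:BOOT-INF/lib/oauth2-oidc-sdk-9.9.1.jar:com/nimbusds/oauth2/sdk/assertions/saml2/SAML2AssertionDetailsVerifier.class */
public class SAML2AssertionDetailsVerifier implements ClockSkewAware {
    /** Default tolerated clock skew between issuer and verifier, in seconds. */
    public static final int DEFAULT_MAX_CLOCK_SKEW_SECONDS = 60;

    // Pre-allocated, shared exception instances. NOTE(review): their stack
    // traces are presumably captured when they are constructed, not at the
    // failing verify() call, so rely on the message rather than the trace
    // when triaging rejected assertions.
    private static final BadSAML2AssertionException EXPIRED_SAML2_ASSERTION_EXCEPTION = new BadSAML2AssertionException("Expired SAML 2.0 assertion");
    private static final BadSAML2AssertionException SAML2_ASSERTION_BEFORE_USE_EXCEPTION = new BadSAML2AssertionException("SAML 2.0 assertion before use time");

    // Unmodifiable private snapshot of the audiences this verifier accepts.
    private final Set<Audience> expectedAudience;
    private final BadSAML2AssertionException unexpectedAudienceException;
    private int maxClockSkewSeconds = DEFAULT_MAX_CLOCK_SKEW_SECONDS;

    /**
     * Creates a verifier that accepts assertions addressed to any of the
     * given audiences.
     *
     * <p>The set is copied, so later changes to the caller's set do not alter
     * which audiences are accepted.
     *
     * @param set the expected audience values; must not be null or empty
     * @throws IllegalArgumentException if {@code set} is null or empty
     */
    public SAML2AssertionDetailsVerifier(Set<Audience> set) {
        if (CollectionUtils.isEmpty(set)) {
            throw new IllegalArgumentException("The expected audience set must not be null or empty");
        }
        // Defensive copy: the audience set is the trust boundary of this
        // verifier and must not be widened through a reference the caller
        // keeps. LinkedHashSet preserves the source iteration order.
        this.expectedAudience = Collections.unmodifiableSet(new LinkedHashSet<>(set));
        this.unexpectedAudienceException = new BadSAML2AssertionException("Invalid SAML 2.0 audience, expected " + set);
    }

    /**
     * Returns the audiences this verifier accepts.
     *
     * @return an unmodifiable set of the expected audience values
     */
    public Set<Audience> getExpectedAudience() {
        return this.expectedAudience;
    }

    /**
     * Returns the clock skew, in seconds, passed to the time checks in
     * {@link #verify}.
     *
     * @return the maximum clock skew in seconds
     */
    @Override // com.nimbusds.jwt.proc.ClockSkewAware
    public int getMaxClockSkew() {
        return this.maxClockSkewSeconds;
    }

    /**
     * Sets the clock skew, in seconds, passed to the time checks in
     * {@link #verify}.
     *
     * <p>The value is stored without range validation. NOTE(review): a large
     * value presumably widens the window in which expired or not-yet-valid
     * assertions are still accepted, so keep it as small as the deployment
     * allows.
     *
     * @param i the maximum clock skew in seconds
     */
    @Override // com.nimbusds.jwt.proc.ClockSkewAware
    public void setMaxClockSkew(int i) {
        this.maxClockSkewSeconds = i;
    }

    /**
     * Checks the audience and validity window of the given assertion details.
     *
     * <p>The checks run in this order: audience match, expiration time, then
     * the not-before time when one is present. The first failing check
     * determines the exception.
     *
     * @param sAML2AssertionDetails the assertion details to check
     * @throws BadSAML2AssertionException if the audience does not match any
     *         expected audience, the assertion is expired, or it is not yet
     *         valid
     */
    public void verify(SAML2AssertionDetails sAML2AssertionDetails) throws BadSAML2AssertionException {
        if (!Audience.matchesAny(this.expectedAudience, sAML2AssertionDetails.getAudience())) {
            throw this.unexpectedAudienceException;
        }
        // One timestamp for both time checks so they agree on "now".
        Date now = new Date();
        if (!DateUtils.isAfter(sAML2AssertionDetails.getExpirationTime(), now, this.maxClockSkewSeconds)) {
            throw EXPIRED_SAML2_ASSERTION_EXCEPTION;
        }
        // The not-before time is optional; an absent value skips the check.
        Date notBefore = sAML2AssertionDetails.getNotBeforeTime();
        if (notBefore != null && !DateUtils.isBefore(notBefore, now, this.maxClockSkewSeconds)) {
            throw SAML2_ASSERTION_BEFORE_USE_EXCEPTION;
        }
    }
}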
