package org.opensaml.common.binding.security;

import org.joda.time.DateTime;
import org.opensaml.common.binding.SAMLMessageContext;
import org.opensaml.ws.message.MessageContext;
import org.opensaml.ws.security.SecurityPolicyException;
import org.opensaml.ws.security.SecurityPolicyRule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:wlp/lib/com.ibm.ws.org.opensaml.opensaml.2.5.3_1.0.10.jar:org/opensaml/common/binding/security/IssueInstantRule.class */
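/**
 * Security policy rule that bounds the age of an inbound SAML message by its issue instant.
 *
 * <p>A message is accepted when its issue instant is no later than {@code now + clockSkew} and
 * {@code issueInstant + clockSkew + expires} is not before {@code now}. Both settings are in seconds.
 *
 * <p>This rule only checks freshness. Nothing in this class records message identifiers, so it does
 * not by itself detect a message that is presented twice inside the accepted window.
 *
 * <p>Neither constructor argument is validated; a negative value shrinks the accepted window.
 */
public class IssueInstantRule implements SecurityPolicyRule {
    /** Tolerated clock difference between issuer and receiver, in seconds. */
    private final int clockSkew;

    /** Lifetime of a message after its issue instant, in seconds. */
    private final int expires;

    private final Logger log = LoggerFactory.getLogger(IssueInstantRule.class);

    /** When true, a message context without an issue instant is rejected instead of skipped. */
    private boolean requiredRule = true;

    /**
     * Creates the rule.
     *
     * @param clockSkewSeconds tolerated clock difference, in seconds
     * @param expiresSeconds message lifetime after its issue instant, in seconds
     */
    public IssueInstantRule(int clockSkewSeconds, int expiresSeconds) {
        this.clockSkew = clockSkewSeconds;
        this.expires = expiresSeconds;
    }

    /**
     * Reports whether a missing issue instant is treated as a policy failure.
     *
     * @return true if the issue instant must be present
     */
    public boolean isRequiredRule() {
        return this.requiredRule;
    }

    /**
     * Sets whether a missing issue instant is treated as a policy failure.
     *
     * <p>Setting this to false makes {@link #evaluate(MessageContext)} accept messages that carry
     * no issue instant at all, without any freshness check.
     *
     * @param z true to reject messages without an issue instant
     */
    public void setRequiredRule(boolean z) {
        this.requiredRule = z;
    }

    /**
     * Rejects the message if its issue instant lies in the future or has expired.
     *
     * @param messageContext the message context to check
     * @throws SecurityPolicyException if the issue instant is missing while the rule is required,
     *     is later than {@code now + clockSkew}, or is older than {@code clockSkew + expires} seconds
     */
    @Override // org.opensaml.ws.security.SecurityPolicyRule
    public void evaluate(MessageContext messageContext) throws SecurityPolicyException {
        // NOTE(review): a context of another type is skipped, not rejected, even when requiredRule
        // is true, and is logged at debug level only. Deployments that depend on this check should
        // confirm the rule is evaluated against SAMLMessageContext instances.
        if (!(messageContext instanceof SAMLMessageContext)) {
            this.log.debug("Invalid message context type, this policy rule only supports SAMLMessageContext");
            return;
        }
        SAMLMessageContext samlContext = (SAMLMessageContext) messageContext;

        // Read the value once so the null check and the comparisons use the same instant.
        DateTime issueInstant = samlContext.getInboundSAMLMessageIssueInstant();
        if (issueInstant == null) {
            if (this.requiredRule) {
                this.log.warn("Inbound SAML message issue instant not present in message context");
                throw new SecurityPolicyException("Inbound SAML message issue instant not present in message context");
            }
            return;
        }

        DateTime now = new DateTime();
        DateTime latestValid = now.plusSeconds(this.clockSkew);
        // Add the two intervals separately: clockSkew + expires as an int sum wraps to a negative
        // number for large settings, which would put the expiration before the issue instant and
        // reject every message.
        DateTime expiration = issueInstant.plusSeconds(this.clockSkew).plusSeconds(this.expires);

        if (issueInstant.isAfter(latestValid)) {
            this.log.warn("Message was not yet valid: message time was {}, latest valid is: {}", issueInstant, latestValid);
            throw new SecurityPolicyException("Message was rejected because was issued in the future");
        }
        if (expiration.isBefore(now)) {
            this.log.warn("Message was expired: message issue time was '{}', message expired at: '{}', current time: '{}'",
                    new Object[] {issueInstant, expiration, now});
            throw new SecurityPolicyException("Message was rejected due to issue instant expiration");
        }
    }
}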
