package org.apereo.cas.oidc.web;

import java.io.Serializable;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import lombok.Generated;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.validator.DefaultOAuth20ClientSecretValidator;
import org.apereo.cas.util.DateTimeUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/web/OidcClientSecretValidator.class */
/**
 * Client-secret validator for OIDC relying parties that adds an expiration check on top of the
 * inherited OAuth 2.0 secret validation.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A secret is accepted only when the inherited check passes <em>and</em> the secret has not
 *       expired.</li>
 *   <li>Only {@link OidcRegisteredService} instances carry an expiration; any other service type
 *       (or {@code null}) is reported as never expired.</li>
 *   <li>An expiration value of zero or less means "no expiration", so such secrets are never
 *       rejected on age. Registrations that rely on rotation should therefore carry a positive
 *       value.</li>
 *   <li>The debug statements record the service name and timestamps only; the secret itself is
 *       never passed to the logger here.</li>
 * </ul>
 */
public class OidcClientSecretValidator extends DefaultOAuth20ClientSecretValidator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcClientSecretValidator.class);

    /**
     * Creates the validator.
     *
     * @param cipherExecutor cipher handed unchanged to the parent validator
     */
    public OidcClientSecretValidator(CipherExecutor<Serializable, String> cipherExecutor) {
        super(cipherExecutor);
    }

    /**
     * Validates the presented client secret and then enforces secret expiration.
     *
     * @param oAuthRegisteredService the registered service the secret is presented for
     * @param str the client secret presented by the caller
     * @return {@code true} only if the inherited validation succeeds and the secret is not expired
     */
    @Override
    public boolean validate(OAuthRegisteredService oAuthRegisteredService, String str) {
        // The expiration lookup runs only after the inherited check has accepted the secret.
        if (!super.validate(oAuthRegisteredService, str)) {
            return false;
        }
        return !isClientSecretExpired(oAuthRegisteredService);
    }

    /**
     * Reports whether the service's client secret is past its configured expiration.
     *
     * <p>The expiration is read as seconds since the Unix epoch. The secret is still considered
     * valid at the exact expiration instant; it is expired only once the current time is strictly
     * later.
     *
     * @param oAuthRegisteredService the registered service to inspect
     * @return {@code true} if the service is an OIDC service with a positive expiration that lies
     *     in the past, {@code false} otherwise
     */
    @Override
    public boolean isClientSecretExpired(OAuthRegisteredService oAuthRegisteredService) {
        if (oAuthRegisteredService instanceof OidcRegisteredService) {
            OidcRegisteredService oidcService = (OidcRegisteredService) oAuthRegisteredService;
            long expirationEpochSeconds = oidcService.getClientSecretExpiration();
            // Zero or a negative value is the "never expires" marker.
            if (expirationEpochSeconds > 0) {
                ZonedDateTime expiresAt =
                        DateTimeUtils.zonedDateTimeOf(Instant.ofEpochSecond(expirationEpochSeconds));
                ZonedDateTime currentTime = ZonedDateTime.now(ZoneOffset.UTC);
                LOGGER.debug("Client secret is set to expire at [{}], while now is [{}]", expiresAt, currentTime);
                // isAfter compares the underlying instants, so the zone attached to expiresAt
                // does not influence the outcome.
                boolean expired = currentTime.isAfter(expiresAt);
                if (expired) {
                    LOGGER.debug("Client secret for service [{}] has expired at [{}] and must be renewed", oidcService.getName(), expiresAt);
                }
                return expired;
            }
        }
        return false;
    }
}
