package net.shibboleth.idp.cas.proxy.impl;

import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.login.CredentialException;
import javax.security.auth.login.FailedLoginException;
import net.shibboleth.idp.cas.config.AbstractProtocolConfiguration;
import net.shibboleth.idp.cas.protocol.ProtocolContext;
import net.shibboleth.idp.cas.proxy.ProxyValidator;
import net.shibboleth.idp.cas.service.Service;
import net.shibboleth.idp.cas.service.ServiceContext;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.apache.hc.client5.http.ClientProtocolException;
import org.apache.hc.client5.http.classic.HttpClient;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.protocol.HttpClientContext;
import org.apache.hc.core5.http.ClassicHttpResponse;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.httpclient.HttpClientSecurityConstants;
import org.opensaml.security.httpclient.HttpClientSecurityParameters;
import org.opensaml.security.httpclient.HttpClientSecuritySupport;
import org.opensaml.security.x509.TrustedNamesCriterion;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/idp-cas-impl-5.1.0.jar:net/shibboleth/idp/cas/proxy/impl/HttpClientProxyValidator.class */
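/**
 * Validates a CAS proxy callback URI by issuing an HTTPS GET to it and checking the response status.
 *
 * <p>Trust in the callback endpoint's TLS certificate is delegated to the trust engine carried in the
 * configured {@link HttpClientSecurityParameters}; the criteria handed to that engine are derived from
 * the requesting {@link Service} and the callback host (see {@link #setCASTLSTrustEngineCriteria}).
 * After the exchange the validator additionally confirms that the trust engine really evaluated the
 * server certificate, so a misconfigured client cannot silently accept an unverified peer.
 *
 * <p>The only mutable state is {@link #allowedResponseCodes}, which is replaced wholesale (never
 * mutated in place) by {@link #setAllowedResponseCodes}.
 */
public class HttpClientProxyValidator implements ProxyValidator {

    /** Only callbacks using this scheme are accepted; {@link #validate} rejects any other scheme before doing network I/O. */
    @Nonnull
    @NotEmpty
    protected static final String HTTPS_SCHEME = "https";

    /** Client used to contact the proxy callback endpoint. */
    @Nonnull
    private final HttpClient httpClient;

    /** TLS trust engine and related settings marshalled into every request context. */
    @Nonnull
    private final HttpClientSecurityParameters securityParameters;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(HttpClientProxyValidator.class);

    /** Navigates ProfileRequestContext -> ProtocolContext -> ServiceContext. */
    @Nonnull
    private final Function<ProfileRequestContext, ServiceContext> serviceCtxLookupFunction =
            new ChildContextLookup(ServiceContext.class).compose(new ChildContextLookup(ProtocolContext.class));

    /** HTTP status codes that count as a successful callback; defaults to 200 only. */
    @NotEmpty
    private Set<Integer> allowedResponseCodes = CollectionSupport.singleton(200);

    /**
     * Creates a validator.
     *
     * @param httpClient client used for the callback request
     * @param httpClientSecurityParameters TLS security parameters (trust engine etc.) applied to the request
     */
    public HttpClientProxyValidator(@Nonnull final HttpClient httpClient,
            @Nonnull final HttpClientSecurityParameters httpClientSecurityParameters) {
        this.httpClient = Constraint.isNotNull(httpClient, "HTTP client cannot be null");
        this.securityParameters =
                Constraint.isNotNull(httpClientSecurityParameters, "HTTP client security parameters cannot be null");
    }

    /**
     * Sets the HTTP status codes accepted from the callback endpoint.
     *
     * <p>The set is copied, so later changes to the caller's collection have no effect here.
     *
     * @param set non-empty set of acceptable status codes
     */
    public void setAllowedResponseCodes(@Nonnull @NotEmpty final Set<Integer> set) {
        Constraint.isNotEmpty(set, "Response codes cannot be null or empty.");
        allowedResponseCodes = CollectionSupport.copyToSet(set);
    }

    /**
     * Validates the callback URI: it must be https, must carry a host to pin the TLS trusted name to,
     * and the endpoint must answer with one of the {@link #allowedResponseCodes}.
     *
     * @param profileRequestContext current profile request context; must contain a {@link ServiceContext}
     * @param uri proxy callback URI supplied by the caller
     *
     * @throws GeneralSecurityException if the URI is not an https URI with a host, if the TLS exchange or
     *         certificate evaluation fails (see {@link #connect}), or as a {@link FailedLoginException}
     *         if the endpoint returns an unacceptable status code
     * @throws IllegalStateException if no service context is present in the profile request context
     */
    @Override
    public void validate(@Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final URI uri)
            throws GeneralSecurityException {
        Constraint.isNotNull(uri, "Proxy callback URI cannot be null");
        // Scheme check happens before any network activity.
        if (!HTTPS_SCHEME.equalsIgnoreCase(uri.getScheme())) {
            throw new GeneralSecurityException(uri + " is not an https URI as required.");
        }
        // Fail closed: the trust engine's only trusted name is the callback host, so a URI without a
        // host component (e.g. a registry-based authority) can never be meaningfully verified.
        if (uri.getHost() == null) {
            throw new GeneralSecurityException(uri + " does not contain a host as required.");
        }
        final ServiceContext serviceContext = serviceCtxLookupFunction.apply(profileRequestContext);
        if (serviceContext == null) {
            throw new IllegalStateException("Service context not found in profile request context as required");
        }
        final int status = connect(uri, serviceContext.getService());
        if (!allowedResponseCodes.contains(status)) {
            throw new FailedLoginException(uri + " returned unacceptable HTTP status code: " + status);
        }
    }

    /**
     * Performs the HTTPS GET against the callback URI and returns the response status code.
     *
     * @param uri callback URI
     * @param service the service (CAS client) that registered the callback
     *
     * @return HTTP status code returned by the endpoint
     *
     * @throws GeneralSecurityException as a {@link CredentialException} if the peer certificate was not
     *         trusted or its evaluation did not take place, as the wrapped {@link CertificateException}
     *         if one caused the TLS failure, or wrapping any other SSL, protocol, or I/O error
     */
    protected int connect(@Nonnull final URI uri, @Nonnull final Service service) throws GeneralSecurityException {
        final HttpClientContext context = HttpClientContext.create();
        assert context != null;
        // Third argument is OpenSAML's "replace" flag; the original passes true so that these security
        // parameters take precedence over anything already on the fresh context.
        HttpClientSecuritySupport.marshalSecurityParameters(context, securityParameters, true);
        setCASTLSTrustEngineCriteria(context, uri, service);
        log.debug("Attempting to validate CAS proxy callback URI {}", uri);
        final HttpGet request = new HttpGet(uri);
        assert request != null;
        try (ClassicHttpResponse response = httpClient.executeOpen(null, request, context)) {
            final String scheme = request.getScheme();
            assert scheme != null;
            // A response alone does not prove the server certificate was checked: per OpenSAML's contract
            // this raises SSLPeerUnverifiedException for an https request whose context lacks the
            // trust-engine evaluation marker, which the catch below maps to CredentialException.
            HttpClientSecuritySupport.checkTLSCredentialEvaluated(context, scheme);
            return response.getCode();
        } catch (final SSLPeerUnverifiedException e) {
            final CredentialException ce =
                    new CredentialException("Untrusted certificate presented by CAS proxy callback endpoint");
            // CredentialException has no cause-taking constructor; keep the chain for diagnostics.
            ce.initCause(e);
            throw ce;
        } catch (final SSLException e) {
            if (e.getCause() instanceof CertificateException) {
                throw (CertificateException) e.getCause();
            }
            throw new GeneralSecurityException("SSL connection error", e);
        } catch (final ClientProtocolException e) {
            throw new GeneralSecurityException("HTTP protocol error", e);
        } catch (final IOException e) {
            throw new GeneralSecurityException("IO error", e);
        }
    }

    /**
     * Installs the criteria the TLS trust engine uses to resolve trusted credentials for this callback:
     * the requesting service's entity ID (falling back to the service name when it has no metadata
     * descriptor), the SP role, the CAS protocol URI, the SIGNING usage, and the callback host as the
     * only trusted name.
     *
     * @param httpClientContext context the criteria set is attached to
     * @param uri callback URI; its host becomes the trusted name
     * @param service the service (CAS client) that registered the callback
     */
    private static void setCASTLSTrustEngineCriteria(@Nonnull final HttpClientContext httpClientContext,
            @Nonnull final URI uri, @Nonnull final Service service) {
        final EntityDescriptor entityDescriptor = service.getEntityDescriptor();
        final String entityID = entityDescriptor != null ? entityDescriptor.getEntityID() : service.getName();
        assert entityID == null ? false : true;
        httpClientContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET,
                new CriteriaSet(
                        new EntityIdCriterion(entityID),
                        new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME),
                        new ProtocolCriterion(AbstractProtocolConfiguration.PROTOCOL_URI),
                        new UsageCriterion(UsageType.SIGNING),
                        new TrustedNamesCriterion(CollectionSupport.singleton(uri.getHost()))));
    }
}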
