package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.google.gson.reflect.TypeToken;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.openid.connect.sdk.rp.ApplicationType;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientRegistrationRequest;
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.apache.http.HttpResponse;
import org.apache.http.ParseException;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.httpclient.HttpClientSecurityParameters;
import org.opensaml.security.httpclient.HttpClientSecuritySupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/CheckRedirectURIs.class */
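/**
 * Profile action that validates the {@code redirect_uris} of an OIDC dynamic client registration request.
 *
 * <p>Rules enforced, in order:</p>
 * <ul>
 *   <li>client metadata and at least one redirect URI must be present;</li>
 *   <li>if a {@code sector_identifier_uri} is given it must use the {@code https} scheme and, once fetched,
 *       the JSON array it returns must contain every redirect URI of the request;</li>
 *   <li>web applications (the default when {@code application_type} is absent) must use {@code https} for
 *       every redirect URI when the implicit grant is requested, and may not use {@code localhost} as host;</li>
 *   <li>native applications may not use {@code https}, and may use {@code http} only with {@code localhost}
 *       as host.</li>
 * </ul>
 *
 * <p>The {@code sector_identifier_uri} document is fetched from a client-supplied URL with the configured
 * {@link HttpClient} and {@link HttpClientSecurityParameters}; TLS trust evaluation of that connection is
 * checked via {@link HttpClientSecuritySupport#checkTLSCredentialEvaluated}.</p>
 *
 * <p>Events built: {@code InvalidProfileContext}, {@code InvalidMessageContext}, {@code InvalidMessage},
 * {@code MissingRedirectionURIs}, {@code InvalidRedirectionURIs}.</p>
 */
public class CheckRedirectURIs extends AbstractProfileAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(CheckRedirectURIs.class);

    /** The registration request taken from the inbound message context in {@link #doPreExecute}. */
    @Nullable
    private OIDCClientRegistrationRequest request;

    /** Client used to fetch the {@code sector_identifier_uri} document. */
    @NonnullAfterInit
    private HttpClient httpClient;

    /** Optional security parameters (TLS trust engine etc.) applied to the fetch. */
    @Nullable
    private HttpClientSecurityParameters httpClientSecurityParameters;

    /**
     * Sets the HTTP client used to fetch the {@code sector_identifier_uri} document.
     *
     * @param client the client, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     * @throws net.shibboleth.utilities.java.support.component.DestroyedComponentException if already destroyed
     */
    public void setHttpClient(@Nonnull final HttpClient client) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        httpClient = Constraint.isNotNull(client, "HttpClient cannot be null");
    }

    /**
     * Sets the optional HTTP client security parameters applied to the {@code sector_identifier_uri} fetch.
     *
     * @param params the parameters, may be null
     */
    public void setHttpClientSecurityParameters(@Nullable final HttpClientSecurityParameters params) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        httpClientSecurityParameters = params;
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (httpClient == null) {
            throw new ComponentInitializationException(getLogPrefix() + " HttpClient cannot be null");
        }
    }

    /**
     * Locates the {@link OIDCClientRegistrationRequest} in the inbound message context.
     *
     * @param profileRequestContext the profile request context
     * @return true if the request was found, false (with an event built) otherwise
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        if (profileRequestContext.getInboundMessageContext() == null) {
            log.debug("{} No inbound message context associated with this profile request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        final Object message = profileRequestContext.getInboundMessageContext().getMessage();
        // instanceof is false for null, so no separate null check is needed.
        if (message instanceof OIDCClientRegistrationRequest) {
            request = (OIDCClientRegistrationRequest) message;
            return true;
        }
        log.debug("{} No inbound message associated with this profile request", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
        return false;
    }

    /**
     * Runs the redirect URI checks; on the first failure an event is built and the action returns.
     *
     * @param profileRequestContext the profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        final OIDCClientMetadata metadata = request.getOIDCClientMetadata();
        if (metadata == null) {
            log.warn("{} No client metadata found in the request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }
        final Set<URI> redirectionURIs = metadata.getRedirectionURIs();
        if (redirectionURIs == null || redirectionURIs.isEmpty()) {
            log.warn("{} No redirection URIs found in the request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "MissingRedirectionURIs");
            return;
        }
        if (!checkSectorIdentifier(profileRequestContext, metadata, redirectionURIs)) {
            return;
        }
        final ApplicationType applicationType = metadata.getApplicationType();
        // A missing application_type is treated as "web", the spec default.
        final boolean webApplication = applicationType == null || ApplicationType.WEB.equals(applicationType);
        final boolean accepted = webApplication
                ? checkWebApplicationURIs(profileRequestContext, metadata, redirectionURIs)
                : checkNativeApplicationURIs(profileRequestContext, redirectionURIs);
        if (accepted) {
            log.debug("{} Redirect URIs ({}) checked", getLogPrefix(), redirectionURIs.size());
        }
    }

    /**
     * Validates the optional {@code sector_identifier_uri}: it must use {@code https} (strict, as the URI
     * is what the client asked us to fetch) and its contents must cover all redirect URIs.
     *
     * @param profileRequestContext the profile request context, used to build events
     * @param metadata the client metadata
     * @param redirectionURIs the redirect URIs of the request
     * @return true if there is no sector identifier or it validated, false if an event was built
     */
    private boolean checkSectorIdentifier(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final OIDCClientMetadata metadata, @Nonnull final Set<URI> redirectionURIs) {
        final URI sectorIDURI = metadata.getSectorIDURI();
        if (sectorIDURI == null) {
            return true;
        }
        log.debug("{} Found sector_identifier_uri {}", getLogPrefix(), sectorIDURI);
        // Literal-first equals also rejects a relative URI whose scheme is null instead of throwing.
        if (!"https".equals(sectorIDURI.getScheme())) {
            log.warn("{} Invalid sector_identifier_uri scheme {}", getLogPrefix(), sectorIDURI.getScheme());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return false;
        }
        if (!verifySectorIdUri(sectorIDURI, redirectionURIs)) {
            log.warn("{} All redirect URIs are not found from sector_identifier_uri", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRedirectionURIs");
            return false;
        }
        return true;
    }

    /**
     * Web application rules: {@code https} everywhere when the implicit grant is requested, and no
     * {@code localhost} host.
     *
     * @param profileRequestContext the profile request context, used to build events
     * @param metadata the client metadata
     * @param redirectionURIs the redirect URIs of the request
     * @return true if accepted, false if an event was built
     */
    private boolean checkWebApplicationURIs(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final OIDCClientMetadata metadata, @Nonnull final Set<URI> redirectionURIs) {
        final Set<GrantType> grantTypes = metadata.getGrantTypes();
        if (grantTypes != null && grantTypes.contains(GrantType.IMPLICIT)
                && !checkScheme(redirectionURIs, "https")) {
            log.warn("{} Only https-scheme is allowed for implicit flow", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRedirectionURIs");
            return false;
        }
        if (checkForbiddenHostname(redirectionURIs, "localhost")) {
            log.warn("{} localhost as the hostname in the redirect URI for a Web app", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRedirectionURIs");
            return false;
        }
        return true;
    }

    /**
     * Native application rules: no {@code https} at all, and {@code http} only with {@code localhost} as host.
     *
     * @param profileRequestContext the profile request context, used to build events
     * @param redirectionURIs the redirect URIs of the request
     * @return true if accepted, false if an event was built
     */
    private boolean checkNativeApplicationURIs(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final Set<URI> redirectionURIs) {
        if (checkForbiddenScheme(redirectionURIs, "https")) {
            log.warn("{} https-scheme is not allowed for a native application", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRedirectionURIs");
            return false;
        }
        for (final URI uri : redirectionURIs) {
            // Literal-first equalsIgnoreCase rejects an http URI with no host instead of throwing.
            if (hasScheme(uri, "http") && !"localhost".equalsIgnoreCase(uri.getHost())) {
                log.warn("{} http-scheme is only allowed to localhost for a native application", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InvalidRedirectionURIs");
                return false;
            }
            log.debug("{} Accepting a redirect URI {} for a native application", getLogPrefix(), uri);
        }
        return true;
    }

    /**
     * Fetches the client-supplied {@code sector_identifier_uri} and checks that the JSON array it returns
     * contains every redirect URI of the request.
     *
     * <p>Only a 2xx response with a parseable JSON array of URIs is accepted; any transport, TLS
     * evaluation, status or parse problem is logged and results in {@code false}.</p>
     *
     * @param uri the sector identifier URI to fetch
     * @param set the redirect URIs that must all be listed
     * @return true if every redirect URI was found in the fetched document
     */
    protected boolean verifySectorIdUri(final URI uri, final Set<URI> set) {
        final HttpResponse response;
        try {
            final HttpUriRequest httpRequest = RequestBuilder.get().setUri(uri).build();
            final HttpClientContext context = HttpClientContext.create();
            HttpClientSecuritySupport.marshalSecurityParameters(context, httpClientSecurityParameters, true);
            HttpClientSecuritySupport.addDefaultTLSTrustEngineCriteria(context, httpRequest);
            response = httpClient.execute(httpRequest, context);
            // Fails if a trust engine was configured but the TLS credential was never evaluated.
            HttpClientSecuritySupport.checkTLSCredentialEvaluated(context, httpRequest.getURI().getScheme());
        } catch (final Exception e) {
            log.error("{} Could not get the sector_identifier_uri contents from {}", getLogPrefix(), uri, e);
            return false;
        }
        if (response == null) {
            log.error("{} Could not get the sector_identifier_uri contents from {}", getLogPrefix(), uri);
            return false;
        }
        try {
            final int status = response.getStatusLine() == null ? -1 : response.getStatusLine().getStatusCode();
            if (status < 200 || status >= 300) {
                log.error("{} Unexpected HTTP status {} fetching the sector_identifier_uri contents from {}",
                        getLogPrefix(), status, uri);
                return false;
            }
            if (response.getEntity() == null) {
                log.error("{} sector_identifier_uris contents is empty, no URLs included: {}", getLogPrefix(), "");
                return false;
            }
            final String body = EntityUtils.toString(response.getEntity(), "UTF-8");
            log.trace("{} Fetched the following response body: {}", getLogPrefix(), body);
            final List<URI> sectorURIs =
                    new Gson().fromJson(body, new TypeToken<ArrayList<URI>>() { }.getType());
            if (sectorURIs == null) {
                log.error("{} sector_identifier_uris contents is empty, no URLs included: {}", getLogPrefix(), body);
                return false;
            }
            for (final URI redirectURI : set) {
                // Exact URI equality: the registered value must appear verbatim in the sector document.
                if (!sectorURIs.contains(redirectURI)) {
                    log.error("{} Redirect URI {} was not found from the sector_identifier_uris",
                            getLogPrefix(), redirectURI);
                    return false;
                }
                log.trace("{} Redirect URI was validated against the sector_identifier_uris", getLogPrefix());
            }
            return true;
        } catch (final JsonSyntaxException e) {
            log.error("{} Could not parse the sector_identifier_uri contents from {}", getLogPrefix(), uri, e);
            return false;
        } catch (final IOException | ParseException | RuntimeException e) {
            log.error("{} Could not parse the sector_identifier_uri contents from {}", getLogPrefix(), uri, e);
            return false;
        } finally {
            // Always release the connection, whichever branch returned.
            EntityUtils.consumeQuietly(response.getEntity());
        }
    }

    /**
     * Checks that every URI in the set uses the given scheme (case-insensitively, null-safe).
     *
     * @param set the URIs to check
     * @param str the required scheme
     * @return true if all URIs use the scheme
     */
    protected boolean checkScheme(final Set<URI> set, final String str) {
        for (final URI uri : set) {
            if (!hasScheme(uri, str)) {
                log.trace("{} Found '{}' as the scheme in the redirect URI, all should be {}",
                        getLogPrefix(), uri.getScheme(), str);
                return false;
            }
        }
        return true;
    }

    /**
     * Checks whether any URI in the set uses the given (forbidden) scheme, case-insensitively and null-safe,
     * so that a differently cased scheme cannot slip past the check.
     *
     * @param set the URIs to check
     * @param str the forbidden scheme
     * @return true if at least one URI uses the scheme
     */
    protected boolean checkForbiddenScheme(final Set<URI> set, final String str) {
        for (final URI uri : set) {
            if (hasScheme(uri, str)) {
                log.trace("{} Found forbidden '{}' as the scheme in the redirect URI {}", getLogPrefix(), str, uri);
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether any URI in the set has the given hostname (case-insensitive, null host never matches).
     * Only the literal hostname is compared; an IP literal naming the same interface is not matched here.
     *
     * @param set the URIs to check
     * @param str the forbidden hostname
     * @return true if at least one URI has the hostname
     */
    protected boolean checkForbiddenHostname(final Set<URI> set, final String str) {
        for (final URI uri : set) {
            if (str.equalsIgnoreCase(uri.getHost())) {
                log.trace("{} Found forbidden {} as the hostname in the redirect URIs", getLogPrefix(), str);
                return true;
            }
        }
        return false;
    }

    /**
     * Null-safe, case-insensitive scheme comparison; URI schemes are case-insensitive, and a relative URI
     * has no scheme at all.
     *
     * @param uri the URI
     * @param scheme the scheme to compare against
     * @return true if the URI's scheme equals the given one ignoring case
     */
    private static boolean hasScheme(@Nonnull final URI uri, @Nonnull final String scheme) {
        return scheme.equalsIgnoreCase(uri.getScheme());
    }
}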
