package org.opensaml.saml.metadata.resolver.impl;

import com.google.common.io.ByteStreams;
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.cert.CertificateException;
import java.util.Collection;
import java.util.Collections;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.test.repository.RepositorySupport;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.testing.XMLObjectBaseTestCase;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.httpclient.HttpClientSecurityParameters;
import org.opensaml.security.httpclient.impl.SecurityEnhancedHttpClientSupport;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.trust.impl.ExplicitKeyTrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.X509Support;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:org/opensaml/saml/metadata/resolver/impl/HTTPMetadataResolverTest.class */
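/**
 * Tests for {@link HTTPMetadataResolver}: plain-HTTP retrieval, fail-fast versus lenient
 * initialization against a URL that does not serve metadata, and HTTPS retrieval where the server
 * certificate is evaluated by an OpenSAML {@link TrustEngine} (explicit-key and PKIX, with and
 * without hostname evaluation).
 *
 * <p>The HTTPS cases are the security-relevant ones. Each "Invalid"/"Wrong" test asserts that a
 * trust-engine rejection (unexpected key, untrusted CA, name mismatch), or a client whose socket
 * factory cannot apply the configured trust engine, makes {@code initialize()} fail and records a
 * {@link ResolverException} as the failure cause, rather than accepting metadata fetched over a
 * connection whose peer was never verified.
 *
 * <p>These tests require network access to the repository URLs built by {@link RepositorySupport}
 * and to {@code badMDURL}. {@link #testHTTPSNoTrustEngine()} temporarily changes JVM-wide
 * {@code javax.net.ssl.*} system properties and restores them afterwards.
 */
public class HTTPMetadataResolverTest extends XMLObjectBaseTestCase {

    /** Classpath directory holding the test certificates used to build trust engines. */
    static final String DATA_PATH = "/org/opensaml/saml/metadata/resolver/impl/";

    /** Repository-relative path of the metadata document fetched over HTTP and HTTPS. */
    private static final String REPO_METADATA_PATH =
            "opensaml-saml-impl/src/test/resources/org/opensaml/saml/metadata/resolver/impl/08ced64cddc9f1578598b2cf71ae747b11d11472.xml";

    /** JSSE system property naming the default truststore. */
    private static final String TRUST_STORE_PROP = "javax.net.ssl.trustStore";

    /** JSSE system property holding the default truststore password. */
    private static final String TRUST_STORE_PASSWORD_PROP = "javax.net.ssl.trustStorePassword";

    /** Fresh builder per test method; tests install a TLS socket factory on it before building. */
    private HttpClientBuilder httpClientBuilder;

    /** HTTP URL of the test metadata document. */
    private String metadataURLHttp;

    /** HTTPS URL of the test metadata document. */
    private String metadataURLHttps;

    /** A reachable URL that does not serve SAML metadata. */
    private String badMDURL;

    /** Entity ID expected to be present in the test metadata. */
    private String entityID;

    /** Resolver under test for the current method. */
    private HTTPMetadataResolver metadataProvider;

    /** Criteria selecting {@link #entityID}. */
    private CriteriaSet criteriaSet;

    /** Builds the HTTP and HTTPS metadata URLs once for the whole class. */
    @BeforeClass
    protected void setUpClass() {
        this.metadataURLHttps = RepositorySupport.buildHTTPSResourceURL("java-opensaml", REPO_METADATA_PATH);
        // The trailing boolean is kept from the original call; its meaning is defined by RepositorySupport.
        this.metadataURLHttp = RepositorySupport.buildHTTPResourceURL("java-opensaml", REPO_METADATA_PATH, false);
    }

    /** Resets per-test state: a new client builder, the bad URL, the expected entity ID and its criteria. */
    @BeforeMethod
    protected void setUpMethod() throws Exception {
        this.httpClientBuilder = new HttpClientBuilder();
        this.badMDURL = "http://www.google.com/";
        this.entityID = "https://www.example.org/sp";
        this.criteriaSet = new CriteriaSet(new Criterion[]{new EntityIdCriterion(this.entityID)});
    }

    /** Plain HTTP retrieval: initialization succeeds and the expected entity resolves. */
    @Test
    public void testGetEntityDescriptor() throws Exception {
        try {
            this.metadataProvider = newResolver(this.metadataURLHttp);
            this.metadataProvider.initialize();
            assertLastRefreshSucceeded();
        } catch (final ComponentInitializationException e) {
            // Pass the cause through so the report shows why a valid document failed to load.
            Assert.fail("Valid metadata failed init", e);
        }
        assertResolvesExpectedEntity();
    }

    /** With fail-fast on, a URL that does not serve metadata must make initialization throw. */
    @Test
    public void testFailFastBadURL() throws Exception {
        this.metadataProvider = newResolver(this.badMDURL);
        this.metadataProvider.setFailFastInitialization(true);
        assertInitializationFails("metadata provider claims to have parsed known invalid data");
    }

    /**
     * With fail-fast off, initialization completes, but the refresh is recorded as failed and
     * nothing resolves.
     */
    @Test
    public void testNoFailFastBadURL() throws Exception {
        this.metadataProvider = newResolver(this.badMDURL);
        this.metadataProvider.setFailFastInitialization(false);
        try {
            this.metadataProvider.initialize();
        } catch (final ComponentInitializationException e) {
            Assert.fail("Provider failed init with fail-fast=false", e);
        }
        assertLastRefreshFailed();
        Assert.assertNull(this.metadataProvider.resolveSingle(this.criteriaSet),
                "Nothing should resolve after a failed refresh");
    }

    /** A trust-engine-capable socket factory is harmless on a plain HTTP URL with no trust engine set. */
    @Test
    public void testTrustEngineSocketFactoryNoHTTPSNoTrustEngine() throws Exception {
        this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory(true));
        this.metadataProvider = newResolver(this.metadataURLHttp);
        this.metadataProvider.initialize();
        assertLastRefreshSucceeded();
        assertResolvesExpectedEntity();
    }

    /**
     * Trust-engine-capable socket factory plus an explicit-key trust engine.
     *
     * <p>NOTE(review): despite the method name this fetches {@link #metadataURLHttps}, exactly as
     * {@link #testHTTPSTrustEngineExplicitKey()} does; the URL is kept as in the original test, so
     * either the name or the URL is likely a mistake to be confirmed.
     */
    @Test
    public void testTrustEngineSocketFactoryNoHTTPSWithTrustEngine() throws Exception {
        this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory());
        this.metadataProvider = newHttpsResolver(buildExplicitKeyTrustEngine("repo-entity.crt"));
        this.metadataProvider.initialize();
        assertLastRefreshSucceeded();
        assertResolvesExpectedEntity();
    }

    /**
     * HTTPS without a trust engine: the socket factory is built with trust-engine support off, so
     * server-certificate validation is left to JSSE, which is pointed at the repository truststore
     * through system properties for the duration of the test.
     */
    @Test
    public void testHTTPSNoTrustEngine() throws Exception {
        final URL truststore = getClass().getResource("repo.truststore.jks");
        Assert.assertNotNull(truststore, "Test truststore repo.truststore.jks not found on classpath");

        // These properties are JVM-global; remember the prior values so other tests in the same
        // JVM are not left running against an empty truststore setting.
        final String previousStore = System.getProperty(TRUST_STORE_PROP);
        final String previousPassword = System.getProperty(TRUST_STORE_PASSWORD_PROP);
        try {
            System.setProperty(TRUST_STORE_PROP, truststore.getFile());
            System.setProperty(TRUST_STORE_PASSWORD_PROP, "shibboleth");
            this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory(false));
            this.metadataProvider = newResolver(this.metadataURLHttps);
            this.metadataProvider.initialize();
            assertLastRefreshSucceeded();
            assertResolvesExpectedEntity();
        } finally {
            restoreProperty(TRUST_STORE_PROP, previousStore);
            restoreProperty(TRUST_STORE_PASSWORD_PROP, previousPassword);
        }
    }

    /** HTTPS with an explicit-key trust engine pinned to the server's certificate succeeds. */
    @Test
    public void testHTTPSTrustEngineExplicitKey() throws Exception {
        this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory());
        this.metadataProvider = newHttpsResolver(buildExplicitKeyTrustEngine("repo-entity.crt"));
        this.metadataProvider.initialize();
        assertLastRefreshSucceeded();
        assertResolvesExpectedEntity();
    }

    /** HTTPS with an explicit-key trust engine pinned to the wrong certificate must fail. */
    @Test
    public void testHTTPSTrustEngineInvalidKey() throws Exception {
        this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory());
        this.metadataProvider = newHttpsResolver(buildExplicitKeyTrustEngine("badKey.crt"));
        assertInitializationFails("Invalid metadata TLS should have failed init");
    }

    /** HTTPS with a PKIX trust engine anchored at the repository root CA, no name evaluation. */
    @Test
    public void testHTTPSTrustEngineValidPKIX() throws Exception {
        this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory());
        this.metadataProvider = newHttpsResolver(buildPKIXTrustEngine("repo-rootCA.crt", null, false));
        this.metadataProvider.initialize();
        assertLastRefreshSucceeded();
        assertResolvesExpectedEntity();
    }

    /** PKIX trust with name evaluation against the server's actual name succeeds. */
    @Test
    public void testHTTPSTrustEngineValidPKIXExplicitName() throws Exception {
        this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory());
        this.metadataProvider =
                newHttpsResolver(buildPKIXTrustEngine("repo-rootCA.crt", "test.shibboleth.net", true));
        this.metadataProvider.initialize();
        assertLastRefreshSucceeded();
        assertResolvesExpectedEntity();
    }

    /** PKIX trust anchored at a CA that did not issue the server certificate must fail. */
    @Test
    public void testHTTPSTrustEngineInvalidPKIX() throws Exception {
        this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory());
        this.metadataProvider = newHttpsResolver(buildPKIXTrustEngine("badCA.crt", null, false));
        assertInitializationFails("Invalid metadata TLS should have failed init");
    }

    /** A valid chain but a trusted name that does not match the server must fail when names are evaluated. */
    @Test
    public void testHTTPSTrustEngineValidPKIXInvalidName() throws Exception {
        this.httpClientBuilder.setTLSSocketFactory(buildSocketFactory());
        this.metadataProvider =
                newHttpsResolver(buildPKIXTrustEngine("repo-rootCA.crt", "foobar.shibboleth.net", true));
        assertInitializationFails("Invalid metadata TLS should have failed init");
    }

    /**
     * A trust engine is configured but the client is built without a trust-engine-capable socket
     * factory, so the engine can never be applied. Initialization must fail rather than proceed
     * with a connection the configured engine did not evaluate.
     */
    @Test
    public void testHTTPSTrustEngineWrongSocketFactory() throws Exception {
        this.metadataProvider = newHttpsResolver(buildExplicitKeyTrustEngine("repo-entity.crt"));
        assertInitializationFails("Invalid metadata TLS should have failed init");
    }

    // ---- helpers shared by the tests ----

    /**
     * Creates an uninitialized resolver for {@code url} with the shared parser pool and a fixed ID.
     *
     * @param url metadata location to fetch
     * @return the resolver, not yet initialized
     * @throws Exception if the HTTP client cannot be built
     */
    private HTTPMetadataResolver newResolver(final String url) throws Exception {
        final HTTPMetadataResolver resolver = new HTTPMetadataResolver(this.httpClientBuilder.buildClient(), url);
        resolver.setParserPool(parserPool);
        resolver.setId("test");
        return resolver;
    }

    /**
     * Creates an uninitialized resolver for {@link #metadataURLHttps} whose TLS server certificate
     * is to be evaluated by {@code trustEngine}.
     *
     * @param trustEngine engine the HTTP client security parameters will carry
     * @return the resolver, not yet initialized
     * @throws Exception if the HTTP client cannot be built
     */
    private HTTPMetadataResolver newHttpsResolver(final TrustEngine<? super X509Credential> trustEngine)
            throws Exception {
        final HTTPMetadataResolver resolver = newResolver(this.metadataURLHttps);
        final HttpClientSecurityParameters params = new HttpClientSecurityParameters();
        params.setTLSTrustEngine(trustEngine);
        resolver.setHttpClientSecurityParameters(params);
        return resolver;
    }

    /** Asserts the last refresh of {@link #metadataProvider} is recorded as successful with no cause. */
    private void assertLastRefreshSucceeded() {
        Assert.assertNotNull(this.metadataProvider.wasLastRefreshSuccess());
        Assert.assertTrue(this.metadataProvider.wasLastRefreshSuccess().booleanValue());
        Assert.assertNull(this.metadataProvider.getLastFailureCause());
    }

    /** Asserts the last refresh is recorded as failed with a {@link ResolverException} cause. */
    private void assertLastRefreshFailed() {
        Assert.assertNotNull(this.metadataProvider.wasLastRefreshSuccess());
        Assert.assertFalse(this.metadataProvider.wasLastRefreshSuccess().booleanValue());
        final Throwable cause = this.metadataProvider.getLastFailureCause();
        Assert.assertNotNull(cause);
        Assert.assertTrue(cause instanceof ResolverException,
                "Expected a ResolverException failure cause but got " + cause.getClass().getName());
    }

    /**
     * Initializes {@link #metadataProvider}, expecting {@link ComponentInitializationException},
     * and then checks the failure was recorded.
     *
     * @param failureMessage message reported if initialization unexpectedly succeeds
     */
    private void assertInitializationFails(final String failureMessage) {
        try {
            this.metadataProvider.initialize();
            Assert.fail(failureMessage);
        } catch (final ComponentInitializationException e) {
            assertLastRefreshFailed();
        }
    }

    /** Resolves {@link #criteriaSet} and asserts the returned descriptor carries {@link #entityID}. */
    private void assertResolvesExpectedEntity() throws ResolverException {
        final EntityDescriptor descriptor = this.metadataProvider.resolveSingle(this.criteriaSet);
        Assert.assertNotNull(descriptor, "Retrieved entity descriptor was null");
        Assert.assertEquals(descriptor.getEntityID(), this.entityID, "Entity's ID does not match requested ID");
    }

    /**
     * Puts a system property back to its previous value, clearing it when there was none.
     *
     * @param name property name
     * @param previous value before the test, or null if it was unset
     */
    private static void restoreProperty(final String name, final String previous) {
        if (previous == null) {
            System.clearProperty(name);
        } else {
            System.setProperty(name, previous);
        }
    }

    /**
     * Reads a test resource from {@link #DATA_PATH} fully into memory, closing the stream.
     *
     * @param name file name relative to {@link #DATA_PATH}
     * @return the resource bytes
     * @throws IOException if the resource is missing or cannot be read
     */
    private static byte[] readTestResource(final String name) throws IOException {
        final String path = DATA_PATH + name;
        try (InputStream in = FileBackedHTTPMetadataResolver.class.getResourceAsStream(path)) {
            if (in == null) {
                // Fail with the path instead of the NPE ByteStreams would raise on a null stream.
                throw new IOException("Test resource not found on classpath: " + path);
            }
            return ByteStreams.toByteArray(in);
        }
    }

    /**
     * Builds a PKIX trust engine anchored at a single CA certificate from the test resources.
     *
     * @param caCertResource CA certificate file name under {@link #DATA_PATH}
     * @param trustedName hostname to register as trusted, or null for none
     * @param evaluateNames whether to attach a credential name evaluator (hostname check)
     * @return the trust engine
     * @throws URISyntaxException declared for caller compatibility; not thrown here
     * @throws CertificateException if the certificate cannot be decoded
     * @throws IOException if the resource cannot be read
     */
    public static TrustEngine<? super X509Credential> buildPKIXTrustEngine(final String caCertResource,
            final String trustedName, final boolean evaluateNames)
            throws URISyntaxException, CertificateException, IOException {
        // No CRLs; the raw cast is kept from the original to select the same constructor. Depth 5.
        final BasicPKIXValidationInformation validationInfo = new BasicPKIXValidationInformation(
                Collections.singletonList(X509Support.decodeCertificate(readTestResource(caCertResource))),
                (Collection) null, 5);
        return new PKIXX509CredentialTrustEngine(
                new StaticPKIXValidationInformationResolver(
                        Collections.singletonList(validationInfo),
                        trustedName != null ? Collections.singleton(trustedName) : Collections.emptySet()),
                new CertPathPKIXTrustEvaluator(),
                evaluateNames ? new BasicX509CredentialNameEvaluator() : null);
    }

    /**
     * Builds an explicit-key trust engine that trusts exactly the given certificate.
     *
     * @param certResource certificate file name under {@link #DATA_PATH}
     * @return the trust engine
     * @throws URISyntaxException declared for caller compatibility; not thrown here
     * @throws CertificateException if the certificate cannot be decoded
     * @throws IOException if the resource cannot be read
     */
    public static TrustEngine<? super X509Credential> buildExplicitKeyTrustEngine(final String certResource)
            throws URISyntaxException, CertificateException, IOException {
        final BasicX509Credential credential =
                new BasicX509Credential(X509Support.decodeCertificate(readTestResource(certResource)));
        return new ExplicitKeyTrustEngine(new StaticCredentialResolver(credential));
    }

    /**
     * Builds a TLS socket factory with trust-engine support enabled.
     *
     * @return the socket factory
     */
    public static LayeredConnectionSocketFactory buildSocketFactory() {
        return buildSocketFactory(true);
    }

    /**
     * Builds a TLS socket factory via {@link SecurityEnhancedHttpClientSupport}.
     *
     * @param supportTrustEngine first argument passed through to
     *            {@code buildTLSSocketFactory}; the second (client TLS) is always false here
     * @return the socket factory
     */
    public static LayeredConnectionSocketFactory buildSocketFactory(final boolean supportTrustEngine) {
        return SecurityEnhancedHttpClientSupport.buildTLSSocketFactory(supportTrustEngine, false);
    }
}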
