package net.shibboleth.idp.authn.duo.impl;

import com.duosecurity.duoweb.Base64;
import com.duosecurity.duoweb.DuoWeb;
import com.duosecurity.duoweb.DuoWebException;
import com.duosecurity.duoweb.Util;
import com.google.common.escape.Escaper;
import com.google.common.net.UrlEscapers;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import javax.annotation.Nonnull;
import net.shibboleth.idp.authn.duo.DuoIntegration;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.apache.http.NameValuePair;
import org.apache.http.client.methods.RequestBuilder;
import org.springframework.beans.factory.BeanFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.3.2.jar:net/shibboleth/idp/authn/duo/impl/DuoSupport.class */
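/**
 * Static helpers for the Duo integration: signing and verifying Duo Web tokens, and signing
 * outgoing HTTP requests with an HMAC-based {@code Authorization} header.
 *
 * <p>Everything that feeds the request signature (date text, method and host casing, byte
 * encoding) is produced independently of the JVM's default locale and charset, so the signed
 * string does not vary with the host configuration.</p>
 */
public final class DuoSupport {
    /**
     * Date layout used for the {@code Date} header and the signed canonical request.
     *
     * <p>Pinned to {@link Locale#US}: without an explicit locale the day and month names follow
     * the JVM default locale, which yields a non-RFC-2822 date on non-English hosts.</p>
     */
    public static final DateTimeFormatter RFC_2822_DATE_FORMAT =
            DateTimeFormatter.ofPattern("EEE', 'dd' 'MMM' 'yyyy' 'HH:mm:ss' 'Z", Locale.US);

    /** Separator placed between {@code name=value} pairs of the canonical query string. */
    private static final String QUERY_PAIR_SEPARATOR = "&";

    private DuoSupport() {
    }

    /**
     * Produces a signed Duo Web request token for a user.
     *
     * @param duoIntegration source of the integration key, secret key and application key
     * @param str the username to sign the request for
     * @return the signed request token
     * @throws DuoWebException if the username or application key is {@code null}, or if
     *         {@link DuoWeb#signRequest} reports an error (a result starting with {@code "ERR|"})
     */
    @NotEmpty
    @Nonnull
    public static String generateSignedRequestToken(@Nonnull DuoIntegration duoIntegration, @NotEmpty @Nonnull String str) throws DuoWebException {
        final String token;
        if (str == null) {
            token = DuoWeb.ERR_USER;
        } else if (duoIntegration.getApplicationKey() == null) {
            token = DuoWeb.ERR_AKEY;
        } else {
            token = DuoWeb.signRequest(
                    duoIntegration.getIntegrationKey(),
                    duoIntegration.getSecretKey(),
                    duoIntegration.getApplicationKey(),
                    str);
        }
        // Errors come back in-band as "ERR|..." strings; never hand one out as if it were a token.
        if (token.startsWith("ERR|")) {
            throw new DuoWebException(token);
        }
        return token;
    }

    /**
     * Verifies a signed Duo Web response token.
     *
     * <p>NOTE(review): the return value is whatever {@link DuoWeb#verifyResponse} yields,
     * presumably the username Duo authenticated. Callers should compare it with the user who
     * started the flow rather than treat any successful return as proof for that user.</p>
     *
     * @param duoIntegration source of the integration key, secret key and application key
     * @param str the signed response received from the client
     * @return the result of {@link DuoWeb#verifyResponse}
     * @throws DuoWebException if the application key is missing or the response is malformed
     * @throws InvalidKeyException declared by the underlying verification call
     * @throws IOException declared by the underlying verification call
     * @throws NoSuchAlgorithmException declared by the underlying verification call
     */
    @NotEmpty
    @Nonnull
    public static String validateSignedResponseToken(@Nonnull DuoIntegration duoIntegration, @NotEmpty @Nonnull String str) throws DuoWebException, InvalidKeyException, IOException, NoSuchAlgorithmException {
        try {
            if (duoIntegration.getApplicationKey() == null) {
                throw new DuoWebException(DuoWeb.ERR_AKEY);
            }
            return DuoWeb.verifyResponse(
                    duoIntegration.getIntegrationKey(),
                    duoIntegration.getSecretKey(),
                    duoIntegration.getApplicationKey(),
                    str);
        } catch (ArrayIndexOutOfBoundsException e) {
            // A malformed response must surface as a validation failure, not as an
            // unchecked exception escaping the authentication flow.
            throw new DuoWebException(e.getMessage());
        }
    }

    /**
     * Adds {@code Authorization} and {@code Date} headers to a request, signed with the
     * integration's secret key.
     *
     * <p>The header value is {@code "Basic "} followed by the Base64 encoding of
     * {@code integrationKey:hmac}, where the HMAC covers the canonical form of the request
     * (see {@code canonRequest}). Parameters must be final before this is called, because any
     * later change is not covered by the signature.</p>
     *
     * @param requestBuilder the request to sign; receives the two headers
     * @param duoIntegration source of the integration key and secret key
     * @throws InvalidKeyException declared by the HMAC computation
     * @throws NoSuchAlgorithmException declared by the HMAC computation
     * @throws UnsupportedEncodingException declared by the canonicalisation helpers
     */
    // The return-value annotations below have no effect on a void method; they are kept only
    // so the declaration stays as it was.
    @NotEmpty
    @Nonnull
    public static void signRequest(@Nonnull RequestBuilder requestBuilder, @Nonnull DuoIntegration duoIntegration) throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException {
        final String integrationKey = duoIntegration.getIntegrationKey();
        final String secretKey = duoIntegration.getSecretKey();
        // Formatted once so the signed date and the Date header are guaranteed to be identical.
        final String date = RFC_2822_DATE_FORMAT.format(ZonedDateTime.now());
        final String signature = Util.hmacSign(secretKey, canonRequest(requestBuilder, date, 2));
        // Explicit charset: the no-arg getBytes() would depend on the platform default encoding.
        final byte[] credentials = (integrationKey + ":" + signature).getBytes(StandardCharsets.UTF_8);
        requestBuilder.addHeader("Authorization", "Basic " + Base64.encodeBytes(credentials));
        requestBuilder.addHeader("Date", date);
    }

    /**
     * Builds the newline-separated canonical string that gets signed: optional date line,
     * upper-cased method, lower-cased host, path, and the canonical query string.
     *
     * @param requestBuilder the request being signed
     * @param str the formatted date, included only for signature version 2
     * @param i the signature version; the date line is emitted only when this is {@code 2}
     * @return the canonical request text
     * @throws UnsupportedEncodingException declared by the query-string helper
     */
    private static String canonRequest(@Nonnull RequestBuilder requestBuilder, @Nonnull String str, int i) throws UnsupportedEncodingException {
        final URI uri = requestBuilder.getUri();
        final StringBuilder canon = new StringBuilder();
        if (i == 2) {
            canon.append(str).append("\n");
        }
        // Locale.ROOT keeps case mapping stable; under e.g. a Turkish default locale an
        // upper-case 'I' in the host would lower-case to a dotless i and break the signature.
        canon.append(requestBuilder.getMethod().toUpperCase(Locale.ROOT)).append("\n");
        canon.append(uri.getHost().toLowerCase(Locale.ROOT)).append("\n");
        canon.append(uri.getPath()).append("\n");
        canon.append(createQueryString(requestBuilder.getParameters()));
        return canon.toString();
    }

    /**
     * Serialises request parameters as {@code name=value} pairs ordered by name and joined
     * with {@code &}, each side percent-encoded by {@code escapeComponent}.
     *
     * @param list the request parameters; a copy is sorted, so the argument is left untouched
     * @return the canonical query string
     * @throws UnsupportedEncodingException kept for signature compatibility
     */
    private static String createQueryString(@Nonnull List<NameValuePair> list) throws UnsupportedEncodingException {
        final List<NameValuePair> ordered = new ArrayList<>(list);
        ordered.sort(Comparator.comparing(NameValuePair::getName));

        final Escaper escaper = UrlEscapers.urlFormParameterEscaper();
        final List<String> pairs = new ArrayList<>(ordered.size());
        for (NameValuePair parameter : ordered) {
            pairs.add(escapeComponent(escaper, parameter.getName())
                    + "=" + escapeComponent(escaper, parameter.getValue()));
        }
        return StringSupport.listToStringValue(pairs, QUERY_PAIR_SEPARATOR);
    }

    /**
     * Form-escapes one component, then rewrites {@code +} to {@code %20}, {@code *} to
     * {@code %2A} and {@code %7E} back to {@code ~}.
     */
    private static String escapeComponent(@Nonnull Escaper escaper, String component) {
        return escaper.escape(component).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
}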
