package net.shibboleth.idp.cas.proxy.impl;

import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.util.Collections;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.login.CredentialException;
import javax.security.auth.login.FailedLoginException;
import net.shibboleth.idp.cas.config.AbstractProtocolConfiguration;
import net.shibboleth.idp.cas.protocol.ProtocolContext;
import net.shibboleth.idp.cas.proxy.ProxyValidator;
import net.shibboleth.idp.cas.service.Service;
import net.shibboleth.idp.cas.service.ServiceContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.criterion.EntityRoleCriterion;
import org.opensaml.saml.criterion.ProtocolCriterion;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.httpclient.HttpClientSecurityConstants;
import org.opensaml.security.httpclient.HttpClientSecurityParameters;
import org.opensaml.security.httpclient.HttpClientSecuritySupport;
import org.opensaml.security.x509.TrustedNamesCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-cas-impl-4.3.3.jar:net/shibboleth/idp/cas/proxy/impl/HttpClientProxyValidator.class */
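/**
 * {@link ProxyValidator} that validates a CAS proxy callback URI by issuing an HTTPS GET to it through an
 * Apache {@link HttpClient} configured from {@link HttpClientSecurityParameters}.
 *
 * <p>{@link #validate(ProfileRequestContext, URI)} succeeds only when all of the following hold:</p>
 * <ul>
 *   <li>the callback URI uses the {@code https} scheme and carries a host component;</li>
 *   <li>a {@link ServiceContext} is present beneath the {@link ProtocolContext} of the profile request;</li>
 *   <li>{@link HttpClientSecuritySupport#checkTLSCredentialEvaluated} confirms that the TLS server credential
 *       was actually evaluated for the connection (fail-closed);</li>
 *   <li>the endpoint answers with one of the {@linkplain #setAllowedResponseCodes(Set) allowed status codes}
 *       (default: {@code 200}).</li>
 * </ul>
 *
 * <p>Before connecting, a {@link CriteriaSet} naming the service's entity ID, the SP role, the CAS protocol URI,
 * {@link UsageType#SIGNING} usage and the callback host (as trusted name) is placed on the client context so the
 * configured TLS trust engine can resolve trust for this particular service. How that engine resolves the
 * criteria is outside this class.</p>
 *
 * <p>Not synchronized: configure {@link #setAllowedResponseCodes(Set)} before the instance is shared.</p>
 */
public class HttpClientProxyValidator implements ProxyValidator {

    /** Only scheme accepted for a proxy callback URI. */
    @NotEmpty
    @Nonnull
    protected static final String HTTPS_SCHEME = "https";

    /** Client used to call the proxy callback endpoint. */
    @Nonnull
    private final HttpClient httpClient;

    /** TLS/trust settings marshalled into every request context. */
    @Nonnull
    private final HttpClientSecurityParameters securityParameters;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(HttpClientProxyValidator.class);

    /** Looks up ProfileRequestContext -> ProtocolContext -> ServiceContext. */
    @Nonnull
    private final Function<ProfileRequestContext, ServiceContext> serviceCtxLookupFunction =
            new ChildContextLookup<ProtocolContext, ServiceContext>(ServiceContext.class)
                    .compose(new ChildContextLookup<ProfileRequestContext, ProtocolContext>(ProtocolContext.class));

    /** HTTP status codes that count as a successful callback; unmodifiable once set. */
    @NotEmpty
    @NonnullElements
    private Set<Integer> allowedResponseCodes = Collections.singleton(200);

    /**
     * Constructor.
     *
     * @param httpClient client used to contact the callback endpoint
     * @param httpClientSecurityParameters TLS/trust parameters applied to every request
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if either argument is null
     */
    public HttpClientProxyValidator(@Nonnull final HttpClient httpClient,
            @Nonnull final HttpClientSecurityParameters httpClientSecurityParameters) {
        this.httpClient = Constraint.isNotNull(httpClient, "HTTP client cannot be null");
        this.securityParameters = Constraint.isNotNull(httpClientSecurityParameters,
                "HTTP client security parameters cannot be null");
    }

    /**
     * Sets the HTTP status codes accepted from the callback endpoint.
     *
     * @param set non-empty set of status codes without null elements; copied, so later changes to the
     *            caller's set have no effect
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the set is null, empty
     *         or contains null
     */
    public void setAllowedResponseCodes(@NotEmpty @NonnullElements final Set<Integer> set) {
        Constraint.isNotEmpty(set, "Response codes cannot be null or empty.");
        Constraint.noNullItems(set.toArray(), "Response codes cannot contain null elements.");
        // Set.copyOf yields an unmodifiable snapshot; null elements were already rejected above with a
        // clearer message than the NullPointerException Set.copyOf would raise.
        this.allowedResponseCodes = Set.copyOf(set);
    }

    /**
     * Validates the proxy callback URI by calling it over HTTPS.
     *
     * @param profileRequestContext profile request context holding the {@link ServiceContext}
     * @param uri proxy callback URI to validate
     * @throws GeneralSecurityException if the URI is not https, has no host, the TLS handshake or trust check
     *         fails ({@link CredentialException}/{@link CertificateException}), an I/O or protocol error occurs,
     *         or the endpoint returns a status code outside {@link #setAllowedResponseCodes(Set)}
     *         ({@link FailedLoginException})
     * @throws IllegalStateException if no {@link ServiceContext} can be found in the profile request context
     */
    @Override // net.shibboleth.idp.cas.proxy.ProxyValidator
    public void validate(@Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final URI uri)
            throws GeneralSecurityException {
        Constraint.isNotNull(uri, "Proxy callback URI cannot be null");
        // equalsIgnoreCase(null) is false, so a relative/scheme-less URI is rejected here too.
        if (!HTTPS_SCHEME.equalsIgnoreCase(uri.getScheme())) {
            throw new GeneralSecurityException(uri + " is not an https URI as required.");
        }
        // The host doubles as the trusted name handed to the TLS trust engine; fail closed rather than build
        // that criterion from null.
        if (uri.getHost() == null) {
            throw new GeneralSecurityException(uri + " has no host component as required.");
        }
        final ServiceContext serviceContext = serviceCtxLookupFunction.apply(profileRequestContext);
        if (serviceContext == null) {
            throw new IllegalStateException("Service context not found in profile request context as required");
        }
        final int status = connect(uri, serviceContext.getService());
        if (!allowedResponseCodes.contains(status)) {
            throw new FailedLoginException(uri + " returned unacceptable HTTP status code: " + status);
        }
        log.debug("CAS proxy callback URI {} returned acceptable HTTP status code {}", uri, status);
    }

    /**
     * Issues a GET to the callback URI with the service-specific trust criteria and returns the HTTP status.
     *
     * <p>Catch clauses are ordered most-specific first: {@link SSLPeerUnverifiedException} extends
     * {@link SSLException}, and both it and {@link ClientProtocolException} extend {@link IOException}, so any
     * other order would silently route SSL and protocol failures into the generic "IO error" branch.</p>
     *
     * @param uri callback URI (already checked to be https with a host)
     * @param service service whose metadata identifies the expected TLS peer
     * @return HTTP status code returned by the endpoint
     * @throws CredentialException if the peer certificate was not trusted or the TLS credential was never
     *         evaluated
     * @throws CertificateException if the SSL failure was caused by a certificate problem
     * @throws GeneralSecurityException for any other SSL, protocol or I/O failure
     */
    protected int connect(@Nonnull final URI uri, @Nonnull final Service service) throws GeneralSecurityException {
        final HttpClientContext clientContext = HttpClientContext.create();
        HttpClientSecuritySupport.marshalSecurityParameters(clientContext, securityParameters, true);
        setCASTLSTrustEngineCriteria(clientContext, uri, service);
        HttpResponse response = null;
        try {
            log.debug("Attempting to validate CAS proxy callback URI {}", uri);
            final HttpGet request = new HttpGet(uri);
            response = httpClient.execute(request, clientContext);
            // Fail closed: raises SSLPeerUnverifiedException if the trust engine never evaluated the
            // server credential for this https exchange.
            HttpClientSecuritySupport.checkTLSCredentialEvaluated(clientContext, request.getURI().getScheme());
            return response.getStatusLine().getStatusCode();
        } catch (final SSLPeerUnverifiedException e) {
            // CredentialException has no (String, Throwable) constructor; keep the cause via initCause.
            final CredentialException ce =
                    new CredentialException("Untrusted certificate presented by CAS proxy callback endpoint");
            ce.initCause(e);
            throw ce;
        } catch (final SSLException e) {
            if (e.getCause() instanceof CertificateException) {
                throw (CertificateException) e.getCause();
            }
            throw new GeneralSecurityException("SSL connection error", e);
        } catch (final ClientProtocolException e) {
            throw new GeneralSecurityException("HTTP protocol error", e);
        } catch (final IOException e) {
            throw new GeneralSecurityException("IO error", e);
        } finally {
            closeResponse(response);
        }
    }

    /**
     * Closes the response if the client handed back a {@link CloseableHttpResponse}; close failures are only
     * logged because the status code has already been captured.
     *
     * @param response response to close, may be null
     */
    private void closeResponse(final HttpResponse response) {
        // instanceof is false for null, so no separate null check is needed.
        if (response instanceof CloseableHttpResponse) {
            try {
                ((CloseableHttpResponse) response).close();
            } catch (final IOException e) {
                log.debug("Error closing HttpResponse", e);
            }
        }
    }

    /**
     * Attaches the criteria the TLS trust engine uses to resolve trust for the callback endpoint.
     *
     * @param httpClientContext request context to decorate
     * @param uri callback URI whose host becomes the trusted name
     * @param service service whose entity ID (falling back to its name when no entity descriptor is set)
     *                identifies the peer
     */
    private static void setCASTLSTrustEngineCriteria(final HttpClientContext httpClientContext, final URI uri,
            final Service service) {
        final String entityId = service.getEntityDescriptor() != null
                ? service.getEntityDescriptor().getEntityID()
                : service.getName();
        httpClientContext.setAttribute(HttpClientSecurityConstants.CONTEXT_KEY_CRITERIA_SET,
                new CriteriaSet(
                        new EntityIdCriterion(entityId),
                        new EntityRoleCriterion(SPSSODescriptor.DEFAULT_ELEMENT_NAME),
                        new ProtocolCriterion(AbstractProtocolConfiguration.PROTOCOL_URI),
                        new UsageCriterion(UsageType.SIGNING),
                        new TrustedNamesCriterion(Collections.singleton(uri.getHost()))));
    }
}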
