package uk.ac.diamond.shibbolethecpauthclient;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.ProxySelector;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import javax.security.sasl.AuthenticationException;
import org.apache.http.Header;
import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpRequestWrapper;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.cookie.Cookie;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.BasicCookieStore;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.impl.conn.SystemDefaultRoutePlanner;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;
import org.apache.log4j.Logger;
import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Response;
import org.opensaml.saml2.core.StatusCode;
import org.opensaml.ws.soap.client.SOAPClientException;
import org.opensaml.ws.soap.soap11.Body;
import org.opensaml.ws.soap.soap11.Envelope;
import org.opensaml.ws.soap.soap11.impl.EnvelopeBuilder;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.util.Base64;

/* loaded from: input_file:uk/ac/diamond/shibbolethecpauthclient/ShibbolethECPAuthClient.class */
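/**
 * Performs a SAML 2.0 ECP (Enhanced Client or Proxy) login against a Shibboleth
 * Service Provider / Identity Provider pair using HTTP Basic credentials.
 *
 * <p>The flow has two legs: a GET to the SP, advertising PAOS support through the
 * headers added by {@link HttpRequestPreprocessor}, which yields a SOAP envelope
 * carrying the AuthnRequest; then a POST of that envelope to the IdP with an
 * {@code Authorization: Basic} header. The IdP's SAML {@code Response} is returned
 * to the caller. The assertion consumer service URL found in the ECP SOAP header
 * is only logged; this class does not deliver the response to the SP.
 *
 * <p>An instance is single-use: {@link #authenticate(String, String)} closes the
 * underlying HTTP client whether it succeeds or fails, so a second call cannot work.
 */
public class ShibbolethECPAuthClient {
    private static final String MIME_TYPE_PAOS = "application/vnd.paos+xml";
    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String HEADER_CONTENT_TYPE = "Content-Type";
    private static final String HEADER_ACCEPT = "Accept";
    private static final String HEADER_PAOS = "PAOS";
    /** Value of the PAOS header that tells the SP this client speaks the ECP profile. */
    private static final String PAOS_HEADER_VALUE = "ver=\"urn:liberty:paos:2003-08\";\"urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp\"";
    /** Nested SAML status code the IdP reports when the supplied credentials are rejected. */
    private static final String STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed";
    /** Charset for the Basic-auth credential bytes and for re-encoding response bodies before XML parsing
     *  (the platform default charset is not used anywhere in this class). */
    private static final Charset UTF_8 = Charset.forName("UTF-8");
    private static final int MAX_TOTAL_CONNECTIONS = 10;
    private static final int MAX_CONNECTIONS_PER_ROUTE = 5;
    private static final int HTTP_OK = 200;
    private final CloseableHttpClient client;
    private final BasicCookieStore cookieStore;
    private final String IdP;
    private final String SP;
    private final BasicParserPool parserPool;
    private final HttpHost proxyHost;
    private static final Logger log = Logger.getLogger(ShibbolethECPAuthClient.class);
    /** Request parameter set on the IdP POST so that the interceptor does not send a HEAD "knock" first. */
    private static final String AUTH_IN_PROGRESS = ShibbolethECPAuthClient.class.getName() + ".AUTH_IN_PROGRESS";
    /** Methods HttpClient follows redirects for transparently; any other method is preceded by a HEAD "knock". */
    private static final List<String> REDIRECTABLE = Arrays.asList("HEAD", "GET");

    /* loaded from: input_file:uk/ac/diamond/shibbolethecpauthclient/ShibbolethECPAuthClient$HttpRequestPreprocessor.class */
    /**
     * Adds the Accept/PAOS headers to every outgoing request and, for a request whose
     * method HttpClient cannot redirect (anything other than HEAD/GET) that is not the
     * IdP leg, first issues a HEAD to the same URI so redirects and cookies are settled
     * before the real request goes out.
     */
    private final class HttpRequestPreprocessor implements HttpRequestInterceptor {
        private HttpRequestPreprocessor() {
        }

        @Override // org.apache.http.HttpRequestInterceptor
        public void process(HttpRequest httpRequest, HttpContext httpContext) throws HttpException, IOException {
            httpRequest.addHeader(HEADER_ACCEPT, MIME_TYPE_PAOS);
            httpRequest.addHeader(HEADER_PAOS, PAOS_HEADER_VALUE);
            // HttpClient hands the interceptor a wrapper; the AUTH_IN_PROGRESS parameter lives on the original.
            HttpRequest original = httpRequest instanceof HttpRequestWrapper
                    ? ((HttpRequestWrapper) httpRequest).getOriginal()
                    : httpRequest;
            String method = original.getRequestLine().getMethod();
            // Nothing to do for redirectable methods, or for the IdP POST (AUTH_IN_PROGRESS set to true).
            if (REDIRECTABLE.contains(method) || !original.getParams().isParameterFalse(AUTH_IN_PROGRESS)) {
                return;
            }
            String uri = original.getRequestLine().getUri();
            log.trace("Unredirectable request [" + method + "], trying to knock first at " + uri);
            // The knock response must be closed, otherwise its pooled connection is never
            // released and the small per-route pool is exhausted after a few requests.
            CloseableHttpResponse knock = client.execute(new HttpHead(uri));
            try {
                EntityUtils.consume(knock.getEntity());
            } finally {
                knock.close();
            }
            if (log.isTraceEnabled()) {
                // Cookie.toString() includes the cookie value (session identifiers); only emitted at TRACE.
                for (Cookie cookie : cookieStore.getCookies()) {
                    log.trace(cookie.toString());
                }
            }
            log.trace("Knocked");
        }
    }

    /**
     * Creates a client for the given SP and IdP.
     *
     * @param httpHost explicit HTTP proxy, or {@code null} to route via the JVM's default {@link ProxySelector}
     * @param str      IdP ECP endpoint URL
     * @param str2     SP URL to log in to
     * @param z        when {@code true}, self-signed server certificates are accepted for HTTPS
     *                 (hostname verification is left at HttpClient's default); use {@code false}
     *                 for endpoints with CA-issued certificates
     * @throws ConfigurationException if OpenSAML bootstrapping fails
     * @throws IllegalStateException  if the relaxed SSL context cannot be built
     */
    public ShibbolethECPAuthClient(HttpHost httpHost, String str, String str2, boolean z) throws ConfigurationException, IllegalStateException {
        this.IdP = str;
        this.SP = str2;
        this.proxyHost = httpHost;
        PoolingHttpClientConnectionManager connectionManager = z
                ? selfSignedTolerantConnectionManager()
                : new PoolingHttpClientConnectionManager();
        connectionManager.setMaxTotal(MAX_TOTAL_CONNECTIONS);
        connectionManager.setDefaultMaxPerRoute(MAX_CONNECTIONS_PER_ROUTE);
        this.cookieStore = new BasicCookieStore();
        // Lenient cookie handling: the SP/IdP session cookies are not assumed to be RFC-strict.
        RequestConfig requestConfig = RequestConfig.custom().setCookieSpec("compatibility").build();
        if (this.proxyHost == null) {
            this.client = HttpClients.custom()
                    .setConnectionManager(connectionManager)
                    .setRoutePlanner(new SystemDefaultRoutePlanner(ProxySelector.getDefault()))
                    .setDefaultRequestConfig(requestConfig)
                    .setDefaultCookieStore(this.cookieStore)
                    .addInterceptorFirst(new HttpRequestPreprocessor())
                    .build();
        } else {
            this.client = HttpClients.custom()
                    .setConnectionManager(connectionManager)
                    .setProxy(this.proxyHost)
                    .setDefaultRequestConfig(requestConfig)
                    .setDefaultCookieStore(this.cookieStore)
                    .addInterceptorFirst(new HttpRequestPreprocessor())
                    .build();
        }
        DefaultBootstrap.bootstrap();
        BasicParserPool pool = new BasicParserPool();
        pool.setNamespaceAware(true);
        // NOTE(review): whether this pool resolves external entities / DTDs when parsing the SP and
        // IdP responses depends on the OpenSAML version in use; confirm it is disabled for the deployed one.
        this.parserPool = pool;
    }

    /**
     * Creates a client that routes via the JVM's default {@link ProxySelector}.
     *
     * @param str  IdP ECP endpoint URL
     * @param str2 SP URL to log in to
     * @param z    whether to accept self-signed server certificates; previously this argument was
     *             ignored and self-signed certificates were always trusted
     * @throws ConfigurationException if OpenSAML bootstrapping fails
     * @throws IllegalStateException  if the relaxed SSL context cannot be built
     */
    public ShibbolethECPAuthClient(String str, String str2, boolean z) throws ConfigurationException, IllegalStateException {
        this(null, str, str2, z);
    }

    /**
     * Builds a pooling connection manager whose HTTPS sockets also accept self-signed server certificates.
     *
     * @throws IllegalStateException wrapping the {@link GeneralSecurityException} if the SSL context cannot be built
     */
    // Decompiled source lost the registry's type argument; the typed form is
    // RegistryBuilder.<ConnectionSocketFactory>create(). Kept raw to avoid a new import.
    @SuppressWarnings({"rawtypes", "unchecked"})
    private static PoolingHttpClientConnectionManager selfSignedTolerantConnectionManager() {
        try {
            SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
            // A null store lets HttpClient fall back to its default trust material, extended by the strategy.
            sslContextBuilder.loadTrustMaterial((KeyStore) null, new TrustSelfSignedStrategy());
            return new PoolingHttpClientConnectionManager(RegistryBuilder.create()
                    .register("http", new PlainConnectionSocketFactory())
                    .register("https", new SSLConnectionSocketFactory(sslContextBuilder.build()))
                    .build());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("Unable to build SSL context trusting self-signed certificates", e);
        }
    }

    /**
     * Logs in user {@code str} with password {@code str2} via ECP and returns the IdP's SAML response.
     *
     * <p>The HTTP client is closed when this method returns, normally or by exception, so the
     * instance cannot be reused afterwards.
     *
     * @param str  user name
     * @param str2 password, sent to the IdP as HTTP Basic credentials
     * @return the SAML {@code Response} issued by the IdP, or {@code null} when the IdP's SOAP body
     *         carries no {@code Response} element. Only an {@code AuthnFailed} status is turned into
     *         an exception here; callers must inspect the returned status for any other failure.
     * @throws SOAPClientException     if the SP does not answer with a PAOS envelope
     * @throws AuthenticationException if the IdP rejects the Basic credentials (non-200) or reports AuthnFailed
     * @throws IOException             on transport errors
     */
    public Response authenticate(String str, String str2) throws IOException, AuthenticationException, SOAPClientException {
        try {
            Envelope spEnvelope = fetchAuthnRequestFromSP();
            log.debug("Logging into IdP [" + this.IdP + "]");
            Envelope idpEnvelope = postAuthnRequestToIdP(spEnvelope, str, str2);
            // The ECP header names the SP endpoint the response is meant for; it is only logged here.
            log.debug("assertionConsumerServiceURL: " + assertionConsumerServiceUrl(idpEnvelope));
            List<XMLObject> responses = idpEnvelope.getBody().getUnknownXMLObjects(Response.DEFAULT_ELEMENT_NAME);
            if (responses.isEmpty()) {
                return null;
            }
            Response response = (Response) responses.get(0);
            StatusCode leaf = innermostStatusCode(response.getStatus().getStatusCode());
            if (STATUS_AUTHN_FAILED.equals(leaf.getValue())) {
                throw new AuthenticationException(leaf.getValue());
            }
            return response;
        } finally {
            this.client.close();
        }
    }

    /**
     * First ECP leg: GET the SP (the interceptor adds the PAOS headers) and unmarshal the SOAP
     * envelope carrying the AuthnRequest.
     *
     * @throws SOAPClientException if the SP's Content-Type is not {@value #MIME_TYPE_PAOS}
     */
    private Envelope fetchAuthnRequestFromSP() throws IOException, AuthenticationException, SOAPClientException {
        CloseableHttpResponse spResponse = this.client.execute(new HttpGet(this.SP));
        try {
            log.info("HttpResponse::Status: " + spResponse.getStatusLine());
            log.debug("HttpResponse::res: " + spResponse.toString());
            for (Header header : spResponse.getAllHeaders()) {
                log.debug(header.getName() + ": " + header.getValue());
            }
            String content = EntityUtils.toString(spResponse.getEntity());
            log.debug("HttpResponse::Content: " + content);
            if (!isPaos(spResponse)) {
                throw new SOAPClientException("Service Provider not configured to accept ECP messages");
            }
            return Utils.unmarshallMessage(this.parserPool, new ByteArrayInputStream(content.getBytes(UTF_8)));
        } finally {
            // Releases the pooled connection even when the SP reply is rejected.
            spResponse.close();
        }
    }

    /** True when the response declares the PAOS MIME type (charset and other parameters are ignored). */
    private static boolean isPaos(CloseableHttpResponse response) {
        Header contentType = response.getFirstHeader(HEADER_CONTENT_TYPE);
        return contentType != null
                && MIME_TYPE_PAOS.equals(ContentType.parse(contentType.getValue()).getMimeType());
    }

    /**
     * Second ECP leg: move the SP's SOAP body into a fresh envelope and POST it to the IdP with
     * HTTP Basic credentials, returning the IdP's unmarshalled SOAP envelope.
     *
     * @throws AuthenticationException if the IdP answers with any status other than 200
     */
    private Envelope postAuthnRequestToIdP(Envelope spEnvelope, String user, String password) throws IOException, AuthenticationException, SOAPClientException {
        Envelope envelope = new EnvelopeBuilder().buildObject();
        Body body = spEnvelope.getBody();
        // Detach from the SP envelope before attaching the body to the new one.
        body.detach();
        envelope.setBody(body);
        HttpPost post = new HttpPost(this.IdP);
        // Marks this as the IdP leg so the interceptor does not send a HEAD "knock" first.
        post.getParams().setBooleanParameter(AUTH_IN_PROGRESS, true);
        post.addHeader(HEADER_AUTHORIZATION, "Basic " + Base64.encodeBytes((user + ":" + password).getBytes(UTF_8)));
        // Explicit charset: StringEntity(String) alone would default to ISO-8859-1.
        post.setEntity(new StringEntity(Utils.xmlToString((XMLObject) envelope), UTF_8));
        CloseableHttpResponse idpResponse = this.client.execute(post);
        try {
            log.debug("Status: " + idpResponse.getStatusLine());
            if (idpResponse.getStatusLine().getStatusCode() != HTTP_OK) {
                throw new AuthenticationException(idpResponse.getStatusLine().toString());
            }
            String content = EntityUtils.toString(idpResponse.getEntity());
            // This body carries the SAML assertion; it is written to the log in full at DEBUG.
            log.debug("HttpResponse::Content: " + content);
            return Utils.unmarshallMessage(this.parserPool, new ByteArrayInputStream(content.getBytes(UTF_8)));
        } finally {
            idpResponse.close();
        }
    }

    /**
     * Reads the assertion consumer service URL from the ECP {@code Response} SOAP header block,
     * or returns {@code "<absent>"} when the envelope carries no such header.
     */
    private static String assertionConsumerServiceUrl(Envelope envelope) {
        if (envelope.getHeader() == null) {
            return "<absent>";
        }
        List<XMLObject> ecpHeaders = envelope.getHeader().getUnknownXMLObjects(org.opensaml.saml2.ecp.Response.DEFAULT_ELEMENT_NAME);
        if (ecpHeaders.isEmpty()) {
            return "<absent>";
        }
        return ((org.opensaml.saml2.ecp.Response) ecpHeaders.get(0)).getAssertionConsumerServiceURL();
    }

    /** Follows nested {@code StatusCode} elements down to the innermost (most specific) one. */
    private static StatusCode innermostStatusCode(StatusCode top) {
        StatusCode current = top;
        while (current.getStatusCode() != null) {
            current = current.getStatusCode();
        }
        return current;
    }
}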
