package net.shibboleth.idp.cas.proxy.impl;

import com.beust.jcommander.internal.Nullable;
import java.io.Closeable;
import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.annotation.Nonnull;
import javax.net.ssl.SSLException;
import net.shibboleth.utilities.java.support.annotation.constraint.Positive;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.opensaml.security.SecurityException;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/cas/proxy/impl/HttpClientProxyAuthenticator.class */
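/**
 * Proxy-callback authenticator that performs the CAS proxy callback as one HTTPS GET using
 * Apache HttpClient and reports the status code the callback endpoint answers with.
 *
 * <p>Security properties visible in this class:</p>
 * <ul>
 *   <li>Only the {@code https} scheme is registered on the connection manager, so a plain-http
 *       callback URI cannot be connected to at all and surfaces as the {@code "IO error"} wrapper.</li>
 *   <li>The server certificate decision is delegated to the supplied OpenSAML {@link TrustEngine}
 *       via {@link TrustEngineTrustStrategy}; host names are checked with HttpClient's strict
 *       hostname verifier.</li>
 *   <li>Connect and socket timeouts (default {@value #DEFAULT_TIMEOUT} ms, see
 *       {@link #setTimeout(int)}) bound how long a slow or black-holed callback endpoint can hold
 *       the login request.</li>
 * </ul>
 *
 * <p>This listing was recovered by a decompiler. Compared with that output, the exception handlers
 * in {@link #authenticateProxyCallback} are ordered most-specific-first (the decompiled nesting put
 * {@code catch (IOException)} innermost, which would have made the {@link SSLException} unwrapping
 * unreachable), and the generic type witness on {@code RegistryBuilder.create()} that the decompiler
 * dropped is restored.</p>
 */
public class HttpClientProxyAuthenticator extends AbstractProxyAuthenticator {

    /** Default connect/socket timeout in milliseconds. */
    private static final int DEFAULT_TIMEOUT = 800;

    private static final Logger log = LoggerFactory.getLogger(HttpClientProxyAuthenticator.class);

    /** Connect and socket timeout, in milliseconds, for the callback request. */
    @Positive
    private int timeout = DEFAULT_TIMEOUT;

    /**
     * HttpClient {@link TrustStrategy} that defers the server-certificate decision to an OpenSAML
     * trust engine.
     *
     * <p>The presented leaf certificate becomes the credential's entity certificate and the whole
     * presented chain is attached as its certificate chain, so a path-building (PKIX-style) engine can
     * use any intermediates the peer sent rather than seeing the leaf alone. An empty
     * {@link CriteriaSet} is passed because nothing beyond the chain itself is known here.</p>
     *
     * <p>Returning {@code false} (no engine configured, empty chain, or the engine rejecting the
     * credential) is not by itself a rejection of the handshake: with
     * {@code loadTrustMaterial((KeyStore) null, strategy)} HttpClient is understood to fall back to the
     * JVM default trust manager when the strategy says {@code false}. NOTE(review): confirm that
     * fallback is the intended policy for the HttpClient version in use; if the engine is meant to be
     * the sole authority, a rejection must be signalled by throwing, not by returning {@code false}.
     * An OpenSAML {@link SecurityException} raised by the engine is converted to a
     * {@link CertificateException}, which does abort the handshake.</p>
     *
     * <p>Declared {@code private}: the decompiler widened it to {@code public}, but nothing outside
     * this class needs it.</p>
     */
    private static class TrustEngineTrustStrategy implements TrustStrategy {

        private static final Logger log = LoggerFactory.getLogger(TrustEngineTrustStrategy.class);

        /** Engine consulted for every presented chain; {@code null} makes every chain untrusted here. */
        @Nullable
        private final TrustEngine<? super X509Credential> trustEngine;

        /**
         * @param engine trust engine to consult, or {@code null} to trust nothing from this strategy
         */
        TrustEngineTrustStrategy(@Nullable final TrustEngine<? super X509Credential> engine) {
            trustEngine = engine;
        }

        /**
         * Validates the presented chain with the trust engine.
         *
         * @param chain certificate chain presented by the peer, leaf first; may be {@code null} or empty
         * @param authType key-exchange algorithm name supplied by JSSE (unused)
         * @return {@code true} only when an engine is configured, a chain is present and the engine
         *         accepts the leaf credential
         * @throws CertificateException wrapping an OpenSAML {@link SecurityException} from the engine
         */
        @Override
        public boolean isTrusted(@Nullable final X509Certificate[] chain, final String authType)
                throws CertificateException {
            if (trustEngine == null || chain == null || chain.length < 1) {
                return false;
            }
            final X509Certificate leaf = chain[0];
            log.debug("Validating cert {} issued by {}",
                    leaf.getSubjectDN().getName(), leaf.getIssuerDN().getName());
            // The leaf stays the entity certificate; the rest of the chain is supplied so that an
            // engine doing path validation has the intermediates the peer actually sent.
            final BasicX509Credential credential = new BasicX509Credential(leaf);
            credential.setEntityCertificateChain(Arrays.asList(chain));
            try {
                return trustEngine.validate(credential, new CriteriaSet());
            } catch (final SecurityException e) {
                throw new CertificateException("X509 validation error", e);
            }
        }
    }

    /**
     * Sets the connect and socket timeout, in milliseconds, applied to the callback request.
     *
     * @param milliseconds timeout; must be greater than zero
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if not positive
     */
    public void setTimeout(@Positive final int milliseconds) {
        timeout = (int) Constraint.isGreaterThan(0L, milliseconds, "Timeout must be positive");
    }

    /**
     * Performs the proxy callback: a single HTTPS GET to {@code uri}, returning the HTTP status code
     * the endpoint answered with. Interpreting that status (the CAS requirement of a 200) is left to
     * the caller.
     *
     * @param uri callback URI; must use the {@code https} scheme, anything else cannot be connected
     * @param trustEngine engine that decides whether the endpoint's certificate is trusted; when
     *                    {@code null} the strategy answers {@code false} for every chain (see
     *                    {@link TrustEngineTrustStrategy} for what that means)
     * @return the HTTP status code returned by the callback endpoint
     * @throws CertificateException when the certificate decision failed with a
     *                              {@link CertificateException} (JSSE wraps it as the cause of the
     *                              {@link SSLException}); it is rethrown as-is so callers can tell a
     *                              trust failure from a generic connection error
     * @throws GeneralSecurityException for HTTP protocol errors, other TLS errors and any other I/O
     *                                  failure, each wrapping the original exception as its cause
     */
    @Override
    protected int authenticateProxyCallback(@Nonnull final URI uri,
            @Nullable final TrustEngine<? super X509Credential> trustEngine) throws GeneralSecurityException {
        CloseableHttpClient client = null;
        CloseableHttpResponse response = null;
        try {
            client = createHttpClient(trustEngine);
            log.debug("Attempting to connect to {}", uri);
            final HttpGet request = new HttpGet(uri);
            // Bound both the connect and the read phase; a callback endpoint that accepts the
            // connection and then stalls must not hold the login flow open indefinitely.
            request.setConfig(RequestConfig.custom()
                    .setConnectTimeout(timeout)
                    .setSocketTimeout(timeout)
                    .build());
            response = client.execute(request);
            return response.getStatusLine().getStatusCode();
        } catch (final ClientProtocolException e) {
            throw new GeneralSecurityException("HTTP protocol error", e);
        } catch (final SSLException e) {
            // Both ClientProtocolException and SSLException are IOException subtypes: they must be
            // caught before the generic IOException handler below or this unwrapping is dead code.
            if (e.getCause() instanceof CertificateException) {
                throw (CertificateException) e.getCause();
            }
            throw new GeneralSecurityException("SSL connection error", e);
        } catch (final IOException e) {
            throw new GeneralSecurityException("IO error", e);
        } finally {
            // Quiet close (log only) so a close failure never masks the status or the real error.
            close(response);
            close(client);
        }
    }

    /**
     * Builds a single-connection, HTTPS-only client whose TLS trust decision is delegated to
     * {@code trustEngine}.
     *
     * <p>Trust material is a {@code null} key store (JVM default trust store) combined with the
     * engine-backed {@link TrustEngineTrustStrategy}; host names are checked with
     * {@link SSLConnectionSocketFactory#STRICT_HOSTNAME_VERIFIER}. Only {@code https} is registered,
     * so plain-http callback URIs are refused when the connection is attempted.</p>
     *
     * @param trustEngine engine consulted for every server certificate chain; may be {@code null}
     * @return a client the caller must close
     * @throws RuntimeException wrapping the {@link GeneralSecurityException} if the JVM cannot set up
     *                          the TLS context (no TLS provider, trust-manager initialisation failure)
     */
    private CloseableHttpClient createHttpClient(
            @Nullable final TrustEngine<? super X509Credential> trustEngine) {
        try {
            final SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
                    SSLContexts.custom()
                            .useTLS()
                            .loadTrustMaterial((KeyStore) null, new TrustEngineTrustStrategy(trustEngine))
                            .build(),
                    SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER);
            // NOTE(review): redirect following and cookie handling are left at HttpClient's
            // defaults here, so an endpoint that answers with a redirect is followed and the final
            // status is what gets returned — confirm that is acceptable for a CAS proxy callback.
            return HttpClients.custom()
                    .setConnectionManager(new BasicHttpClientConnectionManager(
                            RegistryBuilder.<ConnectionSocketFactory>create()
                                    .register("https", sslSocketFactory)
                                    .build()))
                    .build();
        } catch (final GeneralSecurityException e) {
            // SSLContextBuilder only declares GeneralSecurityException subtypes; catching Exception,
            // as the decompiled code did, would also have swallowed programming errors.
            throw new RuntimeException("SSL initialization error", e);
        }
    }

    /**
     * Closes {@code closeable} if it is non-null, logging rather than propagating any
     * {@link IOException}, so cleanup in a {@code finally} block cannot hide the primary outcome.
     *
     * @param closeable resource to close; {@code null} is ignored
     */
    private void close(@Nullable final Closeable closeable) {
        if (closeable == null) {
            return;
        }
        try {
            closeable.close();
        } catch (final IOException e) {
            log.warn("Error closing " + closeable, e);
        }
    }
}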
