package net.shibboleth.idp.plugin.authn.duo.impl;

import com.google.common.escape.Escaper;
import com.google.common.net.UrlEscapers;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.ThreadSafe;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import net.shibboleth.idp.authn.duo.DuoIntegration;
import net.shibboleth.idp.plugin.authn.duo.DuoException;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.codec.Base64Support;
import net.shibboleth.shared.codec.EncodingException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.StringSupport;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.apache.hc.core5.http.NameValuePair;
import org.apache.hc.core5.http.io.support.ClassicRequestBuilder;

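/**
 * Static helpers for the Duo authentication plugin: HMAC request signing, and creation and
 * parsing of the {@code nonce.hex(key)} state value.
 *
 * <p>The class holds no mutable state; every method works only on its arguments.</p>
 *
 * <p>This listing is decompiler output. Parameter names such as {@code str} and {@code i} are
 * the decompiler's, and the methods marked "Access modifiers changed" were package-private in
 * the compiled class.</p>
 */
@ThreadSafe
/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/DuoSupport.class */
public final class DuoSupport {

    /**
     * RFC 2822 style date format used for the signed {@code Date} header.
     *
     * <p>The locale is pinned: without it the day and month names follow the JVM default locale,
     * and a non-English default would produce a header the remote side cannot parse.</p>
     */
    public static final DateTimeFormatter RFC_2822_DATE_FORMAT =
            DateTimeFormatter.ofPattern("EEE', 'dd' 'MMM' 'yyyy' 'HH:mm:ss' 'Z", Locale.US);

    /**
     * MAC algorithm used to sign requests. The digest is dictated by the signature scheme the
     * remote API expects, so it must not be swapped unilaterally.
     * NOTE(review): confirm against the current API documentation whether a stronger digest is accepted.
     */
    private static final String HMAC_ALGORITHM = "HmacSHA1";

    /** Utility class; not instantiable. */
    private DuoSupport() {
    }

    /**
     * Builds the canonical string that is signed for a request.
     *
     * <p>Layout, one item per line: the date (only when {@code i == 2}), the upper-cased method,
     * the lower-cased host, the path, then the sorted and encoded parameters.</p>
     *
     * @param classicRequestBuilder request whose method, URI and parameters are canonicalised
     * @param str the date string that will also be sent in the {@code Date} header
     * @param i signature version; only version 2 includes the date line
     * @return the canonical request string
     */
    private static String canonRequest(@Nonnull ClassicRequestBuilder classicRequestBuilder, @Nonnull String str, int i) {
        final URI uri = classicRequestBuilder.getUri();
        final StringBuilder canon = new StringBuilder();
        if (i == 2) {
            canon.append(str).append('\n');
        }
        // Case folding must not depend on the JVM default locale (e.g. Turkish dotless i),
        // otherwise the signed string differs from what the verifier reconstructs.
        canon.append(classicRequestBuilder.getMethod().toUpperCase(Locale.ROOT)).append('\n');
        canon.append(uri.getHost().toLowerCase(Locale.ROOT)).append('\n');
        canon.append(uri.getPath()).append('\n');
        final List<NameValuePair> parameters = classicRequestBuilder.getParameters();
        if (parameters != null) {
            canon.append(createQueryString(parameters));
        }
        return canon.toString();
    }

    /**
     * Encodes parameters as {@code name=value} pairs joined by {@code &}, ordered by name.
     *
     * <p>A copy is sorted, so the caller's list is neither reordered nor required to be mutable.</p>
     *
     * @param list parameters to encode
     * @return the canonical query string
     */
    private static String createQueryString(@Nonnull List<NameValuePair> list) {
        final List<NameValuePair> sorted = new ArrayList<>(list);
        Collections.sort(sorted, Comparator.comparing(NameValuePair::getName));
        final Escaper escaper = UrlEscapers.urlFormParameterEscaper();
        final List<String> pairs = new ArrayList<>(sorted.size());
        for (final NameValuePair pair : sorted) {
            pairs.add(encodeComponent(escaper, pair.getName()) + "=" + encodeComponent(escaper, pair.getValue()));
        }
        return StringSupport.listToStringValue(pairs, "&");
    }

    /**
     * Escapes one name or value, then adjusts the form-style output to the percent-encoding the
     * canonical string uses: space as {@code %20}, {@code *} escaped, {@code ~} left literal.
     *
     * @param escaper form parameter escaper
     * @param component raw name or value
     * @return the encoded component
     */
    private static String encodeComponent(@Nonnull Escaper escaper, @Nonnull String component) {
        return escaper.escape(component).replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    /**
     * Signs a request by adding {@code Authorization} and {@code Date} headers.
     *
     * <p>The {@code Authorization} value is HTTP Basic with the integration key as user name and
     * the hex HMAC of the canonical request as password. The secret key is used only as the MAC
     * key and is never placed in a header. The same date string is both signed and sent, so the
     * two cannot drift apart.</p>
     *
     * @param classicRequestBuilder request to sign; headers are added to it
     * @param duoIntegration source of the integration key and secret key
     * @throws InvalidKeyException if the secret key is rejected by the MAC
     * @throws NoSuchAlgorithmException if the MAC algorithm is unavailable
     * @throws EncodingException if Base64 encoding fails
     */
    // NOTE(review): @NotEmpty carries no meaning on a void method; kept as found in the class file.
    @NotEmpty
    public static void signRequest(@Nonnull ClassicRequestBuilder classicRequestBuilder, @Nonnull DuoIntegration duoIntegration) throws InvalidKeyException, NoSuchAlgorithmException, EncodingException {
        final String integrationKey = duoIntegration.getIntegrationKey();
        final String secretKey = duoIntegration.getSecretKey();
        final String date = RFC_2822_DATE_FORMAT.format(ZonedDateTime.now());
        assert date != null;
        final String canonical = canonRequest(classicRequestBuilder, date, 2);
        // Explicit charset: getBytes() without one uses the platform default on older JVMs,
        // which would change the MAC input for non-ASCII parameter values.
        final Mac mac = Mac.getInstance(HMAC_ALGORITHM);
        mac.init(new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), HMAC_ALGORITHM));
        final String signature = Hex.encodeHexString(mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8)));
        final byte[] credentials = (integrationKey + ":" + signature).getBytes(StandardCharsets.UTF_8);
        classicRequestBuilder.addHeader("Authorization", "Basic " + Base64Support.encode(credentials, false));
        classicRequestBuilder.addHeader("Date", date);
    }

    /**
     * Generates a random lower-case hexadecimal nonce of the requested length.
     *
     * <p>Random bytes are hex-encoded directly, so every character carries a full four bits.
     * Concatenating {@code Integer.toHexString} values drops leading zeros, which skews the
     * leading digit of each chunk and loses a little entropy.</p>
     *
     * @param num required nonce length in characters
     * @return the nonce, exactly {@code num} characters long
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public static String generateNonce(@Nonnull Integer num) {
        // NOTE(review): the helper name suggests a strict "> 22" check while the message says
        // "at least 22" - confirm which bound is intended.
        Constraint.isGreaterThan(22, num.intValue(), "Nonce must be at least 22 characters");
        final int length = num.intValue();
        // Two hex characters per byte; round up for odd lengths and trim afterwards.
        final byte[] random = new byte[length / 2 + length % 2];
        new SecureRandom().nextBytes(random);
        return Hex.encodeHexString(random).substring(0, length);
    }

    /**
     * Builds the state value {@code nonce + "." + hex(key)}.
     *
     * <p>Hex is an encoding, not protection: the key is readable by anyone who sees the state,
     * and nothing in this class authenticates a state that comes back. Callers are presumably
     * expected to compare the returned nonce with the one they issued - confirm at the call site.</p>
     *
     * @param str the nonce
     * @param str2 the webflow execution key
     * @return the combined state value
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public static String generateState(@Nonnull String str, @Nonnull String str2) {
        Constraint.isNotNull(str, "Nonce Hex key can not be null");
        Constraint.isNotNull(str2, "Webflow execution key can not be null");
        return str + "." + Hex.encodeHexString(str2.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Extracts and hex-decodes the key component of a state value.
     *
     * <p>The input may come from outside, so the shape is checked before decoding. The decoded
     * key is unauthenticated data; see {@link #generateState(String, String)}.</p>
     *
     * @param str state value of the form {@code nonce.hex(key)}
     * @return the decoded key
     * @throws DuoException if the state does not have exactly two components or the key is not valid hex
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public static String extractKeyFromState(@Nonnull String str) throws DuoException {
        Constraint.isNotNull(str, "State can not be null");
        final String[] parts = str.split("\\.");
        if (parts.length != 2) {
            throw new DuoException("State does not contain the key component");
        }
        try {
            // Same charset as generateState, so the round trip is exact on every platform.
            return new String(Hex.decodeHex(parts[1]), StandardCharsets.UTF_8);
        } catch (DecoderException e) {
            throw new DuoException("Can not hex decode key", e);
        }
    }

    /**
     * Extracts the nonce component of a state value.
     *
     * @param str state value of the form {@code nonce.hex(key)}
     * @return the nonce, as received and not yet compared with the issued one
     * @throws DuoException if the state does not have exactly two components
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public static String extractNonceFromState(@Nonnull String str) throws DuoException {
        Constraint.isNotNull(str, "State can not be null");
        final String[] parts = str.split("\\.");
        if (parts.length != 2) {
            throw new DuoException("State does not contain the nonce component");
        }
        return parts[0];
    }
}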
