package net.shibboleth.idp.plugin.authn.duo.nimbus.impl;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.util.IOUtils;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.text.ParseException;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.idp.plugin.authn.duo.AbstractDuoOIDCClient;
import net.shibboleth.idp.plugin.authn.duo.DuoClientException;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.model.DuoHealthCheck;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.protocol.HttpContext;
import org.opensaml.security.httpclient.HttpClientSecurityParameters;
import org.opensaml.security.httpclient.HttpClientSecuritySupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

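/**
 * Duo OIDC client implemented with Nimbus JOSE+JWT (the signed client assertions and request
 * objects are produced by {@link NimbusClientSupport}) and Apache HttpClient (the HTTPS calls to
 * Duo's API host).
 *
 * <p>Three operations are exposed: Duo's health check, construction of the URL for Duo's
 * authorize endpoint, and the exchange of an authorization code for Duo's ID token. Every
 * request URI is assembled as {@code https://<apiHost><endpoint>} from the configured
 * {@link DuoOIDCIntegration}.</p>
 *
 * <p>Outbound calls run through OpenSAML's HttpClient security support, so the configured
 * {@link HttpClientSecurityParameters} (e.g. a TLS trust engine) are applied to each request and
 * trust-engine evaluation is asserted after each exchange. The ID token returned by
 * {@link #exchangeAuthorizationCodeFor2FAResult} is only parsed here; signature and claim
 * validation are not performed by this class.</p>
 *
 * <p>All fields are final and no per-request state is kept on the instance.</p>
 */
@ThreadSafe
final class NimbusClient extends AbstractDuoOIDCClient {

    /** Value of the {@code client_assertion_type} parameter sent with the token request. */
    @NotEmpty
    @Nonnull
    private static final String CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** URI scheme used for every Duo endpoint; plain HTTP is never used. */
    @NotEmpty
    @Nonnull
    private static final String HTTPS = "https";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(NimbusClient.class);

    /** Duo integration settings: API host, endpoint paths, client id, secret key, redirect URI. */
    @Nonnull
    private final DuoOIDCIntegration duoIntegration;

    /** HTTP client used for every call to Duo. */
    @Nonnull
    private final HttpClient httpClient;

    /** Optional OpenSAML security parameters marshalled into each request context. */
    @Nullable
    private final HttpClientSecurityParameters httpClientSecurityParameters;

    /** Jackson mapper used to deserialize Duo's JSON response bodies. */
    @Nonnull
    private final ObjectMapper objectMapper;

    /**
     * Constructor.
     *
     * <p>The decompiler reports that this constructor was declared {@code protected} in the
     * original bytecode; the widened modifier is kept here for compatibility.</p>
     *
     * <p>All {@code @Nonnull} arguments are checked with {@link Constraint#isNotNull}, which
     * throws a constraint violation for a null value; previously the object mapper was the only
     * one left unchecked, deferring the failure to the first response parse.</p>
     *
     * @param duoOIDCIntegration the Duo integration settings
     * @param httpClient the HTTP client used for all Duo calls
     * @param httpClientSecurityParameters optional OpenSAML HttpClient security parameters, may be null
     * @param objectMapper the Jackson mapper used to parse Duo's JSON responses
     */
    public NimbusClient(@Nonnull DuoOIDCIntegration duoOIDCIntegration, @Nonnull HttpClient httpClient, @Nullable HttpClientSecurityParameters httpClientSecurityParameters, @Nonnull ObjectMapper objectMapper) {
        this.duoIntegration = Constraint.isNotNull(duoOIDCIntegration, "Nimbus Client requires a non-null Duo Integration");
        this.httpClient = Constraint.isNotNull(httpClient, "Nimbus Client requires a non-null http client");
        this.httpClientSecurityParameters = httpClientSecurityParameters;
        this.objectMapper = Constraint.isNotNull(objectMapper, "Nimbus Client requires a non-null object mapper");
    }

    /**
     * Calls Duo's health check endpoint.
     *
     * <p>POSTs {@code client_id} and a {@code client_assertion} JWS built from the health check
     * URL, the client id and the integration's secret key, then maps the JSON body to a
     * {@link DuoHealthCheck}.</p>
     *
     * @return the parsed health check response
     * @throws DuoClientException if the endpoint URI can not be built or the request fails
     */
    @Nonnull
    public DuoHealthCheck healthCheck() throws DuoClientException {
        try {
            final URI endpoint = new URIBuilder()
                    .setScheme(HTTPS)
                    .setHost(this.duoIntegration.getAPIHost())
                    .setPath(this.duoIntegration.getHealthCheckEndpoint())
                    .build();
            this.log.trace("Using health check endpoint '{}'", endpoint);

            final String clientId = this.duoIntegration.getClientId();
            final HttpUriRequest request = RequestBuilder.post()
                    .setUri(endpoint)
                    .addParameter("client_id", clientId)
                    // The assertion is bound to the exact URL it is sent to.
                    .addParameter("client_assertion",
                            NimbusClientSupport.createJWS(endpoint.toString(), clientId, this.duoIntegration.getSecretKey()))
                    .build();
            return executeRequest(request, new TypeReference<DuoHealthCheck>() {
            });
        } catch (final URISyntaxException e) {
            this.log.error("Error performing a Duo health check", e);
            throw new DuoClientException(e);
        }
    }

    /**
     * Builds the URL for Duo's authorize endpoint.
     *
     * <p>The URL carries {@code scope=openid}, the nonce, {@code response_type=code}, the
     * redirect URI, the client id and a signed {@code request} object produced by
     * {@link NimbusClientSupport#createJWSRequestObject} from the client id, redirect URI, secret
     * key, state and username. Argument checks are enforced with {@link Constraint} and fail with
     * a constraint violation. Parameter names are as recovered by the decompiler.</p>
     *
     * @param str the username to authenticate, must not be empty
     * @param str2 the OIDC state, between 22 and 1024 characters inclusive
     * @param str3 the OIDC nonce, must not be empty
     * @param str4 redirect URI to use, or null to use the integration's configured redirect URI
     * @return the authorization URL as a string
     * @throws DuoClientException if the redirect URI or the authorization URL can not be built
     */
    @Nonnull
    public String createAuthUrl(@NotEmpty @Nonnull String str, @NotEmpty @Nonnull String str2, @Nonnull String str3, @Nullable String str4) throws DuoClientException {
        Constraint.isNotEmpty(str, "Username can not be null or empty");
        Constraint.isNotEmpty(str2, "State can not be null or empty");
        Constraint.isNotEmpty(str3, "Nonce can not be null or empty for this client");
        Constraint.isGreaterThan(21, str2.length(), "State must be at least 22 characters");
        Constraint.isLessThan(1025, str2.length(), "State must be at maximum 1024 characters");

        try {
            final String redirectURI = str4 != null ? str4 : this.duoIntegration.getRedirectURI();
            final String clientId = this.duoIntegration.getClientId();
            // URIBuilder.build() also declares URISyntaxException, so it is kept inside the try.
            return new URIBuilder()
                    .setScheme(HTTPS)
                    .setHost(this.duoIntegration.getAPIHost())
                    .setPath(this.duoIntegration.getAuthorizeEndpoint())
                    .setParameter("scope", "openid")
                    .setParameter("nonce", str3)
                    .setParameter("response_type", "code")
                    .setParameter("redirect_uri", redirectURI)
                    .setParameter("client_id", clientId)
                    .setParameter("request",
                            NimbusClientSupport.createJWSRequestObject(clientId, redirectURI, this.duoIntegration.getSecretKey(), str2, str))
                    .build()
                    .toString();
        } catch (final URISyntaxException e) {
            this.log.error("Unable to create a Duo authorization URL", e);
            throw new DuoClientException(e);
        }
    }

    /**
     * Exchanges an authorization code at Duo's token endpoint and returns the ID token.
     *
     * <p>The token request carries {@code grant_type=authorization_code}, the code, the redirect
     * URI (the override if given, else the integration's), the JWT-bearer
     * {@code client_assertion_type} and a {@code client_assertion} JWS whose audience is the token
     * endpoint URL. The {@code id_token} of the response is parsed as a {@link SignedJWT} and
     * returned without verification.</p>
     *
     * <p>The full token response, including the ID token, is written to the log at TRACE.</p>
     *
     * @param str the authorization code returned by Duo, must not be empty
     * @param str2 not used by this implementation (presumably the username — confirm against the caller)
     * @param str3 redirect URI to send, or null to use the integration's configured redirect URI
     * @return the parsed, unverified ID token
     * @throws DuoClientException if the endpoint URI can not be built, the request fails or the ID token can not be parsed
     */
    public JWT exchangeAuthorizationCodeFor2FAResult(@Nonnull String str, @Nonnull String str2, @Nullable String str3) throws DuoClientException {
        Constraint.isNotEmpty(str, "Auth_code can not be null");
        try {
            final URI tokenEndpoint = new URIBuilder()
                    .setScheme(HTTPS)
                    .setHost(this.duoIntegration.getAPIHost())
                    .setPath(this.duoIntegration.getTokenEndpoint())
                    .build();
            this.log.trace("Using authorization endpoint and audience '{}'", tokenEndpoint);

            final String redirectURI = str3 != null ? str3 : this.duoIntegration.getRedirectURI();
            final String clientId = this.duoIntegration.getClientId();
            final HttpUriRequest request = RequestBuilder.post()
                    .setUri(tokenEndpoint)
                    .addParameter("grant_type", "authorization_code")
                    .addParameter("code", str)
                    .addParameter("redirect_uri", redirectURI)
                    .addParameter("client_assertion_type", CLIENT_ASSERTION_TYPE)
                    .addParameter("client_assertion",
                            NimbusClientSupport.createJWS(tokenEndpoint.toString(), clientId, this.duoIntegration.getSecretKey()))
                    .build();
            final TokenResponse tokenResponse = executeRequest(request, new TypeReference<TokenResponse>() {
            });
            this.log.trace("Duo token response: '{}'", tokenResponse);
            // Parse only; the caller is responsible for verifying signature and claims.
            return SignedJWT.parse(tokenResponse.getIdToken());
        } catch (final URISyntaxException | ParseException e) {
            this.log.error("Unable to swap auth_code for id_token", e);
            throw new DuoClientException(e);
        }
    }

    /**
     * Executes a request against Duo and maps the JSON body to the requested type.
     *
     * <p>The OpenSAML security parameters are marshalled into a fresh client context and the
     * default TLS trust engine criteria are added before execution; after execution the context
     * is checked to confirm that any configured trust engine actually evaluated the server
     * credential. Only HTTP status 200 is accepted; for any other status the response body, if
     * present, is logged at ERROR and an exception carrying the status and reason phrase is thrown.
     * Response body streams are closed by this method rather than relying on the mapper's
     * auto-close setting.</p>
     *
     * @param httpUriRequest the request to execute
     * @param typeReference the Jackson type of the expected response body
     * @param <T> the response type
     * @return the deserialized response body, never null
     * @throws DuoClientException on a non-200 status, a missing or unparseable body, or an I/O failure
     */
    private <T> T executeRequest(@Nonnull HttpUriRequest httpUriRequest, @Nonnull TypeReference<T> typeReference) throws DuoClientException {
        try {
            final HttpContext context = HttpClientContext.create();
            HttpClientSecuritySupport.marshalSecurityParameters(context, this.httpClientSecurityParameters, true);
            HttpClientSecuritySupport.addDefaultTLSTrustEngineCriteria(context, httpUriRequest);
            final HttpResponse response = this.httpClient.execute(httpUriRequest, context);
            // Fail closed if a trust engine was configured but never consulted for this exchange.
            HttpClientSecuritySupport.checkTLSCredentialEvaluated(context, httpUriRequest.getURI().getScheme());

            final int statusCode = response.getStatusLine().getStatusCode();
            if (statusCode != 200) {
                if (response.getEntity() != null) {
                    // try-with-resources tolerates a null resource, so the null check is kept inside.
                    try (InputStream errorBody = response.getEntity().getContent()) {
                        if (errorBody != null) {
                            this.log.error("Duo returned a Non-ok message of '{}'", IOUtils.readInputStreamToString(errorBody));
                        }
                    }
                }
                throw new DuoClientException("Non-ok status code (" + statusCode + ") returned from Duo: " + response.getStatusLine().getReasonPhrase());
            }
            if (response.getEntity() == null) {
                throw new DuoClientException("No response body returned from Duo");
            }

            final T parsed;
            try (InputStream body = response.getEntity().getContent()) {
                parsed = this.objectMapper.readValue(body, typeReference);
            }
            if (parsed == null) {
                throw new DuoClientException("Unable to parse JSON response");
            }
            return parsed;
        } catch (final IOException e) {
            throw new DuoClientException("Could not execute Duo HTTP request", e);
        }
    }

    /**
     * Whether this client sends an OIDC nonce.
     *
     * @return always true; {@link #createAuthUrl} requires a nonce and puts it in the authorization URL
     */
    public boolean isSupportsNonce() {
        return true;
    }

    /**
     * Whether this client accepts a per-request redirect URI.
     *
     * @return always true; {@link #createAuthUrl} and {@link #exchangeAuthorizationCodeFor2FAResult}
     *         take an optional redirect URI override
     */
    public boolean isSupportsDynamicRedirectURI() {
        return true;
    }
}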
