package org.springframework.security.saml.websso;

import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.URI;
import org.apache.commons.httpclient.URIException;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
import org.opensaml.common.SAMLException;
import org.opensaml.common.xml.SAMLConstants;
import org.opensaml.saml2.metadata.IDPSSODescriptor;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.security.MetadataCriteria;
import org.opensaml.ws.message.decoder.MessageDecodingException;
import org.opensaml.ws.message.encoder.MessageEncodingException;
import org.opensaml.ws.soap.client.http.TLSProtocolSocketFactory;
import org.opensaml.ws.transport.http.HttpClientInTransport;
import org.opensaml.ws.transport.http.HttpClientOutTransport;
import org.opensaml.xml.security.CriteriaSet;
import org.opensaml.xml.security.SecurityException;
import org.opensaml.xml.security.credential.UsageType;
import org.opensaml.xml.security.criteria.EntityIDCriteria;
import org.opensaml.xml.security.criteria.UsageCriteria;
import org.springframework.security.config.http.PortMappingsBeanDefinitionParser;
import org.springframework.security.saml.context.SAMLMessageContext;
import org.springframework.security.saml.trust.X509KeyManager;
import org.springframework.security.saml.trust.X509TrustManager;

/* loaded from: input_file:WEB-INF/lib/spring-security-saml2-core-1.0.0.RELEASE.jar:org/springframework/security/saml/websso/ArtifactResolutionProfileImpl.class */
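public class ArtifactResolutionProfileImpl extends ArtifactResolutionProfileBase {

    /**
     * Client that executes the SOAP call to the artifact resolution service. Its host
     * configuration is copied per request (see {@link #getHostConfiguration}) so the
     * shared client is never mutated here.
     */
    private final HttpClient httpClient;

    /**
     * Creates the profile around the given HTTP client.
     *
     * @param httpClient client used to execute the ArtifactResolve request
     */
    public ArtifactResolutionProfileImpl(HttpClient httpClient) {
        this.httpClient = httpClient;
    }

    /**
     * Sends an ArtifactResolve message over the SAML 2 SOAP 1.1 binding to the peer endpoint
     * recorded in the context and decodes the returned ArtifactResponse into the same context.
     * <p>
     * The request is signed when the peer's extended metadata requires it. Whether TLS server
     * authentication and an optional client certificate are applied depends on the endpoint
     * scheme, see {@link #getHostConfiguration}. The pooled connection is released on every
     * exit path, including the non-200 and exception paths.
     *
     * @param str                 endpoint URI handed to the inbound transport (name kept from the
     *                            decompiled signature; the value is passed through unchanged)
     * @param sAMLMessageContext  context carrying the peer endpoint, extended metadata and
     *                            TLS credentials; its in/outbound transports are replaced here
     * @throws MessageDecodingException when the service answers with a status other than 200,
     *                                  or when an I/O error occurs while sending the request
     * @throws MessageEncodingException when the endpoint location cannot be parsed as a URI
     */
    @Override // org.springframework.security.saml.websso.ArtifactResolutionProfileBase
    protected void getArtifactResponse(String str, SAMLMessageContext sAMLMessageContext) throws SAMLException, MessageEncodingException, MessageDecodingException, MetadataProviderException, SecurityException {
        PostMethod postMethod = null;
        try {
            URI uri = new URI(sAMLMessageContext.getPeerEntityEndpoint().getLocation(), true, "UTF-8");
            postMethod = new PostMethod();
            postMethod.setPath(uri.getPath());
            HostConfiguration hostConfiguration = getHostConfiguration(uri, sAMLMessageContext);

            // Both transports wrap the same method: the request is written into it and, once
            // executed, the response is read back from it.
            HttpClientOutTransport outTransport = new HttpClientOutTransport(postMethod);
            sAMLMessageContext.setInboundMessageTransport(new HttpClientInTransport(postMethod, str));
            sAMLMessageContext.setOutboundMessageTransport(outTransport);

            // Whether the ArtifactResolve is signed is dictated by the peer's extended metadata.
            boolean signRequest = sAMLMessageContext.getPeerExtendedMetadata().isRequireArtifactResolveSigned();
            this.processor.sendMessage(sAMLMessageContext, signRequest, SAMLConstants.SAML2_SOAP11_BINDING_URI);

            this.log.debug("Sending ArtifactResolution message to {}", uri);
            int statusCode = this.httpClient.executeMethod(hostConfiguration, postMethod);
            if (statusCode != 200) {
                // The response body is peer-supplied content and is echoed into the exception
                // message; anything that logs or displays it should treat it as untrusted.
                throw new MessageDecodingException("Problem communicating with Artifact Resolution service, received response " + statusCode + ", body " + postMethod.getResponseBodyAsString());
            }
            this.processor.retrieveMessage(sAMLMessageContext, SAMLConstants.SAML2_SOAP11_BINDING_URI);
        } catch (IOException e) {
            throw new MessageDecodingException("Error when sending request to artifact resolution service.", e);
        } finally {
            // Return the connection to the pool on every path. The decompiled version only
            // released it after a successful round trip, leaking the connection on errors.
            if (postMethod != null) {
                postMethod.releaseConnection();
            }
        }
    }

    /**
     * Builds the host configuration used for the call to the artifact resolution service.
     * <p>
     * Starts from a copy of the client's own host configuration (so proxy and similar settings
     * survive) and sets the target host. For a plain {@code http} endpoint the URI is used as
     * is. For any other scheme an {@code https} protocol is registered whose socket factory
     * presents the local SSL credential (client certificate) and validates the server chain
     * with the context's SSL trust engine, scoped to the peer entity's IDP descriptor. A
     * missing or unknown scheme therefore never falls back to plaintext.
     *
     * @param uri                 parsed endpoint location
     * @param sAMLMessageContext  context providing the peer entity ID and local TLS settings
     * @return a fresh host configuration for this request
     * @throws MessageEncodingException when the URI cannot be resolved
     */
    protected HostConfiguration getHostConfiguration(URI uri, SAMLMessageContext sAMLMessageContext) throws MessageEncodingException {
        try {
            HostConfiguration clientConfiguration = this.httpClient.getHostConfiguration();
            HostConfiguration requestConfiguration = clientConfiguration != null ? new HostConfiguration(clientConfiguration) : new HostConfiguration();
            // Null-safe comparison: a location without a scheme goes through the TLS branch.
            if ("http".equalsIgnoreCase(uri.getScheme())) {
                this.log.debug("Using HTTP configuration");
                requestConfiguration.setHost(uri);
            } else {
                this.log.debug("Using HTTPS configuration");
                // Limit trusted server certificates to those published for the peer's IDP role.
                CriteriaSet criteriaSet = new CriteriaSet();
                criteriaSet.add(new EntityIDCriteria(sAMLMessageContext.getPeerEntityId()));
                criteriaSet.add(new MetadataCriteria(IDPSSODescriptor.DEFAULT_ELEMENT_NAME, SAMLConstants.SAML20P_NS));
                criteriaSet.add(new UsageCriteria(UsageType.UNSPECIFIED));
                X509KeyManager keyManager = new X509KeyManager(sAMLMessageContext.getLocalSSLCredential());
                X509TrustManager trustManager = new X509TrustManager(criteriaSet, sAMLMessageContext.getLocalSSLTrustEngine());
                SecureProtocolSocketFactory socketFactory = getSSLSocketFactory(sAMLMessageContext, keyManager, trustManager, sAMLMessageContext.getLocalSSLHostnameVerifier());
                // The decompiler resolved the protocol name to an unrelated constant holding the
                // same string; the literal scheme name is what is meant here.
                Protocol https = new Protocol("https", (ProtocolSocketFactory) socketFactory, 443);
                requestConfiguration.setHost(uri.getHost(), uri.getPort(), https);
            }
            return requestConfiguration;
        } catch (URIException e) {
            throw new MessageEncodingException("Error parsing remote location URI", e);
        }
    }

    /**
     * Creates the TLS socket factory for the artifact resolution call.
     * <p>
     * The hostname verifier is only wired in when the installed OpenSAML version offers the
     * three-argument constructor; otherwise the factory is built without it and no hostname
     * verification happens on that connection (a warning is logged by
     * {@link #isHostnameVerificationSupported()}).
     *
     * @param sAMLMessageContext  current message context (unused here, kept for subclasses)
     * @param x509KeyManager      supplies the local client certificate
     * @param x509TrustManager    validates the server certificate chain
     * @param hostnameVerifier    verifier applied when supported by the OpenSAML version
     * @return socket factory for the {@code https} protocol
     */
    protected SecureProtocolSocketFactory getSSLSocketFactory(SAMLMessageContext sAMLMessageContext, X509KeyManager x509KeyManager, X509TrustManager x509TrustManager, HostnameVerifier hostnameVerifier) {
        if (isHostnameVerificationSupported()) {
            return new TLSProtocolSocketFactory(x509KeyManager, x509TrustManager, hostnameVerifier);
        }
        return new TLSProtocolSocketFactory(x509KeyManager, x509TrustManager);
    }

    /**
     * Checks by reflection whether the installed {@link TLSProtocolSocketFactory} accepts a
     * {@link HostnameVerifier}. The fully qualified {@code javax.net.ssl} types are used
     * because this file imports same-named classes from the Spring SAML trust package.
     *
     * @return {@code true} when the verifier-aware constructor exists; {@code false} (with a
     *         warning) when the OpenSAML version is too old
     */
    protected boolean isHostnameVerificationSupported() {
        try {
            TLSProtocolSocketFactory.class.getConstructor(javax.net.ssl.X509KeyManager.class, javax.net.ssl.X509TrustManager.class, HostnameVerifier.class);
            return true;
        } catch (NoSuchMethodException e) {
            this.log.warn("HostnameVerification is not supported, update your OpenSAML libraries");
            return false;
        }
    }
}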
