package org.mitre.openid.connect.client.service.impl;

import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.apache.http.client.HttpClient;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.DefaultHttpClient;
import org.mitre.openid.connect.client.model.IssuerServiceResponse;
import org.mitre.openid.connect.client.service.IssuerService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/mitre/openid/connect/client/service/impl/WebfingerIssuerService.class */
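/**
 * Resolves the OpenID Connect issuer for a user-supplied identifier through WebFinger discovery.
 *
 * <p>The identifier is read from a request parameter, normalized into {@link UriComponents}, and
 * used to build a {@code /.well-known/webfinger} request. Results are cached per normalized
 * resource.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The host contacted by the discovery request is derived from the request parameter. The
 *       whitelist and blacklist are compared against the <em>returned issuer</em> only, after the
 *       outbound request has already been made; they do not restrict which host is contacted.</li>
 *   <li>An explicit {@code http} scheme is accepted with a warning rather than rejected.</li>
 *   <li>When the response contains no issuer link and the input scheme is {@code http} or
 *       {@code https}, the normalized input itself is returned as the issuer.</li>
 *   <li>User input is written to the log unescaped.</li>
 * </ul>
 */
public class WebfingerIssuerService implements IssuerService {
    private static final Logger logger = LoggerFactory.getLogger(WebfingerIssuerService.class);

    // NOTE(review): the host group is "[^:]+", which also matches '/', '?' and '#'. For an input
    // without an explicit port the greedy host group can therefore absorb the path, so the value
    // handed to UriComponentsBuilder.host() is not guaranteed to be a bare hostname.
    private static final Pattern pattern = Pattern.compile("^((https|acct|http|mailto):(//)?)?((([^@]+)@)?(([^:]+)(:(\\d*))?))([^\\?]+)?(\\?([^#]+))?(#(.*))?$");

    /** Link relation that identifies the OpenID Connect issuer in a WebFinger response. */
    private static final String ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer";

    /**
     * Upper bound on cached lookups. Cache keys come from request input, so an unbounded cache
     * would grow with every distinct identifier submitted. The value is a conservative default;
     * tune it for the deployment. Entries still never expire by age.
     */
    private static final long MAX_CACHED_ISSUERS = 1000L;

    private String loginPageUrl;
    private Set<String> whitelist = new HashSet<>();
    private Set<String> blacklist = new HashSet<>();
    private String parameterName = "identifier";
    private LoadingCache<UriComponents, String> issuers =
            CacheBuilder.newBuilder().maximumSize(MAX_CACHED_ISSUERS).build(new WebfingerIssuerFetcher());

    /**
     * Cache loader that performs the WebFinger request for one normalized resource.
     *
     * <p>NOTE(review): the HTTP client is created with defaults; no connect or read timeout is
     * configured in this class, so a slow endpoint may hold the calling thread — confirm whether
     * timeouts are applied elsewhere.
     */
    private class WebfingerIssuerFetcher extends CacheLoader<UriComponents, String> {
        private HttpClient httpClient;
        private HttpComponentsClientHttpRequestFactory httpFactory;
        private JsonParser parser;

        private WebfingerIssuerFetcher() {
            this.httpClient = new DefaultHttpClient();
            this.httpFactory = new HttpComponentsClientHttpRequestFactory(this.httpClient);
            this.parser = new JsonParser();
        }

        /**
         * Fetches the WebFinger document for {@code uriComponents} and extracts the issuer.
         *
         * @param uriComponents the normalized resource produced by {@code normalizeResource}
         * @return the {@code href} of the first link whose {@code rel} is the issuer relation, or
         *     the normalized input itself when no such link exists and the scheme is http(s)
         * @throws Exception if the request fails or no issuer can be determined; a cache loader
         *     must not return {@code null}, so the failure is reported by throwing
         */
        @Override
        public String load(UriComponents uriComponents) throws Exception {
            RestTemplate restTemplate = new RestTemplate(this.httpFactory);
            String scheme = uriComponents.getScheme();
            String prefix;
            if ("http".equals(scheme)) {
                // NOTE(review): plain http is still used here; only a warning is emitted.
                prefix = "http://";
                WebfingerIssuerService.logger.warn("Webfinger endpoint MUST use the https URI scheme.");
            } else {
                // Every other scheme (acct, mailto, https, or none) is discovered over https.
                prefix = "https://";
            }

            String port = uriComponents.getPort() >= 0 ? ":" + uriComponents.getPort() : "";
            String query = Strings.isNullOrEmpty(uriComponents.getQuery()) ? "" : "?" + uriComponents.getQuery();
            URIBuilder uRIBuilder = new URIBuilder(prefix + uriComponents.getHost() + port
                    + Strings.nullToEmpty(uriComponents.getPath()) + "/.well-known/webfinger" + query);
            uRIBuilder.addParameter("resource", uriComponents.toString());
            uRIBuilder.addParameter("rel", ISSUER_REL);
            WebfingerIssuerService.logger.info("Loading: " + uRIBuilder.toString());

            String body = restTemplate.getForObject(uRIBuilder.build(), String.class);
            // An empty response body would otherwise fail inside the JSON parser.
            JsonElement parse = body == null ? null : this.parser.parse(body);
            if (parse != null && parse.isJsonObject()) {
                // The response is remote, untrusted JSON: "links" may be missing or not an array.
                JsonElement links = parse.getAsJsonObject().get("links");
                if (links != null && links.isJsonArray()) {
                    for (JsonElement jsonElement : links.getAsJsonArray()) {
                        if (!jsonElement.isJsonObject()) {
                            continue;
                        }
                        JsonObject link = jsonElement.getAsJsonObject();
                        if (link.has("href") && link.has("rel")
                                && link.get("rel").isJsonPrimitive()
                                && link.get("href").isJsonPrimitive()
                                && ISSUER_REL.equals(link.get("rel").getAsString())) {
                            return link.get("href").getAsString();
                        }
                    }
                }
            }

            // Constant-first comparison so a missing scheme cannot raise a NullPointerException.
            if ("http".equals(scheme) || "https".equals(scheme)) {
                WebfingerIssuerService.logger.warn("Returning normalized input string as issuer, hoping for the best: " + uriComponents.toString());
                return uriComponents.toString();
            }
            WebfingerIssuerService.logger.warn("Couldn't find issuer: " + uriComponents.toString());
            throw new IllegalArgumentException("Couldn't find issuer: " + uriComponents.toString());
        }
    }

    /**
     * Determines the issuer for the identifier carried in the request.
     *
     * @param httpServletRequest the incoming request; the identifier is read from the parameter
     *     named by {@link #getParameterName()}
     * @return a response pointing at the login page when no identifier was supplied, a response
     *     carrying the discovered issuer on success, or {@code null} when the identifier could
     *     not be normalized or the lookup failed
     * @throws AuthenticationServiceException if the whitelist is non-empty and does not contain
     *     the issuer, or if the blacklist contains it
     */
    @Override // org.mitre.openid.connect.client.service.IssuerService
    public IssuerServiceResponse getIssuer(HttpServletRequest httpServletRequest) {
        String parameter = httpServletRequest.getParameter(this.parameterName);
        if (Strings.isNullOrEmpty(parameter)) {
            logger.warn("No user input given, directing to login page: " + this.loginPageUrl);
            return new IssuerServiceResponse(this.loginPageUrl);
        }

        // normalizeResource returns null for unparseable input, and the cache rejects null keys
        // with a NullPointerException, so stop here instead of passing it on.
        UriComponents resource = normalizeResource(parameter);
        if (resource == null) {
            return null;
        }

        String issuer;
        try {
            issuer = this.issuers.get(resource);
        } catch (ExecutionException | RuntimeException e) {
            // Unchecked failures inside the loader (HTTP errors, malformed JSON) surface from the
            // cache as runtime exceptions, not ExecutionException; treat all of them as a failed
            // lookup. Only the lookup is inside the try, so the list checks below still throw.
            logger.warn("Issue fetching issuer for user input: " + parameter, e);
            return null;
        }

        if (!this.whitelist.isEmpty() && !this.whitelist.contains(issuer)) {
            throw new AuthenticationServiceException("Whitelist was nonempty, issuer was not in whitelist: " + issuer);
        }
        if (this.blacklist.contains(issuer)) {
            throw new AuthenticationServiceException("Issuer was in blacklist: " + issuer);
        }
        return new IssuerServiceResponse(issuer, null, null);
    }

    /**
     * Splits the user-supplied identifier into URI components and applies a default scheme.
     *
     * <p>When no scheme is given, {@code acct} is assumed for inputs that have user info but no
     * path, query or port, and {@code https} otherwise. Any fragment is dropped.
     *
     * @param str the raw identifier
     * @return the normalized components, or {@code null} if the input is empty, does not match
     *     the identifier pattern, or carries a port that does not fit in an {@code int}
     */
    private UriComponents normalizeResource(String str) {
        if (Strings.isNullOrEmpty(str)) {
            logger.warn("Can't normalize null or empty URI: " + str);
            return null;
        }
        UriComponentsBuilder newInstance = UriComponentsBuilder.newInstance();
        Matcher matcher = pattern.matcher(str);
        if (!matcher.matches()) {
            logger.warn("Parser couldn't match input: " + str);
            return null;
        }
        newInstance.scheme(matcher.group(2));
        newInstance.userInfo(matcher.group(6));
        newInstance.host(matcher.group(8));
        String group = matcher.group(10);
        if (!Strings.isNullOrEmpty(group)) {
            try {
                newInstance.port(Integer.parseInt(group));
            } catch (NumberFormatException e) {
                // The pattern allows any number of digits, so the port can overflow an int.
                logger.warn("Parser couldn't match input: " + str);
                return null;
            }
        }
        newInstance.path(matcher.group(11));
        newInstance.query(matcher.group(13));
        newInstance.fragment(matcher.group(15));
        UriComponents build = newInstance.build();
        if (Strings.isNullOrEmpty(build.getScheme())) {
            boolean looksLikeAccount = !Strings.isNullOrEmpty(build.getUserInfo())
                    && Strings.isNullOrEmpty(build.getPath())
                    && Strings.isNullOrEmpty(build.getQuery())
                    && build.getPort() < 0;
            newInstance.scheme(looksLikeAccount ? "acct" : "https");
        }
        // The fragment is not part of the resource identity, so it is removed before building.
        newInstance.fragment((String) null);
        return newInstance.build();
    }

    /** Returns the name of the request parameter that carries the identifier. */
    public String getParameterName() {
        return this.parameterName;
    }

    /** Sets the name of the request parameter that carries the identifier. */
    public void setParameterName(String str) {
        this.parameterName = str;
    }

    /** Returns the login page URL used when the request carries no identifier. */
    public String getLoginPageUrl() {
        return this.loginPageUrl;
    }

    /** Sets the login page URL used when the request carries no identifier. */
    public void setLoginPageUrl(String str) {
        this.loginPageUrl = str;
    }

    /** Returns the issuers that are accepted; an empty set accepts every issuer. */
    public Set<String> getWhitelist() {
        return this.whitelist;
    }

    /** Replaces the set of accepted issuers; the set is stored by reference, not copied. */
    public void setWhitelist(Set<String> set) {
        this.whitelist = set;
    }

    /** Returns the issuers that are always rejected. */
    public Set<String> getBlacklist() {
        return this.blacklist;
    }

    /** Replaces the set of rejected issuers; the set is stored by reference, not copied. */
    public void setBlacklist(Set<String> set) {
        this.blacklist = set;
    }
}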
