package org.opensaml.saml.metadata.resolver.impl;

import java.io.File;
import java.net.URISyntaxException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import net.shibboleth.utilities.java.support.codec.StringDigester;
import net.shibboleth.utilities.java.support.httpclient.HttpClientBuilder;
import net.shibboleth.utilities.java.support.httpclient.HttpClientSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.velocity.VelocityEngine;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.core.xml.XMLObjectBaseTestCase;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.security.credential.impl.StaticCredentialResolver;
import org.opensaml.security.httpclient.impl.SecurityEnhancedTLSSocketFactory;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.trust.impl.ExplicitKeyTrustEngine;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.X509Support;
import org.opensaml.security.x509.impl.BasicPKIXValidationInformation;
import org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator;
import org.opensaml.security.x509.impl.CertPathPKIXTrustEvaluator;
import org.opensaml.security.x509.impl.PKIXX509CredentialTrustEngine;
import org.opensaml.security.x509.impl.StaticPKIXValidationInformationResolver;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:org/opensaml/saml/metadata/resolver/impl/FunctionDrivenDynamicHTTPMetadataResolverTest.class */
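/**
 * Tests {@link FunctionDrivenDynamicHTTPMetadataResolver} with the template, well-known-location and
 * MDQ request URL builders, with different accepted content types, and with TLS server trust
 * evaluated by an explicit-key or PKIX {@link TrustEngine}.
 *
 * <p>Points a reader should keep in mind when using these tests as a reference:</p>
 * <ul>
 *   <li>Every test talks to live hosts. {@link #testTemplateNonexistentDomain()} pins that an
 *       unreachable host yields a {@code null} result, so the negative TLS tests (which also only
 *       assert {@code null}) cannot by themselves distinguish "server trust rejected" from
 *       "network unavailable".</li>
 *   <li>{@link #buildTrustEngineSocketFactory()} wraps a no-trust TLS socket factory, so server
 *       authentication rests entirely on the trust engine set on the resolver.
 *       {@link #testHTTPSNoTrustEngine()} pins that, with that factory and no trust engine, the HTTPS
 *       fetch still succeeds; the server is not authenticated in that configuration.</li>
 *   <li>No metadata filter is configured anywhere in this class, so the fetched metadata is not
 *       signature-checked here; the {@code http://} tests accept unauthenticated metadata.</li>
 *   <li>The SHA-1 {@link StringDigester} is passed as the entity ID transformer of the URL template
 *       (it appears to derive the {@code ${entityID}.xml} file name); it is not an integrity check.</li>
 * </ul>
 */
public class FunctionDrivenDynamicHTTPMetadataResolverTest extends XMLObjectBaseTestCase {
    /** Classpath directory holding the certificate fixtures. */
    private static final String DATA_PATH = "/org/opensaml/saml/metadata/resolver/impl/";

    /** Plain-HTTP repository template, served with the repository's default content type. */
    private static final String REPO_HTTP_TEMPLATE =
            "http://svn.shibboleth.net/view/java-opensaml/trunk/opensaml-saml-impl/src/test/resources/org/opensaml/saml/metadata/resolver/impl/${entityID}.xml?view=co";

    /** Plain-HTTP repository template that asks the server to answer with {@code text/plain}. */
    private static final String REPO_HTTP_TEXT_PLAIN_TEMPLATE =
            "http://svn.shibboleth.net/view/java-opensaml/trunk/opensaml-saml-impl/src/test/resources/org/opensaml/saml/metadata/resolver/impl/${entityID}.xml?content-type=text%2Fplain&view=co";

    /** HTTPS repository template used by all TLS trust tests. */
    private static final String REPO_HTTPS_TEMPLATE =
            "https://svn.shibboleth.net/java-opensaml/trunk/opensaml-saml-impl/src/test/resources/org/opensaml/saml/metadata/resolver/impl/${entityID}.xml";

    /** Entity ID looked up by the repository-backed tests. */
    private static final String SP_ENTITY_ID = "https://www.example.org/sp";

    /** Component ID given to every resolver under test. */
    private static final String RESOLVER_ID = "myDynamicResolver";

    private FunctionDrivenDynamicHTTPMetadataResolver resolver;
    private HttpClientBuilder httpClientBuilder;

    /** Gives each test a fresh client builder so socket-factory settings do not leak between tests. */
    @BeforeMethod
    public void setUp() {
        httpClientBuilder = new HttpClientBuilder();
    }

    /** Destroys the resolver created by the test, if any. */
    @AfterMethod
    public void tearDown() {
        if (resolver != null) {
            resolver.destroy();
            // Drop the reference so a later test that fails before creating its own resolver
            // does not cause a second destroy() on this one.
            resolver = null;
        }
    }

    /** Default content types are enough to resolve metadata from the repository view. */
    @Test
    public void testTemplateFromRepoDefaultContentTypes() throws Exception {
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTP_TEMPLATE));
        resolver.initialize();
        assertResolved(SP_ENTITY_ID);
    }

    /** A {@code text/plain} response resolves once that type is listed; the entry is deliberately upper-case. */
    @Test
    public void testTemplateFromRepoWithExplicitContentType() throws Exception {
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTP_TEXT_PLAIN_TEMPLATE));
        resolver.setSupportedContentTypes(
                Arrays.asList("application/samlmetadata+xml", "application/xml", "text/xml", "TEXT/PLAIN"));
        resolver.initialize();
        assertResolved(SP_ENTITY_ID);
    }

    /** A {@code text/plain} response is refused when only the default content types are accepted. */
    @Test
    public void testTemplateFromRepoUnsupportedContentType() throws Exception {
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTP_TEXT_PLAIN_TEMPLATE));
        resolver.initialize();
        assertNotResolved(SP_ENTITY_ID);
    }

    /** An unresolvable host yields {@code null} rather than an exception. */
    @Test
    public void testTemplateNonexistentDomain() throws Exception {
        newResolver();
        resolver.setRequestURLBuilder(new TemplateRequestURLBuilder(VelocityEngine.newVelocityEngine(),
                "http://bogus.example.org/metadata?entityID=${entityID}", true));
        resolver.initialize();
        assertNotResolved(SP_ENTITY_ID);
    }

    /** A reachable host with an unknown path yields {@code null}. */
    @Test
    public void testTemplateNonexistentPath() throws Exception {
        newResolver();
        resolver.setRequestURLBuilder(new TemplateRequestURLBuilder(VelocityEngine.newVelocityEngine(),
                "http://shibboleth.net/unittests/metadata?entityID=${entityID}", true));
        resolver.initialize();
        assertNotResolved(SP_ENTITY_ID);
    }

    /** The entity ID itself is used as the metadata location. */
    @Test
    public void testWellKnownLocation() throws Exception {
        newResolver();
        resolver.setRequestURLBuilder(new HTTPEntityIDRequestURLBuilder());
        resolver.initialize();
        assertResolved("https://issues.shibboleth.net/shibboleth");
    }

    /** Metadata is fetched through the metadata query protocol endpoint. */
    @Test
    public void testMDQ() throws Exception {
        newResolver();
        resolver.setRequestURLBuilder(new MetadataQueryProtocolRequestURLBuilder("http://shibboleth.net:9000"));
        resolver.initialize();
        assertResolved("https://foo1.example.org/idp/shibboleth");
    }

    /** Installing the trust-engine socket factory does not disturb a plain-HTTP fetch. */
    @Test
    public void testTrustEngineSocketFactoryNoHTTPSNoTrustEngine() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTP_TEMPLATE));
        resolver.initialize();
        assertResolved(SP_ENTITY_ID);
    }

    /** A configured trust engine does not disturb a plain-HTTP fetch either. */
    @Test
    public void testTrustEngineSocketFactoryNoHTTPSWithTrustEngine() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTP_TEMPLATE));
        resolver.setTLSTrustEngine(buildExplicitKeyTrustEngine("svn-entity.crt"));
        resolver.initialize();
        assertResolved(SP_ENTITY_ID);
    }

    /**
     * HTTPS fetch with the trust-engine socket factory but no trust engine set.
     *
     * <p>The assertion pins that resolution succeeds. Because the socket factory is built on a
     * no-trust TLS factory, nothing visible in this test authenticates the server; treat this as
     * documentation of a permissive default, not as a configuration to copy.</p>
     */
    @Test
    public void testHTTPSNoTrustEngine() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTPS_TEMPLATE));
        resolver.initialize();
        assertResolved(SP_ENTITY_ID);
    }

    /** The server's own certificate is pinned as the trusted key. */
    @Test
    public void testHTTPSTrustEngineExplicitKey() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTPS_TEMPLATE));
        resolver.setTLSTrustEngine(buildExplicitKeyTrustEngine("svn-entity.crt"));
        resolver.initialize();
        assertResolved(SP_ENTITY_ID);
    }

    /** A pinned key that is not the server's must make the fetch fail. */
    @Test
    public void testHTTPSTrustEngineInvalidKey() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTPS_TEMPLATE));
        resolver.setTLSTrustEngine(buildExplicitKeyTrustEngine("badKey.crt"));
        resolver.initialize();
        assertNotResolved(SP_ENTITY_ID);
    }

    /** PKIX validation against the correct root CA, without trusted-name checking. */
    @Test
    public void testHTTPSTrustEngineValidPKIX() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTPS_TEMPLATE));
        resolver.setTLSTrustEngine(buildPKIXTrustEngine("svn-rootCA.crt", null, false));
        resolver.initialize();
        assertResolved(SP_ENTITY_ID);
    }

    /** PKIX validation against the correct root CA with a matching trusted name. */
    @Test
    public void testHTTPSTrustEngineValidPKIXExplicitName() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTPS_TEMPLATE));
        resolver.setTLSTrustEngine(buildPKIXTrustEngine("svn-rootCA.crt", "*.shibboleth.net", true));
        resolver.initialize();
        assertResolved(SP_ENTITY_ID);
    }

    /** PKIX validation against an unrelated CA must make the fetch fail. */
    @Test
    public void testHTTPSTrustEngineInvalidPKIX() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTPS_TEMPLATE));
        resolver.setTLSTrustEngine(buildPKIXTrustEngine("badCA.crt", null, false));
        resolver.initialize();
        assertNotResolved(SP_ENTITY_ID);
    }

    /** A valid chain is still refused when the certificate does not carry the trusted name. */
    @Test
    public void testHTTPSTrustEngineValidPKIXInvalidName() throws Exception {
        httpClientBuilder.setTLSSocketFactory(buildTrustEngineSocketFactory());
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTPS_TEMPLATE));
        resolver.setTLSTrustEngine(buildPKIXTrustEngine("svn-rootCA.crt", "foobar.shibboleth.net", true));
        resolver.initialize();
        assertNotResolved(SP_ENTITY_ID);
    }

    /**
     * A trust engine is set, but the client keeps its default socket factory instead of the one
     * from {@link #buildTrustEngineSocketFactory()}.
     *
     * <p>The expected result is {@code null}: the fetch is not accepted even though the pinned
     * certificate is the right one. Presumably the resolver refuses a response whose TLS trust was
     * never evaluated by the configured engine; the mechanism is not visible in this file.</p>
     */
    @Test
    public void testHTTPSTrustEngineWrongSocketFactory() throws Exception {
        newResolver();
        resolver.setRequestURLBuilder(digestedTemplate(REPO_HTTPS_TEMPLATE));
        resolver.setTLSTrustEngine(buildExplicitKeyTrustEngine("svn-entity.crt"));
        resolver.initialize();
        assertNotResolved(SP_ENTITY_ID);
    }

    /**
     * Creates the resolver under test from the current client builder and applies the settings
     * shared by every test (ID and parser pool). The caller sets the request URL builder and any
     * optional settings, then calls {@code initialize()}.
     *
     * @throws Exception if the HTTP client cannot be built
     */
    private void newResolver() throws Exception {
        resolver = new FunctionDrivenDynamicHTTPMetadataResolver(httpClientBuilder.buildClient());
        resolver.setId(RESOLVER_ID);
        resolver.setParserPool(parserPool);
    }

    /**
     * Builds a URL template builder whose entity ID transformer is a lower-case hex SHA-1 digester.
     *
     * @param template Velocity template containing {@code ${entityID}}
     * @return the request URL builder
     * @throws Exception if the digester or template cannot be created
     */
    private TemplateRequestURLBuilder digestedTemplate(String template) throws Exception {
        return new TemplateRequestURLBuilder(VelocityEngine.newVelocityEngine(), template, true,
                new StringDigester("SHA-1", StringDigester.OutputFormat.HEX_LOWER));
    }

    /**
     * Asserts that the entity ID resolves to a descriptor with that entity ID and no cached DOM.
     *
     * @param entityId entity ID to look up
     * @throws Exception if resolution throws
     */
    private void assertResolved(String entityId) throws Exception {
        EntityDescriptor descriptor =
                resolver.resolveSingle(new CriteriaSet(new Criterion[] {new EntityIdCriterion(entityId)}));
        Assert.assertNotNull(descriptor);
        Assert.assertEquals(descriptor.getEntityID(), entityId);
        Assert.assertNull(descriptor.getDOM());
    }

    /**
     * Asserts that the entity ID does not resolve. Note that this also holds when the remote host
     * is simply unreachable.
     *
     * @param entityId entity ID to look up
     * @throws Exception if resolution throws
     */
    private void assertNotResolved(String entityId) throws Exception {
        Assert.assertNull(
                resolver.resolveSingle(new CriteriaSet(new Criterion[] {new EntityIdCriterion(entityId)})));
    }

    /**
     * Locates a fixture file under {@link #DATA_PATH}.
     *
     * @param fileName file name relative to {@link #DATA_PATH}
     * @return the fixture as a file
     * @throws URISyntaxException if the resource URL is not a valid URI
     * @throws IllegalStateException if the fixture is not on the classpath
     */
    private File resourceFile(String fileName) throws URISyntaxException {
        java.net.URL location = getClass().getResource(DATA_PATH + fileName);
        if (location == null) {
            // Fail with the missing name instead of an anonymous NullPointerException.
            throw new IllegalStateException("Test resource not found on classpath: " + DATA_PATH + fileName);
        }
        return new File(location.toURI());
    }

    /**
     * Builds the socket factory that lets the resolver's trust engine evaluate the server certificate.
     *
     * <p>The wrapped factory comes from {@code buildNoTrustTLSSocketFactory()}, so the TLS layer
     * itself does not validate the certificate chain; only host name verification (strict) is applied
     * at this level. Server trust therefore depends on a trust engine being set on the resolver.</p>
     *
     * @return the trust-engine-aware TLS socket factory
     */
    private LayeredConnectionSocketFactory buildTrustEngineSocketFactory() {
        return new SecurityEnhancedTLSSocketFactory(
                HttpClientSupport.buildNoTrustTLSSocketFactory(),
                SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER);
    }

    /**
     * Builds a trust engine that trusts exactly the certificate stored in the named fixture.
     *
     * @param certFileName certificate file under {@link #DATA_PATH}
     * @return the explicit-key trust engine
     * @throws URISyntaxException if the resource URL is not a valid URI
     * @throws CertificateException if the certificate cannot be decoded
     */
    private TrustEngine<? super X509Credential> buildExplicitKeyTrustEngine(String certFileName)
            throws URISyntaxException, CertificateException {
        return new ExplicitKeyTrustEngine(new StaticCredentialResolver(
                new BasicX509Credential(X509Support.decodeCertificate(resourceFile(certFileName)))));
    }

    /**
     * Builds a PKIX trust engine with a single trust anchor, no CRLs and a verification depth of 5.
     *
     * @param trustAnchorFileName trust anchor certificate file under {@link #DATA_PATH}
     * @param trustedName the only trusted name, or {@code null} for an empty trusted-name set
     * @param checkNames whether to install a {@link BasicX509CredentialNameEvaluator}; when
     *     {@code false} no name evaluator is passed and {@code trustedName} is not enforced by one
     * @return the PKIX trust engine
     * @throws URISyntaxException if the resource URL is not a valid URI
     * @throws CertificateException if the certificate cannot be decoded
     */
    private TrustEngine<? super X509Credential> buildPKIXTrustEngine(String trustAnchorFileName, String trustedName,
            boolean checkNames) throws URISyntaxException, CertificateException {
        BasicPKIXValidationInformation validationInfo = new BasicPKIXValidationInformation(
                Collections.singletonList(X509Support.decodeCertificate(resourceFile(trustAnchorFileName))),
                (Collection) null,
                5);
        return new PKIXX509CredentialTrustEngine(
                new StaticPKIXValidationInformationResolver(
                        Collections.singletonList(validationInfo),
                        trustedName != null ? Collections.singleton(trustedName) : Collections.emptySet()),
                new CertPathPKIXTrustEvaluator(),
                checkNames ? new BasicX509CredentialNameEvaluator() : null);
    }
}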
