package com.terracotta.management.security.impl;

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientHandlerException;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import com.sun.jersey.api.json.JSONConfiguration;
import com.sun.jersey.client.urlconnection.HTTPSProperties;
import com.terracotta.management.keychain.URIKeyName;
import com.terracotta.management.security.HMACBuilder;
import com.terracotta.management.security.IACredentials;
import com.terracotta.management.security.IdentityAssertionServiceClient;
import com.terracotta.management.security.InvalidIAInteractionException;
import com.terracotta.management.security.KeyChainAccessor;
import com.terracotta.management.security.MaskedUserInfo;
import com.terracotta.management.security.SSLContextFactory;
import com.terracotta.management.security.SecurityServiceDirectory;
import com.terracotta.management.user.UserInfo;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.UUID;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.ws.rs.core.Response;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.config.Ini;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.terracotta.management.resource.exceptions.ExceptionUtils;

/* loaded from: input_file:ehcache/ehcache-ee-2.7.1.jar/rest-management-private-classpath/com/terracotta/management/security/impl/JerseyIdentityAssertionServiceClient.class_terracotta */
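/**
 * Jersey (JAX-RS 1.x) client for the Terracotta identity assertion (IA) service.
 * <p>
 * Each call sends the caller's request ticket, identity token and alias, plus a fresh
 * client nonce, to the configured security service location. Unless the credentials
 * report client-certificate authentication, the {@code 200} response must carry a
 * signature header holding an HMAC (keyed with the keychain secret stored under the
 * request alias) over those same values and the returned user details; a missing or
 * mismatching HMAC is rejected as a forgery.
 * <p>
 * TLS hostname verification can be switched off with
 * {@code -Dtc.ssl.disableHostnameVerifier=true}; doing so is logged at WARN because it
 * lets any certificate trusted by the configured trust store impersonate the IA service.
 */
public class JerseyIdentityAssertionServiceClient implements IdentityAssertionServiceClient {
    private static final Logger LOG = LoggerFactory.getLogger(JerseyIdentityAssertionServiceClient.class);
    /** Connect timeout (ms) used when the directory supplies no security-service timeout. */
    private static final int CONN_TIMEOUT = 5000;
    /** Read timeout (ms) used when the directory supplies no security-service timeout. */
    private static final int READ_TIMEOUT = 10000;
    /** System property that, when {@code true}, disables TLS hostname verification for IA calls. */
    private static final String DISABLE_HOSTNAME_VERIFIER_PROPERTY = "tc.ssl.disableHostnameVerifier";

    private final Client client;
    private final KeyChainAccessor keyChainAccessor;
    private final SecurityServiceDirectory securityServiceDirectory;

    /**
     * Builds the Jersey client used for all IA calls.
     *
     * @param keyChainAccessor          source of the per-alias HMAC secret used to verify responses
     * @param sSLContextFactory         supplies the SSLContext for HTTPS; {@code null} leaves Jersey's
     *                                  default (plain HTTP or JVM-default TLS) in place
     * @param securityServiceDirectory  provides the IA service location and an optional timeout (ms)
     *                                  applied to both connect and read
     * @throws RuntimeException if the SSLContext cannot be created from the configured key material
     */
    public JerseyIdentityAssertionServiceClient(KeyChainAccessor keyChainAccessor, SSLContextFactory sSLContextFactory, SecurityServiceDirectory securityServiceDirectory) {
        this.securityServiceDirectory = securityServiceDirectory;
        this.keyChainAccessor = keyChainAccessor;

        DefaultClientConfig config = new DefaultClientConfig();
        if (sSLContextFactory != null) {
            config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, buildHttpsProperties(sSLContextFactory));
        }
        config.getFeatures().put(JSONConfiguration.FEATURE_POJO_MAPPING, Boolean.TRUE);

        // A single configured timeout overrides both defaults; otherwise connect and read differ.
        Integer configuredTimeout = securityServiceDirectory.getSecurityServiceTimeout();
        int connectTimeout = configuredTimeout == null ? CONN_TIMEOUT : configuredTimeout.intValue();
        int readTimeout = configuredTimeout == null ? READ_TIMEOUT : configuredTimeout.intValue();
        config.getProperties().put(ClientConfig.PROPERTY_CONNECT_TIMEOUT, Integer.valueOf(connectTimeout));
        config.getProperties().put(ClientConfig.PROPERTY_READ_TIMEOUT, Integer.valueOf(readTimeout));

        this.client = Client.create(config);
    }

    /**
     * Creates the HTTPS settings (hostname verifier + SSLContext) for the Jersey client.
     * Hostname verification is the JVM default unless explicitly disabled by system property,
     * in which case every hostname is accepted and a warning is logged.
     *
     * @throws RuntimeException wrapping any key-store / TLS setup failure from the factory
     */
    private static HTTPSProperties buildHttpsProperties(SSLContextFactory sslContextFactory) {
        HostnameVerifier hostnameVerifier;
        if (Boolean.getBoolean(DISABLE_HOSTNAME_VERIFIER_PROPERTY)) {
            // Accept-all verifier: TLS still encrypts, but no longer proves who the peer is.
            LOG.warn("TLS hostname verification for the identity assertion service is DISABLED via -D{}=true; "
                    + "any certificate trusted by the configured trust store will be accepted for any host.",
                    DISABLE_HOSTNAME_VERIFIER_PROPERTY);
            hostnameVerifier = new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    return true;
                }
            };
        } else {
            hostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
        }
        try {
            return new HTTPSProperties(hostnameVerifier, sslContextFactory.create());
        } catch (IOException e) {
            throw new RuntimeException("Failure instantiating JerseyIdentityAssertionServiceClient due to inability to load keyStore.", e);
        } catch (URISyntaxException e) {
            throw new RuntimeException("Failure instantiating JerseyIdentityAssertionServiceClient due to bad store location.", e);
        } catch (KeyManagementException e) {
            throw new RuntimeException("Failure instantiating JerseyIdentityAssertionServiceClient due to one or more invalid keys in a KeyStore.", e);
        } catch (KeyStoreException e) {
            throw new RuntimeException("Failure instantiating JerseyIdentityAssertionServiceClient due to invalid KeyStore type.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Failure instantiating JerseyIdentityAssertionServiceClient due to invalid KeyManagerFactory algorithm.", e);
        } catch (UnrecoverableKeyException e) {
            throw new RuntimeException("Failure instantiating JerseyIdentityAssertionServiceClient due to bad key in a KeyStore.", e);
        } catch (CertificateException e) {
            throw new RuntimeException("Failure instantiating JerseyIdentityAssertionServiceClient due to invalid certificates in a KeyStore.", e);
        }
    }

    /**
     * Asks the IA service for the user details behind the given credentials.
     * <p>
     * On HTTP 200 the body is unmarshalled as {@link MaskedUserInfo}; unless client-certificate
     * authentication is in use, the response's signature header is then verified (constant-time)
     * against an HMAC recomputed locally with the keychain secret for the request alias.
     *
     * @param iACredentials ticket, token, alias and authentication mode to present to the service
     * @return the user details asserted by the service
     * @throws InvalidIAInteractionException if no service location is configured, the transport
     *         fails, the service answers with a non-200 status, the keychain has no secret for the
     *         alias, or the signature is missing, malformed or does not verify
     */
    @Override // com.terracotta.management.security.IdentityAssertionServiceClient
    public UserInfo retreiveUserDetail(IACredentials iACredentials) throws InvalidIAInteractionException {
        // A fresh nonce binds the service's signature to this exchange (replay protection). It is
        // neither sent nor expected in the HMAC when the channel authenticates via client certificate.
        String clientNonce = iACredentials.isUsingClientCertAuth() ? null : UUID.randomUUID().toString();
        String requestTicket = iACredentials.getRequestTicket();
        String identityToken = iACredentials.getIdentityToken();
        String requestAlias = iACredentials.getRequestAlias();

        // NOTE(review): the request ticket and identity token are echoed into exception messages
        // below and will likely reach logs; confirm neither is sensitive before shipping logs off-host.
        URI serviceLocation = this.securityServiceDirectory.getSecurityServiceLocation();
        if (serviceLocation == null) {
            throw new InvalidIAInteractionException(String.format("No security service location was specified, request ticket '%s', token id '%s'.", requestTicket, identityToken));
        }

        try {
            ClientResponse response = this.client.resource(serviceLocation)
                    .header(IACredentials.REQ_TICKET, requestTicket)
                    .header(IACredentials.TC_ID_TOKEN, identityToken)
                    .header(IACredentials.ALIAS, requestAlias)
                    .header(IACredentials.CLIENT_NONCE, clientNonce)
                    .get(ClientResponse.class);
            try {
                if (response.getStatus() == Response.Status.OK.getStatusCode()) {
                    UserInfo userInfo = (UserInfo) response.getEntity(MaskedUserInfo.class);
                    if (!iACredentials.isUsingClientCertAuth()) {
                        verifySignature(response, requestTicket, identityToken, requestAlias, clientNonce, userInfo);
                    }
                    return userInfo;
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Failed to execute IA service request. " + readResponseBody(response));
                }
                throw new InvalidIAInteractionException("Request to identity assertion service failed: IA service failed with HTTP error " + response.getStatus());
            } finally {
                // Release the underlying connection even on the error path, where the body may
                // never have been consumed.
                response.close();
            }
        } catch (ClientHandlerException e) {
            throw new InvalidIAInteractionException("Communication with IA server failed: " + ExceptionUtils.getRootCause(e).getMessage(), e);
        }
    }

    /**
     * Verifies the HMAC the IA service returned in its signature header.
     * <p>
     * The expected value is an HMAC, keyed with the keychain secret for {@code requestAlias}, over
     * the ticket, token, alias, nonce and the returned user details. The comparison uses
     * {@link MessageDigest#isEqual} rather than {@code Arrays.equals} so that a mismatch does not
     * short-circuit on the first differing byte and leak how much of a forged MAC was correct.
     *
     * @throws InvalidIAInteractionException if the header is absent or undecodable, the keychain
     *         has no secret for the alias, or the MAC does not verify
     * @throws RuntimeException on programming errors (bad alias URI, HMAC construction failure)
     */
    private void verifySignature(ClientResponse response, String requestTicket, String identityToken,
                                 String requestAlias, String clientNonce, UserInfo userInfo) throws InvalidIAInteractionException {
        String encodedSignature = response.getHeaders().getFirst(IACredentials.SIGNATURE);
        if (encodedSignature == null) {
            // An unsigned 200 is rejected like a bad signature instead of failing with an NPE
            // inside the Base64 decoder.
            throw new InvalidIAInteractionException(String.format("Missing signature from identity assertion service for request ticket '%s', token id '%s'.", requestTicket, identityToken));
        }
        byte[] presented;
        try {
            presented = Base64.decode(encodedSignature);
        } catch (IllegalArgumentException e) {
            // Garbage in the header is attacker-controlled input, not a bug: report it as an IA failure.
            throw new InvalidIAInteractionException(String.format("Malformed signature from identity assertion service for request ticket '%s', token id '%s'.", requestTicket, identityToken), e);
        }

        try {
            byte[] secret = this.keyChainAccessor.retrieveSecret(new URIKeyName(requestAlias));
            if (secret == null) {
                throw new InvalidIAInteractionException("Missing keychain entry for URL [" + requestAlias + "]");
            }
            byte[] expected = HMACBuilder.getInstance(secret)
                    .addMessageComponent(requestTicket)
                    .addMessageComponent(identityToken)
                    .addMessageComponent(requestAlias)
                    .addMessageComponent(clientNonce)
                    .addUserDetail(userInfo)
                    .build();
            if (presented == null || !MessageDigest.isEqual(presented, expected)) {
                throw new InvalidIAInteractionException(String.format("Forgery detected from identity assertion service for request ticket '%s', token id '%s'.", requestTicket, identityToken));
            }
        } catch (URISyntaxException e) {
            throw new RuntimeException("BUG Alert! Unable to determine uri alias for obtaining the key material to sign the hash.", e);
        } catch (InvalidKeyException e) {
            throw new RuntimeException("BUG Alert! Failed to create signed hash.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("BUG Alert! Failed to create signed hash.", e);
        }
    }

    /**
     * Reads the (non-200) response body for debug logging.
     * <p>
     * A read error ends the read instead of being retried: the original loop caught the
     * {@link IOException} inside {@code while (true)} and would spin forever on a stream that
     * keeps failing.
     *
     * @return a header line followed by the body, one line per line, separated by the platform newline
     */
    private static String readResponseBody(ClientResponse response) {
        String newline = System.getProperty("line.separator");
        StringBuilder body = new StringBuilder();
        body.append(newline).append("HTTP(S) response was:").append(newline);
        BufferedReader reader = new BufferedReader(
                new InputStreamReader(response.getEntityInputStream(), Charset.forName("UTF-8")));
        try {
            String line;
            while ((line = reader.readLine()) != null) {
                body.append(line).append(newline);
            }
        } catch (IOException e) {
            LOG.debug("Unable to read response", e);
        } finally {
            try {
                reader.close();
            } catch (IOException ignored) {
                // Best effort only; the caller closes the ClientResponse itself.
            }
        }
        return body.toString();
    }
}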
