package org.apereo.cas.web.config;

import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.util.cipher.CipherExecutorUtils;
import org.apereo.cas.util.cipher.TicketGrantingCookieCipherExecutor;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.web.cookie.CasCookieBuilder;
import org.apereo.cas.web.cookie.CookieValueManager;
import org.apereo.cas.web.support.CookieUtils;
import org.apereo.cas.web.support.gen.TicketGrantingCookieRetrievingCookieGenerator;
import org.apereo.cas.web.support.gen.WarningCookieRetrievingCookieGenerator;
import org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager;
import org.apereo.cas.web.support.mgmr.NoOpCookieValueManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Spring configuration that registers the CAS cookie beans: the warning cookie
 * generator, the ticket-granting cookie (TGC) generator, and the value manager
 * and cipher executor used for the TGC value.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #cookieCipherExecutor()} returns a real cipher when
 *       {@code crypto.isEnabled()} is true <em>or</em> when both an encryption
 *       key and a signing key are configured; otherwise it returns
 *       {@code CipherExecutor.noOp()} and logs a warning.</li>
 *   <li>{@link #cookieValueManager()} looks at {@code crypto.isEnabled()} only
 *       and does not apply the "both keys configured" fallback.</li>
 * </ul>
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("casCookieConfiguration")
public class CasCookieConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CasCookieConfiguration.class);

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Creates the generator for the CAS warning cookie.
     *
     * @return a generator built from the warning-cookie settings in {@code casProperties}
     */
    @RefreshScope
    @Bean
    public CasCookieBuilder warnCookieGenerator() {
        final var warnCookieContext = CookieUtils.buildCookieGenerationContext(this.casProperties.getWarningCookie());
        return new WarningCookieRetrievingCookieGenerator(warnCookieContext);
    }

    /**
     * Chooses the manager that processes the ticket-granting cookie value.
     *
     * <p>NOTE(review): the decision here depends on {@code crypto.isEnabled()} alone.
     * {@link #cookieCipherExecutor()} additionally switches itself on when both keys
     * are configured and logs that cookie encryption/signing will be enabled, but in
     * that situation this method still returns {@code NoOpCookieValueManager.INSTANCE},
     * so the cipher is never handed to a value manager from here. Presumably the no-op
     * manager leaves the cookie value unprotected; confirm against its implementation
     * and set the enabled flag explicitly in deployments that expect a protected TGC.
     *
     * <p>NOTE(review): unlike the other beans in this class, this one carries no
     * {@code @RefreshScope}; whether a configuration refresh re-evaluates the enabled
     * flag for this bean should be verified.
     *
     * @return a {@code DefaultCasCookieValueManager} backed by the cookie cipher when
     *         crypto is enabled, otherwise the shared no-op manager
     */
    @ConditionalOnMissingBean(name = {"cookieValueManager"})
    @Bean
    public CookieValueManager cookieValueManager() {
        if (this.casProperties.getTgc().getCrypto().isEnabled()) {
            return new DefaultCasCookieValueManager(cookieCipherExecutor(), this.casProperties.getTgc());
        }
        return NoOpCookieValueManager.INSTANCE;
    }

    /**
     * Builds the cipher executor for the ticket-granting cookie.
     *
     * <p>The real cipher is returned when crypto is enabled in the configuration, or
     * when it is not enabled but both the encryption key and the signing key are
     * non-blank (a warning is logged in that case). A configuration that defines only
     * one of the two keys does not trigger the fallback and ends up with the no-op
     * executor.
     *
     * @return a {@code TicketGrantingCookieCipherExecutor}-based executor, or
     *         {@code CipherExecutor.noOp()} when neither condition holds
     */
    @ConditionalOnMissingBean(name = {"cookieCipherExecutor"})
    @RefreshScope
    @Bean
    public CipherExecutor cookieCipherExecutor() {
        final EncryptionJwtSigningJwtCryptographyProperties tgcCrypto = this.casProperties.getTgc().getCrypto();

        if (tgcCrypto.isEnabled()) {
            return CipherExecutorUtils.newStringCipherExecutor(tgcCrypto, TicketGrantingCookieCipherExecutor.class);
        }

        // Keys are only inspected when the flag is off, as a fallback for
        // configurations that define both keys without enabling crypto.
        final boolean bothKeysConfigured = StringUtils.isNotBlank(tgcCrypto.getEncryption().getKey())
            && StringUtils.isNotBlank(tgcCrypto.getSigning().getKey());
        if (bothKeysConfigured) {
            LOGGER.warn("Token encryption/signing is not enabled explicitly in the configuration, yet signing/encryption keys are defined for operations. CAS will proceed to enable the cookie encryption/signing functionality.");
            return CipherExecutorUtils.newStringCipherExecutor(tgcCrypto, TicketGrantingCookieCipherExecutor.class);
        }

        // No protection for the TGC value from this executor; operators should treat
        // this warning as a deployment finding outside of test environments.
        LOGGER.warn("Ticket-granting cookie encryption/signing is turned off. This MAY NOT be safe in a production environment. Consider using other choices to handle encryption, signing and verification of ticket-granting cookies.");
        return CipherExecutor.noOp();
    }

    /**
     * Creates the generator for the ticket-granting cookie.
     *
     * @return a generator built from the TGC settings in {@code casProperties} and the
     *         value manager returned by {@link #cookieValueManager()}
     */
    @ConditionalOnMissingBean(name = {"ticketGrantingTicketCookieGenerator"})
    @RefreshScope
    @Bean
    public CasCookieBuilder ticketGrantingTicketCookieGenerator() {
        final var tgcContext = CookieUtils.buildCookieGenerationContext(this.casProperties.getTgc());
        return new TicketGrantingCookieRetrievingCookieGenerator(tgcContext, cookieValueManager());
    }
}
