package org.apereo.cas.config;

import java.security.PublicKey;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.handler.ByCredentialTypeAuthenticationHandlerResolver;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.mfa.AccepttoMultifactorProperties;
import org.apereo.cas.integration.pac4j.DistributedJ2ESessionStore;
import org.apereo.cas.mfa.accepto.AccepttoEmailCredential;
import org.apereo.cas.mfa.accepto.web.flow.AccepttoMultifactorAuthenticationWebflowEventResolver;
import org.apereo.cas.mfa.accepto.web.flow.AccepttoMultifactorDetermineUserAccountStatusAction;
import org.apereo.cas.mfa.accepto.web.flow.AccepttoMultifactorFetchChannelAction;
import org.apereo.cas.mfa.accepto.web.flow.AccepttoMultifactorFinalizeAuthenticationWebflowAction;
import org.apereo.cas.mfa.accepto.web.flow.AccepttoMultifactorValidateChannelAction;
import org.apereo.cas.mfa.accepto.web.flow.AccepttoMultifactorValidateUserDeviceRegistrationAction;
import org.apereo.cas.mfa.accepto.web.flow.AccepttoMultifactorWebflowConfigurer;
import org.apereo.cas.mfa.accepto.web.flow.qr.AccepttoQRCodeAuthenticationHandler;
import org.apereo.cas.mfa.accepto.web.flow.qr.AccepttoQRCodeValidateWebSocketChannelAction;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.crypto.PublicKeyFactoryBean;
import org.apereo.cas.web.cookie.CasCookieBuilder;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlan;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.session.SessionStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.BeanCreationException;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.core.io.Resource;
import org.springframework.retry.annotation.EnableRetry;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.webflow.config.FlowDefinitionRegistryBuilder;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.execution.Action;

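/**
 * Spring configuration that wires the Acceptto multifactor authentication integration into CAS.
 *
 * <p>It contributes the Acceptto webflow registry and configurer, the webflow actions, the
 * registration API public key, and the QR-code authentication handler together with its
 * metadata populator and authentication execution-plan registration.
 *
 * <p>Most beans are {@link ConditionalOnMissingBean}, so a deployment can replace any of them by
 * defining a bean with the same name. Beans marked {@link RefreshScope} are rebuilt after a
 * configuration refresh.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@EnableScheduling
@Configuration("accepttoMultifactorAuthenticationConfiguration")
@EnableRetry
public class AccepttoMultifactorAuthenticationConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AccepttoMultifactorAuthenticationConfiguration.class);

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private ObjectProvider<AuthenticationSystemSupport> authenticationSystemSupport;

    @Autowired
    @Qualifier("defaultTicketRegistrySupport")
    private ObjectProvider<TicketRegistrySupport> ticketRegistrySupport;

    @Autowired
    @Qualifier("warnCookieGenerator")
    private ObjectProvider<CasCookieBuilder> warnCookieGenerator;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private ObjectProvider<CentralAuthenticationService> centralAuthenticationService;

    @Autowired
    @Qualifier("loginFlowRegistry")
    private ObjectProvider<FlowDefinitionRegistry> loginFlowDefinitionRegistry;

    @Autowired
    @Qualifier("ticketRegistry")
    private ObjectProvider<TicketRegistry> ticketRegistry;

    @Autowired
    @Qualifier("authenticationServiceSelectionPlan")
    private ObjectProvider<AuthenticationServiceSelectionPlan> authenticationRequestServiceSelectionStrategies;

    @Autowired
    @Qualifier("registeredServiceAccessStrategyEnforcer")
    private ObjectProvider<AuditableExecution> registeredServiceAccessStrategyEnforcer;

    @Autowired
    private ApplicationEventPublisher applicationEventPublisher;

    @Autowired
    private FlowBuilderServices flowBuilderServices;

    @Autowired
    @Qualifier("defaultTicketFactory")
    private ObjectProvider<TicketFactory> ticketFactory;

    @Autowired
    @Qualifier("defaultPrincipalResolver")
    private ObjectProvider<PrincipalResolver> defaultPrincipalResolver;

    @Autowired
    @Qualifier("casAccepttoMultifactorAuthenticationProvider")
    private ObjectProvider<MultifactorAuthenticationProvider> casAccepttoMultifactorAuthenticationProvider;

    /**
     * Builds the flow registry for the Acceptto flows.
     *
     * @return a registry of the flow definitions matching {@code /mfa-acceptto/*-webflow.xml}
     *     under {@code classpath*:/webflow}
     */
    @Bean
    public FlowDefinitionRegistry mfaAccepttoAuthenticatorFlowRegistry() {
        FlowDefinitionRegistryBuilder registryBuilder =
            new FlowDefinitionRegistryBuilder(applicationContext, flowBuilderServices);
        registryBuilder.setBasePath("classpath*:/webflow");
        registryBuilder.addFlowLocationPattern("/mfa-acceptto/*-webflow.xml");
        return registryBuilder.build();
    }

    /**
     * Creates the webflow configurer that ties the Acceptto flow registry to the login flow.
     *
     * @return the Acceptto webflow configurer
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoMultifactorWebflowConfigurer"})
    @DependsOn({"defaultWebflowConfigurer"})
    @Bean
    public CasWebflowConfigurer mfaAccepttoMultifactorWebflowConfigurer() {
        return new AccepttoMultifactorWebflowConfigurer(
            flowBuilderServices,
            loginFlowDefinitionRegistry.getIfAvailable(),
            mfaAccepttoAuthenticatorFlowRegistry(),
            applicationContext,
            casProperties);
    }

    /**
     * Registers the Acceptto webflow configurer with the CAS webflow execution plan.
     *
     * @return the execution-plan configurer
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoCasWebflowExecutionPlanConfigurer"})
    @Bean
    public CasWebflowExecutionPlanConfigurer mfaAccepttoCasWebflowExecutionPlanConfigurer() {
        return new CasWebflowExecutionPlanConfigurer() {
            @Override
            public void configureWebflowExecutionPlan(CasWebflowExecutionPlan casWebflowExecutionPlan) {
                casWebflowExecutionPlan.registerWebflowConfigurer(
                    AccepttoMultifactorAuthenticationConfiguration.this.mfaAccepttoMultifactorWebflowConfigurer());
            }
        };
    }

    /**
     * Creates the session store shared by the Acceptto webflow actions.
     *
     * <p>The store is built from the ticket registry and the ticket factory; either may be
     * {@code null} here if the corresponding bean is absent.
     *
     * @return the session store backed by the ticket registry
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoDistributedSessionStore"})
    @Bean
    public SessionStore<JEEContext> mfaAccepttoDistributedSessionStore() {
        return new DistributedJ2ESessionStore(ticketRegistry.getIfAvailable(), ticketFactory.getIfAvailable());
    }

    /**
     * Creates the action that fetches the Acceptto channel.
     *
     * @return the fetch-channel action, given the session store and the registration API public key
     * @throws Exception if the registration API public key cannot be loaded
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoMultifactorFetchChannelAction"})
    @RefreshScope
    @Bean
    public Action mfaAccepttoMultifactorFetchChannelAction() throws Exception {
        return new AccepttoMultifactorFetchChannelAction(
            casProperties, mfaAccepttoDistributedSessionStore(), mfaAccepttoApiPublicKey());
    }

    /**
     * Creates the action that validates the Acceptto channel.
     *
     * @return the validate-channel action
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoMultifactorValidateChannelAction"})
    @RefreshScope
    @Bean
    public Action mfaAccepttoMultifactorValidateChannelAction() {
        return new AccepttoMultifactorValidateChannelAction(
            mfaAccepttoDistributedSessionStore(), authenticationSystemSupport.getIfAvailable());
    }

    /**
     * Creates the action that validates the QR-code web socket channel.
     *
     * @return the QR-code channel validation action
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoQRCodeValidateWebSocketChannelAction"})
    @Bean
    public Action mfaAccepttoQRCodeValidateWebSocketChannelAction() {
        return new AccepttoQRCodeValidateWebSocketChannelAction(casProperties, mfaAccepttoDistributedSessionStore());
    }

    /**
     * Creates the action that determines the user's account status.
     *
     * @return the account-status action, given the registration API public key
     * @throws Exception if the registration API public key cannot be loaded
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoMultifactorDetermineUserAccountStatusAction"})
    @RefreshScope
    @Bean
    public Action mfaAccepttoMultifactorDetermineUserAccountStatusAction() throws Exception {
        return new AccepttoMultifactorDetermineUserAccountStatusAction(casProperties, mfaAccepttoApiPublicKey());
    }

    /**
     * Loads the Acceptto registration API public key from the configured resource.
     *
     * <p>Bean creation fails when no key location is configured, and also when the factory yields
     * no key, so the fetch-channel and account-status actions are never built around a
     * {@code null} key.
     *
     * <p>NOTE(review): this key is presumably the trust anchor for registration API responses —
     * confirm in the consuming actions. If so, the configured resource should be writable by
     * administrators only.
     *
     * @return the RSA public key read from the configured location
     * @throws Exception if the key resource cannot be read or parsed
     */
    @RefreshScope
    @Bean
    public PublicKey mfaAccepttoApiPublicKey() throws Exception {
        Resource location = casProperties.getAuthn().getMfa().getAcceptto().getRegistrationApiPublicKey().getLocation();
        if (location == null) {
            throw new BeanCreationException("No registration API public key is defined for the Acceptto integration.");
        }
        PublicKeyFactoryBean publicKeyFactoryBean = new PublicKeyFactoryBean();
        LOGGER.debug("Locating Acceptto registration API public key from [{}]", location);
        publicKeyFactoryBean.setResource(location);
        // Non-singleton: getObject() builds the key on this call rather than returning a cached instance.
        publicKeyFactoryBean.setSingleton(false);
        // The key type is fixed to RSA; it is not taken from configuration.
        publicKeyFactoryBean.setAlgorithm("RSA");
        PublicKey publicKey = (PublicKey) publicKeyFactoryBean.getObject();
        if (publicKey == null) {
            // Fail closed at startup/refresh instead of handing a null key to the webflow actions.
            throw new BeanCreationException(
                "Unable to load the registration API public key for the Acceptto integration from [" + location + "]");
        }
        return publicKey;
    }

    /**
     * Creates the action that validates the user's device registration.
     *
     * @return the device-registration validation action
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoMultifactorValidateUserDeviceRegistrationAction"})
    @RefreshScope
    @Bean
    public Action mfaAccepttoMultifactorValidateUserDeviceRegistrationAction() {
        return new AccepttoMultifactorValidateUserDeviceRegistrationAction(
            casProperties, authenticationSystemSupport.getIfAvailable());
    }

    /**
     * Creates the webflow event resolver for the Acceptto flow.
     *
     * <p>Every collaborator obtained through {@code getIfAvailable()} is passed to the context
     * builder as-is and may therefore be {@code null} when the corresponding bean is absent.
     *
     * @return the Acceptto webflow event resolver
     */
    @RefreshScope
    @Bean
    public CasWebflowEventResolver mfaAccepttoMultifactorAuthenticationWebflowEventResolver() {
        return new AccepttoMultifactorAuthenticationWebflowEventResolver(
            CasWebflowEventResolutionConfigurationContext.builder()
                .authenticationSystemSupport(authenticationSystemSupport.getIfAvailable())
                .centralAuthenticationService(centralAuthenticationService.getIfAvailable())
                .servicesManager(servicesManager.getIfAvailable())
                .ticketRegistrySupport(ticketRegistrySupport.getIfAvailable())
                .warnCookieGenerator(warnCookieGenerator.getIfAvailable())
                .authenticationRequestServiceSelectionStrategies(authenticationRequestServiceSelectionStrategies.getIfAvailable())
                .registeredServiceAccessStrategyEnforcer(registeredServiceAccessStrategyEnforcer.getIfAvailable())
                .casProperties(casProperties)
                .ticketRegistry(ticketRegistry.getIfAvailable())
                .eventPublisher(applicationEventPublisher)
                .applicationContext(applicationContext)
                .build());
    }

    /**
     * Creates the action that finalizes authentication in the Acceptto flow.
     *
     * @return the finalize-authentication action, backed by the Acceptto event resolver
     */
    @ConditionalOnMissingBean(name = {"mfaAccepttoMultifactorFinalizeAuthenticationWebflowAction"})
    @Bean
    public Action mfaAccepttoMultifactorFinalizeAuthenticationWebflowAction() {
        return new AccepttoMultifactorFinalizeAuthenticationWebflowAction(
            mfaAccepttoMultifactorAuthenticationWebflowEventResolver());
    }

    /**
     * Creates the principal factory used by the QR-code authentication handler.
     *
     * @return a new principal factory
     */
    @ConditionalOnMissingBean(name = {"casAccepttoQRCodePrincipalFactory"})
    @Bean
    public PrincipalFactory casAccepttoQRCodePrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    /**
     * Creates the QR-code authentication handler.
     *
     * <p>Bean creation is refused unless the API URL, application id and secret are all
     * non-blank. The failure message names the missing settings without echoing their values,
     * so the secret does not end up in startup logs.
     *
     * @return the QR-code authentication handler
     */
    @ConditionalOnMissingBean(name = {"casAccepttoQRCodeAuthenticationHandler"})
    @RefreshScope
    @Bean
    public AuthenticationHandler casAccepttoQRCodeAuthenticationHandler() {
        AccepttoMultifactorProperties acceptto = casProperties.getAuthn().getMfa().getAcceptto();
        boolean incomplete = StringUtils.isBlank(acceptto.getApiUrl())
            || StringUtils.isBlank(acceptto.getApplicationId())
            || StringUtils.isBlank(acceptto.getSecret());
        if (incomplete) {
            throw new BeanCreationException("No API url, application id or secret is defined for the Acceptto integration. Examine your CAS configuration and adjust for correct values.");
        }
        return new AccepttoQRCodeAuthenticationHandler(servicesManager.getIfAvailable(), casAccepttoQRCodePrincipalFactory());
    }

    /**
     * Creates the metadata populator for the QR-code handler.
     *
     * <p>It is built from the configured authentication context attribute, the QR-code handler
     * and the id of the Acceptto multifactor provider. The provider is fetched with
     * {@code getObject()}, so a missing provider bean fails here rather than yielding
     * {@code null}.
     *
     * @return the authentication metadata populator
     */
    @RefreshScope
    @Bean
    public AuthenticationMetaDataPopulator casAccepttoQRCodeAuthenticationMetaDataPopulator() {
        return new AuthenticationContextAttributeMetaDataPopulator(
            casProperties.getAuthn().getMfa().getAuthenticationContextAttribute(),
            casAccepttoQRCodeAuthenticationHandler(),
            casAccepttoMultifactorAuthenticationProvider.getObject().getId());
    }

    /**
     * Registers the QR-code handler, its metadata populator and a credential-type handler
     * resolver with the authentication execution plan.
     *
     * <p>NOTE(review): the principal resolver comes from {@code getIfAvailable()} and is passed
     * on unchecked; confirm the plan accepts a {@code null} resolver.
     *
     * @return the execution-plan configurer
     */
    @ConditionalOnMissingBean(name = {"casAccepttoAuthenticationQRCodeEventExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer casAccepttoAuthenticationQRCodeEventExecutionPlanConfigurer() {
        return authenticationEventExecutionPlan -> {
            authenticationEventExecutionPlan.registerAuthenticationHandlerWithPrincipalResolver(
                casAccepttoQRCodeAuthenticationHandler(), defaultPrincipalResolver.getIfAvailable());
            authenticationEventExecutionPlan.registerAuthenticationMetadataPopulator(
                casAccepttoQRCodeAuthenticationMetaDataPopulator());
            // Resolver keyed on AccepttoEmailCredential; presumably limits handler selection to that credential type.
            authenticationEventExecutionPlan.registerAuthenticationHandlerResolver(
                new ByCredentialTypeAuthenticationHandlerResolver(new Class[]{AccepttoEmailCredential.class}));
        };
    }
}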
