package org.apereo.cas.config;

import com.duosecurity.Client;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.net.URI;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.adaptors.duo.DuoSecurityHealthIndicator;
import org.apereo.cas.adaptors.duo.authn.DefaultDuoSecurityMultifactorAuthenticationProvider;
import org.apereo.cas.adaptors.duo.authn.DuoSecurityAuthenticationHandler;
import org.apereo.cas.adaptors.duo.authn.DuoSecurityAuthenticationService;
import org.apereo.cas.adaptors.duo.authn.DuoSecurityDirectCredential;
import org.apereo.cas.adaptors.duo.authn.DuoSecurityMultifactorAuthenticationProvider;
import org.apereo.cas.adaptors.duo.authn.UniversalPromptDuoSecurityAuthenticationService;
import org.apereo.cas.adaptors.duo.web.DuoSecurityAdminApiEndpoint;
import org.apereo.cas.adaptors.duo.web.DuoSecurityPingEndpoint;
import org.apereo.cas.adaptors.duo.web.DuoSecurityUserAccountStatusEndpoint;
import org.apereo.cas.adaptors.duo.web.flow.DuoSecurityMultifactorWebflowConfigurer;
import org.apereo.cas.adaptors.duo.web.flow.action.DuoSecurityDetermineUserAccountAction;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.MultifactorAuthenticationFailureModeEvaluator;
import org.apereo.cas.authentication.MultifactorAuthenticationHandler;
import org.apereo.cas.authentication.MultifactorAuthenticationPrincipalResolver;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.MultifactorAuthenticationUtils;
import org.apereo.cas.authentication.bypass.ChainingMultifactorAuthenticationProviderBypassEvaluator;
import org.apereo.cas.authentication.bypass.MultifactorAuthenticationProviderBypassEvaluator;
import org.apereo.cas.authentication.handler.ByCredentialTypeAuthenticationHandlerResolver;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.metadata.BaseAuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.metadata.MultifactorAuthenticationProviderMetadataPopulator;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.support.mfa.duo.DuoSecurityMultifactorAuthenticationProperties;
import org.apereo.cas.services.CasRegisteredService;
import org.apereo.cas.services.ImmutableInMemoryServiceRegistry;
import org.apereo.cas.services.ServiceRegistryExecutionPlanConfigurer;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.http.HttpClient;
import org.apereo.cas.util.spring.ApplicationContextProvider;
import org.apereo.cas.util.spring.DirectObjectProvider;
import org.apereo.cas.util.spring.SpringExpressionLanguageValueResolver;
import org.apereo.cas.util.spring.beans.BeanContainer;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.apereo.cas.web.flow.actions.ConsumerExecutionAction;
import org.apereo.cas.web.flow.actions.WebflowActionBeanSupplier;
import org.apereo.cas.web.flow.configurer.AbstractCasWebflowConfigurer;
import org.apereo.cas.web.flow.configurer.CasMultifactorWebflowCustomizer;
import org.apereo.cas.web.flow.util.MultifactorAuthenticationWebflowUtils;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnAvailableEndpoint;
import org.springframework.boot.actuate.autoconfigure.health.ConditionalOnEnabledHealthIndicator;
import org.springframework.boot.actuate.health.HealthIndicator;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.TransitionableState;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.execution.Action;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@AutoConfiguration
@ConditionalOnFeatureEnabled(feature = {CasFeatureModule.FeatureCatalog.MultifactorAuthentication}, module = "duo")
/* loaded from: input_file:org/apereo/cas/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration.class */
public class DuoSecurityAuthenticationEventExecutionPlanConfiguration {
    private static final int WEBFLOW_CONFIGURER_ORDER = 0;

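    /**
     * Wires the Duo Security authentication handlers into the CAS authentication execution plan.
     *
     * <p>Every bean here is guarded by {@code DuoSecurityAuthenticationService.CONDITION}, evaluated
     * against the application environment. When the condition does not hold, the handler container
     * is empty and the plan configurer is whatever {@code otherwiseProxy()} yields.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "DuoSecurityAuthenticationEventExecutionConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration$DuoSecurityAuthenticationEventExecutionConfiguration.class */
    public static class DuoSecurityAuthenticationEventExecutionConfiguration {

        /**
         * Builds the metadata populators that accompany a single Duo authentication handler.
         *
         * <p>Two populators are created, both keyed on the configured authentication-context
         * attribute: one bound to the handler and its provider id, one bound to the handler's
         * provider and the {@link ServicesManager} bean.
         *
         * @param configurableApplicationContext context used for the condition check and to look up the services manager
         * @param multifactorAuthenticationHandler the Duo handler the populators are tied to
         * @param casConfigurationProperties CAS settings supplying the authentication-context attribute
         * @return the populators, or an empty container when the Duo condition is not met
         */
        private static BeanContainer<AuthenticationMetaDataPopulator> duoAuthenticationMetaDataPopulator(ConfigurableApplicationContext configurableApplicationContext, MultifactorAuthenticationHandler multifactorAuthenticationHandler, CasConfigurationProperties casConfigurationProperties) {
            return (BeanContainer) BeanSupplier.of(BeanContainer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> BeanContainer.of(new BaseAuthenticationMetaDataPopulator[]{
                    new AuthenticationContextAttributeMetaDataPopulator(
                        casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(),
                        multifactorAuthenticationHandler,
                        ((MultifactorAuthenticationProvider) multifactorAuthenticationHandler.getMultifactorAuthenticationProvider().getObject()).getId()),
                    // NOTE(review): this resolves to getBean(Class, Object...), so the second argument is
                    // passed as a bean-creation argument rather than a required type - confirm this is intended.
                    new MultifactorAuthenticationProviderMetadataPopulator(
                        casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(),
                        multifactorAuthenticationHandler.getMultifactorAuthenticationProvider(),
                        (ServicesManager) configurableApplicationContext.getBean(ServicesManager.class, new Object[]{ServicesManager.class}))}))
                .otherwise(BeanContainer::empty)
                .get();
        }

        /**
         * Creates one {@link DuoSecurityAuthenticationHandler} per configured Duo entry.
         *
         * <p>The handler for an entry is bound to the multifactor provider registered under the same
         * id. A missing provider aborts bean creation with an exception instead of skipping the
         * entry, so a mismatched id cannot silently leave a Duo entry without a handler.
         *
         * @param configurableApplicationContext context used for the condition check and the provider lookup
         * @param list principal resolvers; sorted in place by their declared order before use
         * @param casConfigurationProperties CAS settings holding the Duo entries
         * @param principalFactory factory handed to every handler
         * @param servicesManager services manager handed to every handler
         * @return the handlers sorted by {@code getOrder()}, or an empty container when the Duo condition is not met
         * @throws IllegalArgumentException if no provider is registered for a configured Duo id
         */
        // The providers are registered into the application context by the
        // duoMultifactorAuthenticationProviders bean, hence the explicit dependency.
        @DependsOn({"duoMultifactorAuthenticationProviders"})
        @ConditionalOnMissingBean(name = {"duoAuthenticationHandlers"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public BeanContainer<MultifactorAuthenticationHandler> duoAuthenticationHandlers(ConfigurableApplicationContext configurableApplicationContext, List<MultifactorAuthenticationPrincipalResolver> list, CasConfigurationProperties casConfigurationProperties, @Qualifier("duoPrincipalFactory") PrincipalFactory principalFactory, @Qualifier("servicesManager") ServicesManager servicesManager) {
            return (BeanContainer) BeanSupplier.of(BeanContainer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> {
                    AnnotationAwareOrderComparator.sort(list);
                    return BeanContainer.of((List) casConfigurationProperties.getAuthn().getMfa().getDuo().stream().map(duo -> {
                        Optional<?> provider = MultifactorAuthenticationUtils.getMultifactorAuthenticationProviderById(duo.getId(), configurableApplicationContext);
                        // Narrow to the Duo provider type; the decompiled source referenced an
                        // undefined register name here instead of the class literal.
                        DuoSecurityMultifactorAuthenticationProvider duoProvider = provider
                            .map(DuoSecurityMultifactorAuthenticationProvider.class::cast)
                            .orElseThrow(() -> new IllegalArgumentException("Unable to locate multifactor authentication provider by id " + duo.getId()));
                        return new DuoSecurityAuthenticationHandler(duo.getName(), servicesManager, principalFactory, new DirectObjectProvider(duoProvider), Integer.valueOf(duo.getOrder()), list);
                    }).sorted(Comparator.comparing(handler -> handler.getOrder())).collect(Collectors.toList()));
                })
                .otherwise(BeanContainer::empty)
                .get();
        }

        /**
         * Registers every Duo handler, its metadata populators and the credential-type resolver
         * with the authentication execution plan.
         *
         * <p>The resolver is constructed for {@link DuoSecurityDirectCredential} only.
         *
         * @param configurableApplicationContext context used for the condition check and populator creation
         * @param casConfigurationProperties CAS settings forwarded to the populator factory
         * @param beanContainer the Duo handlers produced by {@code duoAuthenticationHandlers}
         * @return the plan configurer, or the {@code otherwiseProxy()} fallback when the Duo condition is not met
         */
        @ConditionalOnMissingBean(name = {"duoSecurityAuthenticationEventExecutionPlanConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationEventExecutionPlanConfigurer duoSecurityAuthenticationEventExecutionPlanConfigurer(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties, @Qualifier("duoAuthenticationHandlers") BeanContainer<MultifactorAuthenticationHandler> beanContainer) {
            return (AuthenticationEventExecutionPlanConfigurer) BeanSupplier.of(AuthenticationEventExecutionPlanConfigurer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> plan -> {
                    beanContainer.toList().forEach(handler -> {
                        plan.registerAuthenticationHandler(handler);
                        plan.registerAuthenticationMetadataPopulators(duoAuthenticationMetaDataPopulator(configurableApplicationContext, handler, casConfigurationProperties).toList());
                    });
                    plan.registerAuthenticationHandlerResolver(new ByCredentialTypeAuthenticationHandlerResolver(new Class[]{DuoSecurityDirectCredential.class}));
                })
                .otherwiseProxy()
                .get();
        }
    }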

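    /**
     * Creates the Duo Security multifactor providers and the Duo client each of them talks to.
     *
     * <p>Every bean here is guarded by {@code DuoSecurityAuthenticationService.CONDITION}, evaluated
     * against the application environment.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "DuoSecurityAuthenticationEventExecutionPlanCoreConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration$DuoSecurityAuthenticationEventExecutionPlanCoreConfiguration.class */
    public static class DuoSecurityAuthenticationEventExecutionPlanCoreConfiguration {

        @Generated
        private static final Logger LOGGER = LoggerFactory.getLogger(DuoSecurityAuthenticationEventExecutionPlanCoreConfiguration.class);
        // Sizing and lifetime of the per-service cache built in getDuoAuthenticationService.
        private static final int USER_ACCOUNT_CACHE_INITIAL_SIZE = 50;
        private static final long USER_ACCOUNT_CACHE_MAX_SIZE = 1000;
        private static final int USER_ACCOUNT_CACHE_EXPIRATION_SECONDS = 5;

        /**
         * Provides the principal factory used by the Duo authentication handlers.
         *
         * @param configurableApplicationContext context used for the condition check
         * @return a new principal factory, or the {@code otherwiseProxy()} fallback when the Duo condition is not met
         */
        @ConditionalOnMissingBean(name = {"duoPrincipalFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public PrincipalFactory duoPrincipalFactory(ConfigurableApplicationContext configurableApplicationContext) {
            return (PrincipalFactory) BeanSupplier.of(PrincipalFactory.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(PrincipalFactoryUtils::newPrincipalFactory)
                .otherwiseProxy()
                .get();
        }

        /**
         * Builds one multifactor provider per configured Duo entry and registers it, together with
         * its authentication service and bypass evaluator, as beans in the application context.
         *
         * <p>Bean names are derived from the provider id with the suffixes
         * {@code -duoAuthenticationService}, {@code -duoBypassEvaluator} and
         * {@code -duoSecurityMfaProvider}.
         *
         * @param configurableApplicationContext context used for the condition check and bean registration
         * @param casConfigurationProperties CAS settings holding the Duo entries
         * @param list principal resolvers; sorted in place by their declared order before use
         * @param httpClient HTTP client handed to each Duo authentication service
         * @param chainingMultifactorAuthenticationProviderBypassEvaluator bypass chain, filtered per provider id
         * @param multifactorAuthenticationFailureModeEvaluator failure-mode evaluator set on each provider
         * @return the providers in configuration order, or an empty container when the Duo condition is not met
         */
        @ConditionalOnMissingBean(name = {"duoMultifactorAuthenticationProviders"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public BeanContainer<MultifactorAuthenticationProvider> duoMultifactorAuthenticationProviders(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties, List<MultifactorAuthenticationPrincipalResolver> list, @Qualifier("httpClient") HttpClient httpClient, @Qualifier("duoSecurityBypassEvaluator") ChainingMultifactorAuthenticationProviderBypassEvaluator chainingMultifactorAuthenticationProviderBypassEvaluator, @Qualifier("failureModeEvaluator") MultifactorAuthenticationFailureModeEvaluator multifactorAuthenticationFailureModeEvaluator) {
            return (BeanContainer) BeanSupplier.of(BeanContainer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> {
                    AnnotationAwareOrderComparator.sort(list);
                    List<MultifactorAuthenticationProvider> providers = new ArrayList<>();
                    for (DuoSecurityMultifactorAuthenticationProperties duo : casConfigurationProperties.getAuthn().getMfa().getDuo()) {
                        DefaultDuoSecurityMultifactorAuthenticationProvider provider = new DefaultDuoSecurityMultifactorAuthenticationProvider();
                        // NOTE(review): the configured failure mode presumably decides what happens when
                        // Duo cannot be reached - confirm each entry's setting matches the intended policy.
                        provider.setFailureMode(duo.getFailureMode());
                        provider.setFailureModeEvaluator(multifactorAuthenticationFailureModeEvaluator);
                        provider.setOrder(duo.getRank());
                        provider.setId(duo.getId());
                        provider.setRegistration(duo.getRegistration());

                        DuoSecurityAuthenticationService duoAuthenticationService = getDuoAuthenticationService(configurableApplicationContext, list, httpClient, casConfigurationProperties, duo);
                        ApplicationContextProvider.registerBeanIntoApplicationContext(configurableApplicationContext, duoAuthenticationService, provider.getId().concat("-duoAuthenticationService"));
                        provider.setDuoAuthenticationService(duoAuthenticationService);

                        // Only the bypass evaluators selected for this provider id are attached to it.
                        MultifactorAuthenticationProviderBypassEvaluator bypassEvaluator = chainingMultifactorAuthenticationProviderBypassEvaluator.filterMultifactorAuthenticationProviderBypassEvaluatorsBy(duo.getId());
                        ApplicationContextProvider.registerBeanIntoApplicationContext(configurableApplicationContext, bypassEvaluator, provider.getId().concat("-duoBypassEvaluator"));
                        provider.setBypassEvaluator(bypassEvaluator);

                        ApplicationContextProvider.registerBeanIntoApplicationContext(configurableApplicationContext, provider, provider.getId().concat("-duoSecurityMfaProvider"));
                        providers.add(provider);
                    }
                    return BeanContainer.of(providers);
                })
                .otherwise(BeanContainer::empty)
                .get();
        }

        /**
         * Creates the universal-prompt Duo authentication service for one configured Duo entry.
         *
         * <p>A {@link Client} bean already present in the application context takes precedence;
         * only when none is available is a client built from this entry's integration key, secret
         * key and API host, with the CAS login URL as the final builder argument. The three Duo
         * values are passed through the Spring expression resolver first.
         *
         * @param configurableApplicationContext context queried for an existing {@link Client} bean
         * @param list principal resolvers handed to the service
         * @param httpClient HTTP client handed to the service
         * @param casConfigurationProperties CAS settings supplying the login URL
         * @param duoSecurityMultifactorAuthenticationProperties the Duo entry being configured
         * @return the authentication service; failures are rethrown by {@code FunctionUtils.doUnchecked}
         */
        private static DuoSecurityAuthenticationService getDuoAuthenticationService(ConfigurableApplicationContext configurableApplicationContext, List<MultifactorAuthenticationPrincipalResolver> list, HttpClient httpClient, CasConfigurationProperties casConfigurationProperties, DuoSecurityMultifactorAuthenticationProperties duoSecurityMultifactorAuthenticationProperties) {
            return (DuoSecurityAuthenticationService) FunctionUtils.doUnchecked(() -> {
                // Short-lived cache handed to the service; the constant names suggest it holds
                // user-account lookups - confirm against the service implementation.
                Cache userAccountCache = Caffeine.newBuilder()
                    .initialCapacity(USER_ACCOUNT_CACHE_INITIAL_SIZE)
                    .maximumSize(USER_ACCOUNT_CACHE_MAX_SIZE)
                    .expireAfterWrite(Duration.ofSeconds(USER_ACCOUNT_CACHE_EXPIRATION_SECONDS))
                    .build();
                LOGGER.trace("Activating universal prompt authentication service for duo security");
                SpringExpressionLanguageValueResolver resolver = SpringExpressionLanguageValueResolver.getInstance();
                // NOTE(review): a Client bean found in the context is reused for every Duo entry, so the
                // per-entry keys and host below are ignored in that case - confirm for multi-entry setups.
                // The resolved secret key must never be written to logs.
                Client duoClient = (Client) configurableApplicationContext.getBeanProvider(Client.class).getIfAvailable(Unchecked.supplier(() ->
                    new Client.Builder(
                        resolver.resolve(duoSecurityMultifactorAuthenticationProperties.getDuoIntegrationKey()),
                        resolver.resolve(duoSecurityMultifactorAuthenticationProperties.getDuoSecretKey()),
                        resolver.resolve(duoSecurityMultifactorAuthenticationProperties.getDuoApiHost()),
                        casConfigurationProperties.getServer().getLoginUrl()).build()));
                return new UniversalPromptDuoSecurityAuthenticationService(duoSecurityMultifactorAuthenticationProperties, httpClient, duoClient, list, userAccountCache);
            });
        }
    }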

    /**
     * Declares the Duo Security actuator endpoints: ping, user account status and admin API.
     *
     * <p>Each bean is annotated with {@code @ConditionalOnAvailableEndpoint}, so it is created only
     * when Spring Boot considers the corresponding endpoint available.
     *
     * <p>NOTE(review): no access control is configured in this class. Confirm that the deployment's
     * endpoint security settings restrict these endpoints, the admin API one in particular.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "DuoSecurityAuthenticationEventExecutionPlanWebConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration$DuoSecurityAuthenticationEventExecutionPlanWebConfiguration.class */
    public static class DuoSecurityAuthenticationEventExecutionPlanWebConfiguration {
        /**
         * Creates the Duo ping endpoint.
         *
         * @param casConfigurationProperties CAS settings passed to the endpoint
         * @param configurableApplicationContext application context passed to the endpoint
         * @return the ping endpoint
         */
        @ConditionalOnAvailableEndpoint
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public DuoSecurityPingEndpoint duoPingEndpoint(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext) {
            return new DuoSecurityPingEndpoint(casConfigurationProperties, configurableApplicationContext);
        }

        /**
         * Creates the Duo user account status endpoint.
         *
         * @param casConfigurationProperties CAS settings passed to the endpoint
         * @param configurableApplicationContext application context passed to the endpoint
         * @return the user account status endpoint
         */
        @ConditionalOnAvailableEndpoint
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public DuoSecurityUserAccountStatusEndpoint duoAccountStatusEndpoint(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext) {
            return new DuoSecurityUserAccountStatusEndpoint(casConfigurationProperties, configurableApplicationContext);
        }

        /**
         * Creates the Duo admin API endpoint.
         *
         * @param casConfigurationProperties CAS settings passed to the endpoint
         * @param configurableApplicationContext application context passed to the endpoint
         * @return the admin API endpoint
         */
        @ConditionalOnAvailableEndpoint
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public DuoSecurityAdminApiEndpoint duoAdminApiEndpoint(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext) {
            return new DuoSecurityAdminApiEndpoint(casConfigurationProperties, configurableApplicationContext);
        }
    }

    /**
     * Declares the health indicator for the Duo Security integration.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "DuoSecurityAuthenticationMonitorConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration$DuoSecurityAuthenticationMonitorConfiguration.class */
    public static class DuoSecurityAuthenticationMonitorConfiguration {

        /**
         * Creates the Duo health indicator when the Duo condition holds for the environment.
         *
         * @param configurableApplicationContext context used for the condition check and passed to the indicator
         * @return the indicator, or the {@code otherwiseProxy()} fallback when the Duo condition is not met
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnEnabledHealthIndicator("duoSecurityHealthIndicator")
        @Bean
        public HealthIndicator duoSecurityHealthIndicator(ConfigurableApplicationContext configurableApplicationContext) {
            return (HealthIndicator) BeanSupplier.of(HealthIndicator.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> new DuoSecurityHealthIndicator(configurableApplicationContext))
                .otherwiseProxy()
                .get();
        }
    }

    /**
     * Declares the webflow configurer, the webflow action and the service-registry contribution
     * used by the Duo Security multifactor flow.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "DuoSecurityAuthenticationWebflowActionsConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration$DuoSecurityAuthenticationWebflowActionsConfiguration.class */
    public static class DuoSecurityAuthenticationWebflowActionsConfiguration {

        /**
         * Creates the Duo multifactor webflow configurer and assigns it the outer class's
         * {@code WEBFLOW_CONFIGURER_ORDER}.
         *
         * @param casConfigurationProperties CAS settings passed to the configurer
         * @param configurableApplicationContext context used for the condition check and customizer lookup
         * @param flowDefinitionRegistry the login flow registry
         * @param flowBuilderServices flow builder services passed to the configurer
         * @return the configurer, or the {@code otherwiseProxy()} fallback when the Duo condition is not met
         */
        @ConditionalOnMissingBean(name = {"duoMultifactorWebflowConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CasWebflowConfigurer duoMultifactorWebflowConfigurer(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext, @Qualifier("loginFlowRegistry") FlowDefinitionRegistry flowDefinitionRegistry, @Qualifier("flowBuilderServices") FlowBuilderServices flowBuilderServices) {
            return (CasWebflowConfigurer) BeanSupplier.of(CasWebflowConfigurer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> {
                    DuoSecurityMultifactorWebflowConfigurer configurer = new DuoSecurityMultifactorWebflowConfigurer(
                        flowBuilderServices,
                        flowDefinitionRegistry,
                        configurableApplicationContext,
                        casConfigurationProperties,
                        MultifactorAuthenticationWebflowUtils.getMultifactorAuthenticationWebflowCustomizers(configurableApplicationContext));
                    configurer.setOrder(DuoSecurityAuthenticationEventExecutionPlanConfiguration.WEBFLOW_CONFIGURER_ORDER);
                    return configurer;
                })
                .otherwiseProxy()
                .get();
        }

        /**
         * Registers the Duo webflow configurer with the webflow execution plan.
         *
         * @param configurableApplicationContext context used for the condition check
         * @param casWebflowConfigurer the Duo multifactor webflow configurer
         * @return the plan configurer, or the {@code otherwiseProxy()} fallback when the Duo condition is not met
         */
        @ConditionalOnMissingBean(name = {"duoSecurityCasWebflowExecutionPlanConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CasWebflowExecutionPlanConfigurer duoSecurityCasWebflowExecutionPlanConfigurer(ConfigurableApplicationContext configurableApplicationContext, @Qualifier("duoMultifactorWebflowConfigurer") CasWebflowConfigurer casWebflowConfigurer) {
            return (CasWebflowExecutionPlanConfigurer) BeanSupplier.of(CasWebflowExecutionPlanConfigurer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> plan -> plan.registerWebflowConfigurer(casWebflowConfigurer))
                .otherwiseProxy()
                .get();
        }

        /**
         * Creates the webflow action that determines the Duo user account.
         *
         * <p>When the Duo condition is not met the action is {@code ConsumerExecutionAction.NONE}.
         *
         * @param servicesManager services manager passed to the action
         * @param casConfigurationProperties CAS settings passed to the action and the action supplier
         * @param configurableApplicationContext context used for the condition check and the action supplier
         * @return the action built by {@code WebflowActionBeanSupplier} under the id {@code determineDuoUserAccountAction}
         */
        @ConditionalOnMissingBean(name = {"determineDuoUserAccountAction"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public Action determineDuoUserAccountAction(@Qualifier("servicesManager") ServicesManager servicesManager, CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext) {
            return WebflowActionBeanSupplier.builder()
                .withApplicationContext(configurableApplicationContext)
                .withProperties(casConfigurationProperties)
                .withAction(() -> (Action) BeanSupplier.of(Action.class)
                    .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                    .supply(() -> new DuoSecurityDetermineUserAccountAction(casConfigurationProperties, servicesManager))
                    .otherwise(() -> ConsumerExecutionAction.NONE)
                    .get())
                .withId("determineDuoUserAccountAction")
                .build()
                .get();
        }

        /**
         * Contributes one in-memory registered service per Duo entry that has a registration URL.
         *
         * <p>The service id is the host part of the registration URL, and the evaluation order is
         * {@code Integer.MIN_VALUE}. A registration URL that cannot be parsed fails through
         * {@code FunctionUtils.doUnchecked}.
         *
         * <p>NOTE(review): if service ids are matched as patterns, a bare host name is unanchored
         * and its dots are not escaped, so the entry may match more than the registration host.
         * Confirm how the services manager interprets this value.
         *
         * @param casConfigurationProperties CAS settings holding the Duo entries
         * @param configurableApplicationContext context passed to each in-memory registry
         * @return the service-registry plan configurer
         */
        @ConditionalOnMissingBean(name = {"duoServiceRegistryExecutionPlanConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public ServiceRegistryExecutionPlanConfigurer duoServiceRegistryExecutionPlanConfigurer(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext) {
            return plan -> casConfigurationProperties.getAuthn().getMfa().getDuo().stream()
                .filter(duo -> StringUtils.isNotBlank(duo.getRegistration().getRegistrationUrl()))
                .forEach(duo -> {
                    String registrationHost = (String) FunctionUtils.doUnchecked(() -> new URI(duo.getRegistration().getRegistrationUrl()).toURL().getHost());
                    CasRegisteredService registrationService = new CasRegisteredService();
                    registrationService.setId(RandomUtils.nextLong());
                    // Integer.MIN_VALUE is the same value as Spring's Ordered.HIGHEST_PRECEDENCE.
                    registrationService.setEvaluationOrder(Integer.MIN_VALUE);
                    registrationService.setName(registrationService.getClass().getSimpleName());
                    registrationService.setDescription("Duo Security Registration URL for " + duo.getId());
                    registrationService.setServiceId(registrationHost);
                    plan.registerServiceRegistry(new ImmutableInMemoryServiceRegistry(List.of(registrationService), configurableApplicationContext, List.of()));
                });
        }
    }

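    /**
     * Connects the Duo Security multifactor flow to surrogate authentication.
     *
     * <p>Active only when {@link SurrogateAuthenticationService} is on the classpath.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "SurrogateAuthenticationDuoSecurityWebflowPlanConfiguration", proxyBeanMethods = false)
    @ConditionalOnClass({SurrogateAuthenticationService.class})
    /* loaded from: input_file:org/apereo/cas/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration$SurrogateAuthenticationDuoSecurityWebflowPlanConfiguration.class */
    public static class SurrogateAuthenticationDuoSecurityWebflowPlanConfiguration {

        /**
         * Webflow configurer that routes the {@code success} outcome of the Duo states to
         * {@code loadSurrogatesAction}.
         */
        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:org/apereo/cas/config/DuoSecurityAuthenticationEventExecutionPlanConfiguration$SurrogateAuthenticationDuoSecurityWebflowPlanConfiguration$SurrogateWebflowConfigurer.class */
        public static final class SurrogateWebflowConfigurer extends AbstractCasWebflowConfigurer {
            SurrogateWebflowConfigurer(FlowBuilderServices flowBuilderServices, FlowDefinitionRegistry flowDefinitionRegistry, ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties) {
                super(flowBuilderServices, flowDefinitionRegistry, configurableApplicationContext, casConfigurationProperties);
                setOrder(1);
            }

            /**
             * Adds a {@code success} transition to {@code loadSurrogatesAction} on the universal
             * prompt validation state and on every login-flow state named after a Duo provider id.
             *
             * <p>The surrogate step is therefore reached only from the {@code success} outcome of
             * a Duo state.
             */
            @Override
            protected void doInitialize() {
                // NOTE(review): unlike the per-provider states below, this state is not null-checked
                // before the transition is created - confirm it always exists in the login flow.
                createTransitionForState(getState(getLoginFlow(), "duoUniversalPromptPrepareValidate"), "success", "loadSurrogatesAction", true);
                this.casProperties.getAuthn().getMfa().getDuo().forEach(duo -> {
                    TransitionableState providerState = getState(getLoginFlow(), duo.getId());
                    if (providerState != null) {
                        createTransitionForState(providerState, "success", "loadSurrogatesAction", true);
                    }
                });
            }
        }

        /**
         * Creates the webflow customizer that adds {@code requestSurrogateAccount} to the webflow
         * attribute mappings.
         *
         * @param configurableApplicationContext context used for the condition check
         * @return the customizer, or the {@code otherwiseProxy()} fallback when the Duo condition is not met
         */
        @ConditionalOnClass({DuoSecurityAuthenticationService.class})
        @ConditionalOnFeatureEnabled(feature = {CasFeatureModule.FeatureCatalog.MultifactorAuthentication}, module = "duo")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CasMultifactorWebflowCustomizer surrogateDuoSecurityMultifactorWebflowCustomizer(ConfigurableApplicationContext configurableApplicationContext) {
            return (CasMultifactorWebflowCustomizer) BeanSupplier.of(CasMultifactorWebflowCustomizer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                // The decompiler rendered the captured outer instance as a constructor argument;
                // the anonymous class takes none.
                .supply(() -> new CasMultifactorWebflowCustomizer() {
                    @Override
                    public List<String> getWebflowAttributeMappings() {
                        return List.of("requestSurrogateAccount");
                    }
                })
                .otherwiseProxy()
                .get();
        }

        /**
         * Creates the surrogate-aware Duo webflow configurer.
         *
         * @param flowBuilderServices flow builder services passed to the configurer
         * @param flowDefinitionRegistry the login flow registry
         * @param casConfigurationProperties CAS settings passed to the configurer
         * @param configurableApplicationContext context used for the condition check and passed to the configurer
         * @return the configurer, or the {@code otherwiseProxy()} fallback when the Duo condition is not met
         */
        // NOTE(review): only this bean is gated on the SurrogateAuthentication feature, while the
        // execution-plan bean below injects it by qualifier - confirm start-up with the feature off.
        @ConditionalOnFeatureEnabled(feature = {CasFeatureModule.FeatureCatalog.SurrogateAuthentication})
        @ConditionalOnMissingBean(name = {"surrogateDuoSecurityMultifactorAuthenticationWebflowConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CasWebflowConfigurer surrogateDuoSecurityMultifactorAuthenticationWebflowConfigurer(@Qualifier("flowBuilderServices") FlowBuilderServices flowBuilderServices, @Qualifier("loginFlowRegistry") FlowDefinitionRegistry flowDefinitionRegistry, CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext) {
            return (CasWebflowConfigurer) BeanSupplier.of(CasWebflowConfigurer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> new SurrogateWebflowConfigurer(flowBuilderServices, flowDefinitionRegistry, configurableApplicationContext, casConfigurationProperties))
                .otherwiseProxy()
                .get();
        }

        /**
         * Registers the surrogate-aware Duo webflow configurer with the webflow execution plan.
         *
         * @param configurableApplicationContext context used for the condition check
         * @param casWebflowConfigurer the surrogate-aware Duo webflow configurer
         * @return the plan configurer, or the {@code otherwiseProxy()} fallback when the Duo condition is not met
         */
        @ConditionalOnMissingBean(name = {"surrogateDuoSecurityMultifactorAuthenticationWebflowExecutionPlanConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CasWebflowExecutionPlanConfigurer surrogateDuoSecurityMultifactorAuthenticationWebflowExecutionPlanConfigurer(ConfigurableApplicationContext configurableApplicationContext, @Qualifier("surrogateDuoSecurityMultifactorAuthenticationWebflowConfigurer") CasWebflowConfigurer casWebflowConfigurer) {
            return (CasWebflowExecutionPlanConfigurer) BeanSupplier.of(CasWebflowExecutionPlanConfigurer.class)
                .when(DuoSecurityAuthenticationService.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> plan -> plan.registerWebflowConfigurer(casWebflowConfigurer))
                .otherwiseProxy()
                .get();
        }
    }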
}
