package org.apereo.cas.config;

import java.util.HashSet;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.api.AuthenticationRequestRiskCalculator;
import org.apereo.cas.api.AuthenticationRiskContingencyPlan;
import org.apereo.cas.api.AuthenticationRiskEvaluator;
import org.apereo.cas.api.AuthenticationRiskMitigator;
import org.apereo.cas.api.AuthenticationRiskNotifier;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.authentication.RiskBasedAuthenticationProperties;
import org.apereo.cas.configuration.model.support.sms.SmsProperties;
import org.apereo.cas.impl.calcs.DateTimeAuthenticationRequestRiskCalculator;
import org.apereo.cas.impl.calcs.GeoLocationAuthenticationRequestRiskCalculator;
import org.apereo.cas.impl.calcs.IpAddressAuthenticationRequestRiskCalculator;
import org.apereo.cas.impl.calcs.UserAgentAuthenticationRequestRiskCalculator;
import org.apereo.cas.impl.engine.DefaultAuthenticationRiskEvaluator;
import org.apereo.cas.impl.engine.DefaultAuthenticationRiskMitigator;
import org.apereo.cas.impl.notify.AuthenticationRiskEmailNotifier;
import org.apereo.cas.impl.notify.AuthenticationRiskTwilioSmsNotifier;
import org.apereo.cas.impl.plans.BaseAuthenticationRiskContingencyPlan;
import org.apereo.cas.impl.plans.BlockAuthenticationContingencyPlan;
import org.apereo.cas.impl.plans.MultifactorAuthenticationContingencyPlan;
import org.apereo.cas.services.MultifactorAuthenticationProviderSelector;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.events.CasEventRepository;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.io.CommunicationsManager;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.RiskAwareAuthenticationWebflowConfigurer;
import org.apereo.cas.web.flow.RiskAwareAuthenticationWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.web.util.CookieGenerator;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

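/**
 * Spring configuration that wires the risk-based ("electronic fence") authentication
 * components: the risk calculators, the evaluator that aggregates them, the contingency
 * plans (block or multifactor), the notifiers and the webflow resolver/configurer.
 *
 * <p>Every bean is declared with {@link ConditionalOnMissingBean}, so a deployment can
 * replace any of them by registering a bean under the same name.
 *
 * <p>Security-relevant configuration read here (all under
 * {@code getAuthn().getAdaptive().getRisk()}):
 * <ul>
 *   <li>the per-calculator {@code isEnabled()} flags decide which signals are evaluated;</li>
 *   <li>{@code getResponse().isBlockAttempt()} selects blocking versus multifactor;</li>
 *   <li>the mail/SMS settings decide whether any notifier is attached to the plan.</li>
 * </ul>
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@EnableScheduling
@Configuration("electronicFenceConfiguration")
/* loaded from: input_file:org/apereo/cas/config/ElectronicFenceConfiguration.class */
public class ElectronicFenceConfiguration {
    private static final Logger LOGGER = LoggerFactory.getLogger(ElectronicFenceConfiguration.class);

    @Autowired
    @Qualifier("communicationsManager")
    private CommunicationsManager communicationsManager;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private CentralAuthenticationService centralAuthenticationService;

    @Autowired
    @Qualifier("defaultTicketRegistrySupport")
    private TicketRegistrySupport ticketRegistrySupport;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    @Qualifier("warnCookieGenerator")
    private CookieGenerator warnCookieGenerator;

    @Autowired
    @Qualifier("authenticationServiceSelectionPlan")
    private AuthenticationServiceSelectionPlan authenticationRequestServiceSelectionStrategies;

    // Optional: may be null when no webflow infrastructure is present in the context.
    @Autowired(required = false)
    private FlowBuilderServices flowBuilderServices;

    // Optional: may be null when the login flow registry bean is absent.
    @Autowired(required = false)
    @Qualifier("loginFlowRegistry")
    private FlowDefinitionRegistry loginFlowDefinitionRegistry;

    @Autowired
    @Qualifier("casEventRepository")
    private CasEventRepository casEventRepository;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("multifactorAuthenticationProviderSelector")
    private MultifactorAuthenticationProviderSelector selector;

    @Autowired
    @Qualifier("initialAuthenticationAttemptWebflowEventResolver")
    private CasDelegatingWebflowEventResolver initialAuthenticationAttemptWebflowEventResolver;

    /**
     * Creates the email notifier, backed by the shared communications manager.
     *
     * @return the email risk notifier
     */
    @ConditionalOnMissingBean(name = {"authenticationRiskEmailNotifier"})
    @RefreshScope
    @Bean
    public AuthenticationRiskNotifier authenticationRiskEmailNotifier() {
        return new AuthenticationRiskEmailNotifier(this.communicationsManager);
    }

    /**
     * Creates the SMS notifier, backed by the shared communications manager.
     *
     * @return the SMS risk notifier
     */
    @ConditionalOnMissingBean(name = {"authenticationRiskSmsNotifier"})
    @RefreshScope
    @Bean
    public AuthenticationRiskNotifier authenticationRiskSmsNotifier() {
        return new AuthenticationRiskTwilioSmsNotifier(this.communicationsManager);
    }

    /**
     * Creates the risk-aware webflow event resolver and registers it as a delegate of the
     * initial authentication attempt resolver.
     *
     * @param authenticationSystemSupport the authentication system support bean
     * @return the risk-aware resolver
     */
    @ConditionalOnMissingBean(name = {"riskAwareAuthenticationWebflowEventResolver"})
    @Autowired
    @RefreshScope
    @Bean
    public CasWebflowEventResolver riskAwareAuthenticationWebflowEventResolver(@Qualifier("defaultAuthenticationSystemSupport") AuthenticationSystemSupport authenticationSystemSupport) {
        final RiskAwareAuthenticationWebflowEventResolver resolver = new RiskAwareAuthenticationWebflowEventResolver(
            authenticationSystemSupport,
            this.centralAuthenticationService,
            this.servicesManager,
            this.ticketRegistrySupport,
            this.warnCookieGenerator,
            this.authenticationRequestServiceSelectionStrategies,
            this.selector,
            authenticationRiskEvaluator(),
            authenticationRiskMitigator(),
            this.casProperties);
        // Index 0 puts the risk check ahead of the other delegates.
        // NOTE(review): the registration is a side effect of bean creation and this bean is
        // @RefreshScope; confirm that a refresh does not leave a stale delegate registered
        // or register a second one.
        this.initialAuthenticationAttemptWebflowEventResolver.addDelegate(resolver, 0);
        return resolver;
    }

    /**
     * Creates the contingency plan that blocks the authentication attempt.
     *
     * @return the blocking contingency plan, with notifiers attached per configuration
     */
    @ConditionalOnMissingBean(name = {"blockAuthenticationContingencyPlan"})
    @RefreshScope
    @Bean
    public AuthenticationRiskContingencyPlan blockAuthenticationContingencyPlan() {
        final BlockAuthenticationContingencyPlan plan = new BlockAuthenticationContingencyPlan();
        configureContingencyPlan(plan);
        return plan;
    }

    /**
     * Creates the contingency plan that responds with multifactor authentication.
     *
     * @return the multifactor contingency plan, with notifiers attached per configuration
     */
    @ConditionalOnMissingBean(name = {"multifactorAuthenticationContingencyPlan"})
    @RefreshScope
    @Bean
    public AuthenticationRiskContingencyPlan multifactorAuthenticationContingencyPlan() {
        final MultifactorAuthenticationContingencyPlan plan = new MultifactorAuthenticationContingencyPlan();
        configureContingencyPlan(plan);
        return plan;
    }

    /**
     * Creates the mitigator, choosing the contingency plan from the risk response settings.
     *
     * @return a mitigator using the blocking plan when {@code isBlockAttempt()} is true,
     *         otherwise the multifactor plan
     */
    @ConditionalOnMissingBean(name = {"authenticationRiskMitigator"})
    @RefreshScope
    @Bean
    public AuthenticationRiskMitigator authenticationRiskMitigator() {
        final boolean blockAttempt = this.casProperties.getAuthn().getAdaptive().getRisk().getResponse().isBlockAttempt();
        // Only the selected plan's bean method is invoked, matching the configured response.
        final AuthenticationRiskContingencyPlan plan = blockAttempt
            ? blockAuthenticationContingencyPlan()
            : multifactorAuthenticationContingencyPlan();
        return new DefaultAuthenticationRiskMitigator(plan);
    }

    /**
     * Creates the IP-address risk calculator over the CAS event repository.
     *
     * @return the IP-address risk calculator
     */
    @ConditionalOnMissingBean(name = {"ipAddressAuthenticationRequestRiskCalculator"})
    @RefreshScope
    @Bean
    public AuthenticationRequestRiskCalculator ipAddressAuthenticationRequestRiskCalculator() {
        return new IpAddressAuthenticationRequestRiskCalculator(this.casEventRepository);
    }

    /**
     * Creates the user-agent risk calculator over the CAS event repository.
     *
     * @return the user-agent risk calculator
     */
    @ConditionalOnMissingBean(name = {"userAgentAuthenticationRequestRiskCalculator"})
    @RefreshScope
    @Bean
    public AuthenticationRequestRiskCalculator userAgentAuthenticationRequestRiskCalculator() {
        return new UserAgentAuthenticationRequestRiskCalculator(this.casEventRepository);
    }

    /**
     * Creates the date/time risk calculator over the CAS event repository, using the
     * configured window in hours.
     *
     * @return the date/time risk calculator
     */
    @ConditionalOnMissingBean(name = {"dateTimeAuthenticationRequestRiskCalculator"})
    @RefreshScope
    @Bean
    public AuthenticationRequestRiskCalculator dateTimeAuthenticationRequestRiskCalculator() {
        final int windowInHours = this.casProperties.getAuthn().getAdaptive().getRisk().getDateTime().getWindowInHours();
        return new DateTimeAuthenticationRequestRiskCalculator(this.casEventRepository, windowInHours);
    }

    /**
     * Creates the geolocation risk calculator over the CAS event repository.
     *
     * @return the geolocation risk calculator
     */
    @ConditionalOnMissingBean(name = {"geoLocationAuthenticationRequestRiskCalculator"})
    @RefreshScope
    @Bean
    public AuthenticationRequestRiskCalculator geoLocationAuthenticationRequestRiskCalculator() {
        return new GeoLocationAuthenticationRequestRiskCalculator(this.casEventRepository);
    }

    /**
     * Creates the webflow configurer for risk-aware authentication.
     *
     * @return the webflow configurer
     */
    @ConditionalOnMissingBean(name = {"riskAwareAuthenticationWebflowConfigurer"})
    @RefreshScope
    @Bean
    public CasWebflowConfigurer riskAwareAuthenticationWebflowConfigurer() {
        // Both collaborators are injected with required = false and are passed through as-is.
        return new RiskAwareAuthenticationWebflowConfigurer(this.flowBuilderServices, this.loginFlowDefinitionRegistry);
    }

    /**
     * Creates the risk evaluator from the calculators that are enabled in configuration.
     *
     * <p>When no calculator is enabled the evaluator is still created, with an empty set,
     * and only a warning is logged. Operators should treat that warning as a sign that
     * risk-based authentication is deployed but not examining any signal.
     *
     * @return the evaluator over the enabled calculators
     */
    @ConditionalOnMissingBean(name = {"authenticationRiskEvaluator"})
    @RefreshScope
    @Bean
    public AuthenticationRiskEvaluator authenticationRiskEvaluator() {
        final RiskBasedAuthenticationProperties risk = this.casProperties.getAuthn().getAdaptive().getRisk();
        // Parameterized (not raw) so only risk calculators can be placed in the set.
        final HashSet<AuthenticationRequestRiskCalculator> calculators = new HashSet<>();
        if (risk.getIp().isEnabled()) {
            calculators.add(ipAddressAuthenticationRequestRiskCalculator());
        }
        if (risk.getAgent().isEnabled()) {
            calculators.add(userAgentAuthenticationRequestRiskCalculator());
        }
        if (risk.getDateTime().isEnabled()) {
            calculators.add(dateTimeAuthenticationRequestRiskCalculator());
        }
        if (risk.getGeoLocation().isEnabled()) {
            calculators.add(geoLocationAuthenticationRequestRiskCalculator());
        }
        if (calculators.isEmpty()) {
            // NOTE(review): startup continues here; confirm how DefaultAuthenticationRiskEvaluator
            // scores a request when it has no calculators.
            LOGGER.warn("No risk calculators are defined to examine authentication requests");
        }
        return new DefaultAuthenticationRiskEvaluator(calculators);
    }

    /**
     * Attaches the email and SMS notifiers to a contingency plan when their settings are
     * present.
     *
     * <p>The email notifier needs non-blank text, sender and subject; the SMS notifier
     * needs non-blank text and sender. If neither group is configured the plan keeps
     * whatever notifiers it already had, so no notifier is added by this method.
     *
     * @param baseAuthenticationRiskContingencyPlan the plan to configure
     */
    private void configureContingencyPlan(BaseAuthenticationRiskContingencyPlan baseAuthenticationRiskContingencyPlan) {
        final RiskBasedAuthenticationProperties risk = this.casProperties.getAuthn().getAdaptive().getRisk();

        final RiskBasedAuthenticationProperties.Response.Mail mail = risk.getResponse().getMail();
        final boolean mailConfigured = StringUtils.isNotBlank(mail.getText())
            && StringUtils.isNotBlank(mail.getFrom())
            && StringUtils.isNotBlank(mail.getSubject());
        if (mailConfigured) {
            baseAuthenticationRiskContingencyPlan.getNotifiers().add(authenticationRiskEmailNotifier());
        }

        final SmsProperties sms = risk.getResponse().getSms();
        final boolean smsConfigured = StringUtils.isNotBlank(sms.getText())
            && StringUtils.isNotBlank(sms.getFrom());
        if (smsConfigured) {
            baseAuthenticationRiskContingencyPlan.getNotifiers().add(authenticationRiskSmsNotifier());
        }
    }
}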
