package org.apereo.cas.config.support.authentication;

import com.warrenstrange.googleauth.GoogleAuthenticator;
import com.warrenstrange.googleauth.GoogleAuthenticatorConfig;
import com.warrenstrange.googleauth.IGoogleAuthenticator;
import com.warrenstrange.googleauth.KeyRepresentation;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler;
import org.apereo.cas.adaptors.gauth.GoogleAuthenticatorMultifactorAuthenticationProvider;
import org.apereo.cas.adaptors.gauth.repository.credentials.InMemoryGoogleAuthenticatorTokenCredentialRepository;
import org.apereo.cas.adaptors.gauth.repository.credentials.JsonGoogleAuthenticatorTokenCredentialRepository;
import org.apereo.cas.adaptors.gauth.repository.credentials.RestGoogleAuthenticatorTokenCredentialRepository;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationProperties;
import org.apereo.cas.otp.repository.credentials.OneTimeTokenCredentialRepository;
import org.apereo.cas.otp.repository.token.OneTimeTokenRepository;
import org.apereo.cas.otp.repository.token.OneTimeTokenRepositoryCleaner;
import org.apereo.cas.otp.web.flow.OneTimeTokenAccountCheckRegistrationAction;
import org.apereo.cas.otp.web.flow.OneTimeTokenAccountSaveRegistrationAction;
import org.apereo.cas.services.DefaultMultifactorAuthenticationProviderBypass;
import org.apereo.cas.services.MultifactorAuthenticationProvider;
import org.apereo.cas.services.MultifactorAuthenticationProviderBypass;
import org.apereo.cas.services.ServicesManager;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.web.client.RestTemplate;
import org.springframework.webflow.execution.Action;

/**
 * Spring configuration that wires the Google Authenticator (time-based one-time code)
 * multifactor beans for CAS: the authenticator instance, the authentication handler,
 * the multifactor provider and its bypass evaluator, the metadata populator, the two
 * registration web-flow actions, the account registry and the token repository cleaner.
 *
 * <p>It also contributes the handler and the metadata populator to the authentication
 * execution plan, but only when an issuer is configured for the gauth module.
 *
 * <p>This listing was recovered from the compiled class
 * {@code GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration.class}, so the
 * original comments are not available.
 */
@Configuration("googleAuthenticatorAuthenticationEventExecutionPlanConfiguration")
@EnableConfigurationProperties({CasConfigurationProperties.class})
public class GoogleAuthenticatorAuthenticationEventExecutionPlanConfiguration implements AuthenticationEventExecutionPlanConfigurer {

    // Registry of enrolled accounts; injected lazily by qualifier.
    @Autowired
    @Lazy
    @Qualifier("googleAuthenticatorAccountRegistry")
    private OneTimeTokenCredentialRepository googleAuthenticatorAccountRegistry;

    // Repository of one-time tokens shared by the handler and the cleaner.
    // NOTE(review): presumably this is what lets the handler reject an already-used
    // code; confirm in GoogleAuthenticatorAuthenticationHandler.
    @Autowired
    @Lazy
    @Qualifier("oneTimeTokenAuthenticatorTokenRepository")
    private OneTimeTokenRepository oneTimeTokenAuthenticatorTokenRepository;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    /**
     * Token repository cleaner whose {@link #clean()} is scheduled from the
     * {@code cas.authn.mfa.gauth.cleaner.*} properties.
     */
    public class GoogleAuthenticatorOneTimeTokenRepositoryCleaner extends OneTimeTokenRepositoryCleaner {
        /**
         * @param oneTimeTokenRepository the token repository handed to the parent cleaner
         */
        public GoogleAuthenticatorOneTimeTokenRepositoryCleaner(OneTimeTokenRepository oneTimeTokenRepository) {
            super(oneTimeTokenRepository);
        }

        /**
         * Delegates to the parent cleaner. The method exists so the schedule can be
         * attached here: first run after {@code startDelay} (default PT30S), then
         * repeated {@code repeatInterval} (default PT35S) after each run completes.
         */
        @Scheduled(initialDelayString = "${cas.authn.mfa.gauth.cleaner.startDelay:PT30S}", fixedDelayString = "${cas.authn.mfa.gauth.cleaner.repeatInterval:PT35S}")
        public void clean() {
            super.clean();
        }
    }

    /**
     * Builds the Google Authenticator engine from the gauth properties.
     *
     * <p>Code digits, time step size and window size come straight from configuration
     * with no bounds check at this point. A larger window or a longer time step
     * tolerates more clock drift, but it also lengthens the period in which a code
     * is still accepted, so these values deserve review alongside the MFA policy.
     *
     * @return an authenticator configured with Base32 key representation
     */
    @Bean
    @RefreshScope
    public IGoogleAuthenticator googleAuthenticatorInstance() {
        MultifactorAuthenticationProperties.GAuth props = this.casProperties.getAuthn().getMfa().getGauth();
        GoogleAuthenticatorConfig.GoogleAuthenticatorConfigBuilder builder = new GoogleAuthenticatorConfig.GoogleAuthenticatorConfigBuilder();
        builder.setCodeDigits(props.getCodeDigits());
        // The property is expressed in seconds; the library expects milliseconds.
        long stepMillis = TimeUnit.SECONDS.toMillis(props.getTimeStepSize());
        builder.setTimeStepSizeInMillis(stepMillis);
        builder.setWindowSize(props.getWindowSize());
        builder.setKeyRepresentation(KeyRepresentation.BASE32);
        GoogleAuthenticatorConfig config = builder.build();
        return new GoogleAuthenticator(config);
    }

    /**
     * Creates the authentication handler unless a bean named
     * {@code googleAuthenticatorAuthenticationHandler} is already defined.
     *
     * @return the handler, wired with the authenticator, the token repository, the
     *         account registry, the principal factory, the services manager and the
     *         configured handler name
     */
    @Bean
    @RefreshScope
    @ConditionalOnMissingBean(name = {"googleAuthenticatorAuthenticationHandler"})
    public AuthenticationHandler googleAuthenticatorAuthenticationHandler() {
        GoogleAuthenticatorAuthenticationHandler handler = new GoogleAuthenticatorAuthenticationHandler(
                googleAuthenticatorInstance(),
                this.oneTimeTokenAuthenticatorTokenRepository,
                this.googleAuthenticatorAccountRegistry);
        handler.setPrincipalFactory(googlePrincipalFactory());
        handler.setServicesManager(this.servicesManager);
        handler.setName(this.casProperties.getAuthn().getMfa().getGauth().getName());
        return handler;
    }

    /**
     * Creates the bypass evaluator from the gauth bypass properties.
     *
     * <p>Whatever these properties match is allowed to skip this factor, so they are
     * part of the effective MFA policy and should be reviewed as such.
     *
     * @return the default bypass evaluator for this provider
     */
    @Bean
    @RefreshScope
    public MultifactorAuthenticationProviderBypass googleBypassEvaluator() {
        return new DefaultMultifactorAuthenticationProviderBypass(
                this.casProperties.getAuthn().getMfa().getGauth().getBypass());
    }

    /**
     * Creates the multifactor provider for Google Authenticator.
     *
     * <p>The failure mode is taken from the global MFA setting, not from a
     * gauth-specific one.
     * NOTE(review): what each failure mode does when the provider is unavailable is
     * not visible here; confirm it does not silently skip the second factor.
     *
     * @return the provider with bypass evaluator, global failure mode, order and id set
     */
    @Bean
    @RefreshScope
    public MultifactorAuthenticationProvider googleAuthenticatorAuthenticationProvider() {
        MultifactorAuthenticationProperties.GAuth props = this.casProperties.getAuthn().getMfa().getGauth();
        GoogleAuthenticatorMultifactorAuthenticationProvider provider = new GoogleAuthenticatorMultifactorAuthenticationProvider();
        provider.setBypassEvaluator(googleBypassEvaluator());
        provider.setGlobalFailureMode(this.casProperties.getAuthn().getMfa().getGlobalFailureMode());
        provider.setOrder(props.getRank());
        provider.setId(props.getId());
        return provider;
    }

    /**
     * Creates the metadata populator that ties the configured authentication context
     * attribute to this handler and provider.
     *
     * @return the authentication-context metadata populator
     */
    @Bean
    @RefreshScope
    public AuthenticationMetaDataPopulator googleAuthenticatorAuthenticationMetaDataPopulator() {
        String contextAttribute = this.casProperties.getAuthn().getMfa().getAuthenticationContextAttribute();
        return new AuthenticationContextAttributeMetaDataPopulator(
                contextAttribute,
                googleAuthenticatorAuthenticationHandler(),
                googleAuthenticatorAuthenticationProvider());
    }

    /**
     * Creates the web-flow action that checks whether an account is registered.
     *
     * @return the check-registration action, given the account registry plus the
     *         configured label and issuer
     */
    @Bean
    @RefreshScope
    public Action googleAccountRegistrationAction() {
        MultifactorAuthenticationProperties.GAuth props = this.casProperties.getAuthn().getMfa().getGauth();
        return new OneTimeTokenAccountCheckRegistrationAction(
                this.googleAuthenticatorAccountRegistry, props.getLabel(), props.getIssuer());
    }

    /**
     * Creates the scheduled token repository cleaner. It is active unless
     * {@code cas.authn.mfa.gauth.cleaner.enabled} is set to a value other than
     * {@code true}; a missing property counts as enabled.
     *
     * @param oneTimeTokenRepository the token repository to clean
     * @return the cleaner bound to that repository
     */
    @Bean
    @Autowired
    @ConditionalOnProperty(prefix = "cas.authn.mfa.gauth.cleaner", name = {"enabled"}, havingValue = "true", matchIfMissing = true)
    public OneTimeTokenRepositoryCleaner googleAuthenticatorTokenRepositoryCleaner(@Qualifier("oneTimeTokenAuthenticatorTokenRepository") OneTimeTokenRepository oneTimeTokenRepository) {
        return new GoogleAuthenticatorOneTimeTokenRepositoryCleaner(oneTimeTokenRepository);
    }

    /**
     * Chooses the account registry unless a bean named
     * {@code googleAuthenticatorAccountRegistry} is already defined. The order of
     * preference is: JSON resource, then REST endpoint, then in-memory.
     *
     * <p>NOTE(review): the registry presumably holds each user's shared secret, so
     * the choice of backend decides where those secrets live; confirm against the
     * repository implementations.
     *
     * @return the selected credential repository
     */
    @Bean
    @RefreshScope
    @ConditionalOnMissingBean(name = {"googleAuthenticatorAccountRegistry"})
    public OneTimeTokenCredentialRepository googleAuthenticatorAccountRegistry() {
        MultifactorAuthenticationProperties.GAuth props = this.casProperties.getAuthn().getMfa().getGauth();

        if (props.getJson().getConfig().getLocation() != null) {
            // File-backed registry: access to the resource should be restricted to the CAS process.
            return new JsonGoogleAuthenticatorTokenCredentialRepository(
                    props.getJson().getConfig().getLocation(), googleAuthenticatorInstance());
        }

        if (StringUtils.isNotBlank(props.getRest().getEndpointUrl())) {
            // The RestTemplate comes from its no-arg constructor, so no timeouts or
            // custom TLS settings are applied at this point.
            return new RestGoogleAuthenticatorTokenCredentialRepository(
                    googleAuthenticatorInstance(), new RestTemplate(), props);
        }

        // Fallback when neither backend is configured.
        // NOTE(review): going by its name this registry lives only in process memory,
        // so enrolments would not survive a restart or be shared across nodes; confirm
        // before relying on it outside of testing.
        return new InMemoryGoogleAuthenticatorTokenCredentialRepository(googleAuthenticatorInstance());
    }

    /**
     * Creates the web-flow action that saves a newly registered account.
     *
     * @return the save-registration action bound to the account registry
     */
    @Bean
    @RefreshScope
    public Action googleSaveAccountRegistrationAction() {
        return new OneTimeTokenAccountSaveRegistrationAction(this.googleAuthenticatorAccountRegistry);
    }

    /**
     * Creates the principal factory unless a bean named {@code googlePrincipalFactory}
     * is already defined.
     *
     * @return a default principal factory
     */
    @Bean
    @ConditionalOnMissingBean(name = {"googlePrincipalFactory"})
    public PrincipalFactory googlePrincipalFactory() {
        return new DefaultPrincipalFactory();
    }

    /**
     * Registers the Google Authenticator handler and metadata populator with the
     * authentication execution plan.
     *
     * <p>Registration is skipped without any log message when the issuer property is
     * blank, so a missing issuer leaves this factor out of the plan.
     *
     * @param authenticationEventExecutionPlan the plan to contribute to
     */
    public void configureAuthenticationExecutionPlan(AuthenticationEventExecutionPlan authenticationEventExecutionPlan) {
        String issuer = this.casProperties.getAuthn().getMfa().getGauth().getIssuer();
        if (StringUtils.isBlank(issuer)) {
            return;
        }
        authenticationEventExecutionPlan.registerAuthenticationHandler(googleAuthenticatorAuthenticationHandler());
        authenticationEventExecutionPlan.registerMetadataPopulator(googleAuthenticatorAuthenticationMetaDataPopulator());
    }
}
