package org.apereo.cas.config;

import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.uma.UmaProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator;
import org.apereo.cas.ticket.ExpirationPolicyBuilder;
import org.apereo.cas.ticket.IdTokenGeneratorService;
import org.apereo.cas.ticket.TicketFactoryExecutionPlanConfigurer;
import org.apereo.cas.ticket.UniqueTicketIdGenerator;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.uma.UmaConfigurationContext;
import org.apereo.cas.uma.claim.DefaultUmaResourceSetClaimPermissionExaminer;
import org.apereo.cas.uma.claim.UmaResourceSetClaimPermissionExaminer;
import org.apereo.cas.uma.discovery.UmaServerDiscoverySettings;
import org.apereo.cas.uma.discovery.UmaServerDiscoverySettingsFactory;
import org.apereo.cas.uma.ticket.permission.DefaultUmaPermissionTicketFactory;
import org.apereo.cas.uma.ticket.permission.UmaPermissionTicketExpirationPolicyBuilder;
import org.apereo.cas.uma.ticket.permission.UmaPermissionTicketFactory;
import org.apereo.cas.uma.ticket.resource.repository.ResourceSetRepository;
import org.apereo.cas.uma.ticket.resource.repository.impl.DefaultResourceSetRepository;
import org.apereo.cas.uma.ticket.rpt.UmaIdTokenGeneratorService;
import org.apereo.cas.uma.ticket.rpt.UmaRequestingPartyTokenSigningService;
import org.apereo.cas.uma.web.authn.UmaAuthorizationApiTokenAuthenticator;
import org.apereo.cas.uma.web.authn.UmaRequestingPartyTokenAuthenticator;
import org.apereo.cas.uma.web.controllers.authz.UmaAuthorizationRequestEndpointController;
import org.apereo.cas.uma.web.controllers.claims.UmaRequestingPartyClaimsCollectionEndpointController;
import org.apereo.cas.uma.web.controllers.discovery.UmaWellKnownEndpointController;
import org.apereo.cas.uma.web.controllers.permission.UmaPermissionRegistrationEndpointController;
import org.apereo.cas.uma.web.controllers.policy.UmaCreatePolicyForResourceSetEndpointController;
import org.apereo.cas.uma.web.controllers.policy.UmaDeletePolicyForResourceSetEndpointController;
import org.apereo.cas.uma.web.controllers.policy.UmaFindPolicyForResourceSetEndpointController;
import org.apereo.cas.uma.web.controllers.policy.UmaUpdatePolicyForResourceSetEndpointController;
import org.apereo.cas.uma.web.controllers.resource.UmaCreateResourceSetRegistrationEndpointController;
import org.apereo.cas.uma.web.controllers.resource.UmaDeleteResourceSetRegistrationEndpointController;
import org.apereo.cas.uma.web.controllers.resource.UmaFindResourceSetRegistrationEndpointController;
import org.apereo.cas.uma.web.controllers.resource.UmaUpdateResourceSetRegistrationEndpointController;
import org.apereo.cas.uma.web.controllers.rpt.UmaRequestingPartyTokenJwksEndpointController;
import org.apereo.cas.util.DefaultUniqueTicketIdGenerator;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "CasOAuthUmaConfiguration", proxyBeanMethods = false)
/* loaded from: input_file:org/apereo/cas/config/CasOAuthUmaConfiguration.class */
public class CasOAuthUmaConfiguration {

    /**
     * Assembles the {@link UmaConfigurationContext} that is handed to the UMA endpoint controllers.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaContextConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaContextConfiguration {
        /**
         * Builds the shared UMA context from the ticket, token, session and repository beans.
         *
         * <p>The requesting-party-token signing service is created inline from two settings:
         * the location of the configured JWKS resource and the UMA issuer.
         *
         * <p>NOTE(review): the JWKS resource presumably holds the private key material used to sign
         * requesting party tokens. Confirm, and keep the configured location readable only by the
         * CAS process. Because the bean is refresh-scoped, a configuration refresh rebuilds the
         * signing service from whatever the location points at by then.
         *
         * @return the fully populated UMA configuration context
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaConfigurationContext umaConfigurationContext(
                final ConfigurableApplicationContext configurableApplicationContext,
                @Qualifier("defaultUmaPermissionTicketFactory") final UmaPermissionTicketFactory umaPermissionTicketFactory,
                @Qualifier("umaResourceSetClaimPermissionExaminer") final UmaResourceSetClaimPermissionExaminer umaResourceSetClaimPermissionExaminer,
                @Qualifier("centralAuthenticationService") final CentralAuthenticationService centralAuthenticationService,
                @Qualifier("oauthDistributedSessionStore") final SessionStore sessionStore,
                @Qualifier("oauthTokenGenerator") final OAuth20TokenGenerator oAuth20TokenGenerator,
                @Qualifier("accessTokenJwtBuilder") final JwtBuilder jwtBuilder,
                @Qualifier("umaRequestingPartyTokenGenerator") final IdTokenGeneratorService idTokenGeneratorService,
                @Qualifier("servicesManager") final ServicesManager servicesManager,
                @Qualifier("ticketRegistry") final TicketRegistry ticketRegistry,
                @Qualifier("umaResourceSetRepository") final ResourceSetRepository resourceSetRepository,
                final CasConfigurationProperties casConfigurationProperties) {
            final UmaProperties umaSettings = casConfigurationProperties.getAuthn().getOauth().getUma();

            // Signing service for requesting party tokens: JWKS location plus issuer, both from UMA settings.
            final UmaRequestingPartyTokenSigningService rptSigningService = new UmaRequestingPartyTokenSigningService(
                    umaSettings.getRequestingPartyToken().getJwksFile().getLocation(),
                    umaSettings.getCore().getIssuer());

            return UmaConfigurationContext.builder()
                    .applicationContext(configurableApplicationContext)
                    .accessTokenGenerator(oAuth20TokenGenerator)
                    .casProperties(casConfigurationProperties)
                    .accessTokenJwtBuilder(jwtBuilder)
                    .claimPermissionExaminer(umaResourceSetClaimPermissionExaminer)
                    .requestingPartyTokenGenerator(idTokenGeneratorService)
                    .servicesManager(servicesManager)
                    .sessionStore(sessionStore)
                    .ticketRegistry(ticketRegistry)
                    .centralAuthenticationService(centralAuthenticationService)
                    .umaPermissionTicketFactory(umaPermissionTicketFactory)
                    .umaResourceSetRepository(resourceSetRepository)
                    .idTokenSigningAndEncryptionService(rptSigningService)
                    .build();
        }
    }

    /**
     * Registers the UMA endpoint controllers as beans.
     *
     * <p>Nothing in this class attaches authentication to the controllers. The bearer-token
     * interceptors are bound to URL path patterns separately, in
     * {@code CasOAuthUmaWebMvcConfiguration}, so the protection of a controller depends on its
     * request mappings falling under those patterns.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaControllersConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaControllersConfiguration {
        /** Creates the authorization request controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaAuthorizationRequestEndpointController umaAuthorizationRequestEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaAuthorizationRequestEndpointController(umaConfigurationContext);
        }

        /** Creates the requesting-party-token JWKS controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaRequestingPartyTokenJwksEndpointController umaRequestingPartyTokenJwksEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaRequestingPartyTokenJwksEndpointController(umaConfigurationContext);
        }

        /** Creates the requesting-party claims collection controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaRequestingPartyClaimsCollectionEndpointController umaRequestingPartyClaimsCollectionEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaRequestingPartyClaimsCollectionEndpointController(umaConfigurationContext);
        }

        /**
         * Creates the well-known (discovery) controller.
         *
         * <p>The qualifier names the {@code umaServerDiscoverySettingsFactory} factory bean; the
         * injected value is the {@link UmaServerDiscoverySettings} object that factory produces.
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaWellKnownEndpointController umaWellKnownEndpointController(
                @Qualifier("umaServerDiscoverySettingsFactory") final UmaServerDiscoverySettings umaServerDiscoverySettings) {
            return new UmaWellKnownEndpointController(umaServerDiscoverySettings);
        }

        /**
         * Creates the permission registration controller from the shared UMA context.
         *
         * <p>NOTE(review): unlike its sibling controllers this bean carries no {@code @RefreshScope};
         * confirm that is intentional, since it would keep the context it was built with after a refresh.
         */
        @Bean
        public UmaPermissionRegistrationEndpointController umaPermissionRegistrationEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaPermissionRegistrationEndpointController(umaConfigurationContext);
        }

        /** Creates the resource-set creation controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaCreateResourceSetRegistrationEndpointController umaCreateResourceSetRegistrationEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaCreateResourceSetRegistrationEndpointController(umaConfigurationContext);
        }

        /** Creates the resource-set deletion controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaDeleteResourceSetRegistrationEndpointController umaDeleteResourceSetRegistrationEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaDeleteResourceSetRegistrationEndpointController(umaConfigurationContext);
        }

        /** Creates the resource-set update controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaUpdateResourceSetRegistrationEndpointController umaUpdateResourceSetRegistrationEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaUpdateResourceSetRegistrationEndpointController(umaConfigurationContext);
        }

        /** Creates the resource-set lookup controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaFindResourceSetRegistrationEndpointController umaFindResourceSetRegistrationEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaFindResourceSetRegistrationEndpointController(umaConfigurationContext);
        }

        /** Creates the policy creation controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaCreatePolicyForResourceSetEndpointController umaCreatePolicyForResourceSetEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaCreatePolicyForResourceSetEndpointController(umaConfigurationContext);
        }

        /** Creates the policy deletion controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaDeletePolicyForResourceSetEndpointController umaDeletePolicyForResourceSetEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaDeletePolicyForResourceSetEndpointController(umaConfigurationContext);
        }

        /** Creates the policy update controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaUpdatePolicyForResourceSetEndpointController umaUpdatePolicyForResourceSetEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaUpdatePolicyForResourceSetEndpointController(umaConfigurationContext);
        }

        /** Creates the policy lookup controller from the shared UMA context. */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaFindPolicyForResourceSetEndpointController umaFindPolicyForResourceSetEndpointController(
                @Qualifier("umaConfigurationContext") final UmaConfigurationContext umaConfigurationContext) {
            return new UmaFindPolicyForResourceSetEndpointController(umaConfigurationContext);
        }
    }

    /**
     * Provides the factory bean behind the UMA server discovery settings.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaDiscoveryConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaDiscoveryConfiguration {
        /**
         * Creates the default discovery-settings factory from the CAS configuration properties.
         *
         * <p>Registered only when no bean named {@code umaServerDiscoverySettingsFactory} already
         * exists, so a deployment can supply its own factory under that name.
         *
         * @return a factory bean producing {@link UmaServerDiscoverySettings}
         */
        @ConditionalOnMissingBean(name = {"umaServerDiscoverySettingsFactory"})
        @Bean
        public FactoryBean<UmaServerDiscoverySettings> umaServerDiscoverySettingsFactory(
                final CasConfigurationProperties casConfigurationProperties) {
            return new UmaServerDiscoverySettingsFactory(casConfigurationProperties);
        }
    }

    /**
     * Defines the two pac4j security interceptors that authenticate bearer tokens on UMA endpoints.
     *
     * <p>This class only builds the interceptors. Which URL paths each one guards is decided in
     * {@code CasOAuthUmaWebMvcConfiguration}.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaInterceptorConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaInterceptorConfiguration {
        /**
         * Builds a security interceptor around a single header-based client.
         *
         * <p>The client reads the {@code Authorization} header with the prefix {@code "bearer "} and
         * delegates validation to the given authenticator. The interceptor is then configured with
         * the authorizer named {@code isFullyAuthenticated} and the matcher named {@code securityheaders}.
         *
         * <p>NOTE(review): the prefix literal is lowercase. Whether a header sent as {@code Bearer ...}
         * is accepted depends on how pac4j compares the prefix; confirm against the pac4j version in use.
         *
         * @param authenticator validates the extracted token
         * @param clientName name given to the header client and used as the interceptor's client list
         * @param sessionStore session store set on the pac4j config
         * @param casConfigurationProperties source of the server prefix for the callback URL
         * @return the configured interceptor
         */
        private static SecurityInterceptor getSecurityInterceptor(
                final Authenticator authenticator,
                final String clientName,
                final SessionStore sessionStore,
                final CasConfigurationProperties casConfigurationProperties) {
            final HeaderClient bearerClient = new HeaderClient("Authorization", "bearer" + " ", authenticator);
            bearerClient.setName(clientName);

            // The interceptor takes a comma-separated client list; here it holds just this one client.
            final String clientList = String.join(",", bearerClient.getName());

            final String callbackUrl = OAuth20Utils.casOAuthCallbackUrl(casConfigurationProperties.getServer().getPrefix());
            final Config pac4jConfig = new Config(callbackUrl, bearerClient);
            pac4jConfig.setSessionStore(sessionStore);

            final SecurityInterceptor interceptor = new SecurityInterceptor(pac4jConfig, clientList, JEEHttpActionAdapter.INSTANCE);
            interceptor.setAuthorizers("isFullyAuthenticated");
            interceptor.setMatchers("securityheaders");
            return interceptor;
        }

        /**
         * Interceptor whose client, named {@code CAS_UMA_CLIENT_RPT_AUTH}, authenticates with a
         * {@link UmaRequestingPartyTokenAuthenticator}.
         */
        @Bean
        public SecurityInterceptor umaRequestingPartyTokenSecurityInterceptor(
                final CasConfigurationProperties casConfigurationProperties,
                @Qualifier("oauthDistributedSessionStore") final SessionStore sessionStore,
                @Qualifier("centralAuthenticationService") final CentralAuthenticationService centralAuthenticationService,
                @Qualifier("accessTokenJwtBuilder") final JwtBuilder jwtBuilder) {
            final Authenticator rptAuthenticator = new UmaRequestingPartyTokenAuthenticator(centralAuthenticationService, jwtBuilder);
            return getSecurityInterceptor(rptAuthenticator, "CAS_UMA_CLIENT_RPT_AUTH", sessionStore, casConfigurationProperties);
        }

        /**
         * Interceptor whose client, named {@code CAS_UMA_CLIENT_AAT_AUTH}, authenticates with a
         * {@link UmaAuthorizationApiTokenAuthenticator}.
         */
        @Bean
        public SecurityInterceptor umaAuthorizationApiTokenSecurityInterceptor(
                final CasConfigurationProperties casConfigurationProperties,
                @Qualifier("oauthDistributedSessionStore") final SessionStore sessionStore,
                @Qualifier("centralAuthenticationService") final CentralAuthenticationService centralAuthenticationService,
                @Qualifier("accessTokenJwtBuilder") final JwtBuilder jwtBuilder) {
            final Authenticator aatAuthenticator = new UmaAuthorizationApiTokenAuthenticator(centralAuthenticationService, jwtBuilder);
            return getSecurityInterceptor(aatAuthenticator, "CAS_UMA_CLIENT_AAT_AUTH", sessionStore, casConfigurationProperties);
        }
    }

    /**
     * Supplies the default claim-permission examiner and resource-set repository.
     *
     * <p>Both beans are conditional on their name being absent, so a deployment that defines a bean
     * under either name replaces the default. A replacement examiner takes over the
     * claim/permission decision, so it deserves the same review as the default.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaResourcesConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaResourcesConfiguration {
        /**
         * Creates the default claim-permission examiner.
         *
         * @return a new {@link DefaultUmaResourceSetClaimPermissionExaminer}
         */
        @ConditionalOnMissingBean(name = {"umaResourceSetClaimPermissionExaminer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaResourceSetClaimPermissionExaminer umaResourceSetClaimPermissionExaminer() {
            final UmaResourceSetClaimPermissionExaminer examiner = new DefaultUmaResourceSetClaimPermissionExaminer();
            return examiner;
        }

        /**
         * Creates the default resource-set repository.
         *
         * <p>NOTE(review): where {@link DefaultResourceSetRepository} stores its data, and whether it
         * survives restarts or is shared across nodes, is not visible from this file; confirm before
         * relying on it in a clustered deployment.
         *
         * @return a new {@link DefaultResourceSetRepository}
         */
        @ConditionalOnMissingBean(name = {"umaResourceSetRepository"})
        @Bean
        public ResourceSetRepository umaResourceSetRepository() {
            final ResourceSetRepository repository = new DefaultResourceSetRepository();
            return repository;
        }
    }

    /**
     * Contributes the UMA permission ticket factory to the ticket factory execution plan.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaTicketFactoryPlanConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaTicketFactoryPlanConfiguration {
        /**
         * Returns a configurer that hands back the injected permission ticket factory.
         *
         * <p>Registered only when no bean named {@code defaultUmaPermissionTicketFactoryConfigurer}
         * is already defined.
         */
        @ConditionalOnMissingBean(name = {"defaultUmaPermissionTicketFactoryConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public TicketFactoryExecutionPlanConfigurer defaultUmaPermissionTicketFactoryConfigurer(
                @Qualifier("defaultUmaPermissionTicketFactory") final UmaPermissionTicketFactory umaPermissionTicketFactory) {
            return () -> umaPermissionTicketFactory;
        }
    }

    /**
     * Wires the pieces used to mint UMA permission tickets: id generator, expiration policy and factory.
     *
     * <p>Each bean is conditional on its name being absent, so any of the three can be overridden.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaTicketsConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaTicketsConfiguration {
        /**
         * Creates the id generator for permission tickets.
         *
         * <p>NOTE(review): how {@link DefaultUniqueTicketIdGenerator} derives identifiers is not
         * visible here. A bean that overrides this one should keep ticket ids unpredictable, since
         * the id is what later requests present to refer to the ticket.
         */
        @ConditionalOnMissingBean(name = {"umaPermissionTicketIdGenerator"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UniqueTicketIdGenerator umaPermissionTicketIdGenerator() {
            final UniqueTicketIdGenerator idGenerator = new DefaultUniqueTicketIdGenerator();
            return idGenerator;
        }

        /**
         * Creates the expiration policy builder for permission tickets from the CAS properties.
         */
        @ConditionalOnMissingBean(name = {"umaPermissionTicketExpirationPolicy"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public ExpirationPolicyBuilder umaPermissionTicketExpirationPolicy(
                final CasConfigurationProperties casConfigurationProperties) {
            return new UmaPermissionTicketExpirationPolicyBuilder(casConfigurationProperties);
        }

        /**
         * Creates the permission ticket factory from the id generator and expiration policy beans.
         */
        @ConditionalOnMissingBean(name = {"defaultUmaPermissionTicketFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UmaPermissionTicketFactory defaultUmaPermissionTicketFactory(
                @Qualifier("umaPermissionTicketIdGenerator") final UniqueTicketIdGenerator uniqueTicketIdGenerator,
                @Qualifier("umaPermissionTicketExpirationPolicy") final ExpirationPolicyBuilder expirationPolicyBuilder) {
            return new DefaultUmaPermissionTicketFactory(uniqueTicketIdGenerator, expirationPolicyBuilder);
        }
    }

    /**
     * Provides the generator for requesting party tokens.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaTokenConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaTokenConfiguration {
        /**
         * Creates the requesting-party-token generator.
         *
         * <p>The UMA context is passed as an {@link ObjectProvider} rather than directly: the
         * {@code umaConfigurationContext} bean itself takes this generator as a dependency, so the
         * context is handed over as a provider instead of a resolved instance.
         *
         * @return a new {@link UmaIdTokenGeneratorService}
         */
        @ConditionalOnMissingBean(name = {"umaRequestingPartyTokenGenerator"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public IdTokenGeneratorService umaRequestingPartyTokenGenerator(
                @Qualifier("umaConfigurationContext") final ObjectProvider<UmaConfigurationContext> objectProvider) {
            return new UmaIdTokenGeneratorService(objectProvider);
        }
    }

    /**
     * Binds the UMA bearer-token interceptors to URL path patterns.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "CasOAuthUmaWebMvcConfiguration", proxyBeanMethods = false)
    public static class CasOAuthUmaWebMvcConfiguration {
        /**
         * Registers both security interceptors, each at order 100.
         *
         * <p>The requesting-party-token interceptor covers the permission, resourceSet, policy and
         * rqpClaims patterns. The authorization-API-token interceptor covers rptAuthzRequest only.
         * No other path is registered here.
         *
         * <p>Every pattern ends in a single {@code *}. In Spring path matching a single {@code *}
         * stays within one path segment and does not match across {@code /}, so requests to deeper
         * paths under these prefixes do not reach the interceptor.
         * NOTE(review): confirm that every mapped UMA route falls under one of these patterns, or
         * that the controllers reject requests arriving without an authenticated profile.
         *
         * <p>Registered only when no bean named {@code umaWebMvcConfigurer} exists. An overriding
         * bean must re-register equivalent interceptors, otherwise these paths lose this check.
         */
        @ConditionalOnMissingBean(name = {"umaWebMvcConfigurer"})
        @Bean
        public WebMvcConfigurer umaWebMvcConfigurer(
                @Qualifier("umaAuthorizationApiTokenSecurityInterceptor") final SecurityInterceptor securityInterceptor,
                @Qualifier("umaRequestingPartyTokenSecurityInterceptor") final SecurityInterceptor securityInterceptor2) {
            // Aliases that say which token type each injected interceptor validates.
            final SecurityInterceptor aatInterceptor = securityInterceptor;
            final SecurityInterceptor rptInterceptor = securityInterceptor2;

            return new WebMvcConfigurer() {
                @Override
                public void addInterceptors(final InterceptorRegistry interceptorRegistry) {
                    interceptorRegistry.addInterceptor(rptInterceptor)
                            .order(100)
                            .addPathPatterns("/oauth2.0" + "/" + "permission" + "*")
                            .addPathPatterns("/oauth2.0" + "/" + "resourceSet" + "*")
                            .addPathPatterns("/oauth2.0" + "/*/" + "policy" + "*")
                            .addPathPatterns("/oauth2.0" + "/" + "policy" + "*")
                            .addPathPatterns("/oauth2.0" + "/" + "rqpClaims" + "*");

                    interceptorRegistry.addInterceptor(aatInterceptor)
                            .order(100)
                            .addPathPatterns("/oauth2.0" + "/" + "rptAuthzRequest" + "*");
                }
            };
        }
    }
}
