package org.apereo.cas.config;

import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ReturnAllAttributeReleasePolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.DefaultOAuthCasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.OAuthCasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.authenticator.Authenticators;
import org.apereo.cas.support.oauth.authenticator.OAuthClientAuthenticator;
import org.apereo.cas.support.oauth.authenticator.OAuthUserAuthenticator;
import org.apereo.cas.support.oauth.services.OAuthCallbackAuthorizeService;
import org.apereo.cas.support.oauth.validator.OAuth20AuthenticationRequestServiceSelectionStrategy;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.support.oauth.web.AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.ConsentApprovalViewResolver;
import org.apereo.cas.support.oauth.web.OAuth20AccessTokenController;
import org.apereo.cas.support.oauth.web.OAuth20AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.OAuth20AuthorizeController;
import org.apereo.cas.support.oauth.web.OAuth20CallbackAuthorizeController;
import org.apereo.cas.support.oauth.web.OAuth20CallbackAuthorizeViewResolver;
import org.apereo.cas.support.oauth.web.OAuth20ConsentApprovalViewResolver;
import org.apereo.cas.support.oauth.web.OAuth20HandlerInterceptorAdapter;
import org.apereo.cas.support.oauth.web.OAuth20ProfileController;
import org.apereo.cas.ticket.ExpirationPolicy;
import org.apereo.cas.ticket.UniqueTicketIdGenerator;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.accesstoken.DefaultAccessTokenFactory;
import org.apereo.cas.ticket.accesstoken.OAuthAccessTokenExpirationPolicy;
import org.apereo.cas.ticket.code.DefaultOAuthCodeFactory;
import org.apereo.cas.ticket.code.OAuthCodeExpirationPolicy;
import org.apereo.cas.ticket.code.OAuthCodeFactory;
import org.apereo.cas.ticket.refreshtoken.DefaultRefreshTokenFactory;
import org.apereo.cas.ticket.refreshtoken.OAuthRefreshTokenExpirationPolicy;
import org.apereo.cas.ticket.refreshtoken.RefreshTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.DefaultUniqueTicketIdGenerator;
import org.apereo.cas.validation.AuthenticationRequestServiceSelectionStrategy;
import org.jasig.cas.client.util.URIBuilder;
import org.pac4j.cas.client.CasClient;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.client.Client;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.http.CallbackUrlResolver;
import org.pac4j.core.redirect.RedirectAction;
import org.pac4j.http.client.direct.DirectBasicAuthClient;
import org.pac4j.http.client.direct.DirectFormClient;
import org.pac4j.springframework.web.CallbackController;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/**
 * Spring configuration that assembles the CAS OAuth 2.0 support: the pac4j security
 * configuration and its clients, the interceptors guarding {@code /oauth2.0/*}, the
 * code / access-token / refresh-token factories with their expiration policies, and the
 * endpoint controllers.
 *
 * <p>Security-relevant wiring in this class:
 * <ul>
 *   <li>which pac4j clients may authenticate a request to the token endpoints
 *       ({@link #requiresAuthenticationAccessTokenInterceptor()});</li>
 *   <li>which request parameters are copied onto the callback URL
 *       ({@link #buildOAuthCasCallbackUrlResolver()});</li>
 *   <li>the callback service registered at start-up, including its service id pattern and
 *       attribute release policy ({@link #initializeServletApplicationContext()}).</li>
 * </ul>
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("oauthConfiguration")
/* loaded from: input_file:org/apereo/cas/config/CasOAuthConfiguration.class */
public class CasOAuthConfiguration extends WebMvcConfigurerAdapter {

    /** Path of the callback-authorize endpoint, appended to the configured server prefix. */
    private static final String CALLBACK_AUTHORIZE_PATH = "/oauth2.0/callbackAuthorize";

    /** Query parameters copied from the incoming request onto the callback URL, in this order. */
    private static final String[] FORWARDED_CALLBACK_PARAMETERS = {"client_id", "redirect_uri", "acr_values"};

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("webApplicationServiceFactory")
    private ServiceFactory webApplicationServiceFactory;

    // Raw List as it appears in this listing; initializeServletApplicationContext() inserts
    // the OAuth selection strategy at index 0 of this shared list.
    @Autowired
    @Qualifier("authenticationRequestServiceSelectionStrategies")
    private List authenticationRequestServiceSelectionStrategies;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private AuthenticationSystemSupport authenticationSystemSupport;

    @Autowired
    @Qualifier("ticketRegistry")
    private TicketRegistry ticketRegistry;

    /**
     * Creates the generator used by {@link #accessTokenController()} to render token responses.
     *
     * <p>NOTE(review): this method carries {@code @ConditionalOnMissingBean} but no
     * {@code @Bean}, so as written every call constructs a new instance and a bean named
     * {@code accessTokenResponseGenerator} supplied elsewhere would not replace it. Confirm
     * whether that is intended before relying on an override.
     *
     * @return a new {@link OAuth20AccessTokenResponseGenerator}
     */
    @ConditionalOnMissingBean(name = {"accessTokenResponseGenerator"})
    public AccessTokenResponseGenerator accessTokenResponseGenerator() {
        return new OAuth20AccessTokenResponseGenerator();
    }

    /**
     * Creates the redirect-action builder that the CAS client in {@link #oauthSecConfig()}
     * calls for each redirect.
     *
     * <p>NOTE(review): like {@link #accessTokenResponseGenerator()}, this has
     * {@code @ConditionalOnMissingBean} without {@code @Bean}; the separate
     * {@link #defaultOAuthCasClientRedirectActionBuilder()} bean is not what the CAS client
     * uses. Confirm the intended override point.
     *
     * @return a new {@link DefaultOAuthCasClientRedirectActionBuilder}
     */
    @ConditionalOnMissingBean(name = {"oauthCasClientRedirectActionBuilder"})
    public OAuthCasClientRedirectActionBuilder oauthCasClientRedirectActionBuilder() {
        return new DefaultOAuthCasClientRedirectActionBuilder();
    }

    /**
     * Builds the pac4j {@link Config} holding the four clients the OAuth endpoints accept:
     * a CAS client that redirects to the CAS login URL, a Basic-auth client and a form client
     * that both check client credentials, and a form client that checks end-user credentials.
     *
     * <p>The client-credential form client reads {@code client_id} / {@code client_secret}
     * from request parameters. NOTE(review): if callers send these in the query string they
     * may end up in access logs; confirm how request parameters are logged in this deployment.
     *
     * @return the security configuration, with the callback URL set to the server prefix
     *         followed by {@code /oauth2.0/callbackAuthorize}
     */
    @Bean
    public Config oauthSecConfig() {
        CasConfiguration casConfiguration = new CasConfiguration(this.casProperties.getServer().getLoginUrl());
        CasClient casClient = new CasClient(casConfiguration) {
            protected RedirectAction retrieveRedirectAction(WebContext webContext) {
                // Delegate so the redirect is produced by the configured builder.
                return CasOAuthConfiguration.this.oauthCasClientRedirectActionBuilder().build(this, webContext);
            }
        };
        casClient.setName(Authenticators.CAS_OAUTH_CLIENT);
        casClient.setCallbackUrlResolver(buildOAuthCasCallbackUrlResolver());

        // Basic auth and the client_id/client_secret form share one client authenticator.
        Authenticator<UsernamePasswordCredentials> clientAuthenticator = oAuthClientAuthenticator();

        DirectBasicAuthClient basicAuthClient = new DirectBasicAuthClient(clientAuthenticator);
        basicAuthClient.setName(Authenticators.CAS_OAUTH_CLIENT_BASIC_AUTHN);

        DirectFormClient clientFormClient = new DirectFormClient(clientAuthenticator);
        clientFormClient.setName(Authenticators.CAS_OAUTH_CLIENT_DIRECT_FORM);
        clientFormClient.setUsernameParameter("client_id");
        clientFormClient.setPasswordParameter("client_secret");

        // End-user credentials are checked by the user authenticator instead.
        DirectFormClient userFormClient = new DirectFormClient(oAuthUserAuthenticator());
        userFormClient.setName(Authenticators.CAS_OAUTH_CLIENT_USER_FORM);

        Client[] clients = new Client[]{casClient, basicAuthClient, clientFormClient, userFormClient};
        return new Config(callbackAuthorizeUrl(), clients);
    }

    /**
     * Returns the absolute callback-authorize URL: the configured server prefix followed by
     * {@code /oauth2.0/callbackAuthorize}.
     */
    private String callbackAuthorizeUrl() {
        return this.casProperties.getServer().getPrefix().concat(CALLBACK_AUTHORIZE_PATH);
    }

    /**
     * Builds the resolver that computes the callback URL for the CAS client.
     *
     * <p>URLs that do not start with the callback-authorize URL are returned untouched.
     * Otherwise the first {@code client_id}, {@code redirect_uri} and {@code acr_values}
     * query parameters of the current request are appended to the callback URL.
     *
     * <p>NOTE(review): the copied values come straight from the incoming request and are not
     * validated here, so {@code redirect_uri} in particular is still untrusted when it
     * reaches the callback endpoint. Confirm it is checked against the registered service
     * before anything is redirected to it.
     *
     * @return the callback URL resolver
     */
    private CallbackUrlResolver buildOAuthCasCallbackUrlResolver() {
        return (callbackUrl, context) -> {
            if (!callbackUrl.startsWith(callbackAuthorizeUrl())) {
                return callbackUrl;
            }
            URIBuilder target = new URIBuilder(callbackUrl);
            URIBuilder incoming = new URIBuilder(context.getFullRequestURL());
            for (String parameterName : FORWARDED_CALLBACK_PARAMETERS) {
                copyFirstQueryParameter(incoming, target, parameterName);
            }
            return target.build().toString();
        };
    }

    /**
     * Appends to {@code target} the first query parameter of {@code source} whose name equals
     * {@code parameterName}; does nothing when {@code source} has no such parameter.
     */
    private static void copyFirstQueryParameter(URIBuilder source, URIBuilder target, String parameterName) {
        source.getQueryParams().stream()
            .filter(pair -> pair.getName().equals(parameterName))
            .findFirst()
            .ifPresent(pair -> target.addParameter(pair.getName(), pair.getValue()));
    }

    /**
     * Interceptor that requires authentication through the CAS client only.
     *
     * @return a {@link SecurityInterceptor} bound to {@code Authenticators.CAS_OAUTH_CLIENT}
     */
    @ConditionalOnMissingBean(name = {"requiresAuthenticationAuthorizeInterceptor"})
    @Bean
    public SecurityInterceptor requiresAuthenticationAuthorizeInterceptor() {
        Config securityConfig = oauthSecConfig();
        return new SecurityInterceptor(securityConfig, Authenticators.CAS_OAUTH_CLIENT);
    }

    /**
     * Provides the resolver for the consent-approval view used by the authorize controller.
     *
     * @return a new {@link OAuth20ConsentApprovalViewResolver}
     */
    @ConditionalOnMissingBean(name = {"consentApprovalViewResolver"})
    @Bean
    public ConsentApprovalViewResolver consentApprovalViewResolver() {
        return new OAuth20ConsentApprovalViewResolver();
    }

    /**
     * Provides the view resolver for the callback-authorize controller; the anonymous
     * implementation overrides nothing.
     *
     * @return an {@link OAuth20CallbackAuthorizeViewResolver} with no overridden members
     */
    @ConditionalOnMissingBean(name = {"callbackAuthorizeViewResolver"})
    @Bean
    public OAuth20CallbackAuthorizeViewResolver callbackAuthorizeViewResolver() {
        return new OAuth20CallbackAuthorizeViewResolver() {
        };
    }

    /**
     * Interceptor for token requests. It is bound to the comma-separated list of the
     * Basic-auth client, the client-credential form client and the user form client, so this
     * list is the set of authentication mechanisms offered to token requests.
     *
     * @return a {@link SecurityInterceptor} bound to those three client names
     */
    @ConditionalOnMissingBean(name = {"requiresAuthenticationAccessTokenInterceptor"})
    @Bean
    public HandlerInterceptorAdapter requiresAuthenticationAccessTokenInterceptor() {
        String clientNames = String.join(",",
            Authenticators.CAS_OAUTH_CLIENT_BASIC_AUTHN,
            Authenticators.CAS_OAUTH_CLIENT_DIRECT_FORM,
            Authenticators.CAS_OAUTH_CLIENT_USER_FORM);
        return new SecurityInterceptor(oauthSecConfig(), clientNames);
    }

    /**
     * Combines the access-token and authorize interceptors into the single interceptor that
     * {@link #addInterceptors(InterceptorRegistry)} registers. How it chooses between the two
     * per request is decided inside {@link OAuth20HandlerInterceptorAdapter}, not here.
     *
     * @return the combined OAuth interceptor
     */
    @ConditionalOnMissingBean(name = {"oauthInterceptor"})
    @Bean
    public HandlerInterceptorAdapter oauthInterceptor() {
        HandlerInterceptorAdapter accessTokenInterceptor = requiresAuthenticationAccessTokenInterceptor();
        SecurityInterceptor authorizeInterceptor = requiresAuthenticationAuthorizeInterceptor();
        return new OAuth20HandlerInterceptorAdapter(accessTokenInterceptor, authorizeInterceptor);
    }

    /**
     * Registers the OAuth interceptor for every path matching {@code /oauth2.0/*}.
     *
     * @param interceptorRegistry the MVC interceptor registry to add to
     */
    @Override
    public void addInterceptors(InterceptorRegistry interceptorRegistry) {
        interceptorRegistry.addInterceptor(oauthInterceptor()).addPathPatterns("/oauth2.0/*");
    }

    /**
     * Exposes a default redirect-action builder as a bean.
     *
     * @return a new {@link DefaultOAuthCasClientRedirectActionBuilder}
     */
    @Bean
    public OAuthCasClientRedirectActionBuilder defaultOAuthCasClientRedirectActionBuilder() {
        return new DefaultOAuthCasClientRedirectActionBuilder();
    }

    /**
     * Authenticator for OAuth client credentials, backed by the OAuth validator and the
     * services manager.
     *
     * @return the configured {@link OAuthClientAuthenticator}
     */
    @ConditionalOnMissingBean(name = {"oAuthClientAuthenticator"})
    @Bean
    public Authenticator<UsernamePasswordCredentials> oAuthClientAuthenticator() {
        OAuthClientAuthenticator authenticator = new OAuthClientAuthenticator();
        authenticator.setValidator(oAuthValidator());
        authenticator.setServicesManager(this.servicesManager);
        return authenticator;
    }

    /**
     * Authenticator for end-user credentials, backed by the CAS authentication system support.
     *
     * @return the configured {@link OAuthUserAuthenticator}
     */
    @ConditionalOnMissingBean(name = {"oAuthUserAuthenticator"})
    @Bean
    public Authenticator<UsernamePasswordCredentials> oAuthUserAuthenticator() {
        OAuthUserAuthenticator authenticator = new OAuthUserAuthenticator();
        authenticator.setAuthenticationSystemSupport(this.authenticationSystemSupport);
        return authenticator;
    }

    /**
     * Provides the OAuth request validator shared by the client authenticator and the controllers.
     *
     * @return a new {@link OAuth20Validator} using the web application service factory
     */
    @ConditionalOnMissingBean(name = {"oAuthValidator"})
    @Bean
    public OAuth20Validator oAuthValidator() {
        return new OAuth20Validator(this.webApplicationServiceFactory);
    }

    /**
     * Exposes an access-token response generator as a bean. The access-token controller in
     * this class is built with {@link #accessTokenResponseGenerator()} rather than this bean.
     *
     * @return a new {@link OAuth20AccessTokenResponseGenerator}
     */
    @ConditionalOnMissingBean(name = {"oauthAccessTokenResponseGenerator"})
    @Bean
    public AccessTokenResponseGenerator oauthAccessTokenResponseGenerator() {
        return new OAuth20AccessTokenResponseGenerator();
    }

    /**
     * Factory for access tokens, refreshable so that changed expiration settings are picked up.
     *
     * @return the factory configured with the access-token id generator and expiration policy
     */
    @ConditionalOnMissingBean(name = {"defaultAccessTokenFactory"})
    @RefreshScope
    @Bean
    public AccessTokenFactory defaultAccessTokenFactory() {
        DefaultAccessTokenFactory factory = new DefaultAccessTokenFactory();
        factory.setAccessTokenIdGenerator(accessTokenIdGenerator());
        factory.setExpirationPolicy(accessTokenExpirationPolicy());
        return factory;
    }

    /**
     * Builds the access-token expiration policy from the configured maximum time-to-live and
     * time-to-kill (both read in seconds).
     */
    private ExpirationPolicy accessTokenExpirationPolicy() {
        long maxTimeToLive = this.casProperties.getAuthn().getOauth().getAccessToken().getMaxTimeToLiveInSeconds();
        long timeToKill = this.casProperties.getAuthn().getOauth().getAccessToken().getTimeToKillInSeconds();
        return new OAuthAccessTokenExpirationPolicy(maxTimeToLive, timeToKill);
    }

    /**
     * Builds the authorization-code expiration policy from the configured number of uses and
     * time-to-kill.
     *
     * <p>NOTE(review): authorization codes are normally meant to be redeemed once; confirm
     * the configured number of uses reflects that.
     */
    private ExpirationPolicy oAuthCodeExpirationPolicy() {
        return new OAuthCodeExpirationPolicy(
            this.casProperties.getAuthn().getOauth().getCode().getNumberOfUses(),
            this.casProperties.getAuthn().getOauth().getCode().getTimeToKillInSeconds());
    }

    /**
     * Id generator for authorization codes.
     *
     * <p>NOTE(review): the generated id is presumably the code value handed to clients;
     * confirm {@link DefaultUniqueTicketIdGenerator} draws from a cryptographically strong
     * random source.
     *
     * @return a new {@link DefaultUniqueTicketIdGenerator}
     */
    @Bean
    public UniqueTicketIdGenerator oAuthCodeIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    /**
     * Id generator for refresh tokens.
     *
     * @return a new {@link DefaultUniqueTicketIdGenerator}
     */
    @Bean
    public UniqueTicketIdGenerator refreshTokenIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    /**
     * Factory for authorization codes, refreshable so that changed expiration settings are
     * picked up.
     *
     * @return the factory configured with the code expiration policy and id generator
     */
    @ConditionalOnMissingBean(name = {"defaultOAuthCodeFactory"})
    @RefreshScope
    @Bean
    public OAuthCodeFactory defaultOAuthCodeFactory() {
        DefaultOAuthCodeFactory factory = new DefaultOAuthCodeFactory();
        factory.setExpirationPolicy(oAuthCodeExpirationPolicy());
        factory.setoAuthCodeIdGenerator(oAuthCodeIdGenerator());
        return factory;
    }

    /**
     * Controller behind the callback-authorize endpoint.
     *
     * @return the controller wired with the shared collaborators, the security config, the
     *         pac4j callback controller and the callback view resolver
     */
    @ConditionalOnMissingBean(name = {"callbackAuthorizeController"})
    @Bean
    public OAuth20CallbackAuthorizeController callbackAuthorizeController() {
        return new OAuth20CallbackAuthorizeController(
            this.servicesManager,
            this.ticketRegistry,
            oAuthValidator(),
            defaultAccessTokenFactory(),
            oauthPrincipalFactory(),
            this.webApplicationServiceFactory,
            oauthSecConfig(),
            callbackController(),
            callbackAuthorizeViewResolver());
    }

    /**
     * Controller that issues access tokens.
     *
     * @return the controller wired with the shared collaborators, the refresh-token factory
     *         and the response generator from {@link #accessTokenResponseGenerator()}
     */
    @ConditionalOnMissingBean(name = {"accessTokenController"})
    @Bean
    public OAuth20AccessTokenController accessTokenController() {
        return new OAuth20AccessTokenController(
            this.servicesManager,
            this.ticketRegistry,
            oAuthValidator(),
            defaultAccessTokenFactory(),
            oauthPrincipalFactory(),
            this.webApplicationServiceFactory,
            defaultRefreshTokenFactory(),
            accessTokenResponseGenerator());
    }

    /**
     * Controller behind the profile endpoint.
     *
     * @return the controller wired with the shared collaborators
     */
    @ConditionalOnMissingBean(name = {"profileController"})
    @Bean
    public OAuth20ProfileController profileController() {
        return new OAuth20ProfileController(
            this.servicesManager,
            this.ticketRegistry,
            oAuthValidator(),
            defaultAccessTokenFactory(),
            oauthPrincipalFactory(),
            this.webApplicationServiceFactory);
    }

    /**
     * Controller behind the authorize endpoint.
     *
     * @return the controller wired with the shared collaborators, the authorization-code
     *         factory and the consent-approval view resolver
     */
    @ConditionalOnMissingBean(name = {"authorizeController"})
    @Bean
    public OAuth20AuthorizeController authorizeController() {
        return new OAuth20AuthorizeController(
            this.servicesManager,
            this.ticketRegistry,
            oAuthValidator(),
            defaultAccessTokenFactory(),
            oauthPrincipalFactory(),
            this.webApplicationServiceFactory,
            defaultOAuthCodeFactory(),
            consentApprovalViewResolver());
    }

    /**
     * Principal factory handed to the OAuth controllers.
     *
     * @return a new {@link DefaultPrincipalFactory}
     */
    @Bean
    public PrincipalFactory oauthPrincipalFactory() {
        return new DefaultPrincipalFactory();
    }

    /**
     * Factory for refresh tokens, refreshable so that changed expiration settings are picked up.
     *
     * @return the factory configured with the refresh-token expiration policy and id generator
     */
    @ConditionalOnMissingBean(name = {"defaultRefreshTokenFactory"})
    @RefreshScope
    @Bean
    public RefreshTokenFactory defaultRefreshTokenFactory() {
        DefaultRefreshTokenFactory factory = new DefaultRefreshTokenFactory();
        factory.setExpirationPolicy(refreshTokenExpirationPolicy());
        factory.setRefreshTokenIdGenerator(refreshTokenIdGenerator());
        return factory;
    }

    /** Builds the refresh-token expiration policy from the configured time-to-kill (seconds). */
    private ExpirationPolicy refreshTokenExpirationPolicy() {
        return new OAuthRefreshTokenExpirationPolicy(
            this.casProperties.getAuthn().getOauth().getRefreshToken().getTimeToKillInSeconds());
    }

    /**
     * Service selection strategy for OAuth authentication requests, backed by the services
     * manager and the web application service factory.
     *
     * @return the configured selection strategy
     */
    @ConditionalOnMissingBean(name = {"oauth20AuthenticationRequestServiceSelectionStrategy"})
    @Bean
    public AuthenticationRequestServiceSelectionStrategy oauth20AuthenticationRequestServiceSelectionStrategy() {
        OAuth20AuthenticationRequestServiceSelectionStrategy strategy = new OAuth20AuthenticationRequestServiceSelectionStrategy();
        strategy.setServicesManager(this.servicesManager);
        strategy.setWebApplicationServiceFactory(this.webApplicationServiceFactory);
        return strategy;
    }

    /**
     * pac4j callback controller bound to the OAuth security configuration.
     *
     * @return the configured {@link CallbackController}
     */
    @Bean
    public CallbackController callbackController() {
        CallbackController controller = new CallbackController();
        controller.setConfig(oauthSecConfig());
        return controller;
    }

    /**
     * Id generator for access tokens.
     *
     * <p>NOTE(review): the generated id is presumably the token value presented by clients;
     * confirm {@link DefaultUniqueTicketIdGenerator} draws from a cryptographically strong
     * random source.
     *
     * @return a new {@link DefaultUniqueTicketIdGenerator}
     */
    @Bean
    public UniqueTicketIdGenerator accessTokenIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    /**
     * Start-up hook: makes sure the callback-authorize service is registered, then puts the
     * OAuth service selection strategy at the head of the shared strategy list.
     *
     * <p>The service id is the server prefix followed by {@code /oauth2.0/callbackAuthorize.*}.
     * A new {@link OAuthCallbackAuthorizeService} is saved (and the registry reloaded) unless
     * the services manager already returns a service with exactly that id.
     *
     * <p>NOTE(review), worth confirming for each deployment:
     * <ul>
     *   <li>The trailing {@code .*} suggests the id is matched as a regular expression, yet
     *       the server prefix is inserted unescaped, so characters such as {@code .} in the
     *       host name would match any character and the pattern could cover more URLs than
     *       the callback endpoint. Quoting the prefix here would also change the id that the
     *       lookup above compares against, so it needs a migration plan rather than a
     *       one-line change.</li>
     *   <li>The service is saved with {@link ReturnAllAttributeReleasePolicy} and evaluation
     *       order {@code Integer.MIN_VALUE}; anything matching the pattern is handed to a
     *       policy that, by its name, releases every attribute. Check that this is no wider
     *       than the callback flow needs.</li>
     * </ul>
     */
    @PostConstruct
    public void initializeServletApplicationContext() {
        String callbackServiceId = this.casProperties.getServer().getPrefix() + CALLBACK_AUTHORIZE_PATH + ".*";
        RegisteredService existing = this.servicesManager.findServiceBy(this.webApplicationServiceFactory.createService(callbackServiceId));
        boolean alreadyRegistered = existing != null && existing.getServiceId().equals(callbackServiceId);
        if (!alreadyRegistered) {
            OAuthCallbackAuthorizeService callbackService = new OAuthCallbackAuthorizeService();
            callbackService.setName("OAuth Callback url");
            callbackService.setDescription("OAuth Wrapper Callback Url");
            callbackService.setServiceId(callbackServiceId);
            callbackService.setEvaluationOrder(Integer.MIN_VALUE);
            callbackService.setAttributeReleasePolicy(new ReturnAllAttributeReleasePolicy());
            this.servicesManager.save(callbackService);
            this.servicesManager.load();
        }
        // Index 0 places the OAuth strategy ahead of every strategy already in the list.
        this.authenticationRequestServiceSelectionStrategies.add(0, oauth20AuthenticationRequestServiceSelectionStrategy());
    }
}
