package org.apereo.cas.config;

import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.oauth.OAuthProperties;
import org.apereo.cas.services.DenyAllAttributeReleasePolicy;
import org.apereo.cas.services.RegexRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.authenticator.Authenticators;
import org.apereo.cas.support.oauth.authenticator.OAuth20CasAuthenticationBuilder;
import org.apereo.cas.support.oauth.authenticator.OAuthClientAuthenticator;
import org.apereo.cas.support.oauth.authenticator.OAuthUserAuthenticator;
import org.apereo.cas.support.oauth.profile.DefaultOAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.OAuth20AuthorizationCodeResponseTypeRequestValidator;
import org.apereo.cas.support.oauth.validator.OAuth20ClientCredentialsGrantTypeRequestValidator;
import org.apereo.cas.support.oauth.validator.OAuth20IdTokenResponseTypeRequestValidator;
import org.apereo.cas.support.oauth.validator.OAuth20PasswordGrantTypeRequestValidator;
import org.apereo.cas.support.oauth.validator.OAuth20RefreshTokenGrantTypeRequestValidator;
import org.apereo.cas.support.oauth.validator.OAuth20RequestValidator;
import org.apereo.cas.support.oauth.validator.OAuth20TokenResponseTypeRequestValidator;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver;
import org.apereo.cas.support.oauth.web.OAuth20HandlerInterceptorAdapter;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20UserProfileControllerController;
import org.apereo.cas.support.oauth.web.response.OAuth20CasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.web.response.OAuth20DefaultCasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.web.response.accesstoken.AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20DefaultTokenGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20ClientCredentialsResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20ResourceOwnerCredentialsResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20TokenAuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.views.ConsentApprovalViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20CallbackAuthorizeViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20ConsentApprovalViewResolver;
import org.apereo.cas.ticket.ExpirationPolicy;
import org.apereo.cas.ticket.UniqueTicketIdGenerator;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.accesstoken.DefaultAccessTokenFactory;
import org.apereo.cas.ticket.accesstoken.OAuthAccessTokenExpirationPolicy;
import org.apereo.cas.ticket.code.DefaultOAuthCodeFactory;
import org.apereo.cas.ticket.code.OAuthCodeExpirationPolicy;
import org.apereo.cas.ticket.code.OAuthCodeFactory;
import org.apereo.cas.ticket.refreshtoken.DefaultRefreshTokenFactory;
import org.apereo.cas.ticket.refreshtoken.OAuthRefreshTokenExpirationPolicy;
import org.apereo.cas.ticket.refreshtoken.RefreshTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.DefaultUniqueTicketIdGenerator;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.pac4j.cas.client.CasClient;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.client.Client;
import org.pac4j.core.config.Config;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.http.UrlResolver;
import org.pac4j.http.client.direct.DirectBasicAuthClient;
import org.pac4j.http.client.direct.DirectFormClient;
import org.pac4j.springframework.web.CallbackController;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

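@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("oauthConfiguration")
/* loaded from: input_file:org/apereo/cas/config/CasOAuthConfiguration.class */
/**
 * Spring configuration for the CAS OAuth 2.0 server support.
 *
 * <p>It wires three security-relevant pieces together:
 * <ul>
 *   <li>a pac4j {@link Config} ({@link #oauthSecConfig()}) holding the clients used to authenticate
 *       end users (CAS login, for the authorize endpoint) and OAuth clients (HTTP Basic, form
 *       {@code client_id}/{@code client_secret}, or resource-owner username/password, for the
 *       access-token endpoint);</li>
 *   <li>the token factories, id generators and expiration policies for authorization codes,
 *       access tokens and refresh tokens, all driven by {@code cas.authn.oauth.*} properties;</li>
 *   <li>the controllers behind {@code /oauth2.0/*} plus the interceptor that guards them.</li>
 * </ul>
 * On startup it also registers the internal {@code callbackAuthorize} URL as a service definition
 * with a deny-all attribute release policy, so the CAS-to-OAuth callback hop never leaks attributes.
 *
 * <p>Most beans are {@code @ConditionalOnMissingBean} so deployers can override them by name.
 * Every bean method here is invoked through the {@code @Configuration} CGLIB proxy, so repeated
 * calls such as {@code oauthSecConfig()} return the same singleton.
 */
public class CasOAuthConfiguration extends WebMvcConfigurerAdapter {

    /** Used to collect all response builders / request validators registered anywhere in the context. */
    @Autowired
    private ApplicationContext applicationContext;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private CentralAuthenticationService centralAuthenticationService;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("webApplicationServiceFactory")
    private ServiceFactory webApplicationServiceFactory;

    /** Registry of registered services; every OAuth client must be a registered service. */
    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private AuthenticationSystemSupport authenticationSystemSupport;

    /** Backing store for codes, access tokens and refresh tokens (they are CAS tickets). */
    @Autowired
    @Qualifier("ticketRegistry")
    private TicketRegistry ticketRegistry;

    @Autowired
    @Qualifier("ticketGrantingTicketCookieGenerator")
    private CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;

    /**
     * Renders the JSON access-token response.
     * NOTE(review): {@link #oauthAccessTokenResponseGenerator()} builds an identical instance under a
     * second bean name; the controllers in this file only consume this one.
     */
    @ConditionalOnMissingBean(name = {"accessTokenResponseGenerator"})
    @Bean
    public AccessTokenResponseGenerator accessTokenResponseGenerator() {
        return new OAuth20AccessTokenResponseGenerator();
    }

    /**
     * Builds the redirect that sends an unauthenticated browser from the authorize endpoint to CAS login.
     * NOTE(review): {@link #defaultOAuthCasClientRedirectActionBuilder()} is a duplicate bean of the same type.
     */
    @ConditionalOnMissingBean(name = {"oauthCasClientRedirectActionBuilder"})
    @Bean
    public OAuth20CasClientRedirectActionBuilder oauthCasClientRedirectActionBuilder() {
        return new OAuth20DefaultCasClientRedirectActionBuilder();
    }

    /**
     * Resolves the pac4j callback URL to the fixed CAS OAuth callback derived from {@code cas.server.prefix},
     * rather than from anything in the incoming request.
     */
    @RefreshScope
    @Bean
    public UrlResolver casCallbackUrlResolver() {
        final String callbackUrl = OAuth20Utils.casOAuthCallbackUrl(this.casProperties.getServer().getPrefix());
        return new OAuth20CasCallbackUrlResolver(callbackUrl);
    }

    /**
     * pac4j security configuration holding the four clients used by the OAuth endpoints.
     *
     * <ul>
     *   <li>{@code CAS_OAUTH_CLIENT}: indirect CAS client that authenticates the end user against the CAS
     *       login URL; used by {@link #requiresAuthenticationAuthorizeInterceptor()}.</li>
     *   <li>{@code CAS_OAUTH_CLIENT_BASIC_AUTHN}: OAuth client credentials via HTTP Basic.</li>
     *   <li>{@code CAS_OAUTH_CLIENT_DIRECT_FORM}: OAuth client credentials via the {@code client_id} /
     *       {@code client_secret} form parameters.</li>
     *   <li>{@code CAS_OAUTH_CLIENT_USER_FORM}: resource-owner username/password posted directly to the token
     *       endpoint (password grant). No parameter names are set here, so pac4j's defaults apply —
     *       presumably {@code username}/{@code password}; verify against the pac4j version in use.</li>
     * </ul>
     * The last three are what {@link #requiresAuthenticationAccessTokenInterceptor()} accepts.
     */
    @RefreshScope
    @Bean
    public Config oauthSecConfig() {
        final CasClient casClient = new CasClient(new CasConfiguration(this.casProperties.getServer().getLoginUrl()));
        casClient.setRedirectActionBuilder(webContext -> oauthCasClientRedirectActionBuilder().build(casClient, webContext));
        casClient.setName(Authenticators.CAS_OAUTH_CLIENT);
        casClient.setUrlResolver(casCallbackUrlResolver());

        // Both direct client-credential clients share one authenticator that checks client_id/client_secret
        // against the registered service.
        final Authenticator<UsernamePasswordCredentials> clientAuthenticator = oAuthClientAuthenticator();

        final DirectBasicAuthClient basicAuthClient = new DirectBasicAuthClient(clientAuthenticator);
        basicAuthClient.setName(Authenticators.CAS_OAUTH_CLIENT_BASIC_AUTHN);

        final DirectFormClient clientFormClient = new DirectFormClient(clientAuthenticator);
        clientFormClient.setName(Authenticators.CAS_OAUTH_CLIENT_DIRECT_FORM);
        clientFormClient.setUsernameParameter("client_id");
        clientFormClient.setPasswordParameter("client_secret");

        final DirectFormClient userFormClient = new DirectFormClient(oAuthUserAuthenticator());
        userFormClient.setName(Authenticators.CAS_OAUTH_CLIENT_USER_FORM);

        final String callbackUrl = OAuth20Utils.casOAuthCallbackUrl(this.casProperties.getServer().getPrefix());
        return new Config(callbackUrl, casClient, basicAuthClient, clientFormClient, userFormClient);
    }

    /** Interceptor for the authorize endpoint: requires an end-user session via the CAS client only. */
    @ConditionalOnMissingBean(name = {"requiresAuthenticationAuthorizeInterceptor"})
    @RefreshScope
    @Bean
    public SecurityInterceptor requiresAuthenticationAuthorizeInterceptor() {
        return new SecurityInterceptor(oauthSecConfig(), Authenticators.CAS_OAUTH_CLIENT);
    }

    /** Resolves the consent/approval view shown before an authorization is granted. */
    @ConditionalOnMissingBean(name = {"consentApprovalViewResolver"})
    @RefreshScope
    @Bean
    public ConsentApprovalViewResolver consentApprovalViewResolver() {
        return new OAuth20ConsentApprovalViewResolver(this.casProperties);
    }

    /** Default callback-authorize view resolver; relies entirely on the type's default behaviour. */
    @ConditionalOnMissingBean(name = {"callbackAuthorizeViewResolver"})
    @RefreshScope
    @Bean
    public OAuth20CallbackAuthorizeViewResolver callbackAuthorizeViewResolver() {
        return new OAuth20CallbackAuthorizeViewResolver() { // from class: org.apereo.cas.config.CasOAuthConfiguration.1
        };
    }

    /**
     * Interceptor for the access-token endpoint. The caller must authenticate with one of the three direct
     * clients (HTTP Basic, client form, or resource-owner form); pac4j takes the list as a comma-separated
     * string of client names.
     */
    @ConditionalOnMissingBean(name = {"requiresAuthenticationAccessTokenInterceptor"})
    @RefreshScope
    @Bean
    public SecurityInterceptor requiresAuthenticationAccessTokenInterceptor() {
        final String clients = String.join(",",
            Authenticators.CAS_OAUTH_CLIENT_BASIC_AUTHN,
            Authenticators.CAS_OAUTH_CLIENT_DIRECT_FORM,
            Authenticators.CAS_OAUTH_CLIENT_USER_FORM);
        return new SecurityInterceptor(oauthSecConfig(), clients);
    }

    /** Dispatches to the access-token or authorize interceptor depending on the request. */
    @ConditionalOnMissingBean(name = {"oauthInterceptor"})
    @RefreshScope
    @Bean
    public HandlerInterceptorAdapter oauthInterceptor() {
        return new OAuth20HandlerInterceptorAdapter(requiresAuthenticationAccessTokenInterceptor(), requiresAuthenticationAuthorizeInterceptor());
    }

    /**
     * Registers {@link #oauthInterceptor()} on {@code /oauth2.0/*}.
     * NOTE(review): a single {@code *} covers one path segment below {@code /oauth2.0}; any endpoint mapped
     * deeper than that would bypass this interceptor — confirm no such mapping exists.
     */
    @Override
    public void addInterceptors(final InterceptorRegistry interceptorRegistry) {
        interceptorRegistry.addInterceptor(oauthInterceptor()).addPathPatterns("/oauth2.0/*");
    }

    /** Second redirect-action builder bean of the same default type (see {@link #oauthCasClientRedirectActionBuilder()}). */
    @RefreshScope
    @Bean
    public OAuth20CasClientRedirectActionBuilder defaultOAuthCasClientRedirectActionBuilder() {
        return new OAuth20DefaultCasClientRedirectActionBuilder();
    }

    /** Authenticates OAuth clients (client_id/client_secret) against the registered services. */
    @ConditionalOnMissingBean(name = {"oAuthClientAuthenticator"})
    @RefreshScope
    @Bean
    public Authenticator<UsernamePasswordCredentials> oAuthClientAuthenticator() {
        return new OAuthClientAuthenticator(oAuthValidator(), this.servicesManager);
    }

    /** Authenticates resource owners (end users) through the CAS authentication system for the password grant. */
    @ConditionalOnMissingBean(name = {"oAuthUserAuthenticator"})
    @RefreshScope
    @Bean
    public Authenticator<UsernamePasswordCredentials> oAuthUserAuthenticator() {
        return new OAuthUserAuthenticator(this.authenticationSystemSupport, this.servicesManager, this.webApplicationServiceFactory);
    }

    /** Shared validator used by the client authenticator, the controllers and every request validator. */
    @ConditionalOnMissingBean(name = {"oAuthValidator"})
    @RefreshScope
    @Bean
    public OAuth20Validator oAuthValidator() {
        return new OAuth20Validator(this.webApplicationServiceFactory);
    }

    /** Refresh-scoped duplicate of {@link #accessTokenResponseGenerator()}; kept for bean-name compatibility. */
    @ConditionalOnMissingBean(name = {"oauthAccessTokenResponseGenerator"})
    @RefreshScope
    @Bean
    public AccessTokenResponseGenerator oauthAccessTokenResponseGenerator() {
        return new OAuth20AccessTokenResponseGenerator();
    }

    /** Factory for access tokens, combining {@link #accessTokenIdGenerator()} and {@link #accessTokenExpirationPolicy()}. */
    @ConditionalOnMissingBean(name = {"defaultAccessTokenFactory"})
    @RefreshScope
    @Bean
    public AccessTokenFactory defaultAccessTokenFactory() {
        return new DefaultAccessTokenFactory(accessTokenIdGenerator(), accessTokenExpirationPolicy());
    }

    /** Access-token lifetime from {@code cas.authn.oauth.accessToken.maxTimeToLiveInSeconds} / {@code timeToKillInSeconds}. */
    @ConditionalOnMissingBean(name = {"accessTokenExpirationPolicy"})
    @RefreshScope
    @Bean
    public ExpirationPolicy accessTokenExpirationPolicy() {
        final OAuthProperties oauth = this.casProperties.getAuthn().getOauth();
        return new OAuthAccessTokenExpirationPolicy(
            oauth.getAccessToken().getMaxTimeToLiveInSeconds(),
            oauth.getAccessToken().getTimeToKillInSeconds());
    }

    /** Authorization-code lifetime: bounded by both a number of uses and a time-to-kill from {@code cas.authn.oauth.code.*}. */
    private ExpirationPolicy oAuthCodeExpirationPolicy() {
        final OAuthProperties oauth = this.casProperties.getAuthn().getOauth();
        return new OAuthCodeExpirationPolicy(
            oauth.getCode().getNumberOfUses(),
            oauth.getCode().getTimeToKillInSeconds());
    }

    /**
     * Id generator for authorization codes.
     * NOTE(review): the default constructor is used, so code length and randomness source are whatever
     * {@link DefaultUniqueTicketIdGenerator} defaults to — verify that default is a CSPRNG-backed generator.
     */
    @ConditionalOnMissingBean(name = {"oAuthCodeIdGenerator"})
    @RefreshScope
    @Bean
    public UniqueTicketIdGenerator oAuthCodeIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    /** Id generator for refresh tokens; same defaults caveat as {@link #oAuthCodeIdGenerator()}. */
    @ConditionalOnMissingBean(name = {"refreshTokenIdGenerator"})
    @RefreshScope
    @Bean
    public UniqueTicketIdGenerator refreshTokenIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    /** Factory for authorization codes. */
    @ConditionalOnMissingBean(name = {"defaultOAuthCodeFactory"})
    @RefreshScope
    @Bean
    public OAuthCodeFactory defaultOAuthCodeFactory() {
        return new DefaultOAuthCodeFactory(oAuthCodeIdGenerator(), oAuthCodeExpirationPolicy());
    }

    /** Filters the principal's attributes down to what the requested scopes permit. */
    @ConditionalOnMissingBean(name = {"profileScopeToAttributesFilter"})
    @Bean
    public OAuth20ProfileScopeToAttributesFilter profileScopeToAttributesFilter() {
        return new DefaultOAuth20ProfileScopeToAttributesFilter();
    }

    /** Controller handling the return from CAS login back into the OAuth authorize flow. */
    @ConditionalOnMissingBean(name = {"callbackAuthorizeController"})
    @RefreshScope
    @Bean
    public OAuth20CallbackAuthorizeEndpointController callbackAuthorizeController() {
        return new OAuth20CallbackAuthorizeEndpointController(
            this.servicesManager,
            this.ticketRegistry,
            oAuthValidator(),
            defaultAccessTokenFactory(),
            oauthPrincipalFactory(),
            this.webApplicationServiceFactory,
            oauthSecConfig(),
            callbackController(),
            callbackAuthorizeViewResolver(),
            profileScopeToAttributesFilter(),
            this.casProperties,
            this.ticketGrantingTicketCookieGenerator);
    }

    /** Generates access and refresh tokens and stores them in the ticket registry. */
    @ConditionalOnMissingBean(name = {"oauthTokenGenerator"})
    @RefreshScope
    @Bean
    public OAuth20TokenGenerator oauthTokenGenerator() {
        return new OAuth20DefaultTokenGenerator(defaultAccessTokenFactory(), this.ticketRegistry, defaultRefreshTokenFactory());
    }

    /** The {@code /oauth2.0/accessToken} controller. */
    @ConditionalOnMissingBean(name = {"accessTokenController"})
    @RefreshScope
    @Bean
    public OAuth20AccessTokenEndpointController accessTokenController() {
        return new OAuth20AccessTokenEndpointController(
            this.servicesManager,
            this.ticketRegistry,
            oAuthValidator(),
            defaultAccessTokenFactory(),
            oauthPrincipalFactory(),
            this.webApplicationServiceFactory,
            oauthTokenGenerator(),
            accessTokenResponseGenerator(),
            profileScopeToAttributesFilter(),
            this.casProperties,
            this.ticketGrantingTicketCookieGenerator,
            oauthCasAuthenticationBuilder(),
            this.centralAuthenticationService,
            accessTokenExpirationPolicy());
    }

    /** The {@code /oauth2.0/profile} controller; attribute release is scope-filtered. */
    @ConditionalOnMissingBean(name = {"profileController"})
    @RefreshScope
    @Bean
    public OAuth20UserProfileControllerController profileController() {
        return new OAuth20UserProfileControllerController(
            this.servicesManager,
            this.ticketRegistry,
            oAuthValidator(),
            defaultAccessTokenFactory(),
            oauthPrincipalFactory(),
            this.webApplicationServiceFactory,
            profileScopeToAttributesFilter(),
            this.casProperties,
            this.ticketGrantingTicketCookieGenerator);
    }

    /** All {@link OAuth20AuthorizationResponseBuilder} beans in the context, including those defined elsewhere. */
    @ConditionalOnMissingBean(name = {"oauthAuthorizationResponseBuilders"})
    @RefreshScope
    @Bean
    public Set<OAuth20AuthorizationResponseBuilder> oauthAuthorizationResponseBuilders() {
        return new HashSet<>(this.applicationContext.getBeansOfType(OAuth20AuthorizationResponseBuilder.class, false, true).values());
    }

    /** All {@link OAuth20RequestValidator} beans in the context, including those defined elsewhere. */
    @ConditionalOnMissingBean(name = {"oauthRequestValidators"})
    @RefreshScope
    @Bean
    public Set<OAuth20RequestValidator> oauthRequestValidators() {
        return new HashSet<>(this.applicationContext.getBeansOfType(OAuth20RequestValidator.class, false, true).values());
    }

    /** Validates {@code grant_type=client_credentials} requests. */
    @RefreshScope
    @Bean
    public OAuth20RequestValidator oauthClientCredentialsGrantTypeRequestValidator() {
        return new OAuth20ClientCredentialsGrantTypeRequestValidator(this.servicesManager, oAuthValidator());
    }

    /** Validates {@code response_type=code} requests. */
    @RefreshScope
    @Bean
    public OAuth20RequestValidator oauthAuthorizationCodeResponseTypeRequestValidator() {
        return new OAuth20AuthorizationCodeResponseTypeRequestValidator(this.servicesManager, oAuthValidator());
    }

    /** Validates {@code response_type=token} (implicit) requests. */
    @RefreshScope
    @Bean
    public OAuth20RequestValidator oauthTokenResponseTypeRequestValidator() {
        return new OAuth20TokenResponseTypeRequestValidator(this.servicesManager, oAuthValidator());
    }

    /** Validates {@code response_type=id_token} requests. */
    @RefreshScope
    @Bean
    public OAuth20RequestValidator oauthIdTokenResponseTypeRequestValidator() {
        return new OAuth20IdTokenResponseTypeRequestValidator(this.servicesManager, oAuthValidator());
    }

    /** Validates {@code grant_type=password} requests. */
    @RefreshScope
    @Bean
    public OAuth20RequestValidator oauthPasswordGrantTypeRequestValidator() {
        return new OAuth20PasswordGrantTypeRequestValidator(this.servicesManager, oAuthValidator());
    }

    /** Validates {@code grant_type=refresh_token} requests. */
    @RefreshScope
    @Bean
    public OAuth20RequestValidator oauthRefreshTokenGrantTypeRequestValidator() {
        return new OAuth20RefreshTokenGrantTypeRequestValidator(this.servicesManager, oAuthValidator());
    }

    /** Builds the token response for the resource-owner password grant. */
    @RefreshScope
    @Bean
    public OAuth20AuthorizationResponseBuilder oauthResourceOwnerCredentialsResponseBuilder() {
        return new OAuth20ResourceOwnerCredentialsResponseBuilder(accessTokenResponseGenerator(), oauthTokenGenerator(), accessTokenExpirationPolicy());
    }

    /** Builds the token response for the client-credentials grant. */
    @RefreshScope
    @Bean
    public OAuth20AuthorizationResponseBuilder oauthClientCredentialsResponseBuilder() {
        return new OAuth20ClientCredentialsResponseBuilder(accessTokenResponseGenerator(), oauthTokenGenerator(), accessTokenExpirationPolicy());
    }

    /** Builds the implicit-grant ({@code response_type=token}) redirect. */
    @RefreshScope
    @Bean
    public OAuth20AuthorizationResponseBuilder oauthTokenResponseBuilder() {
        return new OAuth20TokenAuthorizationResponseBuilder(oauthTokenGenerator(), accessTokenExpirationPolicy());
    }

    /** Builds the authorization-code redirect, persisting the code in the ticket registry. */
    @RefreshScope
    @Bean
    public OAuth20AuthorizationResponseBuilder oauthAuthorizationCodeResponseBuilder() {
        return new OAuth20AuthorizationCodeAuthorizationResponseBuilder(this.ticketRegistry, defaultOAuthCodeFactory());
    }

    /** The {@code /oauth2.0/authorize} controller; uses the context-wide sets of validators and response builders. */
    @ConditionalOnMissingBean(name = {"authorizeController"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizeEndpointController authorizeController() {
        return new OAuth20AuthorizeEndpointController(
            this.servicesManager,
            this.ticketRegistry,
            oAuthValidator(),
            defaultAccessTokenFactory(),
            oauthPrincipalFactory(),
            this.webApplicationServiceFactory,
            defaultOAuthCodeFactory(),
            consentApprovalViewResolver(),
            profileScopeToAttributesFilter(),
            this.casProperties,
            this.ticketGrantingTicketCookieGenerator,
            oauthCasAuthenticationBuilder(),
            oauthAuthorizationResponseBuilders(),
            oauthRequestValidators());
    }

    /** Principal factory used when materialising OAuth principals. */
    @ConditionalOnMissingBean(name = {"oauthPrincipalFactory"})
    @RefreshScope
    @Bean
    public PrincipalFactory oauthPrincipalFactory() {
        return new DefaultPrincipalFactory();
    }

    /** Factory for refresh tokens. */
    @ConditionalOnMissingBean(name = {"defaultRefreshTokenFactory"})
    @RefreshScope
    @Bean
    public RefreshTokenFactory defaultRefreshTokenFactory() {
        return new DefaultRefreshTokenFactory(refreshTokenIdGenerator(), refreshTokenExpirationPolicy());
    }

    /** Refresh-token lifetime from {@code cas.authn.oauth.refreshToken.timeToKillInSeconds}. */
    private ExpirationPolicy refreshTokenExpirationPolicy() {
        final long timeToKill = this.casProperties.getAuthn().getOauth().getRefreshToken().getTimeToKillInSeconds();
        return new OAuthRefreshTokenExpirationPolicy(timeToKill);
    }

    /** Builds a CAS authentication from the pac4j profile produced by the OAuth clients. */
    @ConditionalOnMissingBean(name = {"oauthCasAuthenticationBuilder"})
    @RefreshScope
    @Bean
    public OAuth20CasAuthenticationBuilder oauthCasAuthenticationBuilder() {
        return new OAuth20CasAuthenticationBuilder(oauthPrincipalFactory(), this.webApplicationServiceFactory, profileScopeToAttributesFilter(), this.casProperties);
    }

    /** pac4j callback controller bound to {@link #oauthSecConfig()}; completes the CAS client round-trip. */
    @RefreshScope
    @Bean
    public CallbackController callbackController() {
        final CallbackController controller = new CallbackController();
        controller.setConfig(oauthSecConfig());
        return controller;
    }

    /** Id generator for access tokens; same defaults caveat as {@link #oAuthCodeIdGenerator()}. */
    @ConditionalOnMissingBean(name = {"accessTokenIdGenerator"})
    @RefreshScope
    @Bean
    public UniqueTicketIdGenerator accessTokenIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    /**
     * Ensures the internal CAS-to-OAuth callback URL is itself a registered service.
     *
     * <p>The callback ({@code <prefix>/oauth2.0/callbackAuthorize.*}, a regex) must be an authorized
     * service for CAS login to redirect back to it. The definition created here is deliberately locked
     * down: evaluation order 0 so it is matched first, and a {@link DenyAllAttributeReleasePolicy} so no
     * principal attributes are released to this internal hop. If a service whose id is exactly this
     * pattern already exists, nothing is changed. The lookup uses the same string as both the URL to
     * match and the expected service id, so a broader pre-existing pattern that happens to match the
     * callback would be left alone and a new, exact definition added alongside it.
     */
    @PostConstruct
    public void initializeServletApplicationContext() {
        final String callbackPattern = this.casProperties.getServer().getPrefix() + "/oauth2.0/callbackAuthorize.*";
        final RegisteredService existing = this.servicesManager.findServiceBy(this.webApplicationServiceFactory.createService(callbackPattern));
        if (existing != null && callbackPattern.equals(existing.getServiceId())) {
            return;
        }
        final RegexRegisteredService callbackService = new RegexRegisteredService();
        // nextLong() may be negative and Math.abs(Long.MIN_VALUE) is still negative; masking the sign bit
        // always yields a non-negative id.
        callbackService.setId(RandomUtils.getInstanceNative().nextLong() & Long.MAX_VALUE);
        callbackService.setEvaluationOrder(0);
        callbackService.setName(callbackService.getClass().getSimpleName());
        callbackService.setDescription("OAuth Authentication Callback Request URL");
        callbackService.setServiceId(callbackPattern);
        callbackService.setAttributeReleasePolicy(new DenyAllAttributeReleasePolicy());
        this.servicesManager.save(callbackService);
        this.servicesManager.load();
    }
}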
