package org.apereo.cas.oidc.config;

import java.util.List;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.AuthenticationServiceSelectionStrategy;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderResolver;
import org.apereo.cas.authentication.MultifactorAuthenticationTrigger;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.oidc.OidcConfigurationContext;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.oidc.discovery.webfinger.OidcWebFingerDiscoveryService;
import org.apereo.cas.oidc.issuer.OidcIssuerService;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeystoreRotationService;
import org.apereo.cas.oidc.jwks.generator.OidcJsonWebKeystoreGeneratorService;
import org.apereo.cas.oidc.web.OidcHandlerInterceptorAdapter;
import org.apereo.cas.oidc.web.OidcLocaleChangeInterceptor;
import org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController;
import org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController;
import org.apereo.cas.oidc.web.controllers.dynareg.OidcClientConfigurationEndpointController;
import org.apereo.cas.oidc.web.controllers.dynareg.OidcDynamicClientRegistrationEndpointController;
import org.apereo.cas.oidc.web.controllers.introspection.OidcIntrospectionEndpointController;
import org.apereo.cas.oidc.web.controllers.jwks.OidcJwksEndpointController;
import org.apereo.cas.oidc.web.controllers.jwks.OidcJwksRotationEndpoint;
import org.apereo.cas.oidc.web.controllers.logout.OidcLogoutEndpointController;
import org.apereo.cas.oidc.web.controllers.logout.OidcPostLogoutRedirectUrlMatcher;
import org.apereo.cas.oidc.web.controllers.profile.OidcUserProfileEndpointController;
import org.apereo.cas.oidc.web.controllers.token.OidcAccessTokenEndpointController;
import org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController;
import org.apereo.cas.oidc.web.flow.OidcCasWebflowLoginContextProvider;
import org.apereo.cas.oidc.web.flow.OidcMultifactorAuthenticationTrigger;
import org.apereo.cas.oidc.web.flow.OidcRegisteredServiceUIAction;
import org.apereo.cas.oidc.web.flow.OidcWebflowConfigurer;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationRequestValidator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenGrantRequestExtractor;
import org.apereo.cas.validation.CasProtocolViewFactory;
import org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer;
import org.apereo.cas.web.UrlValidator;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.apereo.cas.web.flow.CasWebflowLoginContextProvider;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext;
import org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderWebflowEventResolver;
import org.apereo.cas.web.support.ArgumentExtractor;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnAvailableEndpoint;
import org.springframework.boot.autoconfigure.AutoConfigureOrder;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.execution.Action;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "OidcEndpointsConfiguration", proxyBeanMethods = false)
/* loaded from: input_file:org/apereo/cas/oidc/config/OidcEndpointsConfiguration.class */
public class OidcEndpointsConfiguration {

    /**
     * Registers the controllers behind the OIDC protocol endpoints (discovery,
     * user profile, authorization, logout, revocation, access token, dynamic
     * client registration, client configuration, JWKS and introspection) and the
     * JWKS rotation actuator endpoint.
     *
     * <p>The factory methods here only construct the controllers. No
     * authentication or authorization rule is attached in this configuration;
     * NOTE(review): access control presumably comes from the interceptors
     * registered by the sibling web/interceptor configurations - confirm.
     */
    @Configuration(value = "OidcControllerEndpointsConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    @AutoConfigureOrder(Integer.MAX_VALUE)
    /* loaded from: input_file:org/apereo/cas/oidc/config/OidcEndpointsConfiguration$OidcControllerEndpointsConfiguration.class */
    public static class OidcControllerEndpointsConfiguration {

        /** Builds the discovery ("well-known") controller, which also receives the WebFinger discovery service. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcWellKnownController")
        public OidcWellKnownEndpointController oidcWellKnownController(
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext,
                @Qualifier("oidcWebFingerDiscoveryService") OidcWebFingerDiscoveryService oidcWebFingerDiscoveryService) {
            return new OidcWellKnownEndpointController(oidcConfigurationContext, oidcWebFingerDiscoveryService);
        }

        /** Builds the user profile controller. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcProfileController")
        public OidcUserProfileEndpointController oidcProfileController(
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcUserProfileEndpointController(oidcConfigurationContext);
        }

        /**
         * Builds the authorization endpoint controller.
         *
         * <p>NOTE(review): unlike its siblings this bean has no
         * {@code @ConditionalOnMissingBean}, so this definition is always
         * registered - confirm that is intentional.
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public OidcAuthorizeEndpointController oidcAuthorizeController(
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcAuthorizeEndpointController(oidcConfigurationContext);
        }

        /**
         * Builds the logout controller. It receives both the post-logout redirect
         * URL matcher and the generic URL validator; how the controller combines
         * the two is not visible in this file.
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcLogoutEndpointController")
        public OidcLogoutEndpointController oidcLogoutEndpointController(
                @Qualifier("postLogoutRedirectUrlMatcher") OidcPostLogoutRedirectUrlMatcher oidcPostLogoutRedirectUrlMatcher,
                @Qualifier("urlValidator") UrlValidator urlValidator,
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcLogoutEndpointController(oidcConfigurationContext, oidcPostLogoutRedirectUrlMatcher, urlValidator);
        }

        /** Builds the token revocation controller. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcRevocationEndpointController")
        public OidcRevocationEndpointController oidcRevocationEndpointController(
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcRevocationEndpointController(oidcConfigurationContext);
        }

        /** Builds the access token controller, wired with the auditable grant-request extractor. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcAccessTokenController")
        public OidcAccessTokenEndpointController oidcAccessTokenController(
                @Qualifier("accessTokenGrantAuditableRequestExtractor") AuditableExecution auditableExecution,
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcAccessTokenEndpointController(oidcConfigurationContext, auditableExecution);
        }

        /** Builds the dynamic client registration controller. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcDynamicClientRegistrationEndpointController")
        public OidcDynamicClientRegistrationEndpointController oidcDynamicClientRegistrationEndpointController(
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcDynamicClientRegistrationEndpointController(oidcConfigurationContext);
        }

        /** Builds the client configuration controller. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcClientConfigurationEndpointController")
        public OidcClientConfigurationEndpointController oidcClientConfigurationEndpointController(
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcClientConfigurationEndpointController(oidcConfigurationContext);
        }

        /** Builds the JWKS controller, backed by the keystore generator service. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcJwksController")
        public OidcJwksEndpointController oidcJwksController(
                @Qualifier("oidcJsonWebKeystoreGeneratorService") OidcJsonWebKeystoreGeneratorService oidcJsonWebKeystoreGeneratorService,
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcJwksEndpointController(oidcConfigurationContext, oidcJsonWebKeystoreGeneratorService);
        }

        /** Builds the token introspection controller. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcIntrospectionEndpointController")
        public OidcIntrospectionEndpointController oidcIntrospectionEndpointController(
                @Qualifier("oidcConfigurationContext") OidcConfigurationContext oidcConfigurationContext) {
            return new OidcIntrospectionEndpointController(oidcConfigurationContext);
        }

        /**
         * Builds the JWKS rotation actuator endpoint. The bean only exists when
         * the actuator endpoint is available ({@code @ConditionalOnAvailableEndpoint}).
         *
         * <p>NOTE(review): judging by its name and the rotation service it
         * receives, this endpoint changes signing-key material. Whether and to
         * whom it is exposed is decided by actuator configuration, not here -
         * verify it is access-restricted wherever it is enabled.
         */
        @Bean
        @ConditionalOnAvailableEndpoint
        public OidcJwksRotationEndpoint jwksRotationEndpoint(
                CasConfigurationProperties casConfigurationProperties,
                @Qualifier("oidcJsonWebKeystoreRotationService") OidcJsonWebKeystoreRotationService oidcJsonWebKeystoreRotationService) {
            return new OidcJwksRotationEndpoint(casConfigurationProperties, oidcJsonWebKeystoreRotationService);
        }
    }

    /**
     * Supplies the default strategy for comparing a post-logout redirect URL
     * with a candidate value.
     */
    @Configuration(value = "OidcEndpointsLogoutConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:org/apereo/cas/oidc/config/OidcEndpointsConfiguration$OidcEndpointsLogoutConfiguration.class */
    public static class OidcEndpointsLogoutConfiguration {

        /**
         * Default matcher: two URLs match when they are equal ignoring letter case.
         *
         * <p>Security note: the comparison is case-insensitive over the whole
         * string, so values that differ only by case in the path or query also
         * match, although many servers treat those parts as case-sensitive. A
         * deployment that needs exact matching can define its own bean named
         * {@code postLogoutRedirectUrlMatcher}; this default is then skipped
         * because of {@code @ConditionalOnMissingBean}.
         *
         * <p>The first argument must not be {@code null}:
         * {@code equalsIgnoreCase} is invoked on it directly.
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "postLogoutRedirectUrlMatcher")
        public OidcPostLogoutRedirectUrlMatcher postLogoutRedirectUrlMatcher() {
            return String::equalsIgnoreCase;
        }
    }

    /** Registers the multifactor authentication trigger used for OIDC requests. */
    @Configuration(value = "OidcEndpointsMultifactorAuthenticationConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:org/apereo/cas/oidc/config/OidcEndpointsConfiguration$OidcEndpointsMultifactorAuthenticationConfiguration.class */
    public static class OidcEndpointsMultifactorAuthenticationConfiguration {

        /**
         * Builds the OIDC multifactor trigger from the CAS properties, the
         * provider resolver and the application context. Which request
         * attributes activate the trigger is decided inside
         * {@code OidcMultifactorAuthenticationTrigger}, not in this file.
         * A bean named {@code oidcMultifactorAuthenticationTrigger} defined
         * elsewhere replaces this default.
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcMultifactorAuthenticationTrigger")
        public MultifactorAuthenticationTrigger oidcMultifactorAuthenticationTrigger(
                @Qualifier("multifactorAuthenticationProviderResolver") MultifactorAuthenticationProviderResolver multifactorAuthenticationProviderResolver,
                CasConfigurationProperties casConfigurationProperties,
                ConfigurableApplicationContext configurableApplicationContext) {
            return new OidcMultifactorAuthenticationTrigger(
                casConfigurationProperties,
                multifactorAuthenticationProviderResolver,
                configurableApplicationContext);
        }
    }

    /**
     * Web-layer wiring for the OIDC endpoints: attaches the shared OAuth
     * interceptor to the OIDC base path, reports that base path as an ignored
     * endpoint, and registers the locale interceptor and the confirmation view.
     */
    @Configuration(value = "OidcEndpointsWebConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:org/apereo/cas/oidc/config/OidcEndpointsConfiguration$OidcEndpointsWebConfiguration.class */
    public static class OidcEndpointsWebConfiguration {

        /**
         * Derives the OIDC base path by deleting the CAS server prefix from the
         * issuer and making sure the result starts with {@code /}.
         *
         * <p>NOTE(review): {@code StringUtils.remove} deletes every occurrence of
         * the prefix and returns the issuer unchanged when the prefix is not
         * contained in it. In that case the value returned here is {@code /}
         * followed by the full issuer, which is not a servlet path; both the
         * interceptor pattern and the ignored endpoint built from it would then
         * fail to line up with the real OIDC URLs. Confirm that the configured
         * issuer always starts with the server prefix.
         */
        private static String getOidcBaseEndpoint(OidcIssuerService oidcIssuerService, CasConfigurationProperties casConfigurationProperties) {
            final String issuer = oidcIssuerService.determineIssuer(Optional.empty());
            final String serverPrefix = casConfigurationProperties.getServer().getPrefix();
            return StringUtils.prependIfMissing(StringUtils.remove(issuer, serverPrefix), "/");
        }

        /**
         * Attaches the {@code oauthInterceptor} bean, at order 100, to the
         * pattern {@code <oidc base path>/*}.
         *
         * <p>The interceptor and the base path are both resolved lazily, when
         * Spring MVC calls {@code addInterceptors}.
         *
         * <p>NOTE(review): in Spring path matching a trailing {@code /*} covers a
         * single path segment. Confirm that no OIDC endpoint that relies on this
         * interceptor is mapped more than one segment below the base path.
         */
        @Bean
        public WebMvcConfigurer oidcWebMvcConfigurer(
                @Qualifier("oidcIssuerService") final OidcIssuerService oidcIssuerService,
                @Qualifier("oauthInterceptor") final ObjectProvider<HandlerInterceptor> objectProvider,
                final CasConfigurationProperties casConfigurationProperties) {
            return new WebMvcConfigurer() {
                @Override
                public void addInterceptors(final InterceptorRegistry interceptorRegistry) {
                    interceptorRegistry
                        .addInterceptor(objectProvider.getObject())
                        .order(100)
                        .addPathPatterns(getOidcBaseEndpoint(oidcIssuerService, casConfigurationProperties).concat("/*"));
                }
            };
        }

        /**
         * Reports the OIDC base path as an ignored endpoint. The path is computed
         * once, when this bean is created.
         *
         * <p>NOTE(review): "ignored" presumably means the generic web security
         * chain does not guard this path, leaving protection to the protocol
         * interceptors - confirm against {@code ProtocolEndpointWebSecurityConfigurer}.
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcProtocolEndpointConfigurer")
        public ProtocolEndpointWebSecurityConfigurer<Void> oidcProtocolEndpointConfigurer(
                @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService,
                CasConfigurationProperties casConfigurationProperties) {
            final String ignoredBasePath = getOidcBaseEndpoint(oidcIssuerService, casConfigurationProperties);
            return new ProtocolEndpointWebSecurityConfigurer<Void>() {
                @Override
                public List<String> getIgnoredEndpoints() {
                    return List.of(ignoredBasePath);
                }
            };
        }

        /**
         * Builds the locale interceptor and points it at the {@code ui_locales}
         * request parameter.
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcLocaleChangeInterceptor")
        public HandlerInterceptor oidcLocaleChangeInterceptor(
                @Qualifier("argumentExtractor") ArgumentExtractor argumentExtractor,
                @Qualifier("servicesManager") ServicesManager servicesManager,
                CasConfigurationProperties casConfigurationProperties) {
            final OidcLocaleChangeInterceptor interceptor =
                new OidcLocaleChangeInterceptor(casConfigurationProperties.getLocale(), argumentExtractor, servicesManager);
            interceptor.setParamName("ui_locales");
            return interceptor;
        }

        /** Creates the view named {@code protocol/oidc/confirm} through the CAS protocol view factory. */
        @Bean
        @ConditionalOnMissingBean(name = "oidcConfirmView")
        public View oidcConfirmView(
                ConfigurableApplicationContext configurableApplicationContext,
                @Qualifier("casProtocolViewFactory") CasProtocolViewFactory casProtocolViewFactory) {
            return casProtocolViewFactory.create(configurableApplicationContext, "protocol/oidc/confirm");
        }
    }

    /**
     * Webflow wiring for OIDC: the flow configurer, the execution-plan
     * registration, the login context provider, the multifactor event resolver
     * and the registered-service UI action.
     */
    @Configuration(value = "OidcEndpointsWebflowConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:org/apereo/cas/oidc/config/OidcEndpointsConfiguration$OidcEndpointsWebflowConfiguration.class */
    public static class OidcEndpointsWebflowConfiguration {

        /**
         * Adds the OIDC webflow configurer, the locale interceptor and the login
         * context provider to the CAS webflow execution plan.
         */
        @Bean
        @ConditionalOnMissingBean(name = "oidcCasWebflowExecutionPlanConfigurer")
        public CasWebflowExecutionPlanConfigurer oidcCasWebflowExecutionPlanConfigurer(
                @Qualifier("oidcWebflowConfigurer") CasWebflowConfigurer casWebflowConfigurer,
                @Qualifier("oidcLocaleChangeInterceptor") HandlerInterceptor handlerInterceptor,
                @Qualifier("oidcCasWebflowLoginContextProvider") CasWebflowLoginContextProvider casWebflowLoginContextProvider) {
            return plan -> {
                plan.registerWebflowConfigurer(casWebflowConfigurer);
                plan.registerWebflowInterceptor(handlerInterceptor);
                plan.registerWebflowLoginContextProvider(casWebflowLoginContextProvider);
            };
        }

        /** Builds the OIDC login context provider from the argument extractor. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcCasWebflowLoginContextProvider")
        public CasWebflowLoginContextProvider oidcCasWebflowLoginContextProvider(
                @Qualifier("argumentExtractor") ArgumentExtractor argumentExtractor) {
            return new OidcCasWebflowLoginContextProvider(argumentExtractor);
        }

        /**
         * Builds the multifactor event resolver driven by the OIDC trigger.
         *
         * <p>Side effect: the new resolver is also added as a delegate of the
         * {@code initialAuthenticationAttemptWebflowEventResolver} bean, so
         * creating this bean changes that shared resolver.
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public CasWebflowEventResolver oidcAuthenticationContextWebflowEventResolver(
                @Qualifier("initialAuthenticationAttemptWebflowEventResolver") CasDelegatingWebflowEventResolver casDelegatingWebflowEventResolver,
                @Qualifier("casWebflowConfigurationContext") CasWebflowEventResolutionConfigurationContext casWebflowEventResolutionConfigurationContext,
                @Qualifier("oidcMultifactorAuthenticationTrigger") MultifactorAuthenticationTrigger multifactorAuthenticationTrigger) {
            final DefaultMultifactorAuthenticationProviderWebflowEventResolver resolver =
                new DefaultMultifactorAuthenticationProviderWebflowEventResolver(
                    casWebflowEventResolutionConfigurationContext, multifactorAuthenticationTrigger);
            casDelegatingWebflowEventResolver.addDelegate(resolver);
            return resolver;
        }

        /**
         * Builds the OIDC webflow configurer on the login flow registry and then
         * hands it the logout flow registry.
         */
        @Bean
        @ConditionalOnMissingBean(name = "oidcWebflowConfigurer")
        public CasWebflowConfigurer oidcWebflowConfigurer(
                @Qualifier("logoutFlowRegistry") FlowDefinitionRegistry flowDefinitionRegistry,
                @Qualifier("flowBuilderServices") FlowBuilderServices flowBuilderServices,
                @Qualifier("loginFlowRegistry") FlowDefinitionRegistry flowDefinitionRegistry2,
                ConfigurableApplicationContext configurableApplicationContext,
                CasConfigurationProperties casConfigurationProperties) {
            // The numbered parameter names do not say which registry is which;
            // name them after the qualifier each one is injected with.
            final FlowDefinitionRegistry logoutFlowRegistry = flowDefinitionRegistry;
            final FlowDefinitionRegistry loginFlowRegistry = flowDefinitionRegistry2;

            final OidcWebflowConfigurer configurer = new OidcWebflowConfigurer(
                flowBuilderServices, loginFlowRegistry, configurableApplicationContext, casConfigurationProperties);
            configurer.setLogoutFlowDefinitionRegistry(logoutFlowRegistry);
            return configurer;
        }

        /** Builds the webflow action that resolves UI details for the registered OIDC service. */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcRegisteredServiceUIAction")
        public Action oidcRegisteredServiceUIAction(
                @Qualifier("oauth20AuthenticationRequestServiceSelectionStrategy") AuthenticationServiceSelectionStrategy authenticationServiceSelectionStrategy,
                @Qualifier("servicesManager") ServicesManager servicesManager) {
            return new OidcRegisteredServiceUIAction(servicesManager, authenticationServiceSelectionStrategy);
        }
    }

    /**
     * Builds the pac4j security interceptors for dynamic client registration
     * and client configuration, and the composite OIDC interceptor that
     * delegates to them and to the OAuth authorize/access-token interceptors.
     */
    @Configuration(value = "OidcInterceptorsConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:org/apereo/cas/oidc/config/OidcEndpointsConfiguration$OidcInterceptorsConfiguration.class */
    public static class OidcInterceptorsConfiguration {

        /**
         * Creates a pac4j interceptor for the given comma-separated client names
         * that applies the {@code securityheaders} matcher and the
         * {@code isFullyAuthenticated} authorizer.
         */
        private static SecurityInterceptor fullyAuthenticatedInterceptor(final Config config, final String clients) {
            final SecurityInterceptor interceptor = new SecurityInterceptor(config, clients, JEEHttpActionAdapter.INSTANCE);
            interceptor.setMatchers("securityheaders");
            interceptor.setAuthorizers("isFullyAuthenticated");
            return interceptor;
        }

        /**
         * Interceptor for dynamic client registration. A request may authenticate
         * through any of the four listed pac4j clients and must then satisfy the
         * {@code isFullyAuthenticated} authorizer.
         */
        @Bean
        public HandlerInterceptor requiresAuthenticationDynamicRegistrationInterceptor(@Qualifier("oauthSecConfig") Config config) {
            final String clients = String.join(",",
                "clientBasicAuth",
                "clientAccessTokenAuth",
                "clientForm",
                "userForm");
            return fullyAuthenticatedInterceptor(config, clients);
        }

        /**
         * Interceptor for the client configuration endpoint. Only the
         * {@code ClientRegistrationClient} pac4j client is accepted, followed by
         * the {@code isFullyAuthenticated} authorizer.
         */
        @Bean
        public HandlerInterceptor requiresAuthenticationClientConfigurationInterceptor(@Qualifier("oauthSecConfig") Config config) {
            final String clients = String.join(",", "ClientRegistrationClient");
            return fullyAuthenticatedInterceptor(config, clients);
        }

        /**
         * Builds the composite interceptor applied to the OIDC endpoints.
         *
         * <p>Dynamic client registration mode: a blank setting falls back to
         * {@code PROTECTED}. {@code valueOf} is case-sensitive and throws
         * {@code IllegalArgumentException} for an unknown name, so a mistyped
         * value stops bean creation instead of silently selecting another mode.
         *
         * <p>The four delegate interceptors are passed positionally; what each
         * position means is defined by {@code OidcHandlerInterceptorAdapter}'s
         * constructor, which is not visible in this file. The order below is the
         * original one.
         */
        @Bean
        public HandlerInterceptor oauthInterceptor(
                ObjectProvider<List<AccessTokenGrantRequestExtractor>> objectProvider,
                ObjectProvider<List<OAuth20AuthorizationRequestValidator>> objectProvider2,
                @Qualifier("oauthDistributedSessionStore") SessionStore sessionStore,
                @Qualifier("requiresAuthenticationAuthorizeInterceptor") HandlerInterceptor handlerInterceptor,
                @Qualifier("requiresAuthenticationAccessTokenInterceptor") HandlerInterceptor handlerInterceptor2,
                @Qualifier("requiresAuthenticationClientConfigurationInterceptor") HandlerInterceptor handlerInterceptor3,
                @Qualifier("requiresAuthenticationDynamicRegistrationInterceptor") HandlerInterceptor handlerInterceptor4,
                @Qualifier("servicesManager") ServicesManager servicesManager,
                CasConfigurationProperties casConfigurationProperties) {
            // Name each delegate after the qualifier it is injected with; the
            // numbered parameter names carry no meaning of their own.
            final HandlerInterceptor authorizeInterceptor = handlerInterceptor;
            final HandlerInterceptor accessTokenInterceptor = handlerInterceptor2;
            final HandlerInterceptor clientConfigurationInterceptor = handlerInterceptor3;
            final HandlerInterceptor dynamicRegistrationInterceptor = handlerInterceptor4;

            final String modeName = StringUtils.defaultIfBlank(
                casConfigurationProperties.getAuthn().getOidc().getCore().getDynamicClientRegistrationMode(),
                OidcConstants.DynamicClientRegistrationMode.PROTECTED.name());
            final OidcConstants.DynamicClientRegistrationMode registrationMode =
                OidcConstants.DynamicClientRegistrationMode.valueOf(modeName);

            return new OidcHandlerInterceptorAdapter(
                accessTokenInterceptor,
                authorizeInterceptor,
                dynamicRegistrationInterceptor,
                clientConfigurationInterceptor,
                registrationMode,
                objectProvider,
                servicesManager,
                sessionStore,
                objectProvider2);
        }
    }
}
