package org.apereo.cas.support.pac4j.config;

import lombok.Generated;
import org.apereo.cas.CipherExecutor;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedSessionCookieProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.validation.Pac4jServiceTicketValidationAuthorizer;
import org.apereo.cas.validation.RegisteredServiceDelegatedAuthenticationPolicyAuditableEnforcer;
import org.apereo.cas.validation.ServiceTicketValidationAuthorizer;
import org.apereo.cas.validation.ServiceTicketValidationAuthorizerConfigurer;
import org.apereo.cas.validation.ServiceTicketValidationAuthorizersExecutionPlan;
import org.apereo.cas.web.pac4j.DelegatedSessionCookieCipherExecutor;
import org.apereo.cas.web.pac4j.DelegatedSessionCookieManager;
import org.apereo.cas.web.pac4j.SessionStoreCookieGenerator;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.apereo.cas.web.support.DefaultCasCookieValueManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

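/**
 * Spring configuration that wires the beans used by pac4j delegated authentication:
 * the delegated-authentication policy enforcer, the session-store cookie generator and
 * its cipher executor, the delegated session cookie manager, and the service ticket
 * validation authorizer that this class also registers into the authorizers execution plan.
 *
 * <p>Security-relevant settings (cookie name/path/max-age/domain, the {@code Secure} and
 * {@code HttpOnly} flags, and whether the cookie is encrypted and signed) are all read from
 * {@code casProperties.getAuthn().getPac4j().getCookie()}; nothing is hard-coded here.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("pac4jDelegatedAuthenticationConfiguration")
/* loaded from: input_file:org/apereo/cas/support/pac4j/config/Pac4jDelegatedAuthenticationConfiguration.class */
public class Pac4jDelegatedAuthenticationConfiguration implements ServiceTicketValidationAuthorizerConfigurer {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(Pac4jDelegatedAuthenticationConfiguration.class);

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Creates the auditable enforcer for the registered-service delegated authentication policy.
     *
     * @return a new {@link RegisteredServiceDelegatedAuthenticationPolicyAuditableEnforcer}
     */
    @ConditionalOnMissingBean(name = {"registeredServiceDelegatedAuthenticationPolicyAuditableEnforcer"})
    @RefreshScope
    @Bean
    public AuditableExecution registeredServiceDelegatedAuthenticationPolicyAuditableEnforcer() {
        return new RegisteredServiceDelegatedAuthenticationPolicyAuditableEnforcer();
    }

    /**
     * Creates the delegated session cookie manager on top of the session-store cookie generator.
     *
     * @return a {@link DelegatedSessionCookieManager} backed by {@link #pac4jSessionStoreCookieGenerator()}
     */
    @ConditionalOnMissingBean(name = {"pac4jDelegatedSessionCookieManager"})
    @Bean
    public DelegatedSessionCookieManager pac4jDelegatedSessionCookieManager() {
        return new DelegatedSessionCookieManager(pac4jSessionStoreCookieGenerator());
    }

    /**
     * Creates the cookie generator for the delegated-authentication session store.
     *
     * <p>Cookie values go through a {@link DefaultCasCookieValueManager} that wraps
     * {@link #pac4jDelegatedSessionStoreCookieCipherExecutor()}, so the protection applied to the
     * cookie value is exactly whatever that cipher executor provides.
     *
     * @return a {@link SessionStoreCookieGenerator} configured from the pac4j cookie properties
     */
    @ConditionalOnMissingBean(name = {"pac4jSessionStoreCookieGenerator"})
    @Bean
    public CookieRetrievingCookieGenerator pac4jSessionStoreCookieGenerator() {
        Pac4jDelegatedSessionCookieProperties cookie = this.casProperties.getAuthn().getPac4j().getCookie();
        DefaultCasCookieValueManager valueManager =
            new DefaultCasCookieValueManager(pac4jDelegatedSessionStoreCookieCipherExecutor());
        // Secure and HttpOnly are taken from configuration as-is; their defaults are not visible
        // in this class, so a deployment review should confirm both are set for production.
        return new SessionStoreCookieGenerator(
            valueManager,
            cookie.getName(),
            cookie.getPath(),
            cookie.getMaxAge(),
            cookie.isSecure(),
            cookie.getDomain(),
            cookie.isHttpOnly());
    }

    /**
     * Creates the cipher executor applied to the delegated-authentication session cookie.
     *
     * <p>When the cookie crypto settings are enabled, a {@link DelegatedSessionCookieCipherExecutor}
     * is built from the configured encryption key, signing key and algorithm. When they are
     * disabled, {@link CipherExecutor#noOp()} is returned; per the message logged below, the
     * cookie is then neither encrypted nor signed.
     *
     * @return the cipher executor for the delegated session cookie
     */
    @ConditionalOnMissingBean(name = {"pac4jDelegatedSessionStoreCookieCipherExecutor"})
    @Bean
    public CipherExecutor pac4jDelegatedSessionStoreCookieCipherExecutor() {
        EncryptionJwtSigningJwtCryptographyProperties crypto =
            this.casProperties.getAuthn().getPac4j().getCookie().getCrypto();
        if (!crypto.isEnabled()) {
            // Logged at WARN rather than INFO: an unprotected session cookie is a security-relevant
            // configuration state and should stay visible when production logging filters out INFO.
            LOGGER.warn("Delegated authentication cookie encryption/signing is turned off and "
                + "MAY NOT be safe in a production environment. "
                + "Consider using other choices to handle encryption, signing and verification of "
                + "delegated authentication cookie.");
            return CipherExecutor.noOp();
        }
        // NOTE(review): what happens when the encryption or signing key is blank is decided inside
        // DelegatedSessionCookieCipherExecutor and is not visible here - confirm both keys are set
        // explicitly so that every node of a cluster uses the same key material.
        return new DelegatedSessionCookieCipherExecutor(
            crypto.getEncryption().getKey(),
            crypto.getSigning().getKey(),
            crypto.getAlg());
    }

    /**
     * Creates the service ticket validation authorizer for delegated authentication.
     *
     * @return a {@link Pac4jServiceTicketValidationAuthorizer} using the services manager and the
     *         delegated authentication policy enforcer
     */
    @Bean
    public ServiceTicketValidationAuthorizer pac4jServiceTicketValidationAuthorizer() {
        return new Pac4jServiceTicketValidationAuthorizer(
            this.servicesManager,
            registeredServiceDelegatedAuthenticationPolicyAuditableEnforcer());
    }

    /**
     * Registers the pac4j service ticket validation authorizer into the given execution plan.
     *
     * @param serviceTicketValidationAuthorizersExecutionPlan the plan that receives the authorizer
     */
    @Override
    public void configureAuthorizersExecutionPlan(ServiceTicketValidationAuthorizersExecutionPlan serviceTicketValidationAuthorizersExecutionPlan) {
        serviceTicketValidationAuthorizersExecutionPlan.registerAuthorizer(pac4jServiceTicketValidationAuthorizer());
    }
}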
