package org.apereo.cas.config;

import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.adaptors.radius.RadiusClientFactory;
import org.apereo.cas.adaptors.radius.RadiusProtocol;
import org.apereo.cas.adaptors.radius.RadiusServer;
import org.apereo.cas.adaptors.radius.authentication.RadiusMultifactorAuthenticationProvider;
import org.apereo.cas.adaptors.radius.authentication.RadiusTokenAuthenticationHandler;
import org.apereo.cas.adaptors.radius.authentication.RadiusTokenCredential;
import org.apereo.cas.adaptors.radius.server.NonBlockingRadiusServer;
import org.apereo.cas.adaptors.radius.server.RadiusServerConfigurationContext;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.CasSSLContext;
import org.apereo.cas.authentication.MultifactorAuthenticationFailureModeEvaluator;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.bypass.MultifactorAuthenticationProviderBypassEvaluator;
import org.apereo.cas.authentication.handler.ByCredentialTypeAuthenticationHandlerResolver;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.metadata.MultifactorAuthenticationProviderMetadataPopulator;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.support.mfa.RadiusMultifactorAuthenticationProperties;
import org.apereo.cas.configuration.model.support.radius.RadiusClientProperties;
import org.apereo.cas.configuration.model.support.radius.RadiusServerProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.spring.beans.BeanCondition;
import org.apereo.cas.util.spring.beans.BeanContainer;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;

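/**
 * Spring configuration that wires RADIUS token multifactor authentication into the
 * CAS authentication event execution plan.
 *
 * <p>Most beans here are gated by {@link #CONDITION}: they are built only when the
 * {@code cas.authn.mfa.radius.client.inet-address} property satisfies the condition;
 * otherwise the {@code otherwiseProxy()} fallback of {@link BeanSupplier} is returned.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "RadiusTokenAuthenticationEventExecutionPlanConfiguration", proxyBeanMethods = false)
@ConditionalOnFeatureEnabled(feature = {CasFeatureModule.FeatureCatalog.RadiusMFA})
class RadiusTokenAuthenticationEventExecutionPlanConfiguration {
    /** Condition on the RADIUS client address property; shared by the gated beans below. */
    private static final BeanCondition CONDITION = BeanCondition.on("cas.authn.mfa.radius.client.inet-address");

    /** Registers the RADIUS handler, metadata populators and handler resolver with the plan. */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "RadiusTokenAuthenticationEventExecutionPlanBaseConfiguration", proxyBeanMethods = false)
    static class RadiusTokenAuthenticationEventExecutionPlanBaseConfiguration {
        RadiusTokenAuthenticationEventExecutionPlanBaseConfiguration() {
        }

        /**
         * Builds the configurer that adds RADIUS token authentication to the execution plan.
         *
         * @param configurableApplicationContext context whose environment is tested against the condition
         * @param authenticationMetaDataPopulator the {@code radiusMultifactorProviderAuthenticationMetadataPopulator} bean
         * @param casConfigurationProperties CAS settings
         * @param authenticationHandler the {@code radiusTokenAuthenticationHandler} bean
         * @param authenticationMetaDataPopulator2 the {@code radiusAuthenticationMetaDataPopulator} bean
         * @return the configurer, or the supplier's proxy fallback when the condition does not hold
         * @throws Exception if the bean supplier fails
         */
        @ConditionalOnMissingBean(name = {"radiusTokenAuthenticationEventExecutionPlanConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationEventExecutionPlanConfigurer radiusTokenAuthenticationEventExecutionPlanConfigurer(
            ConfigurableApplicationContext configurableApplicationContext,
            @Qualifier("radiusMultifactorProviderAuthenticationMetadataPopulator") AuthenticationMetaDataPopulator authenticationMetaDataPopulator,
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("radiusTokenAuthenticationHandler") AuthenticationHandler authenticationHandler,
            @Qualifier("radiusAuthenticationMetaDataPopulator") AuthenticationMetaDataPopulator authenticationMetaDataPopulator2) throws Exception {
            return BeanSupplier.of(AuthenticationEventExecutionPlanConfigurer.class)
                .when(RadiusTokenAuthenticationEventExecutionPlanConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> authenticationEventExecutionPlan -> {
                    // Re-checked when the configurer runs: nothing is registered without a RADIUS client address.
                    if (StringUtils.isNotBlank(casConfigurationProperties.getAuthn().getMfa().getRadius().getClient().getInetAddress())) {
                        authenticationEventExecutionPlan.registerAuthenticationHandler(authenticationHandler);
                        authenticationEventExecutionPlan.registerAuthenticationMetadataPopulator(authenticationMetaDataPopulator2);
                        authenticationEventExecutionPlan.registerAuthenticationMetadataPopulator(authenticationMetaDataPopulator);
                        // The resolver is constructed for RadiusTokenCredential only.
                        authenticationEventExecutionPlan.registerAuthenticationHandlerResolver(
                            new ByCredentialTypeAuthenticationHandlerResolver(new Class[]{RadiusTokenCredential.class}));
                    }
                })
                .otherwiseProxy()
                .get();
        }
    }

    /** Defines the RADIUS token authentication handler bean. */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "RadiusTokenAuthenticationEventExecutionPlanHandlerConfiguration", proxyBeanMethods = false)
    static class RadiusTokenAuthenticationEventExecutionPlanHandlerConfiguration {
        RadiusTokenAuthenticationEventExecutionPlanHandlerConfiguration() {
        }

        /**
         * Builds the handler that validates RADIUS token credentials against the configured servers.
         *
         * @param objectProvider lazy reference to the {@code radiusMultifactorAuthenticationProvider} bean
         * @param configurableApplicationContext context whose environment is tested against the condition
         * @param casConfigurationProperties CAS settings
         * @param principalFactory the {@code radiusTokenPrincipalFactory} bean
         * @param beanContainer the {@code radiusTokenServers} bean
         * @param servicesManager the {@code servicesManager} bean
         * @return the handler, or the supplier's proxy fallback when the condition does not hold
         * @throws Exception if the bean supplier fails
         */
        @ConditionalOnMissingBean(name = {"radiusTokenAuthenticationHandler"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationHandler radiusTokenAuthenticationHandler(
            @Qualifier("radiusMultifactorAuthenticationProvider") ObjectProvider<MultifactorAuthenticationProvider> objectProvider,
            ConfigurableApplicationContext configurableApplicationContext,
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("radiusTokenPrincipalFactory") PrincipalFactory principalFactory,
            @Qualifier("radiusTokenServers") BeanContainer<RadiusServer> beanContainer,
            @Qualifier("servicesManager") ServicesManager servicesManager) throws Exception {
            return BeanSupplier.of(AuthenticationHandler.class)
                .when(RadiusTokenAuthenticationEventExecutionPlanConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> {
                    RadiusMultifactorAuthenticationProperties radius = casConfigurationProperties.getAuthn().getMfa().getRadius();
                    // NOTE(review): the two failover flags presumably control whether the next server is
                    // tried after an exception or a rejected token; confirm that they match policy.
                    return new RadiusTokenAuthenticationHandler(
                        radius.getName(),
                        servicesManager,
                        principalFactory,
                        beanContainer.toList(),
                        radius.isFailoverOnException(),
                        radius.isFailoverOnAuthenticationFailure(),
                        Integer.valueOf(radius.getOrder()),
                        objectProvider);
                })
                .otherwiseProxy()
                .get();
        }
    }

    /** Defines the metadata populators attached to RADIUS multifactor authentications. */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "RadiusTokenAuthenticationEventExecutionPlanMetadataConfiguration", proxyBeanMethods = false)
    static class RadiusTokenAuthenticationEventExecutionPlanMetadataConfiguration {
        RadiusTokenAuthenticationEventExecutionPlanMetadataConfiguration() {
        }

        /**
         * Builds the provider metadata populator. This bean is not gated by the condition.
         *
         * @param servicesManager the {@code servicesManager} bean
         * @param casConfigurationProperties CAS settings; supplies the authentication context attribute name
         * @param objectProvider lazy reference to the {@code radiusMultifactorAuthenticationProvider} bean
         * @return the populator
         */
        @ConditionalOnMissingBean(name = {"radiusMultifactorProviderAuthenticationMetadataPopulator"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationMetaDataPopulator radiusMultifactorProviderAuthenticationMetadataPopulator(
            @Qualifier("servicesManager") ServicesManager servicesManager,
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("radiusMultifactorAuthenticationProvider") ObjectProvider<MultifactorAuthenticationProvider> objectProvider) {
            return new MultifactorAuthenticationProviderMetadataPopulator(
                casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(),
                objectProvider,
                servicesManager);
        }

        /**
         * Builds the populator that ties the authentication context attribute to the RADIUS handler
         * and the provider id.
         *
         * @param configurableApplicationContext context whose environment is tested against the condition
         * @param casConfigurationProperties CAS settings; supplies the authentication context attribute name
         * @param authenticationHandler the {@code radiusTokenAuthenticationHandler} bean
         * @param multifactorAuthenticationProvider the {@code radiusMultifactorAuthenticationProvider} bean
         * @return the populator, or the supplier's proxy fallback when the condition does not hold
         * @throws Exception if the bean supplier fails
         */
        @ConditionalOnMissingBean(name = {"radiusAuthenticationMetaDataPopulator"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationMetaDataPopulator radiusAuthenticationMetaDataPopulator(
            ConfigurableApplicationContext configurableApplicationContext,
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("radiusTokenAuthenticationHandler") AuthenticationHandler authenticationHandler,
            @Qualifier("radiusMultifactorAuthenticationProvider") MultifactorAuthenticationProvider multifactorAuthenticationProvider) throws Exception {
            return BeanSupplier.of(AuthenticationMetaDataPopulator.class)
                .when(RadiusTokenAuthenticationEventExecutionPlanConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> new AuthenticationContextAttributeMetaDataPopulator(
                    casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(),
                    authenticationHandler,
                    multifactorAuthenticationProvider.getId()))
                .otherwiseProxy()
                .get();
        }
    }

    /** Defines the RADIUS multifactor authentication provider bean. */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "RadiusTokenAuthenticationEventExecutionPlanProviderConfiguration", proxyBeanMethods = false)
    static class RadiusTokenAuthenticationEventExecutionPlanProviderConfiguration {
        RadiusTokenAuthenticationEventExecutionPlanProviderConfiguration() {
        }

        /**
         * Builds the provider and applies bypass, failure-mode, rank and id settings from configuration.
         *
         * @param configurableApplicationContext context whose environment is tested against the condition
         * @param casConfigurationProperties CAS settings
         * @param beanContainer the {@code radiusTokenServers} bean
         * @param multifactorAuthenticationProviderBypassEvaluator the {@code radiusBypassEvaluator} bean
         * @param multifactorAuthenticationFailureModeEvaluator the {@code failureModeEvaluator} bean
         * @return the provider, or the supplier's proxy fallback when the condition does not hold
         * @throws Exception if the bean supplier fails
         */
        @ConditionalOnMissingBean(name = {"radiusMultifactorAuthenticationProvider"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public MultifactorAuthenticationProvider radiusMultifactorAuthenticationProvider(
            ConfigurableApplicationContext configurableApplicationContext,
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("radiusTokenServers") BeanContainer<RadiusServer> beanContainer,
            @Qualifier("radiusBypassEvaluator") MultifactorAuthenticationProviderBypassEvaluator multifactorAuthenticationProviderBypassEvaluator,
            @Qualifier("failureModeEvaluator") MultifactorAuthenticationFailureModeEvaluator multifactorAuthenticationFailureModeEvaluator) throws Exception {
            return BeanSupplier.of(MultifactorAuthenticationProvider.class)
                .when(RadiusTokenAuthenticationEventExecutionPlanConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> {
                    RadiusMultifactorAuthenticationProperties radius = casConfigurationProperties.getAuthn().getMfa().getRadius();
                    RadiusMultifactorAuthenticationProvider provider = new RadiusMultifactorAuthenticationProvider(beanContainer.toList());
                    // NOTE(review): the bypass evaluator and failure mode presumably decide when this factor
                    // may be skipped or tolerated as unavailable; confirm the configured values are intended.
                    provider.setBypassEvaluator(multifactorAuthenticationProviderBypassEvaluator);
                    provider.setFailureMode(radius.getFailureMode());
                    provider.setFailureModeEvaluator(multifactorAuthenticationFailureModeEvaluator);
                    provider.setOrder(radius.getRank());
                    provider.setId(radius.getId());
                    return provider;
                })
                .otherwiseProxy()
                .get();
        }
    }

    /** Defines the RADIUS server container and the principal factory used by the handler. */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "RadiusTokenAuthenticationServerConfiguration", proxyBeanMethods = false)
    static class RadiusTokenAuthenticationServerConfiguration {
        RadiusTokenAuthenticationServerConfiguration() {
        }

        /**
         * Builds the container of RADIUS servers used for token validation.
         *
         * @param casConfigurationProperties CAS settings; supplies the RADIUS client and server properties
         * @param casSSLContext the {@code casSslContext} bean handed to the client factory
         * @return an empty container when no client address is configured, otherwise a container
         *     holding a single {@link NonBlockingRadiusServer}
         */
        @ConditionalOnMissingBean(name = {"radiusTokenServers"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public BeanContainer<RadiusServer> radiusTokenServers(
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("casSslContext") CasSSLContext casSSLContext) {
            RadiusMultifactorAuthenticationProperties radius = casConfigurationProperties.getAuthn().getMfa().getRadius();
            RadiusClientProperties client = radius.getClient();
            RadiusServerProperties server = radius.getServer();
            if (StringUtils.isBlank(client.getInetAddress())) {
                return BeanContainer.empty();
            }

            // The accounting port used to be passed to authenticationPort(...) and was then
            // overwritten by the next call, so the configured accounting port never reached the
            // client factory. Each port now goes to its own builder property.
            // The shared secret is taken from configuration as-is; keep it out of logs.
            RadiusClientFactory clientFactory = RadiusClientFactory.builder()
                .accountingPort(client.getAccountingPort())
                .authenticationPort(client.getAuthenticationPort())
                .socketTimeout(client.getSocketTimeout())
                .inetAddress(client.getInetAddress())
                .sharedSecret(client.getSharedSecret())
                .sslContext(casSSLContext)
                .transportType(client.getTransportType())
                .build();

            // RadiusProtocol.valueOf rejects a protocol name that is not an enum constant.
            RadiusServerConfigurationContext context = RadiusServerConfigurationContext.builder()
                .protocol(RadiusProtocol.valueOf(server.getProtocol()))
                .radiusClientFactory(clientFactory)
                .retries(server.getRetries())
                .nasIpAddress(server.getNasIpAddress())
                .nasIpv6Address(server.getNasIpv6Address())
                .nasPort(server.getNasPort())
                .nasPortId(server.getNasPortId())
                .nasIdentifier(server.getNasIdentifier())
                .nasRealPort(server.getNasRealPort())
                .nasPortType(server.getNasPortType())
                .build();

            return BeanContainer.of(CollectionUtils.wrapList(new NonBlockingRadiusServer[]{new NonBlockingRadiusServer(context)}));
        }

        /**
         * Builds the principal factory used by the RADIUS token handler.
         *
         * @return a principal factory from {@link PrincipalFactoryUtils#newPrincipalFactory()}
         */
        @ConditionalOnMissingBean(name = {"radiusTokenPrincipalFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public PrincipalFactory radiusTokenPrincipalFactory() {
            return PrincipalFactoryUtils.newPrincipalFactory();
        }
    }

    RadiusTokenAuthenticationEventExecutionPlanConfiguration() {
    }
}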
