package org.apereo.cas.config;

import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.adaptors.radius.RadiusClientFactory;
import org.apereo.cas.adaptors.radius.RadiusProtocol;
import org.apereo.cas.adaptors.radius.RadiusServer;
import org.apereo.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler;
import org.apereo.cas.adaptors.radius.server.AbstractRadiusServer;
import org.apereo.cas.adaptors.radius.server.NonBlockingRadiusServer;
import org.apereo.cas.adaptors.radius.server.RadiusServerConfigurationContext;
import org.apereo.cas.adaptors.radius.web.flow.RadiusAccessChallengedMultifactorAuthenticationTrigger;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.MultifactorAuthenticationContextValidator;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderResolver;
import org.apereo.cas.authentication.MultifactorAuthenticationTrigger;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.PrincipalNameTransformerUtils;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.support.password.PasswordEncoderUtils;
import org.apereo.cas.authentication.support.password.PasswordPolicyContext;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.radius.RadiusClientProperties;
import org.apereo.cas.configuration.model.support.radius.RadiusProperties;
import org.apereo.cas.configuration.model.support.radius.RadiusServerProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.web.cookie.CasCookieBuilder;
import org.apereo.cas.web.flow.SingleSignOnParticipationStrategy;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext;
import org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderWebflowEventResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.StringUtils;

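/**
 * Spring configuration that wires RADIUS authentication into CAS.
 *
 * <p>The configuration is activated by the presence of
 * {@code cas.authn.radius.client.inet-address}. It contributes the RADIUS
 * server beans (one per configured address), the RADIUS authentication
 * handler, its registration in the authentication execution plan, and the
 * multifactor trigger / webflow resolver used for RADIUS access challenges.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The RADIUS shared secret is read from the client properties and handed
 *       to {@link RadiusClientFactory}; nothing in this class logs it, and
 *       any new logging must keep it that way.</li>
 *   <li>The address list is operator-supplied configuration. Empty tokens are
 *       dropped in {@link #getClientIps(RadiusClientProperties)} so a stray
 *       comma cannot produce a server entry with an empty address.</li>
 * </ul>
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("radiusConfiguration")
@ConditionalOnProperty(name = {"cas.authn.radius.client.inet-address"})
/* loaded from: input_file:org/apereo/cas/config/RadiusConfiguration.class */
public class RadiusConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(RadiusConfiguration.class);

    @Autowired
    @Qualifier("registeredServiceAccessStrategyEnforcer")
    private ObjectProvider<AuditableExecution> registeredServiceAccessStrategyEnforcer;

    @Autowired
    @Qualifier("multifactorAuthenticationProviderResolver")
    private ObjectProvider<MultifactorAuthenticationProviderResolver> multifactorAuthenticationProviderResolver;

    @Autowired
    @Qualifier("ticketRegistry")
    private ObjectProvider<TicketRegistry> ticketRegistry;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private ObjectProvider<CentralAuthenticationService> centralAuthenticationService;

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private ObjectProvider<AuthenticationSystemSupport> authenticationSystemSupport;

    @Autowired
    @Qualifier("authenticationContextValidator")
    private ObjectProvider<MultifactorAuthenticationContextValidator> authenticationContextValidator;

    @Autowired
    @Qualifier("initialAuthenticationAttemptWebflowEventResolver")
    private ObjectProvider<CasDelegatingWebflowEventResolver> initialAuthenticationAttemptWebflowEventResolver;

    @Autowired
    @Qualifier("defaultTicketRegistrySupport")
    private ObjectProvider<TicketRegistrySupport> ticketRegistrySupport;

    @Autowired
    @Qualifier("singleSignOnParticipationStrategy")
    private ObjectProvider<SingleSignOnParticipationStrategy> webflowSingleSignOnParticipationStrategy;

    @Autowired
    @Qualifier("authenticationServiceSelectionPlan")
    private ObjectProvider<AuthenticationServiceSelectionPlan> authenticationRequestServiceSelectionStrategies;

    @Autowired
    @Qualifier("warnCookieGenerator")
    private ObjectProvider<CasCookieBuilder> warnCookieGenerator;

    @Autowired
    @Qualifier("defaultPrincipalResolver")
    private ObjectProvider<PrincipalResolver> defaultPrincipalResolver;

    /**
     * Splits the configured RADIUS address list into individual addresses.
     *
     * <p>All whitespace is stripped from the configured value before it is
     * split on commas. Empty tokens (for example from a trailing or doubled
     * comma) are discarded, so every returned entry is a non-empty string.
     *
     * @param radiusClientProperties RADIUS client settings holding the
     *     comma-separated address list
     * @return the distinct, non-empty addresses; empty when none is configured
     */
    public static Set<String> getClientIps(RadiusClientProperties radiusClientProperties) {
        Set<String> addresses = StringUtils.commaDelimitedListToSet(
            StringUtils.trimAllWhitespace(radiusClientProperties.getInetAddress()));
        // "a,,b" or "a," would otherwise yield an empty-string entry, which
        // the server beans would pass on to RadiusClientFactory as an address.
        addresses.removeIf(String::isEmpty);
        return addresses;
    }

    /**
     * Creates the principal factory used by the RADIUS authentication handler.
     *
     * @return a new principal factory
     */
    @ConditionalOnMissingBean(name = {"radiusPrincipalFactory"})
    @Bean
    public PrincipalFactory radiusPrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    /**
     * Builds a single RADIUS server bound to the first configured address.
     *
     * @return the RADIUS server for the first address in the list
     * @throws IllegalStateException if the address property is present but
     *     contains no usable address
     */
    @RefreshScope
    @Bean
    public AbstractRadiusServer radiusServer() {
        RadiusProperties radius = this.casProperties.getAuthn().getRadius();
        RadiusClientProperties client = radius.getClient();
        Set<String> clientIps = getClientIps(client);
        // The activating property may be present yet blank; fail with a clear
        // message rather than a bare NoSuchElementException from the iterator.
        if (clientIps.isEmpty()) {
            throw new IllegalStateException(
                "No RADIUS address is defined; unable to create the RADIUS server.");
        }
        return getSingleRadiusServer(client, radius.getServer(), clientIps.iterator().next());
    }

    /**
     * Builds one RADIUS server per configured address.
     *
     * @return the list of RADIUS servers; empty when no address is configured
     */
    @RefreshScope
    @Bean
    public List<RadiusServer> radiusServers() {
        RadiusProperties radius = this.casProperties.getAuthn().getRadius();
        RadiusClientProperties client = radius.getClient();
        RadiusServerProperties server = radius.getServer();
        return getClientIps(client).stream()
            .<RadiusServer>map(address -> getSingleRadiusServer(client, server, address))
            .collect(Collectors.toList());
    }

    /**
     * Creates the RADIUS authentication handler backed by {@link #radiusServers()}.
     *
     * <p>Failover behaviour (on exception and on authentication failure) is
     * taken from the RADIUS properties. Enabling failover on authentication
     * failure means a rejection by one server is followed by an attempt
     * against the next, so all configured servers should enforce the same
     * policy.
     *
     * @return the configured authentication handler
     */
    @ConditionalOnMissingBean(name = {"radiusAuthenticationHandler"})
    @Bean
    public AuthenticationHandler radiusAuthenticationHandler() {
        RadiusProperties radius = this.casProperties.getAuthn().getRadius();
        RadiusAuthenticationHandler handler = new RadiusAuthenticationHandler(
            radius.getName(),
            this.servicesManager.getObject(),
            radiusPrincipalFactory(),
            radiusServers(),
            radius.isFailoverOnException(),
            radius.isFailoverOnAuthenticationFailure());
        handler.setPasswordEncoder(
            PasswordEncoderUtils.newPasswordEncoder(radius.getPasswordEncoder(), this.applicationContext));
        handler.setPrincipalNameTransformer(
            PrincipalNameTransformerUtils.newPrincipalNameTransformer(radius.getPrincipalTransformation()));
        handler.setPasswordPolicyConfiguration(radiusPasswordPolicyConfiguration());
        return handler;
    }

    /**
     * Registers the RADIUS handler in the authentication execution plan.
     *
     * <p>When no address is configured the handler is not registered and a
     * warning is logged, so RADIUS authentication is simply unavailable.
     *
     * @return the execution plan configurer
     */
    @ConditionalOnMissingBean(name = {"radiusAuthenticationEventExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer radiusAuthenticationEventExecutionPlanConfigurer() {
        return plan -> {
            Set<String> clientIps = getClientIps(this.casProperties.getAuthn().getRadius().getClient());
            if (clientIps.isEmpty()) {
                LOGGER.warn("No RADIUS address is defined. RADIUS support will be disabled.");
                return;
            }
            plan.registerAuthenticationHandlerWithPrincipalResolver(
                radiusAuthenticationHandler(), this.defaultPrincipalResolver.getObject());
        };
    }

    /**
     * Creates the password policy context attached to the RADIUS handler.
     *
     * @return a new, default password policy context
     */
    @ConditionalOnMissingBean(name = {"radiusPasswordPolicyConfiguration"})
    @Bean
    public PasswordPolicyContext radiusPasswordPolicyConfiguration() {
        return new PasswordPolicyContext();
    }

    /**
     * Creates the multifactor trigger for RADIUS access challenges.
     *
     * @return the multifactor authentication trigger
     */
    @ConditionalOnMissingBean(name = {"radiusAccessChallengedMultifactorAuthenticationTrigger"})
    @RefreshScope
    @Bean
    public MultifactorAuthenticationTrigger radiusAccessChallengedMultifactorAuthenticationTrigger() {
        return new RadiusAccessChallengedMultifactorAuthenticationTrigger(
            this.casProperties,
            this.multifactorAuthenticationProviderResolver.getObject(),
            this.applicationContext);
    }

    /**
     * Creates the webflow event resolver driven by the RADIUS access-challenge
     * trigger and adds it as a delegate of the initial authentication resolver.
     *
     * @return the webflow event resolver
     */
    @RefreshScope
    @Bean
    public CasWebflowEventResolver radiusAccessChallengedAuthenticationWebflowEventResolver() {
        CasDelegatingWebflowEventResolver initialResolver =
            this.initialAuthenticationAttemptWebflowEventResolver.getObject();
        DefaultMultifactorAuthenticationProviderWebflowEventResolver resolver =
            new DefaultMultifactorAuthenticationProviderWebflowEventResolver(
                CasWebflowEventResolutionConfigurationContext.builder()
                    .casDelegatingWebflowEventResolver(initialResolver)
                    .authenticationContextValidator(this.authenticationContextValidator.getObject())
                    .authenticationSystemSupport(this.authenticationSystemSupport.getObject())
                    .centralAuthenticationService(this.centralAuthenticationService.getObject())
                    .servicesManager(this.servicesManager.getObject())
                    .singleSignOnParticipationStrategy(this.webflowSingleSignOnParticipationStrategy.getObject())
                    .ticketRegistrySupport(this.ticketRegistrySupport.getObject())
                    .warnCookieGenerator(this.warnCookieGenerator.getObject())
                    .authenticationRequestServiceSelectionStrategies(
                        this.authenticationRequestServiceSelectionStrategies.getObject())
                    .registeredServiceAccessStrategyEnforcer(this.registeredServiceAccessStrategyEnforcer.getObject())
                    .casProperties(this.casProperties)
                    .ticketRegistry(this.ticketRegistry.getObject())
                    .applicationContext(this.applicationContext)
                    .build(),
                radiusAccessChallengedMultifactorAuthenticationTrigger());
        LOGGER.debug("Activating MFA event resolver based on RADIUS...");
        // NOTE(review): this bean is refresh-scoped and registers itself as a
        // delegate each time it is instantiated; confirm addDelegate tolerates
        // repeated registration after a context refresh.
        initialResolver.addDelegate(resolver);
        return resolver;
    }

    /**
     * Builds a non-blocking RADIUS server for one address.
     *
     * <p>The client factory receives the accounting port, authentication port,
     * socket timeout, the given address and the shared secret from the client
     * properties. The shared secret is a credential: do not log the properties
     * object or the factory arguments.
     *
     * @param radiusClientProperties client-side settings (ports, timeout, shared secret)
     * @param radiusServerProperties server-side settings (protocol, retries, NAS attributes)
     * @param str the RADIUS address this server talks to
     * @return the configured RADIUS server
     * @throws IllegalArgumentException if the configured protocol name is not a
     *     {@link RadiusProtocol} constant
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static AbstractRadiusServer getSingleRadiusServer(RadiusClientProperties radiusClientProperties, RadiusServerProperties radiusServerProperties, String str) {
        RadiusClientFactory clientFactory = new RadiusClientFactory(
            radiusClientProperties.getAccountingPort(),
            radiusClientProperties.getAuthenticationPort(),
            radiusClientProperties.getSocketTimeout(),
            str,
            radiusClientProperties.getSharedSecret());
        return new NonBlockingRadiusServer(
            RadiusServerConfigurationContext.builder()
                .protocol(RadiusProtocol.valueOf(radiusServerProperties.getProtocol()))
                .radiusClientFactory(clientFactory)
                .retries(radiusServerProperties.getRetries())
                .nasIpAddress(radiusServerProperties.getNasIpAddress())
                .nasIpv6Address(radiusServerProperties.getNasIpv6Address())
                .nasPort(radiusServerProperties.getNasPort())
                .nasPortId(radiusServerProperties.getNasPortId())
                .nasIdentifier(radiusServerProperties.getNasIdentifier())
                .nasRealPort(radiusServerProperties.getNasRealPort())
                .nasPortType(radiusServerProperties.getNasPortType())
                .build());
    }
}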
