package org.apereo.cas.config;

import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apereo.cas.adaptors.radius.RadiusClientFactory;
import org.apereo.cas.adaptors.radius.RadiusProtocol;
import org.apereo.cas.adaptors.radius.RadiusServer;
import org.apereo.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler;
import org.apereo.cas.adaptors.radius.server.AbstractRadiusServer;
import org.apereo.cas.adaptors.radius.server.NonBlockingRadiusServer;
import org.apereo.cas.adaptors.radius.server.RadiusServerConfigurationContext;
import org.apereo.cas.adaptors.radius.web.flow.RadiusAccessChallengedMultifactorAuthenticationTrigger;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.CasSSLContext;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderResolver;
import org.apereo.cas.authentication.MultifactorAuthenticationTrigger;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.PrincipalNameTransformerUtils;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.support.password.PasswordEncoderUtils;
import org.apereo.cas.authentication.support.password.PasswordPolicyContext;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.radius.RadiusClientProperties;
import org.apereo.cas.configuration.model.support.radius.RadiusProperties;
import org.apereo.cas.configuration.model.support.radius.RadiusServerProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.spring.BeanContainer;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext;
import org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderWebflowEventResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.util.StringUtils;

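/**
 * Spring configuration that wires RADIUS authentication into CAS.
 *
 * <p>The configuration is conditional on the {@code cas.authn.radius.client.inet-address}
 * property. That property may hold a comma-separated list of RADIUS server addresses; one
 * {@link RadiusServer} is built per address, all sharing the same client settings
 * (ports, socket timeout, shared secret, transport type and SSL context).
 *
 * <p>Security note: the RADIUS shared secret is read from {@link RadiusClientProperties}
 * and handed to the client factory as-is. Nothing in this class logs it, and new log
 * statements should keep it that way.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@ConditionalOnProperty(name = {"cas.authn.radius.client.inet-address"})
@Configuration(value = "radiusConfiguration", proxyBeanMethods = false)
/* loaded from: input_file:org/apereo/cas/config/RadiusConfiguration.class */
public class RadiusConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(RadiusConfiguration.class);

    /**
     * Splits the configured RADIUS server address list into individual entries.
     *
     * <p>All whitespace is stripped from the raw property value before it is split on commas.
     *
     * @param radiusClientProperties client settings holding the raw {@code inet-address} value
     * @return the set of configured addresses; callers in this class treat an empty set as
     *         "RADIUS not configured"
     */
    static Set<String> getClientIps(RadiusClientProperties radiusClientProperties) {
        String withoutWhitespace = StringUtils.trimAllWhitespace(radiusClientProperties.getInetAddress());
        return StringUtils.commaDelimitedListToSet(withoutWhitespace);
    }

    /**
     * Builds one RADIUS server definition for a single server address.
     *
     * <p>The decompiler reports that this method was {@code private} in the original class;
     * the widened visibility is kept here so the listing stays consistent with the bytecode view.
     *
     * @param radiusClientProperties client settings (ports, timeout, shared secret, transport type)
     * @param radiusServerProperties server settings (protocol, retries and the NAS attributes)
     * @param str the address of the RADIUS server this instance talks to
     * @param casSSLContext SSL context handed to the client factory
     * @return a non-blocking RADIUS server bound to {@code str}
     * @throws IllegalArgumentException if the configured protocol name is not a
     *         {@link RadiusProtocol} constant (raised by {@code valueOf})
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static AbstractRadiusServer getSingleRadiusServer(RadiusClientProperties radiusClientProperties, RadiusServerProperties radiusServerProperties, String str, CasSSLContext casSSLContext) {
        // Fix: the accounting port used to be passed to authenticationPort(...) and was then
        // overwritten by the very next call, so the configured accounting port never reached
        // the factory and accounting traffic silently used the factory's own default.
        RadiusClientFactory clientFactory = RadiusClientFactory.builder()
            .accountingPort(radiusClientProperties.getAccountingPort())
            .authenticationPort(radiusClientProperties.getAuthenticationPort())
            .socketTimeout(radiusClientProperties.getSocketTimeout())
            .inetAddress(str)
            .sharedSecret(radiusClientProperties.getSharedSecret())
            .sslContext(casSSLContext)
            .transportType(radiusClientProperties.getTransportType())
            .build();

        RadiusServerConfigurationContext serverContext = RadiusServerConfigurationContext.builder()
            .protocol(RadiusProtocol.valueOf(radiusServerProperties.getProtocol()))
            .radiusClientFactory(clientFactory)
            .retries(radiusServerProperties.getRetries())
            .nasIpAddress(radiusServerProperties.getNasIpAddress())
            .nasIpv6Address(radiusServerProperties.getNasIpv6Address())
            .nasPort(radiusServerProperties.getNasPort())
            .nasPortId(radiusServerProperties.getNasPortId())
            .nasIdentifier(radiusServerProperties.getNasIdentifier())
            .nasRealPort(radiusServerProperties.getNasRealPort())
            .nasPortType(radiusServerProperties.getNasPortType())
            .build();

        return new NonBlockingRadiusServer(serverContext);
    }

    /**
     * Provides the principal factory used by the RADIUS authentication handler.
     *
     * @return a new default principal factory
     */
    @ConditionalOnMissingBean(name = {"radiusPrincipalFactory"})
    @Bean
    public PrincipalFactory radiusPrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    /**
     * Exposes a single RADIUS server built from the first configured address.
     *
     * @param casConfigurationProperties CAS settings; only {@code authn.radius} is read
     * @param casSSLContext SSL context handed to the RADIUS client
     * @return the server for the first address returned by {@link #getClientIps}
     * @throws java.util.NoSuchElementException if no address is configured
     */
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public AbstractRadiusServer radiusServer(CasConfigurationProperties casConfigurationProperties, @Qualifier("casSslContext") CasSSLContext casSSLContext) {
        RadiusProperties radius = casConfigurationProperties.getAuthn().getRadius();
        RadiusClientProperties client = radius.getClient();
        Set<String> addresses = getClientIps(client);
        if (addresses.isEmpty()) {
            // Same exception type the bare iterator().next() raised, but with a message that
            // points the operator at the setting to fix.
            throw new java.util.NoSuchElementException(
                "cas.authn.radius.client.inet-address does not contain any RADIUS server address");
        }
        return getSingleRadiusServer(client, radius.getServer(), addresses.iterator().next(), casSSLContext);
    }

    /**
     * Exposes one RADIUS server per configured address.
     *
     * @param casSSLContext SSL context handed to every RADIUS client
     * @param casConfigurationProperties CAS settings; only {@code authn.radius} is read
     * @return a container holding one server per address, empty when no address is configured
     */
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public BeanContainer<RadiusServer> radiusServers(@Qualifier("casSslContext") CasSSLContext casSSLContext, CasConfigurationProperties casConfigurationProperties) {
        RadiusProperties radius = casConfigurationProperties.getAuthn().getRadius();
        RadiusClientProperties client = radius.getClient();
        RadiusServerProperties server = radius.getServer();
        // Typed map(...) replaces the raw (List) cast, so the element type is checked by the
        // compiler instead of being trusted at run time.
        List<RadiusServer> servers = getClientIps(client).stream()
            .<RadiusServer>map(address -> getSingleRadiusServer(client, server, address, casSSLContext))
            .collect(Collectors.toList());
        return BeanContainer.of(servers);
    }

    /**
     * Builds the authentication handler that validates credentials against the RADIUS servers.
     *
     * @param casConfigurationProperties CAS settings; only {@code authn.radius} is read
     * @param configurableApplicationContext application context used when creating the password encoder
     * @param principalFactory factory used by the handler to create principals
     * @param beanContainer the configured RADIUS servers
     * @param passwordPolicyContext password policy attached to the handler
     * @param servicesManager services manager passed to the handler
     * @return the configured RADIUS authentication handler
     */
    @ConditionalOnMissingBean(name = {"radiusAuthenticationHandler"})
    @Bean
    public AuthenticationHandler radiusAuthenticationHandler(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext, @Qualifier("radiusPrincipalFactory") PrincipalFactory principalFactory, @Qualifier("radiusServers") BeanContainer<RadiusServer> beanContainer, @Qualifier("radiusPasswordPolicyConfiguration") PasswordPolicyContext passwordPolicyContext, @Qualifier("servicesManager") ServicesManager servicesManager) {
        RadiusProperties radius = casConfigurationProperties.getAuthn().getRadius();
        // NOTE(review): the two failover flags are passed straight through; how the handler
        // moves on to the next server is decided inside RadiusAuthenticationHandler — confirm
        // there that a failed authentication on one server cannot be masked by another.
        RadiusAuthenticationHandler handler = new RadiusAuthenticationHandler(
            radius.getName(),
            servicesManager,
            principalFactory,
            beanContainer.toList(),
            radius.isFailoverOnException(),
            radius.isFailoverOnAuthenticationFailure());
        handler.setState(radius.getState());
        handler.setPasswordEncoder(PasswordEncoderUtils.newPasswordEncoder(radius.getPasswordEncoder(), configurableApplicationContext));
        handler.setPrincipalNameTransformer(PrincipalNameTransformerUtils.newPrincipalNameTransformer(radius.getPrincipalTransformation()));
        handler.setPasswordPolicyConfiguration(passwordPolicyContext);
        return handler;
    }

    /**
     * Registers the RADIUS handler with the authentication execution plan.
     *
     * <p>When no address is configured the handler is not registered and a warning is logged,
     * so RADIUS authentication stays disabled rather than failing later.
     *
     * @param casConfigurationProperties CAS settings; the address list is re-read on each invocation
     * @param authenticationHandler the RADIUS authentication handler
     * @param principalResolver resolver registered together with the handler
     * @return the plan configurer
     */
    @ConditionalOnMissingBean(name = {"radiusAuthenticationEventExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer radiusAuthenticationEventExecutionPlanConfigurer(CasConfigurationProperties casConfigurationProperties, @Qualifier("radiusAuthenticationHandler") AuthenticationHandler authenticationHandler, @Qualifier("defaultPrincipalResolver") PrincipalResolver principalResolver) {
        return authenticationEventExecutionPlan -> {
            Set<String> addresses = getClientIps(casConfigurationProperties.getAuthn().getRadius().getClient());
            if (addresses.isEmpty()) {
                LOGGER.warn("No RADIUS address is defined. RADIUS support will be disabled.");
                return;
            }
            authenticationEventExecutionPlan.registerAuthenticationHandlerWithPrincipalResolver(authenticationHandler, principalResolver);
        };
    }

    /**
     * Provides the password policy context attached to the RADIUS handler.
     *
     * @return a new, default-constructed password policy context
     */
    @ConditionalOnMissingBean(name = {"radiusPasswordPolicyConfiguration"})
    @Bean
    public PasswordPolicyContext radiusPasswordPolicyConfiguration() {
        return new PasswordPolicyContext();
    }

    /**
     * Creates the multifactor trigger for RADIUS access-challenged responses.
     *
     * @param casConfigurationProperties CAS settings passed to the trigger
     * @param configurableApplicationContext application context passed to the trigger
     * @param multifactorAuthenticationProviderResolver resolver passed to the trigger
     * @return the RADIUS access-challenged multifactor trigger
     */
    @ConditionalOnMissingBean(name = {"radiusAccessChallengedMultifactorAuthenticationTrigger"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public MultifactorAuthenticationTrigger radiusAccessChallengedMultifactorAuthenticationTrigger(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext, @Qualifier("multifactorAuthenticationProviderResolver") MultifactorAuthenticationProviderResolver multifactorAuthenticationProviderResolver) {
        return new RadiusAccessChallengedMultifactorAuthenticationTrigger(casConfigurationProperties, multifactorAuthenticationProviderResolver, configurableApplicationContext);
    }

    /**
     * Creates the webflow event resolver driven by the RADIUS multifactor trigger and adds it
     * as a delegate of the initial authentication attempt resolver.
     *
     * @param casDelegatingWebflowEventResolver resolver that receives the new delegate (mutated here)
     * @param multifactorAuthenticationTrigger the RADIUS access-challenged trigger
     * @param casWebflowEventResolutionConfigurationContext webflow configuration passed to the resolver
     * @return the newly created resolver
     */
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public CasWebflowEventResolver radiusAccessChallengedAuthenticationWebflowEventResolver(@Qualifier("initialAuthenticationAttemptWebflowEventResolver") CasDelegatingWebflowEventResolver casDelegatingWebflowEventResolver, @Qualifier("radiusAccessChallengedMultifactorAuthenticationTrigger") MultifactorAuthenticationTrigger multifactorAuthenticationTrigger, @Qualifier("casWebflowConfigurationContext") CasWebflowEventResolutionConfigurationContext casWebflowEventResolutionConfigurationContext) {
        DefaultMultifactorAuthenticationProviderWebflowEventResolver resolver =
            new DefaultMultifactorAuthenticationProviderWebflowEventResolver(casWebflowEventResolutionConfigurationContext, multifactorAuthenticationTrigger);
        LOGGER.debug("Activating MFA event resolver based on RADIUS...");
        casDelegatingWebflowEventResolver.addDelegate(resolver);
        return resolver;
    }
}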
