package org.apereo.cas.support.x509.rest.config;

import lombok.Generated;
import org.apereo.cas.adaptors.x509.authentication.X509CertificateExtractor;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.rest.RestProperties;
import org.apereo.cas.rest.factory.RestHttpRequestCredentialFactory;
import org.apereo.cas.rest.plan.RestHttpRequestCredentialFactoryConfigurer;
import org.apereo.cas.support.x509.rest.X509RestHttpRequestHeaderCredentialFactory;
import org.apereo.cas.support.x509.rest.X509RestMultipartBodyCredentialFactory;
import org.apereo.cas.support.x509.rest.X509RestTlsClientCertCredentialFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;

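/**
 * Wires the X.509 credential factories for the CAS REST protocol.
 *
 * <p>Three ways of presenting a certificate over REST are supported, each
 * switched on by a flag under {@code cas.rest}:
 * <ul>
 *   <li>{@code headerAuth} - the certificate is read from a request header
 *       through the {@code x509CertificateExtractor} bean;</li>
 *   <li>{@code bodyAuth} - the certificate is read from a multipart body;</li>
 *   <li>{@code tlsClientAuth} - the certificate is the one the client
 *       presented during the TLS handshake.</li>
 * </ul>
 *
 * <p>Security note: with {@code headerAuth} and {@code bodyAuth} the caller
 * merely <em>submits</em> a certificate; nothing proves it holds the matching
 * private key, so anyone who can reach the REST endpoint can claim an identity.
 * Only {@code tlsClientAuth} binds the certificate to a key the client has
 * demonstrably used. The configurer below logs a warning whenever one of the
 * header/body modes is enabled, and an additional one when it is combined with
 * {@code tlsClientAuth}.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("x509RestConfiguration")
public class X509RestConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(X509RestConfiguration.class);

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Extractor used by the header-based factory. Resolved through an
     * {@link ObjectProvider} so its absence can be detected instead of
     * failing injection of this configuration class.
     */
    @Autowired
    @Qualifier("x509CertificateExtractor")
    @Lazy
    private ObjectProvider<X509CertificateExtractor> x509CertificateExtractor;

    /**
     * Factory that reads an X.509 certificate from a multipart request body.
     *
     * @return the multipart-body credential factory
     */
    @Bean
    public RestHttpRequestCredentialFactory x509RestMultipartBody() {
        return new X509RestMultipartBodyCredentialFactory();
    }

    /**
     * Factory that reads an X.509 certificate from a request header.
     *
     * <p>NOTE(review): this bean is unconditional, so {@code getObject()} will
     * fail context startup if no {@code x509CertificateExtractor} bean exists,
     * regardless of whether {@code headerAuth} is enabled - confirm the
     * extractor is always present in this deployment.
     *
     * @return the header credential factory
     */
    @Bean
    public RestHttpRequestCredentialFactory x509RestRequestHeader() {
        return new X509RestHttpRequestHeaderCredentialFactory(this.x509CertificateExtractor.getObject());
    }

    /**
     * Factory that takes the certificate from the TLS client-auth handshake.
     * Only created when {@code cas.rest.tlsClientAuth=true}.
     *
     * @return the TLS client-certificate credential factory
     */
    @ConditionalOnProperty(prefix = "cas.rest", name = {"tlsClientAuth"}, havingValue = "true")
    @Bean
    public RestHttpRequestCredentialFactory x509RestTlsClientCert() {
        return new X509RestTlsClientCertCredentialFactory();
    }

    /**
     * Registers the enabled X.509 factories with the chaining REST factory.
     *
     * <p>Registration order is header, body, then TLS client certificate. The
     * extractor is looked up with {@code getIfAvailable()} rather than
     * {@code getObject()}: the latter throws when no bean exists, which made
     * the null guard on the header registration unreachable.
     *
     * @return the configurer callback
     */
    @Bean
    public RestHttpRequestCredentialFactoryConfigurer x509RestHttpRequestCredentialFactoryConfigurer() {
        return chain -> {
            RestProperties rest = this.casProperties.getRest();
            X509CertificateExtractor extractor = this.x509CertificateExtractor.getIfAvailable();
            boolean isHeaderAuth = rest.isHeaderAuth();
            boolean isBodyAuth = rest.isBodyAuth();
            boolean isTlsClientAuth = rest.isTlsClientAuth();
            LOGGER.trace("Is certificate extractor available? = [{}], headerAuth = [{}], bodyAuth = [{}], tlsClientAuth = [{}]",
                extractor, isHeaderAuth, isBodyAuth, isTlsClientAuth);

            // headerAuth/bodyAuth accept a certificate with no proof of private-key
            // possession. The original only warned when tlsClientAuth was also on,
            // leaving the most exposed deployment (header/body auth alone) silent.
            if (isHeaderAuth || isBodyAuth) {
                LOGGER.warn("The X.509 feature over REST using \"headerAuth\" or \"bodyAuth\" provides a tremendously convenient target for claiming user identities or obtaining TGTs without proof of private key ownership. To securely use this feature, network configuration MUST allow connections to the CAS server only from trusted hosts which in turn have strict security limitations and logging.");
                if (isTlsClientAuth) {
                    LOGGER.warn("\"tlsClientAuth\" shouldn't be activated together with \"headerAuth\" or \"bodyAuth\"");
                }
            }

            if (isHeaderAuth) {
                if (extractor != null) {
                    chain.registerCredentialFactory(x509RestRequestHeader());
                } else {
                    // Previously skipped silently; an operator who enabled headerAuth should know it is inert.
                    LOGGER.warn("\"headerAuth\" is enabled but no x509CertificateExtractor bean is available; header-based X.509 credentials will not be accepted");
                }
            }
            if (isBodyAuth) {
                chain.registerCredentialFactory(x509RestMultipartBody());
            }
            if (isTlsClientAuth) {
                chain.registerCredentialFactory(x509RestTlsClientCert());
            }
        };
    }
}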
