package org.apereo.cas.support.x509.rest.config;

import java.util.Objects;
import lombok.Generated;
import org.apereo.cas.adaptors.x509.authentication.X509CertificateExtractor;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.rest.RestX509Properties;
import org.apereo.cas.rest.factory.RestHttpRequestCredentialFactory;
import org.apereo.cas.rest.plan.RestHttpRequestCredentialFactoryConfigurer;
import org.apereo.cas.support.x509.rest.X509RestHttpRequestHeaderCredentialFactory;
import org.apereo.cas.support.x509.rest.X509RestMultipartBodyCredentialFactory;
import org.apereo.cas.support.x509.rest.X509RestTlsClientCertCredentialFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;

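/**
 * Auto-configuration for X.509 credential extraction over the CAS REST protocol.
 *
 * <p>Three credential factories are declared, each taking the client certificate
 * from a different place in the request: a multipart body part, a request header,
 * or the TLS handshake. Declaring them does not activate them; which factories are
 * registered with the chaining factory is decided from {@code cas.rest.x509.*} in
 * {@link X509RestCredentialFactoryPlanConfiguration}.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "x509RestConfiguration", proxyBeanMethods = false)
public class X509RestConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(X509RestConfiguration.class);

    /**
     * Declares the candidate credential factories as beans. Each can be overridden
     * by defining a bean of the same name.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "X509RestCredentialFactoryConfiguration", proxyBeanMethods = false)
    public static class X509RestCredentialFactoryConfiguration {

        /**
         * Factory that reads the certificate from a multipart request body part.
         *
         * @return the multipart-body credential factory
         */
        @ConditionalOnMissingBean(name = {"x509RestMultipartBody"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public RestHttpRequestCredentialFactory x509RestMultipartBody() {
            return new X509RestMultipartBodyCredentialFactory();
        }

        /**
         * Factory that reads the certificate from a request header.
         *
         * @param x509CertificateExtractor extractor used to parse the header value
         * @return the request-header credential factory
         */
        @ConditionalOnMissingBean(name = {"x509RestRequestHeader"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public RestHttpRequestCredentialFactory x509RestRequestHeader(@Qualifier("x509CertificateExtractor") X509CertificateExtractor x509CertificateExtractor) {
            return new X509RestHttpRequestHeaderCredentialFactory(x509CertificateExtractor);
        }

        /**
         * Factory that takes the certificate negotiated in the TLS handshake.
         * Only created when {@code cas.rest.x509.tls-client-auth=true}; otherwise the
         * corresponding {@link ObjectProvider} in the plan configuration is empty.
         *
         * @return the TLS client-certificate credential factory
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnProperty(prefix = "cas.rest.x509", name = {"tls-client-auth"}, havingValue = "true")
        @Bean
        public RestHttpRequestCredentialFactory x509RestTlsClientCert() {
            return new X509RestTlsClientCertCredentialFactory();
        }
    }

    /**
     * Registers the enabled factories with the chaining REST credential factory.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "X509RestCredentialFactoryPlanConfiguration", proxyBeanMethods = false)
    public static class X509RestCredentialFactoryPlanConfiguration {

        /**
         * Builds the configurer that registers exactly the factories enabled under
         * {@code cas.rest.x509}: {@code headerAuth} selects the request-header factory,
         * {@code bodyAuth} the multipart-body factory and {@code tlsClientAuth} the
         * TLS client-certificate factory.
         *
         * <p>The header and body factories accept certificate material supplied by the
         * client itself, so each must be registered only when its own flag is set;
         * registering one of them under another flag silently widens the trust surface.
         *
         * @param objectProvider             provider for the {@code x509RestTlsClientCert} bean (absent unless tls-client-auth is on)
         * @param objectProvider2            provider for the {@code x509RestMultipartBody} bean
         * @param objectProvider3            provider for the {@code x509RestRequestHeader} bean
         * @param x509CertificateExtractor   injected extractor; not consulted by the plan itself
         * @param casConfigurationProperties CAS settings; {@code cas.rest.x509} drives the selection
         * @return configurer that registers each enabled factory with the chaining factory
         */
        @ConditionalOnMissingBean(name = {"x509RestHttpRequestCredentialFactoryConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public RestHttpRequestCredentialFactoryConfigurer x509RestHttpRequestCredentialFactoryConfigurer(@Qualifier("x509RestTlsClientCert") ObjectProvider<RestHttpRequestCredentialFactory> objectProvider, @Qualifier("x509RestMultipartBody") ObjectProvider<RestHttpRequestCredentialFactory> objectProvider2, @Qualifier("x509RestRequestHeader") ObjectProvider<RestHttpRequestCredentialFactory> objectProvider3, @Qualifier("x509CertificateExtractor") X509CertificateExtractor x509CertificateExtractor, CasConfigurationProperties casConfigurationProperties) {
            return chainingRestHttpRequestCredentialFactory -> {
                Objects.requireNonNull(chainingRestHttpRequestCredentialFactory, "chainingRestHttpRequestCredentialFactory");
                final RestX509Properties x509 = casConfigurationProperties.getRest().getX509();
                final boolean isHeaderAuth = x509.isHeaderAuth();
                final boolean isBodyAuth = x509.isBodyAuth();
                final boolean isTlsClientAuth = x509.isTlsClientAuth();
                if (isTlsClientAuth && (isHeaderAuth || isBodyAuth)) {
                    LOGGER.warn("The X.509 feature over REST using \"headerAuth\" or \"bodyAuth\" provides a tremendously convenient target for claiming user identities or obtaining TGTs without proof of private key ownership. To securely use this feature, network configuration MUST allow connections to the CAS server only from trusted hosts which in turn have strict security limitations and logging. Thus, \"tlsClientAuth\" shouldn't be activated together with \"headerAuth\" or \"bodyAuth\"");
                }
                if (isHeaderAuth) {
                    objectProvider3.ifAvailable(chainingRestHttpRequestCredentialFactory::registerCredentialFactory);
                }
                if (isBodyAuth) {
                    // Fix: this branch used to register the request-header provider (objectProvider3)
                    // a second time, so the multipart-body factory was never registered and header
                    // extraction became active even when headerAuth was false.
                    objectProvider2.ifAvailable(chainingRestHttpRequestCredentialFactory::registerCredentialFactory);
                }
                if (isTlsClientAuth) {
                    objectProvider.ifAvailable(chainingRestHttpRequestCredentialFactory::registerCredentialFactory);
                }
            };
        }
    }
}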
