package org.apereo.cas.config;

import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.adaptors.trusted.authentication.principal.PrincipalBearingCredential;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.core.web.tomcat.CasEmbeddedApacheTomcatRemoteUserValveProperties;
import org.apereo.cas.util.RegexUtils;
import org.apereo.cas.util.serialization.ComponentSerializationPlanConfigurer;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.apereo.cas.web.flow.TrustedAuthenticationWebflowConfigurer;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.boot.web.servlet.ServletRegistrationBean;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;

/**
 * Auto-configuration for the "trusted" authentication webflow module.
 *
 * <p>It is active only when the {@code Authentication} feature is enabled for
 * module {@code trusted}. It wires up serialization support for
 * {@link PrincipalBearingCredential}, the trusted-authentication webflow
 * configurer, and a servlet filter that accepts a principal supplied in a
 * request header.
 */
@EnableConfigurationProperties(CasConfigurationProperties.class)
@AutoConfiguration
@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.Authentication, module = "trusted")
public class CasTrustedAuthenticationWebflowAutoConfiguration {

    /**
     * Base beans: serialization plan, webflow configurer and the
     * request-header authentication filter registration.
     */
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    @Configuration(value = "TrustedAuthenticationWebflowBaseConfiguration", proxyBeanMethods = false)
    static class TrustedAuthenticationWebflowBaseConfiguration {

        /**
         * Registers {@link PrincipalBearingCredential} with the component
         * serialization plan.
         *
         * @return a configurer that adds the credential class to the plan
         */
        @ConditionalOnMissingBean(name = "trustedAuthnComponentSerializationPlanConfigurer")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public ComponentSerializationPlanConfigurer trustedAuthnComponentSerializationPlanConfigurer() {
            return plan -> plan.registerSerializableClass(PrincipalBearingCredential.class);
        }

        /**
         * Builds the webflow configurer for trusted authentication.
         *
         * @param configurableApplicationContext the application context
         * @param casConfigurationProperties     the CAS settings
         * @param flowDefinitionRegistry         the login flow registry
         * @param flowBuilderServices            the flow builder services
         * @return the trusted-authentication webflow configurer
         */
        @ConditionalOnMissingBean(name = "trustedWebflowConfigurer")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CasWebflowConfigurer trustedWebflowConfigurer(
                ConfigurableApplicationContext configurableApplicationContext,
                CasConfigurationProperties casConfigurationProperties,
                @Qualifier("loginFlowRegistry") FlowDefinitionRegistry flowDefinitionRegistry,
                @Qualifier("flowBuilderServices") FlowBuilderServices flowBuilderServices) {
            return new TrustedAuthenticationWebflowConfigurer(
                    flowBuilderServices,
                    flowDefinitionRegistry,
                    configurableApplicationContext,
                    casConfigurationProperties);
        }

        /**
         * Registers a {@link RequestHeaderAuthenticationFilter} driven by the
         * embedded Tomcat "remote user valve" settings.
         *
         * <p>Security-relevant behaviour visible in this method:
         * <ul>
         *   <li>The principal is read from the configured request header and is
         *       treated as authenticated whenever it is non-null; no credential
         *       is verified here.</li>
         *   <li>The only gate in front of that decision is the per-request match
         *       of {@code getRemoteAddr()} against the allowed-IP regex.</li>
         *   <li>The registration is disabled when no header name is configured.</li>
         * </ul>
         * Because the header value is the identity, deployments need the fronting
         * proxy to strip or overwrite this header on client-supplied requests and
         * need the allowed-IP pattern to cover only that proxy.
         *
         * @param casConfigurationProperties the CAS settings
         * @return the filter registration, enabled only if a header name is set
         */
        @ConditionalOnMissingBean(name = "casRequestHeaderAuthenticationFilter")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public FilterRegistrationBean<RequestHeaderAuthenticationFilter> casRequestHeaderAuthenticationFilter(
                CasConfigurationProperties casConfigurationProperties) {
            CasEmbeddedApacheTomcatRemoteUserValveProperties valveSettings =
                    casConfigurationProperties.getServer().getTomcat().getRemoteUserValve();

            RequestHeaderAuthenticationFilter headerFilter = new RequestHeaderAuthenticationFilter();
            // "NA" is only a stand-in for a blank header name; in that case the
            // registration below is disabled, so the placeholder is never consulted.
            // Presumably the setter rejects an empty name - confirm.
            headerFilter.setPrincipalRequestHeader(
                    StringUtils.defaultIfBlank(valveSettings.getRemoteUserHeader(), "NA"));
            // A request without the header is passed along instead of failing.
            headerFilter.setExceptionIfHeaderMissing(false);
            // Evaluated per request: the filter acts only for matching peer addresses.
            // NOTE(review): how RegexUtils.matchesIpAddress treats a blank or very
            // broad pattern is not visible here - confirm it fails closed.
            // NOTE(review): getRemoteAddr() is presumably the direct peer unless the
            // container rewrites it from forwarded headers - verify for the deployment.
            headerFilter.setRequiresAuthenticationRequestMatcher(request ->
                    RegexUtils.matchesIpAddress(valveSettings.getAllowedIpAddressRegex(), request.getRemoteAddr()));
            // Trust decision: any non-null principal is marked authenticated.
            headerFilter.setAuthenticationManager(token -> {
                boolean hasPrincipal = token.getPrincipal() != null;
                token.setAuthenticated(hasPrincipal);
                return token;
            });

            FilterRegistrationBean<RequestHeaderAuthenticationFilter> registration =
                    new FilterRegistrationBean<>(headerFilter);
            registration.setName("casRequestHeaderAuthenticationFilter");
            registration.setAsyncSupported(true);
            registration.setOrder(0);
            registration.setEnabled(StringUtils.isNotBlank(valveSettings.getRemoteUserHeader()));
            return registration;
        }
    }

    /**
     * Contributes the trusted-authentication webflow configurer to the
     * webflow execution plan.
     */
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    @Configuration(value = "TrustedAuthenticationWebflowPlanConfiguration", proxyBeanMethods = false)
    static class TrustedAuthenticationWebflowPlanConfiguration {

        /**
         * Registers the {@code trustedWebflowConfigurer} bean with the plan.
         *
         * @param casWebflowConfigurer the trusted-authentication webflow configurer
         * @return a plan configurer that registers the given configurer
         */
        @ConditionalOnMissingBean(name = "trustedCasWebflowExecutionPlanConfigurer")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CasWebflowExecutionPlanConfigurer trustedCasWebflowExecutionPlanConfigurer(
                @Qualifier("trustedWebflowConfigurer") CasWebflowConfigurer casWebflowConfigurer) {
            return plan -> plan.registerWebflowConfigurer(casWebflowConfigurer);
        }
    }
}
