package org.apereo.cas.support.wsfederation.config.support.authentication;

import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.CoreAuthenticationUtils;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.support.cookie.CookieProperties;
import org.apereo.cas.configuration.model.support.wsfed.WsFederationDelegatedCookieProperties;
import org.apereo.cas.configuration.model.support.wsfed.WsFederationDelegationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.wsfederation.WsFederationConfiguration;
import org.apereo.cas.support.wsfederation.attributes.GroovyWsFederationAttributeMutator;
import org.apereo.cas.support.wsfederation.attributes.WsFederationAttributeMutator;
import org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler;
import org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver;
import org.apereo.cas.support.wsfederation.web.WsFederationCookieCipherExecutor;
import org.apereo.cas.support.wsfederation.web.WsFederationCookieGenerator;
import org.apereo.cas.util.cipher.CipherExecutorUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.spring.BeanContainer;
import org.apereo.cas.web.cookie.CasCookieBuilder;
import org.apereo.cas.web.cookie.CookieValueManager;
import org.apereo.cas.web.support.mgmr.DefaultCasCookieValueManager;
import org.apereo.services.persondir.IPersonAttributeDao;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.core.io.Resource;

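@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "WsfedAuthenticationEventExecutionPlanConfiguration", proxyBeanMethods = false)
/**
 * Spring configuration wiring WS-Federation delegated authentication into CAS:
 * one {@link WsFederationConfiguration} per configured identity provider, a principal
 * factory, and an authentication handler (optionally paired with a principal resolver)
 * registered on the authentication event execution plan.
 */
public class WsFedAuthenticationEventExecutionPlanConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(WsFedAuthenticationEventExecutionPlanConfiguration.class);

    /**
     * Registers the WS-Federation authentication handlers with the execution plan.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WsFedAuthenticationEventExecutionPlanBaseConfiguration", proxyBeanMethods = false)
    public static class WsFedAuthenticationEventExecutionPlanBaseConfiguration {

        /**
         * Builds the plan configurer that registers one {@link WsFederationAuthenticationHandler}
         * per identity-provider entry under {@code cas.authn.wsfed}. Entries missing either the
         * identity provider URL or identifier are skipped. When attribute resolution is enabled
         * for an entry, the handler is registered together with a
         * {@link WsFederationCredentialsToPrincipalResolver} bound to the matching configuration.
         *
         * @param casConfigurationProperties CAS settings
         * @param principalFactory           factory used by handlers and resolvers
         * @param beanContainer              the configured {@link WsFederationConfiguration} instances
         * @param iPersonAttributeDao        attribute repository backing the principal resolver
         * @param servicesManager            services manager handed to each handler
         * @return the plan configurer
         * @throws IllegalStateException (at plan-configuration time) when an entry with attribute
         *                               resolution enabled has no matching configuration by URL
         */
        @ConditionalOnMissingBean(name = {"wsfedAuthenticationEventExecutionPlanConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationEventExecutionPlanConfigurer wsfedAuthenticationEventExecutionPlanConfigurer(
            final CasConfigurationProperties casConfigurationProperties,
            @Qualifier("wsfedPrincipalFactory") final PrincipalFactory principalFactory,
            @Qualifier("wsFederationConfigurations") final BeanContainer<WsFederationConfiguration> beanContainer,
            @Qualifier("attributeRepository") final IPersonAttributeDao iPersonAttributeDao,
            @Qualifier("servicesManager") final ServicesManager servicesManager) {
            final PersonDirectoryPrincipalResolverProperties personDirectory = casConfigurationProperties.getPersonDirectory();
            return authenticationEventExecutionPlan -> casConfigurationProperties.getAuthn().getWsfed().stream()
                .filter(WsFedAuthenticationEventExecutionPlanBaseConfiguration::hasIdentityProvider)
                .forEach(wsfed -> {
                    final WsFederationAuthenticationHandler handler = new WsFederationAuthenticationHandler(
                        wsfed.getName(), servicesManager, principalFactory, wsfed.getOrder());
                    if (!wsfed.isAttributeResolverEnabled()) {
                        authenticationEventExecutionPlan.registerAuthenticationHandler(handler);
                        return;
                    }
                    final WsFederationConfiguration configuration = findConfigurationByIdentityProviderUrl(beanContainer, wsfed);
                    // Provider-level principal settings are listed before the global person-directory ones;
                    // presumably earlier entries take precedence — confirm against CoreAuthenticationUtils.
                    final WsFederationCredentialsToPrincipalResolver resolver = CoreAuthenticationUtils.newPersonDirectoryPrincipalResolver(
                        principalFactory,
                        iPersonAttributeDao,
                        CoreAuthenticationUtils.getAttributeMerger(casConfigurationProperties.getAuthn().getAttributeRepository().getCore().getMerger()),
                        WsFederationCredentialsToPrincipalResolver.class,
                        new PersonDirectoryPrincipalResolverProperties[]{wsfed.getPrincipal(), personDirectory});
                    resolver.setConfiguration(configuration);
                    authenticationEventExecutionPlan.registerAuthenticationHandlerWithPrincipalResolver(handler, resolver);
                });
        }

        /**
         * An entry is usable only when both the identity provider URL and identifier are set.
         */
        private static boolean hasIdentityProvider(final WsFederationDelegationProperties wsfed) {
            return StringUtils.isNotBlank(wsfed.getIdentityProviderUrl())
                && StringUtils.isNotBlank(wsfed.getIdentityProviderIdentifier());
        }

        /**
         * Locates the configuration whose identity provider URL matches the entry's URL (case-insensitive).
         * Uses the null-safe commons-lang comparison so a configuration without a URL cannot cause an NPE.
         *
         * @throws IllegalStateException when no configuration matches
         */
        private static WsFederationConfiguration findConfigurationByIdentityProviderUrl(
            final BeanContainer<WsFederationConfiguration> beanContainer,
            final WsFederationDelegationProperties wsfed) {
            return beanContainer.toSet().stream()
                .filter(config -> StringUtils.equalsIgnoreCase(config.getIdentityProviderUrl(), wsfed.getIdentityProviderUrl()))
                .findFirst()
                .orElseThrow(() -> new IllegalStateException(
                    "Unable to find configuration for identity provider " + wsfed.getIdentityProviderUrl()));
        }
    }

    /**
     * Provides the principal factory used by the WS-Federation handlers and resolvers.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WsFedAuthenticationEventExecutionPlanPrincipalConfiguration", proxyBeanMethods = false)
    public static class WsFedAuthenticationEventExecutionPlanPrincipalConfiguration {

        /**
         * @return the default principal factory
         */
        @ConditionalOnMissingBean(name = {"wsfedPrincipalFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public PrincipalFactory wsfedPrincipalFactory() {
            return PrincipalFactoryUtils.newPrincipalFactory();
        }
    }

    /**
     * Translates each {@code cas.authn.wsfed[]} entry into a {@link WsFederationConfiguration}.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WsFedAuthenticationProvidersConfiguration", proxyBeanMethods = false)
    public static class WsFedAuthenticationProvidersConfiguration {

        /**
         * Attribute mutator for an entry: a Groovy mutator when a script location is configured,
         * otherwise the no-op mutator.
         */
        private static WsFederationAttributeMutator getAttributeMutatorForWsFederationConfig(final WsFederationDelegationProperties wsfed) {
            final Resource location = wsfed.getAttributeMutatorScript().getLocation();
            return location == null
                ? WsFederationAttributeMutator.noOp()
                : new GroovyWsFederationAttributeMutator(location);
        }

        /**
         * Builds and initializes the runtime configuration for a single identity provider entry.
         *
         * @param wsfed                        the properties entry
         * @param configurableApplicationContext used to resolve certificate/key resource locations
         * @return the initialized configuration
         * @throws IllegalArgumentException if {@code attributesType} is not a known
         *                                  {@link WsFederationConfiguration.WsFedPrincipalResolutionAttributesType}
         *                                  name ({@code Enum.valueOf} is case-sensitive)
         */
        private static WsFederationConfiguration getWsFederationConfiguration(final WsFederationDelegationProperties wsfed,
                                                                              final ConfigurableApplicationContext configurableApplicationContext) {
            final WsFederationConfiguration configuration = new WsFederationConfiguration();
            configuration.setAttributesType(WsFederationConfiguration.WsFedPrincipalResolutionAttributesType.valueOf(wsfed.getAttributesType()));
            configuration.setIdentityAttribute(wsfed.getIdentityAttribute());
            configuration.setIdentityProviderIdentifier(wsfed.getIdentityProviderIdentifier());
            configuration.setIdentityProviderUrl(wsfed.getIdentityProviderUrl());
            configuration.setTolerance(Beans.newDuration(wsfed.getTolerance()).toMillis());
            configuration.setRelyingPartyIdentifier(wsfed.getRelyingPartyIdentifier());

            // Signing certificates are a list: every comma-separated location is added and all are kept.
            org.springframework.util.StringUtils.commaDelimitedListToSet(wsfed.getSigningCertificateResources())
                .forEach(location -> configuration.getSigningCertificateResources().add(configurableApplicationContext.getResource(location)));

            // The encryption key and certificate are single-valued setters: if a comma-separated list is
            // supplied, earlier entries are silently overwritten and only the last one is effective.
            org.springframework.util.StringUtils.commaDelimitedListToSet(wsfed.getEncryptionPrivateKey())
                .forEach(location -> configuration.setEncryptionPrivateKey(configurableApplicationContext.getResource(location)));
            org.springframework.util.StringUtils.commaDelimitedListToSet(wsfed.getEncryptionCertificate())
                .forEach(location -> configuration.setEncryptionCertificate(configurableApplicationContext.getResource(location)));
            configuration.setEncryptionPrivateKeyPassword(wsfed.getEncryptionPrivateKeyPassword());

            configuration.setAttributeMutator(getAttributeMutatorForWsFederationConfig(wsfed));
            configuration.setAutoRedirect(wsfed.isAutoRedirect());
            configuration.setName(wsfed.getName());
            configuration.setCookieGenerator(getCookieGeneratorForWsFederationConfig(wsfed));
            // The id is optional; when absent the configuration keeps whatever default it was constructed with.
            FunctionUtils.doIfNotNull(wsfed.getId(), configuration::setId);
            configuration.initialize();
            return configuration;
        }

        /**
         * Cookie generator for the delegated-authentication cookie of one entry, backed by the
         * entry's own cookie settings and cipher.
         */
        private static CasCookieBuilder getCookieGeneratorForWsFederationConfig(final WsFederationDelegationProperties wsfed) {
            final WsFederationDelegatedCookieProperties cookie = wsfed.getCookie();
            final CookieValueManager valueManager = new DefaultCasCookieValueManager(getCipherExecutorForWsFederationConfig(cookie), cookie);
            return new WsFederationCookieGenerator(valueManager, (CookieProperties) cookie);
        }

        /**
         * Cipher for the delegated-authentication cookie. When {@code crypto.enabled} is false the
         * cookie is neither signed nor encrypted, so the fallback is logged at WARN rather than INFO:
         * it is a production misconfiguration, not routine information.
         */
        private static CipherExecutor getCipherExecutorForWsFederationConfig(final WsFederationDelegatedCookieProperties cookie) {
            final EncryptionJwtSigningJwtCryptographyProperties crypto = cookie.getCrypto();
            if (crypto.isEnabled()) {
                return CipherExecutorUtils.newStringCipherExecutor(crypto, WsFederationCookieCipherExecutor.class);
            }
            LOGGER.warn("WsFederation delegated authentication cookie encryption/signing is turned off and MAY NOT be safe in a production environment. Consider using other choices to handle encryption, signing and verification of delegated authentication cookie.");
            return CipherExecutor.noOp();
        }

        /**
         * Collects one {@link WsFederationConfiguration} per configured entry.
         *
         * @param configurableApplicationContext used to resolve resource locations
         * @param casConfigurationProperties     CAS settings
         * @return the set of configurations, wrapped in a {@link BeanContainer}
         */
        @ConditionalOnMissingBean(name = {"wsFederationConfigurations"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public BeanContainer<WsFederationConfiguration> wsFederationConfigurations(final ConfigurableApplicationContext configurableApplicationContext,
                                                                                   final CasConfigurationProperties casConfigurationProperties) {
            final Set<WsFederationConfiguration> configurations = new HashSet<>();
            casConfigurationProperties.getAuthn().getWsfed()
                .forEach(wsfed -> configurations.add(getWsFederationConfiguration(wsfed, configurableApplicationContext)));
            return BeanContainer.of(configurations);
        }
    }
}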
