package org.apereo.cas.adaptors.x509.config;

import java.util.Locale;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import net.sf.ehcache.Cache;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.adaptors.x509.authentication.CRLFetcher;
import org.apereo.cas.adaptors.x509.authentication.ResourceCRLFetcher;
import org.apereo.cas.adaptors.x509.authentication.handler.support.X509CredentialsAuthenticationHandler;
import org.apereo.cas.adaptors.x509.authentication.ldap.LdaptiveResourceCRLFetcher;
import org.apereo.cas.adaptors.x509.authentication.principal.X509SerialNumberAndIssuerDNPrincipalResolver;
import org.apereo.cas.adaptors.x509.authentication.principal.X509SerialNumberPrincipalResolver;
import org.apereo.cas.adaptors.x509.authentication.principal.X509SubjectAlternativeNameUPNPrincipalResolver;
import org.apereo.cas.adaptors.x509.authentication.principal.X509SubjectDNPrincipalResolver;
import org.apereo.cas.adaptors.x509.authentication.principal.X509SubjectPrincipalResolver;
import org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker;
import org.apereo.cas.adaptors.x509.authentication.revocation.checker.NoOpRevocationChecker;
import org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker;
import org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.DenyRevocationPolicy;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.RevocationPolicy;
import org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.x509.X509Properties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.LdapUtils;
import org.apereo.cas.util.RegexUtils;
import org.apereo.services.persondir.IPersonAttributeDao;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ResourceLoader;

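/**
 * Spring configuration that wires the X.509 client-certificate authentication
 * handler, its revocation checkers and policies, the CRL fetchers and the
 * principal resolvers from the {@code authn.x509} section of
 * {@link CasConfigurationProperties}.
 *
 * <p>Several beans are selected by free-text settings. How an unrecognised value
 * is treated differs per setting and matters for security:
 * <ul>
 *   <li>revocation <em>policy</em> names fall back to {@link DenyRevocationPolicy}
 *       (see {@link #getRevocationPolicy(String)});</li>
 *   <li>the revocation <em>checker</em> name falls back to
 *       {@link NoOpRevocationChecker}
 *       (see {@link #x509CredentialsAuthenticationHandler()});</li>
 *   <li>the CRL fetcher name falls back to {@link ResourceCRLFetcher}
 *       (see {@link #crlFetcher()}).</li>
 * </ul>
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("x509AuthenticationConfiguration")
public class X509AuthenticationConfiguration {
    /** Radix for which the configured hexadecimal zero-padding flag is honoured. */
    private static final int HEX = 16;

    @Autowired
    private ResourceLoader resourceLoader;

    @Autowired
    @Qualifier("attributeRepository")
    private IPersonAttributeDao attributeRepository;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Creates the "allow" revocation policy.
     *
     * @return a new {@link AllowRevocationPolicy}
     */
    @Bean
    public RevocationPolicy allowRevocationPolicy() {
        return new AllowRevocationPolicy();
    }

    /**
     * Creates the threshold-based policy for expired CRLs, parameterised with the
     * configured revocation policy threshold.
     *
     * @return a new {@link ThresholdExpiredCRLRevocationPolicy}
     */
    @RefreshScope
    @Bean
    public RevocationPolicy thresholdExpiredCRLRevocationPolicy() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        return new ThresholdExpiredCRLRevocationPolicy(x509.getRevocationPolicyThreshold());
    }

    /**
     * Creates the "deny" revocation policy.
     *
     * @return a new {@link DenyRevocationPolicy}
     */
    @Bean
    public RevocationPolicy denyRevocationPolicy() {
        return new DenyRevocationPolicy();
    }

    /**
     * Creates the revocation checker that is backed by a dedicated CRL cache and
     * the configured {@link #crlFetcher()}.
     *
     * <p>The policies applied when a CRL is unavailable or expired come from
     * configuration via {@link #getRevocationPolicy(String)}.
     * NOTE(review): configuring "allow" for either presumably lets authentication
     * proceed without a usable CRL; confirm against {@link AllowRevocationPolicy}
     * before enabling it in production.
     *
     * @return the CRL-distribution-point revocation checker
     */
    @Bean
    public RevocationChecker crlDistributionPointRevocationChecker() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();

        // The random suffix gives every checker instance its own cache name.
        final Cache crlCache = new Cache(
            "CRL" + UUID.randomUUID(),
            x509.getCacheMaxElementsInMemory(),
            x509.isCacheDiskOverflow(),
            x509.isCacheEternal(),
            x509.getCacheTimeToLiveSeconds(),
            x509.getCacheTimeToIdleSeconds());

        return new CRLDistributionPointRevocationChecker(
            x509.isCheckAll(),
            getRevocationPolicy(x509.getCrlUnavailablePolicy()),
            getRevocationPolicy(x509.getCrlExpiredPolicy()),
            crlCache,
            crlFetcher(),
            x509.isThrowOnFetchFailure());
    }

    /**
     * Creates the revocation checker used when revocation checking is turned off.
     *
     * @return a new {@link NoOpRevocationChecker}
     */
    @Bean
    public RevocationChecker noOpRevocationChecker() {
        return new NoOpRevocationChecker();
    }

    /**
     * Creates the CRL fetcher that reads CRLs from Spring resources.
     *
     * @return a new {@link ResourceCRLFetcher}
     */
    @Bean
    public CRLFetcher resourceCrlFetcher() {
        return new ResourceCRLFetcher();
    }

    /**
     * Creates the revocation checker that works from the configured list of CRL
     * resource locations, each resolved through the injected {@link ResourceLoader}.
     *
     * @return the resource-based revocation checker
     */
    @Bean
    public RevocationChecker resourceCrlRevocationChecker() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        return new ResourceCRLRevocationChecker(
            x509.isCheckAll(),
            getRevocationPolicy(x509.getCrlResourceUnavailablePolicy()),
            getRevocationPolicy(x509.getCrlResourceExpiredPolicy()),
            x509.getRefreshIntervalSeconds(),
            crlFetcher(),
            x509.getCrlResources().stream()
                .map(location -> this.resourceLoader.getResource(location))
                .collect(Collectors.toSet()));
    }

    /**
     * Maps a policy name from configuration to a {@link RevocationPolicy}.
     *
     * <p>Matching ignores case and surrounding whitespace. Recognised names are
     * {@code allow}, {@code threshold} and {@code deny}. Any other value resolves
     * to {@link DenyRevocationPolicy}, so a misspelt policy name yields the deny
     * policy rather than the allow policy.
     *
     * @param policy the configured policy name
     * @return the matching policy, or a deny policy for unrecognised names
     * @throws NullPointerException if {@code policy} is {@code null}
     */
    private RevocationPolicy getRevocationPolicy(String policy) {
        switch (normalizeSetting(policy)) {
            case "allow":
                return new AllowRevocationPolicy();
            case "threshold":
                return thresholdExpiredCRLRevocationPolicy();
            case "deny":
            default:
                return new DenyRevocationPolicy();
        }
    }

    /**
     * Selects the CRL fetcher named in configuration.
     *
     * <p>{@code ldap} selects {@link #ldaptiveResourceCRLFetcher()}; {@code resource}
     * and every unrecognised value select {@link #resourceCrlFetcher()}. The value
     * is trimmed before matching, consistent with the other settings in this class.
     *
     * @return the configured CRL fetcher
     */
    @Bean
    public CRLFetcher crlFetcher() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        switch (normalizeSetting(x509.getCrlFetcher())) {
            case "ldap":
                return ldaptiveResourceCRLFetcher();
            case "resource":
            default:
                return resourceCrlFetcher();
        }
    }

    /**
     * Builds the X.509 credentials authentication handler.
     *
     * <p>The revocation checker is chosen by name: {@code resource}, {@code crl} or
     * {@code none}.
     * NOTE(review): an unrecognised name takes the same branch as {@code none} and
     * gets {@link NoOpRevocationChecker}, which by its name performs no revocation
     * check. A typo in this setting therefore disables revocation checking without
     * any error; validate the value at deployment time.
     *
     * <p>The trusted-issuer and subject DN patterns are compiled only when the
     * corresponding setting is non-blank; otherwise {@code null} is passed to the
     * handler.
     * NOTE(review): how the handler treats a {@code null} pattern is not visible
     * here; confirm it does not widen the set of accepted issuers or subjects
     * beyond what is intended.
     *
     * @return the configured authentication handler
     */
    @RefreshScope
    @Bean
    public AuthenticationHandler x509CredentialsAuthenticationHandler() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();

        final RevocationChecker revocationChecker;
        switch (normalizeSetting(x509.getRevocationChecker())) {
            case "resource":
                revocationChecker = resourceCrlRevocationChecker();
                break;
            case "crl":
                revocationChecker = crlDistributionPointRevocationChecker();
                break;
            case "none":
            default:
                revocationChecker = noOpRevocationChecker();
                break;
        }

        return new X509CredentialsAuthenticationHandler(
            x509.getName(),
            this.servicesManager,
            x509PrincipalFactory(),
            StringUtils.isNotBlank(x509.getRegExTrustedIssuerDnPattern())
                ? RegexUtils.createPattern(x509.getRegExTrustedIssuerDnPattern())
                : null,
            x509.getMaxPathLength(),
            x509.isMaxPathLengthAllowUnspecified(),
            x509.isCheckKeyUsage(),
            x509.isRequireKeyUsage(),
            StringUtils.isNotBlank(x509.getRegExSubjectDnPattern())
                ? RegexUtils.createPattern(x509.getRegExSubjectDnPattern())
                : null,
            revocationChecker);
    }

    /**
     * Creates the CRL fetcher that retrieves CRLs over LDAP, using the connection
     * settings, base DN, search filter and certificate attribute from the
     * {@code ldap} section of the X.509 configuration.
     *
     * @return the LDAP-backed CRL fetcher
     */
    @Bean
    public CRLFetcher ldaptiveResourceCRLFetcher() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        return new LdaptiveResourceCRLFetcher(
            LdapUtils.newLdaptiveConnectionConfig(x509.getLdap()),
            LdapUtils.newLdaptiveSearchExecutor(x509.getLdap().getBaseDn(), x509.getLdap().getSearchFilter()),
            x509.getLdap().getCertificateAttribute());
    }

    /**
     * Creates the resolver that derives the principal from the certificate subject
     * according to the configured principal descriptor.
     *
     * @return the subject principal resolver
     */
    @RefreshScope
    @Bean
    public PrincipalResolver x509SubjectPrincipalResolver() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        return new X509SubjectPrincipalResolver(
            this.attributeRepository,
            x509PrincipalFactory(),
            x509.getPrincipal().isReturnNull(),
            x509.getPrincipal().getPrincipalAttribute(),
            x509.getPrincipalDescriptor());
    }

    /**
     * Creates the resolver based on the certificate subject DN.
     *
     * @return the subject DN principal resolver
     */
    @RefreshScope
    @Bean
    public PrincipalResolver x509SubjectDNPrincipalResolver() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        return new X509SubjectDNPrincipalResolver(
            this.attributeRepository,
            x509PrincipalFactory(),
            x509.getPrincipal().isReturnNull(),
            x509.getPrincipal().getPrincipalAttribute());
    }

    /**
     * Creates the resolver based on the UPN in the subject alternative name.
     *
     * @return the subject-alternative-name UPN principal resolver
     */
    @RefreshScope
    @Bean
    public PrincipalResolver x509SubjectAlternativeNameUPNPrincipalResolver() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        return new X509SubjectAlternativeNameUPNPrincipalResolver(
            this.attributeRepository,
            x509PrincipalFactory(),
            x509.getPrincipal().isReturnNull(),
            x509.getPrincipal().getPrincipalAttribute());
    }

    /**
     * Creates the resolver based on the certificate serial number.
     *
     * <p>A configured radix outside {@link Character#MIN_RADIX}..{@link Character#MAX_RADIX}
     * is ignored and the resolver is built without an explicit radix. Within that
     * range the radix is passed on, and the zero-padding flag is taken from
     * configuration only for radix 16; for every other radix it is {@code false}.
     *
     * @return the serial number principal resolver
     */
    @RefreshScope
    @Bean
    public PrincipalResolver x509SerialNumberPrincipalResolver() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        final int radix = x509.getPrincipalSNRadix();

        if (radix < Character.MIN_RADIX || radix > Character.MAX_RADIX) {
            return new X509SerialNumberPrincipalResolver(
                this.attributeRepository,
                x509PrincipalFactory(),
                x509.getPrincipal().isReturnNull(),
                x509.getPrincipal().getPrincipalAttribute());
        }

        final boolean zeroPadding = radix == HEX && x509.isPrincipalHexSNZeroPadding();
        return new X509SerialNumberPrincipalResolver(
            this.attributeRepository,
            x509PrincipalFactory(),
            x509.getPrincipal().isReturnNull(),
            x509.getPrincipal().getPrincipalAttribute(),
            radix,
            zeroPadding);
    }

    /**
     * Creates the principal factory used by the X.509 handler and resolvers, unless
     * a bean named {@code x509PrincipalFactory} is already defined.
     *
     * @return a new {@link DefaultPrincipalFactory}
     */
    @ConditionalOnMissingBean(name = {"x509PrincipalFactory"})
    @Bean
    public PrincipalFactory x509PrincipalFactory() {
        return new DefaultPrincipalFactory();
    }

    /**
     * Creates the resolver that combines the certificate serial number and the
     * issuer DN, using the configured serial number prefix and value delimiter.
     *
     * @return the serial-number-and-issuer-DN principal resolver
     */
    @RefreshScope
    @Bean
    public PrincipalResolver x509SerialNumberAndIssuerDNPrincipalResolver() {
        final X509Properties x509 = this.casProperties.getAuthn().getX509();
        return new X509SerialNumberAndIssuerDNPrincipalResolver(
            this.attributeRepository,
            x509PrincipalFactory(),
            x509.getPrincipal().isReturnNull(),
            x509.getPrincipal().getPrincipalAttribute(),
            x509.getSerialNumberPrefix(),
            x509.getValueDelimiter());
    }

    /**
     * Registers the X.509 authentication handler with the principal resolver that
     * matches the configured principal type, unless a bean named
     * {@code x509AuthenticationEventExecutionPlanConfigurer} is already defined.
     *
     * <p>Principal types other than {@code SERIAL_NO}, {@code SERIAL_NO_DN},
     * {@code SUBJECT} and {@code SUBJECT_ALT_NAME} use the subject DN resolver.
     * When no principal type is configured the handler is registered with a
     * {@code null} resolver.
     * NOTE(review): what the execution plan does with a {@code null} resolver is
     * not visible here; confirm how the principal is then established.
     *
     * @return the execution plan configurer
     */
    @ConditionalOnMissingBean(name = {"x509AuthenticationEventExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer x509AuthenticationEventExecutionPlanConfigurer() {
        return plan -> {
            final X509Properties.PrincipalTypes principalType =
                this.casProperties.getAuthn().getX509().getPrincipalType();

            PrincipalResolver resolver = null;
            if (principalType != null) {
                switch (principalType) {
                    case SERIAL_NO:
                        resolver = x509SerialNumberPrincipalResolver();
                        break;
                    case SERIAL_NO_DN:
                        resolver = x509SerialNumberAndIssuerDNPrincipalResolver();
                        break;
                    case SUBJECT:
                        resolver = x509SubjectPrincipalResolver();
                        break;
                    case SUBJECT_ALT_NAME:
                        resolver = x509SubjectAlternativeNameUPNPrincipalResolver();
                        break;
                    default:
                        resolver = x509SubjectDNPrincipalResolver();
                        break;
                }
            }
            plan.registerAuthenticationHandlerWithPrincipalResolver(x509CredentialsAuthenticationHandler(), resolver);
        };
    }

    /**
     * Normalises a free-text setting for keyword matching: surrounding whitespace
     * is removed and the text is lower-cased with {@link Locale#ROOT}, so matching
     * does not depend on the JVM's default locale.
     *
     * @param value the raw setting
     * @return the trimmed, lower-cased setting
     * @throws NullPointerException if {@code value} is {@code null}
     */
    private static String normalizeSetting(String value) {
        return value.trim().toLowerCase(Locale.ROOT);
    }
}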
