package org.apereo.cas.config.support.authentication;

import com.yubico.client.v2.YubicoClient;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.adaptors.yubikey.DefaultYubiKeyAccountValidator;
import org.apereo.cas.adaptors.yubikey.YubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.YubiKeyAccountValidator;
import org.apereo.cas.adaptors.yubikey.YubiKeyAuthenticationHandler;
import org.apereo.cas.adaptors.yubikey.YubiKeyMultifactorAuthenticationProvider;
import org.apereo.cas.adaptors.yubikey.registry.JsonYubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.registry.OpenYubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.registry.WhitelistYubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.web.flow.YubiKeyAccountCheckRegistrationAction;
import org.apereo.cas.adaptors.yubikey.web.flow.YubiKeyAccountSaveRegistrationAction;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderBypass;
import org.apereo.cas.authentication.MultifactorAuthenticationUtils;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.mfa.YubiKeyMultifactorProperties;
import org.apereo.cas.services.MultifactorAuthenticationProvider;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.http.HttpClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.webflow.execution.Action;

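/**
 * Spring configuration that wires the YubiKey multifactor authentication beans:
 * the Yubico validation client, the account registry, the authentication handler,
 * the multifactor provider with its bypass evaluator, and the webflow registration actions.
 *
 * <p>All settings are read from {@code casProperties.getAuthn().getMfa().getYubikey()}.
 * The secret key read from there is handed to {@link YubicoClient} only; it must never be
 * added to a log statement or an exception message in this class.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("yubikeyAuthenticationEventExecutionPlanConfiguration")
public class YubiKeyAuthenticationEventExecutionPlanConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(YubiKeyAuthenticationEventExecutionPlanConfiguration.class);

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    @Qualifier("noRedirectHttpClient")
    private HttpClient httpClient;

    /**
     * Tells whether a usable Yubico client id is configured.
     *
     * <p>The id is a boxed value, so an explicitly unset property would otherwise surface
     * as a {@link NullPointerException} on unboxing instead of a clear configuration error.
     *
     * @param yubikey the YubiKey multifactor settings
     * @return {@code true} when the client id is present and strictly positive
     */
    private static boolean hasClientId(final YubiKeyMultifactorProperties yubikey) {
        final Integer clientId = yubikey.getClientId();
        return clientId != null && clientId > 0;
    }

    /**
     * Builds the metadata populator that ties the configured authentication context attribute
     * to the YubiKey handler and provider.
     *
     * @return the metadata populator
     */
    @RefreshScope
    @Bean
    public AuthenticationMetaDataPopulator yubikeyAuthenticationMetaDataPopulator() {
        final String contextAttribute = this.casProperties.getAuthn().getMfa().getAuthenticationContextAttribute();
        return new AuthenticationContextAttributeMetaDataPopulator(contextAttribute, yubikeyAuthenticationHandler(), yubikeyAuthenticationProvider());
    }

    /**
     * Builds the bypass evaluator from the YubiKey bypass settings.
     *
     * <p>NOTE(review): bypass rules decide when the second factor is skipped; the rules
     * themselves live in configuration and are not visible here, so review them with the
     * same care as the factor itself.
     *
     * @return the bypass evaluator
     */
    @RefreshScope
    @Bean
    public MultifactorAuthenticationProviderBypass yubikeyBypassEvaluator() {
        return MultifactorAuthenticationUtils.newMultifactorAuthenticationProviderBypass(this.casProperties.getAuthn().getMfa().getYubikey().getBypass());
    }

    /**
     * Provides the principal factory used by the YubiKey handler unless one is already defined.
     *
     * @return a default principal factory
     */
    @ConditionalOnMissingBean(name = {"yubikeyPrincipalFactory"})
    @Bean
    public PrincipalFactory yubikeyPrincipalFactory() {
        return new DefaultPrincipalFactory();
    }

    /**
     * Creates the Yubico validation client from the configured client id and secret key.
     *
     * @return the configured client
     * @throws IllegalArgumentException when the secret key is blank, or the client id is
     *                                  missing or not strictly positive
     */
    @ConditionalOnMissingBean(name = {"yubicoClient"})
    @RefreshScope
    @Bean
    public YubicoClient yubicoClient() {
        final YubiKeyMultifactorProperties yubikey = this.casProperties.getAuthn().getMfa().getYubikey();
        // Fail closed: refuse to build a client that cannot authenticate to the validation service.
        if (StringUtils.isBlank(yubikey.getSecretKey())) {
            throw new IllegalArgumentException("Yubikey secret key cannot be blank");
        }
        if (!hasClientId(yubikey)) {
            throw new IllegalArgumentException("Yubikey client id is undefined");
        }
        final YubicoClient client = YubicoClient.getClient(yubikey.getClientId(), yubikey.getSecretKey());
        if (!yubikey.getApiUrls().isEmpty()) {
            // NOTE(review): these URLs replace the client's validation endpoints and are passed
            // through unvalidated; confirm every entry is an HTTPS endpoint the operator trusts.
            client.setWsapiUrls((String[]) yubikey.getApiUrls().toArray(new String[0]));
        }
        return client;
    }

    /**
     * Creates the YubiKey authentication handler unless one is already defined.
     *
     * @return the authentication handler
     */
    @ConditionalOnMissingBean(name = {"yubikeyAuthenticationHandler"})
    @RefreshScope
    @Bean
    public AuthenticationHandler yubikeyAuthenticationHandler() {
        final String handlerName = this.casProperties.getAuthn().getMfa().getYubikey().getName();
        return new YubiKeyAuthenticationHandler(handlerName, this.servicesManager, yubikeyPrincipalFactory(), yubicoClient(), yubiKeyAccountRegistry());
    }

    /**
     * Creates the webflow action that checks device registration against the account registry.
     *
     * @return the registration-check action
     */
    @RefreshScope
    @Bean
    public Action yubiKeyAccountRegistrationAction() {
        return new YubiKeyAccountCheckRegistrationAction(yubiKeyAccountRegistry());
    }

    /**
     * Creates the webflow action that saves a device registration to the account registry.
     *
     * @return the registration-save action
     */
    @RefreshScope
    @Bean
    public Action yubiKeySaveAccountRegistrationAction() {
        return new YubiKeyAccountSaveRegistrationAction(yubiKeyAccountRegistry());
    }

    /**
     * Creates the account validator backed by the Yubico client unless one is already defined.
     *
     * @return the account validator
     */
    @ConditionalOnMissingBean(name = {"yubiKeyAccountValidator"})
    @RefreshScope
    @Bean
    public YubiKeyAccountValidator yubiKeyAccountValidator() {
        return new DefaultYubiKeyAccountValidator(yubicoClient());
    }

    /**
     * Selects the account registry unless one is already defined. Precedence: a JSON file,
     * then the statically configured allowed-devices map, then an open registry.
     *
     * <p>The open registry is the fallback when neither setting is present. As the warning
     * logged below states, every credential is then considered eligible for YubiKey
     * authentication, so deployments that need devices bound to accounts must configure
     * one of the other registries or supply their own bean.
     *
     * @return the account registry
     */
    @ConditionalOnMissingBean(name = {"yubiKeyAccountRegistry"})
    @RefreshScope
    @Bean
    public YubiKeyAccountRegistry yubiKeyAccountRegistry() {
        final YubiKeyMultifactorProperties yubikey = this.casProperties.getAuthn().getMfa().getYubikey();
        if (yubikey.getJsonFile() != null) {
            LOGGER.debug("Using JSON resource [{}] as the YubiKey account registry", yubikey.getJsonFile());
            return new JsonYubiKeyAccountRegistry(yubikey.getJsonFile(), yubiKeyAccountValidator());
        }
        if (yubikey.getAllowedDevices() != null) {
            // Only the map keys are logged, never the values.
            // presumably keys are account identifiers and values device ids; verify against the properties class
            LOGGER.debug("Using statically-defined devices for [{}] as the YubiKey account registry", yubikey.getAllowedDevices().keySet());
            return new WhitelistYubiKeyAccountRegistry(yubikey.getAllowedDevices(), yubiKeyAccountValidator());
        }
        LOGGER.warn("All credentials are considered eligible for YubiKey authentication. Consider providing an account registry implementation via [{}]", YubiKeyAccountRegistry.class.getName());
        return new OpenYubiKeyAccountRegistry();
    }

    /**
     * Creates the YubiKey multifactor provider and applies the bypass evaluator, the global
     * failure mode, the rank and the id taken from configuration.
     *
     * @return the multifactor authentication provider
     */
    @RefreshScope
    @Bean
    public MultifactorAuthenticationProvider yubikeyAuthenticationProvider() {
        final YubiKeyMultifactorProperties yubikey = this.casProperties.getAuthn().getMfa().getYubikey();
        final YubiKeyMultifactorAuthenticationProvider provider = new YubiKeyMultifactorAuthenticationProvider(yubicoClient(), this.httpClient);
        provider.setBypassEvaluator(yubikeyBypassEvaluator());
        // NOTE(review): the failure mode is shared across MFA providers; what each mode does when
        // the provider is unavailable is defined elsewhere, so confirm it does not fail open.
        provider.setGlobalFailureMode(this.casProperties.getAuthn().getMfa().getGlobalFailureMode());
        provider.setOrder(yubikey.getRank());
        provider.setId(yubikey.getId());
        return provider;
    }

    /**
     * Registers the YubiKey handler and metadata populator with the authentication execution
     * plan, but only when both a client id and a secret key are configured.
     *
     * @return the execution plan configurer
     */
    @ConditionalOnMissingBean(name = {"yubikeyAuthenticationEventExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer yubikeyAuthenticationEventExecutionPlanConfigurer() {
        return authenticationEventExecutionPlan -> {
            final YubiKeyMultifactorProperties yubikey = this.casProperties.getAuthn().getMfa().getYubikey();
            if (!hasClientId(yubikey) || StringUtils.isBlank(yubikey.getSecretKey())) {
                // Make the skip visible: an operator who believes this factor is active should be
                // able to see in the logs that the handler was never registered.
                LOGGER.warn("YubiKey client id or secret key is undefined; the YubiKey authentication handler is not registered");
                return;
            }
            authenticationEventExecutionPlan.registerAuthenticationHandler(yubikeyAuthenticationHandler());
            authenticationEventExecutionPlan.registerMetadataPopulator(yubikeyAuthenticationMetaDataPopulator());
        };
    }
}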
