package org.apereo.cas.config;

import com.yubico.client.v2.YubicoClient;
import java.time.Clock;
import java.time.ZonedDateTime;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.function.Function;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.adaptors.yubikey.DefaultYubiKeyAccountValidator;
import org.apereo.cas.adaptors.yubikey.YubiKeyAccount;
import org.apereo.cas.adaptors.yubikey.YubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.YubiKeyAccountValidator;
import org.apereo.cas.adaptors.yubikey.YubiKeyAuthenticationHandler;
import org.apereo.cas.adaptors.yubikey.YubiKeyCredential;
import org.apereo.cas.adaptors.yubikey.YubiKeyMultifactorAuthenticationProvider;
import org.apereo.cas.adaptors.yubikey.YubiKeyRegisteredDevice;
import org.apereo.cas.adaptors.yubikey.registry.JsonYubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.registry.OpenYubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.registry.PermissiveYubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.registry.RestfulYubiKeyAccountRegistry;
import org.apereo.cas.adaptors.yubikey.registry.YubiKeyAccountRegistryEndpoint;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.MultifactorAuthenticationFailureModeEvaluator;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.bypass.MultifactorAuthenticationProviderBypassEvaluator;
import org.apereo.cas.authentication.handler.ByCredentialTypeAuthenticationHandlerResolver;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.metadata.MultifactorAuthenticationProviderMetadataPopulator;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.mfa.yubikey.YubiKeyMultifactorAuthenticationProperties;
import org.apereo.cas.configuration.support.CasFeatureModule;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.http.HttpClient;
import org.apereo.cas.util.spring.boot.ConditionalOnFeature;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnAvailableEndpoint;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ScopedProxyMode;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@ConditionalOnFeature(feature = CasFeatureModule.FeatureCatalog.YubiKey)
@AutoConfiguration
/* loaded from: input_file:org/apereo/cas/config/YubiKeyAuthenticationEventExecutionPlanConfiguration.class */
public class YubiKeyAuthenticationEventExecutionPlanConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(YubiKeyAuthenticationEventExecutionPlanConfiguration.class);

    @ConditionalOnMissingBean(name = {"yubikeyMultifactorProviderAuthenticationMetadataPopulator"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public AuthenticationMetaDataPopulator yubikeyMultifactorProviderAuthenticationMetadataPopulator(@Qualifier("servicesManager") ServicesManager servicesManager, CasConfigurationProperties casConfigurationProperties, @Qualifier("yubikeyMultifactorAuthenticationProvider") ObjectProvider<MultifactorAuthenticationProvider> objectProvider) {
        return new MultifactorAuthenticationProviderMetadataPopulator(casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(), objectProvider, servicesManager);
    }

    @ConditionalOnMissingBean(name = {"yubikeyAuthenticationMetaDataPopulator"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public AuthenticationMetaDataPopulator yubikeyAuthenticationMetaDataPopulator(CasConfigurationProperties casConfigurationProperties, @Qualifier("yubikeyAuthenticationHandler") AuthenticationHandler authenticationHandler, @Qualifier("yubikeyMultifactorAuthenticationProvider") MultifactorAuthenticationProvider multifactorAuthenticationProvider) {
        return new AuthenticationContextAttributeMetaDataPopulator(casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(), authenticationHandler, multifactorAuthenticationProvider.getId());
    }

    @ConditionalOnMissingBean(name = {"yubikeyPrincipalFactory"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public PrincipalFactory yubikeyPrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    @ConditionalOnMissingBean(name = {"yubicoClient"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public YubicoClient yubicoClient(CasConfigurationProperties casConfigurationProperties) {
        YubiKeyMultifactorAuthenticationProperties yubikey = casConfigurationProperties.getAuthn().getMfa().getYubikey();
        YubicoClient client = YubicoClient.getClient(yubikey.getClientId(), yubikey.getSecretKey());
        if (!yubikey.getApiUrls().isEmpty()) {
            client.setWsapiUrls((String[]) yubikey.getApiUrls().toArray(ArrayUtils.EMPTY_STRING_ARRAY));
        }
        return client;
    }

    @ConditionalOnMissingBean(name = {"yubikeyAuthenticationHandler"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public AuthenticationHandler yubikeyAuthenticationHandler(CasConfigurationProperties casConfigurationProperties, @Qualifier("yubikeyPrincipalFactory") PrincipalFactory principalFactory, @Qualifier("yubicoClient") YubicoClient yubicoClient, @Qualifier("yubiKeyAccountRegistry") YubiKeyAccountRegistry yubiKeyAccountRegistry, @Qualifier("yubikeyMultifactorAuthenticationProvider") ObjectProvider<MultifactorAuthenticationProvider> objectProvider, @Qualifier("servicesManager") ServicesManager servicesManager) {
        YubiKeyMultifactorAuthenticationProperties yubikey = casConfigurationProperties.getAuthn().getMfa().getYubikey();
        return new YubiKeyAuthenticationHandler(yubikey.getName(), servicesManager, principalFactory, yubicoClient, yubiKeyAccountRegistry, Integer.valueOf(yubikey.getOrder()), objectProvider);
    }

    @ConditionalOnMissingBean(name = {"yubiKeyAccountValidator"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public YubiKeyAccountValidator yubiKeyAccountValidator(@Qualifier("yubicoClient") YubicoClient yubicoClient) {
        return new DefaultYubiKeyAccountValidator(yubicoClient);
    }

    @ConditionalOnMissingBean(name = {"yubiKeyAccountRegistry"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public YubiKeyAccountRegistry yubiKeyAccountRegistry(CasConfigurationProperties casConfigurationProperties, @Qualifier("yubiKeyAccountValidator") YubiKeyAccountValidator yubiKeyAccountValidator, @Qualifier("yubicoClient") YubicoClient yubicoClient, @Qualifier("yubikeyAccountCipherExecutor") CipherExecutor cipherExecutor) {
        YubiKeyMultifactorAuthenticationProperties yubikey = casConfigurationProperties.getAuthn().getMfa().getYubikey();
        if (yubikey.getJsonFile() != null) {
            LOGGER.debug("Using JSON resource [{}] as the YubiKey account registry", yubikey.getJsonFile());
            JsonYubiKeyAccountRegistry jsonYubiKeyAccountRegistry = new JsonYubiKeyAccountRegistry(yubikey.getJsonFile(), yubiKeyAccountValidator);
            jsonYubiKeyAccountRegistry.setCipherExecutor(cipherExecutor);
            return jsonYubiKeyAccountRegistry;
        }
        if (StringUtils.isNotBlank(yubikey.getRest().getUrl())) {
            LOGGER.debug("Using REST API resource [{}] as the YubiKey account registry", yubikey.getRest().getUrl());
            RestfulYubiKeyAccountRegistry restfulYubiKeyAccountRegistry = new RestfulYubiKeyAccountRegistry(yubikey.getRest(), yubiKeyAccountValidator);
            restfulYubiKeyAccountRegistry.setCipherExecutor(cipherExecutor);
            return restfulYubiKeyAccountRegistry;
        }
        if (yubikey.getAllowedDevices() == null || yubikey.getAllowedDevices().isEmpty()) {
            LOGGER.warn("All credentials are considered eligible for YubiKey authentication. Consider providing an account registry implementation via [{}]", YubiKeyAccountRegistry.class.getName());
            OpenYubiKeyAccountRegistry openYubiKeyAccountRegistry = new OpenYubiKeyAccountRegistry(new DefaultYubiKeyAccountValidator(yubicoClient));
            openYubiKeyAccountRegistry.setCipherExecutor(cipherExecutor);
            return openYubiKeyAccountRegistry;
        }
        LOGGER.debug("Using statically-defined devices for [{}] as the YubiKey account registry", yubikey.getAllowedDevices().keySet());
        PermissiveYubiKeyAccountRegistry permissiveYubiKeyAccountRegistry = new PermissiveYubiKeyAccountRegistry((Map) yubikey.getAllowedDevices().entrySet().stream().map(entry -> {
            return YubiKeyAccount.builder().id(System.currentTimeMillis()).username((String) entry.getKey()).devices(List.of(YubiKeyRegisteredDevice.builder().publicId((String) entry.getValue()).name(UUID.randomUUID().toString()).registrationDate(ZonedDateTime.now(Clock.systemUTC())).build())).build();
        }).collect(Collectors.toMap((v0) -> {
            return v0.getUsername();
        }, Function.identity())), yubiKeyAccountValidator);
        permissiveYubiKeyAccountRegistry.setCipherExecutor(CipherExecutor.noOpOfSerializableToString());
        return permissiveYubiKeyAccountRegistry;
    }

    @ConditionalOnAvailableEndpoint
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public YubiKeyAccountRegistryEndpoint yubiKeyAccountRegistryEndpoint(CasConfigurationProperties casConfigurationProperties, @Qualifier("yubiKeyAccountRegistry") ObjectProvider<YubiKeyAccountRegistry> objectProvider) {
        return new YubiKeyAccountRegistryEndpoint(casConfigurationProperties, objectProvider);
    }

    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public MultifactorAuthenticationProvider yubikeyMultifactorAuthenticationProvider(CasConfigurationProperties casConfigurationProperties, @Qualifier("yubicoClient") YubicoClient yubicoClient, @Qualifier("httpClient") HttpClient httpClient, @Qualifier("yubikeyBypassEvaluator") MultifactorAuthenticationProviderBypassEvaluator multifactorAuthenticationProviderBypassEvaluator, @Qualifier("failureModeEvaluator") MultifactorAuthenticationFailureModeEvaluator multifactorAuthenticationFailureModeEvaluator) {
        YubiKeyMultifactorAuthenticationProperties yubikey = casConfigurationProperties.getAuthn().getMfa().getYubikey();
        YubiKeyMultifactorAuthenticationProvider yubiKeyMultifactorAuthenticationProvider = new YubiKeyMultifactorAuthenticationProvider(yubicoClient, httpClient);
        yubiKeyMultifactorAuthenticationProvider.setBypassEvaluator(multifactorAuthenticationProviderBypassEvaluator);
        yubiKeyMultifactorAuthenticationProvider.setFailureMode(yubikey.getFailureMode());
        yubiKeyMultifactorAuthenticationProvider.setFailureModeEvaluator(multifactorAuthenticationFailureModeEvaluator);
        yubiKeyMultifactorAuthenticationProvider.setOrder(yubikey.getRank());
        yubiKeyMultifactorAuthenticationProvider.setId(yubikey.getId());
        return yubiKeyMultifactorAuthenticationProvider;
    }

    @ConditionalOnMissingBean(name = {"yubikeyAuthenticationEventExecutionPlanConfigurer"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public AuthenticationEventExecutionPlanConfigurer yubikeyAuthenticationEventExecutionPlanConfigurer(CasConfigurationProperties casConfigurationProperties, @Qualifier("yubikeyMultifactorProviderAuthenticationMetadataPopulator") AuthenticationMetaDataPopulator authenticationMetaDataPopulator, @Qualifier("yubikeyAuthenticationHandler") AuthenticationHandler authenticationHandler, @Qualifier("yubikeyAuthenticationMetaDataPopulator") AuthenticationMetaDataPopulator authenticationMetaDataPopulator2) {
        return authenticationEventExecutionPlan -> {
            YubiKeyMultifactorAuthenticationProperties yubikey = casConfigurationProperties.getAuthn().getMfa().getYubikey();
            if (yubikey.getClientId().intValue() <= 0 || !StringUtils.isNotBlank(yubikey.getSecretKey())) {
                return;
            }
            authenticationEventExecutionPlan.registerAuthenticationHandler(authenticationHandler);
            authenticationEventExecutionPlan.registerAuthenticationMetadataPopulator(authenticationMetaDataPopulator2);
            authenticationEventExecutionPlan.registerAuthenticationMetadataPopulator(authenticationMetaDataPopulator);
            authenticationEventExecutionPlan.registerAuthenticationHandlerResolver(new ByCredentialTypeAuthenticationHandlerResolver(new Class[]{YubiKeyCredential.class}));
        };
    }
}
