package org.apereo.cas.config;

import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.OidcCasClientRedirectActionBuilder;
import org.apereo.cas.OidcClientRegistrationRequest;
import org.apereo.cas.OidcClientRegistrationRequestSerializer;
import org.apereo.cas.OidcConstants;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.principal.DefaultPrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.MultifactorAuthenticationProviderSelector;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuthCasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.validator.OAuth20Validator;
import org.apereo.cas.support.oauth.web.AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.ConsentApprovalViewResolver;
import org.apereo.cas.support.oauth.web.OAuth20CallbackAuthorizeViewResolver;
import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
import org.apereo.cas.ticket.code.OAuthCodeFactory;
import org.apereo.cas.ticket.refreshtoken.RefreshTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.OidcAuthorizationRequestSupport;
import org.apereo.cas.util.gen.DefaultRandomStringGenerator;
import org.apereo.cas.util.serialization.StringSerializer;
import org.apereo.cas.validation.AuthenticationRequestServiceSelectionStrategy;
import org.apereo.cas.web.OidcAccessTokenResponseGenerator;
import org.apereo.cas.web.OidcCallbackAuthorizeViewResolver;
import org.apereo.cas.web.OidcConsentApprovalViewResolver;
import org.apereo.cas.web.OidcHandlerInterceptorAdapter;
import org.apereo.cas.web.OidcSecurityInterceptor;
import org.apereo.cas.web.controllers.OidcAccessTokenEndpointController;
import org.apereo.cas.web.controllers.OidcAuthorizeEndpointController;
import org.apereo.cas.web.controllers.OidcDynamicClientRegistrationEndpointController;
import org.apereo.cas.web.controllers.OidcJwksEndpointController;
import org.apereo.cas.web.controllers.OidcProfileEndpointController;
import org.apereo.cas.web.controllers.OidcWellKnownEndpointController;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.OidcAuthenticationContextWebflowEventEventResolver;
import org.apereo.cas.web.flow.OidcRegisteredServiceUIAction;
import org.apereo.cas.web.flow.OidcWebflowConfigurer;
import org.apereo.cas.web.flow.authentication.FirstMultifactorAuthenticationProviderSelector;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.pac4j.cas.client.CasClient;
import org.pac4j.core.config.Config;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
import org.springframework.web.util.CookieGenerator;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.execution.Action;

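/**
 * Spring configuration that wires the OpenID Connect (OIDC) beans: endpoint controllers,
 * the pac4j-based security interceptors that guard them, view resolvers and webflow hooks.
 *
 * <p>Collaborators defined by other configuration classes are injected by qualifier into the
 * fields below. Under Spring's default handling of {@code @Configuration} classes, calls from
 * one {@code @Bean} method to another are expected to return the shared bean instance rather
 * than a fresh object.
 *
 * <p>Security-relevant settings read here: the OIDC issuer, JWKS file and skew, and the
 * dynamic client registration mode (see {@link #oauthInterceptor()}).
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("oidcConfiguration")
/* loaded from: input_file:org/apereo/cas/config/OidcConfiguration.class */
public class OidcConfiguration extends WebMvcConfigurerAdapter {

    @Autowired
    @Qualifier("webApplicationServiceFactory")
    private ServiceFactory webApplicationServiceFactory;

    @Autowired
    @Qualifier("requiresAuthenticationAccessTokenInterceptor")
    private HandlerInterceptorAdapter requiresAuthenticationAccessTokenInterceptor;

    // Optional dependency: when no bean with this qualifier exists, the field keeps the
    // FirstMultifactorAuthenticationProviderSelector created by the initializer.
    @Autowired(required = false)
    @Qualifier("multifactorAuthenticationProviderSelector")
    private MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector = new FirstMultifactorAuthenticationProviderSelector();

    @Autowired
    @Qualifier("warnCookieGenerator")
    private CookieGenerator warnCookieGenerator;

    @Autowired
    @Qualifier("loginFlowRegistry")
    private FlowDefinitionRegistry loginFlowDefinitionRegistry;

    @Autowired
    @Qualifier("logoutFlowRegistry")
    private FlowDefinitionRegistry logoutFlowDefinitionRegistry;

    @Autowired
    private FlowBuilderServices flowBuilderServices;

    @Autowired
    @Qualifier("initialAuthenticationAttemptWebflowEventResolver")
    private CasDelegatingWebflowEventResolver initialAuthenticationAttemptWebflowEventResolver;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private CentralAuthenticationService centralAuthenticationService;

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private AuthenticationSystemSupport authenticationSystemSupport;

    @Autowired
    @Qualifier("oauth20AuthenticationRequestServiceSelectionStrategy")
    private AuthenticationRequestServiceSelectionStrategy oauth20AuthenticationRequestServiceSelectionStrategy;

    @Autowired
    private CasConfigurationProperties casProperties;

    // pac4j security configuration shared with the OAuth module; the client names used by the
    // interceptors below must exist in it (it is defined outside this class).
    @Autowired
    @Qualifier("oauthSecConfig")
    private Config oauthSecConfig;

    @Autowired
    @Qualifier("ticketGrantingTicketCookieGenerator")
    private CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;

    @Autowired
    @Qualifier("defaultTicketRegistrySupport")
    private TicketRegistrySupport ticketRegistrySupport;

    @Autowired
    @Qualifier("defaultAccessTokenFactory")
    private AccessTokenFactory defaultAccessTokenFactory;

    @Autowired
    @Qualifier("defaultRefreshTokenFactory")
    private RefreshTokenFactory defaultRefreshTokenFactory;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @Autowired
    @Qualifier("ticketRegistry")
    private TicketRegistry ticketRegistry;

    @Autowired
    @Qualifier("oAuthValidator")
    private OAuth20Validator oAuth20Validator;

    @Autowired
    @Qualifier("defaultOAuthCodeFactory")
    private OAuthCodeFactory defaultOAuthCodeFactory;

    @Autowired
    @Qualifier("authenticationRequestServiceSelectionStrategies")
    private List<AuthenticationRequestServiceSelectionStrategy> authenticationRequestServiceSelectionStrategies;

    /**
     * Registers the composite OIDC interceptor for requests under the OIDC base URL.
     * This is the Spring MVC callback inherited from {@code WebMvcConfigurerAdapter}.
     *
     * @param interceptorRegistry registry the interceptor is added to
     */
    public void addInterceptors(InterceptorRegistry interceptorRegistry) {
        // With Spring's Ant-style matching a single '*' stays within one path segment, so
        // paths nested more deeply under the base URL are not matched by this pattern.
        // NOTE(review): confirm every OIDC endpoint that needs authentication sits directly
        // under the base URL, or widen the pattern deliberately.
        String oidcPathPattern = "/" + OidcConstants.BASE_OIDC_URL + "/*";
        interceptorRegistry.addInterceptor(oauthInterceptor()).addPathPatterns(oidcPathPattern);
    }

    /**
     * Creates the consent-approval view resolver used by the authorize endpoint.
     *
     * @return an OIDC-aware resolver backed by {@link #oidcAuthorizationRequestSupport()}
     */
    @Bean
    public ConsentApprovalViewResolver consentApprovalViewResolver() {
        OidcConsentApprovalViewResolver resolver = new OidcConsentApprovalViewResolver();
        resolver.setOidcAuthzRequestSupport(oidcAuthorizationRequestSupport());
        return resolver;
    }

    /**
     * Creates the view resolver for the authorize callback.
     *
     * @return an OIDC-aware resolver backed by {@link #oidcAuthorizationRequestSupport()}
     */
    @Bean
    public OAuth20CallbackAuthorizeViewResolver callbackAuthorizeViewResolver() {
        return new OidcCallbackAuthorizeViewResolver(oidcAuthorizationRequestSupport());
    }

    /**
     * Creates the redirect-action builder with the OIDC authorization request support set.
     *
     * @return the configured builder
     */
    @Bean
    public OAuthCasClientRedirectActionBuilder oauthCasClientRedirectActionBuilder() {
        OidcCasClientRedirectActionBuilder builder = new OidcCasClientRedirectActionBuilder();
        builder.setOidcAuthorizationRequestSupport(oidcAuthorizationRequestSupport());
        return builder;
    }

    /**
     * Creates the interceptor that authenticates callers of the dynamic client registration
     * endpoint.
     *
     * @return a pac4j security interceptor restricted to the listed client names
     */
    @Bean
    public HandlerInterceptorAdapter requiresAuthenticationDynamicRegistrationInterceptor() {
        // pac4j takes the accepted clients as one comma-separated string. These names have to
        // match clients registered in oauthSecConfig, which is not visible from this class.
        String acceptedClients = String.join(",", "clientBasicAuth", "clientForm", "userForm");
        return new SecurityInterceptor(this.oauthSecConfig, acceptedClients);
    }

    /**
     * Creates the interceptor that authenticates requests to the authorize endpoint through
     * the CAS client registered in {@code oauthSecConfig}.
     *
     * @return the OIDC security interceptor bound to the CAS client's name
     */
    @Bean
    public HandlerInterceptorAdapter requiresAuthenticationAuthorizeInterceptor() {
        // Relies on a CasClient being registered in oauthSecConfig; the lookup result is
        // dereferenced without a null check.
        String casClientName = this.oauthSecConfig.getClients().findClient(CasClient.class).getName();
        return new OidcSecurityInterceptor(this.oauthSecConfig, casClientName, oidcAuthorizationRequestSupport());
    }

    /**
     * Creates a second redirect-action builder bean.
     *
     * <p>NOTE(review): unlike {@link #oauthCasClientRedirectActionBuilder()}, this instance is
     * returned without an {@code OidcAuthorizationRequestSupport}. Both beans share the
     * declared type; confirm which one consumers receive and whether the unset support is
     * intended.
     *
     * @return a builder with default settings
     */
    @Bean
    public OAuthCasClientRedirectActionBuilder oidcCasClientRedirectActionBuilder() {
        return new OidcCasClientRedirectActionBuilder();
    }

    /**
     * Creates the access token response generator from the OIDC settings.
     *
     * <p>Refresh-scoped, so changed issuer, JWKS file or skew settings take effect when the
     * scope is refreshed.
     *
     * @return the generator configured with issuer, JWKS file and skew
     */
    @RefreshScope
    @Bean
    public AccessTokenResponseGenerator oidcAccessTokenResponseGenerator() {
        OidcAccessTokenResponseGenerator generator = new OidcAccessTokenResponseGenerator();
        generator.setIssuer(this.casProperties.getAuthn().getOidc().getIssuer());
        // NOTE(review): the JWKS file presumably holds the keys used for tokens; confirm its
        // location and file permissions are restricted to the CAS process.
        generator.setJwksFile(this.casProperties.getAuthn().getOidc().getJwksFile());
        generator.setSkew(this.casProperties.getAuthn().getOidc().getSkew());
        return generator;
    }

    /**
     * Creates the helper that inspects OIDC authorization requests, giving it access to the
     * ticket-granting-ticket cookie and the ticket registry.
     *
     * @return the configured support object
     */
    @Bean
    public OidcAuthorizationRequestSupport oidcAuthorizationRequestSupport() {
        OidcAuthorizationRequestSupport support = new OidcAuthorizationRequestSupport();
        support.setTicketGrantingTicketCookieGenerator(this.ticketGrantingTicketCookieGenerator);
        support.setTicketRegistrySupport(this.ticketRegistrySupport);
        return support;
    }

    /**
     * Creates the principal factory handed to the OIDC endpoint controllers.
     *
     * @return a default principal factory
     */
    @Bean
    public PrincipalFactory oidcPrincipalFactory() {
        return new DefaultPrincipalFactory();
    }

    /**
     * Creates the access token endpoint controller.
     *
     * @return the controller wired with token factories and the response generator
     */
    @RefreshScope
    @Bean
    public OidcAccessTokenEndpointController oidcAccessTokenController() {
        return new OidcAccessTokenEndpointController(
                this.servicesManager,
                this.ticketRegistry,
                this.oAuth20Validator,
                this.defaultAccessTokenFactory,
                oidcPrincipalFactory(),
                this.webApplicationServiceFactory,
                this.defaultRefreshTokenFactory,
                oidcAccessTokenResponseGenerator());
    }

    /**
     * Creates the serializer for dynamic client registration requests.
     *
     * @return the registration request serializer
     */
    @Bean
    public StringSerializer<OidcClientRegistrationRequest> clientRegistrationRequestSerializer() {
        return new OidcClientRegistrationRequestSerializer();
    }

    /**
     * Creates the dynamic client registration endpoint controller.
     *
     * @return the controller wired with the request serializer and two string generators
     */
    @RefreshScope
    @Bean
    public OidcDynamicClientRegistrationEndpointController oidcDynamicClientRegistrationEndpointController() {
        // NOTE(review): the two generators presumably mint the client id and client secret of
        // newly registered clients; verify DefaultRandomStringGenerator draws from a
        // cryptographically secure source and produces enough entropy for a secret.
        return new OidcDynamicClientRegistrationEndpointController(
                this.servicesManager,
                this.ticketRegistry,
                this.oAuth20Validator,
                this.defaultAccessTokenFactory,
                oidcPrincipalFactory(),
                this.webApplicationServiceFactory,
                clientRegistrationRequestSerializer(),
                new DefaultRandomStringGenerator(),
                new DefaultRandomStringGenerator());
    }

    /**
     * Creates the JWKS endpoint controller.
     *
     * @return the controller wired with the configured JWKS file
     */
    @RefreshScope
    @Bean
    public OidcJwksEndpointController oidcJwksController() {
        // NOTE(review): this is the same JWKS file given to the access token response
        // generator; confirm the controller publishes public key material only.
        return new OidcJwksEndpointController(
                this.servicesManager,
                this.ticketRegistry,
                this.oAuth20Validator,
                this.defaultAccessTokenFactory,
                oidcPrincipalFactory(),
                this.webApplicationServiceFactory,
                this.casProperties.getAuthn().getOidc().getJwksFile());
    }

    /**
     * Creates the well-known (discovery) endpoint controller.
     *
     * @return the controller
     */
    @RefreshScope
    @Bean
    public OidcWellKnownEndpointController oidcWellKnownController() {
        return new OidcWellKnownEndpointController(
                this.servicesManager,
                this.ticketRegistry,
                this.oAuth20Validator,
                this.defaultAccessTokenFactory,
                oidcPrincipalFactory(),
                this.webApplicationServiceFactory);
    }

    /**
     * Creates the profile endpoint controller.
     *
     * @return the controller
     */
    @RefreshScope
    @Bean
    public OidcProfileEndpointController oidcProfileController() {
        return new OidcProfileEndpointController(
                this.servicesManager,
                this.ticketRegistry,
                this.oAuth20Validator,
                this.defaultAccessTokenFactory,
                oidcPrincipalFactory(),
                this.webApplicationServiceFactory);
    }

    /**
     * Creates the authorize endpoint controller.
     *
     * @return the controller wired with the code factory and consent view resolver
     */
    @RefreshScope
    @Bean
    public OidcAuthorizeEndpointController oidcAuthorizeController() {
        return new OidcAuthorizeEndpointController(
                this.servicesManager,
                this.ticketRegistry,
                this.oAuth20Validator,
                this.defaultAccessTokenFactory,
                oidcPrincipalFactory(),
                this.webApplicationServiceFactory,
                this.defaultOAuthCodeFactory,
                consentApprovalViewResolver());
    }

    /**
     * Creates the webflow event resolver that is later added as a delegate of the initial
     * authentication attempt resolver (see {@link #initOidcConfig()}).
     *
     * @return the OIDC authentication-context event resolver
     */
    @RefreshScope
    @Bean
    public CasWebflowEventResolver oidcAuthenticationContextWebflowEventResolver() {
        return new OidcAuthenticationContextWebflowEventEventResolver(
                this.authenticationSystemSupport,
                this.centralAuthenticationService,
                this.servicesManager,
                this.ticketRegistrySupport,
                this.warnCookieGenerator,
                this.authenticationRequestServiceSelectionStrategies,
                this.multifactorAuthenticationProviderSelector);
    }

    /**
     * Creates the webflow configurer that is given the login flow registry, the logout flow
     * registry and the registered-service UI action.
     *
     * @return the configurer
     */
    @Bean
    public CasWebflowConfigurer oidcWebflowConfigurer() {
        OidcWebflowConfigurer configurer = new OidcWebflowConfigurer(
                this.flowBuilderServices,
                this.loginFlowDefinitionRegistry,
                oidcRegisteredServiceUIAction());
        configurer.setLogoutFlowDefinitionRegistry(this.logoutFlowDefinitionRegistry);
        return configurer;
    }

    /**
     * Creates the registered-service UI action unless a bean named
     * {@code oidcRegisteredServiceUIAction} is already defined.
     *
     * @return the webflow action
     */
    @ConditionalOnMissingBean(name = {"oidcRegisteredServiceUIAction"})
    @Bean
    public Action oidcRegisteredServiceUIAction() {
        return new OidcRegisteredServiceUIAction(this.servicesManager, this.oauth20AuthenticationRequestServiceSelectionStrategy);
    }

    /**
     * Creates the composite interceptor registered in
     * {@link #addInterceptors(InterceptorRegistry)}. It combines the access-token, authorize
     * and dynamic-registration interceptors with the configured registration mode.
     *
     * @return the composite OIDC interceptor
     * @throws IllegalArgumentException if the configured mode is not the exact name of a
     *     {@code DynamicClientRegistrationMode} constant
     */
    @Bean
    public HandlerInterceptorAdapter oauthInterceptor() {
        // A blank setting falls back to PROTECTED. Enum.valueOf is case-sensitive and throws
        // on an unknown name, so a mistyped mode aborts bean creation instead of silently
        // selecting a less restrictive mode.
        String modeName = StringUtils.defaultIfBlank(
                this.casProperties.getAuthn().getOidc().getDynamicClientRegistrationMode(),
                OidcConstants.DynamicClientRegistrationMode.PROTECTED.name());
        return new OidcHandlerInterceptorAdapter(
                this.requiresAuthenticationAccessTokenInterceptor,
                requiresAuthenticationAuthorizeInterceptor(),
                requiresAuthenticationDynamicRegistrationInterceptor(),
                OidcConstants.DynamicClientRegistrationMode.valueOf(modeName));
    }

    /**
     * Adds the OIDC event resolver as a delegate of the initial authentication attempt
     * resolver once dependency injection has completed.
     */
    @PostConstruct
    public void initOidcConfig() {
        this.initialAuthenticationAttemptWebflowEventResolver.addDelegate(oidcAuthenticationContextWebflowEventResolver());
    }
}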
