package org.apereo.cas.support.wsfederation.config.support.authentication;

import java.util.Collection;
import java.util.HashSet;
import lombok.Generated;
import org.apereo.cas.CipherExecutor;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.authentication.PersonDirectoryPrincipalResolverProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.support.wsfed.WsFederationDelegatedCookieProperties;
import org.apereo.cas.configuration.model.support.wsfed.WsFederationDelegationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.wsfederation.WsFederationConfiguration;
import org.apereo.cas.support.wsfederation.attributes.GroovyWsFederationAttributeMutator;
import org.apereo.cas.support.wsfederation.attributes.WsFederationAttributeMutator;
import org.apereo.cas.support.wsfederation.authentication.handler.support.WsFederationAuthenticationHandler;
import org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredentialsToPrincipalResolver;
import org.apereo.cas.support.wsfederation.web.WsFederationCookieCipherExecutor;
import org.apereo.cas.support.wsfederation.web.WsFederationCookieGenerator;
import org.apereo.cas.web.support.DefaultCasCookieValueManager;
import org.apereo.services.persondir.IPersonAttributeDao;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;
import org.springframework.util.StringUtils;

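/**
 * Wires WS-Federation delegated authentication into the CAS authentication event execution plan.
 * <p>
 * For every {@code cas.authn.wsfed[]} entry this configuration builds a {@link WsFederationConfiguration},
 * registers a {@link WsFederationAuthenticationHandler} for it and, when attribute resolution is enabled,
 * pairs the handler with a {@link WsFederationCredentialsToPrincipalResolver} backed by the configured
 * attribute repository.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("wsfedAuthenticationEventExecutionPlanConfiguration")
public class WsFedAuthenticationEventExecutionPlanConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(WsFedAuthenticationEventExecutionPlanConfiguration.class);

    @Autowired
    @Qualifier("attributeRepository")
    private ObjectProvider<IPersonAttributeDao> attributeRepository;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    private ResourceLoader resourceLoader;

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Translates a single {@code cas.authn.wsfed[]} entry into an initialized runtime configuration.
     * Resource-valued properties are comma-delimited lists of locations resolved via the {@link ResourceLoader}.
     *
     * @param wsfed the delegation properties of one identity provider
     * @return the initialized {@link WsFederationConfiguration}
     * @throws IllegalArgumentException if {@code attributesType} is not a valid
     *                                  {@link WsFederationConfiguration.WsFedPrincipalResolutionAttributesType} name
     */
    private WsFederationConfiguration getWsFederationConfiguration(final WsFederationDelegationProperties wsfed) {
        final WsFederationConfiguration config = new WsFederationConfiguration();
        config.setAttributesType(WsFederationConfiguration.WsFedPrincipalResolutionAttributesType.valueOf(wsfed.getAttributesType()));
        config.setIdentityAttribute(wsfed.getIdentityAttribute());
        config.setIdentityProviderIdentifier(wsfed.getIdentityProviderIdentifier());
        config.setIdentityProviderUrl(wsfed.getIdentityProviderUrl());
        config.setTolerance(Beans.newDuration(wsfed.getTolerance()).toMillis());
        config.setRelyingPartyIdentifier(wsfed.getRelyingPartyIdentifier());

        // Every listed signing certificate is kept: the handler may need several to verify tokens
        // across a key rollover at the identity provider.
        StringUtils.commaDelimitedListToSet(wsfed.getSigningCertificateResources())
            .forEach(location -> config.getSigningCertificateResources().add(this.resourceLoader.getResource(location)));

        // The private key and the encryption certificate are single-valued on the configuration object;
        // if several locations are listed the one processed last silently wins, so configure exactly one.
        StringUtils.commaDelimitedListToSet(wsfed.getEncryptionPrivateKey())
            .forEach(location -> config.setEncryptionPrivateKey(this.resourceLoader.getResource(location)));
        StringUtils.commaDelimitedListToSet(wsfed.getEncryptionCertificate())
            .forEach(location -> config.setEncryptionCertificate(this.resourceLoader.getResource(location)));

        config.setEncryptionPrivateKeyPassword(wsfed.getEncryptionPrivateKeyPassword());
        config.setAttributeMutator(getAttributeMutatorForWsFederationConfig(wsfed));
        config.setAutoRedirect(wsfed.isAutoRedirect());
        config.setName(wsfed.getName());
        config.setCookieGenerator(getCookieGeneratorForWsFederationConfig(wsfed));
        config.initialize();
        return config;
    }

    /**
     * Picks the attribute mutator for an identity provider: a Groovy script when one is configured,
     * otherwise a no-op mutator.
     *
     * @param wsfed the delegation properties of one identity provider
     * @return the mutator to apply to attributes received from the identity provider
     */
    private static WsFederationAttributeMutator getAttributeMutatorForWsFederationConfig(final WsFederationDelegationProperties wsfed) {
        final Resource script = wsfed.getAttributeMutatorScript().getLocation();
        if (script == null) {
            return WsFederationAttributeMutator.noOp();
        }
        return new GroovyWsFederationAttributeMutator(script);
    }

    /**
     * Builds the cookie generator that carries delegated-authentication state across the round trip
     * to the identity provider, using the cipher chosen by {@link #getCipherExecutorForWsFederationConfig}.
     *
     * @param wsfed the delegation properties of one identity provider
     * @return the cookie generator for that provider
     */
    private static WsFederationCookieGenerator getCookieGeneratorForWsFederationConfig(final WsFederationDelegationProperties wsfed) {
        final WsFederationDelegatedCookieProperties cookie = wsfed.getCookie();
        final DefaultCasCookieValueManager valueManager = new DefaultCasCookieValueManager(getCipherExecutorForWsFederationConfig(cookie), cookie);
        return new WsFederationCookieGenerator(valueManager, cookie);
    }

    /**
     * Selects the cipher used to sign and encrypt the delegated-authentication cookie.
     * <p>
     * When {@code crypto.enabled} is false the cookie value is neither signed nor encrypted
     * ({@link CipherExecutor#noOp()}); this is logged at WARN level rather than INFO so the degraded
     * mode is visible in production logs.
     *
     * @param cookie the delegated cookie properties
     * @return the cipher executor for the cookie value
     */
    private static CipherExecutor getCipherExecutorForWsFederationConfig(final WsFederationDelegatedCookieProperties cookie) {
        final EncryptionJwtSigningJwtCryptographyProperties crypto = cookie.getCrypto();
        if (crypto.isEnabled()) {
            return new WsFederationCookieCipherExecutor(
                crypto.getEncryption().getKey(),
                crypto.getSigning().getKey(),
                crypto.getAlg(),
                crypto.getSigning().getKeySize(),
                crypto.getEncryption().getKeySize());
        }
        LOGGER.warn("WsFederation delegated authentication cookie encryption/signing is turned off and MAY NOT be safe in a production environment. Consider using other choices to handle encryption, signing and verification of delegated authentication cookie.");
        return CipherExecutor.noOp();
    }

    /**
     * Exposes one initialized {@link WsFederationConfiguration} per configured {@code cas.authn.wsfed[]} entry.
     * Entries are not filtered here; an entry without an identity provider URL is still included.
     *
     * @return the configurations for all identity providers
     */
    @ConditionalOnMissingBean(name = {"wsFederationConfigurations"})
    @RefreshScope
    @Bean
    public Collection<WsFederationConfiguration> wsFederationConfigurations() {
        final Collection<WsFederationConfiguration> configurations = new HashSet<>();
        this.casProperties.getAuthn().getWsfed()
            .forEach(wsfed -> configurations.add(getWsFederationConfiguration(wsfed)));
        return configurations;
    }

    /**
     * Principal factory used by the WS-Federation handler and principal resolver.
     *
     * @return a new default principal factory
     */
    @ConditionalOnMissingBean(name = {"wsfedPrincipalFactory"})
    @RefreshScope
    @Bean
    public PrincipalFactory wsfedPrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    /**
     * Registers one {@link WsFederationAuthenticationHandler} per identity provider that has both an
     * identity provider URL and an identity provider identifier. Entries with
     * {@code attributeResolverEnabled} are registered together with a
     * {@link WsFederationCredentialsToPrincipalResolver}; the others register the bare handler.
     * <p>
     * {@link #wsfedPrincipalFactory()} and {@link #wsFederationConfigurations()} are {@code @Bean}
     * methods called from within this {@code @Configuration} class, so with default bean-method
     * proxying they resolve to the container-managed singletons rather than new instances.
     *
     * @return the configurer that populates the authentication event execution plan
     */
    @ConditionalOnMissingBean(name = {"wsfedAuthenticationEventExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer wsfedAuthenticationEventExecutionPlanConfigurer() {
        final PersonDirectoryPrincipalResolverProperties personDirectory = this.casProperties.getPersonDirectory();
        return plan -> this.casProperties.getAuthn().getWsfed().stream()
            .filter(wsfed -> org.apache.commons.lang3.StringUtils.isNotBlank(wsfed.getIdentityProviderUrl())
                && org.apache.commons.lang3.StringUtils.isNotBlank(wsfed.getIdentityProviderIdentifier()))
            .forEach(wsfed -> {
                // servicesManager.getIfAvailable() may be null when no such bean exists; the handler
                // constructor is handed whatever the provider returns, as before.
                final WsFederationAuthenticationHandler handler = new WsFederationAuthenticationHandler(
                    wsfed.getName(),
                    this.servicesManager.getIfAvailable(),
                    wsfedPrincipalFactory(),
                    wsfed.getOrder());
                if (!wsfed.isAttributeResolverEnabled()) {
                    plan.registerAuthenticationHandler(handler);
                    return;
                }
                final WsFederationConfiguration configuration = findConfigurationFor(wsfed.getIdentityProviderUrl());
                plan.registerAuthenticationHandlerWithPrincipalResolver(handler,
                    newPrincipalResolver(wsfed, configuration, personDirectory));
            });
    }

    /**
     * Looks up the runtime configuration whose identity provider URL equals {@code identityProviderUrl}.
     *
     * @param identityProviderUrl the non-blank identity provider URL of the entry being registered
     * @return the matching configuration
     * @throws IllegalStateException if no configuration has that URL
     */
    private WsFederationConfiguration findConfigurationFor(final String identityProviderUrl) {
        // Compare from the caller's (non-blank) URL so that a configuration entry with no URL of its own
        // is simply skipped instead of raising a NullPointerException from the equals call.
        return wsFederationConfigurations().stream()
            .filter(configuration -> identityProviderUrl.equals(configuration.getIdentityProviderUrl()))
            .findFirst()
            .orElseThrow(() -> new IllegalStateException("Unable to find configuration for identity provider " + identityProviderUrl));
    }

    /**
     * Builds the principal resolver for one identity provider. Per-provider {@code principal} settings
     * take precedence over the global person-directory settings for the principal attribute; the
     * {@code returnNull} and {@code useExistingPrincipalId} flags are true if either level enables them.
     *
     * @param wsfed           the delegation properties of the identity provider
     * @param configuration   the runtime configuration matched to that provider
     * @param personDirectory the global person-directory resolver properties
     * @return the resolver to pair with the provider's authentication handler
     */
    private WsFederationCredentialsToPrincipalResolver newPrincipalResolver(final WsFederationDelegationProperties wsfed,
                                                                            final WsFederationConfiguration configuration,
                                                                            final PersonDirectoryPrincipalResolverProperties personDirectory) {
        final PersonDirectoryPrincipalResolverProperties principal = wsfed.getPrincipal();
        return new WsFederationCredentialsToPrincipalResolver(
            this.attributeRepository.getIfAvailable(),
            wsfedPrincipalFactory(),
            principal.isReturnNull() || personDirectory.isReturnNull(),
            org.apache.commons.lang3.StringUtils.defaultIfBlank(principal.getPrincipalAttribute(), personDirectory.getPrincipalAttribute()),
            configuration,
            personDirectory.isUseExistingPrincipalId() || principal.isUseExistingPrincipalId());
    }
}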
