package org.apereo.cas.config;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Supplier;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.audit.AuditTrailRecordResolutionPlanConfigurer;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionOptionalSigningOptionalJwtCryptographyProperties;
import org.apereo.cas.integration.pac4j.DistributedJ2ESessionStore;
import org.apereo.cas.services.RegisteredServiceCipherExecutor;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20ClientIdAwareProfileManager;
import org.apereo.cas.support.oauth.authenticator.OAuth20AccessTokenAuthenticator;
import org.apereo.cas.support.oauth.authenticator.OAuth20CasAuthenticationBuilder;
import org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator;
import org.apereo.cas.support.oauth.authenticator.OAuth20ProofKeyCodeExchangeAuthenticator;
import org.apereo.cas.support.oauth.authenticator.OAuth20UsernamePasswordAuthenticator;
import org.apereo.cas.support.oauth.authenticator.OAuthAuthenticationClientProvider;
import org.apereo.cas.support.oauth.profile.CasServerApiBasedTicketValidator;
import org.apereo.cas.support.oauth.profile.DefaultOAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.profile.DefaultOAuth20UserProfileDataCreator;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.profile.OAuth20UserProfileDataCreator;
import org.apereo.cas.support.oauth.services.OAuth20RegisteredServiceCipherExecutor;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationCodeResponseTypeAuthorizationRequestValidator;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationRequestValidator;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20IdTokenAndTokenResponseTypeAuthorizationRequestValidator;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20IdTokenResponseTypeAuthorizationRequestValidator;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20ProofKeyCodeExchangeResponseTypeAuthorizationRequestValidator;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20TokenResponseTypeAuthorizationRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20AuthorizationCodeGrantTypeProofKeyCodeExchangeTokenRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20AuthorizationCodeGrantTypeTokenRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20ClientCredentialsGrantTypeTokenRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20DeviceCodeResponseTypeRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20PasswordGrantTypeTokenRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20RefreshTokenGrantTypeTokenRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20TokenRequestValidator;
import org.apereo.cas.support.oauth.web.OAuth20CasCallbackUrlResolver;
import org.apereo.cas.support.oauth.web.audit.AccessTokenResponseAuditResourceResolver;
import org.apereo.cas.support.oauth.web.audit.OAuth20AccessTokenGrantRequestAuditResourceResolver;
import org.apereo.cas.support.oauth.web.audit.OAuth20UserProfileDataAuditResourceResolver;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20AccessTokenEndpointController;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20AuthorizeEndpointController;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20CallbackAuthorizeEndpointController;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20DeviceUserCodeApprovalEndpointController;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20IntrospectionEndpointController;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20UserProfileEndpointController;
import org.apereo.cas.support.oauth.web.mgmt.OAuth20TokenManagementEndpoint;
import org.apereo.cas.support.oauth.web.response.OAuth20CasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.web.response.OAuth20DefaultCasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20DefaultTokenGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenAuthorizationCodeGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenClientCredentialsGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenDeviceCodeResponseRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenGrantAuditableRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenPasswordGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenProofKeyCodeExchangeAuthorizationCodeGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenRefreshTokenGrantRequestExtractor;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20DefaultAccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenCipherExecutor;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20RegisteredServiceJwtAccessTokenCipherExecutor;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationCodeAuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20ClientCredentialsResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20ResourceOwnerCredentialsResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20TokenAuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.views.ConsentApprovalViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20CallbackAuthorizeViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20ConsentApprovalViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20DefaultUserProfileViewRenderer;
import org.apereo.cas.support.oauth.web.views.OAuth20UserProfileViewRenderer;
import org.apereo.cas.ticket.ExpirationPolicyBuilder;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.UniqueTicketIdGenerator;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessTokenExpirationPolicyBuilder;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessTokenFactory;
import org.apereo.cas.ticket.accesstoken.OAuth20DefaultAccessTokenFactory;
import org.apereo.cas.ticket.accesstoken.OAuth20JwtBuilder;
import org.apereo.cas.ticket.code.OAuth20CodeExpirationPolicyBuilder;
import org.apereo.cas.ticket.code.OAuth20CodeFactory;
import org.apereo.cas.ticket.code.OAuth20DefaultOAuthCodeFactory;
import org.apereo.cas.ticket.device.OAuth20DefaultDeviceTokenFactory;
import org.apereo.cas.ticket.device.OAuth20DeviceTokenExpirationPolicyBuilder;
import org.apereo.cas.ticket.device.OAuth20DeviceTokenFactory;
import org.apereo.cas.ticket.refreshtoken.OAuth20DefaultRefreshTokenFactory;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshTokenExpirationPolicyBuilder;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshTokenFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DefaultUniqueTicketIdGenerator;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.web.cookie.CasCookieBuilder;
import org.apereo.inspektr.audit.spi.support.DefaultAuditActionResolver;
import org.pac4j.cas.client.CasClient;
import org.pac4j.cas.config.CasConfiguration;
import org.pac4j.core.client.Client;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.session.JEESessionStore;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.credentials.extractor.BearerAuthExtractor;
import org.pac4j.core.http.url.UrlResolver;
import org.pac4j.http.client.direct.DirectBasicAuthClient;
import org.pac4j.http.client.direct.DirectFormClient;
import org.pac4j.http.client.direct.HeaderClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnAvailableEndpoint;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.core.io.ResourceLoader;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("casOAuth20Configuration")
/* loaded from: input_file:org/apereo/cas/config/CasOAuth20Configuration.class */
public class CasOAuth20Configuration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CasOAuth20Configuration.class);

    @Autowired
    private ResourceLoader resourceLoader;

    @Autowired
    @Qualifier("registeredServiceAccessStrategyEnforcer")
    private ObjectProvider<AuditableExecution> registeredServiceAccessStrategyEnforcer;

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    @Autowired
    @Qualifier("centralAuthenticationService")
    private ObjectProvider<CentralAuthenticationService> centralAuthenticationService;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("webApplicationServiceFactory")
    private ObjectProvider<ServiceFactory> webApplicationServiceFactory;

    @Autowired
    @Qualifier("defaultTicketFactory")
    private ObjectProvider<TicketFactory> ticketFactory;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private ObjectProvider<AuthenticationSystemSupport> authenticationSystemSupport;

    @Autowired
    @Qualifier("ticketRegistry")
    private ObjectProvider<TicketRegistry> ticketRegistry;

    @Autowired
    @Qualifier("ticketGrantingTicketCookieGenerator")
    private ObjectProvider<CasCookieBuilder> ticketGrantingTicketCookieGenerator;

    @ConditionalOnMissingBean(name = {"accessTokenResponseGenerator"})
    @Bean
    public OAuth20AccessTokenResponseGenerator accessTokenResponseGenerator() {
        return new OAuth20DefaultAccessTokenResponseGenerator(accessTokenJwtBuilder());
    }

    @ConditionalOnMissingBean(name = {"accessTokenJwtBuilder"})
    @Bean
    public JwtBuilder accessTokenJwtBuilder() {
        return new OAuth20JwtBuilder(this.casProperties.getServer().getPrefix(), oauthAccessTokenJwtCipherExecutor(), (ServicesManager) this.servicesManager.getObject(), oauthRegisteredServiceJwtAccessTokenCipherExecutor());
    }

    @ConditionalOnMissingBean(name = {"oauthRegisteredServiceJwtAccessTokenCipherExecutor"})
    @Bean
    public RegisteredServiceCipherExecutor oauthRegisteredServiceJwtAccessTokenCipherExecutor() {
        return new OAuth20RegisteredServiceJwtAccessTokenCipherExecutor();
    }

    @ConditionalOnMissingBean(name = {"oauthCasClientRedirectActionBuilder"})
    @Bean
    public OAuth20CasClientRedirectActionBuilder oauthCasClientRedirectActionBuilder() {
        return new OAuth20DefaultCasClientRedirectActionBuilder();
    }

    @Bean
    public UrlResolver casCallbackUrlResolver() {
        return new OAuth20CasCallbackUrlResolver(OAuth20Utils.casOAuthCallbackUrl(this.casProperties.getServer().getPrefix()));
    }

    @Bean
    public Config oauthSecConfig() {
        Config config = new Config(OAuth20Utils.casOAuthCallbackUrl(this.casProperties.getServer().getPrefix()), oauthSecConfigClients());
        config.setSessionStore(oauthDistributedSessionStore());
        Config.setProfileManagerFactory("CASOAuthSecurityProfileManager", webContext -> {
            return new OAuth20ClientIdAwareProfileManager(webContext, config.getSessionStore(), (ServicesManager) this.servicesManager.getObject());
        });
        return config;
    }

    @ConditionalOnMissingBean(name = {"oauthSecConfigClients"})
    @Bean
    public List<Client> oauthSecConfigClients() {
        CasConfiguration casConfiguration = new CasConfiguration(this.casProperties.getServer().getLoginUrl());
        casConfiguration.setDefaultTicketValidator(new CasServerApiBasedTicketValidator((CentralAuthenticationService) this.centralAuthenticationService.getObject()));
        CasClient casClient = new CasClient(casConfiguration);
        casClient.setRedirectionActionBuilder(webContext -> {
            return oauthCasClientRedirectActionBuilder().build(casClient, webContext);
        });
        casClient.setName("CasOAuthClient");
        casClient.setUrlResolver(casCallbackUrlResolver());
        casClient.setCallbackUrl(OAuth20Utils.casOAuthCallbackUrl(this.casProperties.getServer().getPrefix()));
        casClient.init();
        Authenticator<UsernamePasswordCredentials> oAuthClientAuthenticator = oAuthClientAuthenticator();
        DirectBasicAuthClient directBasicAuthClient = new DirectBasicAuthClient(oAuthClientAuthenticator);
        directBasicAuthClient.setName("clientBasicAuth");
        directBasicAuthClient.init();
        DirectFormClient directFormClient = new DirectFormClient(oAuthClientAuthenticator);
        directFormClient.setName("clientForm");
        directFormClient.setUsernameParameter("client_id");
        directFormClient.setPasswordParameter("client_secret");
        directFormClient.init();
        DirectFormClient directFormClient2 = new DirectFormClient(oAuthProofKeyCodeExchangeAuthenticator());
        directFormClient2.setName("pkceAuthn");
        directFormClient2.setUsernameParameter("client_id");
        directFormClient2.setPasswordParameter("code_verifier");
        directFormClient2.init();
        DirectFormClient directFormClient3 = new DirectFormClient(oAuthUserAuthenticator());
        directFormClient3.setName("userForm");
        directFormClient3.init();
        HeaderClient headerClient = new HeaderClient();
        headerClient.setCredentialsExtractor(new BearerAuthExtractor());
        headerClient.setAuthenticator(oAuthAccessTokenAuthenticator());
        headerClient.setName("clientAccessTokenAuth");
        headerClient.init();
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList(this.applicationContext.getBeansOfType(OAuthAuthenticationClientProvider.class, false, true).values());
        AnnotationAwareOrderComparator.sort(arrayList2);
        arrayList2.forEach(oAuthAuthenticationClientProvider -> {
            arrayList.add(oAuthAuthenticationClientProvider.createClient());
        });
        arrayList.add(casClient);
        arrayList.add(directBasicAuthClient);
        arrayList.add(directFormClient2);
        arrayList.add(directFormClient);
        arrayList.add(directFormClient3);
        arrayList.add(headerClient);
        return arrayList;
    }

    @ConditionalOnMissingBean(name = {"consentApprovalViewResolver"})
    @Bean
    public ConsentApprovalViewResolver consentApprovalViewResolver() {
        return new OAuth20ConsentApprovalViewResolver(this.casProperties);
    }

    @ConditionalOnMissingBean(name = {"callbackAuthorizeViewResolver"})
    @Bean
    public OAuth20CallbackAuthorizeViewResolver callbackAuthorizeViewResolver() {
        return new OAuth20CallbackAuthorizeViewResolver() { // from class: org.apereo.cas.config.CasOAuth20Configuration.1
        };
    }

    @ConditionalOnMissingBean(name = {"oAuthClientAuthenticator"})
    @Bean
    public Authenticator<UsernamePasswordCredentials> oAuthClientAuthenticator() {
        return new OAuth20ClientIdClientSecretAuthenticator((ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getObject(), oauthRegisteredServiceCipherExecutor(), (TicketRegistry) this.ticketRegistry.getIfAvailable());
    }

    @ConditionalOnMissingBean(name = {"oAuthProofKeyCodeExchangeAuthenticator"})
    @Bean
    public Authenticator<UsernamePasswordCredentials> oAuthProofKeyCodeExchangeAuthenticator() {
        return new OAuth20ProofKeyCodeExchangeAuthenticator((ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getObject(), (TicketRegistry) this.ticketRegistry.getObject(), oauthRegisteredServiceCipherExecutor());
    }

    @ConditionalOnMissingBean(name = {"oAuthUserAuthenticator"})
    @Bean
    public Authenticator<UsernamePasswordCredentials> oAuthUserAuthenticator() {
        return new OAuth20UsernamePasswordAuthenticator((AuthenticationSystemSupport) this.authenticationSystemSupport.getObject(), (ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), oauthRegisteredServiceCipherExecutor());
    }

    @ConditionalOnMissingBean(name = {"oAuthAccessTokenAuthenticator"})
    @Bean
    public Authenticator<TokenCredentials> oAuthAccessTokenAuthenticator() {
        return new OAuth20AccessTokenAuthenticator((TicketRegistry) this.ticketRegistry.getObject(), accessTokenJwtBuilder());
    }

    @ConditionalOnMissingBean(name = {"defaultAccessTokenFactory"})
    @RefreshScope
    @Bean
    public OAuth20AccessTokenFactory defaultAccessTokenFactory() {
        return new OAuth20DefaultAccessTokenFactory(accessTokenIdGenerator(), accessTokenExpirationPolicy(), accessTokenJwtBuilder(), (ServicesManager) this.servicesManager.getObject());
    }

    @ConditionalOnMissingBean(name = {"defaultDeviceTokenFactory"})
    @RefreshScope
    @Bean
    public OAuth20DeviceTokenFactory defaultDeviceTokenFactory() {
        return new OAuth20DefaultDeviceTokenFactory(deviceTokenIdGenerator(), deviceTokenExpirationPolicy(), this.casProperties.getAuthn().getOauth().getDeviceUserCode().getUserCodeLength(), (ServicesManager) this.servicesManager.getObject());
    }

    @ConditionalOnMissingBean(name = {"accessTokenExpirationPolicy"})
    @RefreshScope
    @Bean
    public ExpirationPolicyBuilder accessTokenExpirationPolicy() {
        return new OAuth20AccessTokenExpirationPolicyBuilder(this.casProperties);
    }

    @ConditionalOnMissingBean(name = {"deviceTokenExpirationPolicy"})
    @RefreshScope
    @Bean
    public ExpirationPolicyBuilder deviceTokenExpirationPolicy() {
        return new OAuth20DeviceTokenExpirationPolicyBuilder(this.casProperties);
    }

    @RefreshScope
    @Bean
    public ExpirationPolicyBuilder oAuthCodeExpirationPolicy() {
        return new OAuth20CodeExpirationPolicyBuilder(this.casProperties);
    }

    @ConditionalOnMissingBean(name = {"oAuthCodeIdGenerator"})
    @RefreshScope
    @Bean
    public UniqueTicketIdGenerator oAuthCodeIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    @ConditionalOnMissingBean(name = {"refreshTokenIdGenerator"})
    @RefreshScope
    @Bean
    public UniqueTicketIdGenerator refreshTokenIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    @ConditionalOnMissingBean(name = {"defaultOAuthCodeFactory"})
    @RefreshScope
    @Bean
    public OAuth20CodeFactory defaultOAuthCodeFactory() {
        return new OAuth20DefaultOAuthCodeFactory(oAuthCodeIdGenerator(), oAuthCodeExpirationPolicy(), (ServicesManager) this.servicesManager.getObject());
    }

    @ConditionalOnMissingBean(name = {"profileScopeToAttributesFilter"})
    @Bean
    public OAuth20ProfileScopeToAttributesFilter profileScopeToAttributesFilter() {
        return new DefaultOAuth20ProfileScopeToAttributesFilter();
    }

    @ConditionalOnMissingBean(name = {"callbackAuthorizeController"})
    @RefreshScope
    @Bean
    public OAuth20CallbackAuthorizeEndpointController callbackAuthorizeController() {
        return new OAuth20CallbackAuthorizeEndpointController(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthTokenGenerator"})
    @RefreshScope
    @Bean
    public OAuth20TokenGenerator oauthTokenGenerator() {
        return new OAuth20DefaultTokenGenerator(defaultAccessTokenFactory(), defaultDeviceTokenFactory(), defaultRefreshTokenFactory(), (TicketRegistry) this.ticketRegistry.getObject(), this.casProperties);
    }

    @Bean
    public Collection<AccessTokenGrantRequestExtractor> accessTokenGrantRequestExtractors() {
        OAuth20ConfigurationContext build = buildConfigurationContext().build();
        return CollectionUtils.wrapList(new AccessTokenGrantRequestExtractor[]{new AccessTokenProofKeyCodeExchangeAuthorizationCodeGrantRequestExtractor(build), new AccessTokenAuthorizationCodeGrantRequestExtractor(build), new AccessTokenRefreshTokenGrantRequestExtractor(build), new AccessTokenDeviceCodeResponseRequestExtractor(build), new AccessTokenPasswordGrantRequestExtractor(build), new AccessTokenClientCredentialsGrantRequestExtractor(build)});
    }

    @ConditionalOnMissingBean(name = {"accessTokenGrantAuditableRequestExtractor"})
    @Bean
    public AuditableExecution accessTokenGrantAuditableRequestExtractor() {
        return new AccessTokenGrantAuditableRequestExtractor(accessTokenGrantRequestExtractors());
    }

    @ConditionalOnMissingBean(name = {"introspectionEndpointController"})
    @Bean
    public OAuth20IntrospectionEndpointController introspectionEndpointController() {
        return new OAuth20IntrospectionEndpointController(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"accessTokenController"})
    @Bean
    public OAuth20AccessTokenEndpointController accessTokenController() {
        return new OAuth20AccessTokenEndpointController(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"deviceUserCodeApprovalEndpointController"})
    @Bean
    public OAuth20DeviceUserCodeApprovalEndpointController deviceUserCodeApprovalEndpointController() {
        return new OAuth20DeviceUserCodeApprovalEndpointController(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthUserProfileViewRenderer"})
    @RefreshScope
    @Bean
    public OAuth20UserProfileViewRenderer oauthUserProfileViewRenderer() {
        return new OAuth20DefaultUserProfileViewRenderer(this.casProperties.getAuthn().getOauth());
    }

    @ConditionalOnMissingBean(name = {"oAuth2UserProfileDataCreator"})
    @Bean
    public OAuth20UserProfileDataCreator oAuth2UserProfileDataCreator() {
        return new DefaultOAuth20UserProfileDataCreator((ServicesManager) this.servicesManager.getObject(), profileScopeToAttributesFilter());
    }

    @ConditionalOnMissingBean(name = {"profileController"})
    @Bean
    public OAuth20UserProfileEndpointController profileController() {
        return new OAuth20UserProfileEndpointController(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthAuthorizationResponseBuilders"})
    @RefreshScope
    @Bean
    public Set<OAuth20AuthorizationResponseBuilder> oauthAuthorizationResponseBuilders() {
        return new HashSet(this.applicationContext.getBeansOfType(OAuth20AuthorizationResponseBuilder.class, false, true).values());
    }

    @ConditionalOnMissingBean(name = {"oauthAuthorizationRequestValidators"})
    @RefreshScope
    @Bean
    public Set<OAuth20AuthorizationRequestValidator> oauthAuthorizationRequestValidators() {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        linkedHashSet.add(oauthProofKeyCodeExchangeResponseTypeAuthorizationRequestValidator());
        linkedHashSet.add(oauthAuthorizationCodeResponseTypeRequestValidator());
        linkedHashSet.add(oauthIdTokenResponseTypeRequestValidator());
        linkedHashSet.add(oauthTokenResponseTypeRequestValidator());
        linkedHashSet.add(oauthIdTokenAndTokenResponseTypeRequestValidator());
        return linkedHashSet;
    }

    @ConditionalOnMissingBean(name = {"oauth20AuthorizationCodeGrantTypeProofKeyCodeExchangeTokenRequestValidator"})
    @Bean
    public OAuth20TokenRequestValidator oauth20AuthorizationCodeGrantTypeProofKeyCodeExchangeTokenRequestValidator() {
        return new OAuth20AuthorizationCodeGrantTypeProofKeyCodeExchangeTokenRequestValidator(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthAuthorizationCodeGrantTypeTokenRequestValidator"})
    @Bean
    public OAuth20TokenRequestValidator oauthAuthorizationCodeGrantTypeTokenRequestValidator() {
        return new OAuth20AuthorizationCodeGrantTypeTokenRequestValidator(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthDeviceCodeResponseTypeRequestValidator"})
    @Bean
    public OAuth20TokenRequestValidator oauthDeviceCodeResponseTypeRequestValidator() {
        return new OAuth20DeviceCodeResponseTypeRequestValidator((ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject());
    }

    @ConditionalOnMissingBean(name = {"oauthRefreshTokenGrantTypeTokenRequestValidator"})
    @Bean
    public OAuth20TokenRequestValidator oauthRefreshTokenGrantTypeTokenRequestValidator() {
        return new OAuth20RefreshTokenGrantTypeTokenRequestValidator(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthPasswordGrantTypeTokenRequestValidator"})
    @Bean
    public OAuth20TokenRequestValidator oauthPasswordGrantTypeTokenRequestValidator() {
        return new OAuth20PasswordGrantTypeTokenRequestValidator(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthClientCredentialsGrantTypeTokenRequestValidator"})
    @Bean
    public OAuth20TokenRequestValidator oauthClientCredentialsGrantTypeTokenRequestValidator() {
        return new OAuth20ClientCredentialsGrantTypeTokenRequestValidator(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthTokenRequestValidators"})
    @RefreshScope
    @Bean
    public Collection<OAuth20TokenRequestValidator> oauthTokenRequestValidators() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(oauth20AuthorizationCodeGrantTypeProofKeyCodeExchangeTokenRequestValidator());
        arrayList.add(oauthAuthorizationCodeGrantTypeTokenRequestValidator());
        arrayList.add(oauthDeviceCodeResponseTypeRequestValidator());
        arrayList.add(oauthRefreshTokenGrantTypeTokenRequestValidator());
        arrayList.add(oauthPasswordGrantTypeTokenRequestValidator());
        arrayList.add(oauthClientCredentialsGrantTypeTokenRequestValidator());
        return arrayList;
    }

    @ConditionalOnMissingBean(name = {"oauthAuthorizationCodeResponseTypeRequestValidator"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationRequestValidator oauthAuthorizationCodeResponseTypeRequestValidator() {
        return new OAuth20AuthorizationCodeResponseTypeAuthorizationRequestValidator((ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getObject());
    }

    @ConditionalOnMissingBean(name = {"oauthProofKeyCodeExchangeResponseTypeAuthorizationRequestValidator"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationRequestValidator oauthProofKeyCodeExchangeResponseTypeAuthorizationRequestValidator() {
        return new OAuth20ProofKeyCodeExchangeResponseTypeAuthorizationRequestValidator((ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getObject());
    }

    @ConditionalOnMissingBean(name = {"oauthTokenResponseTypeRequestValidator"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationRequestValidator oauthTokenResponseTypeRequestValidator() {
        return new OAuth20TokenResponseTypeAuthorizationRequestValidator((ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getObject());
    }

    @ConditionalOnMissingBean(name = {"oauthIdTokenResponseTypeRequestValidator"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationRequestValidator oauthIdTokenResponseTypeRequestValidator() {
        return new OAuth20IdTokenResponseTypeAuthorizationRequestValidator((ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getObject());
    }

    @ConditionalOnMissingBean(name = {"oauthIdTokenAndTokenResponseTypeRequestValidator"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationRequestValidator oauthIdTokenAndTokenResponseTypeRequestValidator() {
        return new OAuth20IdTokenAndTokenResponseTypeAuthorizationRequestValidator((ServicesManager) this.servicesManager.getObject(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), (AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getObject());
    }

    @ConditionalOnMissingBean(name = {"oauthResourceOwnerCredentialsResponseBuilder"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationResponseBuilder oauthResourceOwnerCredentialsResponseBuilder() {
        return new OAuth20ResourceOwnerCredentialsResponseBuilder(accessTokenResponseGenerator(), oauthTokenGenerator(), accessTokenExpirationPolicy(), this.casProperties);
    }

    @ConditionalOnMissingBean(name = {"oauthClientCredentialsResponseBuilder"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationResponseBuilder oauthClientCredentialsResponseBuilder() {
        return new OAuth20ClientCredentialsResponseBuilder(accessTokenResponseGenerator(), oauthTokenGenerator(), accessTokenExpirationPolicy(), this.casProperties);
    }

    @ConditionalOnMissingBean(name = {"oauthTokenResponseBuilder"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationResponseBuilder oauthTokenResponseBuilder() {
        return new OAuth20TokenAuthorizationResponseBuilder(oauthTokenGenerator(), accessTokenExpirationPolicy(), (ServicesManager) this.servicesManager.getObject(), accessTokenJwtBuilder());
    }

    @ConditionalOnMissingBean(name = {"oauthAuthorizationCodeResponseBuilder"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizationResponseBuilder oauthAuthorizationCodeResponseBuilder() {
        return new OAuth20AuthorizationCodeAuthorizationResponseBuilder((TicketRegistry) this.ticketRegistry.getObject(), defaultOAuthCodeFactory(), (ServicesManager) this.servicesManager.getObject());
    }

    @ConditionalOnMissingBean(name = {"authorizeController"})
    @RefreshScope
    @Bean
    public OAuth20AuthorizeEndpointController authorizeController() {
        return new OAuth20AuthorizeEndpointController(buildConfigurationContext().accessTokenGrantAuditableRequestExtractor(accessTokenGrantAuditableRequestExtractor()).build());
    }

    @ConditionalOnMissingBean(name = {"oauthPrincipalFactory"})
    @RefreshScope
    @Bean
    public PrincipalFactory oauthPrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    @ConditionalOnMissingBean(name = {"defaultRefreshTokenFactory"})
    @RefreshScope
    @Bean
    public OAuth20RefreshTokenFactory defaultRefreshTokenFactory() {
        return new OAuth20DefaultRefreshTokenFactory(refreshTokenIdGenerator(), refreshTokenExpirationPolicy(), (ServicesManager) this.servicesManager.getObject());
    }

    @RefreshScope
    @Bean
    public ExpirationPolicyBuilder refreshTokenExpirationPolicy() {
        return new OAuth20RefreshTokenExpirationPolicyBuilder(this.casProperties);
    }

    @ConditionalOnMissingBean(name = {"oauthCasAuthenticationBuilder"})
    @RefreshScope
    @Bean
    public OAuth20CasAuthenticationBuilder oauthCasAuthenticationBuilder() {
        return new OAuth20CasAuthenticationBuilder(oauthPrincipalFactory(), (ServiceFactory) this.webApplicationServiceFactory.getObject(), profileScopeToAttributesFilter(), this.casProperties);
    }

    @ConditionalOnMissingBean(name = {"accessTokenIdGenerator"})
    @RefreshScope
    @Bean
    public UniqueTicketIdGenerator accessTokenIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    @ConditionalOnMissingBean(name = {"deviceTokenIdGenerator"})
    @RefreshScope
    @Bean
    public UniqueTicketIdGenerator deviceTokenIdGenerator() {
        return new DefaultUniqueTicketIdGenerator();
    }

    @Bean
    public AuditTrailRecordResolutionPlanConfigurer oauthAuditTrailRecordResolutionPlanConfigurer() {
        return auditTrailRecordResolutionPlan -> {
            auditTrailRecordResolutionPlan.registerAuditActionResolver("OAUTH2_USER_PROFILE_ACTION_RESOLVER", new DefaultAuditActionResolver("_CREATED", "_CREATED"));
            auditTrailRecordResolutionPlan.registerAuditResourceResolver("OAUTH2_USER_PROFILE_RESOURCE_RESOLVER", new OAuth20UserProfileDataAuditResourceResolver());
            auditTrailRecordResolutionPlan.registerAuditActionResolver("OAUTH2_ACCESS_TOKEN_REQUEST_ACTION_RESOLVER", new DefaultAuditActionResolver("_CREATED", "_CREATED"));
            auditTrailRecordResolutionPlan.registerAuditResourceResolver("OAUTH2_ACCESS_TOKEN_REQUEST_RESOURCE_RESOLVER", new OAuth20AccessTokenGrantRequestAuditResourceResolver());
            auditTrailRecordResolutionPlan.registerAuditActionResolver("OAUTH2_ACCESS_TOKEN_RESPONSE_ACTION_RESOLVER", new DefaultAuditActionResolver("_CREATED", "_CREATED"));
            auditTrailRecordResolutionPlan.registerAuditResourceResolver("OAUTH2_ACCESS_TOKEN_RESPONSE_RESOURCE_RESOLVER", new AccessTokenResponseAuditResourceResolver());
        };
    }

    @ConditionalOnAvailableEndpoint
    @Bean
    public OAuth20TokenManagementEndpoint oAuth20TokenManagementEndpoint() {
        return new OAuth20TokenManagementEndpoint(this.casProperties, (TicketRegistry) this.ticketRegistry.getObject(), accessTokenJwtBuilder());
    }

    @ConditionalOnMissingBean(name = {"oauthAccessTokenJwtCipherExecutor"})
    @RefreshScope
    @Bean
    public CipherExecutor oauthAccessTokenJwtCipherExecutor() {
        EncryptionOptionalSigningOptionalJwtCryptographyProperties crypto = this.casProperties.getAuthn().getOauth().getAccessToken().getCrypto();
        boolean z = !crypto.isEnabled() && StringUtils.isNotBlank(crypto.getEncryption().getKey()) && StringUtils.isNotBlank(crypto.getSigning().getKey());
        Supplier supplier = () -> {
            LOGGER.warn("Default encryption/signing is not enabled explicitly for OAuth access tokens as JWTs if necessary, yet signing/encryption keys are defined for operations. CAS will proceed to enable the token encryption/signing functionality.");
            return Boolean.TRUE;
        };
        Objects.requireNonNull(crypto);
        if (((Boolean) FunctionUtils.doIf(z, supplier, crypto::isEnabled).get()).booleanValue()) {
            return new OAuth20JwtAccessTokenCipherExecutor(crypto.getEncryption().getKey(), crypto.getSigning().getKey(), crypto.getAlg(), crypto.isEncryptionEnabled(), crypto.isSigningEnabled(), crypto.getSigning().getKeySize(), crypto.getEncryption().getKeySize());
        }
        LOGGER.info("OAuth access token encryption/signing is turned off for JWTs, if/when needed. This MAY NOT be safe in a production environment.");
        return CipherExecutor.noOp();
    }

    @ConditionalOnMissingBean(name = {"oauthDistributedSessionStore"})
    @Bean
    public SessionStore<JEEContext> oauthDistributedSessionStore() {
        return this.casProperties.getAuthn().getOauth().isReplicateSessions() ? new DistributedJ2ESessionStore((TicketRegistry) this.ticketRegistry.getObject(), (TicketFactory) this.ticketFactory.getObject()) : new JEESessionStore();
    }

    @ConditionalOnMissingBean(name = {"oauthRegisteredServiceCipherExecutor"})
    @RefreshScope
    @Bean
    public CipherExecutor oauthRegisteredServiceCipherExecutor() {
        EncryptionOptionalSigningOptionalJwtCryptographyProperties crypto = this.casProperties.getAuthn().getOauth().getCrypto();
        boolean z = !crypto.isEnabled() && StringUtils.isNotBlank(crypto.getEncryption().getKey()) && StringUtils.isNotBlank(crypto.getSigning().getKey());
        Supplier supplier = () -> {
            LOGGER.warn("Secret encryption/signing is not enabled explicitly in the configuration for OAuth/OIDC services, yet signing/encryption keys are defined for operations. CAS will proceed to enable the encryption/signing functionality.");
            return Boolean.TRUE;
        };
        Objects.requireNonNull(crypto);
        if (((Boolean) FunctionUtils.doIf(z, supplier, crypto::isEnabled).get()).booleanValue()) {
            return new OAuth20RegisteredServiceCipherExecutor(crypto.getEncryption().getKey(), crypto.getSigning().getKey(), crypto.getAlg(), crypto.isEncryptionEnabled(), crypto.isSigningEnabled(), crypto.getSigning().getKeySize(), crypto.getEncryption().getKeySize());
        }
        LOGGER.info("Relying party secret encryption/signing is turned off for OAuth/OIDC services. This MAY NOT be safe in a production environment. Consider using other choices to handle encryption, signing and verification of relying party secrets.");
        return CipherExecutor.noOp();
    }

    private OAuth20ConfigurationContext.OAuth20ConfigurationContextBuilder buildConfigurationContext() {
        return OAuth20ConfigurationContext.builder().registeredServiceCipherExecutor(oauthRegisteredServiceCipherExecutor()).sessionStore(oauthDistributedSessionStore()).servicesManager((ServicesManager) this.servicesManager.getObject()).ticketRegistry((TicketRegistry) this.ticketRegistry.getObject()).accessTokenFactory(defaultAccessTokenFactory()).deviceTokenFactory(defaultDeviceTokenFactory()).principalFactory(oauthPrincipalFactory()).webApplicationServiceServiceFactory((ServiceFactory) this.webApplicationServiceFactory.getObject()).casProperties(this.casProperties).ticketGrantingTicketCookieGenerator((CasCookieBuilder) this.ticketGrantingTicketCookieGenerator.getObject()).resourceLoader(this.resourceLoader).oauthConfig(oauthSecConfig()).registeredServiceAccessStrategyEnforcer((AuditableExecution) this.registeredServiceAccessStrategyEnforcer.getObject()).centralAuthenticationService((CentralAuthenticationService) this.centralAuthenticationService.getObject()).callbackAuthorizeViewResolver(callbackAuthorizeViewResolver()).profileScopeToAttributesFilter(profileScopeToAttributesFilter()).accessTokenGenerator(oauthTokenGenerator()).accessTokenJwtBuilder(accessTokenJwtBuilder()).accessTokenResponseGenerator(accessTokenResponseGenerator()).accessTokenExpirationPolicy(accessTokenExpirationPolicy()).deviceTokenExpirationPolicy(deviceTokenExpirationPolicy()).accessTokenGrantRequestValidators(oauthTokenRequestValidators()).userProfileDataCreator(oAuth2UserProfileDataCreator()).userProfileViewRenderer(oauthUserProfileViewRenderer()).oAuthCodeFactory(defaultOAuthCodeFactory()).consentApprovalViewResolver(consentApprovalViewResolver()).authenticationBuilder(oauthCasAuthenticationBuilder()).oauthAuthorizationResponseBuilders(oauthAuthorizationResponseBuilders()).oauthRequestValidators(oauthAuthorizationRequestValidators());
    }
}
