package org.apereo.cas.oidc.config;

import com.github.benmanes.caffeine.cache.CacheLoader;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import java.time.Duration;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.AuthenticationServiceSelectionStrategy;
import org.apereo.cas.authentication.MultifactorAuthenticationProviderResolver;
import org.apereo.cas.authentication.MultifactorAuthenticationTrigger;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.oidc.OidcProperties;
import org.apereo.cas.oidc.OidcConfigurationContext;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.oidc.discovery.webfinger.OidcWebFingerDiscoveryService;
import org.apereo.cas.oidc.issuer.OidcIssuerService;
import org.apereo.cas.oidc.jwks.OidcDefaultJsonWebKeystoreCacheLoader;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeystoreGeneratorService;
import org.apereo.cas.oidc.jwks.generator.OidcDefaultJsonWebKeystoreGeneratorService;
import org.apereo.cas.oidc.jwks.generator.OidcRestfulJsonWebKeystoreGeneratorService;
import org.apereo.cas.oidc.web.OidcHandlerInterceptorAdapter;
import org.apereo.cas.oidc.web.OidcLocaleChangeInterceptor;
import org.apereo.cas.oidc.web.controllers.authorize.OidcAuthorizeEndpointController;
import org.apereo.cas.oidc.web.controllers.discovery.OidcWellKnownEndpointController;
import org.apereo.cas.oidc.web.controllers.dynareg.OidcClientConfigurationEndpointController;
import org.apereo.cas.oidc.web.controllers.dynareg.OidcDynamicClientRegistrationEndpointController;
import org.apereo.cas.oidc.web.controllers.introspection.OidcIntrospectionEndpointController;
import org.apereo.cas.oidc.web.controllers.jwks.OidcJwksEndpointController;
import org.apereo.cas.oidc.web.controllers.logout.OidcLogoutEndpointController;
import org.apereo.cas.oidc.web.controllers.logout.OidcPostLogoutRedirectUrlMatcher;
import org.apereo.cas.oidc.web.controllers.profile.OidcUserProfileEndpointController;
import org.apereo.cas.oidc.web.controllers.token.OidcAccessTokenEndpointController;
import org.apereo.cas.oidc.web.controllers.token.OidcRevocationEndpointController;
import org.apereo.cas.oidc.web.flow.OidcCasWebflowLoginContextProvider;
import org.apereo.cas.oidc.web.flow.OidcMultifactorAuthenticationTrigger;
import org.apereo.cas.oidc.web.flow.OidcRegisteredServiceUIAction;
import org.apereo.cas.oidc.web.flow.OidcWebflowConfigurer;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationRequestValidator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenGrantRequestExtractor;
import org.apereo.cas.validation.CasProtocolViewFactory;
import org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer;
import org.apereo.cas.web.UrlValidator;
import org.apereo.cas.web.flow.CasWebflowConfigurer;
import org.apereo.cas.web.flow.CasWebflowExecutionPlanConfigurer;
import org.apereo.cas.web.flow.CasWebflowLoginContextProvider;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.impl.CasWebflowEventResolutionConfigurationContext;
import org.apereo.cas.web.flow.resolver.impl.mfa.DefaultMultifactorAuthenticationProviderWebflowEventResolver;
import org.apereo.cas.web.support.ArgumentExtractor;
import org.jose4j.jwk.PublicJsonWebKey;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.DependsOn;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.webflow.definition.registry.FlowDefinitionRegistry;
import org.springframework.webflow.engine.builder.support.FlowBuilderServices;
import org.springframework.webflow.execution.Action;

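/**
 * Spring configuration that wires the OpenID Connect protocol surface of CAS: the
 * endpoint controllers (authorize, access token, introspection, revocation, userinfo,
 * JWKS, discovery/well-known, dynamic client registration and client configuration,
 * logout), the pac4j security interceptors placed in front of them, the JSON web
 * keystore generator and its cache, and the webflow hooks (MFA trigger, login-context
 * provider, {@code ui_locales} handling).
 *
 * <p>Security-relevant wiring to keep in mind when overriding beans from this class:
 * <ul>
 *   <li>{@link #oauthInterceptor()} is registered on {@code <oidc-base>/*} by
 *       {@link #oidcWebMvcConfigurer()} and composes the "requires authentication"
 *       interceptors for the access-token, authorize, dynamic-registration and
 *       client-configuration endpoints; {@link #oidcProtocolEndpointConfigurer()} lists
 *       that same base path as ignored for the protocol-endpoint web-security layer.</li>
 *   <li>Dynamic client registration runs in {@code PROTECTED} mode unless
 *       {@code cas.authn.oidc.core.dynamic-client-registration-mode} says otherwise; an
 *       unrecognised value fails startup rather than falling back to something looser.</li>
 *   <li>{@link #postLogoutRedirectUrlMatcher()} decides whether a requested post-logout
 *       redirect URL matches a registered one and therefore controls open-redirect
 *       exposure on the logout endpoint.</li>
 * </ul>
 * Most beans are {@code @ConditionalOnMissingBean}, so a deployment may replace them by
 * declaring a bean of the same name.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("oidcEndpointsConfiguration")
public class OidcEndpointsConfiguration {

    /**
     * pac4j client names accepted by the dynamic-registration interceptor, in the
     * order pac4j tries them (the value is a comma-separated list).
     */
    private static final String DYNAMIC_REGISTRATION_CLIENTS =
        String.join(",", "clientBasicAuth", "clientAccessTokenAuth", "clientForm", "userForm");

    /** pac4j client name accepted by the client-configuration interceptor. */
    private static final String CLIENT_CONFIGURATION_CLIENTS = String.join(",", "ClientRegistrationClient");

    // Collaborators are resolved through ObjectProvider at bean-creation time
    // (getObject()) rather than injected eagerly as concrete instances.

    @Autowired
    @Qualifier("oauthDistributedSessionStore")
    private ObjectProvider<SessionStore> oauthDistributedSessionStore;

    @Autowired
    @Qualifier("accessTokenGrantAuditableRequestExtractor")
    private ObjectProvider<AuditableExecution> accessTokenGrantAuditableRequestExtractor;

    @Autowired
    @Qualifier("oauthAuthorizationRequestValidators")
    private ObjectProvider<Set<OAuth20AuthorizationRequestValidator>> oauthRequestValidators;

    @Autowired
    @Qualifier("requiresAuthenticationAccessTokenInterceptor")
    private ObjectProvider<HandlerInterceptor> requiresAuthenticationAccessTokenInterceptor;

    @Autowired
    @Qualifier("requiresAuthenticationAuthorizeInterceptor")
    private ObjectProvider<HandlerInterceptor> requiresAuthenticationAuthorizeInterceptor;

    @Autowired
    @Qualifier("argumentExtractor")
    private ObjectProvider<ArgumentExtractor> argumentExtractor;

    @Autowired
    @Qualifier("loginFlowRegistry")
    private ObjectProvider<FlowDefinitionRegistry> loginFlowDefinitionRegistry;

    @Autowired
    @Qualifier("logoutFlowRegistry")
    private ObjectProvider<FlowDefinitionRegistry> logoutFlowDefinitionRegistry;

    @Autowired
    private ObjectProvider<FlowBuilderServices> flowBuilderServices;

    @Autowired
    @Qualifier("initialAuthenticationAttemptWebflowEventResolver")
    private ObjectProvider<CasDelegatingWebflowEventResolver> initialAuthenticationAttemptWebflowEventResolver;

    @Autowired
    @Qualifier("oauth20AuthenticationRequestServiceSelectionStrategy")
    private ObjectProvider<AuthenticationServiceSelectionStrategy> oauth20AuthenticationServiceSelectionStrategy;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("casProtocolViewFactory")
    private ObjectProvider<CasProtocolViewFactory> casProtocolViewFactory;

    @Autowired
    @Qualifier("oidcConfigurationContext")
    private ObjectProvider<OidcConfigurationContext> oidcConfigurationContext;

    @Autowired
    @Qualifier("oauthSecConfig")
    private ObjectProvider<Config> oauthSecConfig;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    @Autowired
    @Qualifier("casWebflowConfigurationContext")
    private ObjectProvider<CasWebflowEventResolutionConfigurationContext> casWebflowConfigurationContext;

    @Autowired
    @Qualifier("accessTokenGrantRequestExtractors")
    private ObjectProvider<Collection<AccessTokenGrantRequestExtractor>> accessTokenGrantRequestExtractors;

    @Autowired
    @Qualifier("multifactorAuthenticationProviderResolver")
    private ObjectProvider<MultifactorAuthenticationProviderResolver> multifactorAuthenticationProviderResolver;

    @Autowired
    @Qualifier("urlValidator")
    private ObjectProvider<UrlValidator> urlValidator;

    @Autowired
    @Qualifier("oidcIssuerService")
    private ObjectProvider<OidcIssuerService> oidcIssuerService;

    /**
     * MFA trigger evaluated for OIDC requests; provider resolution is delegated to the
     * shared {@code multifactorAuthenticationProviderResolver}.
     *
     * @return the OIDC multifactor authentication trigger
     */
    @ConditionalOnMissingBean(name = {"oidcMultifactorAuthenticationTrigger"})
    @RefreshScope
    @Bean
    public MultifactorAuthenticationTrigger oidcMultifactorAuthenticationTrigger() {
        return new OidcMultifactorAuthenticationTrigger(this.casProperties,
            this.multifactorAuthenticationProviderResolver.getObject(), this.applicationContext);
    }

    /**
     * Single-entry, time-bounded cache of the {@link PublicJsonWebKey} loaded by
     * {@link #oidcDefaultJsonWebKeystoreCacheLoader()}. Entries expire
     * {@code cas.authn.oidc.jwks.jwks-cache-in-minutes} after being written, which is what
     * bounds how long a rotated keystore can go unnoticed by a running node.
     *
     * <p>A value of zero makes every lookup reload the keystore (Caffeine treats a zero
     * write-expiry as "expire immediately"); a negative value is rejected by Caffeine at
     * startup.
     *
     * @return the keystore cache
     */
    @ConditionalOnMissingBean(name = {"oidcDefaultJsonWebKeystoreCache"})
    @RefreshScope
    @Bean
    public LoadingCache<String, Optional<PublicJsonWebKey>> oidcDefaultJsonWebKeystoreCache() {
        final long cacheMinutes = this.casProperties.getAuthn().getOidc().getJwks().getJwksCacheInMinutes();
        return Caffeine.newBuilder()
            .maximumSize(1L)
            .expireAfterWrite(Duration.ofMinutes(cacheMinutes))
            .build(oidcDefaultJsonWebKeystoreCacheLoader());
    }

    /**
     * Registers {@link #oauthInterceptor()} (order 100) on {@code <oidc-base>/*}, where the
     * base path is derived from the issuer by {@link #getOidcBaseEndpoint(OidcIssuerService)}.
     * The pattern is a single-segment {@code /*}, so only direct children of the base path
     * are covered by this registration.
     *
     * @return the MVC configurer adding the OIDC interceptor
     */
    @Bean
    public WebMvcConfigurer oidcWebMvcConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addInterceptors(final InterceptorRegistry registry) {
                final String basePath = getOidcBaseEndpoint(oidcIssuerService.getObject());
                registry.addInterceptor(oauthInterceptor())
                    .order(100)
                    .addPathPatterns(basePath.concat("/*"));
            }
        };
    }

    /**
     * pac4j interceptor guarding dynamic client registration when it runs in
     * {@code PROTECTED} mode: the caller must authenticate with one of
     * {@link #DYNAMIC_REGISTRATION_CLIENTS} and be fully authenticated.
     *
     * @return the dynamic-registration security interceptor
     */
    @Bean
    public HandlerInterceptor requiresAuthenticationDynamicRegistrationInterceptor() {
        return newFullyAuthenticatedInterceptor(DYNAMIC_REGISTRATION_CLIENTS);
    }

    /**
     * pac4j interceptor guarding the client-configuration endpoint: the caller must
     * authenticate via {@link #CLIENT_CONFIGURATION_CLIENTS} and be fully authenticated.
     *
     * @return the client-configuration security interceptor
     */
    @Bean
    public HandlerInterceptor requiresAuthenticationClientConfigurationInterceptor() {
        return newFullyAuthenticatedInterceptor(CLIENT_CONFIGURATION_CLIENTS);
    }

    /**
     * Builds a pac4j {@link SecurityInterceptor} over the shared OAuth security config with
     * the {@code securityheaders} matcher and the {@code isFullyAuthenticated} authorizer.
     *
     * @param clients comma-separated pac4j client names to authenticate with
     * @return the configured interceptor
     */
    private SecurityInterceptor newFullyAuthenticatedInterceptor(final String clients) {
        final SecurityInterceptor interceptor =
            new SecurityInterceptor(this.oauthSecConfig.getObject(), clients, JEEHttpActionAdapter.INSTANCE);
        interceptor.setMatchers("securityheaders");
        interceptor.setAuthorizers("isFullyAuthenticated");
        return interceptor;
    }

    /**
     * The single interceptor registered on the OIDC base path. It composes the
     * requires-authentication interceptors for the access-token, authorize,
     * dynamic-registration and client-configuration endpoints and carries the dynamic
     * client registration mode.
     *
     * <p>The mode is read from {@code cas.authn.oidc.core.dynamic-client-registration-mode};
     * blank means {@code PROTECTED}. {@code Enum.valueOf} is case-sensitive and throws
     * {@link IllegalArgumentException} for anything else, so a misspelt mode fails startup
     * instead of silently opening registration.
     *
     * @return the OIDC handler interceptor
     */
    @Bean
    public HandlerInterceptor oauthInterceptor() {
        final String configuredMode = this.casProperties.getAuthn().getOidc().getCore().getDynamicClientRegistrationMode();
        final OidcConstants.DynamicClientRegistrationMode registrationMode =
            OidcConstants.DynamicClientRegistrationMode.valueOf(
                StringUtils.defaultIfBlank(configuredMode, OidcConstants.DynamicClientRegistrationMode.PROTECTED.name()));
        return new OidcHandlerInterceptorAdapter(
            this.requiresAuthenticationAccessTokenInterceptor.getObject(),
            this.requiresAuthenticationAuthorizeInterceptor.getObject(),
            requiresAuthenticationDynamicRegistrationInterceptor(),
            requiresAuthenticationClientConfigurationInterceptor(),
            registrationMode,
            this.accessTokenGrantRequestExtractors.getObject(),
            this.servicesManager.getObject(),
            this.oauthDistributedSessionStore.getObject(),
            this.oauthRequestValidators.getObject());
    }

    /**
     * Reports the OIDC base path as an endpoint the protocol-endpoint web-security layer
     * should ignore. The base path is computed once at bean creation.
     *
     * <p>NOTE(review): only the base path itself is listed; whether the consumer treats it
     * as a prefix for everything beneath it is not visible here. Confirm that the
     * endpoints under it are then gated solely by {@link #oauthInterceptor()}.
     *
     * @return the configurer exposing the ignored OIDC base endpoint
     */
    @ConditionalOnMissingBean(name = {"oidcProtocolEndpointConfigurer"})
    @RefreshScope
    @Bean
    public ProtocolEndpointWebSecurityConfigurer<Void> oidcProtocolEndpointConfigurer() {
        final String oidcBaseEndpoint = getOidcBaseEndpoint(this.oidcIssuerService.getObject());
        return new ProtocolEndpointWebSecurityConfigurer<Void>() {
            @Override
            public List<String> getIgnoredEndpoints() {
                return List.of(oidcBaseEndpoint);
            }
        };
    }

    /**
     * @return the token introspection endpoint controller
     */
    @ConditionalOnMissingBean(name = {"oidcIntrospectionEndpointController"})
    @RefreshScope
    @Bean
    public OidcIntrospectionEndpointController oidcIntrospectionEndpointController() {
        return new OidcIntrospectionEndpointController(this.oidcConfigurationContext.getObject());
    }

    /**
     * Matcher used by the logout endpoint to decide whether a requested post-logout
     * redirect URL corresponds to a registered one. The default compares the two strings
     * case-insensitively; a {@code null} first argument never matches (fail closed)
     * instead of throwing.
     *
     * <p>NOTE(review): case-insensitive comparison is looser than the exact string match
     * recommended for redirect URIs by the OAuth 2.0 Security BCP. Scheme and host are
     * case-insensitive per RFC 3986, but the path is not, so on a case-sensitive origin
     * {@code /Logout} and {@code /logout} may be different resources. Deployments that
     * need strict matching should override this bean with an exact comparison.
     *
     * @return the post-logout redirect URL matcher
     */
    @ConditionalOnMissingBean(name = {"postLogoutRedirectUrlMatcher"})
    @RefreshScope
    @Bean
    public OidcPostLogoutRedirectUrlMatcher postLogoutRedirectUrlMatcher() {
        return (left, right) -> left != null && left.equalsIgnoreCase(right);
    }

    /**
     * @return the RP-initiated logout endpoint controller, using
     *         {@link #postLogoutRedirectUrlMatcher()} and the shared URL validator
     */
    @ConditionalOnMissingBean(name = {"oidcLogoutEndpointController"})
    @RefreshScope
    @Bean
    public OidcLogoutEndpointController oidcLogoutEndpointController() {
        return new OidcLogoutEndpointController(this.oidcConfigurationContext.getObject(),
            postLogoutRedirectUrlMatcher(), this.urlValidator.getObject());
    }

    /**
     * @return the token revocation endpoint controller
     */
    @ConditionalOnMissingBean(name = {"oidcRevocationEndpointController"})
    @RefreshScope
    @Bean
    public OidcRevocationEndpointController oidcRevocationEndpointController() {
        return new OidcRevocationEndpointController(this.oidcConfigurationContext.getObject());
    }

    /**
     * @return the access-token endpoint controller, wired with the auditable grant
     *         request extractor so token grants are audited
     */
    @ConditionalOnMissingBean(name = {"oidcAccessTokenController"})
    @RefreshScope
    @Bean
    public OidcAccessTokenEndpointController oidcAccessTokenController() {
        return new OidcAccessTokenEndpointController(this.oidcConfigurationContext.getObject(),
            this.accessTokenGrantAuditableRequestExtractor.getObject());
    }

    /**
     * @return the dynamic client registration endpoint controller; access is governed by
     *         the registration mode carried in {@link #oauthInterceptor()}
     */
    @ConditionalOnMissingBean(name = {"oidcDynamicClientRegistrationEndpointController"})
    @RefreshScope
    @Bean
    public OidcDynamicClientRegistrationEndpointController oidcDynamicClientRegistrationEndpointController() {
        return new OidcDynamicClientRegistrationEndpointController(this.oidcConfigurationContext.getObject());
    }

    /**
     * @return the client configuration endpoint controller
     */
    @ConditionalOnMissingBean(name = {"oidcClientConfigurationEndpointController"})
    @RefreshScope
    @Bean
    public OidcClientConfigurationEndpointController oidcClientConfigurationEndpointController() {
        return new OidcClientConfigurationEndpointController(this.oidcConfigurationContext.getObject());
    }

    /**
     * @return the JWKS endpoint controller, backed by {@link #oidcJsonWebKeystoreGeneratorService()}
     */
    @ConditionalOnMissingBean(name = {"oidcJwksController"})
    @RefreshScope
    @Bean
    public OidcJwksEndpointController oidcJwksController() {
        return new OidcJwksEndpointController(this.oidcConfigurationContext.getObject(),
            oidcJsonWebKeystoreGeneratorService());
    }

    /**
     * @return the Caffeine loader that populates {@link #oidcDefaultJsonWebKeystoreCache()}
     *         from the keystore generator service
     */
    @ConditionalOnMissingBean(name = {"oidcDefaultJsonWebKeystoreCacheLoader"})
    @RefreshScope
    @Bean
    public CacheLoader<String, Optional<PublicJsonWebKey>> oidcDefaultJsonWebKeystoreCacheLoader() {
        return new OidcDefaultJsonWebKeystoreCacheLoader(oidcJsonWebKeystoreGeneratorService());
    }

    /**
     * Keystore generator, invoked once at startup via {@code initMethod = "generate"}.
     * When {@code cas.authn.oidc.jwks.rest.url} is set the keystore is obtained through
     * {@link OidcRestfulJsonWebKeystoreGeneratorService}; otherwise the default generator
     * is used.
     *
     * <p>NOTE(review): the REST variant makes a remote endpoint the source of the signing
     * key material. How that endpoint is authenticated and transported is not visible here;
     * confirm it is restricted to TLS and an authenticated peer.
     *
     * @return the keystore generator service
     */
    @ConditionalOnMissingBean(name = {"oidcJsonWebKeystoreGeneratorService"})
    @RefreshScope
    @Bean(initMethod = "generate")
    public OidcJsonWebKeystoreGeneratorService oidcJsonWebKeystoreGeneratorService() {
        final OidcProperties oidc = this.casProperties.getAuthn().getOidc();
        if (StringUtils.isNotBlank(oidc.getJwks().getRest().getUrl())) {
            return new OidcRestfulJsonWebKeystoreGeneratorService(oidc);
        }
        return new OidcDefaultJsonWebKeystoreGeneratorService(oidc);
    }

    /**
     * @param oidcWebFingerDiscoveryService the WebFinger discovery service
     * @return the discovery (well-known) endpoint controller
     */
    @ConditionalOnMissingBean(name = {"oidcWellKnownController"})
    @RefreshScope
    @Autowired
    @Bean
    public OidcWellKnownEndpointController oidcWellKnownController(
        @Qualifier("oidcWebFingerDiscoveryService") final OidcWebFingerDiscoveryService oidcWebFingerDiscoveryService) {
        return new OidcWellKnownEndpointController(this.oidcConfigurationContext.getObject(), oidcWebFingerDiscoveryService);
    }

    /**
     * @return the userinfo endpoint controller
     */
    @ConditionalOnMissingBean(name = {"oidcProfileController"})
    @RefreshScope
    @Bean
    public OidcUserProfileEndpointController oidcProfileController() {
        return new OidcUserProfileEndpointController(this.oidcConfigurationContext.getObject());
    }

    /**
     * @return the authorization endpoint controller (not conditional; always registered)
     */
    @RefreshScope
    @Bean
    public OidcAuthorizeEndpointController oidcAuthorizeController() {
        return new OidcAuthorizeEndpointController(this.oidcConfigurationContext.getObject());
    }

    /**
     * Creates the MFA webflow event resolver driven by
     * {@link #oidcMultifactorAuthenticationTrigger()} and, as a side effect of bean
     * creation, registers it as a delegate of the initial-authentication-attempt resolver.
     *
     * <p>NOTE(review): because the registration happens in the bean method, re-creating
     * this {@code @RefreshScope} bean after a refresh would call {@code addDelegate} again.
     * Whether the delegating resolver de-duplicates delegates is not visible here.
     *
     * @return the OIDC authentication-context webflow event resolver
     */
    @RefreshScope
    @Bean
    public CasWebflowEventResolver oidcAuthenticationContextWebflowEventResolver() {
        final DefaultMultifactorAuthenticationProviderWebflowEventResolver resolver =
            new DefaultMultifactorAuthenticationProviderWebflowEventResolver(
                this.casWebflowConfigurationContext.getObject(), oidcMultifactorAuthenticationTrigger());
        final CasDelegatingWebflowEventResolver initialResolver =
            Objects.requireNonNull(this.initialAuthenticationAttemptWebflowEventResolver.getObject());
        initialResolver.addDelegate(resolver);
        return resolver;
    }

    /**
     * Webflow configurer extending the login and logout flows for OIDC. It depends on the
     * default webflow configurer having run first.
     *
     * @return the OIDC webflow configurer
     */
    @ConditionalOnMissingBean(name = {"oidcWebflowConfigurer"})
    @DependsOn({"defaultWebflowConfigurer"})
    @Bean
    public CasWebflowConfigurer oidcWebflowConfigurer() {
        final OidcWebflowConfigurer configurer = new OidcWebflowConfigurer(
            this.flowBuilderServices.getObject(),
            this.loginFlowDefinitionRegistry.getObject(),
            oidcRegisteredServiceUIAction(),
            this.applicationContext,
            this.casProperties);
        configurer.setLogoutFlowDefinitionRegistry(this.logoutFlowDefinitionRegistry.getObject());
        return configurer;
    }

    /**
     * @return the webflow action that resolves the registered service for UI purposes,
     *         using the OAuth service-selection strategy
     */
    @ConditionalOnMissingBean(name = {"oidcRegisteredServiceUIAction"})
    @RefreshScope
    @Bean
    public Action oidcRegisteredServiceUIAction() {
        return new OidcRegisteredServiceUIAction(this.servicesManager.getObject(),
            this.oauth20AuthenticationServiceSelectionStrategy.getObject());
    }

    /**
     * Locale-change interceptor keyed on the OIDC {@code ui_locales} request parameter.
     * The parameter is client-supplied input; locale resolution itself is handled by the
     * interceptor.
     *
     * @return the OIDC locale change interceptor
     */
    @ConditionalOnMissingBean(name = {"oidcLocaleChangeInterceptor"})
    @RefreshScope
    @Bean
    public HandlerInterceptor oidcLocaleChangeInterceptor() {
        final OidcLocaleChangeInterceptor interceptor =
            new OidcLocaleChangeInterceptor(this.casProperties.getLocale(), this.argumentExtractor.getObject());
        interceptor.setParamName("ui_locales");
        return interceptor;
    }

    /**
     * Registers the OIDC webflow configurer, the locale interceptor and the login-context
     * provider with the webflow execution plan.
     *
     * @return the execution plan configurer
     */
    @ConditionalOnMissingBean(name = {"oidcCasWebflowExecutionPlanConfigurer"})
    @Bean
    public CasWebflowExecutionPlanConfigurer oidcCasWebflowExecutionPlanConfigurer() {
        return plan -> {
            plan.registerWebflowConfigurer(oidcWebflowConfigurer());
            plan.registerWebflowInterceptor(oidcLocaleChangeInterceptor());
            plan.registerWebflowLoginContextProvider(oidcCasWebflowLoginContextProvider());
        };
    }

    /**
     * @return the consent/confirmation view rendered from {@code protocol/oidc/confirm}
     */
    @ConditionalOnMissingBean(name = {"oidcConfirmView"})
    @Bean
    public View oidcConfirmView() {
        return this.casProtocolViewFactory.getObject().create(this.applicationContext, "protocol/oidc/confirm");
    }

    /**
     * @return the login-context provider that reads OIDC request arguments via the
     *         shared argument extractor
     */
    @ConditionalOnMissingBean(name = {"oidcCasWebflowLoginContextProvider"})
    @RefreshScope
    @Bean
    public CasWebflowLoginContextProvider oidcCasWebflowLoginContextProvider() {
        return new OidcCasWebflowLoginContextProvider(this.argumentExtractor.getObject());
    }

    /**
     * Derives the OIDC base path (always starting with {@code /}) from the issuer by
     * stripping the configured server prefix from its start. Only a leading occurrence of
     * the prefix is removed; any other occurrence inside the issuer is left alone.
     *
     * <p>NOTE(review): if the issuer does not start with the server prefix, the result is
     * the whole issuer URL with a {@code /} prepended, which is not a servlet path. The
     * interceptor registered by {@link #oidcWebMvcConfigurer()} would then be bound to a
     * pattern that never matches the real OIDC endpoints. Deployments that configure an
     * issuer outside the server prefix should verify this at startup.
     *
     * @param oidcIssuerService the issuer service used to determine the configured issuer
     * @return the OIDC base path relative to the server prefix
     */
    private String getOidcBaseEndpoint(final OidcIssuerService oidcIssuerService) {
        final String issuer = oidcIssuerService.determineIssuer(Optional.empty());
        final String relative = StringUtils.removeStart(issuer, this.casProperties.getServer().getPrefix());
        return StringUtils.prependIfMissing(relative, "/");
    }
}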
