package org.apereo.cas.oidc.config;

import com.github.benmanes.caffeine.cache.CacheLoader;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import java.io.Serializable;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.support.oidc.OidcWebFingerProperties;
import org.apereo.cas.logout.slo.SingleLogoutServiceLogoutUrlBuilder;
import org.apereo.cas.oidc.OidcConfigurationContext;
import org.apereo.cas.oidc.authn.OidcAccessTokenAuthenticator;
import org.apereo.cas.oidc.authn.OidcCasCallbackUrlResolver;
import org.apereo.cas.oidc.authn.OidcClientConfigurationAccessTokenAuthenticator;
import org.apereo.cas.oidc.authn.OidcDPoPAuthenticator;
import org.apereo.cas.oidc.authn.OidcJwtAuthenticator;
import org.apereo.cas.oidc.claims.OidcIdTokenClaimCollector;
import org.apereo.cas.oidc.claims.mapping.OidcAttributeToScopeClaimMapper;
import org.apereo.cas.oidc.claims.mapping.OidcDefaultAttributeToScopeClaimMapper;
import org.apereo.cas.oidc.discovery.OidcServerDiscoverySettings;
import org.apereo.cas.oidc.discovery.OidcServerDiscoverySettingsFactory;
import org.apereo.cas.oidc.discovery.webfinger.OidcWebFingerDiscoveryService;
import org.apereo.cas.oidc.discovery.webfinger.OidcWebFingerUserInfoRepository;
import org.apereo.cas.oidc.discovery.webfinger.userinfo.OidcEchoingWebFingerUserInfoRepository;
import org.apereo.cas.oidc.discovery.webfinger.userinfo.OidcGroovyWebFingerUserInfoRepository;
import org.apereo.cas.oidc.discovery.webfinger.userinfo.OidcRestfulWebFingerUserInfoRepository;
import org.apereo.cas.oidc.dynareg.OidcClientRegistrationRequest;
import org.apereo.cas.oidc.dynareg.OidcClientRegistrationRequestSerializer;
import org.apereo.cas.oidc.issuer.OidcDefaultIssuerService;
import org.apereo.cas.oidc.issuer.OidcIssuerService;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey;
import org.apereo.cas.oidc.jwks.OidcRegisteredServiceJsonWebKeystoreCacheLoader;
import org.apereo.cas.oidc.jwks.OidcServiceJsonWebKeystoreCacheExpirationPolicy;
import org.apereo.cas.oidc.profile.OidcProfileScopeToAttributesFilter;
import org.apereo.cas.oidc.profile.OidcUserProfileDataCreator;
import org.apereo.cas.oidc.profile.OidcUserProfileSigningAndEncryptionService;
import org.apereo.cas.oidc.profile.OidcUserProfileViewRenderer;
import org.apereo.cas.oidc.scopes.DefaultOidcAttributeReleasePolicyFactory;
import org.apereo.cas.oidc.scopes.OidcAttributeReleasePolicyFactory;
import org.apereo.cas.oidc.services.OidcServiceRegistryListener;
import org.apereo.cas.oidc.services.OidcServicesManagerRegisteredServiceLocator;
import org.apereo.cas.oidc.ticket.OidcDefaultPushedAuthorizationRequestFactory;
import org.apereo.cas.oidc.ticket.OidcPushedAuthorizationRequestExpirationPolicyBuilder;
import org.apereo.cas.oidc.ticket.OidcPushedAuthorizationRequestFactory;
import org.apereo.cas.oidc.token.OidcIdTokenSigningAndEncryptionService;
import org.apereo.cas.oidc.token.OidcJwtAccessTokenCipherExecutor;
import org.apereo.cas.oidc.token.OidcRegisteredServiceJwtAccessTokenCipherExecutor;
import org.apereo.cas.oidc.util.OidcRequestSupport;
import org.apereo.cas.oidc.web.OidcAuthenticationAuthorizeSecurityLogic;
import org.apereo.cas.oidc.web.OidcAuthorizationModelAndViewBuilder;
import org.apereo.cas.oidc.web.OidcCallbackAuthorizeViewResolver;
import org.apereo.cas.oidc.web.OidcCasClientRedirectActionBuilder;
import org.apereo.cas.oidc.web.OidcClientSecretValidator;
import org.apereo.cas.oidc.web.OidcConsentApprovalViewResolver;
import org.apereo.cas.services.RegisteredServiceCipherExecutor;
import org.apereo.cas.services.ServiceRegistryListener;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.ServicesManagerRegisteredServiceLocator;
import org.apereo.cas.support.oauth.authenticator.OAuth20AuthenticationClientProvider;
import org.apereo.cas.support.oauth.authenticator.OAuth20CasAuthenticationBuilder;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.profile.OAuth20UserProfileDataCreator;
import org.apereo.cas.support.oauth.validator.OAuth20ClientSecretValidator;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationRequestValidator;
import org.apereo.cas.support.oauth.validator.token.OAuth20TokenRequestValidator;
import org.apereo.cas.support.oauth.web.OAuth20RequestParameterResolver;
import org.apereo.cas.support.oauth.web.response.OAuth20CasClientRedirectActionBuilder;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20TokenGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20AccessTokenResponseGenerator;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationModelAndViewBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.response.callback.OAuth20InvalidAuthorizationResponseBuilder;
import org.apereo.cas.support.oauth.web.views.ConsentApprovalViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20CallbackAuthorizeViewResolver;
import org.apereo.cas.support.oauth.web.views.OAuth20UserProfileViewRenderer;
import org.apereo.cas.ticket.ExpirationPolicyBuilder;
import org.apereo.cas.ticket.IdTokenGeneratorService;
import org.apereo.cas.ticket.OAuth20TokenSigningAndEncryptionService;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.TicketFactoryExecutionPlanConfigurer;
import org.apereo.cas.ticket.UniqueTicketIdGenerator;
import org.apereo.cas.ticket.accesstoken.OAuth20JwtBuilder;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.DefaultUniqueTicketIdGenerator;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.gen.DefaultRandomStringGenerator;
import org.apereo.cas.util.serialization.StringSerializer;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.cookie.CasCookieBuilder;
import org.jose4j.jwk.JsonWebKeySet;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.credentials.extractor.BearerAuthExtractor;
import org.pac4j.core.engine.SecurityLogic;
import org.pac4j.core.http.url.UrlResolver;
import org.pac4j.http.client.direct.DirectFormClient;
import org.pac4j.http.client.direct.HeaderClient;
import org.pac4j.jee.http.adapter.JEEHttpActionAdapter;
import org.pac4j.springframework.web.SecurityInterceptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.AutoConfigureOrder;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.web.servlet.HandlerInterceptor;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@AutoConfiguration
@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.OpenIDConnect)
/* loaded from: input_file:org/apereo/cas/oidc/config/OidcConfiguration.class */
public class OidcConfiguration {

    // Class-wide SLF4J logger; nested configuration classes reference it as OidcConfiguration.LOGGER.
    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcConfiguration.class);

    /**
     * Cache beans for JSON Web Key Sets, keyed by {@link OidcJsonWebKeyCacheKey}.
     */
    @Configuration(value = "OidcCacheConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcCacheConfiguration {

        /**
         * Builds the loading cache of key sets resolved through the supplied loader.
         *
         * <p>The cache is capped at 100 entries and entry lifetime is delegated to
         * {@link OidcServiceJsonWebKeystoreCacheExpirationPolicy}.
         * NOTE(review): a key set that a registered service rotates or withdraws presumably
         * stays usable from this cache until that policy expires the entry; confirm the
         * configured expiration matches key-rotation expectations.
         *
         * @param cacheLoader loader bean qualified as {@code oidcServiceJsonWebKeystoreCacheLoader}
         * @param casConfigurationProperties CAS settings handed to the expiration policy
         * @return the cache; not registered when a bean named
         *         {@code oidcServiceJsonWebKeystoreCache} already exists
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcServiceJsonWebKeystoreCache")
        public LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> oidcServiceJsonWebKeystoreCache(
            @Qualifier("oidcServiceJsonWebKeystoreCacheLoader") CacheLoader<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> cacheLoader,
            CasConfigurationProperties casConfigurationProperties) {
            OidcServiceJsonWebKeystoreCacheExpirationPolicy expirationPolicy =
                new OidcServiceJsonWebKeystoreCacheExpirationPolicy(casConfigurationProperties);
            return Caffeine.newBuilder()
                .maximumSize(100L)
                .expireAfter(expirationPolicy)
                .build(cacheLoader);
        }

        /**
         * Supplies the loader that backs the key-set cache.
         *
         * @param configurableApplicationContext application context passed to the loader
         * @return an {@link OidcRegisteredServiceJsonWebKeystoreCacheLoader}; not registered when a
         *         bean named {@code oidcServiceJsonWebKeystoreCacheLoader} already exists
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcServiceJsonWebKeystoreCacheLoader")
        public CacheLoader<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> oidcServiceJsonWebKeystoreCacheLoader(
            ConfigurableApplicationContext configurableApplicationContext) {
            OidcRegisteredServiceJsonWebKeystoreCacheLoader keystoreLoader =
                new OidcRegisteredServiceJsonWebKeystoreCacheLoader(configurableApplicationContext);
            return keystoreLoader;
        }
    }

    /**
     * Beans that decide which attributes are released for requested scopes.
     */
    @Configuration(value = "OidcClaimsConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcClaimsConfiguration {

        /**
         * Registers the OIDC scope-to-attributes filter under the name
         * {@code profileScopeToAttributesFilter}.
         *
         * <p>There is no {@code @ConditionalOnMissingBean} guard on this method.
         * NOTE(review): this filter presumably bounds which principal attributes reach a
         * relying party per scope; confirm against {@link OidcProfileScopeToAttributesFilter}.
         *
         * @param principalFactory factory bean qualified as {@code oidcPrincipalFactory}
         * @param oidcAttributeReleasePolicyFactory bean qualified as {@code oidcAttributeReleasePolicyFactory}
         * @param casConfigurationProperties CAS settings
         * @return the filter instance
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public OAuth20ProfileScopeToAttributesFilter profileScopeToAttributesFilter(
            @Qualifier("oidcPrincipalFactory") PrincipalFactory principalFactory,
            @Qualifier("oidcAttributeReleasePolicyFactory") OidcAttributeReleasePolicyFactory oidcAttributeReleasePolicyFactory,
            CasConfigurationProperties casConfigurationProperties) {
            OidcProfileScopeToAttributesFilter scopeFilter = new OidcProfileScopeToAttributesFilter(
                principalFactory, casConfigurationProperties, oidcAttributeReleasePolicyFactory);
            return scopeFilter;
        }
    }

    /**
     * pac4j client providers and authenticators used to authenticate callers of the OIDC
     * endpoints. Each provider returns a lambda, so a fresh client is built on every call.
     */
    @Configuration(value = "OidcClientConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcClientConfiguration {

        /**
         * Provider of the header client named {@code ClientRegistrationClient}.
         *
         * <p>Credentials are extracted with {@link BearerAuthExtractor} and checked by
         * {@link OidcClientConfigurationAccessTokenAuthenticator}. This bean has no
         * {@code @ConditionalOnMissingBean} guard.
         *
         * @param jwtBuilder bean qualified as {@code accessTokenJwtBuilder}
         * @param ticketRegistry bean qualified as {@code ticketRegistry}
         * @return provider that creates and initializes the client
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public OAuth20AuthenticationClientProvider oidcClientConfigurationAuthenticationClientProvider(
            @Qualifier("accessTokenJwtBuilder") JwtBuilder jwtBuilder,
            @Qualifier("ticketRegistry") TicketRegistry ticketRegistry) {
            return () -> {
                HeaderClient registrationClient = new HeaderClient();
                registrationClient.setCredentialsExtractor(new BearerAuthExtractor());
                registrationClient.setAuthenticator(
                    new OidcClientConfigurationAccessTokenAuthenticator(ticketRegistry, jwtBuilder));
                registrationClient.setName("ClientRegistrationClient");
                registrationClient.init();
                return registrationClient;
            };
        }

        /**
         * Provider of the header client named {@code clientDynamicRegistrationAuth}.
         *
         * <p>Bearer credentials are validated by the injected authenticator. This bean has no
         * {@code @ConditionalOnMissingBean} guard.
         *
         * @param authenticator bean qualified as {@code oidcDynamicRegistrationAuthenticator}
         * @return provider that creates and initializes the client
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public OAuth20AuthenticationClientProvider oidcDynamicRegistrationAuthenticationClientProvider(
            @Qualifier("oidcDynamicRegistrationAuthenticator") Authenticator authenticator) {
            return () -> {
                HeaderClient dynamicRegistrationClient = new HeaderClient();
                dynamicRegistrationClient.setCredentialsExtractor(new BearerAuthExtractor());
                dynamicRegistrationClient.setAuthenticator(authenticator);
                dynamicRegistrationClient.setName("clientDynamicRegistrationAuth");
                dynamicRegistrationClient.init();
                return dynamicRegistrationClient;
            };
        }

        /**
         * Provider of the header client named {@code proofOfPossessionAuth}, which reads the
         * {@code DPoP} request header and delegates to {@link OidcDPoPAuthenticator}.
         *
         * @param casConfigurationProperties CAS settings
         * @param servicesManager bean qualified as {@code servicesManager}
         * @param auditableExecution bean qualified as {@code registeredServiceAccessStrategyEnforcer}
         * @param oidcServerDiscoverySettings bean qualified as {@code oidcServerDiscoverySettingsFactory}
         * @return provider that creates and initializes the client; not registered when a bean
         *         named {@code oidcDPoPClientProvider} already exists
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcDPoPClientProvider")
        public OAuth20AuthenticationClientProvider oidcDPoPClientProvider(
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("servicesManager") ServicesManager servicesManager,
            @Qualifier("registeredServiceAccessStrategyEnforcer") AuditableExecution auditableExecution,
            @Qualifier("oidcServerDiscoverySettingsFactory") OidcServerDiscoverySettings oidcServerDiscoverySettings) {
            return () -> {
                OidcDPoPAuthenticator proofAuthenticator = new OidcDPoPAuthenticator(
                    oidcServerDiscoverySettings, servicesManager, auditableExecution, casConfigurationProperties);
                HeaderClient proofClient = new HeaderClient("DPoP", proofAuthenticator);
                proofClient.setName("proofOfPossessionAuth");
                proofClient.init();
                return proofClient;
            };
        }

        /**
         * Provider of the form client named {@code ClientPrivateKeyJwtClient}.
         *
         * <p>The client reads {@code client_assertion_type} as its username parameter and
         * {@code client_assertion} as its password parameter, then delegates to
         * {@link OidcJwtAuthenticator}.
         * NOTE(review): the assertion travels in the password slot of the form credentials;
         * confirm that credential-level debug logging does not print it.
         *
         * @param oidcIssuerService bean qualified as {@code oidcIssuerService}
         * @param serviceFactory bean qualified as {@code webApplicationServiceFactory}
         * @param ticketRegistry bean qualified as {@code ticketRegistry}
         * @param servicesManager bean qualified as {@code servicesManager}
         * @param configurableApplicationContext application context
         * @param casConfigurationProperties CAS settings
         * @param auditableExecution bean qualified as {@code registeredServiceAccessStrategyEnforcer}
         * @return provider that creates and initializes the client; not registered when a bean
         *         named {@code oidcJwtClientProvider} already exists
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcJwtClientProvider")
        public OAuth20AuthenticationClientProvider oidcJwtClientProvider(
            @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService,
            @Qualifier("webApplicationServiceFactory") ServiceFactory<WebApplicationService> serviceFactory,
            @Qualifier("ticketRegistry") TicketRegistry ticketRegistry,
            @Qualifier("servicesManager") ServicesManager servicesManager,
            ConfigurableApplicationContext configurableApplicationContext,
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("registeredServiceAccessStrategyEnforcer") AuditableExecution auditableExecution) {
            return () -> {
                OidcJwtAuthenticator assertionAuthenticator = new OidcJwtAuthenticator(
                    oidcIssuerService, servicesManager, auditableExecution, ticketRegistry,
                    serviceFactory, casConfigurationProperties, configurableApplicationContext);
                DirectFormClient assertionClient = new DirectFormClient(assertionAuthenticator);
                assertionClient.setName("ClientPrivateKeyJwtClient");
                assertionClient.setUsernameParameter("client_assertion_type");
                assertionClient.setPasswordParameter("client_assertion");
                assertionClient.init();
                return assertionClient;
            };
        }

        /**
         * Access-token authenticator with no required scopes configured here.
         *
         * @param oAuth20TokenSigningAndEncryptionService bean qualified as {@code oidcTokenSigningAndEncryptionService}
         * @param jwtBuilder bean qualified as {@code accessTokenJwtBuilder}
         * @param ticketRegistry bean qualified as {@code ticketRegistry}
         * @param servicesManager bean qualified as {@code servicesManager}
         * @return an {@link OidcAccessTokenAuthenticator}; not registered when a bean named
         *         {@code oauthAccessTokenAuthenticator} already exists
         * @throws Exception declared by the original signature
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oauthAccessTokenAuthenticator")
        public Authenticator oauthAccessTokenAuthenticator(
            @Qualifier("oidcTokenSigningAndEncryptionService") OAuth20TokenSigningAndEncryptionService oAuth20TokenSigningAndEncryptionService,
            @Qualifier("accessTokenJwtBuilder") JwtBuilder jwtBuilder,
            @Qualifier("ticketRegistry") TicketRegistry ticketRegistry,
            @Qualifier("servicesManager") ServicesManager servicesManager) throws Exception {
            OidcAccessTokenAuthenticator tokenAuthenticator = new OidcAccessTokenAuthenticator(
                ticketRegistry, oAuth20TokenSigningAndEncryptionService, servicesManager, jwtBuilder);
            return tokenAuthenticator;
        }

        /**
         * Access-token authenticator for dynamic client registration.
         *
         * <p>Same construction as {@code oauthAccessTokenAuthenticator}, but the required
         * scopes are set to exactly {@code client_registration_scope}.
         *
         * @param oAuth20TokenSigningAndEncryptionService bean qualified as {@code oidcTokenSigningAndEncryptionService}
         * @param jwtBuilder bean qualified as {@code accessTokenJwtBuilder}
         * @param ticketRegistry bean qualified as {@code ticketRegistry}
         * @param servicesManager bean qualified as {@code servicesManager}
         * @return the scope-restricted authenticator; not registered when a bean named
         *         {@code oidcDynamicRegistrationAuthenticator} already exists
         * @throws Exception declared by the original signature
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcDynamicRegistrationAuthenticator")
        public Authenticator oidcDynamicRegistrationAuthenticator(
            @Qualifier("oidcTokenSigningAndEncryptionService") OAuth20TokenSigningAndEncryptionService oAuth20TokenSigningAndEncryptionService,
            @Qualifier("accessTokenJwtBuilder") JwtBuilder jwtBuilder,
            @Qualifier("ticketRegistry") TicketRegistry ticketRegistry,
            @Qualifier("servicesManager") ServicesManager servicesManager) throws Exception {
            OidcAccessTokenAuthenticator registrationAuthenticator = new OidcAccessTokenAuthenticator(
                ticketRegistry, oAuth20TokenSigningAndEncryptionService, servicesManager, jwtBuilder);
            registrationAuthenticator.setRequiredScopes(Set.of("client_registration_scope"));
            return registrationAuthenticator;
        }
    }

    /**
     * Consent-approval view wiring for OIDC.
     */
    @Configuration(value = "OidcConsentConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcConsentConfiguration {

        /**
         * Registers the OIDC consent-approval view resolver under the name
         * {@code consentApprovalViewResolver}; there is no {@code @ConditionalOnMissingBean} guard.
         *
         * @param oAuth20RequestParameterResolver bean qualified as {@code oauthRequestParameterResolver}
         * @param ticketRegistry bean qualified as {@code ticketRegistry}
         * @param ticketFactory bean qualified as {@code defaultTicketFactory}
         * @param sessionStore bean qualified as {@code oauthDistributedSessionStore}
         * @param casConfigurationProperties CAS settings
         * @return an {@link OidcConsentApprovalViewResolver}
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public ConsentApprovalViewResolver consentApprovalViewResolver(
            @Qualifier("oauthRequestParameterResolver") OAuth20RequestParameterResolver oAuth20RequestParameterResolver,
            @Qualifier("ticketRegistry") TicketRegistry ticketRegistry,
            @Qualifier("defaultTicketFactory") TicketFactory ticketFactory,
            @Qualifier("oauthDistributedSessionStore") SessionStore sessionStore,
            CasConfigurationProperties casConfigurationProperties) {
            OidcConsentApprovalViewResolver consentResolver = new OidcConsentApprovalViewResolver(
                casConfigurationProperties, sessionStore, ticketRegistry, ticketFactory,
                oAuth20RequestParameterResolver);
            return consentResolver;
        }
    }

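    /**
     * Assembles the shared {@link OidcConfigurationContext} from the individual OIDC/OAuth beans.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "OidcContextConfiguration", proxyBeanMethods = false)
    public static class OidcContextConfiguration {

        /**
         * Builds the configuration context by passing every injected collaborator to the
         * matching builder setter. Parameters carrying a {@code @Qualifier} are resolved by that
         * bean name; the remaining ones are resolved by type.
         *
         * <p>The client-id and client-secret generators are not injected: both are fresh
         * {@link DefaultRandomStringGenerator} instances created here.
         *
         * @return the assembled context; not registered when a bean named
         *         {@code oidcConfigurationContext} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcConfigurationContext"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public OidcConfigurationContext oidcConfigurationContext(
            @Qualifier("oauth20ClientSecretValidator") OAuth20ClientSecretValidator oAuth20ClientSecretValidator,
            @Qualifier("oidcIdTokenGenerator") IdTokenGeneratorService idTokenGeneratorService,
            @Qualifier("oidcIdTokenExpirationPolicy") ExpirationPolicyBuilder expirationPolicyBuilder,
            @Qualifier("oidcUserProfileViewRenderer") OAuth20UserProfileViewRenderer oAuth20UserProfileViewRenderer,
            @Qualifier("oidcIdTokenClaimCollector") OidcIdTokenClaimCollector oidcIdTokenClaimCollector,
            @Qualifier("callbackAuthorizeViewResolver") OAuth20CallbackAuthorizeViewResolver oAuth20CallbackAuthorizeViewResolver,
            @Qualifier("oauthInvalidAuthorizationBuilder") OAuth20InvalidAuthorizationResponseBuilder oAuth20InvalidAuthorizationResponseBuilder,
            @Qualifier("oidcUserProfileDataCreator") OAuth20UserProfileDataCreator oAuth20UserProfileDataCreator,
            @Qualifier("oidcTokenSigningAndEncryptionService") OAuth20TokenSigningAndEncryptionService oAuth20TokenSigningAndEncryptionService,
            @Qualifier("singleLogoutServiceLogoutUrlBuilder") SingleLogoutServiceLogoutUrlBuilder singleLogoutServiceLogoutUrlBuilder,
            @Qualifier("oauthTokenGenerator") OAuth20TokenGenerator oAuth20TokenGenerator,
            @Qualifier("oauthCasAuthenticationBuilder") OAuth20CasAuthenticationBuilder oAuth20CasAuthenticationBuilder,
            @Qualifier("profileScopeToAttributesFilter") OAuth20ProfileScopeToAttributesFilter oAuth20ProfileScopeToAttributesFilter,
            @Qualifier("oidcRequestSupport") OidcRequestSupport oidcRequestSupport,
            ObjectProvider<List<OAuth20AuthorizationRequestValidator>> objectProvider,
            @Qualifier("oauthRegisteredServiceCipherExecutor") CipherExecutor cipherExecutor,
            @Qualifier("consentApprovalViewResolver") ConsentApprovalViewResolver consentApprovalViewResolver,
            @Qualifier("oidcAttributeToScopeClaimMapper") OidcAttributeToScopeClaimMapper oidcAttributeToScopeClaimMapper,
            @Qualifier("accessTokenJwtBuilder") JwtBuilder jwtBuilder,
            @Qualifier("deviceTokenExpirationPolicy") ExpirationPolicyBuilder expirationPolicyBuilder2,
            @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService,
            ObjectProvider<List<OAuth20AuthorizationResponseBuilder>> objectProvider2,
            @Qualifier("centralAuthenticationService") CentralAuthenticationService centralAuthenticationService,
            @Qualifier("oauthDistributedSessionCookieGenerator") CasCookieBuilder casCookieBuilder,
            @Qualifier("oauthDistributedSessionStore") SessionStore sessionStore,
            @Qualifier("clientRegistrationRequestSerializer") StringSerializer<OidcClientRegistrationRequest> stringSerializer,
            @Qualifier("webApplicationServiceFactory") ServiceFactory<WebApplicationService> serviceFactory,
            @Qualifier("ticketGrantingTicketCookieGenerator") CasCookieBuilder casCookieBuilder2,
            ObjectProvider<List<OAuth20TokenRequestValidator>> objectProvider3,
            @Qualifier("oauthSecConfig") Config config,
            @Qualifier("oidcAccessTokenResponseGenerator") OAuth20AccessTokenResponseGenerator oAuth20AccessTokenResponseGenerator,
            @Qualifier("ticketRegistry") TicketRegistry ticketRegistry,
            @Qualifier("servicesManager") ServicesManager servicesManager,
            @Qualifier("defaultTicketFactory") TicketFactory ticketFactory,
            @Qualifier("oidcPrincipalFactory") PrincipalFactory principalFactory,
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("oidcServerDiscoverySettingsFactory") OidcServerDiscoverySettings oidcServerDiscoverySettings,
            @Qualifier("oauthRequestParameterResolver") OAuth20RequestParameterResolver oAuth20RequestParameterResolver,
            ConfigurableApplicationContext configurableApplicationContext,
            @Qualifier("registeredServiceAccessStrategyEnforcer") AuditableExecution auditableExecution) {
            return OidcConfigurationContext.builder()
                .discoverySettings(oidcServerDiscoverySettings)
                .requestParameterResolver(oAuth20RequestParameterResolver)
                .issuerService(oidcIssuerService)
                .ticketFactory(ticketFactory)
                .idTokenClaimCollector(oidcIdTokenClaimCollector)
                .idTokenGeneratorService(idTokenGeneratorService)
                .idTokenExpirationPolicy(expirationPolicyBuilder)
                .oidcRequestSupport(oidcRequestSupport)
                .attributeToScopeClaimMapper(oidcAttributeToScopeClaimMapper)
                .applicationContext(configurableApplicationContext)
                .registeredServiceCipherExecutor(cipherExecutor)
                .sessionStore(sessionStore)
                .servicesManager(servicesManager)
                .ticketRegistry(ticketRegistry)
                .clientRegistrationRequestSerializer(stringSerializer)
                // NOTE(review): client secrets for registered clients presumably come from this
                // generator type; confirm it draws from a CSPRNG and that its default length is
                // adequate for a secret, not only for an identifier.
                .clientIdGenerator(new DefaultRandomStringGenerator())
                .clientSecretGenerator(new DefaultRandomStringGenerator())
                .principalFactory(principalFactory)
                .webApplicationServiceServiceFactory(serviceFactory)
                .casProperties(casConfigurationProperties)
                // Two distinct cookie builders: casCookieBuilder2 is the TGT cookie generator,
                // casCookieBuilder the OAuth distributed-session cookie generator.
                .ticketGrantingTicketCookieGenerator(casCookieBuilder2)
                .oauthDistributedSessionCookieGenerator(casCookieBuilder)
                .oauthConfig(config)
                .registeredServiceAccessStrategyEnforcer(auditableExecution)
                .centralAuthenticationService(centralAuthenticationService)
                .callbackAuthorizeViewResolver(oAuth20CallbackAuthorizeViewResolver)
                .profileScopeToAttributesFilter(oAuth20ProfileScopeToAttributesFilter)
                .accessTokenGenerator(oAuth20TokenGenerator)
                .accessTokenResponseGenerator(oAuth20AccessTokenResponseGenerator)
                // expirationPolicyBuilder2 is the bean qualified as deviceTokenExpirationPolicy.
                .deviceTokenExpirationPolicy(expirationPolicyBuilder2)
                .accessTokenGrantRequestValidators(objectProvider3)
                .userProfileDataCreator(oAuth20UserProfileDataCreator)
                .userProfileViewRenderer(oAuth20UserProfileViewRenderer)
                .consentApprovalViewResolver(consentApprovalViewResolver)
                .authenticationBuilder(oAuth20CasAuthenticationBuilder)
                .oauthAuthorizationResponseBuilders(objectProvider2)
                .oauthInvalidAuthorizationResponseBuilder(oAuth20InvalidAuthorizationResponseBuilder)
                .oauthRequestValidators(objectProvider)
                .singleLogoutServiceLogoutUrlBuilder(singleLogoutServiceLogoutUrlBuilder)
                .idTokenSigningAndEncryptionService(oAuth20TokenSigningAndEncryptionService)
                .accessTokenJwtBuilder(jwtBuilder)
                .clientSecretValidator(oAuth20ClientSecretValidator)
                .build();
        }
    }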

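    /**
     * Core OIDC beans: issuer, claim mapping, principal factory, discovery and webfinger.
     * Ordered with {@code Integer.MIN_VALUE}, the highest-precedence order value.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "OidcCoreConfiguration", proxyBeanMethods = false)
    @AutoConfigureOrder(Integer.MIN_VALUE)
    public static class OidcCoreConfiguration {

        /**
         * Chooses the webfinger user-info repository from configuration.
         *
         * <p>Selection order: a Groovy script when its location is set, otherwise a REST
         * repository when its URL is non-blank, otherwise the echoing repository. The echoing
         * fallback is announced at WARN rather than INFO, because the message itself says the
         * repository is not appropriate for production and an INFO line is dropped by a
         * WARN-level logging threshold.
         *
         * @param casConfigurationProperties CAS settings holding the webfinger user-info options
         * @return the selected repository; not registered when a bean named
         *         {@code oidcWebFingerUserInfoRepository} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcWebFingerUserInfoRepository"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public OidcWebFingerUserInfoRepository oidcWebFingerUserInfoRepository(CasConfigurationProperties casConfigurationProperties) {
            OidcWebFingerProperties.UserInfoRepository userInfo =
                casConfigurationProperties.getAuthn().getOidc().getWebfinger().getUserInfo();
            if (userInfo.getGroovy().getLocation() != null) {
                return new OidcGroovyWebFingerUserInfoRepository(userInfo.getGroovy().getLocation());
            } else if (StringUtils.isNotBlank(userInfo.getRest().getUrl())) {
                return new OidcRestfulWebFingerUserInfoRepository(userInfo.getRest());
            } else {
                // Nothing configured: fall back to the echo repository and make that visible.
                OidcConfiguration.LOGGER.warn("Using [{}] to locate webfinger resources, which is NOT appropriate for production purposes, as it will always echo back the given username/email address and is only useful for testing/demo purposes. Consider choosing and configuring a different repository implementation for locating and fetching user information for webfinger resources, etc.", OidcEchoingWebFingerUserInfoRepository.class.getSimpleName());
                return new OidcEchoingWebFingerUserInfoRepository();
            }
        }

        /**
         * Registers the CAS callback URL resolver for OIDC.
         *
         * <p>NOTE(review): the guard checks for a bean named {@code oidcCasCallbackUrlResolver},
         * while this method registers {@code casCallbackUrlResolver}; confirm the name difference
         * is intended.
         *
         * @param oAuth20RequestParameterResolver bean qualified as {@code oauthRequestParameterResolver}
         * @param casConfigurationProperties CAS settings
         * @return an {@link OidcCasCallbackUrlResolver}
         */
        @ConditionalOnMissingBean(name = {"oidcCasCallbackUrlResolver"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public UrlResolver casCallbackUrlResolver(
            @Qualifier("oauthRequestParameterResolver") OAuth20RequestParameterResolver oAuth20RequestParameterResolver,
            CasConfigurationProperties casConfigurationProperties) {
            return new OidcCasCallbackUrlResolver(casConfigurationProperties, oAuth20RequestParameterResolver);
        }

        /**
         * Registers the default ID-token claim collector.
         *
         * @return {@code OidcIdTokenClaimCollector.defaultCollector()}; not registered when a
         *         bean named {@code oidcIdTokenClaimCollector} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcIdTokenClaimCollector"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public OidcIdTokenClaimCollector oidcIdTokenClaimCollector() {
            return OidcIdTokenClaimCollector.defaultCollector();
        }

        /**
         * Registers the issuer service built from the OIDC section of the CAS settings.
         *
         * @param casConfigurationProperties CAS settings
         * @return an {@link OidcDefaultIssuerService}; not registered when a bean named
         *         {@code oidcIssuerService} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcIssuerService"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public OidcIssuerService oidcIssuerService(CasConfigurationProperties casConfigurationProperties) {
            return new OidcDefaultIssuerService(casConfigurationProperties.getAuthn().getOidc());
        }

        /**
         * Registers the principal factory used by the OIDC beans.
         *
         * @return the factory from {@code PrincipalFactoryUtils.newPrincipalFactory()}; not
         *         registered when a bean named {@code oidcPrincipalFactory} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcPrincipalFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public PrincipalFactory oidcPrincipalFactory() {
            return PrincipalFactoryUtils.newPrincipalFactory();
        }

        /**
         * Registers the attribute-to-claim mapper seeded with the configured claims map.
         *
         * @param casConfigurationProperties CAS settings holding the OIDC core claims map
         * @return an {@link OidcDefaultAttributeToScopeClaimMapper}; not registered when a bean
         *         named {@code oidcAttributeToScopeClaimMapper} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcAttributeToScopeClaimMapper"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public OidcAttributeToScopeClaimMapper oidcAttributeToScopeClaimMapper(CasConfigurationProperties casConfigurationProperties) {
            return new OidcDefaultAttributeToScopeClaimMapper(
                casConfigurationProperties.getAuthn().getOidc().getCore().getClaimsMap());
        }

        /**
         * Registers the factory that produces attribute release policies for OIDC.
         *
         * @param casConfigurationProperties CAS settings
         * @return a {@link DefaultOidcAttributeReleasePolicyFactory}; not registered when a bean
         *         named {@code oidcAttributeReleasePolicyFactory} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcAttributeReleasePolicyFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public OidcAttributeReleasePolicyFactory oidcAttributeReleasePolicyFactory(CasConfigurationProperties casConfigurationProperties) {
            return new DefaultOidcAttributeReleasePolicyFactory(casConfigurationProperties);
        }

        /**
         * Registers the registered-service locator for OIDC services.
         *
         * @param casConfigurationProperties CAS settings
         * @return an {@link OidcServicesManagerRegisteredServiceLocator}; not registered when a
         *         bean named {@code oidcServicesManagerRegisteredServiceLocator} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcServicesManagerRegisteredServiceLocator"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public ServicesManagerRegisteredServiceLocator oidcServicesManagerRegisteredServiceLocator(CasConfigurationProperties casConfigurationProperties) {
            return new OidcServicesManagerRegisteredServiceLocator(casConfigurationProperties);
        }

        /**
         * Registers the serializer for client registration requests.
         *
         * @return an {@link OidcClientRegistrationRequestSerializer}; not registered when a bean
         *         named {@code clientRegistrationRequestSerializer} already exists
         */
        @ConditionalOnMissingBean(name = {"clientRegistrationRequestSerializer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public StringSerializer<OidcClientRegistrationRequest> clientRegistrationRequestSerializer() {
            return new OidcClientRegistrationRequestSerializer();
        }

        /**
         * Registers the OIDC authorization model-and-view builder under the name
         * {@code oauthAuthorizationModelAndViewBuilder}; there is no
         * {@code @ConditionalOnMissingBean} guard.
         *
         * @param casConfigurationProperties CAS settings
         * @param oidcIssuerService bean qualified as {@code oidcIssuerService}
         * @return an {@link OidcAuthorizationModelAndViewBuilder}
         */
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public OAuth20AuthorizationModelAndViewBuilder oauthAuthorizationModelAndViewBuilder(
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService) {
            return new OidcAuthorizationModelAndViewBuilder(oidcIssuerService, casConfigurationProperties);
        }

        /**
         * Registers the factory bean that yields the server discovery settings.
         *
         * @param oidcIssuerService bean qualified as {@code oidcIssuerService}
         * @param configurableApplicationContext application context
         * @param casConfigurationProperties CAS settings
         * @return an {@link OidcServerDiscoverySettingsFactory}; not registered when a bean named
         *         {@code oidcServerDiscoverySettingsFactory} already exists
         */
        @ConditionalOnMissingBean(name = {"oidcServerDiscoverySettingsFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public FactoryBean<OidcServerDiscoverySettings> oidcServerDiscoverySettingsFactory(
            @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService,
            ConfigurableApplicationContext configurableApplicationContext,
            CasConfigurationProperties casConfigurationProperties) {
            return new OidcServerDiscoverySettingsFactory(
                casConfigurationProperties, oidcIssuerService, configurableApplicationContext);
        }
    }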

    /**
     * Cipher executors that sign/encrypt JWT access tokens using cached JSON Web Key Sets.
     */
    @Configuration(value = "OidcCryptoConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcCryptoConfiguration {

        /**
         * Registers the per-service cipher executor for JWT access tokens.
         *
         * <p>Argument order matters: the constructor receives the default keystore cache
         * ({@code loadingCache2}) first and the service keystore cache ({@code loadingCache})
         * second, which is the reverse of the parameter order on this method.
         *
         * @param loadingCache bean qualified as {@code oidcServiceJsonWebKeystoreCache}
         * @param oidcIssuerService bean qualified as {@code oidcIssuerService}
         * @param loadingCache2 bean qualified as {@code oidcDefaultJsonWebKeystoreCache}
         * @return an {@link OidcRegisteredServiceJwtAccessTokenCipherExecutor}; not registered
         *         when a bean named {@code oidcRegisteredServiceJwtAccessTokenCipherExecutor}
         *         already exists
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcRegisteredServiceJwtAccessTokenCipherExecutor")
        public RegisteredServiceCipherExecutor oidcRegisteredServiceJwtAccessTokenCipherExecutor(
            @Qualifier("oidcServiceJsonWebKeystoreCache") LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache,
            @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService,
            @Qualifier("oidcDefaultJsonWebKeystoreCache") LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache2) {
            OidcRegisteredServiceJwtAccessTokenCipherExecutor serviceCipher =
                new OidcRegisteredServiceJwtAccessTokenCipherExecutor(loadingCache2, loadingCache, oidcIssuerService);
            return serviceCipher;
        }

        /**
         * Registers the server-wide cipher executor for JWT access tokens, backed by the
         * default keystore cache only.
         *
         * @param oidcIssuerService bean qualified as {@code oidcIssuerService}
         * @param loadingCache bean qualified as {@code oidcDefaultJsonWebKeystoreCache}
         * @return an {@link OidcJwtAccessTokenCipherExecutor}; not registered when a bean named
         *         {@code oidcAccessTokenJwtCipherExecutor} already exists
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcAccessTokenJwtCipherExecutor")
        public CipherExecutor<Serializable, String> oidcAccessTokenJwtCipherExecutor(
            @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService,
            @Qualifier("oidcDefaultJsonWebKeystoreCache") LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache) {
            OidcJwtAccessTokenCipherExecutor defaultCipher =
                new OidcJwtAccessTokenCipherExecutor(loadingCache, oidcIssuerService);
            return defaultCipher;
        }
    }

    /**
     * JWT builder wiring for access tokens.
     */
    @Configuration(value = "OidcJwtConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcJwtConfiguration {

        /**
         * Registers the access-token JWT builder under the name {@code accessTokenJwtBuilder}.
         *
         * <p>NOTE(review): the guard checks for a bean named {@code oidcAccessTokenJwtBuilder},
         * not for the name this method registers; confirm the difference is intended, since a
         * replacement bean must use the guarded name to suppress this one.
         *
         * @param casConfigurationProperties CAS settings
         * @param cipherExecutor bean qualified as {@code oidcAccessTokenJwtCipherExecutor}
         * @param registeredServiceCipherExecutor bean qualified as
         *        {@code oidcRegisteredServiceJwtAccessTokenCipherExecutor}
         * @param servicesManager bean qualified as {@code servicesManager}
         * @return an {@link OAuth20JwtBuilder}
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcAccessTokenJwtBuilder")
        public JwtBuilder accessTokenJwtBuilder(
            CasConfigurationProperties casConfigurationProperties,
            @Qualifier("oidcAccessTokenJwtCipherExecutor") CipherExecutor<Serializable, String> cipherExecutor,
            @Qualifier("oidcRegisteredServiceJwtAccessTokenCipherExecutor") RegisteredServiceCipherExecutor registeredServiceCipherExecutor,
            @Qualifier("servicesManager") ServicesManager servicesManager) {
            OAuth20JwtBuilder tokenBuilder = new OAuth20JwtBuilder(
                cipherExecutor, servicesManager, registeredServiceCipherExecutor, casConfigurationProperties);
            return tokenBuilder;
        }
    }

    /**
     * Declares the request-support, callback view-resolver and redirect-action-builder beans.
     */
    @Configuration(value = "OidcRedirectConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcRedirectConfiguration {

        /**
         * Creates {@code OidcRequestSupport} from the ticket-granting-ticket cookie builder and
         * the ticket registry support.
         *
         * @param casCookieBuilder      bean {@code ticketGrantingTicketCookieGenerator}
         * @param ticketRegistrySupport bean {@code defaultTicketRegistrySupport}
         * @return the request support helper
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcRequestSupport")
        public OidcRequestSupport oidcRequestSupport(
                @Qualifier("ticketGrantingTicketCookieGenerator") CasCookieBuilder casCookieBuilder,
                @Qualifier("defaultTicketRegistrySupport") TicketRegistrySupport ticketRegistrySupport) {
            final OidcRequestSupport requestSupport = new OidcRequestSupport(casCookieBuilder, ticketRegistrySupport);
            return requestSupport;
        }

        /**
         * Creates the {@code OidcCallbackAuthorizeViewResolver} exposed as
         * {@code callbackAuthorizeViewResolver}.
         *
         * <p>There is no {@code @ConditionalOnMissingBean} guard on this method.
         * NOTE(review): presumably intentional, so the OIDC resolver takes the place of an
         * OAuth-module bean with the same name - confirm.
         *
         * @param oAuth20RequestParameterResolver         bean {@code oauthRequestParameterResolver}
         * @param oAuth20AuthorizationModelAndViewBuilder bean
         *                                                {@code oauthAuthorizationModelAndViewBuilder}
         * @param servicesManager                         the services manager
         * @return the view resolver
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public OAuth20CallbackAuthorizeViewResolver callbackAuthorizeViewResolver(
                @Qualifier("oauthRequestParameterResolver") OAuth20RequestParameterResolver oAuth20RequestParameterResolver,
                @Qualifier("oauthAuthorizationModelAndViewBuilder")
                        OAuth20AuthorizationModelAndViewBuilder oAuth20AuthorizationModelAndViewBuilder,
                @Qualifier("servicesManager") ServicesManager servicesManager) {
            final OAuth20CallbackAuthorizeViewResolver viewResolver = new OidcCallbackAuthorizeViewResolver(
                    servicesManager,
                    oAuth20AuthorizationModelAndViewBuilder,
                    oAuth20RequestParameterResolver);
            return viewResolver;
        }

        /**
         * Creates the redirect action builder registered as
         * {@code oidcCasClientRedirectActionBuilder}; replaceable by a bean of the same name.
         *
         * @param oAuth20RequestParameterResolver bean {@code oauthRequestParameterResolver}
         * @param oidcRequestSupport              bean {@code oidcRequestSupport}
         * @return the redirect action builder
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcCasClientRedirectActionBuilder")
        public OAuth20CasClientRedirectActionBuilder oidcCasClientRedirectActionBuilder(
                @Qualifier("oauthRequestParameterResolver") OAuth20RequestParameterResolver oAuth20RequestParameterResolver,
                @Qualifier("oidcRequestSupport") OidcRequestSupport oidcRequestSupport) {
            return newRedirectActionBuilder(oidcRequestSupport, oAuth20RequestParameterResolver);
        }

        /**
         * Creates a second, identically constructed redirect action builder under the name
         * {@code oauthCasClientRedirectActionBuilder}.
         *
         * <p>Unlike its sibling this method carries no {@code @ConditionalOnMissingBean}.
         * NOTE(review): presumably so the OIDC builder is also used wherever the OAuth module
         * asks for {@code oauthCasClientRedirectActionBuilder} - confirm.
         *
         * @param oAuth20RequestParameterResolver bean {@code oauthRequestParameterResolver}
         * @param oidcRequestSupport              bean {@code oidcRequestSupport}
         * @return the redirect action builder
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public OAuth20CasClientRedirectActionBuilder oauthCasClientRedirectActionBuilder(
                @Qualifier("oauthRequestParameterResolver") OAuth20RequestParameterResolver oAuth20RequestParameterResolver,
                @Qualifier("oidcRequestSupport") OidcRequestSupport oidcRequestSupport) {
            return newRedirectActionBuilder(oidcRequestSupport, oAuth20RequestParameterResolver);
        }

        /** Shared construction for both redirect-action-builder beans; each call yields a new instance. */
        private static OAuth20CasClientRedirectActionBuilder newRedirectActionBuilder(
                OidcRequestSupport requestSupport,
                OAuth20RequestParameterResolver parameterResolver) {
            return new OidcCasClientRedirectActionBuilder(requestSupport, parameterResolver);
        }
    }

    /**
     * Declares the service-registry listener contributed by the OIDC module.
     */
    @Configuration(value = "OidcServicesConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcServicesConfiguration {

        /**
         * Creates an {@code OidcServiceRegistryListener} backed by the attribute release policy
         * factory. A bean named {@code oidcServiceRegistryListener} defined elsewhere takes
         * precedence over this one.
         *
         * <p>NOTE(review): the listener presumably adjusts attribute release policies of
         * registered services as they are loaded; that logic is in the listener class, not
         * here - verify there before relying on it for claim filtering.
         *
         * @param oidcAttributeReleasePolicyFactory bean {@code oidcAttributeReleasePolicyFactory}
         * @return the listener
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcServiceRegistryListener")
        public ServiceRegistryListener oidcServiceRegistryListener(
                @Qualifier("oidcAttributeReleasePolicyFactory")
                        OidcAttributeReleasePolicyFactory oidcAttributeReleasePolicyFactory) {
            final ServiceRegistryListener listener = new OidcServiceRegistryListener(oidcAttributeReleasePolicyFactory);
            return listener;
        }
    }

    /**
     * Declares the beans that create pushed-authorization-request tickets: expiration policy,
     * id generator, factory and the configurer that contributes the factory to the ticket
     * factory plan.
     */
    @Configuration(value = "OidcTicketFactoryPlanConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcTicketFactoryPlanConfiguration {

        /**
         * Creates the expiration policy builder for pushed authorization requests from the CAS
         * configuration properties.
         *
         * @param casConfigurationProperties CAS settings read by the policy builder
         * @return the expiration policy builder
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "pushedAuthorizationUriExpirationPolicy")
        public ExpirationPolicyBuilder pushedAuthorizationUriExpirationPolicy(
                CasConfigurationProperties casConfigurationProperties) {
            final ExpirationPolicyBuilder policyBuilder =
                    new OidcPushedAuthorizationRequestExpirationPolicyBuilder(casConfigurationProperties);
            return policyBuilder;
        }

        /**
         * Creates the id generator used for pushed authorization request tickets.
         *
         * <p>NOTE(review): the generated id presumably becomes part of the request URI handed
         * back to the client, so it needs to be hard to guess. Whether it is depends on
         * {@code DefaultUniqueTicketIdGenerator}, which is not shown here - verify, and keep
         * that property in any replacement bean.
         *
         * @return a new {@code DefaultUniqueTicketIdGenerator}
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "pushedAuthorizationIdGenerator")
        public UniqueTicketIdGenerator pushedAuthorizationIdGenerator() {
            final UniqueTicketIdGenerator idGenerator = new DefaultUniqueTicketIdGenerator();
            return idGenerator;
        }

        /**
         * Creates the factory for pushed authorization requests from the id generator and the
         * expiration policy builder.
         *
         * @param expirationPolicyBuilder bean {@code pushedAuthorizationUriExpirationPolicy}
         * @param uniqueTicketIdGenerator bean {@code pushedAuthorizationIdGenerator}
         * @return the request factory
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcPushedAuthorizationUriFactory")
        public OidcPushedAuthorizationRequestFactory oidcPushedAuthorizationUriFactory(
                @Qualifier("pushedAuthorizationUriExpirationPolicy") ExpirationPolicyBuilder expirationPolicyBuilder,
                @Qualifier("pushedAuthorizationIdGenerator") UniqueTicketIdGenerator uniqueTicketIdGenerator) {
            final OidcPushedAuthorizationRequestFactory requestFactory =
                    new OidcDefaultPushedAuthorizationRequestFactory(uniqueTicketIdGenerator, expirationPolicyBuilder);
            return requestFactory;
        }

        /**
         * Creates the configurer that returns the pushed authorization request factory whenever
         * the ticket factory plan asks for it.
         *
         * @param oidcPushedAuthorizationRequestFactory bean {@code oidcPushedAuthorizationUriFactory}
         * @return a configurer yielding the given factory
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcPushedAuthorizationUriFactoryConfigurer")
        public TicketFactoryExecutionPlanConfigurer oidcPushedAuthorizationUriFactoryConfigurer(
                @Qualifier("oidcPushedAuthorizationUriFactory")
                        OidcPushedAuthorizationRequestFactory oidcPushedAuthorizationRequestFactory) {
            return () -> oidcPushedAuthorizationRequestFactory;
        }
    }

    /**
     * Declares the signing-and-encryption services for ID tokens and for user-profile
     * responses.
     *
     * <p>Both bean methods receive two caches of the same generic type. The compiler cannot
     * tell them apart, so each method aliases them to descriptive locals before calling the
     * constructor: the default keystore cache goes first, the per-service keystore cache second.
     */
    @Configuration(value = "OidcTokenServiceConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcTokenServiceConfiguration {

        /**
         * Creates the {@code OidcIdTokenSigningAndEncryptionService}.
         *
         * @param factoryBean       factory yielding the server discovery settings
         * @param loadingCache      bean {@code oidcServiceJsonWebKeystoreCache}
         * @param oidcIssuerService bean {@code oidcIssuerService}
         * @param loadingCache2     bean {@code oidcDefaultJsonWebKeystoreCache}
         * @return the ID token signing and encryption service
         * @throws Exception if the discovery settings cannot be obtained from the factory
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcTokenSigningAndEncryptionService")
        public OAuth20TokenSigningAndEncryptionService oidcTokenSigningAndEncryptionService(
                @Qualifier("oidcServerDiscoverySettingsFactory") FactoryBean<OidcServerDiscoverySettings> factoryBean,
                @Qualifier("oidcServiceJsonWebKeystoreCache")
                        LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache,
                @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService,
                @Qualifier("oidcDefaultJsonWebKeystoreCache")
                        LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache2) throws Exception {
            final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> defaultKeystoreCache = loadingCache2;
            final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> serviceKeystoreCache = loadingCache;
            final OidcServerDiscoverySettings discoverySettings = factoryBean.getObject();
            return new OidcIdTokenSigningAndEncryptionService(
                    defaultKeystoreCache,
                    serviceKeystoreCache,
                    oidcIssuerService,
                    discoverySettings);
        }

        /**
         * Creates the {@code OidcUserProfileSigningAndEncryptionService}.
         *
         * @param factoryBean       factory yielding the server discovery settings
         * @param loadingCache      bean {@code oidcServiceJsonWebKeystoreCache}
         * @param oidcIssuerService bean {@code oidcIssuerService}
         * @param loadingCache2     bean {@code oidcDefaultJsonWebKeystoreCache}
         * @return the user-profile signing and encryption service
         * @throws Exception if the discovery settings cannot be obtained from the factory
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcUserProfileSigningAndEncryptionService")
        public OAuth20TokenSigningAndEncryptionService oidcUserProfileSigningAndEncryptionService(
                @Qualifier("oidcServerDiscoverySettingsFactory") FactoryBean<OidcServerDiscoverySettings> factoryBean,
                @Qualifier("oidcServiceJsonWebKeystoreCache")
                        LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache,
                @Qualifier("oidcIssuerService") OidcIssuerService oidcIssuerService,
                @Qualifier("oidcDefaultJsonWebKeystoreCache")
                        LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache2) throws Exception {
            final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> defaultKeystoreCache = loadingCache2;
            final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> serviceKeystoreCache = loadingCache;
            final OidcServerDiscoverySettings discoverySettings = factoryBean.getObject();
            return new OidcUserProfileSigningAndEncryptionService(
                    defaultKeystoreCache,
                    serviceKeystoreCache,
                    oidcIssuerService,
                    discoverySettings);
        }
    }

    /**
     * Declares the beans that render and assemble user-profile data.
     */
    @Configuration(value = "OidcUserProfileConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcUserProfileConfiguration {

        /**
         * Creates the {@code OidcUserProfileViewRenderer} from the OAuth section of the CAS
         * properties, the services manager and the user-profile signing/encryption service.
         *
         * @param oAuth20TokenSigningAndEncryptionService bean
         *                                                {@code oidcUserProfileSigningAndEncryptionService}
         * @param servicesManager                         the services manager
         * @param casConfigurationProperties              CAS settings; only
         *                                                {@code getAuthn().getOauth()} is read here
         * @return the view renderer
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcUserProfileViewRenderer")
        public OAuth20UserProfileViewRenderer oidcUserProfileViewRenderer(
                @Qualifier("oidcUserProfileSigningAndEncryptionService")
                        OAuth20TokenSigningAndEncryptionService oAuth20TokenSigningAndEncryptionService,
                @Qualifier("servicesManager") ServicesManager servicesManager,
                CasConfigurationProperties casConfigurationProperties) {
            final OAuth20UserProfileViewRenderer renderer = new OidcUserProfileViewRenderer(
                    casConfigurationProperties.getAuthn().getOauth(),
                    servicesManager,
                    oAuth20TokenSigningAndEncryptionService);
            return renderer;
        }

        /**
         * Creates the {@code OidcUserProfileDataCreator}.
         *
         * <p>The creator is handed an {@code ObjectProvider} rather than the configuration
         * context itself, so looking up the context is left to the creator.
         *
         * @param objectProvider provider for the bean {@code oidcConfigurationContext}
         * @return the user-profile data creator
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcUserProfileDataCreator")
        public OAuth20UserProfileDataCreator oidcUserProfileDataCreator(
                @Qualifier("oidcConfigurationContext") ObjectProvider<OidcConfigurationContext> objectProvider) {
            final OAuth20UserProfileDataCreator dataCreator = new OidcUserProfileDataCreator(objectProvider);
            return dataCreator;
        }
    }

    /**
     * Declares the client-secret validator, the authorization security logic and the
     * interceptor that enforces authentication.
     *
     * <p>None of the three bean methods carries {@code @ConditionalOnMissingBean}.
     */
    @Configuration(value = "OidcWebConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcWebConfiguration {

        /**
         * Creates the {@code OidcClientSecretValidator}.
         *
         * @param cipherExecutor bean {@code oauthRegisteredServiceCipherExecutor}; NOTE(review):
         *                       presumably used to decode stored client secrets before they
         *                       are compared - confirm in the validator class
         * @return the client secret validator
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public OAuth20ClientSecretValidator oauth20ClientSecretValidator(
                @Qualifier("oauthRegisteredServiceCipherExecutor") CipherExecutor cipherExecutor) {
            final OAuth20ClientSecretValidator validator = new OidcClientSecretValidator(cipherExecutor);
            return validator;
        }

        /**
         * Creates the security logic later plugged into the authorize interceptor.
         *
         * @param oAuth20RequestParameterResolver bean {@code oauthRequestParameterResolver}
         * @param casCookieBuilder                bean {@code ticketGrantingTicketCookieGenerator}
         * @param ticketRegistry                  bean {@code ticketRegistry}
         * @return the security logic
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public SecurityLogic oidcAuthorizationSecurityLogic(
                @Qualifier("oauthRequestParameterResolver") OAuth20RequestParameterResolver oAuth20RequestParameterResolver,
                @Qualifier("ticketGrantingTicketCookieGenerator") CasCookieBuilder casCookieBuilder,
                @Qualifier("ticketRegistry") TicketRegistry ticketRegistry) {
            final SecurityLogic logic = new OidcAuthenticationAuthorizeSecurityLogic(
                    casCookieBuilder,
                    ticketRegistry,
                    oAuth20RequestParameterResolver);
            return logic;
        }

        /**
         * Assembles the {@code SecurityInterceptor} that requires an authenticated user.
         *
         * <p>Which request paths the interceptor is attached to is decided elsewhere. Client,
         * matcher and authorizer are all selected by name, so a misspelt literal is not caught
         * at compile time.
         *
         * @param securityLogic bean {@code oidcAuthorizationSecurityLogic}
         * @param config        bean {@code oauthSecConfig}
         * @return the configured interceptor
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        public HandlerInterceptor requiresAuthenticationAuthorizeInterceptor(
                @Qualifier("oidcAuthorizationSecurityLogic") SecurityLogic securityLogic,
                @Qualifier("oauthSecConfig") Config config) {
            // The client name has to match a client known to the supplied config.
            final SecurityInterceptor interceptor =
                    new SecurityInterceptor(config, "CasOAuthClient", JEEHttpActionAdapter.INSTANCE);
            // NOTE(review): only this one matcher is named; naming matchers explicitly
            // presumably replaces the library defaults, so no CSRF matcher would apply on
            // this path - confirm that is intended.
            interceptor.setMatchers("securityheaders");
            // NOTE(review): presumably the built-in authorizer that rejects anonymous and
            // remember-me profiles - confirm against the pac4j version in use.
            interceptor.setAuthorizers("isFullyAuthenticated");
            interceptor.setSecurityLogic(securityLogic);
            return interceptor;
        }
    }

    /**
     * Declares the WebFinger discovery service bean.
     */
    @Configuration(value = "OidcWebFingerConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    public static class OidcWebFingerConfiguration {

        /**
         * Creates the {@code OidcWebFingerDiscoveryService} from the user-info repository and
         * the server discovery settings.
         *
         * <p>NOTE(review): WebFinger lookups are presumably answerable without authentication,
         * in which case the chosen user-info repository decides whether responses reveal which
         * accounts exist - verify against the repository implementation in use.
         *
         * @param oidcWebFingerUserInfoRepository bean {@code oidcWebFingerUserInfoRepository}
         * @param factoryBean                     factory yielding the server discovery settings
         * @return the discovery service
         * @throws Exception if the discovery settings cannot be obtained from the factory
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "oidcWebFingerDiscoveryService")
        public OidcWebFingerDiscoveryService oidcWebFingerDiscoveryService(
                @Qualifier("oidcWebFingerUserInfoRepository") OidcWebFingerUserInfoRepository oidcWebFingerUserInfoRepository,
                @Qualifier("oidcServerDiscoverySettingsFactory") FactoryBean<OidcServerDiscoverySettings> factoryBean)
                throws Exception {
            final OidcServerDiscoverySettings discoverySettings = factoryBean.getObject();
            return new OidcWebFingerDiscoveryService(oidcWebFingerUserInfoRepository, discoverySettings);
        }
    }
}
