package org.apereo.cas.web.flow.config;

import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.CipherExecutor;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.adaptive.UnauthorizedAuthenticationException;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.exceptions.InvalidLoginLocationException;
import org.apereo.cas.authentication.exceptions.InvalidLoginTimeException;
import org.apereo.cas.authentication.principal.ResponseBuilderLocator;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.sso.SsoProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionRandomizedSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.core.web.MessageBundleProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceForPrincipalException;
import org.apereo.cas.ticket.UnsatisfiedAuthenticationPolicyException;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.cipher.WebflowConversationStateCipherExecutor;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.DefaultSingleSignOnParticipationStrategy;
import org.apereo.cas.web.flow.SingleSignOnParticipationStrategy;
import org.apereo.cas.web.flow.actions.AuthenticationExceptionHandlerAction;
import org.apereo.cas.web.flow.actions.CheckWebAuthenticationRequestAction;
import org.apereo.cas.web.flow.actions.ClearWebflowCredentialAction;
import org.apereo.cas.web.flow.actions.InjectResponseHeadersAction;
import org.apereo.cas.web.flow.actions.RedirectToServiceAction;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.impl.ServiceTicketRequestWebflowEventResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.util.CookieGenerator;
import org.springframework.webflow.execution.Action;

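/**
 * Spring configuration that registers the core CAS webflow beans: the service-ticket event
 * resolver, the webflow state cipher, a handful of webflow {@link Action}s, the single sign-on
 * participation strategy and the set of authentication exceptions the login flow handles.
 *
 * <p>Most beans are guarded by {@link ConditionalOnMissingBean}, so a deployment can replace
 * them by defining a bean with the same name.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("casCoreWebflowConfiguration")
/* loaded from: input_file:WEB-INF/lib/cas-server-core-webflow-6.0.1.jar:org/apereo/cas/web/flow/config/CasCoreWebflowConfiguration.class */
public class CasCoreWebflowConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CasCoreWebflowConfiguration.class);

    // Collaborators are injected as ObjectProvider so that they are looked up lazily, when a
    // bean method runs. getIfAvailable() returns null when no matching bean exists; that null
    // is passed straight to the constructors below without a check.
    @Autowired
    @Qualifier("centralAuthenticationService")
    private ObjectProvider<CentralAuthenticationService> centralAuthenticationService;

    @Autowired
    @Qualifier("defaultAuthenticationSystemSupport")
    private ObjectProvider<AuthenticationSystemSupport> authenticationSystemSupport;

    @Autowired
    @Qualifier("defaultTicketRegistrySupport")
    private ObjectProvider<TicketRegistrySupport> ticketRegistrySupport;

    @Autowired
    @Qualifier("webApplicationResponseBuilderLocator")
    private ObjectProvider<ResponseBuilderLocator> responseBuilderLocator;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    @Qualifier("warnCookieGenerator")
    private ObjectProvider<CookieGenerator> warnCookieGenerator;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    @Autowired
    private ApplicationEventPublisher applicationEventPublisher;

    @Autowired
    @Qualifier("authenticationServiceSelectionPlan")
    private ObjectProvider<AuthenticationServiceSelectionPlan> authenticationServiceSelectionPlan;

    @Autowired
    @Qualifier("registeredServiceAccessStrategyEnforcer")
    private ObjectProvider<AuditableExecution> registeredServiceAccessStrategyEnforcer;

    /**
     * Creates the event resolver used for service-ticket requests.
     *
     * @return a {@link ServiceTicketRequestWebflowEventResolver} wired with the injected
     *         collaborators and the CAS properties
     */
    @ConditionalOnMissingBean(name = {"serviceTicketRequestWebflowEventResolver"})
    @RefreshScope
    @Bean
    public CasWebflowEventResolver serviceTicketRequestWebflowEventResolver() {
        return new ServiceTicketRequestWebflowEventResolver(
            this.authenticationSystemSupport.getIfAvailable(),
            this.centralAuthenticationService.getIfAvailable(),
            this.servicesManager.getIfAvailable(),
            this.ticketRegistrySupport.getIfAvailable(),
            this.warnCookieGenerator.getIfAvailable(),
            this.authenticationServiceSelectionPlan.getIfAvailable(),
            this.registeredServiceAccessStrategyEnforcer.getIfAvailable(),
            this.casProperties,
            this.applicationEventPublisher,
            this.applicationContext);
    }

    /**
     * Creates the cipher used to encrypt and sign webflow conversation state.
     *
     * <p>The cipher is active when the crypto settings are enabled, or when both an encryption
     * key and a signing key are configured even though the enabled flag is off. In every other
     * case a no-op cipher is returned and a warning is logged.
     *
     * @return a {@link WebflowConversationStateCipherExecutor}, or {@link CipherExecutor#noOp()}
     *         when webflow crypto is off
     */
    @RefreshScope
    @Bean
    public CipherExecutor webflowCipherExecutor() {
        EncryptionRandomizedSigningJwtCryptographyProperties crypto = this.casProperties.getWebflow().getCrypto();
        boolean isEnabled = crypto.isEnabled();
        // Both keys must be present for the implicit enable; a single key leaves crypto off.
        if (!isEnabled && StringUtils.isNotBlank(crypto.getEncryption().getKey()) && StringUtils.isNotBlank(crypto.getSigning().getKey())) {
            LOGGER.warn("Webflow encryption/signing is not enabled explicitly in the configuration, yet signing/encryption keys are defined for operations. CAS will proceed to enable the webflow encryption/signing functionality.");
            isEnabled = true;
        }
        if (isEnabled) {
            // NOTE(review): when the flag is on but a key is blank, the blank value is passed
            // through as-is; what the executor does with it is not visible here. Confirm that
            // production deployments set both keys explicitly.
            return new WebflowConversationStateCipherExecutor(
                crypto.getEncryption().getKey(),
                crypto.getSigning().getKey(),
                crypto.getAlg(),
                crypto.getSigning().getKeySize(),
                crypto.getEncryption().getKeySize());
        }
        // NOTE(review): with the no-op cipher, webflow state is neither encrypted nor signed.
        // If the flow state is handed to the browser and read back (client-side flow execution),
        // the server would then be consuming state it cannot authenticate; confirm how this
        // deployment stores flow state before running with crypto disabled. The only signal is
        // this WARN line, so alerting on it at startup is a cheap detection.
        LOGGER.warn("Webflow encryption/signing is turned off. This MAY NOT be safe in a production environment. Consider using other choices to handle encryption, signing and verification of webflow state.");
        return CipherExecutor.noOp();
    }

    /**
     * Creates the action registered under
     * {@link CasWebflowConstants#ACTION_ID_CLEAR_WEBFLOW_CREDENTIALS}.
     *
     * @return a new {@link ClearWebflowCredentialAction}
     */
    @ConditionalOnMissingBean(name = {CasWebflowConstants.ACTION_ID_CLEAR_WEBFLOW_CREDENTIALS})
    @RefreshScope
    @Bean
    public Action clearWebflowCredentialsAction() {
        return new ClearWebflowCredentialAction();
    }

    /**
     * Creates the action that checks a web authentication request, configured with the content
     * type taken from the MFA settings.
     *
     * @return a new {@link CheckWebAuthenticationRequestAction}
     */
    @ConditionalOnMissingBean(name = {"checkWebAuthenticationRequestAction"})
    @RefreshScope
    @Bean
    public Action checkWebAuthenticationRequestAction() {
        return new CheckWebAuthenticationRequestAction(this.casProperties.getAuthn().getMfa().getContentType());
    }

    /**
     * Creates the action registered under
     * {@link CasWebflowConstants#ACTION_ID_REDIRECT_TO_SERVICE}.
     *
     * @return a new {@link RedirectToServiceAction} backed by the response builder locator
     */
    @ConditionalOnMissingBean(name = {CasWebflowConstants.ACTION_ID_REDIRECT_TO_SERVICE})
    @RefreshScope
    @Bean
    public Action redirectToServiceAction() {
        return new RedirectToServiceAction(this.responseBuilderLocator.getIfAvailable());
    }

    /**
     * Creates the action that injects response headers.
     *
     * @return a new {@link InjectResponseHeadersAction} backed by the response builder locator
     */
    @ConditionalOnMissingBean(name = {"injectResponseHeadersAction"})
    @RefreshScope
    @Bean
    public Action injectResponseHeadersAction() {
        return new InjectResponseHeadersAction(this.responseBuilderLocator.getIfAvailable());
    }

    /**
     * Creates the default single sign-on participation strategy from the SSO properties.
     *
     * @return a new {@link DefaultSingleSignOnParticipationStrategy}
     */
    @ConditionalOnMissingBean(name = {"singleSignOnParticipationStrategy"})
    @RefreshScope
    @Bean
    public SingleSignOnParticipationStrategy singleSignOnParticipationStrategy() {
        SsoProperties sso = this.casProperties.getSso();
        return new DefaultSingleSignOnParticipationStrategy(
            this.servicesManager.getIfAvailable(),
            sso.isCreateSsoCookieOnRenewAuthn(),
            sso.isRenewAuthnEnabled());
    }

    /**
     * Creates the action that handles authentication exceptions, using the set from
     * {@link #handledAuthenticationExceptions()} and the default authentication-failure
     * message bundle prefix.
     *
     * @return a new {@link AuthenticationExceptionHandlerAction}
     */
    @ConditionalOnMissingBean(name = {CasWebflowConstants.ACTION_ID_AUTHENTICATION_EXCEPTION_HANDLER})
    @Bean
    public Action authenticationExceptionHandler() {
        return new AuthenticationExceptionHandlerAction(handledAuthenticationExceptions(), MessageBundleProperties.DEFAULT_BUNDLE_PREFIX_AUTHN_FAILURE);
    }

    /**
     * Builds the ordered set of exception types that the authentication exception handler
     * recognises: the built-in list below, followed by any classes configured under the
     * authentication exception properties.
     *
     * @return an insertion-ordered set of handled exception classes
     */
    @RefreshScope
    @Bean
    public Set<Class<? extends Throwable>> handledAuthenticationExceptions() {
        // Typed set instead of a raw LinkedHashSet, so that a non-Class element cannot be added
        // without a compile error. LinkedHashSet keeps insertion order.
        // NOTE(review): presumably the handler matches in iteration order, which is why the
        // account-state exceptions come before the generic FailedLoginException; confirm before
        // reordering.
        Set<Class<? extends Throwable>> handled = new LinkedHashSet<>();
        handled.add(AccountLockedException.class);
        handled.add(CredentialExpiredException.class);
        handled.add(AccountExpiredException.class);
        handled.add(AccountDisabledException.class);
        handled.add(InvalidLoginLocationException.class);
        handled.add(AccountPasswordMustChangeException.class);
        handled.add(InvalidLoginTimeException.class);
        // NOTE(review): account-not-found and failed-login are separate entries. If their
        // message-bundle texts differ, the login page tells a caller whether a username exists;
        // confirm both map to the same user-facing message.
        handled.add(AccountNotFoundException.class);
        handled.add(FailedLoginException.class);
        handled.add(UnauthorizedServiceForPrincipalException.class);
        handled.add(PrincipalException.class);
        handled.add(UnsatisfiedAuthenticationPolicyException.class);
        handled.add(UnauthorizedAuthenticationException.class);
        // Deployer-configured classes go last; duplicates of the built-ins are ignored by the set.
        handled.addAll(this.casProperties.getAuthn().getExceptions().getExceptions());
        return handled;
    }
}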
