package org.apereo.cas.config;

import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationPolicy;
import org.apereo.cas.authentication.ContextualAuthenticationPolicyFactory;
import org.apereo.cas.authentication.adaptive.AdaptiveAuthenticationPolicy;
import org.apereo.cas.authentication.adaptive.DefaultAdaptiveAuthenticationPolicy;
import org.apereo.cas.authentication.adaptive.geo.GeoLocationService;
import org.apereo.cas.authentication.adaptive.intel.GroovyIPAddressIntelligenceService;
import org.apereo.cas.authentication.adaptive.intel.IPAddressIntelligenceService;
import org.apereo.cas.authentication.adaptive.intel.RestfulIPAddressIntelligenceService;
import org.apereo.cas.authentication.policy.AllAuthenticationHandlersSucceededAuthenticationPolicy;
import org.apereo.cas.authentication.policy.AllCredentialsValidatedAuthenticationPolicy;
import org.apereo.cas.authentication.policy.AtLeastOneCredentialValidatedAuthenticationPolicy;
import org.apereo.cas.authentication.policy.GroovyScriptAuthenticationPolicy;
import org.apereo.cas.authentication.policy.NotPreventedAuthenticationPolicy;
import org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicy;
import org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory;
import org.apereo.cas.authentication.policy.RestfulAuthenticationPolicy;
import org.apereo.cas.authentication.policy.UniquePrincipalAuthenticationPolicy;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.authentication.AdaptiveAuthenticationIPIntelligenceProperties;
import org.apereo.cas.configuration.model.core.authentication.AdaptiveAuthenticationProperties;
import org.apereo.cas.configuration.model.core.authentication.AuthenticationPolicyProperties;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ResourceLoader;
import org.springframework.web.client.RestTemplate;

/**
 * Spring configuration that wires the core CAS authentication policy beans.
 *
 * <p>It contributes an execution-plan configurer that registers one family of
 * {@link AuthenticationPolicy} based on {@code cas.authn.policy} settings, plus the
 * adaptive-authentication policy and the IP address intelligence service it relies on.
 *
 * <p>Every bean except {@link #notPreventedAuthenticationPolicy()} is declared with
 * {@code @ConditionalOnMissingBean}, so a deployment can replace it by defining a bean
 * with the same name.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("casCoreAuthenticationPolicyConfiguration")
/* loaded from: input_file:WEB-INF/lib/cas-server-core-authentication-6.0.1.jar:org/apereo/cas/config/CasCoreAuthenticationPolicyConfiguration.class */
public class CasCoreAuthenticationPolicyConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(CasCoreAuthenticationPolicyConfiguration.class);

    // Resolved lazily; getIfAvailable() yields null when no such bean is defined.
    @Autowired
    @Qualifier("ticketRegistry")
    private ObjectProvider<TicketRegistry> ticketRegistry;

    // Resolved lazily; getIfAvailable() yields null when no such bean is defined.
    @Autowired
    @Qualifier("geoLocationService")
    private ObjectProvider<GeoLocationService> geoLocationService;

    @Autowired
    private ResourceLoader resourceLoader;

    @Autowired
    private CasConfigurationProperties casProperties;

    /**
     * Builds the configurer that registers the authentication policy selected in configuration.
     *
     * <p>Selection is first-match-wins, in this order: required handler, all handlers,
     * all credentials, not-prevented, unique principal, Groovy scripts, REST endpoints,
     * at-least-one credential. Only the first matching family is registered; if none of
     * the settings match, this configurer registers no policy at all.
     *
     * @return a configurer that registers the chosen policy (or policies, for the Groovy
     *         and REST lists) on the execution plan it is handed
     */
    @ConditionalOnMissingBean(name = {"authenticationPolicyExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer authenticationPolicyExecutionPlanConfigurer() {
        return plan -> {
            AuthenticationPolicyProperties settings = casProperties.getAuthn().getPolicy();
            if (settings.getReq().isEnabled()) {
                traceActivation(RequiredHandlerAuthenticationPolicy.class);
                plan.registerAuthenticationPolicy(
                    new RequiredHandlerAuthenticationPolicy(settings.getReq().getHandlerName(), settings.getReq().isTryAll()));
            } else if (settings.getAllHandlers().isEnabled()) {
                traceActivation(AllAuthenticationHandlersSucceededAuthenticationPolicy.class);
                plan.registerAuthenticationPolicy(new AllAuthenticationHandlersSucceededAuthenticationPolicy());
            } else if (settings.getAll().isEnabled()) {
                traceActivation(AllCredentialsValidatedAuthenticationPolicy.class);
                plan.registerAuthenticationPolicy(new AllCredentialsValidatedAuthenticationPolicy());
            } else if (settings.getNotPrevented().isEnabled()) {
                traceActivation(NotPreventedAuthenticationPolicy.class);
                plan.registerAuthenticationPolicy(notPreventedAuthenticationPolicy());
            } else if (settings.getUniquePrincipal().isEnabled()) {
                traceActivation(UniquePrincipalAuthenticationPolicy.class);
                // NOTE(review): the provider may hand back null here; whether the policy
                // tolerates a missing ticket registry is not visible in this file.
                plan.registerAuthenticationPolicy(new UniquePrincipalAuthenticationPolicy(ticketRegistry.getIfAvailable()));
            } else if (!settings.getGroovy().isEmpty()) {
                traceActivation(GroovyScriptAuthenticationPolicy.class);
                // The script location comes straight from configuration and presumably
                // decides authentication outcomes, so the script file deserves the same
                // change control and file permissions as the server's own code.
                settings.getGroovy().forEach(groovySettings ->
                    plan.registerAuthenticationPolicy(
                        new GroovyScriptAuthenticationPolicy(resourceLoader, groovySettings.getScript())));
            } else if (!settings.getRest().isEmpty()) {
                traceActivation(RestfulAuthenticationPolicy.class);
                // Each entry gets a default RestTemplate: no timeouts or TLS settings are
                // applied here, and the endpoint is taken from configuration as-is.
                settings.getRest().forEach(restSettings ->
                    plan.registerAuthenticationPolicy(
                        new RestfulAuthenticationPolicy(new RestTemplate(), restSettings.getEndpoint())));
            } else if (settings.getAny().isEnabled()) {
                traceActivation(AtLeastOneCredentialValidatedAuthenticationPolicy.class);
                plan.registerAuthenticationPolicy(
                    new AtLeastOneCredentialValidatedAuthenticationPolicy(settings.getAny().isTryAll()));
            }
        };
    }

    /**
     * Exposes the not-prevented policy as a bean; the configurer above registers this
     * bean when {@code notPrevented} is enabled.
     *
     * @return a new {@link NotPreventedAuthenticationPolicy}
     */
    @Bean
    public AuthenticationPolicy notPreventedAuthenticationPolicy() {
        return new NotPreventedAuthenticationPolicy();
    }

    /**
     * Creates the adaptive authentication policy from the geo-location service (may be
     * null when none is defined), the IP intelligence service and the adaptive settings.
     *
     * @return the default adaptive policy implementation
     */
    @ConditionalOnMissingBean(name = {"adaptiveAuthenticationPolicy"})
    @RefreshScope
    @Bean
    public AdaptiveAuthenticationPolicy adaptiveAuthenticationPolicy() {
        GeoLocationService geoService = geoLocationService.getIfAvailable();
        IPAddressIntelligenceService ipIntelService = ipAddressIntelligenceService();
        AdaptiveAuthenticationProperties adaptiveSettings = casProperties.getAuthn().getAdaptive();
        return new DefaultAdaptiveAuthenticationPolicy(geoService, ipIntelService, adaptiveSettings);
    }

    /**
     * Provides the factory for contextual required-handler policies.
     *
     * @return a new {@link RequiredHandlerAuthenticationPolicyFactory}
     */
    @ConditionalOnMissingBean(name = {"requiredHandlerAuthenticationPolicyFactory"})
    @Bean
    public ContextualAuthenticationPolicyFactory requiredHandlerAuthenticationPolicyFactory() {
        return new RequiredHandlerAuthenticationPolicyFactory();
    }

    /**
     * Chooses the IP address intelligence backend from the adaptive settings.
     *
     * <p>Precedence: REST URL, then Groovy script location, then BlackDot e-mail address.
     * With none of them set, the result is {@link IPAddressIntelligenceService#allowed()},
     * which by its name appears to accept every address, meaning no IP reputation check
     * gates logins in an unconfigured deployment.
     *
     * @return the selected intelligence service
     */
    @ConditionalOnMissingBean(name = {"ipAddressIntelligenceService"})
    @RefreshScope
    @Bean
    public IPAddressIntelligenceService ipAddressIntelligenceService() {
        AdaptiveAuthenticationProperties adaptiveSettings = casProperties.getAuthn().getAdaptive();
        AdaptiveAuthenticationIPIntelligenceProperties intel = adaptiveSettings.getIpIntel();
        if (StringUtils.isNotBlank(intel.getRest().getUrl())) {
            return new RestfulIPAddressIntelligenceService(adaptiveSettings);
        }
        if (intel.getGroovy().getLocation() != null) {
            return new GroovyIPAddressIntelligenceService(adaptiveSettings);
        }
        if (StringUtils.isNotBlank(intel.getBlackDot().getEmailAddress())) {
            // NOTE(review): the BlackDot branch builds the same REST-backed service as the
            // REST branch although no REST URL is set on this path; confirm this is the
            // intended implementation before relying on BlackDot lookups.
            return new RestfulIPAddressIntelligenceService(adaptiveSettings);
        }
        return IPAddressIntelligenceService.allowed();
    }

    /** Emits the trace line announcing which policy type is being registered. */
    private static void traceActivation(Class<?> policyType) {
        LOGGER.trace("Activating authentication policy [{}]", policyType.getSimpleName());
    }
}
