package org.apereo.cas.config;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.yubico.core.DefaultSessionManager;
import com.yubico.core.SessionManager;
import com.yubico.core.WebAuthnServer;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.attestation.AttestationResolver;
import com.yubico.webauthn.attestation.MetadataObject;
import com.yubico.webauthn.attestation.MetadataService;
import com.yubico.webauthn.attestation.StandardMetadataService;
import com.yubico.webauthn.attestation.TrustResolver;
import com.yubico.webauthn.attestation.resolver.CompositeAttestationResolver;
import com.yubico.webauthn.attestation.resolver.CompositeTrustResolver;
import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver;
import com.yubico.webauthn.attestation.resolver.SimpleTrustResolverWithEquality;
import com.yubico.webauthn.data.AttestationConveyancePreference;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.extension.appid.AppId;
import java.net.URL;
import java.time.Duration;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.Map;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.MultifactorAuthenticationFailureModeEvaluator;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.bypass.MultifactorAuthenticationProviderBypassEvaluator;
import org.apereo.cas.authentication.handler.ByCredentialTypeAuthenticationHandlerResolver;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.cipher.CipherExecutorUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.webauthn.WebAuthnAuthenticationHandler;
import org.apereo.cas.webauthn.WebAuthnCredential;
import org.apereo.cas.webauthn.WebAuthnCredentialRegistrationCipherExecutor;
import org.apereo.cas.webauthn.WebAuthnMultifactorAuthenticationProvider;
import org.apereo.cas.webauthn.WebAuthnUtils;
import org.apereo.cas.webauthn.storage.JsonResourceWebAuthnCredentialRepository;
import org.apereo.cas.webauthn.storage.WebAuthnCredentialRepository;
import org.apereo.cas.webauthn.web.WebAuthnController;
import org.apereo.cas.webauthn.web.WebAuthnRegisteredDevicesEndpoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnAvailableEndpoint;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.scheduling.annotation.Scheduled;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("webAuthnConfiguration")
/* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration.class */
public class WebAuthnConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(WebAuthnConfiguration.class);
    private static final int CACHE_MAX_SIZE = 10000;

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    @Autowired
    @Qualifier("servicesManager")
    private ObjectProvider<ServicesManager> servicesManager;

    @Autowired
    @Qualifier("failureModeEvaluator")
    private ObjectProvider<MultifactorAuthenticationFailureModeEvaluator> failureModeEvaluator;

    @Autowired
    @Qualifier("webAuthnBypassEvaluator")
    private ObjectProvider<MultifactorAuthenticationProviderBypassEvaluator> webAuthnBypassEvaluator;

    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnDeviceRepositoryCleanerScheduler.class */
    public static class WebAuthnDeviceRepositoryCleanerScheduler implements Runnable {
        private final WebAuthnCredentialRepository repository;

        @Override // java.lang.Runnable
        @Scheduled(initialDelayString = "${cas.authn.mfa.web-authn.cleaner.schedule.start-delay:PT20S}", fixedDelayString = "${cas.authn.mfa.web-authn.cleaner.schedule.repeat-interval:PT5M}")
        public void run() {
            WebAuthnConfiguration.LOGGER.debug("Starting to clean expired devices from repository");
            this.repository.clean();
        }

        @Generated
        public WebAuthnDeviceRepositoryCleanerScheduler(WebAuthnCredentialRepository webAuthnCredentialRepository) {
            this.repository = webAuthnCredentialRepository;
        }
    }

    @ConditionalOnMissingBean(name = {"webAuthnController"})
    @Bean
    public WebAuthnController webAuthnController() throws Exception {
        return new WebAuthnController(webAuthnServer());
    }

    @ConditionalOnMissingBean(name = {"webAuthnCredentialRepository"})
    @RefreshScope
    @Bean
    public WebAuthnCredentialRepository webAuthnCredentialRepository() {
        Resource location = this.casProperties.getAuthn().getMfa().getWebAuthn().getJson().getLocation();
        return location != null ? new JsonResourceWebAuthnCredentialRepository(this.casProperties, location, webAuthnCredentialRegistrationCipherExecutor()) : WebAuthnCredentialRepository.inMemory();
    }

    @ConditionalOnMissingBean(name = {"webAuthnMultifactorAuthenticationProvider"})
    @RefreshScope
    @Bean
    public MultifactorAuthenticationProvider webAuthnMultifactorAuthenticationProvider() {
        WebAuthnMultifactorProperties webAuthn = this.casProperties.getAuthn().getMfa().getWebAuthn();
        WebAuthnMultifactorAuthenticationProvider webAuthnMultifactorAuthenticationProvider = new WebAuthnMultifactorAuthenticationProvider();
        webAuthnMultifactorAuthenticationProvider.setBypassEvaluator((MultifactorAuthenticationProviderBypassEvaluator) this.webAuthnBypassEvaluator.getObject());
        webAuthnMultifactorAuthenticationProvider.setFailureMode(webAuthn.getFailureMode());
        webAuthnMultifactorAuthenticationProvider.setFailureModeEvaluator((MultifactorAuthenticationFailureModeEvaluator) this.failureModeEvaluator.getObject());
        webAuthnMultifactorAuthenticationProvider.setOrder(webAuthn.getRank());
        webAuthnMultifactorAuthenticationProvider.setId(webAuthn.getId());
        return webAuthnMultifactorAuthenticationProvider;
    }

    @ConditionalOnMissingBean(name = {"simpleTrustResolverWithEquality"})
    @Bean
    public TrustResolver simpleTrustResolverWithEquality() {
        return new SimpleTrustResolverWithEquality(new ArrayList());
    }

    @ConditionalOnMissingBean(name = {"webAuthnMetadataService"})
    @Bean
    public MetadataService webAuthnMetadataService() throws Exception {
        Map beansOfType = this.applicationContext.getBeansOfType(TrustResolver.class, false, true);
        ArrayList arrayList = new ArrayList();
        arrayList.add(StandardMetadataService.createDefaultTrustResolver());
        arrayList.addAll(beansOfType.values());
        CompositeTrustResolver compositeTrustResolver = new CompositeTrustResolver(arrayList);
        Map beansOfType2 = this.applicationContext.getBeansOfType(AttestationResolver.class, false, true);
        ArrayList arrayList2 = new ArrayList();
        arrayList2.add(StandardMetadataService.createDefaultAttestationResolver(compositeTrustResolver));
        Resource location = this.casProperties.getAuthn().getMfa().getWebAuthn().getTrustedDeviceMetadata().getLocation();
        if (location != null) {
            arrayList2.add(new SimpleAttestationResolver(CollectionUtils.wrapList(new MetadataObject[]{(MetadataObject) WebAuthnUtils.getObjectMapper().readValue(location.getInputStream(), MetadataObject.class)}), compositeTrustResolver));
        }
        arrayList2.addAll(beansOfType2.values());
        return new StandardMetadataService(new CompositeAttestationResolver(arrayList2));
    }

    @ConditionalOnMissingBean(name = {"webAuthnSessionManager"})
    @Bean
    public SessionManager webAuthnSessionManager() {
        return new DefaultSessionManager();
    }

    @ConditionalOnMissingBean(name = {"webAuthnServer"})
    @Bean
    public WebAuthnServer webAuthnServer() throws Exception {
        WebAuthnMultifactorProperties webAuthn = this.casProperties.getAuthn().getMfa().getWebAuthn();
        String name = this.casProperties.getServer().getName();
        AppId appId = new AppId(StringUtils.defaultString(webAuthn.getApplicationId(), name));
        RelyingPartyIdentity build = RelyingPartyIdentity.builder().id(StringUtils.defaultString(webAuthn.getRelyingPartyId(), new URL(name).getHost())).name(StringUtils.defaultString(webAuthn.getRelyingPartyName(), "CAS")).build();
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        if (StringUtils.isNotBlank(webAuthn.getAllowedOrigins())) {
            linkedHashSet.addAll(org.springframework.util.StringUtils.commaDelimitedListToSet(webAuthn.getAllowedOrigins()));
        } else {
            linkedHashSet.add(name);
        }
        return new WebAuthnServer(webAuthnCredentialRepository(), newCache(), newCache(), RelyingParty.builder().identity(build).credentialRepository(webAuthnCredentialRepository()).origins(linkedHashSet).attestationConveyancePreference(AttestationConveyancePreference.valueOf(webAuthn.getAttestationConveyancePreference().toUpperCase())).metadataService(webAuthnMetadataService()).allowUnrequestedExtensions(webAuthn.isAllowUnrequestedExtensions()).allowUntrustedAttestation(webAuthn.isAllowUntrustedAttestation()).validateSignatureCounter(webAuthn.isValidateSignatureCounter()).appId(appId).build(), webAuthnSessionManager());
    }

    @ConditionalOnMissingBean(name = {"webAuthnPrincipalFactory"})
    @RefreshScope
    @Bean
    public PrincipalFactory webAuthnPrincipalFactory() {
        return PrincipalFactoryUtils.newPrincipalFactory();
    }

    @ConditionalOnMissingBean(name = {"webAuthnCredentialRegistrationCipherExecutor"})
    @RefreshScope
    @Bean
    public CipherExecutor webAuthnCredentialRegistrationCipherExecutor() {
        EncryptionJwtSigningJwtCryptographyProperties crypto = this.casProperties.getAuthn().getMfa().getWebAuthn().getCrypto();
        if (crypto.isEnabled()) {
            return CipherExecutorUtils.newStringCipherExecutor(crypto, WebAuthnCredentialRegistrationCipherExecutor.class);
        }
        LOGGER.trace("Web Authn credential registration records managed by CAS are not signed/encrypted.");
        return CipherExecutor.noOp();
    }

    @ConditionalOnMissingBean(name = {"webAuthnAuthenticationHandler"})
    @RefreshScope
    @Bean
    public AuthenticationHandler webAuthnAuthenticationHandler() {
        WebAuthnMultifactorProperties webAuthn = this.casProperties.getAuthn().getMfa().getWebAuthn();
        return new WebAuthnAuthenticationHandler(webAuthn.getName(), (ServicesManager) this.servicesManager.getObject(), webAuthnPrincipalFactory(), webAuthnCredentialRepository(), webAuthnSessionManager(), Integer.valueOf(webAuthn.getOrder()));
    }

    @ConditionalOnMissingBean(name = {"webAuthnAuthenticationMetaDataPopulator"})
    @RefreshScope
    @Bean
    public AuthenticationMetaDataPopulator webAuthnAuthenticationMetaDataPopulator() {
        return new AuthenticationContextAttributeMetaDataPopulator(this.casProperties.getAuthn().getMfa().getAuthenticationContextAttribute(), webAuthnAuthenticationHandler(), webAuthnMultifactorAuthenticationProvider().getId());
    }

    @ConditionalOnMissingBean(name = {"webAuthnAuthenticationEventExecutionPlanConfigurer"})
    @Bean
    public AuthenticationEventExecutionPlanConfigurer webAuthnAuthenticationEventExecutionPlanConfigurer() {
        return authenticationEventExecutionPlan -> {
            authenticationEventExecutionPlan.registerAuthenticationHandler(webAuthnAuthenticationHandler());
            authenticationEventExecutionPlan.registerAuthenticationMetadataPopulator(webAuthnAuthenticationMetaDataPopulator());
            authenticationEventExecutionPlan.registerAuthenticationHandlerResolver(new ByCredentialTypeAuthenticationHandlerResolver(new Class[]{WebAuthnCredential.class}));
        };
    }

    @ConditionalOnAvailableEndpoint
    @Bean
    public WebAuthnRegisteredDevicesEndpoint webAuthnRegisteredDevicesEndpoint() {
        return new WebAuthnRegisteredDevicesEndpoint(this.casProperties, webAuthnCredentialRepository());
    }

    @ConditionalOnMissingBean(name = {"webAuthnDeviceRepositoryCleanerScheduler"})
    @ConditionalOnProperty(prefix = "authn.mfa.web-authn.cleaner", name = {"enabled"}, havingValue = "true", matchIfMissing = true)
    @Bean
    public Runnable webAuthnDeviceRepositoryCleanerScheduler() {
        return new WebAuthnDeviceRepositoryCleanerScheduler(webAuthnCredentialRepository());
    }

    private static <K, V> Cache<K, V> newCache() {
        return CacheBuilder.newBuilder().maximumSize(10000L).expireAfterAccess(Duration.ofMinutes(5L)).build();
    }
}
