package org.apereo.cas.config;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.yubico.core.DefaultSessionManager;
import com.yubico.core.SessionManager;
import com.yubico.core.WebAuthnServer;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.attestation.AttestationResolver;
import com.yubico.webauthn.attestation.MetadataObject;
import com.yubico.webauthn.attestation.MetadataService;
import com.yubico.webauthn.attestation.StandardMetadataService;
import com.yubico.webauthn.attestation.TrustResolver;
import com.yubico.webauthn.attestation.resolver.CompositeAttestationResolver;
import com.yubico.webauthn.attestation.resolver.CompositeTrustResolver;
import com.yubico.webauthn.attestation.resolver.SimpleAttestationResolver;
import com.yubico.webauthn.attestation.resolver.SimpleTrustResolverWithEquality;
import com.yubico.webauthn.data.AttestationConveyancePreference;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.extension.appid.AppId;
import java.io.InputStream;
import java.net.URL;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.MultifactorAuthenticationFailureModeEvaluator;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.bypass.MultifactorAuthenticationProviderBypassEvaluator;
import org.apereo.cas.authentication.handler.ByCredentialTypeAuthenticationHandlerResolver;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAuthenticationCoreProperties;
import org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAuthenticationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.cipher.CipherExecutorUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer;
import org.apereo.cas.webauthn.WebAuthnAuthenticationHandler;
import org.apereo.cas.webauthn.WebAuthnCredential;
import org.apereo.cas.webauthn.WebAuthnCredentialRegistrationCipherExecutor;
import org.apereo.cas.webauthn.WebAuthnMultifactorAuthenticationProvider;
import org.apereo.cas.webauthn.WebAuthnUtils;
import org.apereo.cas.webauthn.storage.JsonResourceWebAuthnCredentialRepository;
import org.apereo.cas.webauthn.storage.WebAuthnCredentialRepository;
import org.apereo.cas.webauthn.web.WebAuthnController;
import org.apereo.cas.webauthn.web.WebAuthnRegisteredDevicesEndpoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnAvailableEndpoint;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.Resource;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

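/**
 * Spring configuration wiring the CAS WebAuthn multifactor provider.
 * <p>
 * The nested {@code @Configuration} classes register, in dependency order: the principal factory,
 * session manager and trust resolver; the credential-record cipher; the credential repository;
 * the attestation metadata service; the Yubico {@link WebAuthnServer} and its relying party; the
 * authentication handler, metadata populator and MFA provider; the web controller and actuator
 * endpoint; the scheduled repository cleaner; and CSRF protection for {@code /webauthn/**}.
 * <p>
 * Every bean is guarded by {@code @ConditionalOnMissingBean} on its name so a deployment can
 * override any single piece. Most beans are {@code @RefreshScope}d so configuration refreshes
 * rebuild them.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@ConditionalOnWebAuthnEnabled
@Configuration(value = "webAuthnConfiguration", proxyBeanMethods = false)
public class WebAuthnConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(WebAuthnConfiguration.class);

    /** Upper bound on entries held by each of the two caches handed to {@link WebAuthnServer}. */
    private static final int CACHE_MAX_SIZE = 10000;

    /** Inactivity window after which a cache entry (see {@link #newCache()}) is evicted. */
    private static final Duration CACHE_EXPIRY = Duration.ofMinutes(5L);

    /**
     * Registers the WebAuthn handler, its metadata populator and a credential-type resolver
     * with the authentication event execution plan.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnAuthenticationPlanConfiguration", proxyBeanMethods = false)
    public static class WebAuthnAuthenticationPlanConfiguration {

        /**
         * Plan configurer that hooks the WebAuthn handler into CAS authentication.
         *
         * @param authenticationHandler           the {@code webAuthnAuthenticationHandler} bean
         * @param authenticationMetaDataPopulator the {@code webAuthnAuthenticationMetaDataPopulator} bean
         * @return configurer registering the handler, populator and a resolver that routes
         * {@link WebAuthnCredential}s to this handler only
         */
        @ConditionalOnMissingBean(name = {"webAuthnAuthenticationEventExecutionPlanConfigurer"})
        @Bean
        public AuthenticationEventExecutionPlanConfigurer webAuthnAuthenticationEventExecutionPlanConfigurer(
            @Qualifier("webAuthnAuthenticationHandler") final AuthenticationHandler authenticationHandler,
            @Qualifier("webAuthnAuthenticationMetaDataPopulator") final AuthenticationMetaDataPopulator authenticationMetaDataPopulator) {
            return plan -> {
                plan.registerAuthenticationHandler(authenticationHandler);
                plan.registerAuthenticationMetadataPopulator(authenticationMetaDataPopulator);
                // Only credentials of the WebAuthn type are dispatched to the WebAuthn handler.
                plan.registerAuthenticationHandlerResolver(
                    new ByCredentialTypeAuthenticationHandlerResolver(new Class[]{WebAuthnCredential.class}));
            };
        }
    }

    /**
     * Web-facing beans: the WebAuthn MVC controller and the registered-devices actuator endpoint.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnControllerConfiguration", proxyBeanMethods = false)
    public static class WebAuthnControllerConfiguration {

        /**
         * Actuator endpoint exposing registered devices; only created when the endpoint is
         * available (enabled and exposed) per {@code @ConditionalOnAvailableEndpoint}.
         *
         * @param casConfigurationProperties   CAS properties
         * @param webAuthnCredentialRepository the {@code webAuthnCredentialRepository} bean
         * @return the endpoint
         */
        @ConditionalOnAvailableEndpoint
        @Bean
        public WebAuthnRegisteredDevicesEndpoint webAuthnRegisteredDevicesEndpoint(
            final CasConfigurationProperties casConfigurationProperties,
            @Qualifier("webAuthnCredentialRepository") final WebAuthnCredentialRepository webAuthnCredentialRepository) {
            return new WebAuthnRegisteredDevicesEndpoint(casConfigurationProperties, webAuthnCredentialRepository);
        }

        /**
         * Controller serving the WebAuthn registration/authentication ceremony requests.
         *
         * @param webAuthnServer the {@code webAuthnServer} bean
         * @return the controller
         */
        @ConditionalOnMissingBean(name = {"webAuthnController"})
        @Bean
        public WebAuthnController webAuthnController(@Qualifier("webAuthnServer") final WebAuthnServer webAuthnServer) {
            return new WebAuthnController(webAuthnServer);
        }
    }

    /**
     * Core collaborators with no configuration input: trust resolver, session manager, principal factory.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnCoreConfiguration", proxyBeanMethods = false)
    public static class WebAuthnCoreConfiguration {

        /**
         * Trust resolver backed by an initially empty certificate list. Deployments that wish to
         * pin trusted attestation roots are expected to override this bean.
         *
         * @return the resolver
         */
        @ConditionalOnMissingBean(name = {"simpleTrustResolverWithEquality"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public TrustResolver simpleTrustResolverWithEquality() {
            return new SimpleTrustResolverWithEquality(new ArrayList<>());
        }

        /**
         * Session manager used by the Yubico server to track in-flight ceremonies.
         *
         * @return a {@link DefaultSessionManager}
         */
        @ConditionalOnMissingBean(name = {"webAuthnSessionManager"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public SessionManager webAuthnSessionManager() {
            return new DefaultSessionManager();
        }

        /**
         * Principal factory used by the WebAuthn authentication handler.
         *
         * @return the CAS default principal factory
         */
        @ConditionalOnMissingBean(name = {"webAuthnPrincipalFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public PrincipalFactory webAuthnPrincipalFactory() {
            return PrincipalFactoryUtils.newPrincipalFactory();
        }
    }

    /**
     * Cipher used to sign/encrypt credential registration records persisted by CAS.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnCryptoConfiguration", proxyBeanMethods = false)
    public static class WebAuthnCryptoConfiguration {

        /**
         * Builds the record cipher from {@code cas.authn.mfa.web-authn.crypto}.
         * When crypto is disabled a no-op cipher is returned, i.e. stored registration
         * records are neither signed nor encrypted by CAS; a trace line records that choice.
         *
         * @param casConfigurationProperties CAS properties
         * @return a string cipher executor, or {@link CipherExecutor#noOp()} when disabled
         */
        @ConditionalOnMissingBean(name = {"webAuthnCredentialRegistrationCipherExecutor"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CipherExecutor webAuthnCredentialRegistrationCipherExecutor(final CasConfigurationProperties casConfigurationProperties) {
            final EncryptionJwtSigningJwtCryptographyProperties crypto =
                casConfigurationProperties.getAuthn().getMfa().getWebAuthn().getCrypto();
            if (!crypto.isEnabled()) {
                LOGGER.trace("Web Authn credential registration records managed by CAS are not signed/encrypted.");
                return CipherExecutor.noOp();
            }
            return CipherExecutorUtils.newStringCipherExecutor(crypto, WebAuthnCredentialRegistrationCipherExecutor.class);
        }
    }

    /**
     * Scheduled task that asks the credential repository to purge expired devices.
     * <p>
     * Timing is driven by {@code cas.authn.mfa.web-authn.cleaner.schedule.start-delay}
     * (default {@code PT20S}) and {@code cas.authn.mfa.web-authn.cleaner.schedule.repeat-interval}
     * (default {@code PT5M}).
     */
    public static class WebAuthnDeviceRepositoryCleanerScheduler implements Runnable {
        private final WebAuthnCredentialRepository repository;

        /**
         * @param webAuthnCredentialRepository repository whose {@code clean()} is invoked on each run
         */
        @Generated
        public WebAuthnDeviceRepositoryCleanerScheduler(final WebAuthnCredentialRepository webAuthnCredentialRepository) {
            this.repository = webAuthnCredentialRepository;
        }

        /** Runs one cleaning pass. */
        @Override
        @Scheduled(initialDelayString = "${cas.authn.mfa.web-authn.cleaner.schedule.start-delay:PT20S}",
            fixedDelayString = "${cas.authn.mfa.web-authn.cleaner.schedule.repeat-interval:PT5M}")
        public void run() {
            LOGGER.debug("Starting to clean expired devices from repository");
            repository.clean();
        }
    }

    /**
     * The WebAuthn {@link AuthenticationHandler}.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnHandlerConfiguration", proxyBeanMethods = false)
    public static class WebAuthnHandlerConfiguration {

        /**
         * Handler that validates {@link WebAuthnCredential}s against the credential repository.
         *
         * @param casConfigurationProperties   CAS properties; supplies the handler name and order
         * @param principalFactory             the {@code webAuthnPrincipalFactory} bean
         * @param webAuthnCredentialRepository the {@code webAuthnCredentialRepository} bean
         * @param sessionManager               the {@code webAuthnSessionManager} bean
         * @param servicesManager              the {@code servicesManager} bean
         * @return the handler
         */
        @ConditionalOnMissingBean(name = {"webAuthnAuthenticationHandler"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationHandler webAuthnAuthenticationHandler(
            final CasConfigurationProperties casConfigurationProperties,
            @Qualifier("webAuthnPrincipalFactory") final PrincipalFactory principalFactory,
            @Qualifier("webAuthnCredentialRepository") final WebAuthnCredentialRepository webAuthnCredentialRepository,
            @Qualifier("webAuthnSessionManager") final SessionManager sessionManager,
            @Qualifier("servicesManager") final ServicesManager servicesManager) {
            final WebAuthnMultifactorAuthenticationProperties webAuthn =
                casConfigurationProperties.getAuthn().getMfa().getWebAuthn();
            return new WebAuthnAuthenticationHandler(webAuthn.getName(), servicesManager, principalFactory,
                webAuthnCredentialRepository, sessionManager, Integer.valueOf(webAuthn.getOrder()));
        }
    }

    /**
     * Populator that stamps the authentication context attribute with the WebAuthn provider id.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnMetadataConfiguration", proxyBeanMethods = false)
    public static class WebAuthnMetadataConfiguration {

        /**
         * @param casConfigurationProperties        CAS properties; supplies the context attribute name
         * @param authenticationHandler             the {@code webAuthnAuthenticationHandler} bean
         * @param multifactorAuthenticationProvider the {@code webAuthnMultifactorAuthenticationProvider} bean
         * @return populator that records the provider id under the configured context attribute
         */
        @ConditionalOnMissingBean(name = {"webAuthnAuthenticationMetaDataPopulator"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationMetaDataPopulator webAuthnAuthenticationMetaDataPopulator(
            final CasConfigurationProperties casConfigurationProperties,
            @Qualifier("webAuthnAuthenticationHandler") final AuthenticationHandler authenticationHandler,
            @Qualifier("webAuthnMultifactorAuthenticationProvider") final MultifactorAuthenticationProvider multifactorAuthenticationProvider) {
            final String contextAttribute =
                casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute();
            return new AuthenticationContextAttributeMetaDataPopulator(contextAttribute,
                authenticationHandler, multifactorAuthenticationProvider.getId());
        }
    }

    /**
     * Attestation metadata service: decides which authenticator attestations are trusted.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnMetadataServiceConfiguration", proxyBeanMethods = false)
    public static class WebAuthnMetadataServiceConfiguration {

        /**
         * Composes the trust chain used for attestation verification.
         * <p>
         * Trust resolvers: the library default first, then any {@code List<TrustResolver>} bean.
         * Attestation resolvers: the library default (over the composite trust resolver), then,
         * if {@code cas.authn.mfa.web-authn.core.trusted-device-metadata.location} is set, a
         * resolver over the single {@link MetadataObject} parsed from that resource, then any
         * {@code List<AttestationResolver>} bean. Order matters for composite resolvers, so
         * contributed resolvers never shadow the defaults.
         *
         * @param casConfigurationProperties CAS properties
         * @param objectProvider             optional additional trust resolvers
         * @param objectProvider2            optional additional attestation resolvers
         * @return the metadata service
         * @throws Exception if the trusted-device metadata resource cannot be opened or parsed
         */
        @ConditionalOnMissingBean(name = {"webAuthnMetadataService"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public MetadataService webAuthnMetadataService(
            final CasConfigurationProperties casConfigurationProperties,
            final ObjectProvider<List<TrustResolver>> objectProvider,
            final ObjectProvider<List<AttestationResolver>> objectProvider2) throws Exception {
            final List<TrustResolver> trustResolvers = new ArrayList<>();
            trustResolvers.add(StandardMetadataService.createDefaultTrustResolver());
            trustResolvers.addAll(Optional.ofNullable(objectProvider.getIfAvailable()).orElseGet(ArrayList::new));
            final CompositeTrustResolver compositeTrustResolver = new CompositeTrustResolver(trustResolvers);

            final List<AttestationResolver> attestationResolvers = new ArrayList<>();
            attestationResolvers.add(StandardMetadataService.createDefaultAttestationResolver(compositeTrustResolver));

            final Resource location = casConfigurationProperties.getAuthn().getMfa()
                .getWebAuthn().getCore().getTrustedDeviceMetadata().getLocation();
            if (location != null) {
                // Close the resource stream once parsed; the previous version left it open.
                final MetadataObject metadata;
                try (InputStream in = location.getInputStream()) {
                    metadata = WebAuthnUtils.getObjectMapper().readValue(in, MetadataObject.class);
                }
                attestationResolvers.add(new SimpleAttestationResolver(
                    CollectionUtils.wrapList(new MetadataObject[]{metadata}), compositeTrustResolver));
            }
            attestationResolvers.addAll(Optional.ofNullable(objectProvider2.getIfAvailable()).orElseGet(ArrayList::new));
            return new StandardMetadataService(new CompositeAttestationResolver(attestationResolvers));
        }
    }

    /**
     * The WebAuthn {@link MultifactorAuthenticationProvider}.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnMultifactorProviderConfiguration", proxyBeanMethods = false)
    public static class WebAuthnMultifactorProviderConfiguration {

        /**
         * Provider configured from {@code cas.authn.mfa.web-authn}: id, rank (used as order),
         * failure mode, plus the shared failure-mode and bypass evaluators.
         *
         * @param casConfigurationProperties                   CAS properties
         * @param multifactorAuthenticationFailureModeEvaluator the {@code failureModeEvaluator} bean
         * @param multifactorAuthenticationProviderBypassEvaluator the {@code webAuthnBypassEvaluator} bean
         * @return the provider
         */
        @ConditionalOnMissingBean(name = {"webAuthnMultifactorAuthenticationProvider"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public MultifactorAuthenticationProvider webAuthnMultifactorAuthenticationProvider(
            final CasConfigurationProperties casConfigurationProperties,
            @Qualifier("failureModeEvaluator") final MultifactorAuthenticationFailureModeEvaluator multifactorAuthenticationFailureModeEvaluator,
            @Qualifier("webAuthnBypassEvaluator") final MultifactorAuthenticationProviderBypassEvaluator multifactorAuthenticationProviderBypassEvaluator) {
            final WebAuthnMultifactorAuthenticationProperties webAuthn =
                casConfigurationProperties.getAuthn().getMfa().getWebAuthn();
            final WebAuthnMultifactorAuthenticationProvider provider = new WebAuthnMultifactorAuthenticationProvider();
            provider.setBypassEvaluator(multifactorAuthenticationProviderBypassEvaluator);
            provider.setFailureMode(webAuthn.getFailureMode());
            provider.setFailureModeEvaluator(multifactorAuthenticationFailureModeEvaluator);
            provider.setOrder(webAuthn.getRank());
            provider.setId(webAuthn.getId());
            return provider;
        }
    }

    /**
     * Storage for registered credentials.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnRepositoryConfiguration", proxyBeanMethods = false)
    public static class WebAuthnRepositoryConfiguration {

        /**
         * JSON-file repository when {@code cas.authn.mfa.web-authn.json.location} is set, otherwise an
         * in-memory repository (records are lost on restart).
         *
         * @param casConfigurationProperties CAS properties
         * @param cipherExecutor             the {@code webAuthnCredentialRegistrationCipherExecutor} bean
         * @return the repository
         */
        @ConditionalOnMissingBean(name = {"webAuthnCredentialRepository"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public WebAuthnCredentialRepository webAuthnCredentialRepository(
            final CasConfigurationProperties casConfigurationProperties,
            @Qualifier("webAuthnCredentialRegistrationCipherExecutor") final CipherExecutor cipherExecutor) {
            final Resource location = casConfigurationProperties.getAuthn().getMfa().getWebAuthn().getJson().getLocation();
            if (location == null) {
                return WebAuthnCredentialRepository.inMemory();
            }
            return new JsonResourceWebAuthnCredentialRepository(casConfigurationProperties, location, cipherExecutor);
        }
    }

    /**
     * Scheduling of the repository cleaner.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnSchedulerConfiguration", proxyBeanMethods = false)
    public static class WebAuthnSchedulerConfiguration {

        /**
         * Cleaner task bean, enabled unless the {@code ...cleaner.enabled} property is set to something other than {@code true}.
         *
         * @param webAuthnCredentialRepository the {@code webAuthnCredentialRepository} bean
         * @return the scheduled cleaner
         */
        @ConditionalOnMissingBean(name = {"webAuthnDeviceRepositoryCleanerScheduler"})
        // NOTE(review): this prefix lacks the "cas." namespace used by the @Scheduled placeholders in
        // WebAuthnDeviceRepositoryCleanerScheduler ("cas.authn.mfa.web-authn.cleaner..."); confirm which
        // property key is intended before relying on "enabled=false" to switch the cleaner off.
        @ConditionalOnProperty(prefix = "authn.mfa.web-authn.cleaner", name = {"enabled"}, havingValue = "true", matchIfMissing = true)
        @Bean
        public Runnable webAuthnDeviceRepositoryCleanerScheduler(
            @Qualifier("webAuthnCredentialRepository") final WebAuthnCredentialRepository webAuthnCredentialRepository) {
            return new WebAuthnDeviceRepositoryCleanerScheduler(webAuthnCredentialRepository);
        }
    }

    /**
     * CSRF protection for the WebAuthn endpoints.
     */
    @Configuration(value = "WebAuthnSecurityConfiguration", proxyBeanMethods = false)
    @Order(999)
    public static class WebAuthnSecurityConfiguration {

        /**
         * CSRF token store; tokens live in the HTTP session.
         *
         * @return a {@link HttpSessionCsrfTokenRepository}
         */
        @ConditionalOnMissingBean(name = {"webAuthnCsrfTokenRepository"})
        @Bean
        public CsrfTokenRepository webAuthnCsrfTokenRepository() {
            return new HttpSessionCsrfTokenRepository();
        }

        /**
         * Requires CSRF protection for requests matching {@code /webauthn/**}, using the
         * {@code webAuthnCsrfTokenRepository} bean. If that bean is absent the CSRF
         * configurer is left untouched, i.e. no WebAuthn-specific CSRF rule is installed.
         *
         * @param objectProvider provider of the CSRF token repository
         * @return the security configurer
         */
        @Bean
        public ProtocolEndpointWebSecurityConfigurer<HttpSecurity> webAuthnProtocolEndpointConfigurer(
            @Qualifier("webAuthnCsrfTokenRepository") final ObjectProvider<CsrfTokenRepository> objectProvider) {
            return new ProtocolEndpointWebSecurityConfigurer<HttpSecurity>() {
                @Override
                public ProtocolEndpointWebSecurityConfigurer<HttpSecurity> configure(final HttpSecurity httpSecurity) {
                    httpSecurity.csrf(csrfConfigurer -> {
                        final AntPathRequestMatcher webAuthnPaths = new AntPathRequestMatcher("/webauthn/**");
                        objectProvider.ifAvailable(csrfTokenRepository ->
                            csrfConfigurer.requireCsrfProtectionMatcher(webAuthnPaths).csrfTokenRepository(csrfTokenRepository));
                    });
                    return this;
                }
            };
        }
    }

    /**
     * The Yubico {@link WebAuthnServer} and the {@link RelyingParty} it validates against.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnServerConfiguration", proxyBeanMethods = false)
    public static class WebAuthnServerConfiguration {

        /**
         * Builds the relying party from {@code cas.authn.mfa.web-authn.core}, falling back to
         * {@code cas.server.name} where a value is unset:
         * <ul>
         *   <li>app id: {@code application-id}, else the server name;</li>
         *   <li>RP id: {@code relying-party-id}, else the host of the server name URL;</li>
         *   <li>RP name: {@code relying-party-name}, else {@code "CAS"};</li>
         *   <li>origins: the comma-separated {@code allowed-origins}, else the server name alone.</li>
         * </ul>
         * Attestation conveyance, unrequested-extension and untrusted-attestation allowances and
         * signature-counter validation are passed straight through from the same properties;
         * the last three are the settings that loosen or tighten authenticator verification.
         *
         * @param casConfigurationProperties   CAS properties
         * @param webAuthnCredentialRepository the {@code webAuthnCredentialRepository} bean
         * @param metadataService              the {@code webAuthnMetadataService} bean
         * @param sessionManager               the {@code webAuthnSessionManager} bean
         * @return the server
         * @throws Exception if {@code cas.server.name} is not a well-formed URL
         */
        @ConditionalOnMissingBean(name = {"webAuthnServer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public WebAuthnServer webAuthnServer(
            final CasConfigurationProperties casConfigurationProperties,
            @Qualifier("webAuthnCredentialRepository") final WebAuthnCredentialRepository webAuthnCredentialRepository,
            @Qualifier("webAuthnMetadataService") final MetadataService metadataService,
            @Qualifier("webAuthnSessionManager") final SessionManager sessionManager) throws Exception {
            final WebAuthnMultifactorAuthenticationCoreProperties core =
                casConfigurationProperties.getAuthn().getMfa().getWebAuthn().getCore();
            final String serverName = casConfigurationProperties.getServer().getName();

            final AppId appId = new AppId(StringUtils.defaultString(core.getApplicationId(), serverName));
            // The server-name URL is parsed eagerly, so a malformed cas.server.name fails startup here.
            final String relyingPartyId = StringUtils.defaultString(core.getRelyingPartyId(), new URL(serverName).getHost());
            final RelyingPartyIdentity identity = RelyingPartyIdentity.builder()
                .id(relyingPartyId)
                .name(StringUtils.defaultString(core.getRelyingPartyName(), "CAS"))
                .build();

            final LinkedHashSet<String> origins = new LinkedHashSet<>();
            if (StringUtils.isNotBlank(core.getAllowedOrigins())) {
                origins.addAll(org.springframework.util.StringUtils.commaDelimitedListToSet(core.getAllowedOrigins()));
            } else {
                origins.add(serverName);
            }

            // Locale.ROOT: the enum lookup must not depend on the JVM default locale's casing rules.
            final AttestationConveyancePreference conveyance = AttestationConveyancePreference.valueOf(
                core.getAttestationConveyancePreference().toUpperCase(Locale.ROOT));

            final RelyingParty relyingParty = RelyingParty.builder()
                .identity(identity)
                .credentialRepository(webAuthnCredentialRepository)
                .origins(origins)
                .attestationConveyancePreference(conveyance)
                .metadataService(metadataService)
                .allowUnrequestedExtensions(core.isAllowUnrequestedExtensions())
                .allowUntrustedAttestation(core.isAllowUntrustedAttestation())
                .validateSignatureCounter(core.isValidateSignatureCounter())
                .appId(appId)
                .build();

            return new WebAuthnServer(webAuthnCredentialRepository, newCache(), newCache(), relyingParty, sessionManager);
        }
    }

    /**
     * Bounded, access-expiring cache handed to the {@link WebAuthnServer} (one per call).
     * Entries are capped at {@link #CACHE_MAX_SIZE} and dropped after {@link #CACHE_EXPIRY}
     * without access.
     *
     * @param <K> key type
     * @param <V> value type
     * @return a fresh cache
     */
    private static <K, V> Cache<K, V> newCache() {
        return CacheBuilder.newBuilder()
            .maximumSize(CACHE_MAX_SIZE)
            .expireAfterAccess(CACHE_EXPIRY)
            .build();
    }
}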
