package org.apereo.cas.config;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.yubico.core.DefaultSessionManager;
import com.yubico.core.InMemoryRegistrationStorage;
import com.yubico.core.SessionManager;
import com.yubico.core.WebAuthnServer;
import com.yubico.webauthn.RelyingParty;
import com.yubico.webauthn.attestation.AttestationMetadataSource;
import com.yubico.webauthn.attestation.AttestationTrustSource;
import com.yubico.webauthn.attestation.MetadataObject;
import com.yubico.webauthn.attestation.YubicoJsonMetadataService;
import com.yubico.webauthn.data.AttestationConveyancePreference;
import com.yubico.webauthn.data.RelyingPartyIdentity;
import com.yubico.webauthn.extension.appid.AppId;
import java.net.URL;
import java.time.Duration;
import java.util.LinkedHashSet;
import java.util.List;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationMetaDataPopulator;
import org.apereo.cas.authentication.MultifactorAuthenticationFailureModeEvaluator;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.bypass.MultifactorAuthenticationProviderBypassEvaluator;
import org.apereo.cas.authentication.handler.ByCredentialTypeAuthenticationHandlerResolver;
import org.apereo.cas.authentication.metadata.AuthenticationContextAttributeMetaDataPopulator;
import org.apereo.cas.authentication.metadata.MultifactorAuthenticationProviderMetadataPopulator;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAuthenticationCoreProperties;
import org.apereo.cas.configuration.model.support.mfa.webauthn.WebAuthnMultifactorAuthenticationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.cipher.CipherExecutorUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.spring.beans.BeanCondition;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.ProtocolEndpointWebSecurityConfigurer;
import org.apereo.cas.webauthn.WebAuthnAuthenticationHandler;
import org.apereo.cas.webauthn.WebAuthnCredential;
import org.apereo.cas.webauthn.WebAuthnCredentialRegistrationCipherExecutor;
import org.apereo.cas.webauthn.WebAuthnMultifactorAuthenticationProvider;
import org.apereo.cas.webauthn.storage.JsonResourceWebAuthnCredentialRepository;
import org.apereo.cas.webauthn.storage.WebAuthnCredentialRepository;
import org.apereo.cas.webauthn.web.WebAuthnController;
import org.apereo.cas.webauthn.web.WebAuthnRegisteredDevicesEndpoint;
import org.apereo.inspektr.common.Cleanable;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.actuate.autoconfigure.endpoint.condition.ConditionalOnAvailableEndpoint;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.Resource;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@AutoConfiguration
@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.WebAuthn)
/* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration.class */
public class WebAuthnConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(WebAuthnConfiguration.class);
    private static final BeanCondition CONDITION = BeanCondition.on("cas.authn.mfa.web-authn.core.enabled").isTrue().evenIfMissing();
    private static final int CACHE_MAX_SIZE = 10000;

    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnAuthenticationPlanConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnAuthenticationPlanConfiguration.class */
    public static class WebAuthnAuthenticationPlanConfiguration {
        @ConditionalOnMissingBean(name = {"webAuthnAuthenticationEventExecutionPlanConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationEventExecutionPlanConfigurer webAuthnAuthenticationEventExecutionPlanConfigurer(ConfigurableApplicationContext configurableApplicationContext, @Qualifier("webAuthnMultifactorProviderAuthenticationMetadataPopulator") AuthenticationMetaDataPopulator authenticationMetaDataPopulator, @Qualifier("webAuthnAuthenticationHandler") AuthenticationHandler authenticationHandler, @Qualifier("webAuthnAuthenticationMetaDataPopulator") AuthenticationMetaDataPopulator authenticationMetaDataPopulator2) throws Exception {
            return (AuthenticationEventExecutionPlanConfigurer) BeanSupplier.of(AuthenticationEventExecutionPlanConfigurer.class).when(WebAuthnConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment())).supply(() -> {
                return authenticationEventExecutionPlan -> {
                    authenticationEventExecutionPlan.registerAuthenticationHandler(authenticationHandler);
                    authenticationEventExecutionPlan.registerAuthenticationMetadataPopulator(authenticationMetaDataPopulator2);
                    authenticationEventExecutionPlan.registerAuthenticationMetadataPopulator(authenticationMetaDataPopulator);
                    authenticationEventExecutionPlan.registerAuthenticationHandlerResolver(new ByCredentialTypeAuthenticationHandlerResolver(new Class[]{WebAuthnCredential.class}));
                };
            }).otherwiseProxy().get();
        }
    }

    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnCoreConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnCoreConfiguration.class */
    public static class WebAuthnCoreConfiguration {
        @ConditionalOnMissingBean(name = {"webAuthnSessionManager"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public SessionManager webAuthnSessionManager(ConfigurableApplicationContext configurableApplicationContext) {
            return (SessionManager) BeanSupplier.of(SessionManager.class).when(WebAuthnConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment())).supply(DefaultSessionManager::new).otherwiseProxy().get();
        }

        @ConditionalOnMissingBean(name = {"webAuthnPrincipalFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public PrincipalFactory webAuthnPrincipalFactory() {
            return PrincipalFactoryUtils.newPrincipalFactory();
        }
    }

    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnDeviceRepositoryCleanerScheduler.class */
    public static class WebAuthnDeviceRepositoryCleanerScheduler implements Cleanable {
        private final WebAuthnCredentialRepository repository;

        @Scheduled(initialDelayString = "${cas.authn.mfa.web-authn.cleaner.schedule.start-delay:PT20S}", fixedDelayString = "${cas.authn.mfa.web-authn.cleaner.schedule.repeat-interval:PT5M}")
        public void clean() {
            WebAuthnConfiguration.LOGGER.debug("Starting to clean expired devices from repository");
            this.repository.clean();
        }

        @Generated
        public WebAuthnDeviceRepositoryCleanerScheduler(WebAuthnCredentialRepository webAuthnCredentialRepository) {
            this.repository = webAuthnCredentialRepository;
        }
    }

    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnHandlerConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnHandlerConfiguration.class */
    public static class WebAuthnHandlerConfiguration {
        @ConditionalOnMissingBean(name = {"webAuthnAuthenticationHandler"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationHandler webAuthnAuthenticationHandler(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties, @Qualifier("webAuthnPrincipalFactory") PrincipalFactory principalFactory, @Qualifier("webAuthnCredentialRepository") WebAuthnCredentialRepository webAuthnCredentialRepository, @Qualifier("webAuthnMultifactorAuthenticationProvider") ObjectProvider<MultifactorAuthenticationProvider> objectProvider, @Qualifier("webAuthnSessionManager") SessionManager sessionManager, @Qualifier("servicesManager") ServicesManager servicesManager) throws Exception {
            return (AuthenticationHandler) BeanSupplier.of(AuthenticationHandler.class).when(WebAuthnConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment())).supply(() -> {
                WebAuthnMultifactorAuthenticationProperties webAuthn = casConfigurationProperties.getAuthn().getMfa().getWebAuthn();
                return new WebAuthnAuthenticationHandler(webAuthn.getName(), servicesManager, principalFactory, webAuthnCredentialRepository, sessionManager, Integer.valueOf(webAuthn.getOrder()), objectProvider);
            }).otherwiseProxy().get();
        }
    }

    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnMetadataConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnMetadataConfiguration.class */
    public static class WebAuthnMetadataConfiguration {
        @ConditionalOnMissingBean(name = {"webAuthnMultifactorProviderAuthenticationMetadataPopulator"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationMetaDataPopulator webAuthnMultifactorProviderAuthenticationMetadataPopulator(@Qualifier("servicesManager") ServicesManager servicesManager, CasConfigurationProperties casConfigurationProperties, @Qualifier("webAuthnMultifactorAuthenticationProvider") ObjectProvider<MultifactorAuthenticationProvider> objectProvider) {
            return new MultifactorAuthenticationProviderMetadataPopulator(casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(), objectProvider, servicesManager);
        }

        @ConditionalOnMissingBean(name = {"webAuthnAuthenticationMetaDataPopulator"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationMetaDataPopulator webAuthnAuthenticationMetaDataPopulator(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties, @Qualifier("webAuthnAuthenticationHandler") AuthenticationHandler authenticationHandler, @Qualifier("webAuthnMultifactorAuthenticationProvider") MultifactorAuthenticationProvider multifactorAuthenticationProvider) throws Exception {
            return (AuthenticationMetaDataPopulator) BeanSupplier.of(AuthenticationMetaDataPopulator.class).when(WebAuthnConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment())).supply(() -> {
                return new AuthenticationContextAttributeMetaDataPopulator(casConfigurationProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute(), authenticationHandler, multifactorAuthenticationProvider.getId());
            }).otherwiseProxy().get();
        }
    }

    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnMetadataServiceConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnMetadataServiceConfiguration.class */
    public static class WebAuthnMetadataServiceConfiguration {
        @ConditionalOnMissingBean(name = {"webAuthnMetadataService"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AttestationMetadataSource webAuthnMetadataService(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties) {
            return (AttestationMetadataSource) BeanSupplier.of(AttestationMetadataSource.class).when(WebAuthnConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment())).supply(Unchecked.supplier(() -> {
                return new YubicoJsonMetadataService(List.of(MetadataObject.readMetadata(casConfigurationProperties.getAuthn().getMfa().getWebAuthn().getCore().getTrustedDeviceMetadata().getLocation().getInputStream())));
            })).otherwiseProxy().get();
        }
    }

    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnRepositoryConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnRepositoryConfiguration.class */
    public static class WebAuthnRepositoryConfiguration {

        @EnableConfigurationProperties({CasConfigurationProperties.class})
        @Configuration(value = "WebAuthnControllerConfiguration", proxyBeanMethods = false)
        /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnRepositoryConfiguration$WebAuthnControllerConfiguration.class */
        public static class WebAuthnControllerConfiguration {
            @ConditionalOnAvailableEndpoint
            @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
            @Bean
            public WebAuthnRegisteredDevicesEndpoint webAuthnRegisteredDevicesEndpoint(CasConfigurationProperties casConfigurationProperties, @Qualifier("webAuthnCredentialRepository") ObjectProvider<WebAuthnCredentialRepository> objectProvider) {
                return new WebAuthnRegisteredDevicesEndpoint(casConfigurationProperties, objectProvider);
            }

            @ConditionalOnMissingBean(name = {"webAuthnController"})
            @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
            @Bean
            public WebAuthnController webAuthnController(@Qualifier("webAuthnServer") WebAuthnServer webAuthnServer) {
                return new WebAuthnController(webAuthnServer);
            }
        }

        @EnableConfigurationProperties({CasConfigurationProperties.class})
        @Configuration(value = "WebAuthnCryptoConfiguration", proxyBeanMethods = false)
        /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnRepositoryConfiguration$WebAuthnCryptoConfiguration.class */
        public static class WebAuthnCryptoConfiguration {
            @ConditionalOnMissingBean(name = {"webAuthnCredentialRegistrationCipherExecutor"})
            @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
            @Bean
            public CipherExecutor webAuthnCredentialRegistrationCipherExecutor(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties) throws Exception {
                return (CipherExecutor) BeanSupplier.of(CipherExecutor.class).when(WebAuthnConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment())).supply(() -> {
                    EncryptionJwtSigningJwtCryptographyProperties crypto = casConfigurationProperties.getAuthn().getMfa().getWebAuthn().getCrypto();
                    if (crypto.isEnabled()) {
                        return CipherExecutorUtils.newStringCipherExecutor(crypto, WebAuthnCredentialRegistrationCipherExecutor.class);
                    }
                    WebAuthnConfiguration.LOGGER.trace("Web Authn credential registration records managed by CAS are not signed/encrypted.");
                    return CipherExecutor.noOp();
                }).otherwiseProxy().get();
            }
        }

        @EnableConfigurationProperties({CasConfigurationProperties.class})
        @Configuration(value = "WebAuthnMultifactorProviderConfiguration", proxyBeanMethods = false)
        /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnRepositoryConfiguration$WebAuthnMultifactorProviderConfiguration.class */
        public static class WebAuthnMultifactorProviderConfiguration {
            @ConditionalOnMissingBean(name = {"webAuthnMultifactorAuthenticationProvider"})
            @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
            @Bean
            public MultifactorAuthenticationProvider webAuthnMultifactorAuthenticationProvider(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties, @Qualifier("failureModeEvaluator") MultifactorAuthenticationFailureModeEvaluator multifactorAuthenticationFailureModeEvaluator, @Qualifier("webAuthnBypassEvaluator") MultifactorAuthenticationProviderBypassEvaluator multifactorAuthenticationProviderBypassEvaluator) throws Exception {
                return (MultifactorAuthenticationProvider) BeanSupplier.of(MultifactorAuthenticationProvider.class).when(WebAuthnConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment())).supply(() -> {
                    WebAuthnMultifactorAuthenticationProperties webAuthn = casConfigurationProperties.getAuthn().getMfa().getWebAuthn();
                    WebAuthnMultifactorAuthenticationProvider webAuthnMultifactorAuthenticationProvider = new WebAuthnMultifactorAuthenticationProvider();
                    webAuthnMultifactorAuthenticationProvider.setBypassEvaluator(multifactorAuthenticationProviderBypassEvaluator);
                    webAuthnMultifactorAuthenticationProvider.setFailureMode(webAuthn.getFailureMode());
                    webAuthnMultifactorAuthenticationProvider.setFailureModeEvaluator(multifactorAuthenticationFailureModeEvaluator);
                    webAuthnMultifactorAuthenticationProvider.setOrder(webAuthn.getRank());
                    webAuthnMultifactorAuthenticationProvider.setId(webAuthn.getId());
                    return webAuthnMultifactorAuthenticationProvider;
                }).otherwiseProxy().get();
            }
        }

        @Configuration(value = "WebAuthnSecurityConfiguration", proxyBeanMethods = false)
        @Order(999)
        /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnRepositoryConfiguration$WebAuthnSecurityConfiguration.class */
        public static class WebAuthnSecurityConfiguration {
            @ConditionalOnMissingBean(name = {"webAuthnCsrfTokenRepository"})
            @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
            @Bean
            public CsrfTokenRepository webAuthnCsrfTokenRepository() {
                return new HttpSessionCsrfTokenRepository();
            }

            @ConditionalOnMissingBean(name = {"webAuthnProtocolEndpointConfigurer"})
            @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
            @Bean
            public ProtocolEndpointWebSecurityConfigurer<HttpSecurity> webAuthnProtocolEndpointConfigurer(@Qualifier("webAuthnCsrfTokenRepository") final ObjectProvider<CsrfTokenRepository> objectProvider) {
                return new ProtocolEndpointWebSecurityConfigurer<HttpSecurity>() { // from class: org.apereo.cas.config.WebAuthnConfiguration.WebAuthnRepositoryConfiguration.WebAuthnSecurityConfiguration.1
                    public ProtocolEndpointWebSecurityConfigurer<HttpSecurity> configure(HttpSecurity httpSecurity) {
                        ObjectProvider objectProvider2 = objectProvider;
                        Unchecked.consumer(obj -> {
                            httpSecurity.csrf(csrfConfigurer -> {
                                AntPathRequestMatcher antPathRequestMatcher = new AntPathRequestMatcher("/webauthn/**");
                                objectProvider2.ifAvailable(csrfTokenRepository -> {
                                    csrfConfigurer.requireCsrfProtectionMatcher(antPathRequestMatcher).csrfTokenRepository(csrfTokenRepository);
                                });
                            });
                        }).accept(httpSecurity);
                        return this;
                    }
                };
            }
        }

        @ConditionalOnMissingBean(name = {"webAuthnCredentialRepository"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public WebAuthnCredentialRepository webAuthnCredentialRepository(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties, @Qualifier("webAuthnCredentialRegistrationCipherExecutor") CipherExecutor cipherExecutor) throws Exception {
            return (WebAuthnCredentialRepository) BeanSupplier.of(WebAuthnCredentialRepository.class).when(WebAuthnConfiguration.CONDITION.given(configurableApplicationContext.getEnvironment())).supply(() -> {
                Resource location = casConfigurationProperties.getAuthn().getMfa().getWebAuthn().getJson().getLocation();
                return location != null ? new JsonResourceWebAuthnCredentialRepository(casConfigurationProperties, location, cipherExecutor) : new InMemoryRegistrationStorage(casConfigurationProperties, cipherExecutor);
            }).otherwiseProxy().get();
        }
    }

    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnSchedulerConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnSchedulerConfiguration.class */
    public static class WebAuthnSchedulerConfiguration {
        @ConditionalOnMissingBean(name = {"webAuthnDeviceRepositoryCleanerScheduler"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public Cleanable webAuthnDeviceRepositoryCleanerScheduler(ConfigurableApplicationContext configurableApplicationContext, @Qualifier("webAuthnCredentialRepository") WebAuthnCredentialRepository webAuthnCredentialRepository) throws Exception {
            return (Cleanable) BeanSupplier.of(Cleanable.class).when(BeanCondition.on("cas.authn.mfa.web-authn.cleaner.enabled").isTrue().evenIfMissing().given(configurableApplicationContext.getEnvironment())).supply(() -> {
                return new WebAuthnDeviceRepositoryCleanerScheduler(webAuthnCredentialRepository);
            }).otherwiseProxy().get();
        }
    }

    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "WebAuthnServerConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/WebAuthnConfiguration$WebAuthnServerConfiguration.class */
    public static class WebAuthnServerConfiguration {
        @ConditionalOnMissingBean(name = {"webAuthnServer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public WebAuthnServer webAuthnServer(CasConfigurationProperties casConfigurationProperties, @Qualifier("webAuthnCredentialRepository") WebAuthnCredentialRepository webAuthnCredentialRepository, @Qualifier("webAuthnMetadataService") AttestationTrustSource attestationTrustSource, @Qualifier("webAuthnSessionManager") SessionManager sessionManager) throws Exception {
            WebAuthnMultifactorAuthenticationCoreProperties core = casConfigurationProperties.getAuthn().getMfa().getWebAuthn().getCore();
            String name = casConfigurationProperties.getServer().getName();
            AppId appId = new AppId(StringUtils.defaultString(core.getApplicationId(), name));
            RelyingPartyIdentity build = RelyingPartyIdentity.builder().id(StringUtils.defaultString(core.getRelyingPartyId(), new URL(name).getHost())).name(StringUtils.defaultString(core.getRelyingPartyName(), "CAS")).build();
            LinkedHashSet linkedHashSet = new LinkedHashSet();
            if (StringUtils.isNotBlank(core.getAllowedOrigins())) {
                linkedHashSet.addAll(org.springframework.util.StringUtils.commaDelimitedListToSet(core.getAllowedOrigins()));
            } else {
                linkedHashSet.add(name);
            }
            return new WebAuthnServer(webAuthnCredentialRepository, WebAuthnConfiguration.newCache(), WebAuthnConfiguration.newCache(), RelyingParty.builder().identity(build).credentialRepository(webAuthnCredentialRepository).origins(linkedHashSet).attestationConveyancePreference(AttestationConveyancePreference.valueOf(core.getAttestationConveyancePreference().toUpperCase())).attestationTrustSource(attestationTrustSource).allowUntrustedAttestation(core.isAllowUntrustedAttestation()).validateSignatureCounter(core.isValidateSignatureCounter()).appId(appId).build(), sessionManager);
        }
    }

    private static <K, V> Cache<K, V> newCache() {
        return CacheBuilder.newBuilder().maximumSize(10000L).expireAfterAccess(Duration.ofMinutes(5L)).build();
    }
}
