package org.apereo.cas.pm.config;

import lombok.Generated;
import org.apereo.cas.audit.AuditActionResolvers;
import org.apereo.cas.audit.AuditPrincipalResolvers;
import org.apereo.cas.audit.AuditResourceResolvers;
import org.apereo.cas.audit.AuditTrailConstants;
import org.apereo.cas.audit.AuditTrailRecordResolutionPlanConfigurer;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.support.pm.PasswordHistoryProperties;
import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties;
import org.apereo.cas.notifications.CommunicationsManager;
import org.apereo.cas.pm.PasswordHistoryService;
import org.apereo.cas.pm.PasswordManagementService;
import org.apereo.cas.pm.PasswordResetTokenCipherExecutor;
import org.apereo.cas.pm.PasswordResetUrlBuilder;
import org.apereo.cas.pm.PasswordValidationService;
import org.apereo.cas.pm.impl.DefaultPasswordResetUrlBuilder;
import org.apereo.cas.pm.impl.DefaultPasswordValidationService;
import org.apereo.cas.pm.impl.GroovyResourcePasswordManagementService;
import org.apereo.cas.pm.impl.JsonResourcePasswordManagementService;
import org.apereo.cas.pm.impl.NoOpPasswordManagementService;
import org.apereo.cas.pm.impl.history.AmnesiacPasswordHistoryService;
import org.apereo.cas.pm.impl.history.GroovyPasswordHistoryService;
import org.apereo.cas.pm.impl.history.InMemoryPasswordHistoryService;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.cipher.CipherExecutorUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.inspektr.audit.spi.AuditResourceResolver;
import org.apereo.inspektr.audit.spi.support.BooleanAuditActionResolver;
import org.apereo.inspektr.audit.spi.support.DefaultAuditActionResolver;
import org.apereo.inspektr.audit.spi.support.FirstParameterAuditResourceResolver;
import org.apereo.inspektr.audit.spi.support.ShortenedReturnValueAsStringAuditResourceResolver;
import org.apereo.inspektr.audit.spi.support.SpringWebflowActionExecutionAuditablePrincipalResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.core.io.Resource;

/**
 * Auto-configuration that wires the CAS password-management beans: audit
 * resolvers, the reset-token cipher, the password storage service, password
 * history and password validation.
 *
 * <p>The whole configuration is only active when the {@code PasswordManagement}
 * feature is enabled. Most beans additionally consult
 * {@code cas.authn.pm.core.enabled} (the property named in the log messages
 * below) and fall back to inert implementations when it is off.
 *
 * <p>NOTE(review): the {@code loaded from} markers suggest this listing is
 * decompiler output for {@code cas-server-support-pm-6.6.14.jar}; treat local
 * names and formatting as reconstructed.
 */
@AutoConfiguration
@EnableConfigurationProperties(CasConfigurationProperties.class)
@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.PasswordManagement)
/* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-6.6.14.jar:org/apereo/cas/pm/config/PasswordManagementConfiguration.class */
public class PasswordManagementConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(PasswordManagementConfiguration.class);

    /**
     * Registers the audit action, resource and principal resolvers used for
     * "change password" and "request change password" audit records.
     */
    @Configuration(value = "PasswordManagementAuditConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-6.6.14.jar:org/apereo/cas/pm/config/PasswordManagementConfiguration$PasswordManagementAuditConfiguration.class */
    public static class PasswordManagementAuditConfiguration {

        /**
         * Supplies a {@link ShortenedReturnValueAsStringAuditResourceResolver}
         * unless a bean with this name is already defined.
         *
         * @return the resource resolver bean
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "passwordManagementReturnValueResourceResolver")
        public AuditResourceResolver passwordManagementReturnValueResourceResolver() {
            return new ShortenedReturnValueAsStringAuditResourceResolver();
        }

        /**
         * Contributes the password-management resolvers to the audit trail
         * resolution plan.
         *
         * <p>NOTE(review): the injected resolver is qualified as
         * {@code returnValueResourceResolver}, not the
         * {@code passwordManagementReturnValueResourceResolver} bean declared
         * in this class; confirm that is intentional, since it decides what is
         * written to the audit log for reset requests.
         *
         * @param auditResourceResolver resolver used for the
         *                              "request change password" resource
         * @return a configurer that registers the resolvers on the plan
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "passwordManagementAuditTrailRecordResolutionPlanConfigurer")
        public AuditTrailRecordResolutionPlanConfigurer passwordManagementAuditTrailRecordResolutionPlanConfigurer(
                @Qualifier("returnValueResourceResolver") final AuditResourceResolver auditResourceResolver) {
            return plan -> {
                // Password change: boolean outcome mapped to the success/failed postfixes.
                plan.registerAuditActionResolver(
                        AuditActionResolvers.CHANGE_PASSWORD_ACTION_RESOLVER,
                        new BooleanAuditActionResolver(
                                AuditTrailConstants.AUDIT_ACTION_POSTFIX_SUCCESS,
                                AuditTrailConstants.AUDIT_ACTION_POSTFIX_FAILED));
                // NOTE(review): the audited resource is the method's first parameter;
                // confirm its string form never includes the submitted password.
                plan.registerAuditResourceResolver(
                        AuditResourceResolvers.CHANGE_PASSWORD_RESOURCE_RESOLVER,
                        new FirstParameterAuditResourceResolver());

                // Password change request (reset flow).
                plan.registerAuditActionResolver(
                        AuditActionResolvers.REQUEST_CHANGE_PASSWORD_ACTION_RESOLVER,
                        new DefaultAuditActionResolver());
                plan.registerAuditResourceResolver(
                        AuditResourceResolvers.REQUEST_CHANGE_PASSWORD_RESOURCE_RESOLVER,
                        auditResourceResolver);
                plan.registerAuditPrincipalResolver(
                        AuditPrincipalResolvers.REQUEST_CHANGE_PASSWORD_PRINCIPAL_RESOLVER,
                        new SpringWebflowActionExecutionAuditablePrincipalResolver("username"));
            };
        }
    }

    /**
     * Provides the cipher executor used by password management.
     */
    @Configuration(value = "PasswordManagementCipherConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-6.6.14.jar:org/apereo/cas/pm/config/PasswordManagementConfiguration$PasswordManagementCipherConfiguration.class */
    public static class PasswordManagementCipherConfiguration {

        /**
         * Builds a {@link PasswordResetTokenCipherExecutor} from the reset
         * crypto settings when both password management and reset crypto are
         * enabled; otherwise returns {@link CipherExecutor#noOp()}.
         *
         * <p>NOTE(review): a no-op executor presumably neither signs nor
         * encrypts, so whatever the reset flow passes through it would be
         * unprotected. Confirm before disabling the reset crypto settings in a
         * deployment that has password management enabled.
         *
         * @param casConfigurationProperties CAS settings
         * @return the cipher executor bean
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "passwordManagementCipherExecutor")
        public CipherExecutor passwordManagementCipherExecutor(final CasConfigurationProperties casConfigurationProperties) {
            final PasswordManagementProperties pmProperties = casConfigurationProperties.getAuthn().getPm();
            final EncryptionJwtSigningJwtCryptographyProperties resetCrypto = pmProperties.getReset().getCrypto();
            if (pmProperties.getCore().isEnabled() && resetCrypto.isEnabled()) {
                return CipherExecutorUtils.newStringCipherExecutor(resetCrypto, PasswordResetTokenCipherExecutor.class);
            }
            return CipherExecutor.noOp();
        }
    }

    /**
     * Core beans: the reset URL builder, the password storage service and a
     * startup check of the communications manager.
     */
    @Configuration(value = "PasswordManagementCoreConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-6.6.14.jar:org/apereo/cas/pm/config/PasswordManagementConfiguration$PasswordManagementCoreConfiguration.class */
    public static class PasswordManagementCoreConfiguration {

        /**
         * Creates the default password reset URL builder.
         *
         * @param casConfigurationProperties CAS settings
         * @param passwordManagementService  the {@code passwordChangeService} bean
         * @param ticketRegistry             the ticket registry
         * @param ticketFactory              the default ticket factory
         * @return the URL builder bean
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = PasswordResetUrlBuilder.BEAN_NAME)
        public PasswordResetUrlBuilder passwordResetUrlBuilder(
                final CasConfigurationProperties casConfigurationProperties,
                @Qualifier("passwordChangeService") final PasswordManagementService passwordManagementService,
                @Qualifier("ticketRegistry") final TicketRegistry ticketRegistry,
                @Qualifier("defaultTicketFactory") final TicketFactory ticketFactory) {
            return new DefaultPasswordResetUrlBuilder(
                    passwordManagementService, ticketRegistry, ticketFactory, casConfigurationProperties);
        }

        /**
         * Selects the password storage service.
         *
         * <p>Order of preference when password management is enabled: a JSON
         * resource, then a Groovy resource. If neither location is set, or the
         * feature is disabled, a {@link NoOpPasswordManagementService} is
         * returned and a message is logged.
         *
         * <p>NOTE(review): both resource locations come from configuration.
         * The Groovy resource is presumably executed inside the CAS process and
         * the JSON resource presumably holds account data, so both files should
         * be writable only by administrators; confirm how each stores
         * credentials.
         *
         * @param casConfigurationProperties CAS settings
         * @param cipherExecutor             the password management cipher
         * @param passwordHistoryService     the password history service
         * @return the storage service bean
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = PasswordManagementService.DEFAULT_BEAN_NAME)
        public PasswordManagementService passwordChangeService(
                final CasConfigurationProperties casConfigurationProperties,
                @Qualifier("passwordManagementCipherExecutor") final CipherExecutor cipherExecutor,
                @Qualifier("passwordHistoryService") final PasswordHistoryService passwordHistoryService) {
            final PasswordManagementProperties pmProperties = casConfigurationProperties.getAuthn().getPm();

            if (!pmProperties.getCore().isEnabled()) {
                LOGGER.debug("Password management is disabled. To enable the password management functionality, add 'cas.authn.pm.core.enabled=true' to the CAS configuration and then configure storage options for account updates");
                return new NoOpPasswordManagementService(
                        cipherExecutor,
                        casConfigurationProperties.getServer().getPrefix(),
                        casConfigurationProperties.getAuthn().getPm());
            }

            final Resource jsonLocation = pmProperties.getJson().getLocation();
            if (jsonLocation != null) {
                LOGGER.debug("Configuring password management based on JSON resource [{}]", jsonLocation);
                return new JsonResourcePasswordManagementService(
                        cipherExecutor,
                        casConfigurationProperties.getServer().getPrefix(),
                        casConfigurationProperties.getAuthn().getPm(),
                        jsonLocation,
                        passwordHistoryService);
            }

            final Resource groovyLocation = pmProperties.getGroovy().getLocation();
            if (groovyLocation != null) {
                LOGGER.debug("Configuring password management based on Groovy resource [{}]", groovyLocation);
                return new GroovyResourcePasswordManagementService(
                        cipherExecutor,
                        casConfigurationProperties.getServer().getPrefix(),
                        casConfigurationProperties.getAuthn().getPm(),
                        groovyLocation,
                        passwordHistoryService);
            }

            // Enabled but no backing store: warn loudly, then fall back to the no-op service.
            LOGGER.warn("No storage service is configured to handle the account update and password service operations. Password management functionality will have no effect and will be disabled until a storage service is configured. To explicitly disable the password management, add 'cas.authn.pm.core.enabled=false' to the CAS configuration");
            return new NoOpPasswordManagementService(
                    cipherExecutor,
                    casConfigurationProperties.getServer().getPrefix(),
                    casConfigurationProperties.getAuthn().getPm());
        }

        /**
         * Validates the communications manager once the context is
         * initialized, but only when password management is enabled.
         *
         * @param casConfigurationProperties CAS settings
         * @param communicationsManager      the communications manager to validate
         * @return the initializing callback
         */
        @Bean
        public InitializingBean afterPropertiesSet(
                final CasConfigurationProperties casConfigurationProperties,
                @Qualifier("communicationsManager") final CommunicationsManager communicationsManager) {
            return () -> {
                final boolean pmEnabled = casConfigurationProperties.getAuthn().getPm().getCore().isEnabled();
                if (pmEnabled) {
                    communicationsManager.validate();
                }
            };
        }
    }

    /**
     * Provides the password history service.
     */
    @Configuration(value = "PasswordManagementHistoryConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-6.6.14.jar:org/apereo/cas/pm/config/PasswordManagementConfiguration$PasswordManagementHistoryConfiguration.class */
    public static class PasswordManagementHistoryConfiguration {

        /**
         * Chooses the history implementation: Groovy-backed when a Groovy
         * location is configured, in-memory otherwise, and
         * {@link AmnesiacPasswordHistoryService} when password management or
         * history tracking is disabled.
         *
         * <p>NOTE(review): judging by the class names, the in-memory variant
         * presumably loses history on restart and is not shared between nodes,
         * and the amnesiac variant presumably records nothing; confirm before
         * relying on history for password-reuse enforcement.
         *
         * @param casConfigurationProperties CAS settings
         * @return the password history bean
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = PasswordHistoryService.BEAN_NAME)
        public PasswordHistoryService passwordHistoryService(final CasConfigurationProperties casConfigurationProperties) {
            final PasswordManagementProperties pmProperties = casConfigurationProperties.getAuthn().getPm();
            final PasswordHistoryProperties historyProperties = pmProperties.getHistory();

            if (!pmProperties.getCore().isEnabled() || !historyProperties.getCore().isEnabled()) {
                return new AmnesiacPasswordHistoryService();
            }
            if (historyProperties.getGroovy().getLocation() == null) {
                return new InMemoryPasswordHistoryService();
            }
            return new GroovyPasswordHistoryService(historyProperties.getGroovy().getLocation());
        }
    }

    /**
     * Provides the password validation service.
     */
    @Configuration(value = "PasswordManagementValidationConfiguration", proxyBeanMethods = false)
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    /* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-6.6.14.jar:org/apereo/cas/pm/config/PasswordManagementConfiguration$PasswordManagementValidationConfiguration.class */
    public static class PasswordManagementValidationConfiguration {

        /**
         * Creates the default validation service from the configured password
         * policy pattern and the password history service.
         *
         * <p>Unlike the other beans in this file, this one does not check
         * whether password management is enabled.
         *
         * @param casConfigurationProperties CAS settings
         * @param passwordHistoryService     the password history service
         * @return the validation service bean
         */
        @Bean
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @ConditionalOnMissingBean(name = "passwordValidationService")
        public PasswordValidationService passwordValidationService(
                final CasConfigurationProperties casConfigurationProperties,
                @Qualifier("passwordHistoryService") final PasswordHistoryService passwordHistoryService) {
            final String policyPattern =
                    casConfigurationProperties.getAuthn().getPm().getCore().getPasswordPolicyPattern();
            return new DefaultPasswordValidationService(policyPattern, passwordHistoryService);
        }
    }
}
