package org.apereo.cas.config;

import com.okta.authn.sdk.client.AuthenticationClient;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.CoreAuthenticationUtils;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.PrincipalNameTransformerUtils;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.support.password.PasswordEncoderUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.support.okta.OktaAuthenticationProperties;
import org.apereo.cas.okta.OktaAuthenticationHandler;
import org.apereo.cas.okta.OktaConfigurationFactory;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.spring.beans.BeanCondition;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;

/**
 * Spring configuration that wires Okta-backed authentication into CAS.
 *
 * <p>The configuration is only considered when the {@code Authentication} feature is enabled
 * for the {@code okta} module. All beans are declared in the nested
 * {@link OktaAuthenticationCoreConfiguration}.
 */
@EnableConfigurationProperties(CasConfigurationProperties.class)
@Configuration(value = "OktaAuthenticationConfiguration", proxyBeanMethods = false)
@ConditionalOnFeatureEnabled(feature = CasFeatureModule.FeatureCatalog.Authentication, module = "okta")
/* loaded from: input_file:org/apereo/cas/config/OktaAuthenticationConfiguration.class */
class OktaAuthenticationConfiguration {

    /**
     * Declares the Okta authentication client, handler, principal factory and the
     * execution-plan configurer that registers the handler.
     *
     * <p>Every bean is built through {@link BeanSupplier} and gated on {@link #CONDITION}:
     * the real object is supplied only when {@code cas.authn.okta.organization-url} satisfies
     * the condition; otherwise the result of {@code otherwiseProxy()} is returned
     * (presumably an inert placeholder of the bean type; confirm against BeanSupplier).
     *
     * <p>Each bean is also {@code @ConditionalOnMissingBean} by name, so a bean already
     * registered under the same name takes precedence over the one defined here. For
     * {@code oktaAuthenticationHandler} and {@code oktaAuthenticationClient} that means any
     * module on the classpath can substitute the credential-handling component; deployments
     * should review which overlays or extensions define those names.
     */
    @EnableConfigurationProperties(CasConfigurationProperties.class)
    @Configuration(value = "OktaAuthenticationCoreConfiguration", proxyBeanMethods = false)
    /* loaded from: input_file:org/apereo/cas/config/OktaAuthenticationConfiguration$OktaAuthenticationCoreConfiguration.class */
    static class OktaAuthenticationCoreConfiguration {

        /** Activation condition shared by every bean in this class. */
        private static final BeanCondition CONDITION = BeanCondition.on("cas.authn.okta.organization-url");

        OktaAuthenticationCoreConfiguration() {
        }

        /**
         * Registers the Okta authentication handler, paired with the default principal
         * resolver, in the authentication event execution plan.
         *
         * @param configurableApplicationContext context whose environment is checked against {@link #CONDITION}
         * @param principalResolver the {@code defaultPrincipalResolver} bean
         * @param authenticationHandler the {@code oktaAuthenticationHandler} bean
         * @return the configurer, or the proxy fallback when the condition is not met
         */
        @ConditionalOnMissingBean(name = "oktaAuthenticationEventExecutionPlanConfigurer")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationEventExecutionPlanConfigurer oktaAuthenticationEventExecutionPlanConfigurer(ConfigurableApplicationContext configurableApplicationContext, @Qualifier("defaultPrincipalResolver") PrincipalResolver principalResolver, @Qualifier("oktaAuthenticationHandler") AuthenticationHandler authenticationHandler) {
            return (AuthenticationEventExecutionPlanConfigurer) BeanSupplier.of(AuthenticationEventExecutionPlanConfigurer.class)
                .when(CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> plan -> plan.registerAuthenticationHandlerWithPrincipalResolver(authenticationHandler, principalResolver))
                .otherwiseProxy()
                .get();
        }

        /**
         * Provides the principal factory used by the Okta authentication handler.
         *
         * @param configurableApplicationContext context whose environment is checked against {@link #CONDITION}
         * @return a factory from {@link PrincipalFactoryUtils#newPrincipalFactory()}, or the proxy fallback
         */
        @ConditionalOnMissingBean(name = "oktaPrincipalFactory")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public PrincipalFactory oktaPrincipalFactory(ConfigurableApplicationContext configurableApplicationContext) {
            return (PrincipalFactory) BeanSupplier.of(PrincipalFactory.class)
                .when(CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(PrincipalFactoryUtils::newPrincipalFactory)
                .otherwiseProxy()
                .get();
        }

        /**
         * Builds the authentication handler that validates credentials through Okta.
         *
         * <p>The handler is configured from {@code cas.authn.okta}: its name, state,
         * principal-name transformation, password encoder and credential selection criteria.
         *
         * @param principalFactory the {@code oktaPrincipalFactory} bean
         * @param servicesManager the {@code servicesManager} bean
         * @param authenticationClient the {@code oktaAuthenticationClient} bean
         * @param configurableApplicationContext context used for the condition check and the password encoder
         * @param casConfigurationProperties CAS settings holding the Okta properties
         * @return the configured handler, or the proxy fallback when the condition is not met
         */
        @ConditionalOnMissingBean(name = "oktaAuthenticationHandler")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationHandler oktaAuthenticationHandler(@Qualifier("oktaPrincipalFactory") PrincipalFactory principalFactory, @Qualifier("servicesManager") ServicesManager servicesManager, @Qualifier("oktaAuthenticationClient") AuthenticationClient authenticationClient, ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties) {
            return (AuthenticationHandler) BeanSupplier.of(AuthenticationHandler.class)
                .when(CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> {
                    OktaAuthenticationProperties properties = casConfigurationProperties.getAuthn().getOkta();
                    OktaAuthenticationHandler handler = new OktaAuthenticationHandler(
                        properties.getName(), servicesManager, principalFactory, properties, authenticationClient);
                    handler.setState(properties.getState());
                    handler.setPrincipalNameTransformer(
                        PrincipalNameTransformerUtils.newPrincipalNameTransformer(properties.getPrincipalTransformation()));
                    // NOTE(review): how the handler applies this encoder relative to the call to
                    // Okta is not visible here; confirm the configured encoder suits a remote
                    // password check.
                    handler.setPasswordEncoder(
                        PasswordEncoderUtils.newPasswordEncoder(properties.getPasswordEncoder(), configurableApplicationContext));
                    handler.setCredentialSelectionPredicate(
                        CoreAuthenticationUtils.newCredentialSelectionPredicate(properties.getCredentialCriteria()));
                    return handler;
                })
                .otherwiseProxy()
                .get();
        }

        /**
         * Builds the Okta SDK authentication client from the {@code cas.authn.okta} settings.
         *
         * @param configurableApplicationContext context whose environment is checked against {@link #CONDITION}
         * @param casConfigurationProperties CAS settings holding the Okta properties
         * @return the client created by {@link OktaConfigurationFactory}, or the proxy fallback
         */
        @ConditionalOnMissingBean(name = "oktaAuthenticationClient")
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationClient oktaAuthenticationClient(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties) {
            return (AuthenticationClient) BeanSupplier.of(AuthenticationClient.class)
                .when(CONDITION.given(configurableApplicationContext.getEnvironment()))
                .supply(() -> OktaConfigurationFactory.buildAuthenticationClient(casConfigurationProperties.getAuthn().getOkta()))
                .otherwiseProxy()
                .get();
        }
    }

    OktaAuthenticationConfiguration() {
    }
}
