package org.apereo.cas.config;

import com.google.errorprone.annotations.CanIgnoreReturnValue;
import java.util.List;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.LdapAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authorization.EndpointLdapAuthenticationProvider;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.features.CasFeatureModule;
import org.apereo.cas.configuration.model.core.monitor.LdapSecurityActuatorEndpointsMonitorProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.LdapUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.spring.beans.BeanContainer;
import org.apereo.cas.util.spring.boot.ConditionalOnFeatureEnabled;
import org.apereo.cas.web.CasWebSecurityConfigurer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

/* JADX INFO: Access modifiers changed from: package-private */
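@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "LdapAuthenticationConfiguration", proxyBeanMethods = false)
@ConditionalOnFeatureEnabled(feature = {CasFeatureModule.FeatureCatalog.LDAP}, module = "authentication")
/**
 * Spring configuration that wires LDAP into CAS in two places: as authentication handlers
 * for the CAS authentication plan, and as a Spring Security authentication provider built
 * from the monitor/endpoints LDAP settings.
 *
 * <p>The whole configuration is only active when the LDAP authentication feature is enabled
 * (see the {@code ConditionalOnFeatureEnabled} annotation). This listing is decompiler output
 * (JADX), so access modifiers and lambda shapes may differ from the original source.
 */
public class LdapAuthenticationConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(LdapAuthenticationConfiguration.class);

    /**
     * Builds the LDAP authentication handlers and registers them with the authentication plan.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "LdapAuthenticationPlanConfiguration", proxyBeanMethods = false)
    static class LdapAuthenticationPlanConfiguration {
        LdapAuthenticationPlanConfiguration() {
        }

        /**
         * Creates one authentication handler per usable LDAP entry in the authentication settings.
         *
         * <p>An entry is skipped, with a warning, when it has no type or a blank LDAP url. If every
         * entry is skipped the container is empty and no LDAP handler is registered at all, so the
         * warning is the only signal that a configured directory is not being consulted.
         *
         * @param casConfigurationProperties CAS settings holding the LDAP entries
         * @param configurableApplicationContext application context handed to the handler factory
         * @param principalFactory factory used by the handlers to build principals
         * @param servicesManager services manager handed to the handler factory
         * @return container of the handlers that were built, possibly empty
         */
        @ConditionalOnMissingBean(name = {"ldapAuthenticationHandlers"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public BeanContainer<AuthenticationHandler> ldapAuthenticationHandlers(CasConfigurationProperties casConfigurationProperties, ConfigurableApplicationContext configurableApplicationContext, @Qualifier("ldapPrincipalFactory") PrincipalFactory principalFactory, @Qualifier("servicesManager") ServicesManager servicesManager) {
            // Collect into a properly typed list instead of going through a raw List cast,
            // so the element type is checked by the compiler.
            List<AuthenticationHandler> handlers = casConfigurationProperties.getAuthn().getLdap().stream().filter(entry -> {
                boolean usable = entry.getType() != null && !StringUtils.isBlank(entry.getLdapUrl());
                if (!usable) {
                    LdapAuthenticationConfiguration.LOGGER.warn("Skipping LDAP authentication entry since no type or LDAP url is defined");
                }
                return usable;
            }).<AuthenticationHandler>map(entry -> {
                LdapAuthenticationHandler handler = LdapUtils.createLdapAuthenticationHandler(entry, configurableApplicationContext, servicesManager, principalFactory);
                // The handler state comes straight from the entry's configuration.
                handler.setState(entry.getState());
                return handler;
            }).collect(Collectors.toList());
            return BeanContainer.of(handlers);
        }

        /**
         * Registers every LDAP handler with the authentication plan, paired with the default
         * principal resolver.
         *
         * @param beanContainer the LDAP handlers to register
         * @param principalResolver resolver attached to each registered handler
         * @return configurer that performs the registration when the plan is assembled
         */
        @ConditionalOnMissingBean(name = {"ldapAuthenticationEventExecutionPlanConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public AuthenticationEventExecutionPlanConfigurer ldapAuthenticationEventExecutionPlanConfigurer(@Qualifier("ldapAuthenticationHandlers") BeanContainer<AuthenticationHandler> beanContainer, @Qualifier("defaultPrincipalResolver") PrincipalResolver principalResolver) {
            return authenticationEventExecutionPlan -> {
                beanContainer.toList().forEach(authenticationHandler -> {
                    LdapAuthenticationConfiguration.LOGGER.info("Registering LDAP authentication for [{}]", authenticationHandler.getName());
                    authenticationEventExecutionPlan.registerAuthenticationHandlerWithPrincipalResolver(authenticationHandler, principalResolver);
                });
            };
        }
    }

    /**
     * Provides the principal factory used by the LDAP authentication handlers.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "LdapCoreAuthenticationConfiguration", proxyBeanMethods = false)
    static class LdapCoreAuthenticationConfiguration {
        LdapCoreAuthenticationConfiguration() {
        }

        /**
         * @return a new principal factory from {@code PrincipalFactoryUtils}
         */
        @ConditionalOnMissingBean(name = {"ldapPrincipalFactory"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public PrincipalFactory ldapPrincipalFactory() {
            return PrincipalFactoryUtils.newPrincipalFactory();
        }
    }

    /**
     * Adds an LDAP-backed authentication provider to Spring Security, driven by the
     * monitor/endpoints LDAP settings.
     */
    @EnableConfigurationProperties({CasConfigurationProperties.class})
    @Configuration(value = "LdapSpringSecurityAuthenticationConfiguration", proxyBeanMethods = false)
    static class LdapSpringSecurityAuthenticationConfiguration {

        /**
         * Web security configurer that registers an {@code EndpointLdapAuthenticationProvider}
         * on {@code HttpSecurity} when the endpoint LDAP settings are complete.
         */
        private static final class LdapHttpSecurityCasWebSecurityConfigurer implements CasWebSecurityConfigurer<HttpSecurity> {
            private final CasConfigurationProperties casProperties;
            private final SecurityProperties securityProperties;
            // Set only when the provider was actually registered; null otherwise.
            private EndpointLdapAuthenticationProvider endpointLdapAuthenticationProvider;

            /**
             * Destroys the LDAP provider if one was created; does nothing otherwise.
             */
            public void destroy() {
                FunctionUtils.doIfNotNull(this.endpointLdapAuthenticationProvider, provider -> {
                    provider.destroy();
                });
            }

            /**
             * Registers the LDAP authentication provider when an LDAP url and search filter are set.
             *
             * <p>When either is blank nothing is registered here, and this method only emits a
             * trace message; endpoint protection then depends on whatever else is configured on
             * {@code httpSecurity} outside this class.
             *
             * @param httpSecurity the security builder to add the provider to
             * @return this configurer
             */
            @CanIgnoreReturnValue
            public CasWebSecurityConfigurer<HttpSecurity> configure(HttpSecurity httpSecurity) {
                LdapSecurityActuatorEndpointsMonitorProperties ldap = this.casProperties.getMonitor().getEndpoints().getLdap();
                if (StringUtils.isNotBlank(ldap.getLdapUrl()) && StringUtils.isNotBlank(ldap.getSearchFilter())) {
                    configureLdapAuthenticationProvider(httpSecurity, ldap);
                } else {
                    LdapAuthenticationConfiguration.LOGGER.trace("No LDAP url or search filter is defined to enable LDAP authentication");
                }
                return this;
            }

            /**
             * Creates the provider and adds it to {@code httpSecurity}, but only when the
             * authorization settings are complete (see {@link #isLdapAuthorizationActive()}).
             *
             * @param httpSecurity the security builder to add the provider to
             * @param ldapSecurityActuatorEndpointsMonitorProperties endpoint LDAP settings
             */
            private void configureLdapAuthenticationProvider(HttpSecurity httpSecurity, LdapSecurityActuatorEndpointsMonitorProperties ldapSecurityActuatorEndpointsMonitorProperties) {
                if (isLdapAuthorizationActive()) {
                    this.endpointLdapAuthenticationProvider = new EndpointLdapAuthenticationProvider(ldapSecurityActuatorEndpointsMonitorProperties, this.securityProperties, LdapUtils.newLdaptiveConnectionFactory(ldapSecurityActuatorEndpointsMonitorProperties), LdapUtils.newLdaptiveAuthenticator(ldapSecurityActuatorEndpointsMonitorProperties));
                    httpSecurity.authenticationProvider(this.endpointLdapAuthenticationProvider);
                } else {
                    // The caller only gets here with a url and search filter present, so the operator
                    // evidently intended LDAP to be used. Skipping silently would hide a half-finished
                    // configuration; no setting values are logged.
                    LdapAuthenticationConfiguration.LOGGER.warn("LDAP url and search filter are defined, but the base DN or a role/group attribute is missing; the LDAP authentication provider is not registered");
                }
            }

            /**
             * Tells whether the endpoint LDAP settings are complete enough to build the provider:
             * base DN, LDAP url and search filter must all be non-blank, and at least one of the
             * role attribute or group attribute must be non-blank.
             *
             * @return {@code true} when the provider can be configured
             */
            private boolean isLdapAuthorizationActive() {
                LdapSecurityActuatorEndpointsMonitorProperties ldap = this.casProperties.getMonitor().getEndpoints().getLdap();
                boolean hasSearchSettings = StringUtils.isNotBlank(ldap.getBaseDn()) && StringUtils.isNotBlank(ldap.getLdapUrl()) && StringUtils.isNotBlank(ldap.getSearchFilter());
                return hasSearchSettings && (StringUtils.isNotBlank(ldap.getLdapAuthz().getRoleAttribute()) || StringUtils.isNotBlank(ldap.getLdapAuthz().getGroupAttribute()));
            }

            /**
             * @param casConfigurationProperties CAS settings holding the endpoint LDAP configuration
             * @param securityProperties Spring Boot security settings passed to the provider
             */
            @Generated
            public LdapHttpSecurityCasWebSecurityConfigurer(CasConfigurationProperties casConfigurationProperties, SecurityProperties securityProperties) {
                this.casProperties = casConfigurationProperties;
                this.securityProperties = securityProperties;
            }
        }

        LdapSpringSecurityAuthenticationConfiguration() {
        }

        /**
         * @param securityProperties Spring Boot security settings
         * @param casConfigurationProperties CAS settings
         * @return the configurer that conditionally adds the LDAP authentication provider
         */
        @ConditionalOnMissingBean(name = {"ldapHttpWebSecurityConfigurer"})
        @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
        @Bean
        public CasWebSecurityConfigurer<HttpSecurity> ldapHttpWebSecurityConfigurer(SecurityProperties securityProperties, CasConfigurationProperties casConfigurationProperties) {
            return new LdapHttpSecurityCasWebSecurityConfigurer(casConfigurationProperties, securityProperties);
        }
    }

    LdapAuthenticationConfiguration() {
    }
}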
