package org.apereo.cas.pm.config;

import lombok.Generated;
import org.apereo.cas.audit.AuditTrailConstants;
import org.apereo.cas.audit.AuditTrailRecordResolutionPlanConfigurer;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.model.support.pm.PasswordManagementProperties;
import org.apereo.cas.pm.DefaultPasswordValidationService;
import org.apereo.cas.pm.PasswordHistoryService;
import org.apereo.cas.pm.PasswordManagementService;
import org.apereo.cas.pm.PasswordResetTokenCipherExecutor;
import org.apereo.cas.pm.PasswordValidationService;
import org.apereo.cas.pm.impl.GroovyResourcePasswordManagementService;
import org.apereo.cas.pm.impl.JsonResourcePasswordManagementService;
import org.apereo.cas.pm.impl.NoOpPasswordManagementService;
import org.apereo.cas.pm.impl.history.AmnesiacPasswordHistoryService;
import org.apereo.cas.pm.impl.history.GroovyPasswordHistoryService;
import org.apereo.cas.pm.impl.history.InMemoryPasswordHistoryService;
import org.apereo.cas.util.cipher.CipherExecutorUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.io.CommunicationsManager;
import org.apereo.inspektr.audit.spi.support.BooleanAuditActionResolver;
import org.apereo.inspektr.audit.spi.support.FirstParameterAuditResourceResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;

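/**
 * Spring configuration that wires the CAS password-management beans: the cipher used
 * for password-reset tokens, the password validation and history services, the
 * password-change backend, and the audit resolvers for password-change events.
 *
 * <p>Every service bean is declared with {@code @ConditionalOnMissingBean}, so a deployment
 * can replace any of them by defining a bean with the same name. The defaults chosen here
 * are driven entirely by the {@code cas.authn.pm.*} settings read from
 * {@link CasConfigurationProperties}.
 */
@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration("passwordManagementConfiguration")
/* loaded from: input_file:WEB-INF/lib/cas-server-support-pm-6.2.2.jar:org/apereo/cas/pm/config/PasswordManagementConfiguration.class */
public class PasswordManagementConfiguration implements InitializingBean {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(PasswordManagementConfiguration.class);

    @Autowired
    private CasConfigurationProperties casProperties;

    @Autowired
    @Qualifier("communicationsManager")
    private ObjectProvider<CommunicationsManager> communicationsManager;

    /**
     * Builds the cipher executor that protects password-reset tokens.
     *
     * <p>A real cipher is created only when both password management and the reset-token
     * crypto settings are enabled; otherwise {@link CipherExecutor#noOp()} is returned.
     *
     * @return the reset-token cipher executor, or a no-op executor
     */
    @ConditionalOnMissingBean(name = {"passwordManagementCipherExecutor"})
    @RefreshScope
    @Bean
    public CipherExecutor passwordManagementCipherExecutor() {
        PasswordManagementProperties pm = this.casProperties.getAuthn().getPm();
        EncryptionJwtSigningJwtCryptographyProperties crypto = pm.getReset().getCrypto();
        if (pm.isEnabled() && crypto.isEnabled()) {
            return CipherExecutorUtils.newStringCipherExecutor(crypto, PasswordResetTokenCipherExecutor.class);
        }
        if (pm.isEnabled()) {
            // Password management is live but token crypto is switched off: surface this
            // instead of silently downgrading, so operators can see that reset tokens are
            // handled by the no-op executor rather than being signed and encrypted.
            LOGGER.warn("Password management is enabled but 'cas.authn.pm.reset.crypto.enabled' is false. "
                + "Password reset tokens will be handled by a no-op cipher and will NOT be signed or encrypted. "
                + "Enable the reset crypto settings and configure signing/encryption keys for production use");
        }
        return CipherExecutor.noOp();
    }

    /**
     * Builds the service that validates proposed passwords against the configured
     * policy pattern and the password history.
     *
     * @return the password validation service
     */
    @ConditionalOnMissingBean(name = {"passwordValidationService"})
    @RefreshScope
    @Bean
    public PasswordValidationService passwordValidationService() {
        // The policy pattern comes from configuration and is passed through unchanged.
        String policyPattern = this.casProperties.getAuthn().getPm().getPolicyPattern();
        return new DefaultPasswordValidationService(policyPattern, passwordHistoryService());
    }

    /**
     * Selects the password history backend.
     *
     * <ul>
     *   <li>password management or history disabled: {@link AmnesiacPasswordHistoryService}</li>
     *   <li>history enabled with a Groovy location configured: {@link GroovyPasswordHistoryService}</li>
     *   <li>history enabled without a Groovy location: {@link InMemoryPasswordHistoryService}</li>
     * </ul>
     *
     * @return the password history service
     */
    @ConditionalOnMissingBean(name = {"passwordHistoryService"})
    @RefreshScope
    @Bean
    public PasswordHistoryService passwordHistoryService() {
        PasswordManagementProperties pm = this.casProperties.getAuthn().getPm();
        PasswordManagementProperties.PasswordHistory history = pm.getHistory();
        if (!pm.isEnabled() || !history.isEnabled()) {
            return new AmnesiacPasswordHistoryService();
        }
        if (history.getGroovy().getLocation() != null) {
            // NOTE(review): the Groovy resource is code loaded from a configured location;
            // it should be writable only by CAS administrators.
            return new GroovyPasswordHistoryService(history.getGroovy().getLocation());
        }
        // NOTE(review): presumably held in process memory only, so history would not survive
        // a restart or be shared between nodes - confirm before relying on it for reuse checks.
        return new InMemoryPasswordHistoryService();
    }

    /**
     * Selects the password-change backend. A JSON resource takes precedence over a Groovy
     * resource; when neither is configured, or password management is disabled, a no-op
     * service is returned.
     *
     * @return the password management service
     */
    @ConditionalOnMissingBean(name = {"passwordChangeService"})
    @RefreshScope
    @Bean
    public PasswordManagementService passwordChangeService() {
        PasswordManagementProperties pm = this.casProperties.getAuthn().getPm();
        if (!pm.isEnabled()) {
            LOGGER.debug("Password management is disabled. To enable the password management functionality, add 'cas.authn.pm.enabled=true' to the CAS configuration and then configure storage options for account updates");
            return noOpPasswordManagementService(pm);
        }

        Resource jsonLocation = pm.getJson().getLocation();
        if (jsonLocation != null) {
            // NOTE(review): confirm how account data is stored in this JSON resource and
            // restrict its file permissions before using it outside a test environment.
            LOGGER.debug("Configuring password management based on JSON resource [{}]", jsonLocation);
            return new JsonResourcePasswordManagementService(passwordManagementCipherExecutor(), this.casProperties.getServer().getPrefix(), pm, jsonLocation, passwordHistoryService());
        }

        Resource groovyLocation = pm.getGroovy().getLocation();
        if (groovyLocation != null) {
            // NOTE(review): the Groovy resource is code that handles password changes;
            // it should be writable only by CAS administrators.
            LOGGER.debug("Configuring password management based on Groovy resource [{}]", groovyLocation);
            return new GroovyResourcePasswordManagementService(passwordManagementCipherExecutor(), this.casProperties.getServer().getPrefix(), pm, groovyLocation, passwordHistoryService());
        }

        LOGGER.warn("No storage service (LDAP, Database, etc) is configured to handle the account update and password service operations. Password management functionality will have no effect and will be disabled until a storage service is configured. To explicitly disable the password management functionality, add 'cas.authn.pm.enabled=false' to the CAS configuration");
        return noOpPasswordManagementService(pm);
    }

    /** Builds the fallback service used when no storage backend applies. */
    private PasswordManagementService noOpPasswordManagementService(final PasswordManagementProperties pm) {
        return new NoOpPasswordManagementService(passwordManagementCipherExecutor(), this.casProperties.getServer().getPrefix(), pm);
    }

    /**
     * Validates the communications manager at startup, but only when password management
     * is enabled.
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() {
        if (this.casProperties.getAuthn().getPm().isEnabled()) {
            // NOTE(review): presumably checks that a mail/SMS channel is configured for
            // delivering reset links - confirm what validate() does on failure.
            this.communicationsManager.getObject().validate();
        }
    }

    /**
     * Registers the audit action and resource resolvers used for password-change events.
     *
     * @return the configurer that contributes the password-change audit resolvers
     */
    @Bean
    public AuditTrailRecordResolutionPlanConfigurer passwordManagementAuditTrailRecordResolutionPlanConfigurer() {
        return plan -> {
            // The action is recorded with the success or failed postfix constant.
            plan.registerAuditActionResolver("CHANGE_PASSWORD_ACTION_RESOLVER", new BooleanAuditActionResolver(AuditTrailConstants.AUDIT_ACTION_POSTFIX_SUCCESS, AuditTrailConstants.AUDIT_ACTION_POSTFIX_FAILED));
            // NOTE(review): this resolver presumably records the audited method's first
            // argument as the resource - confirm that argument never renders a password
            // into the audit trail.
            plan.registerAuditResourceResolver("CHANGE_PASSWORD_RESOURCE_RESOLVER", new FirstParameterAuditResourceResolver());
        };
    }
}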
