package org.apereo.cas.config;

import com.github.benmanes.caffeine.cache.Cache;
import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties;
import org.apereo.cas.configuration.support.CasFeatureModule;
import org.apereo.cas.support.saml.idp.metadata.AmazonS3SamlIdPMetadataCipherExecutor;
import org.apereo.cas.support.saml.idp.metadata.AmazonS3SamlIdPMetadataGenerator;
import org.apereo.cas.support.saml.idp.metadata.AmazonS3SamlIdPMetadataLocator;
import org.apereo.cas.support.saml.idp.metadata.generator.SamlIdPMetadataGenerator;
import org.apereo.cas.support.saml.idp.metadata.generator.SamlIdPMetadataGeneratorConfigurationContext;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPMetadataLocator;
import org.apereo.cas.support.saml.services.idp.metadata.SamlIdPMetadataDocument;
import org.apereo.cas.util.cipher.CipherExecutorUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.spring.beans.BeanCondition;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.cas.util.spring.boot.ConditionalOnFeature;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.ScopedProxyMode;
import software.amazon.awssdk.services.s3.S3Client;

@EnableConfigurationProperties({CasConfigurationProperties.class})
@Configuration(value = "AmazonS3SamlIdPMetadataConfiguration", proxyBeanMethods = false)
@ConditionalOnFeature(feature = CasFeatureModule.FeatureCatalog.SAMLIdentityProviderMetadata, module = "aws-s3")
/* loaded from: input_file:org/apereo/cas/config/AmazonS3SamlIdPMetadataConfiguration.class */
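public class AmazonS3SamlIdPMetadataConfiguration {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AmazonS3SamlIdPMetadataConfiguration.class);

    /**
     * Gate for every bean in this configuration: the S3-backed metadata beans are only
     * materialised when this property is present in the environment. When it is absent the
     * {@code otherwise*} branches below supply a no-op cipher or a proxy placeholder instead.
     */
    private static final BeanCondition CONDITION = BeanCondition.on("cas.authn.saml-idp.metadata.amazon-s3.idp-metadata-bucket-name");

    /**
     * Cipher executor protecting the SAML IdP metadata artifacts kept in Amazon S3.
     *
     * <p>Only defined when no other bean named {@code samlIdPMetadataGeneratorCipherExecutor}
     * exists. With {@code cas.authn.saml-idp.metadata.amazon-s3.crypto.enabled=true} a string
     * cipher built from the configured JWT signing/encryption settings is returned; with it
     * disabled the metadata is stored unsigned and unencrypted and a {@link CipherExecutor#noOp()}
     * is returned. The disabled case is logged at WARN level (previously INFO) because it weakens
     * the integrity protection of the stored metadata and should be visible in production logs.
     *
     * @param configurableApplicationContext application context whose environment is checked against {@link #CONDITION}
     * @param casConfigurationProperties     CAS properties; the {@code amazon-s3.crypto} section is read
     * @return the cipher executor; a no-op executor whenever the condition or the crypto switch is off
     */
    @ConditionalOnMissingBean(name = {"samlIdPMetadataGeneratorCipherExecutor"})
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public CipherExecutor samlIdPMetadataGeneratorCipherExecutor(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties) {
        return (CipherExecutor) BeanSupplier.of(CipherExecutor.class)
            .when(CONDITION.given(configurableApplicationContext.getEnvironment()))
            .supply(() -> buildMetadataCipherExecutor(casConfigurationProperties))
            .otherwise(CipherExecutor::noOp)
            .get();
    }

    /**
     * Builds the metadata cipher from the {@code amazon-s3.crypto} properties, or a no-op cipher
     * when that section is disabled.
     *
     * @param casConfigurationProperties CAS properties to read the crypto settings from
     * @return a string cipher executor when crypto is enabled, otherwise {@link CipherExecutor#noOp()}
     */
    private static CipherExecutor buildMetadataCipherExecutor(CasConfigurationProperties casConfigurationProperties) {
        EncryptionJwtSigningJwtCryptographyProperties crypto = casConfigurationProperties.getAuthn().getSamlIdp().getMetadata().getAmazonS3().getCrypto();
        if (crypto.isEnabled()) {
            return CipherExecutorUtils.newStringCipherExecutor(crypto, AmazonS3SamlIdPMetadataCipherExecutor.class);
        }
        // Security-relevant misconfiguration: surface it at WARN so it is not filtered out by
        // production log levels that drop INFO.
        LOGGER.warn("Amazon S3 SAML IdP metadata encryption/signing is turned off and MAY NOT be safe in a production environment. Consider using other choices to handle encryption, signing and verification of metadata artifacts");
        return CipherExecutor.noOp();
    }

    /**
     * Metadata generator backed by the configured S3 bucket.
     *
     * <p>Note the side effect: {@code generate(Optional.empty())} is invoked while the bean is
     * being created, i.e. IdP metadata generation (presumably writing to the bucket) happens
     * eagerly at context startup rather than on first use. Checked exceptions thrown during
     * generation are rethrown unchecked via {@link Unchecked#supplier}. When {@link #CONDITION}
     * does not hold, {@code otherwiseProxy()} supplies a placeholder instead of a real generator.
     *
     * @param configurableApplicationContext              application context whose environment is checked against {@link #CONDITION}
     * @param casConfigurationProperties                  CAS properties; the S3 bucket name is read from {@code amazon-s3.idp-metadata-bucket-name}
     * @param samlIdPMetadataGeneratorConfigurationContext shared generator configuration context
     * @param s3Client                                    the {@code amazonS3Client} bean used to talk to S3
     * @return the metadata generator (or a proxy when the condition is off)
     * @throws Exception propagated from bean creation
     */
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public SamlIdPMetadataGenerator samlIdPMetadataGenerator(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties, @Qualifier("samlIdPMetadataGeneratorConfigurationContext") SamlIdPMetadataGeneratorConfigurationContext samlIdPMetadataGeneratorConfigurationContext, @Qualifier("amazonS3Client") S3Client s3Client) throws Exception {
        return (SamlIdPMetadataGenerator) BeanSupplier.of(SamlIdPMetadataGenerator.class)
            .when(CONDITION.given(configurableApplicationContext.getEnvironment()))
            .supply(Unchecked.supplier(() -> {
                String bucketName = casConfigurationProperties.getAuthn().getSamlIdp().getMetadata().getAmazonS3().getIdpMetadataBucketName();
                AmazonS3SamlIdPMetadataGenerator generator = new AmazonS3SamlIdPMetadataGenerator(samlIdPMetadataGeneratorConfigurationContext, s3Client, bucketName);
                // Eager generation at startup; any failure here aborts context refresh.
                generator.generate(Optional.empty());
                return generator;
            }))
            .otherwiseProxy()
            .get();
    }

    /**
     * Metadata locator that reads IdP metadata documents from the configured S3 bucket, using
     * {@code samlIdPMetadataGeneratorCipherExecutor} to verify/decrypt them and the shared
     * {@code samlIdPMetadataCache} to avoid repeated fetches. With a no-op cipher (see
     * {@link #samlIdPMetadataGeneratorCipherExecutor}) documents are consumed without any
     * signature verification.
     *
     * @param configurableApplicationContext application context whose environment is checked against {@link #CONDITION}
     * @param casConfigurationProperties     CAS properties; the S3 bucket name is read from {@code amazon-s3.idp-metadata-bucket-name}
     * @param cache                          metadata document cache shared with the rest of the SAML IdP support
     * @param cipherExecutor                 cipher applied to metadata documents read from S3
     * @param s3Client                       the {@code amazonS3Client} bean used to talk to S3
     * @return the metadata locator (or a proxy when the condition is off)
     */
    @RefreshScope(proxyMode = ScopedProxyMode.DEFAULT)
    @Bean
    public SamlIdPMetadataLocator samlIdPMetadataLocator(ConfigurableApplicationContext configurableApplicationContext, CasConfigurationProperties casConfigurationProperties, @Qualifier("samlIdPMetadataCache") Cache<String, SamlIdPMetadataDocument> cache, @Qualifier("samlIdPMetadataGeneratorCipherExecutor") CipherExecutor cipherExecutor, @Qualifier("amazonS3Client") S3Client s3Client) {
        return (SamlIdPMetadataLocator) BeanSupplier.of(SamlIdPMetadataLocator.class)
            .when(CONDITION.given(configurableApplicationContext.getEnvironment()))
            .supply(() -> {
                String bucketName = casConfigurationProperties.getAuthn().getSamlIdp().getMetadata().getAmazonS3().getIdpMetadataBucketName();
                return new AmazonS3SamlIdPMetadataLocator(cipherExecutor, cache, bucketName, s3Client);
            })
            .otherwiseProxy()
            .get();
    }
}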
