package org.apereo.cas.authentication.support.password;

import lombok.Generated;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.model.core.authentication.PasswordEncoderProperties;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.util.crypto.DefaultPasswordEncoder;
import org.apereo.cas.util.crypto.GlibcCryptPasswordEncoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.LdapShaPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.crypto.password.Pbkdf2PasswordEncoder;
import org.springframework.security.crypto.password.StandardPasswordEncoder;
import org.springframework.security.crypto.scrypt.SCryptPasswordEncoder;
import org.springframework.web.context.support.GroovyWebApplicationContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-authentication-api-6.3.7.4.jar:org/apereo/cas/authentication/support/password/PasswordEncoderUtils.class */
public final class PasswordEncoderUtils {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) PasswordEncoderUtils.class);
    private static final int HASH_WIDTH = 256;

    public static PasswordEncoder newPasswordEncoder(PasswordEncoderProperties passwordEncoderProperties, ApplicationContext applicationContext) {
        String type = passwordEncoderProperties.getType();
        if (StringUtils.isBlank(type)) {
            LOGGER.trace("No password encoder type is defined, and so none shall be created");
            return NoOpPasswordEncoder.getInstance();
        }
        if (type.endsWith(GroovyWebApplicationContext.DEFAULT_CONFIG_LOCATION_SUFFIX)) {
            LOGGER.trace("Creating Groovy-based password encoder at [{}]", type);
            return new GroovyPasswordEncoder(applicationContext.getResource(type), applicationContext);
        }
        if (type.contains(".")) {
            try {
                LOGGER.debug("Configuration indicates use of a custom password encoder [{}]", type);
                return (PasswordEncoder) Class.forName(type).getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
            } catch (Exception e) {
                LoggingUtils.error(LOGGER, "Falling back to a no-op password encoder as CAS has failed to create an instance of the custom password encoder class " + type, e);
                return NoOpPasswordEncoder.getInstance();
            }
        }
        switch (PasswordEncoderProperties.PasswordEncoderTypes.valueOf(type)) {
            case DEFAULT:
                LOGGER.debug("Creating default password encoder with encoding alg [{}] and character encoding [{}]", passwordEncoderProperties.getEncodingAlgorithm(), passwordEncoderProperties.getCharacterEncoding());
                return new DefaultPasswordEncoder(passwordEncoderProperties.getEncodingAlgorithm(), passwordEncoderProperties.getCharacterEncoding());
            case STANDARD:
                LOGGER.debug("Creating standard password encoder with the secret defined in the configuration");
                return new StandardPasswordEncoder(passwordEncoderProperties.getSecret());
            case BCRYPT:
                LOGGER.debug("Creating BCRYPT password encoder given the strength [{}] and secret in the configuration", Integer.valueOf(passwordEncoderProperties.getStrength()));
                if (StringUtils.isBlank(passwordEncoderProperties.getSecret())) {
                    LOGGER.debug("Creating BCRYPT encoder without secret");
                    return new BCryptPasswordEncoder(passwordEncoderProperties.getStrength());
                }
                LOGGER.debug("Creating BCRYPT encoder with secret");
                return new BCryptPasswordEncoder(passwordEncoderProperties.getStrength(), RandomUtils.getNativeInstance());
            case SCRYPT:
                LOGGER.debug("Creating SCRYPT encoder");
                return new SCryptPasswordEncoder();
            case SSHA:
                LOGGER.warn("Creating SSHA encoder; digest based password encoding is not considered secure. This strategy is here to support legacy implementations and using it is considered insecure.");
                return new LdapShaPasswordEncoder();
            case PBKDF2:
                if (!StringUtils.isBlank(passwordEncoderProperties.getSecret())) {
                    return new Pbkdf2PasswordEncoder(passwordEncoderProperties.getSecret(), passwordEncoderProperties.getStrength(), 256);
                }
                LOGGER.trace("Creating PBKDF2 encoder without secret");
                return new Pbkdf2PasswordEncoder();
            case GLIBC_CRYPT:
                LOGGER.debug(String.format("Creating glibc CRYPT encoder with encoding alg [%s], strength [%s] and %ssecret", passwordEncoderProperties.getEncodingAlgorithm(), Integer.valueOf(passwordEncoderProperties.getStrength()), BooleanUtils.toString(StringUtils.isNotBlank(passwordEncoderProperties.getSecret()), "", "without ")));
                return new GlibcCryptPasswordEncoder(passwordEncoderProperties.getEncodingAlgorithm(), passwordEncoderProperties.getStrength(), passwordEncoderProperties.getSecret());
            case NONE:
            default:
                LOGGER.trace("No password encoder shall be created given the requested encoder type [{}]", type);
                return NoOpPasswordEncoder.getInstance();
        }
    }

    @Generated
    private PasswordEncoderUtils() {
        throw new UnsupportedOperationException("This is a utility class and cannot be instantiated");
    }
}
