package org.cloudfoundry.identity.uaa.client;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.client.ClientDetailsValidator;
import org.cloudfoundry.identity.uaa.provider.ldap.ProcessLdapProperties;
import org.cloudfoundry.identity.uaa.resources.QueryableResourceManager;
import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
import org.cloudfoundry.identity.uaa.zone.ClientSecretValidator;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/client/ClientAdminEndpointsValidator.class */
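/**
 * Validates client registrations submitted through the client admin endpoints.
 *
 * <p>The validator works on a defensive copy of the submitted {@link ClientDetails}: it rejects
 * reserved client ids, unknown grant types, missing redirect URIs and missing/forbidden client
 * secrets, fills in defaults (refresh_token, {@code uaa.none} scope/authority, resource ids) and,
 * for callers that are not client admins, restricts grant types, scopes and authorities to what
 * the caller itself is allowed to hand out.
 *
 * <p>Not thread-safe to reconfigure; intended to be wired once via the setters and then shared.
 */
public class ClientAdminEndpointsValidator implements InitializingBean, ClientDetailsValidator {

    private static final String IMPLICIT = "implicit";
    private static final String PASSWORD = "password";
    private static final String CLIENT_CREDENTIALS = "client_credentials";
    private static final String AUTHORIZATION_CODE = "authorization_code";
    private static final String REFRESH_TOKEN = "refresh_token";
    private static final String USER_TOKEN = "user_token";
    private static final String SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer";
    private static final String JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    /** Scope that marks the caller as a client administrator (besides {@code isAdmin()}). */
    private static final String CLIENTS_ADMIN_SCOPE = "clients.admin";

    /**
     * Grant types a client may be registered with; anything else is rejected by
     * {@link #checkRequestedGrantTypes(Set)}.
     * NOTE(review): kept as a mutable set for compatibility with existing callers; treat it as read-only.
     */
    public static final Set<String> VALID_GRANTS = new HashSet<>(Arrays.asList(
            IMPLICIT, PASSWORD, CLIENT_CREDENTIALS, AUTHORIZATION_CODE, REFRESH_TOKEN, USER_TOKEN,
            SAML2_BEARER, JWT_BEARER));

    /** Grant types a non-admin caller may never register. */
    private static final Collection<String> NON_ADMIN_INVALID_GRANTS = new HashSet<>(Arrays.asList(PASSWORD));

    /** Authorities a non-admin caller may always grant (extended with uaa.resource for client_credentials). */
    private static final Collection<String> NON_ADMIN_VALID_AUTHORITIES = new HashSet<>(Arrays.asList("uaa.none"));

    private ClientSecretValidator clientSecretValidator;
    private QueryableResourceManager<ClientDetails> clientDetailsService;
    private final Log logger = LogFactory.getLog(getClass());
    private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();

    /** Client ids that may never be created through these endpoints. */
    private Set<String> reservedClientIds = StringUtils.commaDelimitedListToSet("uaa");

    /**
     * Sets the service used to look up the calling client (needed for non-admin scope checks).
     *
     * @param queryableResourceManager client lookup; required, see {@link #afterPropertiesSet()}
     */
    public void setClientDetailsService(QueryableResourceManager<ClientDetails> queryableResourceManager) {
        this.clientDetailsService = queryableResourceManager;
    }

    /**
     * Overrides the accessor used to inspect the calling principal (admin flag, scopes, client id).
     *
     * @param securityContextAccessor accessor to use; defaults to {@link DefaultSecurityContextAccessor}
     */
    public void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {
        this.securityContextAccessor = securityContextAccessor;
    }

    /**
     * Fails fast at startup when no client lookup service has been configured.
     *
     * @throws IllegalStateException if {@link #setClientDetailsService} was never called
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.state(this.clientDetailsService != null, "A ClientDetailsService must be provided");
    }

    /**
     * Validates a client for the given mode with the non-admin restrictions enabled.
     *
     * @param clientDetails submitted client
     * @param mode {@code CREATE} enables the create-only checks (reserved ids, secret requirements)
     * @return a validated, defaulted copy of {@code clientDetails}
     */
    @Override
    public ClientDetails validate(ClientDetails clientDetails, ClientDetailsValidator.Mode mode) {
        return validate(clientDetails, mode == ClientDetailsValidator.Mode.CREATE, true);
    }

    /**
     * Validates a client and returns a defaulted copy of it.
     *
     * @param clientDetails submitted client; never modified
     * @param create {@code true} for a new registration: reserved ids are rejected and a client secret
     *        is required (and validated) for client_credentials / authorization_code / jwt-bearer
     * @param checkAdmin {@code true} to apply the non-admin restrictions when the caller is neither an
     *        admin nor holds {@code clients.admin}
     * @return a {@link BaseClientDetails} copy with refresh_token, default scope/authority and
     *         resource ids filled in
     * @throws InvalidClientDetailsException if any check fails
     */
    public ClientDetails validate(ClientDetails clientDetails, boolean create, boolean checkAdmin)
            throws InvalidClientDetailsException {
        BaseClientDetails client = copyOf(clientDetails);
        String clientId = client.getClientId();

        if (create && this.reservedClientIds.contains(clientId)) {
            throw new InvalidClientDetailsException("Not allowed: " + clientId + " is a reserved client_id");
        }

        validateClientRedirectUri(client);

        Set<String> grantTypes = client.getAuthorizedGrantTypes();
        if (grantTypes.isEmpty()) {
            throw new InvalidClientDetailsException(
                    "An authorized grant type must be provided. Must be one of: " + VALID_GRANTS.toString());
        }
        checkRequestedGrantTypes(grantTypes);

        // authorization_code and password clients implicitly get refresh_token. The set is written back
        // explicitly so the default survives even if getAuthorizedGrantTypes() ever returns a copy.
        if ((grantTypes.contains(AUTHORIZATION_CODE) || grantTypes.contains(PASSWORD))
                && !grantTypes.contains(REFRESH_TOKEN)) {
            this.logger.debug("requested grant type missing refresh_token: " + clientId);
            grantTypes.add(REFRESH_TOKEN);
            client.setAuthorizedGrantTypes(grantTypes);
        }

        if (grantTypes.contains(JWT_BEARER)) {
            validateJwtBearerClient(client, create);
        }

        if (checkAdmin && !isCallerClientAdmin()) {
            validateNonAdminRequest(client, grantTypes);
        }

        // Defaults applied after the non-admin checks so an empty authority/scope list is still accepted.
        if (client.getAuthorities().isEmpty()) {
            client.setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList("uaa.none"));
        }
        client.setResourceIds(Collections.singleton(ProcessLdapProperties.NONE));
        if (client.getScope().isEmpty()) {
            client.setScope(Collections.singleton("uaa.none"));
        }

        // A public (implicit) client must not carry a secret; confidential grants must have one on creation.
        if (grantTypes.contains(IMPLICIT) && StringUtils.hasText(client.getClientSecret())) {
            throw new InvalidClientDetailsException("Implicit grant should not have a client_secret");
        }
        if (create && (grantTypes.contains(CLIENT_CREDENTIALS) || grantTypes.contains(AUTHORIZATION_CODE))) {
            if (!StringUtils.hasText(client.getClientSecret())) {
                throw new InvalidClientDetailsException(
                        "Client secret is required for client_credentials and authorization_code grant types");
            }
            // Fail with a clear message instead of an NPE when the secret policy was not wired.
            Assert.state(this.clientSecretValidator != null,
                    "A ClientSecretValidator must be provided to validate client secrets");
            this.clientSecretValidator.validate(client.getClientSecret());
        }
        return client;
    }

    /**
     * Copies the submitted client so validation never mutates the caller's object, carrying over
     * auto-approve scopes and additional information that the copy constructor does not.
     */
    private static BaseClientDetails copyOf(ClientDetails prototype) {
        BaseClientDetails copy = new BaseClientDetails(prototype);
        if (prototype instanceof BaseClientDetails) {
            Set<String> autoApprove = ((BaseClientDetails) prototype).getAutoApproveScopes();
            if (autoApprove != null) {
                copy.setAutoApproveScopes(autoApprove);
            }
        }
        copy.setAdditionalInformation(prototype.getAdditionalInformation());
        return copy;
    }

    /** jwt-bearer clients need a non-empty scope and, when created, a client secret. */
    private void validateJwtBearerClient(BaseClientDetails client, boolean create) {
        String clientId = client.getClientId();
        if (client.getScope() == null || client.getScope().isEmpty()) {
            this.logger.debug("Invalid client: " + clientId
                    + ". Scope cannot be empty for grant_type urn:ietf:params:oauth:grant-type:jwt-bearer");
            throw new InvalidClientDetailsException(
                    "Scope cannot be empty for grant_type urn:ietf:params:oauth:grant-type:jwt-bearer");
        }
        if (create && !StringUtils.hasText(client.getClientSecret())) {
            this.logger.debug("Invalid client: " + clientId
                    + ". Client secret is required for grant type urn:ietf:params:oauth:grant-type:jwt-bearer");
            throw new InvalidClientDetailsException(
                    "Client secret is required for grant type urn:ietf:params:oauth:grant-type:jwt-bearer");
        }
    }

    /** A caller is a client admin when the accessor says so or it holds the clients.admin scope. */
    private boolean isCallerClientAdmin() {
        return this.securityContextAccessor.isAdmin()
                || this.securityContextAccessor.getScopes().contains(CLIENTS_ADMIN_SCOPE);
    }

    /**
     * Restrictions for callers without client-admin rights: no forbidden grant types, no
     * implicit+authorization_code mix, scopes limited to the caller's own, and a fixed authority set.
     */
    private void validateNonAdminRequest(BaseClientDetails client, Set<String> grantTypes) {
        for (String grantType : grantTypes) {
            if (NON_ADMIN_INVALID_GRANTS.contains(grantType)) {
                throw new InvalidClientDetailsException(
                        grantType + " is not an allowed grant type for non-admin caller.");
            }
        }
        if (grantTypes.contains(IMPLICIT) && grantTypes.contains(AUTHORIZATION_CODE)) {
            throw new InvalidClientDetailsException(
                    "Not allowed: implicit grant type is not allowed together with authorization_code");
        }

        String callerId = this.securityContextAccessor.getClientId();
        ClientDetails caller = callerId == null ? null : lookupCallerClient(callerId);
        validateNonAdminScopes(client, callerId, caller);
        validateNonAdminAuthorities(client, grantTypes, callerId);
    }

    /**
     * Looks up the calling client; any failure is logged and treated as "unknown caller", which
     * falls through to the stricter scope rules below (fail closed).
     */
    private ClientDetails lookupCallerClient(String callerId) {
        try {
            return this.clientDetailsService.retrieve(callerId, IdentityZoneHolder.get().getId());
        } catch (Exception e) {
            this.logger.debug("Could not retrieve caller client " + callerId
                    + "; applying null-caller scope rules", e);
            return null;
        }
    }

    /**
     * Without a resolvable caller, every scope must be prefixed with the new client's own id; with one,
     * a scope may also carry the caller's prefix or be one the caller already holds.
     */
    private static void validateNonAdminScopes(BaseClientDetails client, String callerId, ClientDetails caller) {
        String clientId = client.getClientId();
        String ownPrefix = clientId + ".";

        if (callerId == null || caller == null) {
            for (String scope : client.getScope()) {
                if (!scope.startsWith(ownPrefix)) {
                    throw new InvalidClientDetailsException(scope + " is not an allowed scope for null caller and client_id="
                            + clientId + ". Must start with '" + ownPrefix + "'");
                }
            }
            return;
        }

        String callerPrefix = callerId + ".";
        Set<String> callerScopes = caller.getScope() == null ? Collections.<String>emptySet() : caller.getScope();
        for (String scope : client.getScope()) {
            if (!scope.startsWith(callerPrefix) && !scope.startsWith(ownPrefix) && !callerScopes.contains(scope)) {
                throw new InvalidClientDetailsException(scope + " is not an allowed scope for caller=" + callerId
                        + ". Must have prefix in [" + callerPrefix + "," + ownPrefix + "] or be one of: "
                        + callerScopes.toString());
            }
        }
    }

    /** Non-admin callers may only grant uaa.none, plus uaa.resource for client_credentials clients. */
    private static void validateNonAdminAuthorities(BaseClientDetails client, Set<String> grantTypes, String callerId) {
        Set<String> allowed = new HashSet<>(NON_ADMIN_VALID_AUTHORITIES);
        if (grantTypes.contains(CLIENT_CREDENTIALS)) {
            allowed.add("uaa.resource");
        }
        for (String authority : AuthorityUtils.authorityListToSet(client.getAuthorities())) {
            if (!allowed.contains(authority)) {
                throw new InvalidClientDetailsException(authority + " is not an allowed authority for caller="
                        + callerId + ". Must be one of: " + allowed.toString());
            }
        }
    }

    /**
     * Browser-redirect grants (authorization_code, implicit) need at least one registered redirect
     * URI and every registered URI must pass {@link UaaUrlUtils#isValidRegisteredRedirectUrl}.
     *
     * @param clientDetails client to check
     * @throws InvalidClientDetailsException when redirect URIs are missing or one is invalid
     */
    public void validateClientRedirectUri(ClientDetails clientDetails) {
        Set<String> redirectUris = clientDetails.getRegisteredRedirectUri();
        for (String grantType : Arrays.asList(AUTHORIZATION_CODE, IMPLICIT)) {
            if (!clientDetails.getAuthorizedGrantTypes().contains(grantType)) {
                continue;
            }
            if (isMissingRedirectUris(redirectUris)) {
                throw new InvalidClientDetailsException(grantType + " grant type requires at least one redirect URL.");
            }
            for (String uri : redirectUris) {
                if (!UaaUrlUtils.isValidRegisteredRedirectUrl(uri)) {
                    throw new InvalidClientDetailsException(String.format("One of the redirect_uri is invalid: %s", uri));
                }
            }
        }
    }

    private boolean isMissingRedirectUris(Set<String> set) {
        return set == null || set.isEmpty();
    }

    /**
     * Rejects any grant type outside {@link #VALID_GRANTS}.
     *
     * @param set requested grant types; an empty set passes
     * @throws InvalidClientDetailsException naming the first unknown grant type
     */
    public static void checkRequestedGrantTypes(Set<String> set) {
        for (String grantType : set) {
            if (!VALID_GRANTS.contains(grantType)) {
                throw new InvalidClientDetailsException(
                        grantType + " is not an allowed grant type. Must be one of: " + VALID_GRANTS.toString());
            }
        }
    }

    @Override
    public ClientSecretValidator getClientSecretValidator() {
        return this.clientSecretValidator;
    }

    /**
     * Sets the policy applied to client secrets of newly created confidential clients.
     *
     * @param clientSecretValidator secret policy; required when creating clients with a secret
     */
    public void setClientSecretValidator(ClientSecretValidator clientSecretValidator) {
        this.clientSecretValidator = clientSecretValidator;
    }
}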
