package com.azure.spring.aad;

import com.azure.spring.aad.webapp.AuthorizationClientProperties;
import com.azure.spring.aad.webapp.AzureClientRegistration;
import com.azure.spring.autoconfigure.aad.AADAuthenticationProperties;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.util.Assert;

/* loaded from: input_file:com/azure/spring/aad/AADClientRegistrationRepository.class */
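/**
 * {@link ClientRegistrationRepository} that derives its OAuth2 client registrations from
 * {@link AADAuthenticationProperties}.
 *
 * <p>When the application type needs delegation (see {@link #needDelegation()}), the repository
 * builds one aggregate {@code "azure"} registration. Its authorization-code scopes are the union
 * of its own scopes and the scopes of every non-on-demand authorization-code client. Those
 * clients are tracked separately as "delegated" clients.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every registration built here carries the configured client secret. Do not log
 *       {@link ClientRegistration} instances or expose them through diagnostics endpoints.</li>
 *   <li>The scope sets assembled here decide what the user (or an administrator) is asked to
 *       consent to. Keep additions to the minimum the feature needs.</li>
 * </ul>
 */
public class AADClientRegistrationRepository implements ClientRegistrationRepository, Iterable<ClientRegistration> {
    private static final Logger LOGGER = LoggerFactory.getLogger(AADClientRegistrationRepository.class);

    /** Registration id of the aggregate (default) Azure client. */
    public static final String AZURE_CLIENT_REGISTRATION_ID = "azure";

    /** Aggregate Azure client; {@code null} when the application type does not need delegation. */
    protected final AzureClientRegistration azureClient;

    /** Non-on-demand authorization-code clients other than {@code "azure"}, keyed by registration id. */
    protected final Map<String, ClientRegistration> delegatedClients;

    /** Unmodifiable view of every registration known to this repository, keyed by registration id. */
    protected final Map<String, ClientRegistration> allClients;

    protected final AADAuthenticationProperties properties;

    /**
     * Builds all registrations eagerly from the supplied properties.
     *
     * @param aADAuthenticationProperties the AAD configuration to derive registrations from
     */
    public AADClientRegistrationRepository(AADAuthenticationProperties aADAuthenticationProperties) {
        // Order matters. The derived fields read this.properties, and allClients reads
        // delegatedClients and azureClient. If these were field initializers they would run
        // before the constructor body and dereference a still-null properties field.
        this.properties = aADAuthenticationProperties;
        this.azureClient = azureClientRegistration();
        this.delegatedClients = delegatedClientRegistrations();
        this.allClients = allClientRegistrations();
    }

    /**
     * Builds the aggregate {@code "azure"} registration, or returns {@code null} when delegation
     * is not needed.
     */
    private AzureClientRegistration azureClientRegistration() {
        if (!needDelegation()) {
            return null;
        }
        AuthorizationClientProperties azureProperties = this.properties.getAuthorizationClients()
            .getOrDefault(AZURE_CLIENT_REGISTRATION_ID, defaultAzureAuthorizationClientProperties());
        Set<String> authorizationCodeScopes = azureClientAuthorizationCodeScopes();
        ClientRegistration client = toClientRegistrationBuilder(AZURE_CLIENT_REGISTRATION_ID, azureProperties)
            .scope(authorizationCodeScopes)
            .build();
        Set<String> accessTokenScopes = azureClientAccessTokenScopes();
        // If the access-token scopes name no resource server while the authorization-code scopes
        // span more than one, fall back to Graph User.Read for the access token.
        if (resourceServerCount(accessTokenScopes) == 0 && resourceServerCount(authorizationCodeScopes) > 1) {
            accessTokenScopes.add(this.properties.getGraphBaseUri() + "User.Read");
        }
        return new AzureClientRegistration(client, accessTokenScopes);
    }

    /** Returns whether the configured application type is a web application (with or without resource server). */
    private boolean needDelegation() {
        AADApplicationType applicationType = this.properties.getApplicationType();
        return AADApplicationType.WEB_APPLICATION == applicationType
            || AADApplicationType.WEB_APPLICATION_AND_RESOURCE_SERVER == applicationType;
    }

    /** Builds the registrations of all delegated clients; empty when delegation is not needed. */
    private Map<String, ClientRegistration> delegatedClientRegistrations() {
        if (!needDelegation()) {
            return Collections.emptyMap();
        }
        return this.properties.getAuthorizationClients().entrySet().stream()
            .filter(entry -> isAzureDelegatedClientRegistration(entry.getKey(), entry.getValue()))
            .collect(Collectors.toMap(
                Map.Entry::getKey,
                entry -> toClientRegistration(entry.getKey(), entry.getValue())));
    }

    /**
     * Builds the full registration map: every configured client that is not delegated, plus,
     * when delegation is needed, the delegated clients and the aggregate {@code "azure"} client
     * (which replaces any plain {@code "azure"} entry).
     */
    private Map<String, ClientRegistration> allClientRegistrations() {
        // NOTE(review): Collectors.toMap documents no mutability guarantee for its result; the
        // putAll/put below rely on it being mutable, as it is in current JDKs.
        Map<String, ClientRegistration> clients = this.properties.getAuthorizationClients().entrySet().stream()
            .filter(entry -> !this.delegatedClients.containsKey(entry.getKey()))
            .collect(Collectors.toMap(
                Map.Entry::getKey,
                entry -> toClientRegistration(entry.getKey(), entry.getValue())));
        if (needDelegation()) {
            clients.putAll(this.delegatedClients);
            clients.put(AZURE_CLIENT_REGISTRATION_ID, this.azureClient.getClient());
        }
        return Collections.unmodifiableMap(clients);
    }

    /**
     * Creates a registration builder pre-populated from the shared AAD settings (client id,
     * client secret, endpoints) and the per-client grant type and scopes.
     *
     * @param str registration id, also used as the client name
     * @param authorizationClientProperties per-client settings
     * @throws IllegalArgumentException if the grant type is not one of the three handled here
     */
    private ClientRegistration.Builder toClientRegistrationBuilder(String str, AuthorizationClientProperties authorizationClientProperties) {
        AADAuthorizationServerEndpoints endpoints =
            new AADAuthorizationServerEndpoints(this.properties.getBaseUri(), this.properties.getTenantId());
        AuthorizationGrantType grantType;
        switch (authorizationClientProperties.getAuthorizationGrantType()) {
            case AUTHORIZATION_CODE:
                grantType = AuthorizationGrantType.AUTHORIZATION_CODE;
                break;
            case ON_BEHALF_OF:
                grantType = new AuthorizationGrantType(AADAuthorizationGrantType.ON_BEHALF_OF.getValue());
                break;
            case CLIENT_CREDENTIALS:
                grantType = AuthorizationGrantType.CLIENT_CREDENTIALS;
                break;
            default:
                throw new IllegalArgumentException("Unsupported authorization type " + authorizationClientProperties.getAuthorizationGrantType().getValue());
        }
        return ClientRegistration.withRegistrationId(str)
            .clientName(str)
            .authorizationGrantType(grantType)
            .scope(toScopes(authorizationClientProperties))
            .redirectUri(this.properties.getRedirectUriTemplate())
            .userNameAttributeName(this.properties.getUserNameAttribute())
            .clientId(this.properties.getClientId())
            // The same secret is attached to every registration; treat built registrations as sensitive.
            .clientSecret(this.properties.getClientSecret())
            .authorizationUri(endpoints.authorizationEndpoint())
            .tokenUri(endpoints.tokenEndpoint())
            .jwkSetUri(endpoints.jwkSetEndpoint())
            .providerConfigurationMetadata(providerConfigurationMetadata(endpoints));
    }

    /** Default settings for the {@code "azure"} client when none are configured: authorization-code grant. */
    private AuthorizationClientProperties defaultAzureAuthorizationClientProperties() {
        AuthorizationClientProperties defaults = new AuthorizationClientProperties();
        defaults.setAuthorizationGrantType(AADAuthorizationGrantType.AUTHORIZATION_CODE);
        return defaults;
    }

    /**
     * Returns the scopes for a client, ensuring on-demand clients request {@code openid} and
     * {@code profile}.
     *
     * <p>NOTE(review): this appends to the list returned by {@code getScopes()} itself, so the
     * configured properties object is modified in place. Kept as-is because other code may read
     * the list afterwards; confirm before switching to a defensive copy.
     */
    private List<String> toScopes(AuthorizationClientProperties authorizationClientProperties) {
        List<String> scopes = authorizationClientProperties.getScopes();
        if (authorizationClientProperties.isOnDemand()) {
            if (!scopes.contains("openid")) {
                scopes.add("openid");
            }
            if (!scopes.contains("profile")) {
                scopes.add("profile");
            }
        }
        return scopes;
    }

    /** Provider metadata exposing the end-session endpoint under {@code end_session_endpoint}. */
    private Map<String, Object> providerConfigurationMetadata(AADAuthorizationServerEndpoints aADAuthorizationServerEndpoints) {
        Map<String, Object> metadata = new LinkedHashMap<>();
        metadata.put("end_session_endpoint", aADAuthorizationServerEndpoints.endSessionEndpoint());
        return metadata;
    }

    /**
     * Counts the distinct resource prefixes among the given scopes. Only scopes containing
     * {@code '/'} are considered; the prefix is everything before the last {@code '/'}.
     *
     * @param set scope strings
     * @return number of distinct prefixes
     */
    public static int resourceServerCount(Set<String> set) {
        return (int) set.stream()
            .filter(scope -> scope.contains("/"))
            .map(scope -> scope.substring(0, scope.lastIndexOf('/')))
            .distinct()
            .count();
    }

    /** Scopes requested at authorization time: the azure client's own scopes plus all delegated clients' scopes. */
    private Set<String> azureClientAuthorizationCodeScopes() {
        Set<String> scopes = azureClientAccessTokenScopes();
        scopes.addAll(delegatedClientsAccessTokenScopes());
        return scopes;
    }

    /** Union of the scopes of every non-on-demand authorization-code client. */
    private Set<String> delegatedClientsAccessTokenScopes() {
        return this.properties.getAuthorizationClients().values().stream()
            .filter(client -> !client.isOnDemand()
                && AADAuthorizationGrantType.AUTHORIZATION_CODE.equals(client.getAuthorizationGrantType()))
            .flatMap(client -> client.getScopes().stream())
            .collect(Collectors.toSet());
    }

    /**
     * Scopes for the azure client's access token: its configured scopes (if any), the OpenID
     * scopes, and, when group-based filtering is configured, the Graph scopes needed to read
     * group membership.
     */
    private Set<String> azureClientAccessTokenScopes() {
        // Collect into an explicit HashSet: the result is mutated below and by callers, and
        // Collectors.toSet() documents no mutability guarantee.
        Set<String> scopes = Optional.of(this.properties)
            .map(props -> props.getAuthorizationClients())
            .map(clients -> clients.get(AZURE_CLIENT_REGISTRATION_ID))
            .map(client -> client.getScopes())
            .map(configured -> configured.stream())
            .orElseGet(Stream::empty)
            .collect(Collectors.toCollection(HashSet::new));
        scopes.addAll(azureClientOpenidScopes());
        if (this.properties.allowedGroupIdsConfigured() || this.properties.allowedGroupNamesConfigured()) {
            scopes.add(this.properties.getGraphBaseUri() + "User.Read");
            // Directory.Read.All is a broad directory permission that typically needs admin
            // consent; it is requested only when group filtering is configured.
            scopes.add(this.properties.getGraphBaseUri() + "Directory.Read.All");
        }
        return scopes;
    }

    /** {@code openid} and {@code profile}, plus {@code offline_access} when any authorization client is configured. */
    private Set<String> azureClientOpenidScopes() {
        Set<String> scopes = new HashSet<>();
        scopes.add("openid");
        scopes.add("profile");
        if (!this.properties.getAuthorizationClients().isEmpty()) {
            scopes.add("offline_access");
        }
        return scopes;
    }

    private ClientRegistration toClientRegistration(String str, AuthorizationClientProperties authorizationClientProperties) {
        return toClientRegistrationBuilder(str, authorizationClientProperties).build();
    }

    /**
     * A configured client is delegated when it is not the {@code "azure"} client, uses the
     * authorization-code grant, and is not on-demand.
     */
    private boolean isAzureDelegatedClientRegistration(String str, AuthorizationClientProperties authorizationClientProperties) {
        return !AZURE_CLIENT_REGISTRATION_ID.equals(str)
            && AADAuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationClientProperties.getAuthorizationGrantType())
            && !authorizationClientProperties.isOnDemand();
    }

    /**
     * Looks up a registration by id.
     *
     * @param str the registration id; must contain text
     * @return the registration, or {@code null} if the id is unknown
     * @throws IllegalArgumentException if {@code str} is null, empty or blank
     */
    @Override
    public ClientRegistration findByRegistrationId(String str) {
        Assert.hasText(str, "registrationId cannot be empty");
        return this.allClients.get(str);
    }

    /**
     * Iterates the registrations. With delegation only the aggregate {@code "azure"} client is
     * returned; otherwise all registrations are.
     */
    @Override // java.lang.Iterable
    public Iterator<ClientRegistration> iterator() {
        if (needDelegation()) {
            return Collections.singleton(this.azureClient.getClient()).iterator();
        }
        return this.allClients.values().iterator();
    }

    /** Returns the aggregate Azure client, or {@code null} when delegation is not needed. */
    public AzureClientRegistration getAzureClient() {
        return this.azureClient;
    }

    /** Returns whether the given registration is one of the delegated clients. */
    public boolean isAzureDelegatedClientRegistration(ClientRegistration clientRegistration) {
        return this.delegatedClients.containsValue(clientRegistration);
    }

    /** Returns whether the given registration id belongs to a delegated client. */
    public boolean isAzureDelegatedClientRegistration(String str) {
        return this.delegatedClients.containsKey(str);
    }

    /** Returns whether the given id is the default {@code "azure"} registration id. */
    public static boolean isDefaultClient(String str) {
        return AZURE_CLIENT_REGISTRATION_ID.equals(str);
    }
}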
