package org.cloudfoundry.identity.uaa.approval;

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.approval.Approval;
import org.cloudfoundry.identity.uaa.util.TimeService;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.20.0.jar:org/cloudfoundry/identity/uaa/approval/ApprovalService.class */
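/**
 * Verifies that every requested scope is covered before a token is accepted: either the
 * scope is auto-approved for the client, or the approval store holds an {@code APPROVED}
 * record for it that is still active.
 *
 * <p>Parameter names in this class are decompiler output ({@code str}, {@code str2}, ...);
 * the Javadoc on each method states what the code visibly does with them.
 */
public class ApprovalService {
    TimeService timeService;
    ApprovalStore approvalStore;
    private final Log logger = LogFactory.getLog(getClass());

    public ApprovalService(TimeService timeService, ApprovalStore approvalStore) {
        this.timeService = timeService;
        this.approvalStore = approvalStore;
    }

    /**
     * Throws unless every scope in {@code collection} is auto-approved or has an active,
     * approved record in the approval store.
     *
     * @param str first argument of the approval-store lookup (presumably the user id; confirm against callers)
     * @param collection the requested scopes that must all be covered
     * @param str2 compared with {@code "password"} to decide auto-approval (presumably the grant type; confirm against callers)
     * @param baseClientDetails client whose id and auto-approve scopes are consulted
     * @throws InvalidTokenException if a matching approved record has expired, or if any
     *     requested scope remains uncovered
     */
    public void ensureRequiredApprovals(String str, Collection<String> collection, String str2, BaseClientDetails baseClientDetails) {
        Set<String> autoApprovedScopes = getAutoApprovedScopes(str2, collection, baseClientDetails.getAutoApproveScopes());
        if (autoApprovedScopes.containsAll(collection)) {
            // Fully auto-approved: the approval store is not consulted at all on this path.
            return;
        }

        Set<String> approvedScopes = new HashSet<>(autoApprovedScopes);
        for (Approval approval : this.approvalStore.getApprovals(str, baseClientDetails.getClientId(), IdentityZoneHolder.get().getId())) {
            boolean requestedAndApproved = collection.contains(approval.getScope())
                    && approval.getStatus() == Approval.ApprovalStatus.APPROVED;
            if (!requestedAndApproved) {
                continue;
            }
            // Fail closed: one expired APPROVED record for a requested scope rejects the whole
            // request. NOTE(review): this also fires when that scope is already auto-approved,
            // because expiry is checked before the scope is merged into approvedScopes.
            if (!approval.isActiveAsOf(this.timeService.getCurrentDate())) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("Approval " + approval + " has expired. Need to re-approve.");
                }
                throw new InvalidTokenException("Invalid token (approvals expired)");
            }
            approvedScopes.add(approval.getScope());
        }

        if (approvedScopes.containsAll(collection)) {
            return;
        }

        if (this.logger.isDebugEnabled()) {
            this.logger.debug("All requested scopes " + collection + " were not approved. Approved scopes: " + approvedScopes);
        }
        // The exception message lists exactly the requested scopes that are still uncovered.
        Set<String> missingScopes = new HashSet<>(collection);
        missingScopes.removeAll(approvedScopes);
        throw new InvalidTokenException("Invalid token (some requested scopes are not approved): " + missingScopes);
    }

    /**
     * Returns the scopes that need no stored user approval.
     *
     * <p>When {@code obj} renders as {@code "password"}, every requested scope is returned,
     * so such requests never reach the approval store. Otherwise the decision is delegated
     * to {@link UaaTokenUtils#retainAutoApprovedScopes}.
     *
     * @param obj value whose {@code toString()} is compared with {@code "password"}; may be null
     * @param collection the requested scopes
     * @param set the client's auto-approve scopes
     * @return the subset of requested scopes treated as approved without a stored record
     */
    private Set<String> getAutoApprovedScopes(Object obj, Collection<String> collection, Set<String> set) {
        if (obj != null && "password".equals(obj.toString())) {
            return new HashSet<>(collection);
        }
        return UaaTokenUtils.retainAutoApprovedScopes(collection, set);
    }
}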
