package org.cloudfoundry.identity.uaa.oauth;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.log4j.spi.LocationInfo;
import org.cloudfoundry.identity.uaa.approval.Approval;
import org.cloudfoundry.identity.uaa.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.scim.ScimGroupProvisioning;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.config.http.PortMappingsBeanDefinitionParser;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.stereotype.Controller;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;
import org.springframework.web.context.request.WebRequest;

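/**
 * Spring MVC controller for the OAuth2 user-approval step: it builds the model for the
 * {@code access_confirmation} view ({@code /oauth/confirm_access}) and for the
 * {@code access_confirmation_error} view ({@code /oauth/error}).
 *
 * <p>This listing is decompiler output (see the provenance comment on the class), so some
 * literals had been replaced by unrelated library constants that happen to share their value;
 * those are written as plain literals again below.
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>{@link #getLocation} builds an absolute URL from the request's {@code Host} header,
 *       which is supplied by the client.</li>
 *   <li>{@code getScopes} formats scope names into a SCIM filter string.</li>
 *   <li>The model never receives the client secret; the only copy of the client details that
 *       is handed on has its secret cleared first.</li>
 * </ul>
 */
@SessionAttributes({"authorizationRequest"})
@Controller
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.20.0.jar:org/cloudfoundry/identity/uaa/oauth/AccessController.class */
public class AccessController {
    private static final String SCOPE_PREFIX = "scope.";
    // Endpoint the approve/deny options point at.
    private static final String AUTHORIZE_ENDPOINT = "oauth/authorize";

    private ClientServicesExtension clientDetailsService;
    // When TRUE, generated locations always use https regardless of the request scheme.
    private Boolean useSsl;
    private ScimGroupProvisioning groupProvisioning;
    protected final Log logger = LogFactory.getLog(getClass());
    private ApprovalStore approvalStore = null;

    /** Forces {@code https} in generated locations when set to {@code TRUE}. */
    public void setUseSsl(Boolean bool) {
        this.useSsl = bool;
    }

    /** Sets the service used to look up the requesting client in the current identity zone. */
    public void setClientDetailsService(ClientServicesExtension clientServicesExtension) {
        this.clientDetailsService = clientServicesExtension;
    }

    /** Sets the store that holds the user's earlier per-scope approval decisions. */
    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    public ScimGroupProvisioning getGroupProvisioning() {
        return this.groupProvisioning;
    }

    /** Sets the group lookup used to find a description for each scope; returns {@code this}. */
    public AccessController setGroupProvisioning(ScimGroupProvisioning scimGroupProvisioning) {
        this.groupProvisioning = scimGroupProvisioning;
        return this;
    }

    /**
     * Populates the model for the approval page.
     *
     * <p>Scopes are split into three lists: already approved, already denied, and undecided.
     * Scopes the client auto-approves are left out of all three. Stored approvals are read for
     * the user/client/zone and are not filtered against the scopes of the current request.
     *
     * @param map model; the {@code authorizationRequest} entry is removed from it and the
     *     display entries are added
     * @param httpServletRequest current request, used to build the approve/deny locations
     * @param principal must be an {@link Authentication}
     * @param sessionStatus completed when the caller is not authenticated
     * @return the view name {@code access_confirmation}
     * @throws InsufficientAuthenticationException if {@code principal} is not an
     *     {@link Authentication}
     */
    @RequestMapping({"/oauth/confirm_access"})
    public String confirm(Map<String, Object> map, final HttpServletRequest httpServletRequest, Principal principal, SessionStatus sessionStatus) throws Exception {
        if (!(principal instanceof Authentication)) {
            sessionStatus.setComplete();
            throw new InsufficientAuthenticationException("User must be authenticated with before authorizing access.");
        }
        Authentication authentication = (Authentication) principal;

        AuthorizationRequest authorizationRequest = (AuthorizationRequest) map.remove("authorizationRequest");
        if (authorizationRequest == null) {
            map.put("error", "No authorization request is present, so we cannot confirm access (we don't know what you are asking for).");
            return "access_confirmation";
        }

        String clientId = authorizationRequest.getClientId();
        BaseClientDetails client = (BaseClientDetails) this.clientDetailsService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId());
        // Work on a copy with the secret cleared so the secret cannot travel further from here.
        BaseClientDetails clientWithoutSecret = new BaseClientDetails(client);
        clientWithoutSecret.setClientSecret(null);

        map.put("auth_request", authorizationRequest);
        map.put(OAuth2Utils.REDIRECT_URI, getRedirectUri(clientWithoutSecret, authorizationRequest));
        String displayName = (String) client.getAdditionalInformation().get("name");
        map.put("client_display_name", displayName != null ? displayName : clientId);

        // The literal "true" in the auto-approve set means every scope of the client is auto-approved.
        Set<String> autoApproved = new HashSet<>();
        Set<String> configuredAutoApprove = client.getAutoApproveScopes();
        if (configuredAutoApprove != null) {
            if (configuredAutoApprove.contains("true")) {
                autoApproved.addAll(client.getScope());
            } else {
                autoApproved.addAll(configuredAutoApprove);
            }
        }

        ArrayList<String> approvedScopes = new ArrayList<>();
        ArrayList<String> deniedScopes = new ArrayList<>();
        List<Approval> storedApprovals = this.approvalStore.getApprovals(Origin.getUserId(authentication), clientId, IdentityZoneHolder.get().getId());
        for (Approval approval : storedApprovals) {
            if (autoApproved.contains(approval.getScope())) {
                continue;
            }
            switch (approval.getStatus()) {
                case APPROVED:
                    approvedScopes.add(approval.getScope());
                    break;
                case DENIED:
                    deniedScopes.add(approval.getScope());
                    break;
                default:
                    // Reached for an approval whose status is neither APPROVED nor DENIED.
                    this.logger.error("Encountered an unknown scope. This is not supposed to happen");
                    break;
            }
        }

        ArrayList<String> undecidedScopes = new ArrayList<>();
        for (String requested : authorizationRequest.getScope()) {
            boolean decided = approvedScopes.contains(requested) || deniedScopes.contains(requested);
            if (!decided && !autoApproved.contains(requested)) {
                undecidedScopes.add(requested);
            }
        }

        List<Map<String, String>> approvedView = getScopes(approvedScopes);
        List<Map<String, String>> undecidedView = getScopes(undecidedScopes);
        List<Map<String, String>> deniedView = getScopes(deniedScopes);
        map.put("approved_scopes", approvedView);
        map.put("undecided_scopes", undecidedView);
        map.put("denied_scopes", deniedView);

        List<Map<String, String>> allScopes = new ArrayList<>(approvedView);
        allScopes.addAll(undecidedView);
        allScopes.addAll(deniedView);
        map.put("scopes", allScopes);

        map.put("message", "To confirm or deny access POST to the following locations with the parameters requested.");
        Map<String, Object> options = new HashMap<>();
        options.put("confirm", approvalOption(httpServletRequest, "true"));
        options.put("deny", approvalOption(httpServletRequest, "false"));
        map.put("options", options);
        return "access_confirmation";
    }

    // Describes one choice (approve or deny) as the location to POST to and the parameter to send.
    private Map<String, String> approvalOption(HttpServletRequest request, String value) {
        Map<String, String> option = new HashMap<>();
        option.put("location", getLocation(request, AUTHORIZE_ENDPOINT));
        option.put("path", getPath(request, AUTHORIZE_ENDPOINT));
        option.put("key", OAuth2Utils.USER_OAUTH_APPROVAL);
        option.put("value", value);
        return option;
    }

    /**
     * Turns scope names into display entries with a {@code code} ({@code scope.<name>}) and a
     * {@code text} (the matching group's description when it has one, else the scope name).
     * Entries for {@code password} and {@code openid} scopes sort first, the rest by code.
     */
    private List<Map<String, String>> getScopes(List<String> scopeNames) {
        List<Map<String, String>> entries = new ArrayList<>();
        for (String scope : scopeNames) {
            Map<String, String> entry = new HashMap<>();
            entry.put("code", SCOPE_PREFIX + scope);
            // NOTE(review): the scope name is formatted straight into a SCIM filter string. The
            // filter template is not visible here; confirm that scope names are validated (or
            // quotes escaped) before they reach this point so a name cannot alter the filter.
            String filter = String.format(ScimGroupProvisioning.GROUP_BY_NAME_FILTER, scope);
            this.groupProvisioning.query(filter, IdentityZoneHolder.get().getId()).stream().findFirst().ifPresent(scimGroup -> {
                String description = scimGroup.getDescription();
                if (StringUtils.hasText(description)) {
                    entry.put("text", description);
                }
            });
            entry.putIfAbsent("text", scope);
            entries.add(entry);
        }
        entries.sort((left, right) -> {
            String leftCode = left.get("code");
            String rightCode = right.get("code");
            int byPriority = Integer.compare(codeIsPasswordOrOpenId(rightCode), codeIsPasswordOrOpenId(leftCode));
            return byPriority != 0 ? byPriority : leftCode.compareTo(rightCode);
        });
        return entries;
    }

    // Returns 1 for codes that start with scope.password or scope.openid, else 0.
    private int codeIsPasswordOrOpenId(String str) {
        return (str.startsWith(SCOPE_PREFIX + "password") || str.startsWith(SCOPE_PREFIX + "openid")) ? 1 : 0;
    }

    /**
     * Picks the redirect URI to show on the approval page: the one from the request, else the
     * first registered one, with any query string and fragment cut off.
     *
     * <p>No comparison of the requested URI against the registered ones happens in this method.
     * NOTE(review): presumably that check is done earlier in the authorize flow; confirm, and
     * treat the returned value as display data only.
     */
    private String getRedirectUri(ClientDetails clientDetails, AuthorizationRequest authorizationRequest) {
        String redirectUri = authorizationRequest.getRedirectUri();
        Set<String> registered = clientDetails.getRegisteredRedirectUri();
        if (redirectUri == null && registered != null && !registered.isEmpty()) {
            // Which entry comes first depends on the iteration order of the registered set.
            redirectUri = registered.iterator().next();
        }
        if (redirectUri == null) {
            return null;
        }
        // The decompiler had rendered "?" as log4j's LocationInfo.NA, a constant with the same value.
        int queryStart = redirectUri.indexOf("?");
        if (queryStart >= 0) {
            redirectUri = redirectUri.substring(0, queryStart);
        }
        int fragmentStart = redirectUri.indexOf("#");
        if (fragmentStart >= 0) {
            redirectUri = redirectUri.substring(0, fragmentStart);
        }
        return redirectUri;
    }

    /**
     * Copies the request-scoped {@code error} attribute, when present, into the model.
     *
     * <p>NOTE(review): the attribute is passed to the view unchanged; confirm that the
     * {@code access_confirmation_error} template escapes it on output.
     *
     * @return the view name {@code access_confirmation_error}
     */
    @RequestMapping({"/oauth/error"})
    public String handleError(WebRequest webRequest, Map<String, Object> map) throws Exception {
        // SCOPE_REQUEST is the constant behind the bare 0 in the decompiled listing.
        Object error = webRequest.getAttribute("error", WebRequest.SCOPE_REQUEST);
        if (error != null) {
            map.put("error", error);
        }
        return "access_confirmation_error";
    }

    /**
     * Builds an absolute URL for {@code str} from the scheme, the {@code Host} header and the
     * context path.
     *
     * <p>The {@code Host} header is chosen by the client, so the result is only as trustworthy
     * as the host validation in front of this application. NOTE(review): confirm that the
     * deployment rejects or rewrites unexpected {@code Host} values, or render forms from the
     * relative {@code path} entry instead of this location.
     */
    protected String getLocation(HttpServletRequest httpServletRequest, String str) {
        return extractScheme(httpServletRequest) + "://" + httpServletRequest.getHeader("Host") + getPath(httpServletRequest, str);
    }

    /**
     * Joins the context path and {@code str} with exactly one slash between them.
     *
     * <p>Visibility is public in the decompiled listing (JADX reports the modifier was widened
     * from private) and is kept that way for compatibility.
     */
    public String getPath(HttpServletRequest httpServletRequest, String str) {
        String contextPath = httpServletRequest.getContextPath();
        if (contextPath.endsWith("/")) {
            // Drop only the trailing slash. The earlier lastIndexOf("/") - 1 bound also removed
            // the character before it and threw for a context path of "/".
            contextPath = contextPath.substring(0, contextPath.length() - 1);
        }
        if (str.startsWith("/")) {
            str = str.substring(1);
        }
        return contextPath + "/" + str;
    }

    /** Returns {@code https} when {@code useSsl} is TRUE, otherwise the scheme of the request. */
    protected String extractScheme(HttpServletRequest httpServletRequest) {
        // The decompiler had rendered "https" as PortMappingsBeanDefinitionParser.ATT_HTTPS_PORT.
        boolean forceHttps = this.useSsl != null && this.useSsl.booleanValue();
        return forceHttps ? "https" : httpServletRequest.getScheme();
    }
}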
