package org.cloudfoundry.identity.uaa.oauth;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.approval.Approval;
import org.cloudfoundry.identity.uaa.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.error.UaaException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;
import org.springframework.web.context.request.WebRequest;

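/**
 * Spring MVC controller that builds the model for the OAuth2 access-confirmation
 * (consent) view and for the OAuth error view.
 *
 * <p>The pending {@link AuthorizationRequest} is kept as the session attribute
 * {@code authorizationRequest} (see the {@link SessionAttributes} annotation below).
 *
 * <p>This listing was recovered by a decompiler. The synthetic switch-map class and the
 * double-brace-initialised maps it produced are written here as ordinary source.
 */
@SessionAttributes({"authorizationRequest"})
@Controller
public class AccessController {
    /** Prefix put in front of every scope name to form the "code" shown to the view. */
    private static final String SCOPE_PREFIX = "scope.";
    private ClientDetailsService clientDetailsService;
    /** When {@code TRUE}, generated locations always use the {@code https} scheme. */
    private Boolean useSsl;
    protected final Log logger = LogFactory.getLog(getClass());
    private ApprovalStore approvalStore = null;

    /**
     * Forces (or stops forcing) the {@code https} scheme in generated locations.
     *
     * @param bool {@code TRUE} to always emit {@code https}; {@code null} or {@code FALSE}
     *             to use the scheme reported by the servlet request
     */
    public void setUseSsl(Boolean bool) {
        this.useSsl = bool;
    }

    /**
     * @param clientDetailsService service used to look up the client named in the
     *                             authorization request
     */
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * @param approvalStore store queried for the user's earlier approve/deny decisions
     */
    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    /**
     * Populates the model for the consent page of the pending authorization request.
     *
     * <p>Requested scopes are split into approved, denied and undecided lists. Scopes the
     * client is configured to auto-approve are left out of all three, so the user is not
     * prompted for them.
     *
     * @param map                model to fill; the {@code authorizationRequest} entry is removed from it
     * @param httpServletRequest current request, used to build the approve/deny locations
     * @param principal          current user; must be an {@link Authentication}
     * @param sessionStatus      completed when the caller is not authenticated
     * @return the view name {@code access_confirmation}
     * @throws InsufficientAuthenticationException if {@code principal} is not an {@link Authentication}
     * @throws Exception                           propagated from the client or approval lookups
     */
    @RequestMapping({"/oauth/confirm_access"})
    public String confirm(Map<String, Object> map, HttpServletRequest httpServletRequest, Principal principal, SessionStatus sessionStatus) throws Exception {
        if (!(principal instanceof Authentication)) {
            sessionStatus.setComplete();
            throw new InsufficientAuthenticationException("User must be authenticated with before authorizing access.");
        }
        AuthorizationRequest authorizationRequest = (AuthorizationRequest) map.remove("authorizationRequest");
        if (authorizationRequest == null) {
            map.put(UaaException.ERROR, "No authorization request is present, so we cannot confirm access (we don't know what you are asking for).");
            return "access_confirmation";
        }
        String clientId = authorizationRequest.getClientId();
        ClientDetails storedClient = this.clientDetailsService.loadClientByClientId(clientId);
        // The view gets a copy with the secret blanked, so the client secret never reaches the model.
        BaseClientDetails client = new BaseClientDetails(storedClient);
        client.setClientSecret(null);
        map.put("auth_request", authorizationRequest);
        map.put("client", client);
        map.put("redirect_uri", getRedirectUri(client, authorizationRequest));

        Map<String, Object> additionalInformation = storedClient.getAdditionalInformation();
        String displayName = (String) additionalInformation.get("name");
        map.put("client_display_name", displayName != null ? displayName : clientId);

        // "autoapprove" is either a collection of scope names, or true / "true" meaning
        // every scope registered for the client.
        Object autoApprove = additionalInformation.get("autoapprove");
        Collection<Object> autoApprovedScopes = new HashSet<>();
        if (autoApprove instanceof Collection) {
            autoApprovedScopes.addAll((Collection<?>) autoApprove);
        } else if (Boolean.TRUE.equals(autoApprove) || "true".equals(autoApprove)) {
            autoApprovedScopes.addAll(client.getScope());
        }

        ArrayList<String> approvedScopes = new ArrayList<>();
        ArrayList<String> deniedScopes = new ArrayList<>();
        for (Approval approval : this.approvalStore.getApprovals(Origin.getUserId((Authentication) principal), clientId)) {
            if (autoApprovedScopes.contains(approval.getScope())) {
                continue;
            }
            switch (approval.getStatus()) {
                case APPROVED:
                    approvedScopes.add(approval.getScope());
                    break;
                case DENIED:
                    deniedScopes.add(approval.getScope());
                    break;
                default:
                    this.logger.error("Encountered an unknown scope. This is not supposed to happen");
                    break;
            }
        }

        // NOTE(review): the requested scopes are taken from the authorization request as-is;
        // nothing in this method checks them against the client's registered scopes, so that
        // check presumably happens before this controller is reached. Confirm.
        ArrayList<String> undecidedScopes = new ArrayList<>();
        for (String requestedScope : authorizationRequest.getScope()) {
            if (!approvedScopes.contains(requestedScope) && !deniedScopes.contains(requestedScope) && !autoApprovedScopes.contains(requestedScope)) {
                undecidedScopes.add(requestedScope);
            }
        }

        List<Map<String, String>> approved = getScopes(client, approvedScopes);
        List<Map<String, String>> denied = getScopes(client, deniedScopes);
        List<Map<String, String>> undecided = getScopes(client, undecidedScopes);
        map.put("approved_scopes", approved);
        map.put("denied_scopes", denied);
        map.put("undecided_scopes", undecided);

        List<Map<String, String>> allScopes = new ArrayList<>();
        allScopes.addAll(approved);
        allScopes.addAll(denied);
        allScopes.addAll(undecided);
        map.put("scopes", allScopes);

        map.put("message", "To confirm or deny access POST to the following locations with the parameters requested.");
        // Plain maps instead of anonymous HashMap subclasses: the model then holds no hidden
        // reference to this controller or to the servlet request.
        Map<String, Object> options = new HashMap<>();
        options.put("confirm", buildApprovalOption(httpServletRequest, "true"));
        options.put("deny", buildApprovalOption(httpServletRequest, "false"));
        map.put("options", options);
        return "access_confirmation";
    }

    /** Builds one approve/deny entry of the "options" model attribute. */
    private Map<String, String> buildApprovalOption(HttpServletRequest httpServletRequest, String value) {
        Map<String, String> option = new HashMap<>();
        option.put("location", getLocation(httpServletRequest, "oauth/authorize"));
        option.put("path", getPath(httpServletRequest, "oauth/authorize"));
        option.put("key", "user_oauth_approval");
        option.put("value", value);
        return option;
    }

    /**
     * Turns scope names into {@code code}/{@code text} pairs for the consent page, sorted
     * by code with the {@code password} and {@code openid} scopes first.
     *
     * <p>Scopes whose resource part (everything before the last dot) is exactly
     * {@code uaa} are not listed.
     *
     * @param clientDetails not used by this method
     * @param arrayList     scope names to describe
     * @return a new, sorted list; never {@code null}
     */
    private List<Map<String, String>> getScopes(ClientDetails clientDetails, ArrayList<String> arrayList) {
        List<Map<String, String>> described = new ArrayList<>();
        for (String scope : arrayList) {
            Map<String, String> entry = new HashMap<>();
            entry.put("code", SCOPE_PREFIX + scope);
            int lastDot = scope.lastIndexOf(".");
            if (lastDot < 0) {
                entry.put("text", "Access your data with scope '" + scope + "'");
            } else {
                String resource = scope.substring(0, lastDot);
                if ("uaa".equals(resource)) {
                    // NOTE(review): these scopes never appear on the consent page, so the user
                    // is not shown them before granting. Confirm that this is intended.
                    continue;
                }
                String access = scope.substring(lastDot + 1);
                entry.put("text", "Access your '" + resource + "' resources with scope '" + access + "'");
            }
            // NOTE(review): the text embeds scope names that can originate from the request;
            // the view is assumed to HTML-escape it. Confirm against the template.
            described.add(entry);
        }
        Collections.sort(described, new Comparator<Map<String, String>>() {
            @Override
            public int compare(Map<String, String> left, Map<String, String> right) {
                return sortKey(left.get("code")).compareTo(sortKey(right.get("code")));
            }
        });
        return described;
    }

    /** Returns the sort key for a scope code; password and openid scopes get a prefix that sorts them first. */
    private static String sortKey(String code) {
        if (code.startsWith("scope.password") || code.startsWith("scope.openid")) {
            return "aaa" + code;
        }
        return code;
    }

    /**
     * Picks the redirect URI put in the model: the one in the authorization request, or
     * else the first registered one, with any query string and fragment cut off.
     *
     * <p>NOTE(review): no comparison between the requested URI and the registered ones is
     * made here; that validation is presumably done elsewhere. Confirm.
     *
     * @return the trimmed URI, or {@code null} when neither source provides one
     */
    private String getRedirectUri(ClientDetails clientDetails, AuthorizationRequest authorizationRequest) {
        String redirectUri = authorizationRequest.getRedirectUri();
        if (redirectUri == null) {
            Collection<String> registered = clientDetails.getRegisteredRedirectUri();
            if (registered != null && !registered.isEmpty()) {
                redirectUri = registered.iterator().next();
            }
        }
        if (redirectUri == null) {
            return null;
        }
        int query = redirectUri.indexOf("?");
        if (query >= 0) {
            redirectUri = redirectUri.substring(0, query);
        }
        int fragment = redirectUri.indexOf("#");
        if (fragment >= 0) {
            redirectUri = redirectUri.substring(0, fragment);
        }
        return redirectUri;
    }

    /**
     * Copies the request-scoped error attribute, if any, into the model for the error view.
     *
     * @return the view name {@code access_confirmation_error}
     */
    @RequestMapping({"/oauth/error"})
    public String handleError(WebRequest webRequest, Map<String, Object> map) throws Exception {
        Object error = webRequest.getAttribute(UaaException.ERROR, WebRequest.SCOPE_REQUEST);
        if (error != null) {
            map.put(UaaException.ERROR, error);
        }
        return "access_confirmation_error";
    }

    /**
     * Builds the absolute URL of {@code str} inside this application.
     *
     * <p>NOTE(review): the authority comes straight from the {@code Host} request header,
     * which the client controls. The result is put in the model as the location to POST
     * the approval to, so a forged header can change it. Prefer a configured external
     * base URL, or check the header against an allow-list of expected hosts.
     */
    protected String getLocation(HttpServletRequest httpServletRequest, String str) {
        return extractScheme(httpServletRequest) + "://" + httpServletRequest.getHeader("Host") + getPath(httpServletRequest, str);
    }

    /**
     * Joins the servlet context path and {@code str} with exactly one slash between them.
     *
     * <p>Public in this decompiled listing; the decompiler reports that the access modifier
     * was changed from private.
     */
    public String getPath(HttpServletRequest httpServletRequest, String str) {
        String contextPath = httpServletRequest.getContextPath();
        if (contextPath.endsWith("/")) {
            // Drop only the trailing slash. The earlier lastIndexOf("/") - 1 also removed the
            // character before it, and threw StringIndexOutOfBoundsException for "/".
            contextPath = contextPath.substring(0, contextPath.length() - 1);
        }
        if (str.startsWith("/")) {
            str = str.substring(1);
        }
        return contextPath + "/" + str;
    }

    /**
     * Returns {@code https} when {@code useSsl} is {@code TRUE}, otherwise the scheme the
     * servlet request reports.
     */
    protected String extractScheme(HttpServletRequest httpServletRequest) {
        return Boolean.TRUE.equals(this.useSsl) ? "https" : httpServletRequest.getScheme();
    }
}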
