package org.cloudfoundry.identity.uaa.oauth;

import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
import org.cloudfoundry.identity.uaa.provider.IdentityProvider;
import org.cloudfoundry.identity.uaa.provider.IdentityProviderProvisioning;
import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.24.0.jar:org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationRequestManager.class */
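/**
 * UAA's {@link OAuth2RequestFactory}: builds {@link AuthorizationRequest}s and
 * {@link TokenRequest}s from raw request parameters while layering UAA-specific
 * authorization rules on top of the {@link DefaultOAuth2RequestFactory} it wraps.
 *
 * <p>Rules enforced by this class (each one is an authorization control):
 * <ul>
 *   <li>Requested scopes must match the client's registered scopes (or, for the
 *       client_credentials grant, its authorities); entries may be wildcard patterns.</li>
 *   <li>When a user is authenticated, the effective scopes are the intersection of the
 *       requested scopes, the client's scopes and the user's authorities plus the zone's
 *       default groups. An empty intersection is rejected.</li>
 *   <li>A client may restrict which identity providers its users may come from
 *       ({@code ClientConstants.ALLOWED_PROVIDERS}) and which groups they must hold
 *       ({@code ClientConstants.REQUIRED_USER_GROUPS}).</li>
 *   <li>On the token endpoint a {@code client_id} parameter must name the authenticated
 *       client, except for the user_token grant where it names the target client.</li>
 * </ul>
 *
 * <p>The setters write plain (non-volatile) fields; configure the instance before
 * publishing it to other threads.
 */
public class UaaAuthorizationRequestManager implements OAuth2RequestFactory {
    private static final Logger logger = LoggerFactory.getLogger(UaaAuthorizationRequestManager.class);
    private final ClientServicesExtension clientDetailsService;
    // Explicit scope -> resource id overrides; scopes not listed here fall back to the
    // "prefix before the last separator" rule in getResourceIds().
    private Map<String, String> scopeToResource = Collections.singletonMap("openid", "openid");
    private String scopeSeparator = ".";
    private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();
    // Default factory used for the operations this class does not customise.
    private OAuth2RequestFactory requestFactory;
    private final UaaUserDatabase uaaUserDatabase;
    private final IdentityProviderProvisioning providerProvisioning;

    /**
     * {@link TokenRequest} that carries the resource ids and response types computed by
     * this manager, so that the resulting {@link OAuth2Request} reflects UAA's view rather
     * than the one the default factory would derive.
     */
    public class UaaTokenRequest extends TokenRequest {
        private final Set<String> resourceIds;
        Set<String> responseTypes;

        /**
         * @param requestParameters raw token request parameters
         * @param clientId          id of the authenticated client
         * @param scope             effective (already narrowed) scopes
         * @param grantType         requested grant type
         * @param resourceIds       resource ids derived from the scopes and the client
         */
        public UaaTokenRequest(Map<String, String> requestParameters, String clientId, Collection<String> scope,
                               String grantType, Set<String> resourceIds) {
            super(requestParameters, clientId, scope, grantType);
            this.resourceIds = resourceIds;
            // Response types come from the raw parameters, not from the client registration.
            this.responseTypes = OAuth2Utils.parseParameterList(requestParameters.get(OAuth2Utils.RESPONSE_TYPE));
        }

        /**
         * Builds the {@link OAuth2Request} through the superclass and then rebuilds it with
         * this request's resource ids and response types. The result is always flagged as
         * approved ({@code true}).
         *
         * @param client the client the token is issued to
         * @return the request used for token creation
         */
        @Override
        public OAuth2Request createOAuth2Request(ClientDetails client) {
            OAuth2Request base = super.createOAuth2Request(client);
            return new OAuth2Request(base.getRequestParameters(), client.getClientId(), client.getAuthorities(), true,
                    base.getScope(), resourceIds, base.getRedirectUri(), responseTypes, base.getExtensions());
        }
    }

    /** @return the factory delegated to for non-customised operations */
    public OAuth2RequestFactory getRequestFactory() {
        return requestFactory;
    }

    /** @param oAuth2RequestFactory replacement for the default delegate factory */
    public void setRequestFactory(OAuth2RequestFactory oAuth2RequestFactory) {
        this.requestFactory = oAuth2RequestFactory;
    }

    /**
     * @param clientServicesExtension      zone-aware client store
     * @param uaaUserDatabase              user store used to resolve the authenticated user
     * @param identityProviderProvisioning provider store used for IdP allow-list checks
     */
    public UaaAuthorizationRequestManager(ClientServicesExtension clientServicesExtension,
                                          UaaUserDatabase uaaUserDatabase,
                                          IdentityProviderProvisioning identityProviderProvisioning) {
        this.clientDetailsService = clientServicesExtension;
        this.uaaUserDatabase = uaaUserDatabase;
        this.requestFactory = new DefaultOAuth2RequestFactory(clientServicesExtension);
        this.providerProvisioning = identityProviderProvisioning;
    }

    /** @param securityContextAccessor source of the current principal; defaults to the Spring context */
    public void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {
        this.securityContextAccessor = securityContextAccessor;
    }

    /**
     * Replaces the scope -> resource id map (a copy is taken).
     *
     * @param map explicit mappings, e.g. {@code openid -> openid}
     */
    public void setScopesToResources(Map<String, String> map) {
        this.scopeToResource = new HashMap<>(map);
    }

    /** @param str separator between resource id and action in a scope name (default {@code .}) */
    public void setScopeSeparator(String str) {
        this.scopeSeparator = str;
    }

    /**
     * Builds an {@link AuthorizationRequest} for the authorize endpoint.
     *
     * <p>Order of checks: the client is loaded for the current zone; the requested scopes
     * are validated against the client ({@link #validateParameters}); if no scope was
     * requested the client's registered scopes are used; if a user is authenticated the
     * scopes are narrowed to what that user holds ({@link #checkUserScopes}) and the
     * client's IdP allow-list is enforced ({@link #checkClientIdpAuthorization}). Resource
     * ids are then derived from the effective scopes and copied, together with the client's
     * authorities, onto the request.
     *
     * @param parameters raw authorize request parameters; {@code client_id} is read from here
     * @return the populated request
     * @throws InvalidScopeException       if a requested scope is not allowed for the client or user
     * @throws UnauthorizedClientException if the client's IdP restriction rejects the user
     * @throws DisallowedIdpException      if the user's provider is not on the client's allow-list
     */
    @Override
    public AuthorizationRequest createAuthorizationRequest(Map<String, String> parameters) {
        String clientId = parameters.get("client_id");
        // The cast is needed for setResourceIds() below; the client store is expected to hand out
        // BaseClientDetails instances (anything else would fail here with a ClassCastException).
        BaseClientDetails client = (BaseClientDetails) clientDetailsService
                .loadClientByClientId(clientId, IdentityZoneHolder.get().getId());
        validateParameters(parameters, client);
        Set<String> scopes = OAuth2Utils.parseParameterList(parameters.get("scope"));
        Set<String> responseTypes = OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.RESPONSE_TYPE));
        String state = parameters.get(OAuth2Utils.STATE);
        String redirectUri = parameters.get(OAuth2Utils.REDIRECT_URI);
        if (scopes == null || scopes.isEmpty()) {
            // No explicit scope: fall back to everything the client is registered for.
            scopes = client.getScope();
        }
        if (securityContextAccessor.isUser()) {
            UaaUser user = uaaUserDatabase.retrieveUserById(securityContextAccessor.getUserId());
            scopes = checkUserScopes(scopes, user.getAuthorities(), client);
            checkClientIdpAuthorization(client, user);
        }
        // NOTE(review): this mutates the ClientDetails instance returned by the store; whether
        // the store returns a fresh copy per call is not visible here — confirm before sharing it.
        client.setResourceIds(getResourceIds(client, scopes));
        AuthorizationRequest request = new AuthorizationRequest(new HashMap<>(parameters), null, clientId,
                scopes.isEmpty() ? null : scopes, null, null, false, state, redirectUri, responseTypes);
        if (!scopes.isEmpty()) {
            request.setScope(scopes);
        }
        // Resource ids and authorities are taken from the client, never from request parameters.
        request.setResourceIdsAndAuthoritiesFromClientDetails(client);
        return request;
    }

    /**
     * Rejects any requested scope the client is not registered for.
     *
     * <p>Only runs when a {@code scope} parameter is present. The allowed set is the client's
     * scopes, or its authorities when {@code grant_type} is client_credentials; allowed entries
     * are interpreted as wildcard patterns ({@link #constructWildcards}).
     *
     * @param parameters raw request parameters
     * @param client     the client the request is made for
     * @throws InvalidScopeException on the first requested scope that matches no allowed pattern
     */
    public void validateParameters(Map<String, String> parameters, ClientDetails client) {
        if (!parameters.containsKey("scope")) {
            return;
        }
        Set<String> allowed = client.getScope();
        if (TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS.equals(parameters.get("grant_type"))) {
            allowed = AuthorityUtils.authorityListToSet(client.getAuthorities());
        }
        Set<Pattern> allowedPatterns = constructWildcards(allowed);
        for (String requested : OAuth2Utils.parseParameterList(parameters.get("scope"))) {
            if (!matches(allowedPatterns, requested)) {
                throw new InvalidScopeException(requested + " is invalid. Please use a valid scope name in the request");
            }
        }
    }

    /**
     * Enforces the client's identity-provider allow-list
     * ({@code ClientConstants.ALLOWED_PROVIDERS} in the client's additional information).
     *
     * <p>No list means no restriction. An empty list means the client accepts users from no
     * provider at all. Otherwise the user's origin is resolved to a provider in the user's
     * zone and that provider's origin key must be on the list.
     *
     * @param client the client being authorized
     * @param user   the authenticated user
     * @throws UnauthorizedClientException if the list is empty or the user's provider cannot be found
     * @throws DisallowedIdpException      if the provider exists but is not on the list
     */
    @SuppressWarnings("unchecked")
    protected void checkClientIdpAuthorization(BaseClientDetails client, UaaUser user) {
        List<String> allowedProviders =
                (List<String>) client.getAdditionalInformation().get(ClientConstants.ALLOWED_PROVIDERS);
        if (allowedProviders == null) {
            return;
        }
        if (allowedProviders.isEmpty()) {
            throw new UnauthorizedClientException("Client is not authorized for any identity providers.");
        }
        try {
            IdentityProvider provider = providerProvisioning.retrieveByOrigin(user.getOrigin(), user.getZoneId());
            if (provider == null || !allowedProviders.contains(provider.getOriginKey())) {
                throw new DisallowedIdpException("Client is not authorized for specified user's identity provider.");
            }
        } catch (EmptyResultDataAccessException e) {
            // The provisioning layer may signal "no such provider" by exception rather than null.
            throw new UnauthorizedClientException("User does not belong to a valid identity provider.", e);
        }
    }

    /**
     * Narrows the requested scopes to those the authenticated user actually holds.
     *
     * <p>The user's allowed set is their authorities plus the zone's default groups. The
     * result is the intersection of that set, the client's scopes and the requested scopes
     * ({@link #intersectScopes}). Afterwards the client's
     * {@code ClientConstants.REQUIRED_USER_GROUPS} are checked against the user's authorities.
     *
     * @param requested       scopes asked for (or the client's defaults)
     * @param userAuthorities the user's granted authorities
     * @param client          the client the request is made for
     * @return the effective scopes, a subset of the user's allowed set
     * @throws InvalidScopeException if the intersection is empty while the client has scopes,
     *                               or the user lacks a required group
     */
    @SuppressWarnings("unchecked")
    private Set<String> checkUserScopes(Set<String> requested, Collection<? extends GrantedAuthority> userAuthorities,
                                        ClientDetails client) {
        Set<String> userAllowed = new LinkedHashSet<>(AuthorityUtils.authorityListToSet(userAuthorities));
        userAllowed.addAll(IdentityZoneHolder.get().getConfig().getUserConfig().getDefaultGroups());
        Set<String> effective = intersectScopes(new LinkedHashSet<>(requested), client.getScope(), userAllowed);
        if (effective.isEmpty() && !client.getScope().isEmpty()) {
            logger.warn("The requested scopes are invalid");
            throw new InvalidScopeException(requested + " is invalid. This user is not allowed any of the requested scopes");
        }
        Collection<String> requiredGroups = Optional
                .ofNullable((Collection<String>) client.getAdditionalInformation().get(ClientConstants.REQUIRED_USER_GROUPS))
                .orElse(Collections.emptySet());
        if (!UaaTokenUtils.hasRequiredUserAuthorities(requiredGroups, userAuthorities)) {
            logger.warn("The requested scopes are invalid");
            throw new InvalidScopeException("User does not meet the client's required group criteria.");
        }
        return effective;
    }

    /**
     * Computes the scopes permitted by all three inputs.
     *
     * <p>Starts from {@code userScopes} and drops every entry that matches none of the client
     * scopes, then every entry that matches none of the requested scopes. Client and requested
     * scopes are treated as wildcard patterns; user scopes are matched literally. The result
     * is therefore always a subset of the user's scopes.
     *
     * @param requested    scopes asked for in the request (patterns)
     * @param clientScopes scopes the client is registered for (patterns)
     * @param userScopes   scopes the user holds (literals)
     * @return a new, unordered set
     */
    protected Set<String> intersectScopes(Set<String> requested, Set<String> clientScopes, Set<String> userScopes) {
        Set<String> result = new HashSet<>(userScopes);
        Set<Pattern> clientPatterns = constructWildcards(clientScopes);
        result.removeIf(scope -> !matches(clientPatterns, scope));
        Set<Pattern> requestedPatterns = constructWildcards(requested);
        result.removeIf(scope -> !matches(requestedPatterns, scope));
        return result;
    }

    /**
     * Turns scope names into wildcard patterns; overridable for tests.
     *
     * @param set scope names, possibly containing wildcards
     * @return compiled patterns
     */
    protected Set<Pattern> constructWildcards(Set<String> set) {
        return UaaStringUtils.constructWildcards(set);
    }

    /**
     * @param set compiled wildcard patterns
     * @param str scope name to test
     * @return whether {@code str} matches any pattern
     */
    protected boolean matches(Set<Pattern> set, String str) {
        return UaaStringUtils.matches(set, str);
    }

    /**
     * Derives the resource ids (token audience) for a set of scopes.
     *
     * <p>The client id is included when non-null. Each scope is mapped through the configured
     * scope -> resource map when present; otherwise a scope of the form {@code resource.action}
     * contributes {@code resource} (everything before the last separator). {@code uaa.none} and
     * scopes ending in the separator contribute nothing. If nothing was collected (only possible
     * with a null client id) the client's registered resource ids are returned instead.
     *
     * @param client the client the token is for
     * @param scopes effective scopes
     * @return resource ids in insertion order
     */
    private Set<String> getResourceIds(ClientDetails client, Set<String> scopes) {
        Set<String> resourceIds = new LinkedHashSet<>();
        if (client.getClientId() != null) {
            resourceIds.add(client.getClientId());
        }
        for (String scope : scopes) {
            if (scopeToResource.containsKey(scope)) {
                resourceIds.add(scopeToResource.get(scope));
            } else if (scope.contains(scopeSeparator) && !scope.endsWith(scopeSeparator) && !scope.equals("uaa.none")) {
                resourceIds.add(scope.substring(0, scope.lastIndexOf(scopeSeparator)));
            }
        }
        return resourceIds.isEmpty() ? client.getResourceIds() : resourceIds;
    }

    /**
     * Delegates to the wrapped factory; no UAA-specific checks are applied here.
     *
     * @param authorizationRequest the approved authorization request
     * @return the request used for token creation
     */
    @Override
    public OAuth2Request createOAuth2Request(AuthorizationRequest authorizationRequest) {
        return requestFactory.createOAuth2Request(authorizationRequest);
    }

    /**
     * Delegates to the wrapped factory; no UAA-specific checks are applied here.
     *
     * @param clientDetails the client
     * @param tokenRequest  the token request
     * @return the request used for token creation
     */
    @Override
    public OAuth2Request createOAuth2Request(ClientDetails clientDetails, TokenRequest tokenRequest) {
        return requestFactory.createOAuth2Request(clientDetails, tokenRequest);
    }

    /**
     * Builds a {@link UaaTokenRequest} for the token endpoint.
     *
     * <p>If the request carries a {@code client_id} it must equal the authenticated client's
     * id, except for the user_token grant where it names the target client: that client is
     * loaded for the current zone and the authenticated client is recorded under
     * {@code TokenConstants.USER_TOKEN_REQUESTING_CLIENT_ID}. A missing {@code client_id} is
     * taken to mean the authenticated client. Scopes and resource ids are resolved against the
     * target client.
     *
     * @param parameters          raw token request parameters
     * @param authenticatedClient the client that authenticated to the token endpoint
     * @return the token request, with an unmodifiable copy of the parameters
     * @throws InvalidClientException if {@code client_id} names a different client
     */
    @Override
    public TokenRequest createTokenRequest(Map<String, String> parameters, ClientDetails authenticatedClient) {
        ClientDetails targetClient = authenticatedClient;
        Map<String, String> requestParameters = new HashMap<>(parameters);
        String clientId = requestParameters.get("client_id");
        String grantType = requestParameters.get("grant_type");
        if (clientId != null) {
            if (TokenConstants.GRANT_TYPE_USER_TOKEN.equals(grantType)) {
                // user_token: client_id names the target client; record who actually asked.
                targetClient = clientDetailsService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId());
                requestParameters.put(TokenConstants.USER_TOKEN_REQUESTING_CLIENT_ID, authenticatedClient.getClientId());
            } else if (!clientId.equals(authenticatedClient.getClientId())) {
                throw new InvalidClientException("Given client ID does not match authenticated client");
            }
        }
        Set<String> scopes = extractScopes(requestParameters, targetClient);
        return new UaaTokenRequest(Collections.unmodifiableMap(requestParameters), authenticatedClient.getClientId(),
                scopes, grantType, getResourceIds(targetClient, scopes));
    }

    /**
     * Resolves the effective scopes for a token request.
     *
     * <p>With no {@code scope} parameter the default is the client's authorities for the
     * client_credentials grant and the client's scopes otherwise. For every grant other than
     * client_credentials the result is intersected with the client's scopes and the current
     * user's scopes ({@link #getUserScopes}); for client_credentials it is returned as-is.
     *
     * @param parameters raw token request parameters
     * @param client     the client the token is for
     * @return the effective scopes
     */
    protected Set<String> extractScopes(Map<String, String> parameters, ClientDetails client) {
        boolean clientCredentials = TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS.equals(parameters.get("grant_type"));
        Set<String> scopes = OAuth2Utils.parseParameterList(parameters.get("scope"));
        if (scopes == null || scopes.isEmpty()) {
            scopes = clientCredentials
                    ? new HashSet<>(AuthorityUtils.authorityListToSet(client.getAuthorities()))
                    : client.getScope();
        }
        if (!clientCredentials) {
            scopes = intersectScopes(scopes, client.getScope(), getUserScopes());
        }
        // NOTE(review): for client_credentials, explicitly requested scopes are returned without
        // being checked against the client's authorities here, and validateParameters() is not
        // called on this path; that check is presumed to happen elsewhere in the token flow — confirm.
        return scopes;
    }

    /**
     * Authority names of the currently authenticated user; empty when no user is authenticated.
     *
     * <p>Authorities are read from the user database when one was supplied, otherwise from the
     * security context.
     *
     * @return a new mutable set
     */
    protected Set<String> getUserScopes() {
        if (!securityContextAccessor.isUser()) {
            return new HashSet<>();
        }
        Collection<? extends GrantedAuthority> authorities = uaaUserDatabase != null
                ? uaaUserDatabase.retrieveUserById(securityContextAccessor.getUserId()).getAuthorities()
                : securityContextAccessor.getAuthorities();
        return new HashSet<>(AuthorityUtils.authorityListToSet(authorities));
    }

    /**
     * Delegates to the wrapped factory; no UAA-specific checks are applied here.
     *
     * @param authorizationRequest the approved authorization request
     * @param str                  the grant type
     * @return the token request
     */
    @Override
    public TokenRequest createTokenRequest(AuthorizationRequest authorizationRequest, String str) {
        return requestFactory.createTokenRequest(authorizationRequest, str);
    }
}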
