package org.cloudfoundry.identity.uaa.oauth;

import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.cloudfoundry.identity.uaa.authorization.ExternalGroupMappingAuthorizationManager;
import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.AuthorizationRequestManager;
import org.springframework.security.oauth2.provider.BaseClientDetails;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-common-1.6.0.jar:org/cloudfoundry/identity/uaa/oauth/UaaAuthorizationRequestManager.class */
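/**
 * Builds and validates OAuth2 {@link AuthorizationRequest}s for the UAA.
 *
 * <p>On top of the plain Spring Security OAuth behaviour this manager
 * <ul>
 *   <li>falls back to the client's registered scopes (or, for the
 *       {@code client_credentials} grant, its authorities) when the request
 *       carries no {@code scope} parameter,</li>
 *   <li>for user-initiated grants narrows the requested scopes to those the
 *       current user holds (plus the configured default scopes) <em>and</em>
 *       the client is registered for, failing with an
 *       {@link InvalidScopeException} when nothing survives,</li>
 *   <li>derives the resource ids from the scope names (explicit
 *       scope-to-resource mapping first, otherwise the prefix before the last
 *       separator), and</li>
 *   <li>when an {@link ExternalGroupMappingAuthorizationManager} is
 *       configured, records the scopes mapped from the {@code authorities}
 *       request parameter under the extra {@code external_scopes} parameter
 *       (the granted scope set itself is not widened by them here).</li>
 * </ul>
 *
 * <p>The setters are intended for wiring-time configuration; the fields they
 * assign are plain (non-volatile) and presumably not expected to change
 * concurrently with request processing.
 */
public class UaaAuthorizationRequestManager implements AuthorizationRequestManager {

    // Wire-protocol names; kept as literals so the messages/parameters stay exact.
    private static final String GRANT_TYPE_PARAM = "grant_type";
    private static final String SCOPE_PARAM = "scope";
    private static final String AUTHORITIES_PARAM = "authorities";
    private static final String EXTERNAL_SCOPES_PARAM = "external_scopes";
    private static final String CLIENT_CREDENTIALS_GRANT = "client_credentials";
    private static final String UAA_NONE_SCOPE = "uaa.none";

    private final ClientDetailsService clientDetailsService;
    private Map<String, String> scopeToResource = Collections.singletonMap("openid", "openid");
    private String scopeSeparator = ".";
    private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();
    private Collection<String> defaultScopes = new HashSet<String>();
    private ExternalGroupMappingAuthorizationManager externalGroupMappingAuthorizationManager = null;

    /**
     * @param clientDetailsService used to load the registration of the client named by
     *        {@link AuthorizationRequest#CLIENT_ID} in each request
     */
    public UaaAuthorizationRequestManager(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * Scopes every user is treated as holding in addition to his granted authorities when
     * a user-initiated request is narrowed (see {@link #checkUserScopes}). The collection is
     * stored by reference, not copied.
     *
     * @param collection the default scopes
     */
    public void setDefaultScopes(Collection<String> collection) {
        this.defaultScopes = collection;
    }

    /**
     * @param securityContextAccessor source of the current principal's type and authorities;
     *        defaults to {@link DefaultSecurityContextAccessor}
     */
    public void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {
        this.securityContextAccessor = securityContextAccessor;
    }

    /**
     * Explicit scope-name to resource-id mapping consulted before the separator-based
     * derivation in {@link #getResourceIds}. The map is copied.
     *
     * @param map scope name to resource id
     */
    public void setScopesToResources(Map<String, String> map) {
        this.scopeToResource = new HashMap<String, String>(map);
    }

    /**
     * @param str separator between the resource prefix and the action in a scope name;
     *        defaults to {@code "."}
     */
    public void setScopeSeparator(String str) {
        this.scopeSeparator = str;
    }

    /**
     * Creates the authorization request for the given parameters, resolving the effective
     * scopes and resource ids as described on the class.
     *
     * @param map the raw authorization parameters (client id, grant type, scope, ...)
     * @return the request, carrying the (possibly narrowed) scopes, the client details with
     *         derived resource ids, and {@code external_scopes} for user grants when an
     *         external group mapping manager is configured
     * @throws InvalidScopeException from {@link #checkUserScopes} when a user grant would be
     *         left without any scope
     */
    @Override
    public AuthorizationRequest createAuthorizationRequest(Map<String, String> map) {
        // Copy-constructed so that setResourceIds() below presumably does not alter the
        // registration held by the ClientDetailsService.
        BaseClientDetails clientDetails = new BaseClientDetails(
                this.clientDetailsService.loadClientByClientId(map.get(AuthorizationRequest.CLIENT_ID)));
        boolean clientCredentials = CLIENT_CREDENTIALS_GRANT.equals(map.get(GRANT_TYPE_PARAM));

        Set<String> scopes = OAuth2Utils.parseParameterList(map.get(SCOPE_PARAM));
        if (scopes == null || scopes.isEmpty()) {
            // No explicit scope: client_credentials defaults to the client's authorities,
            // every other grant to the client's registered scopes.
            scopes = clientCredentials
                    ? AuthorityUtils.authorityListToSet(clientDetails.getAuthorities())
                    : clientDetails.getScope();
        }

        Set<String> externalScopes = null;
        if (!clientCredentials && this.securityContextAccessor.isUser()) {
            // User-initiated grant: only scopes the user may grant and the client is
            // registered for survive; an empty result is rejected inside checkUserScopes.
            scopes = checkUserScopes(scopes, this.securityContextAccessor.getAuthorities(), clientDetails);
            externalScopes = findScopesFromAuthorities(map.get(AUTHORITIES_PARAM));
        }
        clientDetails.setResourceIds(getResourceIds(clientDetails, scopes));

        DefaultAuthorizationRequest request = new DefaultAuthorizationRequest(map);
        if (!scopes.isEmpty()) {
            request.setScope(scopes);
        }
        if (externalScopes != null) {
            // Externally mapped scopes travel as a separate parameter, not as granted scope.
            Map<String, String> parameters =
                    new LinkedHashMap<String, String>(request.getAuthorizationParameters());
            parameters.put(EXTERNAL_SCOPES_PARAM, OAuth2Utils.formatParameterList(externalScopes));
            request.setAuthorizationParameters(parameters);
        }
        request.addClientDetails(clientDetails);
        return request;
    }

    /**
     * Maps the {@code authorities} request parameter to scopes via the configured external
     * group mapping manager.
     *
     * @param authorities the raw {@code authorities} parameter value (may be {@code null})
     * @return the mapped scopes, or an empty set when no manager is configured
     */
    private Set<String> findScopesFromAuthorities(String authorities) {
        if (this.externalGroupMappingAuthorizationManager == null) {
            return new HashSet<String>();
        }
        return this.externalGroupMappingAuthorizationManager.findScopesFromAuthorities(authorities);
    }

    /**
     * Rejects any explicitly requested scope the client is not registered for. For the
     * {@code client_credentials} grant the client's authorities are the permitted set,
     * otherwise its registered scopes. A request without a {@code scope} parameter is
     * accepted as-is (defaults are applied in {@link #createAuthorizationRequest}).
     *
     * @param map the raw authorization parameters
     * @param clientDetails the requesting client's registration
     * @throws InvalidScopeException naming the first scope that is not permitted
     */
    @Override
    public void validateParameters(Map<String, String> map, ClientDetails clientDetails) {
        if (!map.containsKey(SCOPE_PARAM)) {
            return;
        }
        Set<String> permitted = CLIENT_CREDENTIALS_GRANT.equals(map.get(GRANT_TYPE_PARAM))
                ? AuthorityUtils.authorityListToSet(clientDetails.getAuthorities())
                : clientDetails.getScope();
        for (String requested : OAuth2Utils.parseParameterList(map.get(SCOPE_PARAM))) {
            if (!permitted.contains(requested)) {
                throw new InvalidScopeException("Invalid scope: " + requested + ". Did you know that you can get default scopes by simply sending no value?", permitted);
            }
        }
    }

    /**
     * Narrows a user's requested scopes to the intersection of
     * (user authorities ∪ default scopes) ∩ client scopes ∩ requested scopes, preserving
     * request order.
     *
     * @param requested the scopes asked for (already defaulted if the request had none)
     * @param userAuthorities the current user's granted authorities
     * @param clientDetails the requesting client's registration
     * @return the surviving scopes; may be empty only when the client has no scopes at all
     * @throws InvalidScopeException when the client has scopes but none of the requested
     *         ones is allowed for this user/client combination
     */
    private Set<String> checkUserScopes(Set<String> requested,
            Collection<? extends GrantedAuthority> userAuthorities, ClientDetails clientDetails) {
        // What the user may grant: his authorities plus the configured defaults, limited
        // to what the client is registered for.
        Set<String> allowed = new LinkedHashSet<String>(AuthorityUtils.authorityListToSet(userAuthorities));
        allowed.addAll(this.defaultScopes);
        allowed.retainAll(clientDetails.getScope());

        Set<String> granted = new LinkedHashSet<String>(requested);
        granted.retainAll(allowed);

        // A client with no registered scopes legitimately ends up with none; otherwise an
        // empty result means the request asked only for scopes this user cannot grant.
        if (granted.isEmpty() && !clientDetails.getScope().isEmpty()) {
            throw new InvalidScopeException("Invalid scope (empty) - this user is not allowed any of the requested scopes: " + requested + " (either you requested a scope that was not allowed or client '" + clientDetails.getClientId() + "' is not allowed to act on behalf of this user)", allowed);
        }
        return granted;
    }

    /**
     * Derives resource ids from scope names: an explicit mapping wins, otherwise a scope of
     * the form {@code prefix<sep>action} yields {@code prefix}. Scopes without a separator,
     * ending in the separator, or equal to {@code uaa.none} contribute nothing.
     *
     * @param clientDetails fallback source of resource ids when none can be derived
     * @param scopes the effective scopes of the request
     * @return the derived resource ids, or the client's registered ones when none were derived
     */
    private Set<String> getResourceIds(ClientDetails clientDetails, Set<String> scopes) {
        Set<String> resourceIds = new LinkedHashSet<String>();
        for (String scope : scopes) {
            if (this.scopeToResource.containsKey(scope)) {
                resourceIds.add(this.scopeToResource.get(scope));
            } else if (scope.contains(this.scopeSeparator)
                    && !scope.endsWith(this.scopeSeparator)
                    && !scope.equals(UAA_NONE_SCOPE)) {
                // e.g. "foo.bar.read" -> "foo.bar": everything before the last separator.
                resourceIds.add(scope.substring(0, scope.lastIndexOf(this.scopeSeparator)));
            }
        }
        return resourceIds.isEmpty() ? clientDetails.getResourceIds() : resourceIds;
    }

    /**
     * @param externalGroupMappingAuthorizationManager maps the {@code authorities} request
     *        parameter to scopes for user grants; {@code null} (the default) disables this
     */
    public void setExternalGroupMappingAuthorizationManager(ExternalGroupMappingAuthorizationManager externalGroupMappingAuthorizationManager) {
        this.externalGroupMappingAuthorizationManager = externalGroupMappingAuthorizationManager;
    }
}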
