package org.cloudfoundry.identity.uaa.oauth;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
import org.cloudfoundry.identity.uaa.error.UaaException;
import org.cloudfoundry.identity.uaa.message.SimpleMessage;
import org.cloudfoundry.identity.uaa.oauth.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification;
import org.cloudfoundry.identity.uaa.rest.AttributeNameMapper;
import org.cloudfoundry.identity.uaa.rest.QueryableResourceManager;
import org.cloudfoundry.identity.uaa.rest.SearchResults;
import org.cloudfoundry.identity.uaa.rest.SearchResultsFactory;
import org.cloudfoundry.identity.uaa.rest.SimpleAttributeNameMapper;
import org.cloudfoundry.identity.uaa.security.DefaultSecurityContextAccessor;
import org.cloudfoundry.identity.uaa.security.SecurityContextAccessor;
import org.cloudfoundry.identity.uaa.util.UaaPagingUtils;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.SpelParseException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.jmx.export.annotation.ManagedMetric;
import org.springframework.jmx.export.annotation.ManagedResource;
import org.springframework.jmx.support.MetricType;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.BadClientCredentialsException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.provider.BaseClientDetails;
import org.springframework.security.oauth2.provider.ClientAlreadyExistsException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientRegistrationService;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.stereotype.Controller;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

@Controller
@ManagedResource
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-common-1.6.5.jar:org/cloudfoundry/identity/uaa/oauth/ClientAdminEndpoints.class */
public class ClientAdminEndpoints implements InitializingBean {
    private static final String SCIM_CLIENTS_SCHEMA_URI = "http://cloudfoundry.org/schema/scim/oauth-clients-1.0";
    private static final Set<String> VALID_GRANTS = new HashSet(Arrays.asList("implicit", "password", "client_credentials", "authorization_code", OAuth2AccessToken.REFRESH_TOKEN));
    private static final Collection<String> NON_ADMIN_INVALID_GRANTS = new HashSet(Arrays.asList("password"));
    private static final Collection<String> NON_ADMIN_VALID_AUTHORITIES = new HashSet(Arrays.asList("uaa.none"));
    private ClientRegistrationService clientRegistrationService;
    private QueryableResourceManager<ClientDetails> clientDetailsService;
    private ApprovalStore approvalStore;
    private AuthenticationManager authenticationManager;
    private final Log logger = LogFactory.getLog(getClass());
    private AttributeNameMapper attributeNameMapper = new SimpleAttributeNameMapper(Collections.emptyMap());
    private SecurityContextAccessor securityContextAccessor = new DefaultSecurityContextAccessor();
    private final Map<String, AtomicInteger> errorCounts = new ConcurrentHashMap();
    private AtomicInteger clientUpdates = new AtomicInteger();
    private AtomicInteger clientDeletes = new AtomicInteger();
    private AtomicInteger clientSecretChanges = new AtomicInteger();
    private Set<String> reservedClientIds = StringUtils.commaDelimitedListToSet("uaa");

    public ApprovalStore getApprovalStore() {
        return this.approvalStore;
    }

    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    public AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void setAttributeNameMapper(AttributeNameMapper attributeNameMapper) {
        this.attributeNameMapper = attributeNameMapper;
    }

    public void setClientRegistrationService(ClientRegistrationService clientRegistrationService) {
        this.clientRegistrationService = clientRegistrationService;
    }

    public void setClientDetailsService(QueryableResourceManager<ClientDetails> queryableResourceManager) {
        this.clientDetailsService = queryableResourceManager;
    }

    public void setSecurityContextAccessor(SecurityContextAccessor securityContextAccessor) {
        this.securityContextAccessor = securityContextAccessor;
    }

    @ManagedMetric(metricType = MetricType.COUNTER, displayName = "Client Registration Count")
    public int getTotalClients() {
        return this.clientRegistrationService.listClientDetails().size();
    }

    @ManagedMetric(metricType = MetricType.COUNTER, displayName = "Client Update Count (Since Startup)")
    public int getClientUpdates() {
        return this.clientUpdates.get();
    }

    @ManagedMetric(metricType = MetricType.COUNTER, displayName = "Client Delete Count (Since Startup)")
    public int getClientDeletes() {
        return this.clientDeletes.get();
    }

    @ManagedMetric(metricType = MetricType.COUNTER, displayName = "Client Secret Change Count (Since Startup)")
    public int getClientSecretChanges() {
        return this.clientSecretChanges.get();
    }

    @ManagedMetric(displayName = "Errors Since Startup")
    public Map<String, AtomicInteger> getErrorCounts() {
        return this.errorCounts;
    }

    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        Assert.state(this.clientRegistrationService != null, "A ClientRegistrationService must be provided");
        Assert.state(this.clientDetailsService != null, "A ClientDetailsService must be provided");
    }

    @RequestMapping(value = {"/oauth/clients/{client}"}, method = {RequestMethod.GET})
    @ResponseBody
    public ClientDetails getClientDetails(@PathVariable String str) throws Exception {
        try {
            return removeSecret(this.clientDetailsService.retrieve(str));
        } catch (BadClientCredentialsException e) {
            throw new NoSuchClientException("No such client: " + str);
        } catch (InvalidClientException e2) {
            throw new NoSuchClientException("No such client: " + str);
        }
    }

    @RequestMapping(value = {"/oauth/clients"}, method = {RequestMethod.POST})
    @ResponseStatus(HttpStatus.CREATED)
    @ResponseBody
    public ClientDetails createClientDetails(@RequestBody BaseClientDetails baseClientDetails) throws Exception {
        this.clientRegistrationService.addClientDetails(validateClient(baseClientDetails, true));
        return removeSecret(baseClientDetails);
    }

    @RequestMapping(value = {"/oauth/clients/tx"}, method = {RequestMethod.POST})
    @ResponseStatus(HttpStatus.CREATED)
    @Transactional
    @ResponseBody
    public ClientDetails[] createClientDetailsTx(@RequestBody BaseClientDetails[] baseClientDetailsArr) throws Exception {
        if (baseClientDetailsArr == null || baseClientDetailsArr.length == 0) {
            throw new NoSuchClientException("Message body does not contain any clients.");
        }
        ClientDetails[] clientDetailsArr = new ClientDetails[baseClientDetailsArr.length];
        for (int i = 0; i < baseClientDetailsArr.length; i++) {
            clientDetailsArr[i] = validateClient(baseClientDetailsArr[i], true);
        }
        return doInsertClientDetails(clientDetailsArr);
    }

    protected ClientDetails[] doInsertClientDetails(ClientDetails[] clientDetailsArr) {
        for (int i = 0; i < clientDetailsArr.length; i++) {
            this.clientRegistrationService.addClientDetails(clientDetailsArr[i]);
            clientDetailsArr[i] = removeSecret(clientDetailsArr[i]);
        }
        return clientDetailsArr;
    }

    @RequestMapping(value = {"/oauth/clients/tx"}, method = {RequestMethod.PUT})
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    @ResponseBody
    public ClientDetails[] updateClientDetailsTx(@RequestBody BaseClientDetails[] baseClientDetailsArr) throws Exception {
        if (baseClientDetailsArr == null || baseClientDetailsArr.length == 0) {
            throw new InvalidClientDetailsException("No clients specified for update.");
        }
        ClientDetails[] clientDetailsArr = new ClientDetails[baseClientDetailsArr.length];
        for (int i = 0; i < baseClientDetailsArr.length; i++) {
            BaseClientDetails baseClientDetails = baseClientDetailsArr[i];
            ClientDetails clientDetails = getClientDetails(baseClientDetails.getClientId());
            if (clientDetails == null) {
                throw new NoSuchClientException("Client " + baseClientDetails.getClientId() + " does not exist");
            }
            clientDetailsArr[i] = syncWithExisting(clientDetails, baseClientDetails);
            clientDetailsArr[i] = validateClient(clientDetailsArr[i], false);
        }
        return doProcessUpdates(clientDetailsArr);
    }

    protected ClientDetails[] doProcessUpdates(ClientDetails[] clientDetailsArr) {
        ClientDetails[] clientDetailsArr2 = new ClientDetails[clientDetailsArr.length];
        for (int i = 0; i < clientDetailsArr2.length; i++) {
            this.clientRegistrationService.updateClientDetails(clientDetailsArr[i]);
            this.clientUpdates.incrementAndGet();
            clientDetailsArr2[i] = removeSecret(clientDetailsArr[i]);
        }
        return clientDetailsArr2;
    }

    @RequestMapping(value = {"/oauth/clients/{client}"}, method = {RequestMethod.PUT})
    @ResponseStatus(HttpStatus.OK)
    @ResponseBody
    public ClientDetails updateClientDetails(@RequestBody BaseClientDetails baseClientDetails, @PathVariable("client") String str) throws Exception {
        Assert.state(str.equals(baseClientDetails.getClientId()), String.format("The client id (%s) does not match the URL (%s)", baseClientDetails.getClientId(), str));
        ClientDetails clientDetails = baseClientDetails;
        try {
            ClientDetails clientDetails2 = getClientDetails(str);
            if (clientDetails2 == null) {
                this.logger.warn("Couldn't fetch client config, null, for client_id: " + str);
            } else {
                clientDetails = syncWithExisting(clientDetails2, baseClientDetails);
            }
        } catch (Exception e) {
            this.logger.warn("Couldn't fetch client config for client_id: " + str, e);
        }
        this.clientRegistrationService.updateClientDetails(validateClient(clientDetails, false));
        this.clientUpdates.incrementAndGet();
        return removeSecret(baseClientDetails);
    }

    @RequestMapping(value = {"/oauth/clients/{client}"}, method = {RequestMethod.DELETE})
    @ResponseStatus(HttpStatus.OK)
    @ResponseBody
    public ClientDetails removeClientDetails(@PathVariable String str) throws Exception {
        ClientDetails retrieve = this.clientDetailsService.retrieve(str);
        doProcessDeletes(new ClientDetails[]{retrieve});
        return removeSecret(retrieve);
    }

    @RequestMapping(value = {"/oauth/clients/tx/delete"}, method = {RequestMethod.POST})
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    @ResponseBody
    public ClientDetails[] removeClientDetailsTx(@RequestBody BaseClientDetails[] baseClientDetailsArr) throws Exception {
        ClientDetails[] clientDetailsArr = new ClientDetails[baseClientDetailsArr.length];
        for (int i = 0; i < clientDetailsArr.length; i++) {
            clientDetailsArr[i] = this.clientDetailsService.retrieve(baseClientDetailsArr[i].getClientId());
        }
        return doProcessDeletes(clientDetailsArr);
    }

    @RequestMapping(value = {"/oauth/clients/tx/modify"}, method = {RequestMethod.POST})
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    @ResponseBody
    public ClientDetailsModification[] modifyClientDetailsTx(@RequestBody ClientDetailsModification[] clientDetailsModificationArr) throws Exception {
        ClientDetailsModification[] clientDetailsModificationArr2 = new ClientDetailsModification[clientDetailsModificationArr.length];
        for (int i = 0; i < clientDetailsModificationArr2.length; i++) {
            if (ClientDetailsModification.ADD.equals(clientDetailsModificationArr[i].getAction())) {
                this.clientRegistrationService.addClientDetails(validateClient(clientDetailsModificationArr[i], true));
                this.clientUpdates.incrementAndGet();
                clientDetailsModificationArr2[i] = new ClientDetailsModification(this.clientDetailsService.retrieve(clientDetailsModificationArr[i].getClientId()));
            } else if (ClientDetailsModification.DELETE.equals(clientDetailsModificationArr[i].getAction())) {
                clientDetailsModificationArr2[i] = new ClientDetailsModification(this.clientDetailsService.retrieve(clientDetailsModificationArr[i].getClientId()));
                doProcessDeletes(new ClientDetails[]{clientDetailsModificationArr2[i]});
                clientDetailsModificationArr2[i].setApprovalsDeleted(true);
            } else if (ClientDetailsModification.UPDATE.equals(clientDetailsModificationArr[i].getAction())) {
                clientDetailsModificationArr2[i] = updateClientNotSecret(clientDetailsModificationArr[i]);
            } else if (ClientDetailsModification.UPDATE_SECRET.equals(clientDetailsModificationArr[i].getAction())) {
                boolean updateClientSecret = updateClientSecret(clientDetailsModificationArr[i]);
                clientDetailsModificationArr2[i] = updateClientNotSecret(clientDetailsModificationArr[i]);
                clientDetailsModificationArr2[i].setApprovalsDeleted(updateClientSecret);
            } else {
                if (!ClientDetailsModification.SECRET.equals(clientDetailsModificationArr[i].getAction())) {
                    throw new InvalidClientDetailsException("Invalid action.");
                }
                boolean updateClientSecret2 = updateClientSecret(clientDetailsModificationArr[i]);
                clientDetailsModificationArr2[i] = clientDetailsModificationArr[i];
                clientDetailsModificationArr2[i].setApprovalsDeleted(updateClientSecret2);
            }
            clientDetailsModificationArr2[i].setAction(clientDetailsModificationArr[i].getAction());
            clientDetailsModificationArr2[i].setClientSecret(null);
        }
        return clientDetailsModificationArr2;
    }

    private ClientDetailsModification updateClientNotSecret(ClientDetailsModification clientDetailsModification) {
        ClientDetailsModification clientDetailsModification2 = new ClientDetailsModification(this.clientDetailsService.retrieve(clientDetailsModification.getClientId()));
        this.clientRegistrationService.updateClientDetails(validateClient(clientDetailsModification, false));
        this.clientUpdates.incrementAndGet();
        return clientDetailsModification2;
    }

    private boolean updateClientSecret(ClientDetailsModification clientDetailsModification) {
        boolean z = !authenticateClient(clientDetailsModification.getClientId(), clientDetailsModification.getClientSecret());
        if (z) {
            this.clientRegistrationService.updateClientSecret(clientDetailsModification.getClientId(), clientDetailsModification.getClientSecret());
            deleteApprovals(clientDetailsModification.getClientId());
            clientDetailsModification.setApprovalsDeleted(true);
        }
        return z;
    }

    @RequestMapping(value = {"/oauth/clients/tx/secret"}, method = {RequestMethod.POST})
    @ResponseStatus(HttpStatus.OK)
    @Transactional
    @ResponseBody
    public ClientDetailsModification[] changeSecretTx(@RequestBody SecretChangeRequest[] secretChangeRequestArr) {
        ClientDetailsModification[] clientDetailsModificationArr = new ClientDetailsModification[secretChangeRequestArr.length];
        String str = null;
        for (int i = 0; i < secretChangeRequestArr.length; i++) {
            try {
                str = secretChangeRequestArr[i].getClientId();
                clientDetailsModificationArr[i] = new ClientDetailsModification(this.clientDetailsService.retrieve(str));
                boolean authenticateClient = authenticateClient(str, secretChangeRequestArr[i].getOldSecret());
                this.clientRegistrationService.updateClientSecret(str, secretChangeRequestArr[i].getSecret());
                if (!authenticateClient) {
                    deleteApprovals(str);
                    clientDetailsModificationArr[i].setApprovalsDeleted(true);
                }
                clientDetailsModificationArr[i] = removeSecret(clientDetailsModificationArr[i]);
            } catch (InvalidClientException e) {
                throw new NoSuchClientException("No such client: " + str);
            }
        }
        this.clientSecretChanges.getAndAdd(secretChangeRequestArr.length);
        return clientDetailsModificationArr;
    }

    protected ClientDetails[] doProcessDeletes(ClientDetails[] clientDetailsArr) {
        ClientDetailsModification[] clientDetailsModificationArr = new ClientDetailsModification[clientDetailsArr.length];
        for (int i = 0; i < clientDetailsArr.length; i++) {
            String clientId = clientDetailsArr[i].getClientId();
            this.clientRegistrationService.removeClientDetails(clientId);
            deleteApprovals(clientId);
            this.clientDeletes.incrementAndGet();
            clientDetailsModificationArr[i] = removeSecret(clientDetailsArr[i]);
            clientDetailsModificationArr[i].setApprovalsDeleted(true);
        }
        return clientDetailsModificationArr;
    }

    private void deleteApprovals(String str) {
        if (this.approvalStore == null) {
            throw new UnsupportedOperationException("No approval store configured on " + getClass().getName());
        }
        this.approvalStore.revokeApprovals(String.format("clientId eq '%s'", str));
    }

    @RequestMapping(value = {"/oauth/clients"}, method = {RequestMethod.GET})
    @ResponseBody
    public SearchResults<?> listClientDetails(@RequestParam(value = "attributes", required = false) String str, @RequestParam(required = false, defaultValue = "client_id pr") String str2, @RequestParam(required = false, defaultValue = "client_id") String str3, @RequestParam(required = false, defaultValue = "ascending") String str4, @RequestParam(required = false, defaultValue = "1") int i, @RequestParam(required = false, defaultValue = "100") int i2) throws Exception {
        ArrayList arrayList = new ArrayList();
        try {
            List<ClientDetails> query = this.clientDetailsService.query(str2, str3, "ascending".equalsIgnoreCase(str4));
            if (i2 > query.size()) {
                i2 = query.size();
            }
            Iterator it = UaaPagingUtils.subList(query, i, i2).iterator();
            while (it.hasNext()) {
                arrayList.add(removeSecret((ClientDetails) it.next()));
            }
            if (!StringUtils.hasLength(str)) {
                return new SearchResults<>(Arrays.asList(SCIM_CLIENTS_SCHEMA_URI), arrayList, i, i2, query.size());
            }
            try {
                return SearchResultsFactory.buildSearchResultFrom(arrayList, i, i2, query.size(), str.split(","), this.attributeNameMapper, Arrays.asList(SCIM_CLIENTS_SCHEMA_URI));
            } catch (SpelEvaluationException e) {
                throw new UaaException("Invalid attributes: [" + str + "]", HttpStatus.BAD_REQUEST.value());
            } catch (SpelParseException e2) {
                throw new UaaException("Invalid attributes: [" + str + "]", HttpStatus.BAD_REQUEST.value());
            }
        } catch (IllegalArgumentException e3) {
            throw new UaaException("Invalid filter expression: [" + str2 + "]", HttpStatus.BAD_REQUEST.value());
        }
    }

    @RequestMapping(value = {"/oauth/clients/{client}/secret"}, method = {RequestMethod.PUT})
    public SimpleMessage changeSecret(@PathVariable String str, @RequestBody SecretChangeRequest secretChangeRequest) {
        try {
            try {
                checkPasswordChangeIsAllowed(this.clientDetailsService.retrieve(str), secretChangeRequest.getOldSecret());
                this.clientRegistrationService.updateClientSecret(str, secretChangeRequest.getSecret());
                this.clientSecretChanges.incrementAndGet();
                return new SimpleMessage("ok", "secret updated");
            } catch (IllegalStateException e) {
                throw new InvalidClientDetailsException(e.getMessage());
            }
        } catch (InvalidClientException e2) {
            throw new NoSuchClientException("No such client: " + str);
        }
    }

    @ExceptionHandler({InvalidClientDetailsException.class})
    public ResponseEntity<InvalidClientDetailsException> handleInvalidClientDetails(InvalidClientDetailsException invalidClientDetailsException) {
        incrementErrorCounts(invalidClientDetailsException);
        return new ResponseEntity<>(invalidClientDetailsException, HttpStatus.BAD_REQUEST);
    }

    @ExceptionHandler({NoSuchClientException.class})
    public ResponseEntity<Void> handleNoSuchClient(NoSuchClientException noSuchClientException) {
        incrementErrorCounts(noSuchClientException);
        return new ResponseEntity<>(HttpStatus.NOT_FOUND);
    }

    @ExceptionHandler({ClientAlreadyExistsException.class})
    public ResponseEntity<InvalidClientDetailsException> handleClientAlreadyExists(ClientAlreadyExistsException clientAlreadyExistsException) {
        incrementErrorCounts(clientAlreadyExistsException);
        return new ResponseEntity<>(new InvalidClientDetailsException(clientAlreadyExistsException.getMessage()), HttpStatus.CONFLICT);
    }

    private void incrementErrorCounts(Exception exc) {
        String errorName = UaaStringUtils.getErrorName(exc);
        AtomicInteger atomicInteger = this.errorCounts.get(errorName);
        if (atomicInteger == null) {
            synchronized (this.errorCounts) {
                atomicInteger = this.errorCounts.get(errorName);
                if (atomicInteger == null) {
                    atomicInteger = new AtomicInteger();
                    this.errorCounts.put(errorName, atomicInteger);
                }
            }
        }
        atomicInteger.incrementAndGet();
    }

    private ClientDetails validateClient(ClientDetails clientDetails, boolean z) {
        BaseClientDetails baseClientDetails = new BaseClientDetails(clientDetails);
        baseClientDetails.setAdditionalInformation(clientDetails.getAdditionalInformation());
        String clientId = baseClientDetails.getClientId();
        if (z && this.reservedClientIds.contains(clientId)) {
            throw new InvalidClientDetailsException("Not allowed: " + clientId + " is a reserved client_id");
        }
        Set<String> authorizedGrantTypes = baseClientDetails.getAuthorizedGrantTypes();
        if (authorizedGrantTypes.isEmpty()) {
            throw new InvalidClientDetailsException("An authorized grant type must be provided. Must be one of: " + VALID_GRANTS.toString());
        }
        for (String str : authorizedGrantTypes) {
            if (!VALID_GRANTS.contains(str)) {
                throw new InvalidClientDetailsException(str + " is not an allowed grant type. Must be one of: " + VALID_GRANTS.toString());
            }
        }
        if ((authorizedGrantTypes.contains("authorization_code") || authorizedGrantTypes.contains("password")) && !authorizedGrantTypes.contains(OAuth2AccessToken.REFRESH_TOKEN)) {
            this.logger.debug("requested grant type missing refresh_token: " + clientId);
            authorizedGrantTypes.add(OAuth2AccessToken.REFRESH_TOKEN);
        }
        if (!this.securityContextAccessor.isAdmin()) {
            for (String str2 : authorizedGrantTypes) {
                if (NON_ADMIN_INVALID_GRANTS.contains(str2)) {
                    throw new InvalidClientDetailsException(str2 + " is not an allowed grant type for non-admin caller.");
                }
            }
            if (authorizedGrantTypes.contains("implicit") && authorizedGrantTypes.contains("authorization_code")) {
                throw new InvalidClientDetailsException("Not allowed: implicit grant type is not allowed together with authorization_code");
            }
            String clientId2 = this.securityContextAccessor.getClientId();
            if (clientId2 != null) {
                String str3 = clientId2 + ".";
                String str4 = clientId + ".";
                Set<String> scope = this.clientDetailsService.retrieve(clientId2).getScope();
                for (String str5 : baseClientDetails.getScope()) {
                    if (!str5.startsWith(str3) && !str5.startsWith(str4) && !scope.contains(str5)) {
                        throw new InvalidClientDetailsException(str5 + " is not an allowed scope for caller=" + clientId2 + ". Must have prefix in [" + str3 + "," + str4 + "] or be one of: " + scope.toString());
                    }
                }
            } else {
                String str6 = clientId + ".";
                for (String str7 : baseClientDetails.getScope()) {
                    if (!str7.startsWith(str6)) {
                        throw new InvalidClientDetailsException(str7 + " is not an allowed scope for null caller and client_id=" + clientId + ". Must start with '" + str6 + "'");
                    }
                }
            }
            HashSet hashSet = new HashSet(NON_ADMIN_VALID_AUTHORITIES);
            if (authorizedGrantTypes.contains("client_credentials")) {
                hashSet.add("uaa.resource");
            }
            for (String str8 : AuthorityUtils.authorityListToSet(baseClientDetails.getAuthorities())) {
                if (!hashSet.contains(str8)) {
                    throw new InvalidClientDetailsException(str8 + " is not an allowed authority for caller=" + clientId2 + ". Must be one of: " + hashSet.toString());
                }
            }
        }
        if (baseClientDetails.getAuthorities().isEmpty()) {
            baseClientDetails.setAuthorities(AuthorityUtils.commaSeparatedStringToAuthorityList("uaa.none"));
        }
        baseClientDetails.setResourceIds(Collections.singleton(ClientDetailsModification.NONE));
        if (baseClientDetails.getScope().isEmpty()) {
            baseClientDetails.setScope(Collections.singleton("uaa.none"));
        }
        if (authorizedGrantTypes.contains("implicit") && StringUtils.hasText(baseClientDetails.getClientSecret())) {
            throw new InvalidClientDetailsException("Implicit grant should not have a client_secret");
        }
        if (!z || (!(authorizedGrantTypes.contains("client_credentials") || authorizedGrantTypes.contains("authorization_code")) || StringUtils.hasText(baseClientDetails.getClientSecret()))) {
            return baseClientDetails;
        }
        throw new InvalidClientDetailsException("Client secret is required for client_credentials and authorization_code grant types");
    }

    private void checkPasswordChangeIsAllowed(ClientDetails clientDetails, String str) {
        if (!this.securityContextAccessor.isClient()) {
            throw new IllegalStateException("Only a client can change client secret");
        }
        String clientId = clientDetails.getClientId();
        String clientId2 = this.securityContextAccessor.getClientId();
        if (this.securityContextAccessor.isAdmin()) {
            if (clientId.equals(clientId2) && !authenticateClient(clientId, str)) {
                throw new IllegalStateException("Previous secret is required even for admin");
            }
        } else {
            if (!clientId.equals(clientId2)) {
                this.logger.warn("Client with id " + clientId2 + " attempting to change password for client " + clientId);
                throw new IllegalStateException("Bad request. Not permitted to change another client's secret");
            }
            if (!authenticateClient(clientId, str)) {
                throw new IllegalStateException("Previous secret is required and must be valid");
            }
        }
    }

    private boolean authenticateClient(String str, String str2) {
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(str, str2);
        try {
            HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
            if (request != null) {
                usernamePasswordAuthenticationToken.setDetails(new UaaAuthenticationDetails(request, str));
            }
        } catch (IllegalStateException e) {
        }
        try {
            return this.authenticationManager.authenticate(usernamePasswordAuthenticationToken).isAuthenticated();
        } catch (AuthenticationException e2) {
            return false;
        } catch (Exception e3) {
            this.logger.debug("Unable to authenticate/validate " + str, e3);
            return false;
        }
    }

    private ClientDetailsModification removeSecret(ClientDetails clientDetails) {
        if (clientDetails == null) {
            return null;
        }
        ClientDetailsModification clientDetailsModification = new ClientDetailsModification(clientDetails);
        clientDetailsModification.setClientSecret(null);
        return clientDetailsModification;
    }

    private ClientDetails syncWithExisting(ClientDetails clientDetails, ClientDetails clientDetails2) {
        BaseClientDetails baseClientDetails = new BaseClientDetails(clientDetails2);
        if (baseClientDetails.getAccessTokenValiditySeconds() == null) {
            baseClientDetails.setAccessTokenValiditySeconds(clientDetails.getAccessTokenValiditySeconds());
        }
        if (baseClientDetails.getRefreshTokenValiditySeconds() == null) {
            baseClientDetails.setRefreshTokenValiditySeconds(clientDetails.getRefreshTokenValiditySeconds());
        }
        if (baseClientDetails.getAuthorities() == null || baseClientDetails.getAuthorities().isEmpty()) {
            baseClientDetails.setAuthorities(clientDetails.getAuthorities());
        }
        if (baseClientDetails.getAuthorizedGrantTypes() == null || baseClientDetails.getAuthorizedGrantTypes().isEmpty()) {
            baseClientDetails.setAuthorizedGrantTypes(clientDetails.getAuthorizedGrantTypes());
        }
        if (baseClientDetails.getRegisteredRedirectUri() == null || baseClientDetails.getRegisteredRedirectUri().isEmpty()) {
            baseClientDetails.setRegisteredRedirectUri(clientDetails.getRegisteredRedirectUri());
        }
        if (baseClientDetails.getResourceIds() == null || baseClientDetails.getResourceIds().isEmpty()) {
            baseClientDetails.setResourceIds(clientDetails.getResourceIds());
        }
        if (baseClientDetails.getScope() == null || baseClientDetails.getScope().isEmpty()) {
            baseClientDetails.setScope(clientDetails.getScope());
        }
        HashMap hashMap = new HashMap(clientDetails.getAdditionalInformation());
        hashMap.putAll(clientDetails2.getAdditionalInformation());
        for (String str : Collections.unmodifiableSet(hashMap.keySet())) {
            if (hashMap.get(str) == null) {
                hashMap.remove(str);
            }
        }
        baseClientDetails.setAdditionalInformation(hashMap);
        return baseClientDetails;
    }
}
