package org.springframework.security.oauth2.provider.endpoint;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-2.0.3.RELEASE.jar:org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.class */
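/**
 * Default {@link RedirectResolver}: decides which redirect URI an authorization request may use
 * by comparing the requested value against the redirect URIs registered for the client.
 *
 * <p>Matching rules implemented here (see {@link #redirectMatches(String, String)}):
 * scheme must be equal, host must be equal or (when {@code matchSubdomains} is on) a true
 * subdomain of the registered host, and the requested path must start with the registered path.
 *
 * <p>NOTE(review): port, user-info, query string and fragment are not compared, and the path
 * comparison is a plain character-prefix test. Registrations should therefore be as specific as
 * possible, and deployments that need exact matching should override
 * {@link #redirectMatches(String, String)}.
 */
public class DefaultRedirectResolver implements RedirectResolver {
    /** Grant types for which a redirect URI is meaningful. */
    private Collection<String> redirectGrantTypes = Arrays.asList("implicit", "authorization_code");

    /** When true, a requested host may be a subdomain of the registered host. */
    private boolean matchSubdomains = true;

    /**
     * Enables or disables subdomain matching in {@link #hostMatches(String, String)}.
     *
     * @param matchSubdomains {@code true} to accept subdomains of a registered host,
     *                        {@code false} to require an exact host match
     */
    public void setMatchSubdomains(boolean matchSubdomains) {
        this.matchSubdomains = matchSubdomains;
    }

    /**
     * Replaces the set of grant types that are allowed to use a redirect URI.
     *
     * @param redirectGrantTypes grant type names; copied, so later changes to the argument
     *                           do not affect this resolver
     */
    public void setRedirectGrantTypes(Collection<String> redirectGrantTypes) {
        // Typed copy instead of the raw HashSet the original used.
        this.redirectGrantTypes = new HashSet<String>(redirectGrantTypes);
    }

    /**
     * Resolves the redirect URI to use for the given client.
     *
     * @param requestedRedirect the redirect_uri supplied with the request, may be {@code null}
     * @param clientDetails     the client making the request
     * @return the redirect URI to use
     * @throws InvalidGrantException     if the client has no authorized grant types, or none of
     *                                   them is a redirect grant type
     * @throws RedirectMismatchException if the client has registered redirect URIs and the
     *                                   requested one matches none of them
     * @throws InvalidRequestException   if the client has no registered redirect URIs and no
     *                                   redirect_uri was supplied
     */
    @Override // org.springframework.security.oauth2.provider.endpoint.RedirectResolver
    public String resolveRedirect(String requestedRedirect, ClientDetails clientDetails) throws OAuth2Exception {
        Set<String> authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes();
        if (authorizedGrantTypes.isEmpty()) {
            throw new InvalidGrantException("A client must have at least one authorized grant type.");
        }
        if (!containsRedirectGrantType(authorizedGrantTypes)) {
            throw new InvalidGrantException("A redirect_uri can only be used by implicit or authorization_code grant types.");
        }

        Set<String> registeredRedirectUris = clientDetails.getRegisteredRedirectUri();
        if (registeredRedirectUris != null && !registeredRedirectUris.isEmpty()) {
            return obtainMatchingRedirect(registeredRedirectUris, requestedRedirect);
        }

        // NOTE(review): a client with no registered redirect URI gets the caller-supplied value
        // back with no validation at all. Kept for backward compatibility; every client that uses
        // a redirect grant should have at least one redirect URI registered so this branch is
        // never reached.
        if (StringUtils.hasText(requestedRedirect)) {
            return requestedRedirect;
        }
        throw new InvalidRequestException("A redirect_uri must be supplied.");
    }

    /**
     * Tells whether at least one of the given grant types is a redirect grant type.
     *
     * @param grantTypes the client's authorized grant types
     * @return {@code true} if any entry is contained in {@code redirectGrantTypes}
     */
    private boolean containsRedirectGrantType(Set<String> grantTypes) {
        for (String grantType : grantTypes) {
            if (this.redirectGrantTypes.contains(grantType)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether a requested redirect URI is acceptable for one registered redirect URI.
     *
     * <p>If both values parse as URLs with equal scheme and matching host, the result is whether
     * the cleaned requested path starts with the cleaned registered path. In every other case
     * (scheme or host mismatch, or either value not parseable as a URL) the two strings must be
     * exactly equal.
     *
     * <p>NOTE(review): the path test is a character prefix, not a segment prefix, so a
     * registered path {@code /app} also accepts {@code /application}; the port is not compared.
     *
     * @param requestedRedirect the redirect_uri supplied with the request, not {@code null}
     * @param redirectUri       one registered redirect URI
     * @return {@code true} if the requested value is accepted
     */
    protected boolean redirectMatches(String requestedRedirect, String redirectUri) {
        try {
            URL requested = new URL(requestedRedirect);
            URL registered = new URL(redirectUri);
            if (registered.getProtocol().equals(requested.getProtocol())
                    && hostMatches(registered.getHost(), requested.getHost())) {
                return StringUtils.cleanPath(requested.getPath())
                        .startsWith(StringUtils.cleanPath(registered.getPath()));
            }
        } catch (MalformedURLException ignored) {
            // Deliberate: values that are not URLs (or use a scheme java.net.URL does not know)
            // fall through to the exact string comparison below.
        }
        return requestedRedirect.equals(redirectUri);
    }

    /**
     * Tells whether the requested host is acceptable for the registered host.
     *
     * <p>With subdomain matching enabled the requested host must be the registered host itself
     * or end with {@code "." + registered}. The label boundary is required: a bare suffix test
     * would also accept an unrelated domain whose name merely ends with the registered one
     * (for example {@code notexample.com} against a registered {@code example.com}).
     *
     * @param registered the host of the registered redirect URI
     * @param requested  the host of the requested redirect URI
     * @return {@code true} if the requested host is accepted
     */
    protected boolean hostMatches(String registered, String requested) {
        if (this.matchSubdomains) {
            return registered.equals(requested) || requested.endsWith("." + registered);
        }
        return registered.equals(requested);
    }

    /**
     * Picks the redirect URI to use when the client has registered redirect URIs.
     *
     * @param redirectUris      the client's registered redirect URIs, must not be empty
     * @param requestedRedirect the redirect_uri supplied with the request, may be {@code null}
     * @return the single registered URI when none was requested and exactly one is registered;
     *         otherwise the requested URI, provided it matches a registered one
     * @throws RedirectMismatchException if no registered URI matches, or nothing was requested
     *                                   and more than one URI is registered
     */
    private String obtainMatchingRedirect(Set<String> redirectUris, String requestedRedirect) {
        Assert.notEmpty(redirectUris, "Redirect URIs cannot be empty");
        if (redirectUris.size() == 1 && requestedRedirect == null) {
            return redirectUris.iterator().next();
        }
        if (requestedRedirect != null) {
            for (String redirectUri : redirectUris) {
                if (redirectMatches(requestedRedirect, redirectUri)) {
                    // The requested value, not the registered one, is what gets used.
                    return requestedRedirect;
                }
            }
        }
        throw new RedirectMismatchException("Invalid redirect: " + requestedRedirect + " does not match one of the registered values: " + redirectUris.toString());
    }
}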
