package org.cloudfoundry.identity.uaa.oauth;

import java.util.Collections;
import org.apache.commons.lang.StringUtils;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.ClientDetailsValidator;
import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/oauth/ZoneEndpointsClientDetailsValidator.class */
/**
 * {@link ClientDetailsValidator} that admits only a narrowly scoped kind of client and remembers,
 * via the {@link ClientConstants#CREATED_WITH} entry, which scope was used to create it.
 *
 * <p>Creation is accepted only for clients that have exactly the {@code authorization_code} grant
 * type, exactly the {@code openid} scope, exactly the {@code uaa.resource} authority, a non-blank
 * id and secret, and exactly the internal identity provider in their allowed-provider list.
 * Deletion is accepted only for clients whose {@code CREATED_WITH} entry equals the scope this
 * validator was built with. Modification is never accepted.
 *
 * <p>NOTE(review): registered redirect URIs are not inspected here, and the secret is only checked
 * for being non-blank; confirm both are constrained elsewhere for these authorization_code clients.
 */
public class ZoneEndpointsClientDetailsValidator implements ClientDetailsValidator {
    /** Scope stamped onto admitted clients at creation and required again before deletion. */
    private final String requiredScope;

    /**
     * @param str the scope recorded under {@link ClientConstants#CREATED_WITH} on created clients
     *            and compared against that entry on delete; a {@code null} value makes the delete
     *            path fail with a {@link NullPointerException}
     */
    public ZoneEndpointsClientDetailsValidator(String str) {
        requiredScope = str;
    }

    /**
     * Validates a client for the given operation.
     *
     * @param clientDetails the client as submitted by the caller
     * @param mode the operation being performed
     * @return for {@code CREATE}, a new {@link BaseClientDetails} copy with server-controlled
     *         fields applied; for {@code DELETE}, the same {@code clientDetails} instance
     * @throws InvalidClientDetailsException if the client does not satisfy the rules for the mode
     * @throws IllegalStateException if {@code mode} is {@code MODIFY}, or is anything other than
     *         {@code CREATE} or {@code DELETE} (including {@code null})
     */
    @Override
    public ClientDetails validate(ClientDetails clientDetails, ClientDetailsValidator.Mode mode) throws InvalidClientDetailsException {
        if (mode == ClientDetailsValidator.Mode.CREATE) {
            return admitNewClient(clientDetails);
        }
        if (mode == ClientDetailsValidator.Mode.MODIFY) {
            throw new IllegalStateException("This validator cannot be used for modification requests");
        }
        if (mode == ClientDetailsValidator.Mode.DELETE) {
            return admitDeletion(clientDetails);
        }
        // Deliberately not a switch: a null mode must end up here rather than fail on dispatch.
        throw new IllegalStateException("This validator must be called with a mode");
    }

    /** Allows deletion only of clients whose CREATED_WITH entry matches this validator's scope. */
    private ClientDetails admitDeletion(ClientDetails clientDetails) throws InvalidClientDetailsException {
        Object createdWith = clientDetails.getAdditionalInformation().get(ClientConstants.CREATED_WITH);
        if (!this.requiredScope.equals(createdWith)) {
            throw new InvalidClientDetailsException("client must have been createdwith scope " + this.requiredScope);
        }
        return clientDetails;
    }

    /**
     * Applies the creation rules in a fixed order (the first failing rule decides the error
     * message) and builds the client that is actually returned.
     */
    private ClientDetails admitNewClient(ClientDetails clientDetails) throws InvalidClientDetailsException {
        // Each comparison keeps the expected singleton on the left, so a null or differently
        // sized collection from the request is rejected instead of being dereferenced.
        boolean grantTypesOk = Collections.singleton("authorization_code").equals(clientDetails.getAuthorizedGrantTypes());
        if (!grantTypesOk) {
            throw new InvalidClientDetailsException("only authorization_code grant type is allowed");
        }

        boolean scopeOk = Collections.singleton("openid").equals(clientDetails.getScope());
        if (!scopeOk) {
            throw new InvalidClientDetailsException("only openid scope is allowed");
        }

        boolean authoritiesOk = Collections.singleton("uaa.resource")
                .equals(AuthorityUtils.authorityListToSet(clientDetails.getAuthorities()));
        if (!authoritiesOk) {
            throw new InvalidClientDetailsException("only uaa.resource authority is allowed");
        }

        if (StringUtils.isBlank(clientDetails.getClientId())) {
            throw new InvalidClientDetailsException("client_id cannot be blank");
        }
        if (StringUtils.isBlank(clientDetails.getClientSecret())) {
            throw new InvalidClientDetailsException("client_secret cannot be blank");
        }

        Object allowedProviders = clientDetails.getAdditionalInformation().get(ClientConstants.ALLOWED_PROVIDERS);
        if (!Collections.singletonList(Origin.UAA).equals(allowedProviders)) {
            throw new InvalidClientDetailsException("only the internal IdP ('uaa') is allowed");
        }

        BaseClientDetails admitted = new BaseClientDetails(clientDetails);
        admitted.setAdditionalInformation(clientDetails.getAdditionalInformation());
        admitted.setResourceIds(Collections.singleton(ClientDetailsModification.NONE));
        // Stamped after the caller's additional information is carried over, so a CREATED_WITH
        // value supplied in the request is replaced by the server-side scope, not trusted.
        admitted.addAdditionalInformation(ClientConstants.CREATED_WITH, this.requiredScope);
        return admitted;
    }
}
