package org.cloudfoundry.identity.uaa.oauth;

import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.approval.Approval;
import org.cloudfoundry.identity.uaa.approval.ApprovalStore;
import org.cloudfoundry.identity.uaa.authentication.Origin;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.resources.QueryableResourceManager;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.4.3.jar:org/cloudfoundry/identity/uaa/oauth/UserManagedAuthzApprovalHandler.class */
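/**
 * {@link UserApprovalHandler} that decides whether an OAuth2 authorization request is approved
 * by combining three sources: the client's auto-approve configuration, approvals already held in
 * the {@link ApprovalStore}, and the scope selections submitted with the approval form.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>Scope values taken from the approval parameters are request-controlled. They are only
 *       honoured when they name a scope that the authorization request actually asked for, so a
 *       crafted form submission cannot widen the request.</li>
 *   <li>No approval is written to the store for a principal that is not authenticated.</li>
 *   <li>The configured approval lifetime is kept as a {@code long} so that lifetimes longer than
 *       roughly 24 days do not overflow into an expiry date in the past.</li>
 * </ul>
 */
public class UserManagedAuthzApprovalHandler implements UserApprovalHandler {
    /** Prefix shared by the approval-form parameter names and their values. */
    private static final String SCOPE_PREFIX = "scope.";
    /** Sentinel meaning "no lifetime configured": approvals then expire after one calendar month. */
    private static final long DEFAULT_EXPIRY = -1L;
    private static final Log logger = LogFactory.getLog(UserManagedAuthzApprovalHandler.class);

    private ApprovalStore approvalStore;
    private QueryableResourceManager<ClientDetails> clientDetailsService;
    private final String approvalParameter = OAuth2Utils.USER_OAUTH_APPROVAL;
    private long approvalExpiryInMillis = DEFAULT_EXPIRY;

    /**
     * @param queryableResourceManager source of the client registrations consulted for
     *                                 auto-approve settings
     */
    public void setClientDetailsService(QueryableResourceManager<ClientDetails> queryableResourceManager) {
        this.clientDetailsService = queryableResourceManager;
    }

    /**
     * @param approvalStore store that is read for earlier decisions and written with new ones
     */
    public void setApprovalStore(ApprovalStore approvalStore) {
        this.approvalStore = approvalStore;
    }

    /**
     * Decides whether the authorization request is approved and narrows its scope to what was
     * approved.
     *
     * <p>When the approval flag is absent or not {@code "true"}, the request is approved only if
     * every requested scope already has an unexpired stored decision (or is auto-approved) and the
     * principal is authenticated; the request scope is then reduced to the approved scopes.
     *
     * <p>When the approval flag is {@code "true"}, the submitted {@code scope.*} parameters are
     * read, the request scope is set to the auto-approved plus user-approved scopes, and a
     * decision is stored for the requested scopes.
     *
     * @param authorizationRequest the request under decision; its scope is modified on approval
     * @param authentication       the principal making the decision
     * @return {@code true} if the request may proceed
     */
    @Override
    public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication authentication) {
        String approvalFlag = authorizationRequest.getApprovalParameters().get(approvalParameter);
        boolean approvedByUser = "true".equalsIgnoreCase(approvalFlag);
        String clientId = authorizationRequest.getClientId();

        if (logger.isDebugEnabled()) {
            logger.debug("Looking up user approved authorizations for client_id=" + clientId
                    + " and username=" + authentication.getName());
        }

        Set<String> requestedScopes = authorizationRequest.getScope();
        Set<String> autoApprovedScopes =
                retainAutoApprovedScopes(requestedScopes, configuredAutoApproveScopes(clientId, requestedScopes));

        if (!approvedByUser) {
            return applyStoredApprovals(authorizationRequest, authentication, requestedScopes, autoApprovedScopes);
        }

        // Decisions are persisted under the principal's user id below; refuse before writing
        // anything if that principal is not authenticated.
        if (!authentication.isAuthenticated()) {
            return false;
        }

        Date expiresAt = computeExpiry();
        Set<String> approvedScopes = new HashSet<>(autoApprovedScopes);
        boolean userSubmittedScopes = false;
        for (Map.Entry<String, String> parameter : authorizationRequest.getApprovalParameters().entrySet()) {
            if (!parameter.getKey().startsWith(SCOPE_PREFIX)) {
                continue;
            }
            userSubmittedScopes = true;
            String value = parameter.getValue();
            // The value comes from the request; skip anything too short to carry the prefix
            // instead of failing inside substring().
            if (value == null || value.length() < SCOPE_PREFIX.length()) {
                continue;
            }
            String candidate = value.substring(SCOPE_PREFIX.length());
            // Only scopes the client asked for can be approved; anything else is ignored so the
            // form cannot add scopes to the request.
            if (requestedScopes.contains(candidate)) {
                approvedScopes.add(candidate);
            }
        }

        authorizationRequest.setScope(approvedScopes);
        for (String requestedScope : requestedScopes) {
            if (!approvedScopes.contains(requestedScope)) {
                recordDecision(authentication, clientId, requestedScope, expiresAt, Approval.ApprovalStatus.DENIED);
            } else if (userSubmittedScopes) {
                // Without any scope.* parameter only denials are stored; auto-approved scopes
                // are not written as APPROVED in that case.
                recordDecision(authentication, clientId, requestedScope, expiresAt, Approval.ApprovalStatus.APPROVED);
            }
        }
        return true;
    }

    /**
     * Collects the scopes the client registration marks for auto-approval, before they are
     * matched against the requested scopes.
     */
    private Set<String> configuredAutoApproveScopes(String clientId, Set<String> requestedScopes) {
        Set<String> configured = new HashSet<>();
        ClientDetails client = this.clientDetailsService.retrieve(clientId);
        if (client == null) {
            return configured;
        }
        if (requestedScopes != null) {
            for (String requestedScope : requestedScopes) {
                if (client.isAutoApprove(requestedScope)) {
                    configured.add(requestedScope);
                }
            }
        }
        Map<String, Object> additionalInformation = client.getAdditionalInformation();
        if (additionalInformation == null) {
            return configured;
        }
        Object autoApprove = additionalInformation.get(ClientConstants.AUTO_APPROVE);
        if (autoApprove instanceof Collection) {
            // Keep only String entries: a non-String element cannot name a scope and must not be
            // coerced into one (a Boolean rendered as "true" would read as "approve everything").
            for (Object entry : (Collection<?>) autoApprove) {
                if (entry instanceof String) {
                    configured.add((String) entry);
                }
            }
        } else if (Boolean.TRUE.equals(autoApprove) || "true".equals(autoApprove)) {
            configured.addAll(client.getScope());
        }
        return configured;
    }

    /**
     * Handles a request that carries no explicit user approval: approves it only when every
     * requested scope is auto-approved or has an unexpired stored decision.
     */
    private boolean applyStoredApprovals(AuthorizationRequest authorizationRequest, Authentication authentication,
            Set<String> requestedScopes, Set<String> autoApprovedScopes) {
        List<Approval> storedApprovals =
                this.approvalStore.getApprovals(getUserId(authentication), authorizationRequest.getClientId());
        Set<String> decidedScopes = new HashSet<>(autoApprovedScopes);
        Set<String> grantedScopes = new HashSet<>(autoApprovedScopes);
        Date now = new Date();
        for (Approval stored : storedApprovals) {
            if (!stored.getExpiresAt().after(now)) {
                continue;
            }
            decidedScopes.add(stored.getScope());
            if (stored.getStatus() == Approval.ApprovalStatus.APPROVED) {
                grantedScopes.add(stored.getScope());
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Valid user approved/denied scopes are " + decidedScopes);
        }
        // A scope with no live decision forces the approval page; so does an unauthenticated principal.
        if (!decidedScopes.containsAll(requestedScopes) || !authentication.isAuthenticated()) {
            return false;
        }
        authorizationRequest.setScope(retainAutoApprovedScopes(requestedScopes, grantedScopes));
        return true;
    }

    /** Writes one approve/deny decision for the principal, client and scope to the approval store. */
    private void recordDecision(Authentication authentication, String clientId, String scope, Date expiresAt,
            Approval.ApprovalStatus status) {
        this.approvalStore.addApproval(new Approval()
                .setUserId(getUserId(authentication))
                .setClientId(clientId)
                .setScope(scope)
                .setExpiresAt(expiresAt)
                .setStatus(status));
    }

    /**
     * Delegates to {@link UaaTokenUtils#retainAutoApprovedScopes}; overridable by subclasses.
     *
     * @param collection the requested scopes
     * @param set        the scopes considered approved
     * @return the result of the delegate call
     */
    protected Set<String> retainAutoApprovedScopes(Collection<String> collection, Set<String> set) {
        return UaaTokenUtils.retainAutoApprovedScopes(collection, set);
    }

    /**
     * Resolves the user id under which approvals are read and stored; overridable by subclasses.
     *
     * @param authentication the current principal
     * @return the id returned by {@link Origin#getUserId}
     */
    protected String getUserId(Authentication authentication) {
        return Origin.getUserId(authentication);
    }

    /**
     * Computes the expiry for a newly stored decision: one calendar month from now when no
     * lifetime was configured, otherwise now plus the configured lifetime.
     */
    private Date computeExpiry() {
        if (this.approvalExpiryInMillis == DEFAULT_EXPIRY) {
            Calendar calendar = Calendar.getInstance();
            calendar.add(Calendar.MONTH, 1);
            return calendar.getTime();
        }
        return new Date(System.currentTimeMillis() + this.approvalExpiryInMillis);
    }

    /**
     * Sets how long stored decisions stay valid.
     *
     * @param i lifetime in seconds; converted with {@code long} arithmetic so that values above
     *          {@code Integer.MAX_VALUE / 1000} do not wrap to a negative lifetime
     */
    public void setApprovalExpiryInSeconds(int i) {
        this.approvalExpiryInMillis = i * 1000L;
    }

    /** Returns the request unchanged; this handler performs no pre-approval step. */
    @Override
    public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest, Authentication authentication) {
        return authorizationRequest;
    }

    /** Returns the request unchanged; scope changes are made in {@link #isApproved}. */
    @Override
    public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication authentication) {
        return authorizationRequest;
    }

    /**
     * Builds the model for the approval page.
     *
     * @return a mutable copy of the authorization request's request parameters
     */
    @Override
    public Map<String, Object> getUserApprovalRequest(AuthorizationRequest authorizationRequest, Authentication authentication) {
        return new HashMap<String, Object>(authorizationRequest.getRequestParameters());
    }
}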
