package org.cloudfoundry.identity.uaa.client;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.account.EmailAccountCreationService;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification;
import org.cloudfoundry.identity.uaa.user.UaaAuthority;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.http.PortMappingsBeanDefinitionParser;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.ClientAlreadyExistsException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationService;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.4.5.jar:org/cloudfoundry/identity/uaa/client/ClientAdminBootstrap.class */
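/**
 * Provisions OAuth2 client registrations from static configuration when the bean is initialised.
 *
 * <p>On startup ({@link #afterPropertiesSet()}) it does three things, in this order:
 * <ol>
 *   <li>rewrites registered {@code http://} redirect URIs under the configured domain to
 *       {@code https://},</li>
 *   <li>adds (or, when overriding is enabled, updates) every client in the configured client
 *       map,</li>
 *   <li>sets the auto-approve flag on every client whose id is in the auto-approve list.</li>
 * </ol>
 * Because the HTTPS rewrite runs before new clients are added, a client created in this run is
 * not rewritten until the next startup.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The client map carries the client secret under the {@code secret} key. Nothing in this
 *       class logs the secret; the debug statements log the client id only.</li>
 *   <li>With the default {@code defaultOverride = true}, an existing registration with the same
 *       client id is overwritten by the configured one on every startup, including its
 *       secret.</li>
 *   <li>Auto-approve skips the user consent step for the listed clients, so that list should be
 *       kept as short as possible.</li>
 * </ul>
 *
 * <p>Not thread-safe; the setters are expected to be called during bean wiring only.
 */
public class ClientAdminBootstrap implements InitializingBean {
    private static final Log logger = LogFactory.getLog(ClientAdminBootstrap.class);

    /**
     * Configuration keys that are consumed explicitly and therefore stripped from the map that
     * is stored as the client's additional information. Stripping {@code secret} here is what
     * keeps the configured secret out of the additional-information map.
     */
    private static final Collection<String> NON_ADDITIONAL_INFO_KEYS = Collections.unmodifiableList(Arrays.asList(
            "resource-ids", "scope", "authorized-grant-types", "authorities", "redirect-uri",
            ClientDetailsModification.SECRET, "id", "override", "access-token-validity",
            "refresh-token-validity", "show-on-homepage", "app-launch-url", "app-icon"));

    private ClientRegistrationService clientRegistrationService;
    private ClientMetadataProvisioning clientMetadataProvisioning;
    private final PasswordEncoder passwordEncoder;
    private Map<String, Map<String, Object>> clients = new HashMap<>();
    private Collection<String> autoApproveClients = Collections.emptySet();
    // Stored as a regex fragment (dots escaped), see setDomain.
    private String domain = "cloudfoundry\\.com";
    private boolean defaultOverride = true;

    /**
     * @param passwordEncoder encoder used to compare a configured secret with the stored one;
     *                        may be {@code null}, in which case every configured secret is
     *                        treated as changed (see {@link #didPasswordChange})
     */
    public ClientAdminBootstrap(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    /**
     * Sets whether an already-registered client is overwritten when its configuration entry has
     * no explicit {@code override} value.
     */
    public void setDefaultOverride(boolean defaultOverride) {
        this.defaultOverride = defaultOverride;
    }

    /**
     * Sets the domain whose {@code http://} redirect URIs are upgraded to {@code https://}.
     *
     * <p>Only {@code '.'} is escaped before the value is embedded in a regular expression, so
     * any other regex metacharacter in the value keeps its regex meaning. Pass a plain host
     * name.
     *
     * @throws NullPointerException if {@code domain} is {@code null}
     */
    public void setDomain(String domain) {
        this.domain = domain.replace(".", "\\.");
    }

    public PasswordEncoder getPasswordEncoder() {
        return this.passwordEncoder;
    }

    /**
     * Sets the clients to provision, keyed by client id. The outer map is copied; the per-client
     * maps are not.
     *
     * @param clients client id to configuration map, or {@code null} for none
     */
    public void setClients(Map<String, Map<String, Object>> clients) {
        if (clients == null) {
            this.clients = Collections.emptyMap();
        } else {
            this.clients = new HashMap<>(clients);
        }
    }

    /**
     * Sets the ids of the clients that get the auto-approve flag.
     *
     * @param autoApproveClients client ids, or {@code null} for none
     */
    public void setAutoApproveClients(Collection<String> autoApproveClients) {
        // A null list used to fail later with a NullPointerException inside afterPropertiesSet.
        if (autoApproveClients == null) {
            this.autoApproveClients = Collections.emptySet();
        } else {
            this.autoApproveClients = autoApproveClients;
        }
    }

    public void setClientRegistrationService(ClientRegistrationService clientRegistrationService) {
        this.clientRegistrationService = clientRegistrationService;
    }

    /**
     * Runs the three provisioning steps described on the class.
     *
     * @throws Exception propagated from the client registration or metadata services
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        addHttpsCallbacks();
        addNewClients();
        updateAutoApprovClients();
    }

    /** Sets the auto-approve flag on every registered client whose id is in the configured list. */
    private void updateAutoApprovClients() {
        for (ClientDetails existing : this.clientRegistrationService.listClientDetails()) {
            if (!this.autoApproveClients.contains(existing.getClientId())) {
                continue;
            }
            BaseClientDetails updated = new BaseClientDetails(existing);
            Map<String, Object> additionalInformation = new HashMap<>();
            if (existing.getAdditionalInformation() != null) {
                additionalInformation.putAll(existing.getAdditionalInformation());
            }
            additionalInformation.put(ClientConstants.AUTO_APPROVE, true);
            updated.setAdditionalInformation(additionalInformation);
            // Log the id only: BaseClientDetails.toString() includes the clientSecret field.
            logger.debug("Adding autoapprove flag to client: " + existing.getClientId());
            this.clientRegistrationService.updateClientDetails(updated);
        }
    }

    /**
     * Replaces every registered {@code http://} redirect URI whose host ends in
     * {@code .<domain>} (or merely contains it, see below) with the {@code https://} form of the
     * same URI. The plain-http entry is removed, not kept alongside.
     *
     * <p>The pattern is not anchored at the end of the host: {@code .*} follows the domain
     * directly, so a URI whose host continues after the domain also matches. The only effect of
     * a match is the scheme upgrade of a URI that was already registered.
     */
    private void addHttpsCallbacks() {
        final String httpCallbackRegex = "^http://[^/]*\\." + this.domain + ".*";
        for (ClientDetails existing : this.clientRegistrationService.listClientDetails()) {
            Set<String> registered = existing.getRegisteredRedirectUri();
            if (registered == null || registered.isEmpty()) {
                continue;
            }
            Set<String> rewritten = new HashSet<>(registered);
            boolean changed = false;
            for (String uri : registered) {
                if (uri.matches(httpCallbackRegex)) {
                    changed = true;
                    rewritten.remove(uri);
                    // NOTE(review): the decompiler substituted this Spring constant for what is
                    // presumably the literal "https" in the original source - confirm.
                    rewritten.add(PortMappingsBeanDefinitionParser.ATT_HTTPS_PORT + uri.substring("http".length()));
                }
            }
            if (changed) {
                BaseClientDetails updated = new BaseClientDetails(existing);
                updated.setRegisteredRedirectUri(rewritten);
                // Log the id only: BaseClientDetails.toString() includes the clientSecret field.
                logger.debug("Adding https callback for client: " + existing.getClientId());
                this.clientRegistrationService.updateClientDetails(updated);
            }
        }
    }

    /**
     * Collects the redirect-related values of one client configuration into a comma-delimited
     * string, dropping duplicates.
     *
     * @throws ClassCastException if one of the three values is present but not a {@code String}
     */
    private String getRedirectUris(Map<String, Object> clientConfig) {
        String[] redirectKeys = {
            "redirect-uri", EmailAccountCreationService.SIGNUP_REDIRECT_URL, "change_email_redirect_url"
        };
        Set<String> uris = new HashSet<>();
        for (String redirectKey : redirectKeys) {
            Object configured = clientConfig.get(redirectKey);
            if (configured != null) {
                uris.add((String) configured);
            }
        }
        return StringUtils.arrayToCommaDelimitedString(uris.toArray(new String[0]));
    }

    /**
     * Registers every configured client, or updates it when it already exists and overriding is
     * enabled for it, then pushes the client's metadata.
     *
     * @throws Exception propagated from the registration or metadata services; also a
     *                   {@link ClassCastException} when a configuration value has the wrong type
     */
    private void addNewClients() throws Exception {
        for (Map.Entry<String, Map<String, Object>> entry : this.clients.entrySet()) {
            String clientId = entry.getKey();
            Map<String, Object> config = entry.getValue();
            BaseClientDetails client = new BaseClientDetails(
                    clientId,
                    (String) config.get("resource-ids"),
                    (String) config.get("scope"),
                    (String) config.get("authorized-grant-types"),
                    (String) config.get("authorities"),
                    getRedirectUris(config));
            client.setClientSecret((String) config.get(ClientDetailsModification.SECRET));

            Integer accessTokenValidity = (Integer) config.get("access-token-validity");
            Boolean configuredOverride = (Boolean) config.get("override");
            boolean override = configuredOverride != null ? configuredOverride.booleanValue() : this.defaultOverride;
            if (accessTokenValidity != null) {
                client.setAccessTokenValiditySeconds(accessTokenValidity);
            }
            Integer refreshTokenValidity = (Integer) config.get("refresh-token-validity");
            if (refreshTokenValidity != null) {
                client.setRefreshTokenValiditySeconds(refreshTokenValidity);
            }

            // The configured resource-ids are always replaced by the single value "none".
            client.setResourceIds(Collections.singleton("none"));
            // A client configured without scope or authorities gets the explicit "none" values.
            if (client.getScope().isEmpty()) {
                client.setScope(Collections.singleton("uaa.none"));
            }
            if (client.getAuthorities().isEmpty()) {
                client.setAuthorities(Collections.singleton(UaaAuthority.UAA_NONE));
            }
            // authorization_code clients are always granted refresh tokens as well.
            if (client.getAuthorizedGrantTypes().contains("authorization_code")) {
                client.getAuthorizedGrantTypes().add(OAuth2AccessToken.REFRESH_TOKEN);
            }

            // Everything that was not consumed above is stored as additional information.
            Map<String, Object> additionalInformation = new HashMap<>(config);
            additionalInformation.keySet().removeAll(NON_ADDITIONAL_INFO_KEYS);
            client.setAdditionalInformation(additionalInformation);

            try {
                this.clientRegistrationService.addClientDetails(client);
            } catch (ClientAlreadyExistsException e) {
                if (override) {
                    logger.debug("Overriding client details for " + clientId);
                    this.clientRegistrationService.updateClientDetails(client);
                    // The secret is rewritten only when one is configured and it differs from
                    // the stored one.
                    if (StringUtils.hasText(client.getClientSecret()) && didPasswordChange(clientId, client.getClientSecret())) {
                        this.clientRegistrationService.updateClientSecret(clientId, client.getClientSecret());
                    }
                } else {
                    logger.debug(e.getMessage());
                }
            }
            this.clientMetadataProvisioning.update(buildClientMetadata(config, clientId));
        }
    }

    /**
     * Builds the UI metadata (icon, launch URL, home-page visibility) for one client.
     *
     * <p>An {@code app-launch-url} that is not a valid URL is logged at info level and left
     * unset; it does not abort provisioning.
     */
    private ClientMetadata buildClientMetadata(Map<String, Object> clientConfig, String clientId) {
        Boolean showOnHomePage = (Boolean) clientConfig.get("show-on-homepage");
        String appLaunchUrl = (String) clientConfig.get("app-launch-url");
        String appIcon = (String) clientConfig.get("app-icon");
        ClientMetadata clientMetadata = new ClientMetadata();
        clientMetadata.setClientId(clientId);
        clientMetadata.setAppIcon(appIcon);
        clientMetadata.setShowOnHomePage(showOnHomePage != null && showOnHomePage.booleanValue());
        if (StringUtils.hasText(appLaunchUrl)) {
            try {
                clientMetadata.setAppLaunchUrl(new URL(appLaunchUrl));
            } catch (MalformedURLException e) {
                logger.info(new ClientMetadataException("Invalid app-launch-url for client " + clientId, e, HttpStatus.INTERNAL_SERVER_ERROR));
            }
        }
        return clientMetadata;
    }

    /**
     * Reports whether the configured secret differs from the stored one.
     *
     * <p>Returns {@code true} without comparing when no encoder is set or when the registration
     * service cannot also load clients; in that case the caller rewrites the secret on every
     * startup.
     *
     * @param clientId  id of the client to look up
     * @param newSecret secret from the configuration, as configured (not encoded)
     * @return {@code true} if the secret should be rewritten
     */
    protected boolean didPasswordChange(String clientId, String newSecret) {
        if (getPasswordEncoder() == null || !(this.clientRegistrationService instanceof ClientDetailsService)) {
            return true;
        }
        ClientDetails stored = ((ClientDetailsService) this.clientRegistrationService).loadClientByClientId(clientId);
        return !getPasswordEncoder().matches(newSecret, stored.getClientSecret());
    }

    public ClientMetadataProvisioning getClientMetadataProvisioning() {
        return this.clientMetadataProvisioning;
    }

    public void setClientMetadataProvisioning(ClientMetadataProvisioning clientMetadataProvisioning) {
        this.clientMetadataProvisioning = clientMetadataProvisioning;
    }
}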
