package org.cloudfoundry.identity.uaa.oauth;

import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.regex.Pattern;
import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2RequestValidator;
import org.springframework.security.oauth2.provider.TokenRequest;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.9.1.jar:org/cloudfoundry/identity/uaa/oauth/UaaOauth2RequestValidator.class */
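/**
 * Validates the scopes requested in OAuth2 authorization and token requests against what the
 * client is allowed to ask for.
 *
 * <p>Two matching modes are used, chosen by grant type:
 * <ul>
 *   <li>{@code client_credentials}: each requested scope must be literally contained in the
 *       client's authorities (no wildcard expansion).</li>
 *   <li>every other grant: each requested scope must match one of the patterns that
 *       {@link UaaStringUtils#constructWildcards} builds from the client's registered scopes.</li>
 * </ul>
 *
 * <p>In both modes an empty or missing allowed set is rejected, so a client with nothing
 * registered can never pass validation.
 */
public class UaaOauth2RequestValidator implements OAuth2RequestValidator {
    // Declared final so the grant-type literal used for the security decision cannot be reassigned.
    private static final String CLIENT_CREDENTIALS = "client_credentials";
    private static final String GRANT_TYPE_PARAMETER = "grant_type";
    private static final String CLIENT_ID_PARAMETER = "client_id";

    // Only dereferenced for the user_token grant; must be injected before such a request arrives.
    private ClientDetailsService clientDetailsService;

    /**
     * Injects the service used to look up the client named in a {@code user_token} request.
     *
     * @param clientDetailsService client lookup service
     */
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * Validates the scopes of an authorization request.
     *
     * @param authorizationRequest request whose scopes and {@code grant_type} parameter are read
     * @param clientDetails the client the request is validated against
     * @throws InvalidScopeException if the allowed set is empty or a requested scope is not allowed
     */
    @Override // org.springframework.security.oauth2.provider.OAuth2RequestValidator
    public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails clientDetails) throws InvalidScopeException {
        String grantType = authorizationRequest.getRequestParameters().get(GRANT_TYPE_PARAMETER);
        if (CLIENT_CREDENTIALS.equalsIgnoreCase(grantType)) {
            // Client acts on its own behalf: compare against its authorities, exact match only.
            validateScope(authorizationRequest.getScope(), getAuthorities(clientDetails.getAuthorities()), false);
        } else {
            validateScope(authorizationRequest.getScope(), clientDetails.getScope(), true);
        }
    }

    /**
     * Validates the scopes of a token request.
     *
     * @param tokenRequest request whose scopes, grant type and (for {@code user_token}) the
     *     {@code client_id} parameter are read
     * @param clientDetails the client the request is validated against, except for the
     *     {@code user_token} grant (see below)
     * @throws InvalidScopeException if the allowed set is empty or a requested scope is not allowed
     */
    @Override // org.springframework.security.oauth2.provider.OAuth2RequestValidator
    public void validateScope(TokenRequest tokenRequest, ClientDetails clientDetails) throws InvalidScopeException {
        String grantType = tokenRequest.getGrantType();
        if (CLIENT_CREDENTIALS.equalsIgnoreCase(grantType)) {
            validateScope(tokenRequest.getScope(), getAuthorities(clientDetails.getAuthorities()), false);
            return;
        }
        if (!TokenConstants.GRANT_TYPE_USER_TOKEN.equalsIgnoreCase(grantType)) {
            validateScope(tokenRequest.getScope(), clientDetails.getScope(), true);
            return;
        }
        // user_token: the allowed scopes come from the client named in the request's client_id
        // parameter, not from the clientDetails argument. The parameter value is request-supplied.
        // NOTE(review): confirm the caller has already decided that the requesting client may
        // obtain a token for that client_id; this method only checks the scope set.
        String targetClientId = tokenRequest.getRequestParameters().get(CLIENT_ID_PARAMETER);
        ClientDetails targetClient = this.clientDetailsService.loadClientByClientId(targetClientId);
        validateScope(tokenRequest.getScope(), targetClient.getScope(), true);
    }

    /**
     * Checks every requested scope against the allowed set.
     *
     * @param requestedScopes scopes asked for by the request; iterated directly, so must not be null
     * @param allowedScopes scopes or authorities the client may request
     * @param wildcardsAllowed {@code true} to treat {@code allowedScopes} as wildcard patterns,
     *     {@code false} to require literal membership
     * @throws InvalidScopeException if {@code allowedScopes} is null or empty, or if any requested
     *     scope is not covered by it
     */
    private void validateScope(Set<String> requestedScopes, Set<String> allowedScopes, boolean wildcardsAllowed) {
        // Fail closed: nothing registered means nothing can be granted.
        if (allowedScopes == null || allowedScopes.isEmpty()) {
            throw new InvalidScopeException("Empty scope (client has no registered scopes)");
        }
        // Patterns are built once, and only when the wildcard mode is actually used.
        Set<Pattern> allowedPatterns = wildcardsAllowed ? UaaStringUtils.constructWildcards(allowedScopes) : null;
        for (String requested : requestedScopes) {
            boolean permitted = wildcardsAllowed
                    ? UaaStringUtils.matches(allowedPatterns, requested)
                    : allowedScopes.contains(requested);
            if (!permitted) {
                // The allowed set is handed to the exception together with the rejected scope.
                // NOTE(review): presumably this ends up in the error response; confirm that
                // disclosing the client's full allowed set to the requester is acceptable.
                throw new InvalidScopeException("Invalid scope: " + requested, allowedScopes);
            }
        }
    }

    /**
     * Collects the authority strings of the given granted authorities.
     *
     * @param authorities the client's granted authorities; may be null
     * @return the authority names; empty when {@code authorities} is null or empty, which makes
     *     the subsequent scope check reject the request instead of failing with a
     *     {@link NullPointerException}
     */
    private Set<String> getAuthorities(Collection<GrantedAuthority> authorities) {
        Set<String> names = new HashSet<>();
        if (authorities == null) {
            return names;
        }
        for (GrantedAuthority authority : authorities) {
            names.add(authority.getAuthority());
        }
        return names;
    }
}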
