package org.cloudfoundry.identity.uaa.user;

import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.12.1.jar:org/cloudfoundry/identity/uaa/user/UaaUserApprovalHandler.class */
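/**
 * Decides whether an OAuth2 authorization request needs an explicit user approval step.
 *
 * <p>Approval can be granted in three ways visible in this class: the client auto-approves
 * the requested scopes, the token services already hold an unexpired access token for the
 * request, or the user submitted the approval parameter with the value {@code true}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #isApproved} and {@link #checkForPreApproval} evaluate auto-approval
 *       differently (scope-set containment versus {@code ClientDetails.isAutoApprove} per
 *       scope); keep the two in mind when changing a client's auto-approve configuration.</li>
 *   <li>Access tokens are never written to the log by this class; only their presence is.</li>
 * </ul>
 */
public class UaaUserApprovalHandler implements UserApprovalHandler {
    private final Log logger = LogFactory.getLog(getClass());
    // NOTE(review): this flag is stored by setUseTokenServices but never read in this class,
    // so the existing-token lookup in checkForPreApproval always runs. Confirm the intent.
    private boolean useTokenServices = true;
    private String approvalParameter = OAuth2Utils.USER_OAUTH_APPROVAL;
    private ClientServicesExtension clientDetailsService;
    private OAuth2RequestFactory requestFactory;
    private AuthorizationServerTokenServices tokenServices;

    /** Sets the token services used to look up an existing access token for a request. */
    public void setTokenServices(AuthorizationServerTokenServices tokenServices) {
        this.tokenServices = tokenServices;
    }

    /** Sets the factory that turns an authorization request into an OAuth2 request. */
    public void setRequestFactory(OAuth2RequestFactory requestFactory) {
        this.requestFactory = requestFactory;
    }

    /** Sets the name of the approval parameter read in {@link #updateAfterApproval}. */
    public void setApprovalParameter(String approvalParameter) {
        this.approvalParameter = approvalParameter;
    }

    /** Sets the zone-aware client lookup; when unset, no auto-approval is ever granted. */
    public void setClientDetailsService(ClientServicesExtension clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /** Stores the flag; see the note on the field, it is not consulted by this class. */
    public void setUseTokenServices(boolean useTokenServices) {
        this.useTokenServices = useTokenServices;
    }

    /**
     * Reports whether the request is approved for an authenticated user.
     *
     * @param authorizationRequest the request being authorized
     * @param authentication the current user authentication
     * @return {@code false} for an unauthenticated user; otherwise {@code true} when the
     *     request is already approved or the client auto-approves the requested scopes
     * @throws ClientRegistrationException propagated unchanged from the client lookup
     */
    @Override
    public boolean isApproved(AuthorizationRequest authorizationRequest, Authentication authentication) {
        if (!authentication.isAuthenticated()) {
            return false;
        }
        if (authorizationRequest.isApproved()) {
            return true;
        }
        if (this.clientDetailsService == null) {
            return false;
        }
        // The lookup is scoped to the current identity zone, so a client id from another
        // zone cannot contribute its auto-approve settings.
        ClientDetails client = this.clientDetailsService.loadClientByClientId(
                authorizationRequest.getClientId(), IdentityZoneHolder.get().getId());
        return isAutoApprove(client, authorizationRequest.getScope());
    }

    /**
     * Checks the client's auto-approve scopes against the requested scopes.
     *
     * @return {@code true} when the auto-approve set contains the literal {@code "true"} or
     *     every requested scope; {@code false} when the client is not a
     *     {@code BaseClientDetails} or has no auto-approve scopes
     */
    private boolean isAutoApprove(ClientDetails clientDetails, Collection<String> requestedScopes) {
        // Fail closed: an unexpected ClientDetails implementation yields "not auto-approved"
        // instead of a ClassCastException in the middle of the authorization flow.
        if (!(clientDetails instanceof BaseClientDetails)) {
            return false;
        }
        Set<String> autoApproveScopes = ((BaseClientDetails) clientDetails).getAutoApproveScopes();
        if (autoApproveScopes == null) {
            return false;
        }
        return autoApproveScopes.contains("true") || autoApproveScopes.containsAll(requestedScopes);
    }

    /**
     * Marks the request approved when no user interaction is needed.
     *
     * <p>The request is approved when the client auto-approves every requested scope, or when
     * the token services return an unexpired access token for this request and
     * authentication. Otherwise it is marked not approved.
     *
     * @param authorizationRequest the request being authorized; its approved flag is updated
     * @param authentication the current user authentication
     * @return the same {@code authorizationRequest} instance
     */
    @Override
    public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizationRequest, Authentication authentication) {
        // NOTE(review): clientId is taken from the request and is concatenated into log
        // messages below; confirm the log layout neutralises CR/LF.
        String clientId = authorizationRequest.getClientId();
        Set<String> scopes = authorizationRequest.getScope();
        if (this.clientDetailsService != null) {
            try {
                ClientDetails client = this.clientDetailsService.loadClientByClientId(
                        clientId, IdentityZoneHolder.get().getId());
                // An empty scope set leaves this true, so such a request is auto-approved.
                boolean allAutoApproved = true;
                for (String scope : scopes) {
                    if (!client.isAutoApprove(scope)) {
                        allAutoApproved = false;
                        break;
                    }
                }
                if (allAutoApproved) {
                    authorizationRequest.setApproved(true);
                    return authorizationRequest;
                }
            } catch (ClientRegistrationException e) {
                // Keep the cause so a failed lookup can be diagnosed; the request then falls
                // through to the existing-token check without any auto-approval.
                this.logger.warn("Client registration problem prevent autoapproval check for client=" + clientId, e);
            }
        }
        OAuth2Authentication oAuth2Authentication = new OAuth2Authentication(
                this.requestFactory.createOAuth2Request(authorizationRequest), authentication);
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Looking up existing token for client_id=" + clientId
                    + ", scope=" + scopes
                    + " and username=" + authentication.getName());
        }
        OAuth2AccessToken accessToken = this.tokenServices.getAccessToken(oAuth2Authentication);
        // Log only whether a token exists: the token's string form can be the bearer value
        // itself (Spring's DefaultOAuth2AccessToken renders it that way), and anyone who can
        // read debug logs could then replay it.
        this.logger.debug("Existing access token found=" + (accessToken != null));
        boolean approved;
        if (accessToken == null || accessToken.isExpired()) {
            this.logger.debug("Checking explicit approval");
            // Auto-approval was not established above (that path returns early), so the
            // request stays unapproved until the user approves it explicitly. This also
            // covers a lookup that failed part-way through the scope check.
            approved = false;
        } else {
            // An unexpired token for this request is treated as prior consent.
            this.logger.debug("User already approved with an existing unexpired token");
            approved = true;
        }
        authorizationRequest.setApproved(approved);
        return authorizationRequest;
    }

    /**
     * Applies the user's decision from the approval parameters to the request.
     *
     * @return the same request, approved only when the configured approval parameter equals
     *     {@code "true"} ignoring case; a missing parameter means not approved
     */
    @Override
    public AuthorizationRequest updateAfterApproval(AuthorizationRequest authorizationRequest, Authentication authentication) {
        String decision = authorizationRequest.getApprovalParameters().get(this.approvalParameter);
        // equalsIgnoreCase is null-safe on the literal and does not depend on the default locale.
        authorizationRequest.setApproved("true".equalsIgnoreCase(decision));
        return authorizationRequest;
    }

    /**
     * Builds the model for the approval page.
     *
     * @return a new mutable map holding a copy of the request parameters
     */
    @Override
    public Map<String, Object> getUserApprovalRequest(AuthorizationRequest authorizationRequest, Authentication authentication) {
        // NOTE(review): these values come straight from the request; the view that renders
        // them is responsible for output encoding.
        return new HashMap<String, Object>(authorizationRequest.getRequestParameters());
    }
}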
