package org.cloudfoundry.identity.uaa.client;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.account.EmailAccountCreationService;
import org.cloudfoundry.identity.uaa.audit.event.EntityDeletedEvent;
import org.cloudfoundry.identity.uaa.authentication.SystemAuthentication;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.client.ClientDetailsModification;
import org.cloudfoundry.identity.uaa.user.UaaAuthority;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.context.ApplicationListener;
import org.springframework.context.event.ContextRefreshedEvent;
import org.springframework.http.HttpStatus;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.provider.ClientAlreadyExistsException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.12.4.jar:org/cloudfoundry/identity/uaa/client/ClientAdminBootstrap.class */
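/**
 * Provisions OAuth2 clients from configuration when the application starts.
 *
 * <p>{@link #afterPropertiesSet()} registers (or overrides) every configured client and then
 * sets the autoapprove flag on the configured client ids. {@link #onApplicationEvent} publishes
 * an {@link EntityDeletedEvent} for every client listed for deletion.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The configuration map carries client secrets in clear text; nothing in this class logs
 *       them, and new log statements must keep it that way.</li>
 *   <li>A client declared without a secret is registered with an empty secret.</li>
 *   <li>Autoapprove is set as additional information on the client; presumably this skips the
 *       user consent step, so the list should stay limited to trusted clients (verify against
 *       the approval handling, which is not visible in this class).</li>
 * </ul>
 */
public class ClientAdminBootstrap implements InitializingBean, ApplicationListener<ContextRefreshedEvent>, ApplicationEventPublisherAware {
    private static final Log logger = LogFactory.getLog(ClientAdminBootstrap.class);

    /** Configuration keys that map onto first-class client fields and must not be copied into additional information. */
    private static final List<String> RESERVED_CONFIG_KEYS = Arrays.asList("resource-ids", "scope", "authorized-grant-types", "authorities", "redirect-uri", ClientDetailsModification.SECRET, "id", "override", "access-token-validity", "refresh-token-validity", "show-on-homepage", "app-launch-url", "app-icon");

    /** Grant types that send the user agent back to the client and therefore need a registered redirect URI. */
    private static final List<String> REDIRECT_GRANT_TYPES = Arrays.asList("authorization_code", "implicit");

    private ClientServicesExtension clientRegistrationService;
    private ClientMetadataProvisioning clientMetadataProvisioning;
    private final PasswordEncoder passwordEncoder;
    private ApplicationEventPublisher publisher;
    private Map<String, Map<String, Object>> clients = new HashMap<>();
    private List<String> clientsToDelete = null;
    private Collection<String> autoApproveClients = Collections.emptySet();
    private boolean defaultOverride = true;

    /**
     * @param passwordEncoder encoder used to compare a configured secret with the stored one;
     *                        may be {@code null}, in which case every secret is treated as changed
     */
    public ClientAdminBootstrap(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    /**
     * Sets whether an existing client is overwritten when its configuration has no explicit
     * {@code override} entry.
     */
    public void setDefaultOverride(boolean z) {
        this.defaultOverride = z;
    }

    public PasswordEncoder getPasswordEncoder() {
        return this.passwordEncoder;
    }

    /**
     * Sets the client definitions, keyed by client id. The map is copied; {@code null} is treated
     * as "no clients".
     */
    public void setClients(Map<String, Map<String, Object>> map) {
        if (map == null) {
            this.clients = Collections.emptyMap();
        } else {
            this.clients = new HashMap<>(map);
        }
    }

    /** Sets the ids of clients that must be removed; these ids are also skipped during provisioning. */
    public void setClientsToDelete(List<String> list) {
        this.clientsToDelete = list;
    }

    /** Sets the ids of clients that receive the autoapprove flag. */
    public void setAutoApproveClients(Collection<String> collection) {
        this.autoApproveClients = collection;
    }

    public void setClientRegistrationService(ClientServicesExtension clientServicesExtension) {
        this.clientRegistrationService = clientServicesExtension;
    }

    /**
     * Registers the configured clients, then applies the autoapprove flag.
     *
     * @throws Exception if a client definition is invalid
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        addNewClients();
        updateAutoApproveClients();
    }

    /** Returns the configured deletion list, or an empty list when none was set. */
    private List<String> clientsMarkedForDeletion() {
        return Optional.ofNullable(this.clientsToDelete).orElse(Collections.emptyList());
    }

    /**
     * Sets the autoapprove flag on every configured client id that is not also marked for
     * deletion. Unknown client ids are logged and skipped.
     */
    private void updateAutoApproveClients() {
        List<String> deleted = clientsMarkedForDeletion();
        Collection<String> configured = Optional.ofNullable(this.autoApproveClients).orElse(Collections.emptyList());
        // Work on a copy: the caller's collection may be immutable.
        List<String> autoApproveIds = new LinkedList<>(configured);
        autoApproveIds.removeIf(deleted::contains);
        for (String clientId : autoApproveIds) {
            try {
                BaseClientDetails existing = (BaseClientDetails) this.clientRegistrationService.loadClientByClientId(clientId, IdentityZone.getUaa().getId());
                existing.addAdditionalInformation(ClientConstants.AUTO_APPROVE, true);
                logger.debug("Adding autoapprove flag to client: " + clientId);
                this.clientRegistrationService.updateClientDetails(existing, IdentityZone.getUaa().getId());
            } catch (NoSuchClientException e) {
                logger.debug("Client not found, unable to set autoapprove: " + clientId);
            }
        }
    }

    /**
     * Collects the redirect-related entries of a client definition into one comma-delimited
     * string, as expected by the {@link BaseClientDetails} constructor.
     */
    private String getRedirectUris(Map<String, Object> map) {
        Set<String> uris = new HashSet<>();
        for (String configKey : Arrays.asList("redirect-uri", EmailAccountCreationService.SIGNUP_REDIRECT_URL, "change_email_redirect_url")) {
            Object configured = map.get(configKey);
            if (configured != null) {
                uris.add((String) configured);
            }
        }
        return StringUtils.arrayToCommaDelimitedString(uris.toArray(new String[0]));
    }

    /**
     * Registers every configured client that is not marked for deletion. An existing client is
     * overwritten when its {@code override} entry (or the default) is true; otherwise it is left
     * untouched.
     *
     * @throws InvalidClientDetailsException if a client has no grant type, or uses the
     *         authorization_code or implicit grant without a redirect URI
     */
    private void addNewClients() throws Exception {
        List<String> deleted = clientsMarkedForDeletion();
        Set<Map.Entry<String, Map<String, Object>>> entries = this.clients.entrySet();
        // Removal goes through the entry-set view, so the ids also disappear from this.clients.
        entries.removeIf(entry -> deleted.contains(entry.getKey()));
        for (Map.Entry<String, Map<String, Object>> entry : entries) {
            String clientId = entry.getKey();
            Map<String, Object> config = entry.getValue();
            if (config.get("authorized-grant-types") == null) {
                throw new InvalidClientDetailsException("Client must have at least one authorized-grant-type. client ID: " + clientId);
            }
            BaseClientDetails client = buildClientDetails(clientId, config);

            // Validate before anything is persisted, so that a redirect-based client without a
            // registered redirect URI is rejected instead of being stored and then reported.
            for (String grantType : REDIRECT_GRANT_TYPES) {
                if (client.getAuthorizedGrantTypes().contains(grantType) && isMissingRedirectUris(client)) {
                    throw new InvalidClientDetailsException(grantType + " grant type requires at least one redirect URL. ClientID: " + client.getClientId());
                }
            }

            Boolean configuredOverride = (Boolean) config.get("override");
            boolean override = configuredOverride == null ? this.defaultOverride : configuredOverride.booleanValue();
            try {
                this.clientRegistrationService.addClientDetails(client, IdentityZone.getUaa().getId());
            } catch (ClientAlreadyExistsException e) {
                if (override) {
                    logger.debug("Overriding client details for " + clientId);
                    this.clientRegistrationService.updateClientDetails(client, IdentityZone.getUaa().getId());
                    if (didPasswordChange(clientId, client.getClientSecret())) {
                        this.clientRegistrationService.updateClientSecret(clientId, client.getClientSecret(), IdentityZone.getUaa().getId());
                    }
                } else {
                    logger.debug(e.getMessage());
                }
            }
            // NOTE(review): registration above targets IdentityZone.getUaa(), while metadata and
            // didPasswordChange use IdentityZoneHolder.get(); confirm both resolve to the same zone
            // while this bean initialises.
            this.clientMetadataProvisioning.update(buildClientMetadata(config, clientId), IdentityZoneHolder.get().getId());
        }
    }

    /** Builds the client details object for one configuration entry, applying the defaults. */
    private BaseClientDetails buildClientDetails(String clientId, Map<String, Object> config) {
        BaseClientDetails client = new BaseClientDetails(clientId, (String) config.get("resource-ids"), (String) config.get("scope"), (String) config.get("authorized-grant-types"), (String) config.get("authorities"), getRedirectUris(config));
        // A client configured without a secret is registered with an empty one. The secret must
        // never be written to the log.
        Object secret = config.get(ClientDetailsModification.SECRET);
        client.setClientSecret(secret == null ? "" : (String) secret);
        Integer accessTokenValidity = (Integer) config.get("access-token-validity");
        if (accessTokenValidity != null) {
            client.setAccessTokenValiditySeconds(accessTokenValidity);
        }
        Integer refreshTokenValidity = (Integer) config.get("refresh-token-validity");
        if (refreshTokenValidity != null) {
            client.setRefreshTokenValiditySeconds(refreshTokenValidity);
        }
        // Configured resource ids are always replaced by the single value "none".
        client.setResourceIds(Collections.singleton("none"));
        if (client.getScope().isEmpty()) {
            client.setScope(Collections.singleton("uaa.none"));
        }
        if (client.getAuthorities().isEmpty()) {
            client.setAuthorities(Collections.singleton(UaaAuthority.UAA_NONE));
        }
        if (client.getAuthorizedGrantTypes().contains("authorization_code")) {
            client.getAuthorizedGrantTypes().add("refresh_token");
        }
        // Everything that is not a reserved key is kept as additional information.
        Map<String, Object> additionalInformation = new HashMap<>(config);
        for (String reservedKey : RESERVED_CONFIG_KEYS) {
            additionalInformation.remove(reservedKey);
        }
        client.setAdditionalInformation(additionalInformation);
        return client;
    }

    private boolean isMissingRedirectUris(BaseClientDetails baseClientDetails) {
        return baseClientDetails.getRegisteredRedirectUri() == null || baseClientDetails.getRegisteredRedirectUri().isEmpty();
    }

    /**
     * Builds the client metadata (home page flag, launch URL, icon) from a client definition.
     * An unparsable {@code app-launch-url} is logged and left unset rather than failing start-up.
     */
    private ClientMetadata buildClientMetadata(Map<String, Object> map, String str) {
        Boolean showOnHomePage = (Boolean) map.get("show-on-homepage");
        String appLaunchUrl = (String) map.get("app-launch-url");
        String appIcon = (String) map.get("app-icon");
        ClientMetadata clientMetadata = new ClientMetadata();
        clientMetadata.setClientId(str);
        clientMetadata.setAppIcon(appIcon);
        clientMetadata.setShowOnHomePage(showOnHomePage != null && showOnHomePage.booleanValue());
        if (StringUtils.hasText(appLaunchUrl)) {
            try {
                clientMetadata.setAppLaunchUrl(new URL(appLaunchUrl));
            } catch (MalformedURLException e) {
                logger.info(new ClientMetadataException("Invalid app-launch-url for client " + str, e, HttpStatus.INTERNAL_SERVER_ERROR));
            }
        }
        return clientMetadata;
    }

    /**
     * Tells whether the configured secret differs from the stored one.
     *
     * @param str  client id
     * @param str2 configured (raw) secret
     * @return {@code true} when the encoder reports no match, or when no encoder is set
     */
    protected boolean didPasswordChange(String str, String str2) {
        if (getPasswordEncoder() != null) {
            // Compare through the encoder; the stored value is whatever the registration service returns.
            return !getPasswordEncoder().matches(str2, this.clientRegistrationService.loadClientByClientId(str, IdentityZoneHolder.get().getId()).getClientSecret());
        }
        return true;
    }

    public ClientMetadataProvisioning getClientMetadataProvisioning() {
        return this.clientMetadataProvisioning;
    }

    public void setClientMetadataProvisioning(ClientMetadataProvisioning clientMetadataProvisioning) {
        this.clientMetadataProvisioning = clientMetadataProvisioning;
    }

    /**
     * Publishes an {@link EntityDeletedEvent} for every existing client listed for deletion.
     * The removal itself is presumably done by a listener of that event (not visible here).
     */
    @Override // org.springframework.context.ApplicationListener
    public void onApplicationEvent(ContextRefreshedEvent contextRefreshedEvent) {
        SystemAuthentication systemAuthentication = SystemAuthentication.SYSTEM_AUTHENTICATION;
        for (String clientId : clientsMarkedForDeletion()) {
            try {
                ClientDetails existing = this.clientRegistrationService.loadClientByClientId(clientId, IdentityZoneHolder.get().getId());
                logger.debug("Deleting client from manifest:" + clientId);
                publish(new EntityDeletedEvent(existing, systemAuthentication));
            } catch (NoSuchClientException e) {
                logger.debug("Ignoring delete for non existent client:" + clientId);
            }
        }
    }

    @Override // org.springframework.context.ApplicationEventPublisherAware
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        this.publisher = applicationEventPublisher;
    }

    /** Publishes the event if a publisher has been injected; otherwise does nothing. */
    public void publish(ApplicationEvent applicationEvent) {
        if (this.publisher != null) {
            this.publisher.publishEvent(applicationEvent);
        }
    }
}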
