package org.cloudfoundry.identity.uaa.zone;

import java.util.Collections;
import org.apache.commons.lang.StringUtils;
import org.cloudfoundry.identity.uaa.client.ClientAdminEndpointsValidator;
import org.cloudfoundry.identity.uaa.client.ClientDetailsValidator;
import org.cloudfoundry.identity.uaa.client.InvalidClientDetailsException;
import org.cloudfoundry.identity.uaa.constants.OriginKeys;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.25.0.jar:org/cloudfoundry/identity/uaa/zone/ZoneEndpointsClientDetailsValidator.class */
/**
 * Validates client registrations that are created or deleted through the zone endpoints.
 *
 * <p>On CREATE the client is accepted only when it asks for exactly the {@code openid} scope,
 * exactly the {@code uaa.resource} authority and exactly the internal {@code uaa} identity
 * provider. The returned copy has its resource ids set to {@code "none"} and is stamped with
 * the scope this validator was configured with. On DELETE only a client carrying that same
 * stamp is accepted. MODIFY is rejected outright.
 */
public class ZoneEndpointsClientDetailsValidator implements ClientDetailsValidator {
    /** Scope recorded on created clients and required on clients that are deleted. */
    private final String requiredScope;

    // NOTE(review): assigned only through setClientSecretValidator; the constructor leaves it
    // null, and validate() dereferences it without a null check when a secret is required.
    private ClientSecretValidator clientSecretValidator;

    /**
     * @param str the scope written under {@code ClientConstants.CREATED_WITH} on creation and
     *            compared against that entry on deletion
     */
    public ZoneEndpointsClientDetailsValidator(String str) {
        this.requiredScope = str;
    }

    /**
     * Checks a client registration for the given mode.
     *
     * @param clientDetails the client being created or deleted
     * @param mode CREATE or DELETE; MODIFY and any other value (including {@code null}) are refused
     * @return for CREATE, a new {@link BaseClientDetails} copy with enforced resource ids and
     *         creation stamp; for DELETE, {@code clientDetails} itself
     * @throws InvalidClientDetailsException if the client breaks one of the creation rules, or
     *         on DELETE was not stamped with this validator's scope
     * @throws IllegalStateException if {@code mode} is MODIFY or is not one of the known modes
     */
    @Override
    public ClientDetails validate(ClientDetails clientDetails, ClientDetailsValidator.Mode mode) throws InvalidClientDetailsException {
        if (mode == ClientDetailsValidator.Mode.MODIFY) {
            throw new IllegalStateException("This validator cannot be used for modification requests");
        }
        if (mode == ClientDetailsValidator.Mode.DELETE) {
            return validateForDelete(clientDetails);
        }
        if (mode != ClientDetailsValidator.Mode.CREATE) {
            throw new IllegalStateException("This validator must be called with a mode");
        }
        return validateForCreate(clientDetails);
    }

    /** Accepts a deletion only for a client whose creation stamp equals the configured scope. */
    private ClientDetails validateForDelete(ClientDetails clientDetails) throws InvalidClientDetailsException {
        Object createdWith = clientDetails.getAdditionalInformation().get(ClientConstants.CREATED_WITH);
        if (!this.requiredScope.equals(createdWith)) {
            throw new InvalidClientDetailsException("client must have been createdwith scope " + this.requiredScope);
        }
        return clientDetails;
    }

    /** Applies the creation rules and returns the sanitized copy that should be stored. */
    private ClientDetails validateForCreate(ClientDetails clientDetails) throws InvalidClientDetailsException {
        // Exact-match comparisons: extra scopes or authorities are rejected, not ignored.
        boolean scopeIsOpenIdOnly = Collections.singleton("openid").equals(clientDetails.getScope());
        if (!scopeIsOpenIdOnly) {
            throw new InvalidClientDetailsException("only openid scope is allowed");
        }
        boolean authorityIsResourceOnly = Collections.singleton("uaa.resource")
                .equals(AuthorityUtils.authorityListToSet(clientDetails.getAuthorities()));
        if (!authorityIsResourceOnly) {
            throw new InvalidClientDetailsException("only uaa.resource authority is allowed");
        }
        if (StringUtils.isBlank(clientDetails.getClientId())) {
            throw new InvalidClientDetailsException("client_id cannot be blank");
        }

        ClientAdminEndpointsValidator.checkRequestedGrantTypes(clientDetails.getAuthorizedGrantTypes());
        if (requiresClientSecret(clientDetails)) {
            if (StringUtils.isBlank(clientDetails.getClientSecret())) {
                throw new InvalidClientDetailsException("client_secret cannot be blank");
            }
            this.clientSecretValidator.validate(clientDetails.getClientSecret());
        }

        Object allowedProviders = clientDetails.getAdditionalInformation().get(ClientConstants.ALLOWED_PROVIDERS);
        if (!Collections.singletonList(OriginKeys.UAA).equals(allowedProviders)) {
            throw new InvalidClientDetailsException("only the internal IdP ('uaa') is allowed");
        }

        BaseClientDetails sanitized = new BaseClientDetails(clientDetails);
        sanitized.setAdditionalInformation(clientDetails.getAdditionalInformation());
        sanitized.setResourceIds(Collections.singleton("none"));
        // Written after the request's additional information is copied, so the stamp that the
        // DELETE check relies on always comes from this validator's configured scope.
        sanitized.addAdditionalInformation(ClientConstants.CREATED_WITH, this.requiredScope);
        return sanitized;
    }

    /**
     * Reports whether the client requests any grant type for which a secret is mandatory.
     * Grant types that are not listed here do not trigger the secret requirement.
     */
    private static boolean requiresClientSecret(ClientDetails clientDetails) {
        String[] secretGrantTypes = {
            TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS,
            TokenConstants.GRANT_TYPE_AUTHORIZATION_CODE,
            TokenConstants.GRANT_TYPE_USER_TOKEN,
            "refresh_token",
            TokenConstants.GRANT_TYPE_SAML2_BEARER,
            TokenConstants.GRANT_TYPE_JWT_BEARER,
            "password"
        };
        for (String grantType : secretGrantTypes) {
            if (clientDetails.getAuthorizedGrantTypes().contains(grantType)) {
                return true;
            }
        }
        return false;
    }

    /** @return the validator applied to client secrets, or {@code null} if none has been set */
    @Override
    public ClientSecretValidator getClientSecretValidator() {
        return this.clientSecretValidator;
    }

    /** @param clientSecretValidator the validator to apply to client secrets on creation */
    public void setClientSecretValidator(ClientSecretValidator clientSecretValidator) {
        this.clientSecretValidator = clientSecretValidator;
    }
}
