package pl.edu.icm.unity.oauth.as;

import com.nimbusds.oauth2.sdk.Scope;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.attribute.AttributeExt;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.AttributesManagement;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.oauth.as.OAuthSystemAttributesProvider;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/OAuthRequestValidator.class */
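/**
 * Validates an OAuth client's request against the authorization server configuration
 * ({@link OAuthASProperties}) and the client's system attributes (see
 * {@link OAuthSystemAttributesProvider}): membership in the clients group, the grant
 * flows the client may use, and the scopes it may request.
 * <p>
 * Attributes are read through the {@code "insecure"}-qualified {@link AttributesManagement}
 * (see {@link #getAttributesNoAuthZ}). NOTE(review): that presumably bypasses the engine's
 * authorization checks, so callers are expected to have authenticated the client before
 * invoking this class — confirm against the engine API before reusing it elsewhere.
 * <p>
 * Engine failures are logged here together with their cause and reported to the caller as a
 * generic {@link OAuthValidationException} that carries no internal details.
 */
public class OAuthRequestValidator {
    private static final Logger log = Log.getLogger("unity.server.oauth", OAuthRequestValidator.class);
    protected OAuthASProperties oauthConfig;
    protected EntityManagement identitiesMan;
    protected AttributesManagement attributesMan;
    protected OAuthScopesService scopeService;

    /**
     * Spring-managed factory that binds the engine services once, so a validator can be
     * created per endpoint configuration.
     */
    @Component
    /* loaded from: input_file:pl/edu/icm/unity/oauth/as/OAuthRequestValidator$OAuthRequestValidatorFactory.class */
    public static class OAuthRequestValidatorFactory {
        private final EntityManagement identitiesMan;
        private final AttributesManagement attributesMan;
        private final OAuthScopesService scopeService;

        /**
         * @param entityManagement used to resolve a client's group memberships
         * @param attributesManagement the {@code "insecure"}-qualified attributes manager
         * @param oAuthScopesService provides the scopes active on the endpoint
         */
        @Autowired
        public OAuthRequestValidatorFactory(EntityManagement entityManagement, @Qualifier("insecure") AttributesManagement attributesManagement, OAuthScopesService oAuthScopesService) {
            this.identitiesMan = entityManagement;
            this.attributesMan = attributesManagement;
            this.scopeService = oAuthScopesService;
        }

        /**
         * Creates a validator for the given endpoint configuration.
         *
         * @param oAuthASProperties configuration of the authorization server endpoint
         * @return a new validator sharing this factory's engine services
         */
        public OAuthRequestValidator getOAuthRequestValidator(OAuthASProperties oAuthASProperties) {
            return new OAuthRequestValidator(oAuthASProperties, this.identitiesMan, this.attributesMan, this.scopeService);
        }
    }

    /**
     * @param oAuthASProperties configuration of the authorization server endpoint
     * @param entityManagement used to resolve a client's group memberships
     * @param attributesManagement attributes manager used for client attribute lookups
     * @param oAuthScopesService provides the scopes active on the endpoint
     */
    public OAuthRequestValidator(OAuthASProperties oAuthASProperties, EntityManagement entityManagement, AttributesManagement attributesManagement, OAuthScopesService oAuthScopesService) {
        this.oauthConfig = oAuthASProperties;
        this.identitiesMan = entityManagement;
        this.attributesMan = attributesManagement;
        this.scopeService = oAuthScopesService;
    }

    /**
     * Ensures the entity is a member of the configured OAuth clients group
     * ({@link OAuthASProperties#CLIENTS_GROUP}).
     *
     * @param entityParam the client entity
     * @param str client identifier, used only in the rejection message
     * @throws OAuthValidationException if the entity is not in the clients group, or if its
     *         groups could not be retrieved (the engine error is logged here; the caller only
     *         gets a generic message)
     */
    public void validateGroupMembership(EntityParam entityParam, String str) throws OAuthValidationException {
        try {
            String clientsGroup = this.oauthConfig.getValue(OAuthASProperties.CLIENTS_GROUP);
            if (!this.identitiesMan.getGroups(entityParam).containsKey(clientsGroup)) {
                throw new OAuthValidationException("The '" + str + "' is not authorized as OAuth client (not in the clients group)");
            }
        } catch (EngineException e) {
            log.error("Problem retrieving groups of the OAuth client", e);
            throw new OAuthValidationException("Internal error, can not retrieve OAuth client's data");
        }
    }

    /**
     * Fetches all effective attributes of the client in the clients group, keyed by
     * attribute name, without performing authorization of the caller.
     * <p>
     * If the engine returns several attributes with the same name, the last one in its
     * iteration order wins.
     *
     * @param entityParam the client entity
     * @return attribute name to attribute; never {@code null}
     * @throws OAuthValidationException if the attributes could not be retrieved (the engine
     *         error is logged here; the caller only gets a generic message)
     */
    public Map<String, AttributeExt> getAttributesNoAuthZ(EntityParam entityParam) throws OAuthValidationException {
        try {
            Collection<AttributeExt> allAttributes = this.attributesMan.getAllAttributes(entityParam, true, this.oauthConfig.getValue(OAuthASProperties.CLIENTS_GROUP), (String) null, false);
            Map<String, AttributeExt> byName = new HashMap<>();
            for (AttributeExt attribute : allAttributes) {
                byName.put(attribute.getName(), attribute);
            }
            return byName;
        } catch (EngineException e) {
            log.error("Problem retrieving attributes of the OAuth client", e);
            throw new OAuthValidationException("Internal error, can not retrieve OAuth client's data");
        }
    }

    /**
     * Resolves the grant flows the client may use from its
     * {@link OAuthSystemAttributesProvider#ALLOWED_FLOWS} attribute.
     * <p>
     * A client without that attribute is limited to the authorization code flow. An
     * unrecognised flow name in the attribute propagates as an
     * {@link IllegalArgumentException} from {@code Enum.valueOf} rather than being skipped,
     * so a misconfigured client fails closed.
     *
     * @param map the client's attributes keyed by name, as returned by
     *        {@link #getAttributesNoAuthZ}
     * @return the allowed flows; never empty unless the attribute itself has no values
     */
    public Set<OAuthSystemAttributesProvider.GrantFlow> getAllowedFlows(Map<String, AttributeExt> map) {
        Set<OAuthSystemAttributesProvider.GrantFlow> flows = new HashSet<>();
        AttributeExt allowedFlows = map.get(OAuthSystemAttributesProvider.ALLOWED_FLOWS);
        if (allowedFlows == null) {
            // Default when the client has no explicit flow configuration.
            flows.add(OAuthSystemAttributesProvider.GrantFlow.authorizationCode);
            return flows;
        }
        for (Object value : allowedFlows.getValues()) {
            flows.add(OAuthSystemAttributesProvider.GrantFlow.valueOf(value.toString()));
        }
        return flows;
    }

    /**
     * Resolves the scopes the client is restricted to from its
     * {@link OAuthSystemAttributesProvider#ALLOWED_SCOPES} attribute.
     *
     * @param map the client's attributes keyed by name
     * @return the allowed scope names as an immutable set, or empty if the client has no
     *         restriction (in which case every scope is allowed)
     */
    public Optional<Set<String>> getAllowedScopes(Map<String, AttributeExt> map) {
        AttributeExt allowedScopes = map.get(OAuthSystemAttributesProvider.ALLOWED_SCOPES);
        if (allowedScopes == null) {
            return Optional.empty();
        }
        return Optional.of(Set.copyOf(allowedScopes.getValues()));
    }

    /**
     * Narrows the requested scopes to those that are both active on this endpoint and
     * allowed for the client.
     * <p>
     * Scopes failing either check are dropped and logged at INFO level, not rejected; the
     * returned list is therefore the authoritative set of scopes to act on, and callers must
     * not fall back to the raw request. The result preserves the order of the endpoint's
     * active scopes, not the request order.
     *
     * @param map the client's attributes keyed by name
     * @param scope the scopes requested by the client; must not be {@code null}
     * @return the active scopes that were requested and are allowed for the client
     */
    public List<OAuthScope> getValidRequestedScopes(Map<String, AttributeExt> map, Scope scope) {
        List<OAuthScope> activeScopes = this.scopeService.getActiveScopes(this.oauthConfig);
        Optional<Set<String>> allowedScopes = getAllowedScopes(map);
        // Requested scope values as plain strings, computed once for the checks below.
        Set<String> requested = scope.stream().map(Scope.Value::getValue).collect(Collectors.toSet());

        // No ALLOWED_SCOPES attribute means no per-client restriction, hence an empty set.
        Set<String> notAllowedForClient = allowedScopes
                .map(allowed -> requested.stream().filter(name -> !allowed.contains(name)).collect(Collectors.toSet()))
                .orElse(Set.of());
        if (!notAllowedForClient.isEmpty()) {
            // Parameterized log4j message: the previous "%" placeholder silently dropped the
            // scope names, leaving no record of which scopes an over-requesting client asked for.
            log.info("Requested scopes not allowed for the client and ignored: {}", String.join(",", notAllowedForClient));
        }

        Set<String> notActive = requested.stream()
                .filter(name -> activeScopes.stream().noneMatch(active -> name.equals(active.name)))
                .collect(Collectors.toSet());
        if (!notActive.isEmpty()) {
            log.info("Requested scopes not available on the endpoint and ignored: {}", String.join(",", notActive));
        }

        return activeScopes.stream()
                .filter(active -> requested.contains(active.name) && !notAllowedForClient.contains(active.name))
                .collect(Collectors.toList());
    }
}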
