package org.cloudfoundry.identity.uaa.client;

import org.cloudfoundry.identity.uaa.client.ClientDetailsValidator;
import org.cloudfoundry.identity.uaa.zone.ClientSecretValidator;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.ClientDetails;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.30.0.jar:org/cloudfoundry/identity/uaa/client/RestrictUaaScopesClientValidator.class */
/**
 * Client-registration validator that refuses client definitions requesting
 * any scope or authority the injected {@link UaaScopes} classifies as a UAA scope.
 *
 * <p>Security notes for callers wiring this validator:
 * <ul>
 *   <li>The check runs only for {@code Mode.CREATE} and {@code Mode.MODIFY};
 *       every other mode (including {@code null}) returns the client unchanged.</li>
 *   <li>Both the client's scopes and its granted authorities are checked, so a
 *       restricted value cannot be registered through either list.</li>
 *   <li>What counts as restricted is decided entirely by
 *       {@code UaaScopes.isUaaScope}. NOTE(review): its matching rules (exact
 *       match vs. wildcard/pattern) are not visible in this file; confirm them
 *       before relying on this class as the only barrier.</li>
 *   <li>{@link #getClientSecretValidator()} returns {@code null}: this validator
 *       applies no client-secret policy of its own.</li>
 * </ul>
 */
public class RestrictUaaScopesClientValidator implements ClientDetailsValidator {
    /** Source of truth for which scope/authority names are restricted. */
    private final UaaScopes uaaScopes;

    /**
     * @param uaaScopes classifier consulted for every scope and authority;
     *                  stored as-is (no null check is performed here)
     */
    public RestrictUaaScopesClientValidator(UaaScopes uaaScopes) {
        this.uaaScopes = uaaScopes;
    }

    /** @return the classifier supplied at construction time */
    public UaaScopes getUaaScopes() {
        return uaaScopes;
    }

    /**
     * @return always {@code null}; callers must null-check before use, and
     *         secret-strength rules have to be enforced by another validator
     */
    @Override
    public ClientSecretValidator getClientSecretValidator() {
        return null;
    }

    /**
     * Rejects the client if it asks for a restricted scope or authority.
     *
     * <p>Scopes are examined first, then authorities; the first restricted
     * entry found aborts validation. The same {@code clientDetails} instance
     * is returned when nothing is rejected.
     *
     * @param clientDetails client definition under review; assumes
     *                      {@code getScope()} and {@code getAuthorities()} are
     *                      non-null (TODO confirm for the implementation in use)
     * @param mode          operation being performed on the client
     * @return {@code clientDetails}, unmodified
     * @throws InvalidClientDetailsException if a restricted scope or authority
     *         is present during create or modify
     */
    @Override
    public ClientDetails validate(ClientDetails clientDetails, ClientDetailsValidator.Mode mode) throws InvalidClientDetailsException {
        boolean createsOrModifies = ClientDetailsValidator.Mode.CREATE.equals(mode)
                || ClientDetailsValidator.Mode.MODIFY.equals(mode);
        if (!createsOrModifies) {
            // Other modes are deliberately not screened by this validator.
            return clientDetails;
        }
        rejectRestrictedScopes(clientDetails);
        rejectRestrictedAuthorities(clientDetails);
        return clientDetails;
    }

    /** Throws on the first requested scope that is classified as a UAA scope. */
    private void rejectRestrictedScopes(ClientDetails clientDetails) throws InvalidClientDetailsException {
        for (String requestedScope : clientDetails.getScope()) {
            if (uaaScopes.isUaaScope(requestedScope)) {
                // The message carries the request-supplied value verbatim;
                // whatever renders it should treat it as untrusted text.
                throw new InvalidClientDetailsException(requestedScope + " is a restricted scope.");
            }
        }
    }

    /** Throws on the first granted authority that is classified as a UAA scope. */
    private void rejectRestrictedAuthorities(ClientDetails clientDetails) throws InvalidClientDetailsException {
        for (GrantedAuthority requestedAuthority : clientDetails.getAuthorities()) {
            if (uaaScopes.isUaaScope(requestedAuthority)) {
                throw new InvalidClientDetailsException(requestedAuthority.getAuthority() + " is a restricted authority.");
            }
        }
    }
}
