package org.cloudfoundry.identity.uaa.oauth;

import java.net.URI;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.commons.lang.ArrayUtils;
import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;
import org.springframework.util.AntPathMatcher;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.30.0.jar:org/cloudfoundry/identity/uaa/oauth/AntPathRedirectResolver.class */
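/**
 * Redirect resolver that lets a registered client redirect URI contain Ant-style wildcards
 * ({@code *}) in addition to the matching done by {@link DefaultRedirectResolver}.
 *
 * <p>Redirect URI matching is what keeps authorization codes and tokens from being delivered to
 * an attacker-chosen location, so every path here fails closed: a requested URI that cannot be
 * parsed, has no host, or does not line up with the registered host labels is rejected.
 */
public class AntPathRedirectResolver extends DefaultRedirectResolver {
    private static final Logger logger = LoggerFactory.getLogger(AntPathRedirectResolver.class);

    /**
     * A single registered redirect URI, split into its components so the host part can be compared
     * label by label before the whole string is handed to the Ant matcher.
     */
    private static class ClientRedirectUriPattern {
        // Generic URI-splitting expression (the one given in RFC 3986, Appendix B). Every group is
        // optional, so a match only means "could be split", not "is a well-formed URL".
        private static final Pattern URI_EXTRACTOR = Pattern.compile("^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\\?([^#]*))?(#(.*))?");
        private static final int URI_EXTRACTOR_AUTHORITY_GROUP = 4;
        private final Matcher redirectMatcher;
        private final boolean isValidRedirect;
        private final AntPathMatcher matcher;
        private final String redirectUri;

        /**
         * @param redirectUri the redirect URI (possibly containing wildcards) registered for the client
         * @throws IllegalArgumentException if {@code redirectUri} is {@code null}
         */
        ClientRedirectUriPattern(String redirectUri) {
            if (redirectUri == null) {
                throw new IllegalArgumentException("Client Redirect URI was null");
            }
            this.redirectUri = redirectUri;
            this.matcher = new AntPathMatcher();
            this.redirectMatcher = URI_EXTRACTOR.matcher(redirectUri);
            // matches() must run before any group() call in getHost().
            this.isValidRedirect = this.redirectMatcher.matches();
        }

        /**
         * Compares the host of the requested redirect with the host of the registered pattern,
         * label by label, starting from the right-most label (the TLD).
         *
         * <p>Comparison stops at the first registered label that contains a wildcard; labels to
         * the left of it are left to {@link #match(URI)}. Consequently a registration whose
         * right-most label is itself a wildcard (for example a bare {@code *} host) compares no
         * labels at all and this method returns {@code true} for any host with enough labels.
         * Such registrations should be rejected when the client is registered.
         *
         * @param requestedRedirect the redirect URI supplied on the authorization request
         * @return {@code true} only if every registered label before the first wildcard label
         *     equals the corresponding requested label; {@code false} if either side has no host
         */
        boolean isSafeRedirect(URI requestedRedirect) {
            String registeredHost = getHost();
            String requestedHost = requestedRedirect.getHost();
            // URI.getHost() is null for host-less or registry-based authorities, and the registered
            // pattern may have no authority at all. Previously both cases ended in an uncaught
            // NullPointerException; a redirect without a comparable host is never "safe".
            if (registeredHost == null || requestedHost == null) {
                return false;
            }
            String[] registeredLabels = splitAndReverseHost(registeredHost);
            String[] requestedLabels = splitAndReverseHost(requestedHost);
            if (requestedLabels.length < registeredLabels.length) {
                return false;
            }
            for (int i = 0; i < registeredLabels.length; i++) {
                if (isWildcard(registeredLabels[i])) {
                    break;
                }
                // Case-sensitive on purpose unchanged: a case mismatch is rejected, never accepted.
                if (!registeredLabels[i].equals(requestedLabels[i])) {
                    return false;
                }
            }
            return true;
        }

        /** @return whether the registered URI could be split by {@link #URI_EXTRACTOR} */
        boolean isValidRedirect() {
            return this.isValidRedirect;
        }

        /**
         * Ant-matches the complete requested URI string against the complete registered pattern.
         *
         * @param requestedRedirect the redirect URI supplied on the authorization request
         */
        boolean match(URI requestedRedirect) {
            return this.matcher.match(this.redirectUri, requestedRedirect.toString());
        }

        // The decompiler notes that this was originally private; visibility is kept as shown.
        public boolean isWildcard(String value) {
            return value.contains("*");
        }

        /**
         * @return the registered host without userinfo and port, or {@code null} when the
         *     registered URI has no authority component
         */
        private String getHost() {
            String authority = this.redirectMatcher.group(URI_EXTRACTOR_AUTHORITY_GROUP);
            return authority == null ? null : stripPort(stripAuthority(authority));
        }

        /**
         * Drops a leading {@code userinfo@} part. The host starts after the last {@code @};
         * using an index instead of {@code split("@")[1]} also avoids an
         * ArrayIndexOutOfBoundsException for an authority that ends in {@code @}.
         */
        private String stripAuthority(String authority) {
            int at = authority.lastIndexOf('@');
            return at < 0 ? authority : authority.substring(at + 1);
        }

        /**
         * Drops everything from the first {@code :} on. Using an index instead of
         * {@code split(":")[0]} avoids an ArrayIndexOutOfBoundsException for a value that consists
         * only of colons.
         */
        private String stripPort(String hostAndPort) {
            int colon = hostAndPort.indexOf(':');
            return colon < 0 ? hostAndPort : hostAndPort.substring(0, colon);
        }

        /** Splits a host into its dot-separated labels, right-most label first. */
        private static String[] splitAndReverseHost(String host) {
            String[] labels = host.split("\\.");
            ArrayUtils.reverse(labels);
            return labels;
        }
    }

    /**
     * Decides whether a requested redirect URI is acceptable for one registered redirect URI.
     *
     * <p>A registered URI containing a wildcard is accepted only if both the host-label check and
     * the Ant match on the full string succeed; otherwise the decision is delegated to
     * {@link DefaultRedirectResolver}.
     *
     * @param requestedRedirect the redirect URI supplied on the authorization request (untrusted)
     * @param clientRedirect a redirect URI registered for the client
     * @return {@code true} if the requested URI matches; {@code false} on mismatch or if either
     *     value cannot be processed
     */
    // The decompiler notes that this was originally protected; visibility is kept as shown.
    @Override // org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver
    public boolean redirectMatches(String requestedRedirect, String clientRedirect) {
        try {
            URI requestedUri = URI.create(requestedRedirect);
            ClientRedirectUriPattern clientPattern = new ClientRedirectUriPattern(clientRedirect);
            if (!clientPattern.isValidRedirect()) {
                logger.error("Invalid redirect uri: {}", clientRedirect);
                return false;
            }
            if (clientPattern.isWildcard(clientRedirect)
                    && clientPattern.isSafeRedirect(requestedUri)
                    && clientPattern.match(requestedUri)) {
                return true;
            }
            return super.redirectMatches(requestedRedirect, clientRedirect);
        } catch (IllegalArgumentException e) {
            // NOTE(review): requestedRedirect is caller-supplied and is written to the log as
            // received; confirm the log layout neutralises CR/LF so entries cannot be forged.
            logger.error(
                    "Could not validate whether requestedRedirect ({}) matches clientRedirectUri ({})",
                    requestedRedirect,
                    clientRedirect,
                    e);
            return false;
        }
    }

    /**
     * Resolves the redirect URI for a client after checking that the client's registration is
     * usable at all.
     *
     * @param requestedRedirect the redirect URI supplied on the authorization request
     * @param clientDetails the client whose registered redirect URIs are consulted
     * @return the result of {@link DefaultRedirectResolver#resolveRedirect}
     * @throws RedirectMismatchException if the client has no registered redirect URI, or if any
     *     registered URI is rejected by {@code UaaUrlUtils.isValidRegisteredRedirectUrl}
     */
    @Override // org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver, org.springframework.security.oauth2.provider.endpoint.RedirectResolver
    public String resolveRedirect(String requestedRedirect, ClientDetails clientDetails) throws OAuth2Exception {
        Set<String> registeredRedirectUris =
                Optional.ofNullable(clientDetails.getRegisteredRedirectUri()).orElse(Collections.emptySet());
        if (registeredRedirectUris.isEmpty()) {
            throw new RedirectMismatchException("Client registration is missing redirect_uri");
        }
        // One bad registration invalidates the whole client rather than being skipped, so a
        // malformed pattern can never be silently matched against.
        List<String> invalidUrls = registeredRedirectUris.stream()
                .filter(url -> !UaaUrlUtils.isValidRegisteredRedirectUrl(url))
                .collect(Collectors.toList());
        if (invalidUrls.isEmpty()) {
            return super.resolveRedirect(requestedRedirect, clientDetails);
        }
        throw new RedirectMismatchException("Client registration contains invalid redirect_uri: " + invalidUrls);
    }
}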
