package org.forgerock.oauth2.core;

import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.inject.Singleton;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnsupportedResponseTypeException;
import org.forgerock.openam.oauth2.OAuth2Constants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

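/**
 * Validates the set of response types requested on an OAuth2 / OpenID Connect authorization request.
 *
 * <p>A request passes only if every check below succeeds, in this order:
 * <ol>
 *   <li>at least one response type was requested;</li>
 *   <li>the provider has allowed response types configured, and every requested type is among them;</li>
 *   <li>the client registration lists a response-type combination that matches the requested set
 *       (same members, same size), so a client cannot obtain a combination it was not registered for;</li>
 *   <li>a client that is not an OpenID Connect client is not asking for both {@code token} and
 *       {@code code};</li>
 *   <li>an OpenID Connect client whose request carries the {@code openid} scope is not asking for
 *       {@code token} without {@code code} or {@code id_token}.</li>
 * </ol>
 *
 * <p>Rejections are logged at debug level only for the last two checks; the provider-level and
 * client-level allowlist rejections are reported through the thrown exception alone.
 */
@Singleton
/* loaded from: input_file:org/forgerock/oauth2/core/ResponseTypeValidator.class */
public class ResponseTypeValidator {
    private final Logger logger = LoggerFactory.getLogger("OAuth2Provider");

    /**
     * Checks the requested response types against the provider settings and the client registration.
     *
     * @param clientRegistration the registration of the client making the request
     * @param set the response types requested; {@code null} or empty is rejected
     * @param oAuth2ProviderSettings source of the provider-wide allowed response types
     * @param oAuth2Request the request, read here only for its {@code scope} parameter
     * @throws InvalidRequestException if the provider has no allowed response types configured
     * @throws UnsupportedResponseTypeException if no response type was requested, a requested type is
     *         not allowed by the provider, the client is not registered for the requested
     *         combination, or the combination is rejected by the OAuth2 / OpenID Connect rules
     * @throws ServerException declared on the signature; not thrown directly by this method, so
     *         presumably propagated from the settings or registration lookups (confirm against them)
     */
    public void validate(ClientRegistration clientRegistration, Set<String> set, OAuth2ProviderSettings oAuth2ProviderSettings, OAuth2Request oAuth2Request) throws InvalidRequestException, UnsupportedResponseTypeException, ServerException {
        // Thrown without a URL location: the location is derived from the response types, and none were given.
        if (set == null || set.isEmpty()) {
            throw new UnsupportedResponseTypeException("Response type is not supported.");
        }
        OAuth2Constants.UrlLocation requiredUrlLocation = Utils.getRequiredUrlLocation(set, clientRegistration);

        // Provider-wide allowlist: fail closed when nothing is configured.
        Map<String, ResponseTypeHandler> allowedResponseTypes = oAuth2ProviderSettings.getAllowedResponseTypes();
        if (allowedResponseTypes == null || allowedResponseTypes.isEmpty()) {
            throw new InvalidRequestException("Invalid Response Type.", requiredUrlLocation);
        }
        if (!allowedResponseTypes.keySet().containsAll(set)) {
            throw new UnsupportedResponseTypeException("Response type is not supported.", requiredUrlLocation);
        }

        // Per-client allowlist: the requested set has to match one registered combination as a whole.
        // A registered "code id_token" does not authorise a request for "code" alone, or the reverse.
        boolean clientAllowsCombination = false;
        for (String registeredResponseType : clientRegistration.getAllowedResponseTypes()) {
            // Split once per entry; the original evaluated the split twice for every candidate.
            Collection<String> registeredTypes = Utils.splitResponseType(registeredResponseType);
            if (registeredTypes.containsAll(set) && registeredTypes.size() == set.size()) {
                clientAllowsCombination = true;
                break;
            }
        }
        if (!clientAllowsCombination) {
            throw new UnsupportedResponseTypeException("Client does not support this response type.", requiredUrlLocation);
        }

        validateForOAuth2(clientRegistration, set);

        // The OpenID Connect rule applies only when the client is an OIDC client AND "openid" was requested.
        Set<String> splitScope = Utils.splitScope((String) oAuth2Request.getParameter("scope"));
        if (Utils.isOpenIdConnectClient(clientRegistration) && splitScope.contains("openid")) {
            validateOpenidResponseTypes(clientRegistration, set);
        }
    }

    /**
     * Rejects a request for both {@code token} and {@code code} from a client that is not an
     * OpenID Connect client.
     *
     * @param clientRegistration the registration of the client making the request
     * @param set the requested response types
     * @throws UnsupportedResponseTypeException if the combination is requested by such a client
     */
    private void validateForOAuth2(ClientRegistration clientRegistration, Set<String> set) throws UnsupportedResponseTypeException {
        if (!Utils.isOpenIdConnectClient(clientRegistration) && set.contains("token") && set.contains("code")) {
            // The rejected value is the response type, not the scope; the message previously said scope=.
            this.logger.debug("Response type is not supported. OAuth2 client does not support response_type=\"token code\".");
            throw new UnsupportedResponseTypeException("Response type is not supported.", Utils.getRequiredUrlLocation(set, clientRegistration));
        }
    }

    /**
     * Rejects a request that includes {@code token} but neither {@code code} nor {@code id_token}.
     * Called only for OpenID Connect clients whose request carries the {@code openid} scope.
     *
     * @param clientRegistration the registration of the client making the request
     * @param set the requested response types
     * @throws UnsupportedResponseTypeException if {@code token} is requested without {@code code} or
     *         {@code id_token}
     */
    private void validateOpenidResponseTypes(ClientRegistration clientRegistration, Set<String> set) throws UnsupportedResponseTypeException {
        boolean tokenWithoutCodeOrIdToken = set.contains("token") && !set.contains("code") && !set.contains("id_token");
        if (tokenWithoutCodeOrIdToken) {
            // The rejected value is the response type, not the scope; the message previously said scope=.
            this.logger.debug("Response type is not supported. OpenId Connect client does not support response_type=\"token\".");
            throw new UnsupportedResponseTypeException("Response type is not supported.", Utils.getRequiredUrlLocation(set, clientRegistration));
        }
    }
}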
