package org.cloudfoundry.identity.uaa.zone;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.expression.OAuth2ExpressionUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-common-2.2.5.jar:org/cloudfoundry/identity/uaa/zone/IdentityZoneSwitchingFilter.class */
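/**
 * Servlet filter that lets a caller act inside another identity zone for a single request by
 * naming that zone in the {@value #HEADER} request header.
 *
 * <p>Order of checks in {@link #doFilterInternal}:
 * <ol>
 *   <li>no header (or blank header): the request passes through untouched;</li>
 *   <li>header present but the caller lacks the zone-admin scope: 403, and the zone store is
 *       never queried;</li>
 *   <li>header present, caller authorized, zone unknown: 404;</li>
 *   <li>otherwise the zone is installed in {@link IdentityZoneHolder} for the rest of the chain
 *       and the previous zone is put back afterwards.</li>
 * </ol>
 *
 * <p>Because authorization runs before the lookup, the 403/404 difference is only visible to a
 * caller that already holds the admin scope for the id it asked about.
 */
public class IdentityZoneSwitchingFilter extends OncePerRequestFilter {
    /** Request header carrying the id of the identity zone to switch to. */
    public static final String HEADER = "X-Identity-Zone-Id";

    /** Zone store used to resolve the header value to an {@link IdentityZone}. */
    private final IdentityZoneProvisioning dao;

    /**
     * @param identityZoneProvisioning zone store consulted for every authorized switch request
     */
    @Autowired
    public IdentityZoneSwitchingFilter(IdentityZoneProvisioning identityZoneProvisioning) {
        this.dao = identityZoneProvisioning;
    }

    /**
     * Decides whether the current caller may switch into the given zone.
     *
     * <p>All three conditions must hold: the current authentication is an
     * {@link OAuth2Authentication}, {@code IdentityZoneHolder.isUaa()} is true (presumably: the
     * request arrived in the default UAA zone; confirm against IdentityZoneHolder), and the
     * authentication carries the scope {@code zones.<id>.admin}.
     *
     * @param str zone id taken verbatim from the request header; it is caller-controlled and is
     *     only concatenated into the scope name that is checked
     * @return {@code true} only if every condition above holds
     */
    protected boolean isAuthorizedToSwitchToIdentityZone(String str) {
        final Authentication current = SecurityContextHolder.getContext().getAuthentication();
        // Anonymous, session-based or otherwise non-OAuth2 authentications can never switch.
        if (!(current instanceof OAuth2Authentication)) {
            return false;
        }
        if (!IdentityZoneHolder.isUaa()) {
            return false;
        }
        // The scope name embeds the requested id, so a token scoped to one zone does not grant
        // access to another.
        // NOTE(review): this relies on hasAnyScope comparing scope names literally; confirm,
        // since the id comes straight from the header.
        final String requiredScope = "zones." + str + ".admin";
        return OAuth2ExpressionUtils.hasAnyScope(current, new String[] {requiredScope});
    }

    /**
     * Applies the zone switch described on the class, then continues the filter chain.
     *
     * @throws ServletException propagated from the downstream chain
     * @throws IOException propagated from the downstream chain or from writing the error response
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        final String requestedZoneId = httpServletRequest.getHeader(HEADER);
        if (!StringUtils.hasText(requestedZoneId)) {
            // No switch requested: nothing to authorize and nothing to restore.
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        if (!isAuthorizedToSwitchToIdentityZone(requestedZoneId)) {
            // NOTE(review): the header value is echoed into the error message here and in the
            // 404 below. Whether it is escaped depends on whatever renders the error response;
            // confirm that renderer encodes the message.
            // 403 Forbidden
            httpServletResponse.sendError(403, "User is not authorized to switch to IdentityZone with id " + requestedZoneId);
            return;
        }

        final IdentityZone originalZone = IdentityZoneHolder.get();
        try {
            final IdentityZone targetZone = findZoneOrNull(requestedZoneId);
            if (targetZone == null) {
                // 404 Not Found
                httpServletResponse.sendError(404, "Identity zone with id " + requestedZoneId + " does not exist");
                return;
            }
            IdentityZoneHolder.set(targetZone);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        } finally {
            // Always put the caller's own zone back, whether the chain returned normally, the
            // zone was missing, or something threw. Leaving the switched zone in the holder
            // would let it outlive this request.
            IdentityZoneHolder.set(originalZone);
        }
    }

    /**
     * Resolves a zone id through the zone store, mapping "no such zone" to {@code null}.
     * Any other exception from the store propagates to the caller.
     */
    private IdentityZone findZoneOrNull(String zoneId) {
        try {
            return this.dao.retrieve(zoneId);
        } catch (ZoneDoesNotExistsException ignored) {
            // Unknown zone: reported to the client as 404 by the caller.
            return null;
        } catch (EmptyResultDataAccessException ignored) {
            // Store returned no row: treated the same as an unknown zone.
            return null;
        }
    }
}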
