package org.cloudfoundry.identity.uaa.zone;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.expression.OAuth2ExpressionUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/zone/IdentityZoneSwitchingFilter.class */
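/**
 * Servlet filter that lets a caller in the default ("uaa") identity zone act inside
 * another zone for the duration of a single request by sending the
 * {@value #HEADER} header.
 *
 * <p>Security model, as implemented below:
 * <ul>
 *   <li>A switch is honoured only when the current zone is the default zone
 *       ({@link IdentityZoneHolder#isUaa()}) and the current {@link Authentication} is an
 *       {@link OAuth2Authentication} holding at least one of the {@link #zoneSwitchScopes}
 *       templates instantiated for the requested zone id (e.g. {@code zones.<id>.admin}).
 *       Lateral switching from inside a non-default zone is therefore never possible.</li>
 *   <li>Before the request proceeds, the security context is replaced by a copy whose
 *       request scopes and authorities contain only the matched zone scopes, renamed with
 *       the {@code zones.<id>.} prefix stripped (except {@code admin} and {@code read},
 *       see {@link #zoneScopestoNotStripPrefix}). Every other scope of the original token
 *       is dropped for this request.</li>
 *   <li>The original zone is restored on every exit path, including exceptions, so a
 *       switch never leaks into later requests handled on the same thread.</li>
 * </ul>
 *
 * <p>NOTE(review): the zone id is taken verbatim from a request header and is echoed back
 * in the 403/404 messages passed to {@code sendError}; whether that text is HTML-escaped
 * depends on the servlet container's error page — confirm for the deployed container.
 * The id is also spliced literally into scope names, so a zone id containing {@code '.'}
 * would make those names ambiguous (the read scope of a zone {@code a.clients} is the same
 * string as the {@code clients.read} scope of zone {@code a}); confirm how zone ids are
 * validated by {@link IdentityZoneProvisioning} before relying on that distinction.
 */
public class IdentityZoneSwitchingFilter extends OncePerRequestFilter {
    private final IdentityZoneProvisioning dao;
    /** Request header naming the zone to switch into. */
    public static final String HEADER = "X-Identity-Zone-Id";
    /** Placeholder in the scope templates below, replaced by the requested zone id. */
    public static final String ZONE_ID_MATCH = "{zone_id}";
    public static final String ZONES_ZONE_ID_PREFIX = "zones.";
    public static final String ZONES_ZONE_ID_ADMIN = "zones.{zone_id}.admin";
    /** Scope templates; holding any one of them (for the target zone) permits a switch. */
    public static final List<String> zoneSwitchScopes = Collections.unmodifiableList(Arrays.asList(ZONES_ZONE_ID_ADMIN, "zones.{zone_id}.read", "zones.{zone_id}.clients.admin", "zones.{zone_id}.clients.read", "zones.{zone_id}.clients.write", "zones.{zone_id}.idps.read"));
    /** Suffixes whose {@code zones.<id>.} prefix is kept when scopes are narrowed. */
    public static final List<String> zoneScopestoNotStripPrefix = Collections.unmodifiableList(Arrays.asList("admin", "read"));

    @Autowired
    public IdentityZoneSwitchingFilter(IdentityZoneProvisioning identityZoneProvisioning) {
        this.dao = identityZoneProvisioning;
    }

    /**
     * Decides whether the caller may switch into the zone {@code zoneId}. The caller is
     * the {@link Authentication} currently held by {@link SecurityContextHolder}.
     *
     * @param zoneId id of the zone named in the request header
     * @return {@code true} only if the current zone is the default zone, the
     *         authentication is an {@link OAuth2Authentication}, and it carries at least
     *         one of the zone-switching scopes for {@code zoneId}
     */
    protected boolean isAuthorizedToSwitchToIdentityZone(String zoneId) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (!(current instanceof OAuth2Authentication)) {
            return false;
        }
        // Switching is only permitted from the default zone, never zone-to-zone.
        if (!IdentityZoneHolder.isUaa()) {
            return false;
        }
        return OAuth2ExpressionUtils.hasAnyScope(current, getZoneSwitchingScopes(zoneId));
    }

    /**
     * Replaces the current security context with a copy narrowed to the zone-switching
     * scopes for {@code zoneId}.
     *
     * <p>Only scopes and client authorities that exactly equal one of the instantiated
     * {@link #zoneSwitchScopes} survive, renamed via {@link #stripPrefix}; nothing else
     * from the original token is carried into the target zone. When a user authentication
     * is present it is rebuilt with the narrowed <em>scope</em> set as its authorities, no
     * credentials, fresh {@link UaaAuthenticationDetails} built from {@code request}, the
     * authenticated flag set, and the original authenticated time. The outer
     * authentication's details object is carried over unchanged.
     *
     * <p>Precondition: the current authentication is an {@link OAuth2Authentication}; in
     * this filter that is guaranteed by {@link #isAuthorizedToSwitchToIdentityZone}.
     *
     * @param zoneId  target zone id
     * @param request current request, used only to build the new authentication details
     */
    protected void stripScopesFromAuthentication(String zoneId, HttpServletRequest request) {
        OAuth2Authentication current = (OAuth2Authentication) SecurityContextHolder.getContext().getAuthentication();
        Object details = current.getDetails();
        OAuth2Request original = current.getOAuth2Request();
        Set<String> clientAuthorities = UaaStringUtils.getStringsFromAuthorities(original.getAuthorities());

        Set<String> zoneScopes = new HashSet<>();
        Set<String> zoneAuthorities = new HashSet<>();
        for (String switchScope : getZoneSwitchingScopes(zoneId)) {
            String stripped = stripPrefix(switchScope, zoneId);
            if (original.getScope().contains(switchScope)) {
                zoneScopes.add(stripped);
            }
            if (clientAuthorities.contains(switchScope)) {
                zoneAuthorities.add(stripped);
            }
        }

        OAuth2Request narrowed = new OAuth2Request(
                original.getRequestParameters(),
                original.getClientId(),
                UaaStringUtils.getAuthoritiesFromStrings(zoneAuthorities),
                original.isApproved(),
                zoneScopes,
                original.getResourceIds(),
                original.getRedirectUri(),
                original.getResponseTypes(),
                original.getExtensions());

        UaaAuthentication user = (UaaAuthentication) current.getUserAuthentication();
        if (user != null) {
            // The user's authorities are rebuilt from the narrowed scopes (not the client
            // authorities); credentials are dropped. m11getPrincipal appears to be a
            // decompiler-renamed getPrincipal() — kept as found.
            user = new UaaAuthentication(
                    user.m11getPrincipal(),
                    null,
                    UaaStringUtils.getAuthoritiesFromStrings(zoneScopes),
                    new UaaAuthenticationDetails(request),
                    true,
                    user.getAuthenticatedTime());
        }

        OAuth2Authentication switched = new OAuth2Authentication(narrowed, user);
        switched.setDetails(details);
        SecurityContextHolder.getContext().setAuthentication(switched);
    }

    /**
     * Maps a fully-qualified zone scope to the name it carries inside the zone.
     *
     * <p>{@code zones.<zoneId>.clients.read} becomes {@code clients.read};
     * {@code zones.<zoneId>.admin} and {@code zones.<zoneId>.read} (the suffixes in
     * {@link #zoneScopestoNotStripPrefix}) are returned unchanged, as is a blank scope or
     * one that does not start with the {@code zones.<zoneId>.} prefix.
     *
     * @param scope  scope name to translate
     * @param zoneId zone whose prefix is stripped
     * @return the in-zone scope name
     */
    protected String stripPrefix(String scope, String zoneId) {
        if (!StringUtils.hasText(scope)) {
            return scope;
        }
        String prefix = ZONES_ZONE_ID_PREFIX + zoneId + ".";
        for (String keepAsIs : zoneScopestoNotStripPrefix) {
            if (scope.equals(prefix + keepAsIs)) {
                return scope;
            }
        }
        return scope.startsWith(prefix) ? scope.substring(prefix.length()) : scope;
    }

    /**
     * Instantiates every {@link #zoneSwitchScopes} template for {@code zoneId} by a
     * literal replacement of {@link #ZONE_ID_MATCH}.
     *
     * @param zoneId zone id to splice into the templates
     * @return the concrete scope names, in template order
     */
    protected String[] getZoneSwitchingScopes(String zoneId) {
        String[] scopes = new String[zoneSwitchScopes.size()];
        for (int i = 0; i < scopes.length; i++) {
            scopes[i] = zoneSwitchScopes.get(i).replace(ZONE_ID_MATCH, zoneId);
        }
        return scopes;
    }

    /**
     * Applies the zone switch for one request.
     *
     * <p>Without the {@value #HEADER} header the request passes through untouched. With it,
     * the caller must be authorized ({@link #isAuthorizedToSwitchToIdentityZone}, else 403)
     * and the zone must exist (else 404). Authorization is checked before the lookup, so an
     * unauthorized caller cannot probe whether a zone id exists. On success the security
     * context is narrowed ({@link #stripScopesFromAuthentication}), the zone is set in
     * {@link IdentityZoneHolder} for the downstream chain, and the original zone is restored
     * afterwards on every path.
     */
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        String zoneId = request.getHeader(HEADER);
        if (!StringUtils.hasText(zoneId)) {
            filterChain.doFilter(request, response);
            return;
        }
        if (!isAuthorizedToSwitchToIdentityZone(zoneId)) {
            // Message echoes the request header; escaping is left to the container's error page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not authorized to switch to IdentityZone with id " + zoneId);
            return;
        }
        IdentityZone originalZone = IdentityZoneHolder.get();
        try {
            IdentityZone targetZone = lookupZone(zoneId);
            if (targetZone == null) {
                response.sendError(HttpServletResponse.SC_NOT_FOUND, "Identity zone with id " + zoneId + " does not exist");
                return;
            }
            stripScopesFromAuthentication(zoneId, request);
            IdentityZoneHolder.set(targetZone);
            filterChain.doFilter(request, response);
        } finally {
            // Restore unconditionally so the switched zone never outlives this request.
            IdentityZoneHolder.set(originalZone);
        }
    }

    /**
     * Looks up a zone by id.
     *
     * @return the zone, or {@code null} when the provisioning layer reports it as absent;
     *         any other failure propagates to the caller
     */
    private IdentityZone lookupZone(String zoneId) {
        try {
            return this.dao.retrieve(zoneId);
        } catch (ZoneDoesNotExistsException | EmptyResultDataAccessException ignored) {
            // Both signal "no such zone"; the caller turns null into a 404.
            return null;
        }
    }
}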
