package org.cloudfoundry.identity.uaa.scim.security;

import java.util.Collection;
import org.apache.log4j.spi.LocationInfo;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.scim.ScimGroupMember;
import org.cloudfoundry.identity.uaa.scim.ScimGroupMembershipManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-scim-2.2.4.jar:org/cloudfoundry/identity/uaa/scim/security/GroupVoter.class */
public class GroupVoter implements AccessDecisionVoter<Object> {
    private ScimGroupMembershipManager membershipManager;
    private String groupPrefix = "groupScope=";

    public void setGroupPrefix(String str) {
        this.groupPrefix = str;
    }

    public void setMembershipManager(ScimGroupMembershipManager scimGroupMembershipManager) {
        this.membershipManager = scimGroupMembershipManager;
    }

    @Override // org.springframework.security.access.AccessDecisionVoter
    public boolean supports(ConfigAttribute configAttribute) {
        return StringUtils.hasText(configAttribute.getAttribute()) && configAttribute.getAttribute().startsWith(this.groupPrefix);
    }

    @Override // org.springframework.security.access.AccessDecisionVoter
    public boolean supports(Class<?> cls) {
        return FilterInvocation.class.isAssignableFrom(cls);
    }

    @Override // org.springframework.security.access.AccessDecisionVoter
    public int vote(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) {
        if ((authentication instanceof OAuth2Authentication) && ((OAuth2Authentication) authentication).isClientOnly()) {
            return 0;
        }
        String id = ((UaaPrincipal) authentication.getPrincipal()).getId();
        String groupId = getGroupId(((FilterInvocation) obj).getRequestUrl());
        for (ConfigAttribute configAttribute : collection) {
            if (supports(configAttribute)) {
                return this.membershipManager.getMembers(groupId, ScimGroupMember.Role.valueOf(configAttribute.getAttribute().substring(this.groupPrefix.length()).toUpperCase())).contains(new ScimGroupMember(id)) ? 1 : -1;
            }
        }
        return 0;
    }

    private String getGroupId(String str) {
        return str.substring(str.lastIndexOf("/") + 1, str.indexOf(LocationInfo.NA) > 0 ? str.indexOf(LocationInfo.NA) : str.length());
    }
}
