package org.cloudfoundry.identity.uaa.security;

import com.fasterxml.jackson.core.type.TypeReference;
import java.util.Map;
import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
import org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication;
import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.cloudfoundry.identity.uaa.zone.IdentityZone;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.cloudfoundry.identity.uaa.zone.ZoneManagementScopes;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.security.oauth2.provider.expression.OAuth2SecurityExpressionMethods;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-3.9.1.jar:org/cloudfoundry/identity/uaa/security/ContextSensitiveOAuth2SecurityExpressionMethods.class */
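/**
 * Security-expression methods ({@code hasAnyScope}, {@code clientHasRole}, ...) that are aware of
 * the identity zone a request is evaluated in.
 *
 * <p>Scope and role names handed to the expression may contain the
 * {@link ZoneManagementScopes#ZONE_ID_MATCH} placeholder; it is replaced with the id of the zone
 * held by {@link IdentityZoneHolder} before the inherited check runs. Note that the placeholder is
 * resolved against {@code IdentityZoneHolder.get()}, whereas {@link #hasScopeInAuthZone(String)}
 * compares against the {@code identityZone} supplied to the constructor; callers relying on both
 * should make sure the two refer to the same zone.
 *
 * <p>An authentication carrying the {@code uaa.admin} scope satisfies every {@code hasAnyScope} /
 * {@code hasAnyScopeMatching} check regardless of the zone-qualified scopes requested, so that
 * scope acts as a super-user grant for expressions evaluated through this class.
 */
public class ContextSensitiveOAuth2SecurityExpressionMethods extends OAuth2SecurityExpressionMethods {

    /** Scope that short-circuits all {@code hasAnyScope*} checks to {@code true}. */
    private static final String UAA_ADMIN_SCOPE = "uaa.admin";

    private final IdentityZone identityZone;
    private final Authentication authentication;

    /**
     * Creates expression methods bound to the default UAA zone.
     *
     * @param authentication the authentication the expressions are evaluated against
     */
    public ContextSensitiveOAuth2SecurityExpressionMethods(Authentication authentication) {
        this(authentication, IdentityZone.getUaa());
    }

    /**
     * Creates expression methods bound to the given zone.
     *
     * @param authentication the authentication the expressions are evaluated against
     * @param identityZone   the zone {@link #hasScopeInAuthZone(String)} compares the token's zone
     *                       against; may be {@code null}, in which case that check always fails
     */
    public ContextSensitiveOAuth2SecurityExpressionMethods(Authentication authentication, IdentityZone identityZone) {
        super(authentication);
        this.authentication = authentication;
        this.identityZone = identityZone;
    }

    /**
     * Replaces the {@link ZoneManagementScopes#ZONE_ID_MATCH} placeholder with the id of the
     * zone currently held by {@link IdentityZoneHolder}.
     *
     * @param value scope or role name, possibly containing the placeholder; {@code null} is
     *              passed through unchanged
     * @return the zone-qualified name, or {@code null} if {@code value} was {@code null}
     */
    private String replaceContext(String value) {
        if (value == null) {
            return null;
        }
        return value.replace(ZoneManagementScopes.ZONE_ID_MATCH, IdentityZoneHolder.get().getId());
    }

    /**
     * Applies {@link #replaceContext(String)} to every element of {@code values}.
     *
     * @param values scope or role names; {@code null} and empty arrays are returned as-is
     * @return a new array with every placeholder resolved (never the input array unless it is
     *         {@code null} or empty)
     */
    private String[] replaceContext(String[] values) {
        if (values == null || values.length == 0) {
            return values;
        }
        String[] resolved = new String[values.length];
        for (int i = 0; i < values.length; i++) {
            resolved[i] = replaceContext(values[i]);
        }
        return resolved;
    }

    /** {@inheritDoc} The role is zone-qualified before the inherited check runs. */
    @Override
    public boolean clientHasRole(String role) {
        return super.clientHasRole(replaceContext(role));
    }

    /** {@inheritDoc} Every role is zone-qualified before the inherited check runs. */
    @Override
    public boolean clientHasAnyRole(String... roles) {
        return super.clientHasAnyRole(replaceContext(roles));
    }

    /**
     * Whether the authentication carries the literal {@code uaa.admin} scope. The inherited check
     * is invoked directly so that neither placeholder replacement nor this class's own
     * {@link #hasAnyScope(String...)} override is involved.
     */
    private boolean isUaaAdmin() {
        return super.hasAnyScope(UAA_ADMIN_SCOPE);
    }

    /**
     * {@inheritDoc}
     *
     * <p>Returns {@code true} unconditionally for a {@code uaa.admin} authentication; otherwise
     * the scopes are zone-qualified before the inherited check runs.
     */
    @Override
    public boolean hasAnyScope(String... scopes) {
        return isUaaAdmin() || super.hasAnyScope(replaceContext(scopes));
    }

    /**
     * {@inheritDoc}
     *
     * <p>Returns {@code true} unconditionally for a {@code uaa.admin} authentication; otherwise
     * the scope patterns are zone-qualified before the inherited check runs.
     */
    @Override
    public boolean hasAnyScopeMatching(String... scopes) {
        return isUaaAdmin() || super.hasAnyScopeMatching(replaceContext(scopes));
    }

    /**
     * Whether the authentication has {@code scope} <em>and</em> was issued in the zone this
     * instance is bound to. Unlike {@link #hasAnyScope(String...)}, the zone comparison is not
     * bypassed for {@code uaa.admin}: an admin token from another zone still fails this check.
     *
     * @param scope the scope to require (placeholders are resolved by {@code hasScope})
     * @return {@code true} only if the scope is present, the authentication's zone id could be
     *         determined, and it equals the id of the bound zone
     * @throws IllegalStateException if the zone id has to be read from the bearer token and the
     *                               token cannot be decoded
     */
    public boolean hasScopeInAuthZone(String scope) {
        // Both values are computed up front so that an undecodable token surfaces as an
        // exception even when the scope check itself already fails.
        boolean granted = hasScope(scope);
        String authZoneId = getAuthenticationZoneId();
        if (!granted || !StringUtils.hasText(authZoneId)) {
            return false;
        }
        return this.identityZone != null && authZoneId.equals(this.identityZone.getId());
    }

    /**
     * Determines the zone the current authentication belongs to, trying in order: a
     * {@link UaaPrincipal} principal, a {@link UaaOauth2Authentication}, and finally the
     * {@code zid} claim of the bearer token carried in {@link OAuth2AuthenticationDetails}.
     *
     * @return the zone id, or {@code null} if none of the sources is available
     * @throws IllegalStateException if the bearer token is present but cannot be decoded
     */
    private String getAuthenticationZoneId() {
        Object principal = this.authentication.getPrincipal();
        if (principal instanceof UaaPrincipal) {
            return ((UaaPrincipal) principal).getZoneId();
        }
        if (this.authentication instanceof UaaOauth2Authentication) {
            return ((UaaOauth2Authentication) this.authentication).getZoneId();
        }
        Object details = this.authentication.getDetails();
        if (details instanceof OAuth2AuthenticationDetails) {
            return getZoneIdFromToken(((OAuth2AuthenticationDetails) details).getTokenValue());
        }
        return null;
    }

    /**
     * Reads the {@link ClaimConstants#ZONE_ID} claim from a JWT.
     *
     * <p>{@code JwtHelper.decode} only parses the token here; no signature check happens in this
     * method. This relies on the token having been validated when the request was authenticated
     * (it is taken from {@link OAuth2AuthenticationDetails}) — confirm that assumption holds for
     * every authentication path that reaches this class.
     *
     * <p>Only {@link RuntimeException}s are wrapped; JVM {@link Error}s are left to propagate
     * rather than being reported as a token problem.
     *
     * @param token the serialized JWT
     * @return the zone id claim, or {@code null} if the token has none
     * @throws IllegalStateException if the token cannot be decoded, its claims cannot be parsed,
     *                               or the zone id claim is not a string
     */
    private String getZoneIdFromToken(String token) {
        String claimsJson;
        try {
            claimsJson = JwtHelper.decode(token).getClaims();
        } catch (RuntimeException e) {
            throw new IllegalStateException("Cannot decode token", e);
        }
        Map<String, Object> claims;
        try {
            claims = JsonUtils.readValue(claimsJson, new TypeReference<Map<String, Object>>() {
            });
        } catch (JsonUtils.JsonUtilException e) {
            throw new IllegalStateException("Cannot read token claims", e);
        }
        if (claims == null) {
            throw new IllegalStateException("Cannot read token claims");
        }
        Object zoneId = claims.get(ClaimConstants.ZONE_ID);
        if (zoneId == null) {
            return null;
        }
        if (!(zoneId instanceof String)) {
            // Fail closed rather than surface a ClassCastException: a non-string zid is a
            // malformed token, not a missing claim.
            throw new IllegalStateException("Cannot read token claims");
        }
        return (String) zoneId;
    }
}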
