package org.cloudfoundry.identity.uaa.zone;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthentication;
import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
import org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.20.0.jar:org/cloudfoundry/identity/uaa/zone/IdentityZoneSwitchingFilter.class */
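/**
 * Lets a caller authenticated in the default (UAA) zone act on another identity zone for the
 * duration of a single request. The target zone is named by the {@value #HEADER} or
 * {@value #SUBDOMAIN_HEADER} request header. When either header is present the filter
 * <ul>
 *   <li>resolves the zone and answers 404 when it does not exist,</li>
 *   <li>builds a copy of the current OAuth2 authentication that carries only the scopes and
 *       authorities granting switching into that zone (see {@link ZoneManagementScopes}), with the
 *       {@code zones.<id>.} prefix stripped, and answers 403 when the request is not being served in
 *       the UAA zone or no such scope was granted,</li>
 *   <li>installs the narrowed authentication in the security context and the target zone in
 *       {@link IdentityZoneHolder} for the rest of the filter chain, restoring the previous zone
 *       afterwards (the security context is not restored).</li>
 * </ul>
 */
public class IdentityZoneSwitchingFilter extends OncePerRequestFilter {
    private final IdentityZoneProvisioning dao;
    /** Request header carrying the id of the zone to switch to. */
    public static final String HEADER = "X-Identity-Zone-Id";
    /** Request header carrying the subdomain of the zone to switch to; used when {@link #HEADER} is empty. */
    public static final String SUBDOMAIN_HEADER = "X-Identity-Zone-Subdomain";
    /** Scope suffixes that keep their {@code zones.<id>.} prefix when switched into a zone. */
    public static final List<String> zoneScopestoNotStripPrefix = Collections.unmodifiableList(Arrays.asList("admin", "read"));

    /**
     * @param identityZoneProvisioning store used to resolve the zone named in the request headers
     */
    @Autowired
    public IdentityZoneSwitchingFilter(IdentityZoneProvisioning identityZoneProvisioning) {
        this.dao = identityZoneProvisioning;
    }

    /**
     * Derives the authentication to use inside {@code zoneId} from the authentication currently
     * bound to the security context.
     *
     * <p>Only the scopes and authorities returned by
     * {@link ZoneManagementScopes#getZoneSwitchingScopes(String)} for the target zone are kept;
     * everything else is dropped, so the caller can do no more in the target zone than those
     * scopes allow. The zone prefix is removed from each kept scope via {@link #stripPrefix}.
     *
     * @param zoneId id of the zone being switched to
     * @param request current request; used to rebuild the authentication details
     * @return a narrowed {@link UaaOauth2Authentication}, or {@code null} when the security context
     *     does not hold an {@link OAuth2Authentication}
     * @throws ClassCastException if the context authentication is an {@link OAuth2Authentication}
     *     that is not a {@link UaaOauth2Authentication}, or its user authentication is not a
     *     {@link UaaAuthentication} (both casts are unchecked)
     */
    protected OAuth2Authentication getAuthenticationForZone(String zoneId, HttpServletRequest request) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (!(current instanceof OAuth2Authentication)) {
            return null;
        }
        OAuth2Authentication oauth2 = (OAuth2Authentication) current;
        Object details = oauth2.getDetails();
        OAuth2Request originalRequest = oauth2.getOAuth2Request();
        Set<String> grantedAuthorities = UaaStringUtils.getStringsFromAuthorities(originalRequest.getAuthorities());

        // Keep a scope/authority only if it is one of the zone-switching scopes for the target zone
        // AND the caller actually holds it; record it under its prefix-stripped name.
        Set<String> zoneScopes = new HashSet<>();
        Set<String> zoneAuthorities = new HashSet<>();
        for (String switchingScope : ZoneManagementScopes.getZoneSwitchingScopes(zoneId)) {
            String localName = stripPrefix(switchingScope, zoneId);
            if (originalRequest.getScope().contains(switchingScope)) {
                zoneScopes.add(localName);
            }
            if (grantedAuthorities.contains(switchingScope)) {
                zoneAuthorities.add(localName);
            }
        }

        OAuth2Request narrowedRequest = new OAuth2Request(
                originalRequest.getRequestParameters(),
                originalRequest.getClientId(),
                UaaStringUtils.getAuthoritiesFromStrings(zoneAuthorities),
                originalRequest.isApproved(),
                zoneScopes,
                originalRequest.getResourceIds(),
                originalRequest.getRedirectUri(),
                originalRequest.getResponseTypes(),
                originalRequest.getExtensions());

        // A token without a user authentication stays without one; otherwise the user
        // authentication is rebuilt with the narrowed scope set as its authorities.
        UaaAuthentication userAuth = (UaaAuthentication) oauth2.getUserAuthentication();
        if (userAuth != null) {
            userAuth = new UaaAuthentication(
                    userAuth.getPrincipal(),
                    null,
                    UaaStringUtils.getAuthoritiesFromStrings(zoneScopes),
                    new UaaAuthenticationDetails(request),
                    true,
                    userAuth.getAuthenticatedTime());
        }

        // The zone id recorded here is the zone current at this point (the one the request was
        // received in); doFilterInternal switches IdentityZoneHolder to the target zone only later.
        UaaOauth2Authentication narrowed = new UaaOauth2Authentication(
                ((UaaOauth2Authentication) oauth2).getTokenValue(),
                IdentityZoneHolder.get().getId(),
                narrowedRequest,
                userAuth);
        narrowed.setDetails(details);
        return narrowed;
    }

    /**
     * Removes the {@code zones.<zoneId>.} prefix from a zone-switching scope name.
     *
     * <p>Scopes whose suffix is listed in {@link #zoneScopestoNotStripPrefix}
     * ({@code zones.<zoneId>.admin} and {@code zones.<zoneId>.read}) are returned unchanged,
     * prefix included.
     *
     * @param scope scope name, may be blank
     * @param zoneId zone whose prefix is stripped
     * @return the scope without its prefix, or the input itself when it is blank, is one of the
     *     exempt scopes, or does not start with the prefix
     */
    protected String stripPrefix(String scope, String zoneId) {
        if (!StringUtils.hasText(scope)) {
            return scope;
        }
        String prefix = ZoneManagementScopes.ZONES_ZONE_ID_PREFIX + zoneId + ".";
        for (String keep : zoneScopestoNotStripPrefix) {
            if (scope.equals(prefix + keep)) {
                return scope;
            }
        }
        return scope.startsWith(prefix) ? scope.substring(prefix.length()) : scope;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Requests without either zone header pass through untouched. Otherwise the target zone is
     * resolved (404 when absent), the caller's authentication is narrowed to that zone (403 when the
     * request is not served in the UAA zone or no zone-switching scope survives), and the rest of
     * the chain runs with the target zone bound to {@link IdentityZoneHolder}.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
        String zoneIdHeader = request.getHeader(HEADER);
        String subdomainHeader = request.getHeader(SUBDOMAIN_HEADER);
        if (StringUtils.isEmpty(zoneIdHeader) && StringUtils.isEmpty(subdomainHeader)) {
            chain.doFilter(request, response);
            return;
        }
        IdentityZone targetZone = validateIdentityZone(zoneIdHeader, subdomainHeader);
        if (targetZone == null) {
            // The raw header values are echoed in the error message; rendering/escaping of that
            // message is left to the servlet container's error page.
            response.sendError(HttpServletResponse.SC_NOT_FOUND,
                    "Identity zone with id/subdomain " + zoneIdHeader + "/" + subdomainHeader + " does not exist");
            return;
        }
        String zoneId = targetZone.getId();
        OAuth2Authentication zoneAuthentication = getAuthenticationForZone(zoneId, request);
        // Switching is permitted only out of the UAA (default) zone, and only when at least one
        // zone-switching scope was actually granted to the caller.
        if (!IdentityZoneHolder.isUaa() || zoneAuthentication == null || zoneAuthentication.getOAuth2Request().getScope().isEmpty()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "User is not authorized to switch to IdentityZone with id " + zoneId);
            return;
        }
        // The narrowed authentication replaces the original for the remainder of the request and
        // is not put back after the chain returns; only the zone holder is restored.
        SecurityContextHolder.getContext().setAuthentication(zoneAuthentication);
        IdentityZone previousZone = IdentityZoneHolder.get();
        try {
            IdentityZoneHolder.set(targetZone);
            chain.doFilter(request, response);
        } finally {
            IdentityZoneHolder.set(previousZone);
        }
    }

    /**
     * Looks up the target zone by id, or by subdomain when no id was given.
     *
     * @param zoneId value of the {@value #HEADER} header, may be empty
     * @param subdomain value of the {@value #SUBDOMAIN_HEADER} header; consulted only when
     *     {@code zoneId} is empty
     * @return the zone, or {@code null} when the store reports that no such zone exists
     * @throws IOException declared for callers; any other lookup failure propagates unchanged
     */
    private IdentityZone validateIdentityZone(String zoneId, String subdomain) throws IOException {
        try {
            return StringUtils.isEmpty(zoneId) ? this.dao.retrieveBySubdomain(subdomain) : this.dao.retrieve(zoneId);
        } catch (ZoneDoesNotExistsException | EmptyResultDataAccessException ignored) {
            // "Not found" is reported as null, which the caller turns into a 404 response.
            return null;
        }
    }
}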
