package org.springframework.security.oauth2.provider.vote;

import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Locale;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-2.3.3.RELEASE.jar:org/springframework/security/oauth2/provider/vote/ScopeVoter.class */
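/**
 * Access decision voter that compares the scopes carried by an OAuth2 request with the
 * scope attributes configured on a secured resource.
 *
 * <p>An attribute is handled by this voter when it equals the deny marker (default
 * {@code DENY_OAUTH}) or starts with the scope prefix (default {@code SCOPE_}).
 *
 * <p>Points a reviewer of an authorization setup should keep in mind:
 * <ul>
 *   <li>Authentications that are not {@link OAuth2Authentication} instances make this voter
 *       abstain. Whether such a request is then allowed is decided by the other voters and by
 *       the access decision manager in use, not by this class.</li>
 *   <li>Scope names are matched case-insensitively, although RFC 6749 section 3.3 defines scope
 *       tokens as case-sensitive. Two scopes that differ only in letter case are therefore
 *       treated as the same scope here.</li>
 *   <li>With {@code throwException} enabled (the default), the first supported attribute that
 *       is not covered by a token scope ends the vote with an exception; later attributes are
 *       not evaluated.</li>
 * </ul>
 *
 * <p>The setters are not synchronized; NOTE(review): presumably they are called only during
 * configuration, before the voter is used - confirm.
 */
public class ScopeVoter implements AccessDecisionVoter<Object> {
    private String scopePrefix = "SCOPE_";
    private String denyAccess = "DENY_OAUTH";
    private boolean throwException = true;

    /**
     * Selects how an insufficient scope is reported.
     *
     * @param z {@code true} to throw an {@link AccessDeniedException} wrapping an
     *     {@link InsufficientScopeException}; {@code false} to return a deny vote instead
     */
    public void setThrowException(boolean z) {
        this.throwException = z;
    }

    /**
     * Sets the prefix that marks a config attribute as a scope requirement.
     *
     * @param str the prefix; must not be {@code null}, because it is concatenated with each
     *     token scope and its length is used to strip the prefix for the error detail
     */
    public void setScopePrefix(String str) {
        this.scopePrefix = str;
    }

    /**
     * Sets the attribute value that unconditionally denies OAuth2 authentications.
     *
     * @param str the deny marker; must not be {@code null}, because {@code equals} is invoked
     *     on it in {@link #supports(ConfigAttribute)} and in the vote itself
     */
    public void setDenyAccess(String str) {
        this.denyAccess = str;
    }

    /**
     * Reports whether the attribute is the deny marker or a scope attribute.
     *
     * @param configAttribute the attribute to inspect
     * @return {@code true} when the attribute value equals the deny marker or starts with the
     *     scope prefix; {@code false} otherwise, including for a {@code null} attribute value
     */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        String value = configAttribute.getAttribute();
        if (this.denyAccess.equals(value)) {
            return true;
        }
        return value != null && value.startsWith(this.scopePrefix);
    }

    /**
     * Accepts every secured object type.
     *
     * @param cls the secured object class (ignored)
     * @return always {@code true}
     */
    @Override
    public boolean supports(Class<?> cls) {
        return true;
    }

    /**
     * Votes on access by matching the request's scopes against the configured scope attributes.
     *
     * @param authentication the caller; anything other than an {@link OAuth2Authentication}
     *     results in an abstain vote
     * @param obj the secured object (not used)
     * @param collection the config attributes of the secured object
     * @return {@code 1} (ACCESS_GRANTED) when a token scope matches a scope attribute,
     *     {@code -1} (ACCESS_DENIED) when the deny marker is present or, with exceptions
     *     disabled, when a supported attribute had no matching scope, and {@code 0}
     *     (ACCESS_ABSTAIN) when no attribute is supported or the authentication is not OAuth2
     * @throws AccessDeniedException when a supported attribute has no matching token scope and
     *     {@code throwException} is enabled; the cause is an {@link InsufficientScopeException}
     *     naming the missing scope
     */
    @Override
    public int vote(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) {
        if (!(authentication instanceof OAuth2Authentication)) {
            return 0; // ACCESS_ABSTAIN: this voter only judges OAuth2 authentications
        }

        // The deny marker wins over any scope attribute, so it is checked in a first pass.
        for (ConfigAttribute configAttribute : collection) {
            if (this.denyAccess.equals(configAttribute.getAttribute())) {
                return -1; // ACCESS_DENIED
            }
        }

        OAuth2Request oAuth2Request = ((OAuth2Authentication) authentication).getOAuth2Request();
        int result = 0; // ACCESS_ABSTAIN until a supported attribute is seen
        for (ConfigAttribute configAttribute : collection) {
            if (!supports(configAttribute)) {
                continue;
            }
            result = -1; // ACCESS_DENIED unless a token scope matches below

            // Locale.ROOT keeps the case folding independent of the JVM default locale. With a
            // default locale that has special casing rules (Turkish, for example) an attribute
            // configured as "SCOPE_WRITE" would not equal the folded form of token scope "write".
            String required = configAttribute.getAttribute().toUpperCase(Locale.ROOT);
            for (String scope : oAuth2Request.getScope()) {
                if (required.equals((this.scopePrefix + scope).toUpperCase(Locale.ROOT))) {
                    return 1; // ACCESS_GRANTED
                }
            }

            // Fail closed on the first unsatisfied scope attribute; remaining attributes are
            // deliberately not consulted in this mode.
            if (this.throwException) {
                InsufficientScopeException insufficientScopeException = new InsufficientScopeException(
                        "Insufficient scope for this resource",
                        Collections.singleton(configAttribute.getAttribute().substring(this.scopePrefix.length())));
                throw new AccessDeniedException(insufficientScopeException.getMessage(), insufficientScopeException);
            }
        }
        return result;
    }
}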
