package com.netflix.genie.web.security.oauth2.pingfederate;

import com.google.common.collect.Sets;
import java.util.Collection;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;

/* loaded from: input_file:WEB-INF/lib/genie-web-3.3.5.jar:com/netflix/genie/web/security/oauth2/pingfederate/PingFederateUserAuthenticationConverter.class */
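/**
 * Builds a Spring Security {@link Authentication} from the attribute map of an OAuth2 token.
 *
 * <p>The {@code client_id} attribute becomes the principal name. Every caller receives
 * {@code ROLE_USER}; each scope containing {@code genie_} adds one more authority, formed from
 * {@code ROLE_} plus the upper-cased scope with a leading {@code genie_} removed.
 *
 * <p>Any attribute that is missing or has an unexpected type is rejected with
 * {@link InvalidTokenException}, so a malformed token never yields an authentication.
 */
public class PingFederateUserAuthenticationConverter extends DefaultUserAuthenticationConverter {
    protected static final String CLIENT_ID_KEY = "client_id";
    protected static final String SCOPE_KEY = "scope";
    protected static final String GENIE_PREFIX = "genie_";
    protected static final String ROLE_PREFIX = "ROLE_";
    // Authority granted to every client that presents a usable token.
    private static final GrantedAuthority USER_AUTHORITY = new SimpleGrantedAuthority("ROLE_USER");

    /**
     * Converts token attributes into an authentication carrying the client id and its roles.
     *
     * @param map the token attributes; must contain a non-blank String {@code client_id} and a
     *            non-empty {@code scope} collection whose elements are all Strings
     * @return an authentication whose principal is the client id, whose credentials are the
     *         placeholder {@code "N/A"}, and whose authorities are derived from the scopes
     * @throws InvalidTokenException if the client id or scopes are missing, blank, empty or of
     *                               the wrong type
     */
    @Override
    public Authentication extractAuthentication(final Map<String, ?> map) {
        if (!map.containsKey(CLIENT_ID_KEY)) {
            throw new InvalidTokenException("No client id key found in map");
        }
        final Object clientIdObject = map.get(CLIENT_ID_KEY);
        if (!(clientIdObject instanceof String)) {
            throw new InvalidTokenException("Client id wasn't string");
        }
        final String clientId = (String) clientIdObject;
        if (StringUtils.isBlank(clientId)) {
            throw new InvalidTokenException("Client id was blank. Unable to use as user name");
        }

        final Object scopeObject = map.get(SCOPE_KEY);
        if (!(scopeObject instanceof Collection)) {
            throw new InvalidTokenException("Scopes were not a collection");
        }
        // Element types are unknown until checked: the map comes from token data.
        final Collection<?> scopes = (Collection<?>) scopeObject;
        if (scopes.isEmpty()) {
            throw new InvalidTokenException("No scopes available. Unable to authenticate");
        }

        final Set<GrantedAuthority> authorities = Sets.newHashSet(USER_AUTHORITY);
        for (final Object scopeElement : scopes) {
            // Fail closed on a non-String (or null) scope instead of surfacing a
            // ClassCastException / NullPointerException from deeper in the mapping.
            if (!(scopeElement instanceof String)) {
                throw new InvalidTokenException("Scope was not a string");
            }
            final String scope = (String) scopeElement;
            // NOTE(review): this filter matches the prefix anywhere in the scope and is
            // case-sensitive, while the removal below strips only a leading prefix and ignores
            // case. A scope that merely contains "genie_" therefore yields an authority named
            // after the whole scope. Consider requiring the prefix at the start of the scope;
            // left unchanged here to preserve existing role mappings.
            if (scope.contains(GENIE_PREFIX)) {
                // Locale.ROOT keeps role names stable regardless of the JVM default locale
                // (a Turkish default locale would upper-case 'i' to a dotted capital I and
                // the resulting authority would not match the expected role name).
                final String roleSuffix =
                    StringUtils.removeStartIgnoreCase(scope, GENIE_PREFIX).toUpperCase(Locale.ROOT);
                authorities.add(new SimpleGrantedAuthority(ROLE_PREFIX + roleSuffix));
            }
        }

        // The three-argument constructor produces a token that is already marked authenticated,
        // so the attributes must come from a token that has been verified.
        // NOTE(review): confirm the calling token service validates the token before this runs.
        return new UsernamePasswordAuthenticationToken(clientId, "N/A", authorities);
    }
}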
