package org.springframework.boot.actuate.endpoint.mvc;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/* loaded from: input_file:BOOT-INF/lib/spring-boot-actuator-2.0.0.M3.jar:org/springframework/boot/actuate/endpoint/mvc/MvcEndpointSecurityInterceptor.class */
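/**
 * {@link org.springframework.web.servlet.HandlerInterceptor} that guards sensitive
 * {@link MvcEndpoint} handlers: when security is enabled the caller must either be in one of
 * the configured roles (container role check) or, if Spring Security is on the classpath, hold
 * a {@link GrantedAuthority} with the same name. Unauthenticated callers receive 401, authenticated
 * callers lacking every role receive 403.
 *
 * <p>Thread-safe: all state is immutable apart from the once-only logging flag.
 */
public class MvcEndpointSecurityInterceptor extends HandlerInterceptorAdapter {

    private static final Log logger = LogFactory.getLog(MvcEndpointSecurityInterceptor.class);

    private static final String WEB_SECURITY_CONFIGURER_CLASS = "org.springframework.security.config.annotation.web.WebSecurityConfigurer";

    /** Whether sensitive endpoints are protected at all; when {@code false} every request passes. */
    private final boolean secure;

    /**
     * Roles (or authority names) any one of which grants access. Held as an unmodifiable
     * snapshot so that later mutation of the caller's list cannot widen the access policy.
     */
    private final List<String> roles;

    /**
     * Resolved once at construction: the classpath does not change at runtime, and probing it
     * per request would retry class loading (and the resulting exception) on every call.
     */
    private final boolean springSecurityAvailable;

    /** Makes sure the "consider adding Spring Security" hint is logged at most once. */
    private final AtomicBoolean loggedUnauthorizedAttempt = new AtomicBoolean();

    /**
     * Looks up authorities in the Spring Security context. Kept as a separate nested class so
     * that it is only instantiated when Spring Security is present; its method body references
     * Spring Security types, which presumably would fail to link otherwise.
     */
    private static final class AuthoritiesValidator {

        private AuthoritiesValidator() {
        }

        /**
         * @param authority the authority name to look for
         * @return {@code true} if the current {@link Authentication} carries an authority whose
         * name equals {@code authority}; {@code false} when there is no authentication at all
         */
        private boolean hasAuthority(String authority) {
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            if (authentication == null) {
                return false;
            }
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                if (granted.getAuthority().equals(authority)) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * Creates a new interceptor.
     * @param secure whether sensitive endpoints require an authorized user
     * @param roles the roles, any one of which grants access; copied, must not be {@code null}
     * @throws NullPointerException if {@code roles} is {@code null}
     */
    public MvcEndpointSecurityInterceptor(boolean secure, List<String> roles) {
        this.secure = secure;
        this.roles = Collections.unmodifiableList(
                new ArrayList<>(Objects.requireNonNull(roles, "roles must not be null")));
        this.springSecurityAvailable = ClassUtils.isPresent(WEB_SECURITY_CONFIGURER_CLASS,
                getClass().getClassLoader());
    }

    /**
     * Allows the request through unless it targets a sensitive endpoint and the caller is not
     * authorized, in which case an error response is written and {@code false} is returned.
     * @param request the current request
     * @param response the current response
     * @param handler the chosen handler; expected to be a {@link HandlerMethod}
     * @return {@code true} to continue handling, {@code false} after an error has been sent
     * @throws Exception if sending the error response fails
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        // A CORS pre-flight carries no credentials and must succeed for the real request to
        // follow; with security disabled nothing is enforced.
        if (CorsUtils.isPreFlightRequest(request) || !this.secure) {
            return true;
        }
        // NOTE(review): assumes this interceptor is only registered on mappings that produce
        // HandlerMethod handlers — confirm; any other handler type fails the cast.
        HandlerMethod handlerMethod = (HandlerMethod) handler;
        Object bean = handlerMethod.getBean();
        // Only OPTIONS may bypass the endpoint check. For every other method a non-MvcEndpoint
        // bean fails the cast below, so the request is not silently allowed through.
        if (HttpMethod.OPTIONS.matches(request.getMethod()) && !(bean instanceof MvcEndpoint)) {
            return true;
        }
        MvcEndpoint endpoint = (MvcEndpoint) bean;
        if (!endpoint.isSensitive() || isUserAllowedAccess(request)) {
            return true;
        }
        sendFailureResponse(request, response);
        return false;
    }

    /**
     * @return {@code true} if the caller is in any configured role according to the servlet
     * container, or holds a matching Spring Security authority when Spring Security is available
     */
    private boolean isUserAllowedAccess(HttpServletRequest request) {
        AuthoritiesValidator validator = this.springSecurityAvailable ? new AuthoritiesValidator() : null;
        for (String role : this.roles) {
            if (request.isUserInRole(role)) {
                return true;
            }
            if (validator != null && validator.hasAuthority(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Sends 403 for an authenticated caller lacking every role, 401 otherwise.
     * The 403 body echoes the configured role names; they are configuration, not secrets,
     * and this wording is the established contract of the endpoint.
     */
    private void sendFailureResponse(HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        if (request.getUserPrincipal() != null) {
            response.sendError(HttpStatus.FORBIDDEN.value(),
                    "Access is denied. User must have one of these roles: "
                            + StringUtils.collectionToDelimitedString(this.roles, " "));
        }
        else {
            logUnauthorizedAttempt();
            response.sendError(HttpStatus.UNAUTHORIZED.value(),
                    "Full authentication is required to access this resource.");
        }
    }

    /** Logs the configuration hint once per instance; compareAndSet keeps it race-free. */
    private void logUnauthorizedAttempt() {
        if (this.loggedUnauthorizedAttempt.compareAndSet(false, true) && logger.isInfoEnabled()) {
            logger.info("Full authentication is required to access actuator endpoints. Consider adding Spring Security or set 'management.security.enabled' to false.");
        }
    }
}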
