package io.micronaut.security.rules;

import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.http.HttpAttributes;
import io.micronaut.http.HttpRequest;
import io.micronaut.inject.ExecutableMethod;
import io.micronaut.management.endpoint.EndpointSensitivityHandler;
import io.micronaut.management.endpoint.EndpointSensitivityProcessor;
import io.micronaut.management.endpoint.beans.BeansEndpoint;
import io.micronaut.management.endpoint.env.EnvironmentEndpoint;
import io.micronaut.management.endpoint.health.HealthEndpoint;
import io.micronaut.management.endpoint.info.InfoEndpoint;
import io.micronaut.management.endpoint.loggers.LoggersEndpoint;
import io.micronaut.management.endpoint.refresh.RefreshEndpoint;
import io.micronaut.management.endpoint.routes.RoutesEndpoint;
import io.micronaut.management.endpoint.stop.ServerStopEndpoint;
import io.micronaut.management.endpoint.threads.ThreadDumpEndpoint;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.web.router.MethodBasedRouteMatch;
import io.micronaut.web.router.RouteMatch;
import jakarta.inject.Singleton;
import java.util.Map;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.core.publisher.Mono;

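/**
 * Security rule that decides access to management endpoints according to their
 * configured sensitivity.
 *
 * <p>The rule only gives a verdict when the matched route is a method present in
 * the map obtained from {@link EndpointSensitivityProcessor#getEndpointMethods()};
 * every other request yields {@link SecurityRuleResult#UNKNOWN}. For endpoint methods:
 * <ul>
 *   <li>not sensitive: {@link SecurityRuleResult#ALLOWED}, with or without authentication;</li>
 *   <li>sensitive, no authentication: {@link SecurityRuleResult#REJECTED};</li>
 *   <li>sensitive, authenticated: delegated to
 *       {@link #checkSensitiveAuthenticated(HttpRequest, Authentication, ExecutableMethod)},
 *       which by default emits an error until an application-specific replacement is supplied.</li>
 * </ul>
 *
 * <p>Because a non-sensitive endpoint is allowed for anonymous callers, the sensitivity
 * configuration of each endpoint is itself part of the access-control policy and should be
 * reviewed with the same care as this rule.
 */
@Singleton
@Requires(classes = {EndpointSensitivityProcessor.class, HttpRequest.class})
public class SensitiveEndpointRule implements SecurityRule<HttpRequest<?>>, EndpointSensitivityHandler {
    /**
     * Message carried by the error emitted from the default
     * {@link #checkSensitiveAuthenticated(HttpRequest, Authentication, ExecutableMethod)}.
     * It embeds a sample replacement bean that allows only the {@code ADMIN} role.
     */
    public static final String NON_REPLACED_SECURITY_ERROR_MESSAGE = "For security purposes, sensitive endpoints are disabled until you supply your own replacement for SensitiveEndpointRule::checkSensitiveAuthenticated, eg:\n\n@Singleton\n@Replaces(SensitiveEndpointRule.class)\nclass SensitiveEndpointRuleReplacement extends SensitiveEndpointRule {\n\n    SensitiveEndpointRuleReplacement(EndpointSensitivityProcessor endpointSensitivityProcessor) {\n        super(endpointSensitivityProcessor);\n    }\n\n    @Override\n    @NonNull\n    protected Publisher<SecurityRuleResult> checkSensitiveAuthenticated(@NonNull HttpRequest<?> request,\n                                                                        @NonNull Authentication authentication,\n                                                                        @NonNull ExecutableMethod<?, ?> method) {\n        return Mono.just(authentication.getRoles().contains(\"ADMIN\") ? SecurityRuleResult.ALLOWED : SecurityRuleResult.REJECTED);\n    }\n}\n";

    // Short names used in log messages for the built-in management endpoints.
    private static final String ENDPOINTS_BEANS = "beans";
    private static final String ENDPOINTS_INFO = "info";
    private static final String ENDPOINTS_HEALTH = "health";
    private static final String ENDPOINTS_REFRESH = "refresh";
    private static final String ENDPOINTS_ROUTES = "routes";
    private static final String ENDPOINTS_LOGGERS = "loggers";
    private static final String ENDPOINTS_SERVER_STOP = "serverStop";
    private static final String ENDPOINTS_ENVIRONMENT = "environment";
    private static final String ENDPOINTS_THREAD_DUMP = "threadDump";

    /**
     * Endpoint methods mapped to their sensitivity flag ({@code true} = sensitive).
     * The raw key type is kept because subclasses can see this field.
     */
    protected final Map<ExecutableMethod, Boolean> endpointMethods;

    /** Value returned by {@link #getOrder()}. */
    public static final Integer ORDER = 0;

    private static final Logger LOG = LoggerFactory.getLogger(SensitiveEndpointRule.class);

    /**
     * Creates the rule from the endpoint methods known to the sensitivity processor.
     *
     * @param endpointSensitivityProcessor source of the endpoint-method to sensitivity map
     */
    public SensitiveEndpointRule(EndpointSensitivityProcessor endpointSensitivityProcessor) {
        this.endpointMethods = endpointSensitivityProcessor.getEndpointMethods();
    }

    /**
     * Evaluates the request if its matched route is a known endpoint method.
     *
     * @param httpRequest    the current request
     * @param authentication the caller's authentication, or {@code null} when anonymous
     * @return the rule result; {@link SecurityRuleResult#UNKNOWN} when the request has no
     *         route match, the match is not method based, or the method is not a registered
     *         endpoint method
     */
    @Override // io.micronaut.security.rules.SecurityRule
    public Publisher<SecurityRuleResult> check(HttpRequest<?> httpRequest, @Nullable Authentication authentication) {
        // Hold the attribute as RouteMatch and narrow it only after the instanceof test;
        // the previous declaration assigned a RouteMatch to a MethodBasedRouteMatch variable.
        RouteMatch<?> routeMatch = httpRequest.getAttribute(HttpAttributes.ROUTE_MATCH, RouteMatch.class).orElse(null);
        if (!(routeMatch instanceof MethodBasedRouteMatch)) {
            return Mono.just(SecurityRuleResult.UNKNOWN);
        }
        ExecutableMethod<?, ?> executableMethod = ((MethodBasedRouteMatch<?, ?>) routeMatch).getExecutableMethod();
        if (!this.endpointMethods.containsKey(executableMethod)) {
            // Not a management endpoint method: this rule expresses no opinion.
            return Mono.just(SecurityRuleResult.UNKNOWN);
        }
        return check(httpRequest, authentication, executableMethod);
    }

    /**
     * Dispatches to the sensitive / non-sensitive checks for a registered endpoint method.
     *
     * @param httpRequest      the current request
     * @param authentication   the caller's authentication, or {@code null} when anonymous
     * @param executableMethod the endpoint method being invoked
     * @return the result of the selected check
     */
    @NonNull
    protected Publisher<SecurityRuleResult> check(@NonNull HttpRequest<?> httpRequest, @Nullable Authentication authentication, @NonNull ExecutableMethod<?, ?> executableMethod) {
        // NOTE(review): only an explicit TRUE counts as sensitive, so a null map value
        // falls through to the non-sensitive (ALLOWED) path. Confirm that the processor
        // never stores null, otherwise such an endpoint is reachable anonymously.
        boolean sensitive = Boolean.TRUE.equals(this.endpointMethods.get(executableMethod));
        if (!sensitive) {
            return checkNotSensitive(httpRequest, authentication, executableMethod);
        }
        if (authentication == null) {
            return checkSensitiveAnonymous(httpRequest, executableMethod);
        }
        return checkSensitiveAuthenticated(httpRequest, authentication, executableMethod);
    }

    /**
     * @return the value of {@link #ORDER}
     */
    public int getOrder() {
        return ORDER;
    }

    /**
     * Decides access to a sensitive endpoint for an authenticated caller.
     *
     * <p>This default grants nothing: it emits an {@link UnsupportedOperationException}
     * carrying {@link #NON_REPLACED_SECURITY_ERROR_MESSAGE}, so being authenticated is not
     * sufficient on its own. Subclasses are expected to override this method with an
     * explicit authorization decision, as the sample in the message does with a role check.
     *
     * @param httpRequest      the current request
     * @param authentication   the caller's authentication
     * @param executableMethod the endpoint method being invoked
     * @return a publisher that signals the error described above
     */
    @NonNull
    protected Publisher<SecurityRuleResult> checkSensitiveAuthenticated(@NonNull HttpRequest<?> httpRequest, @NonNull Authentication authentication, @NonNull ExecutableMethod<?, ?> executableMethod) {
        return Mono.error(new UnsupportedOperationException(NON_REPLACED_SECURITY_ERROR_MESSAGE));
    }

    /**
     * Rejects an anonymous request to a sensitive endpoint.
     *
     * @param httpRequest      the current request
     * @param executableMethod the endpoint method being invoked
     * @return a publisher emitting {@link SecurityRuleResult#REJECTED}
     */
    @NonNull
    protected Publisher<SecurityRuleResult> checkSensitiveAnonymous(@NonNull HttpRequest<?> httpRequest, @NonNull ExecutableMethod<?, ?> executableMethod) {
        // The guard avoids resolving the endpoint name when debug logging is off.
        if (LOG.isDebugEnabled()) {
            LOG.debug("{} endpoint is sensitive and no authentication was found. Rejecting the request.", endpointName(executableMethod));
        }
        return Mono.just(SecurityRuleResult.REJECTED);
    }

    /**
     * Allows a request to an endpoint that is not marked sensitive. The authentication is
     * not consulted, so anonymous callers are allowed as well.
     *
     * @param httpRequest      the current request
     * @param authentication   the caller's authentication, or {@code null} when anonymous
     * @param executableMethod the endpoint method being invoked
     * @return a publisher emitting {@link SecurityRuleResult#ALLOWED}
     */
    @NonNull
    protected Publisher<SecurityRuleResult> checkNotSensitive(@NonNull HttpRequest<?> httpRequest, @Nullable Authentication authentication, @NonNull ExecutableMethod<?, ?> executableMethod) {
        // Log at the level the guard tests. The message was previously sent to debug()
        // behind an isTraceEnabled() check, so it was still only written with TRACE on.
        if (LOG.isTraceEnabled()) {
            LOG.trace("{} endpoint is not sensitive. Allowing the request.", endpointName(executableMethod));
        }
        return Mono.just(SecurityRuleResult.ALLOWED);
    }

    /**
     * Resolves the name used for an endpoint in log messages.
     *
     * @param executableMethod the endpoint method
     * @return the fixed short name for a built-in endpoint class, otherwise the simple
     *         name of the method's declaring type
     */
    @NonNull
    protected String endpointName(@NonNull ExecutableMethod<?, ?> executableMethod) {
        Class<?> declaringType = executableMethod.getDeclaringType();
        // Identity comparison: only the exact built-in classes map to a short name,
        // subclasses fall through to their own simple name.
        if (declaringType == BeansEndpoint.class) {
            return ENDPOINTS_BEANS;
        }
        if (declaringType == InfoEndpoint.class) {
            return ENDPOINTS_INFO;
        }
        if (declaringType == HealthEndpoint.class) {
            return ENDPOINTS_HEALTH;
        }
        if (declaringType == RefreshEndpoint.class) {
            return ENDPOINTS_REFRESH;
        }
        if (declaringType == RoutesEndpoint.class) {
            return ENDPOINTS_ROUTES;
        }
        if (declaringType == LoggersEndpoint.class) {
            return ENDPOINTS_LOGGERS;
        }
        if (declaringType == ServerStopEndpoint.class) {
            return ENDPOINTS_SERVER_STOP;
        }
        if (declaringType == EnvironmentEndpoint.class) {
            return ENDPOINTS_ENVIRONMENT;
        }
        if (declaringType == ThreadDumpEndpoint.class) {
            return ENDPOINTS_THREAD_DUMP;
        }
        return declaringType.getSimpleName();
    }
}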
