package org.springframework.boot.actuate.autoconfigure.cloudfoundry.servlet;

import jakarta.servlet.http.HttpServletRequest;
import java.util.Locale;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.AccessLevel;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.CloudFoundryAuthorizationException;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.SecurityResponse;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.Token;
import org.springframework.boot.actuate.endpoint.EndpointId;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsUtils;

/* loaded from: input_file:org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundrySecurityInterceptor.class */
/**
 * Authorizes Cloud Foundry actuator requests arriving through the servlet stack.
 * <p>
 * A request passes when it is a CORS pre-flight or an OPTIONS request, or when its
 * {@code Authorization} header carries a bearer token that passes
 * {@link TokenValidator#validate} and whose {@link AccessLevel}, as resolved by
 * {@link CloudFoundrySecurityService#getAccessLevel}, permits the requested endpoint.
 * Every failure is reported to the caller as a {@link SecurityResponse}; no exception
 * escapes {@link #preHandle}.
 */
class CloudFoundrySecurityInterceptor {
    private static final Log logger = LogFactory.getLog(CloudFoundrySecurityInterceptor.class);
    private static final SecurityResponse SUCCESS = SecurityResponse.success();
    /** Name of the request header that must carry the bearer token. */
    private static final String AUTHORIZATION_HEADER = "Authorization";
    /** Scheme prefix the header must start with; the comparison is case-insensitive. */
    private static final String BEARER_PREFIX = "bearer ";

    private final TokenValidator tokenValidator;
    private final CloudFoundrySecurityService cloudFoundrySecurityService;
    private final String applicationId;

    /**
     * Creates an interceptor. (Decompiler note on the original: declared package-private.)
     * @param tokenValidator validator applied to every presented bearer token
     * @param cloudFoundrySecurityService service used to resolve the caller's access level;
     * may be {@code null}, in which case {@link #preHandle} reports the service as unavailable
     * @param str the Cloud Foundry application id; a blank value is treated as unavailable
     */
    public CloudFoundrySecurityInterceptor(TokenValidator tokenValidator, CloudFoundrySecurityService cloudFoundrySecurityService, String str) {
        this.tokenValidator = tokenValidator;
        this.cloudFoundrySecurityService = cloudFoundrySecurityService;
        this.applicationId = str;
    }

    /**
     * Decides whether {@code httpServletRequest} may reach the endpoint identified by
     * {@code endpointId}.
     * <p>
     * Pre-flight and OPTIONS requests are allowed without a token. Otherwise the
     * interceptor requires a configured application id and security service, then runs
     * the token check. Any exception raised on the way is logged at error level and
     * converted into a response: an authorization failure yields its own status code and
     * a {@code {"security_error": ...}} JSON body, anything else yields a 500 whose body
     * is the exception message.
     * @param httpServletRequest the incoming request
     * @param endpointId the target endpoint, or {@code null} when there is none
     * @return a successful response when the request may proceed, otherwise a response
     * describing why it was rejected
     */
    public SecurityResponse preHandle(HttpServletRequest httpServletRequest, EndpointId endpointId) {
        if (CorsUtils.isPreFlightRequest(httpServletRequest)) {
            return SecurityResponse.success();
        }
        try {
            assertConfigured();
            if (HttpMethod.OPTIONS.matches(httpServletRequest.getMethod())) {
                return SUCCESS;
            }
            check(httpServletRequest, endpointId);
            return SecurityResponse.success();
        }
        catch (Exception ex) {
            logger.error(ex);
            return toFailureResponse(ex);
        }
    }

    /**
     * Rejects the request as {@code SERVICE_UNAVAILABLE} when this interceptor was built
     * without an application id or without a security service.
     */
    private void assertConfigured() {
        if (!StringUtils.hasText(this.applicationId)) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, "Application id is not available");
        }
        if (this.cloudFoundrySecurityService == null) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, "Cloud controller URL is not available");
        }
    }

    /**
     * Maps an exception caught in {@link #preHandle} to the response sent to the caller.
     * @param ex the caught exception
     * @return the authorization exception's own status and message wrapped in a
     * {@code security_error} JSON object, or a 500 carrying the raw message for any other type
     */
    private static SecurityResponse toFailureResponse(Exception ex) {
        if (ex instanceof CloudFoundryAuthorizationException) {
            CloudFoundryAuthorizationException authorizationException = (CloudFoundryAuthorizationException) ex;
            return new SecurityResponse(authorizationException.getStatusCode(), "{\"security_error\":\"" + authorizationException.getMessage() + "\"}");
        }
        // NOTE(review): this branch echoes ex.getMessage() to the client for arbitrary exception
        // types; confirm that level of detail in the response body is intended.
        return new SecurityResponse(HttpStatus.INTERNAL_SERVER_ERROR, ex.getMessage());
    }

    /**
     * Validates the bearer token and checks that the resolved access level permits the endpoint.
     * On success the access level is exposed to later processing of this request under
     * {@link AccessLevel#REQUEST_ATTRIBUTE}.
     * @throws CloudFoundryAuthorizationException with {@code ACCESS_DENIED} when the endpoint
     * is not allowed, or whatever {@link #getToken} / {@link TokenValidator#validate} raise
     */
    private void check(HttpServletRequest httpServletRequest, EndpointId endpointId) {
        Token token = getToken(httpServletRequest);
        this.tokenValidator.validate(token);
        AccessLevel accessLevel = this.cloudFoundrySecurityService.getAccessLevel(token.toString(), this.applicationId);
        // A missing endpoint id is checked as the empty name, exactly as the service expects.
        String endpointName = (endpointId != null) ? endpointId.toLowerCaseString() : "";
        if (!accessLevel.isAccessAllowed(endpointName)) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.ACCESS_DENIED, "Access denied");
        }
        httpServletRequest.setAttribute(AccessLevel.REQUEST_ATTRIBUTE, accessLevel);
    }

    /**
     * Extracts the bearer token from the {@code Authorization} header.
     * @param httpServletRequest the incoming request
     * @return the token text following the {@code Bearer } prefix, with the prefix removed
     * @throws CloudFoundryAuthorizationException with {@code MISSING_AUTHORIZATION} when the
     * header is absent or does not use the bearer scheme
     */
    private Token getToken(HttpServletRequest httpServletRequest) {
        String authorization = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        // Scheme matching is case-insensitive; the token itself is passed through untouched.
        boolean bearer = authorization != null && authorization.toLowerCase(Locale.ENGLISH).startsWith(BEARER_PREFIX);
        if (!bearer) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.MISSING_AUTHORIZATION, "Authorization header is missing or invalid");
        }
        return new Token(authorization.substring(BEARER_PREFIX.length()));
    }
}
