package org.springframework.boot.actuate.cloudfoundry;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.boot.actuate.cloudfoundry.CloudFoundryAuthorizationException;
import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.util.StringUtils;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/* loaded from: input_file:WEB-INF/lib/spring-boot-actuator-1.5.10.RELEASE.jar:org/springframework/boot/actuate/cloudfoundry/CloudFoundrySecurityInterceptor.class */
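/**
 * {@link HandlerInterceptorAdapter} guarding the Cloud Foundry actuator endpoints.
 * <p>
 * Every non-preflight request must carry a bearer token that passes
 * {@link TokenValidator#validate(Token)} and whose {@link AccessLevel} (looked up through
 * {@link CloudFoundrySecurityService#getAccessLevel(String, String)} for this application)
 * permits the requested endpoint path. Authorization failures are reported as a small JSON
 * body ({@code {"security_error":"..."}}) with the status code carried by the
 * {@link CloudFoundryAuthorizationException}.
 * <p>
 * Decompiled from spring-boot-actuator 1.5.10.RELEASE; the constructor was package-private
 * in the original class (the decompiler widened it to {@code public}).
 */
class CloudFoundrySecurityInterceptor extends HandlerInterceptorAdapter {
    private static final Log logger = LogFactory.getLog(CloudFoundrySecurityInterceptor.class);

    /** Scheme prefix expected at the start of the {@code Authorization} header (matched case-insensitively). */
    private static final String BEARER_PREFIX = "bearer ";

    private final TokenValidator tokenValidator;
    private final CloudFoundrySecurityService cloudFoundrySecurityService;
    private final String applicationId;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the interceptor.
     *
     * @param tokenValidator validator applied to every presented token
     * @param cloudFoundrySecurityService service used to resolve the caller's access level; may be
     *        {@code null}, in which case every guarded request is rejected with
     *        {@code SERVICE_UNAVAILABLE}
     * @param str the Cloud Foundry application id; blank or {@code null} likewise rejects every
     *        guarded request with {@code SERVICE_UNAVAILABLE}
     */
    public CloudFoundrySecurityInterceptor(TokenValidator tokenValidator, CloudFoundrySecurityService cloudFoundrySecurityService, String str) {
        this.tokenValidator = tokenValidator;
        this.cloudFoundrySecurityService = cloudFoundrySecurityService;
        this.applicationId = str;
    }

    /**
     * Authorizes the request before the endpoint handler runs.
     * <p>
     * CORS preflight requests pass untouched. A plain {@code OPTIONS} request whose handler
     * bean is not an {@link MvcEndpoint} also passes. Everything else is checked by
     * {@link #check(HttpServletRequest, MvcEndpoint)}; on a
     * {@link CloudFoundryAuthorizationException} the error is logged, a JSON error body is
     * written with the exception's status code, and {@code false} is returned so the handler
     * is not invoked. A handler that is not a {@link HandlerMethod} fails the cast and that
     * exception propagates (the check is not silently skipped).
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response, written to only on rejection
     * @param obj the mapped handler, expected to be a {@link HandlerMethod}
     * @return {@code true} to continue the handler chain, {@code false} if the request was rejected
     * @throws Exception propagated from the token validation or access-level lookup
     */
    @Override // org.springframework.web.servlet.handler.HandlerInterceptorAdapter, org.springframework.web.servlet.HandlerInterceptor
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        if (CorsUtils.isPreFlightRequest(httpServletRequest)) {
            return true;
        }
        try {
            if (!StringUtils.hasText(this.applicationId)) {
                throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, "Application id is not available");
            }
            if (this.cloudFoundrySecurityService == null) {
                throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.SERVICE_UNAVAILABLE, "Cloud controller URL is not available");
            }
            HandlerMethod handlerMethod = (HandlerMethod) obj;
            Object handlerBean = handlerMethod.getBean();
            if (HttpMethod.OPTIONS.matches(httpServletRequest.getMethod()) && !(handlerBean instanceof MvcEndpoint)) {
                return true;
            }
            check(httpServletRequest, (MvcEndpoint) handlerBean);
            return true;
        } catch (CloudFoundryAuthorizationException e) {
            logger.error(e);
            // Set status and content type before touching the writer: once the body is
            // flushed the response is committed and a later setStatus() has no effect.
            httpServletResponse.setStatus(e.getStatusCode().value());
            httpServletResponse.setContentType(MediaType.APPLICATION_JSON.toString());
            // The message is embedded in a hand-built JSON document, so it must be escaped
            // to keep the body well-formed whatever the exception text contains.
            httpServletResponse.getWriter().write("{\"security_error\":\"" + escapeJson(e.getMessage()) + "\"}");
            return false;
        }
    }

    /**
     * Validates the bearer token and enforces the resolved access level for the endpoint.
     *
     * @param httpServletRequest the current request, from which the token is read and on which
     *        the resolved {@link AccessLevel} is recorded via {@link AccessLevel#put}
     * @param mvcEndpoint the endpoint being accessed; its path is checked against the access level
     * @throws CloudFoundryAuthorizationException with {@code MISSING_AUTHORIZATION} when no bearer
     *         token is present, or {@code ACCESS_DENIED} when the level does not allow the path
     * @throws Exception propagated from the validator or the security service
     */
    private void check(HttpServletRequest httpServletRequest, MvcEndpoint mvcEndpoint) throws Exception {
        Token token = getToken(httpServletRequest);
        this.tokenValidator.validate(token);
        AccessLevel accessLevel = this.cloudFoundrySecurityService.getAccessLevel(token.toString(), this.applicationId);
        if (!accessLevel.isAccessAllowed(mvcEndpoint.getPath())) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.ACCESS_DENIED, "Access denied");
        }
        accessLevel.put(httpServletRequest);
    }

    /**
     * Extracts the bearer token from the {@code Authorization} header.
     * <p>
     * The scheme is matched case-insensitively and independently of the default locale.
     *
     * @param httpServletRequest the current request
     * @return the token text following the {@code "bearer "} prefix
     * @throws CloudFoundryAuthorizationException ({@code MISSING_AUTHORIZATION}) when the header
     *         is absent or does not start with the bearer scheme
     */
    private Token getToken(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.MISSING_AUTHORIZATION, "Authorization header is missing or invalid");
        }
        return new Token(header.substring(BEARER_PREFIX.length()));
    }

    /**
     * Escapes a string for embedding inside a JSON string literal.
     * <p>
     * Quotes, backslashes and control characters are escaped; a {@code null} value is rendered as
     * the text {@code "null"}, matching plain string concatenation.
     *
     * @param value the raw text, may be {@code null}
     * @return the escaped text, never {@code null}
     */
    private static String escapeJson(String value) {
        String text = String.valueOf(value);
        StringBuilder out = new StringBuilder(text.length() + 8);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '"':
                    out.append("\\\"");
                    break;
                case '\\':
                    out.append("\\\\");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\r':
                    out.append("\\r");
                    break;
                case '\t':
                    out.append("\\t");
                    break;
                default:
                    if (c < 0x20) {
                        // Remaining control characters are not allowed raw in JSON strings.
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }
}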
