package ee.bitweb.core.actuator;

import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.autoconfigure.health.HealthEndpointProperties;
import org.springframework.boot.actuate.autoconfigure.health.HealthProperties;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;

@Configuration
@ConditionalOnProperty(value = {"ee.bitweb.core.actuator.security.enabled"}, havingValue = "true")
@Order(111)
/* loaded from: input_file:ee/bitweb/core/actuator/ActuatorHealthSecurity.class */
public class ActuatorHealthSecurity extends WebSecurityConfigurerAdapter {
    private static final Logger log = LoggerFactory.getLogger("ee.bitweb.core.actuator");
    private final ActuatorSecurityProperties actuatorSecurityProperties;
    private final HealthEndpointProperties healthEndpointProperties;

    protected void configure(HttpSecurity httpSecurity) throws Exception {
        List<String> healthEndpointRoles = this.actuatorSecurityProperties.getHealthEndpointRoles();
        logUnsafeHealthEndpointWarning();
        httpSecurity.requestMatcher(EndpointRequest.to(new String[]{"health"})).csrf().disable().authenticationProvider(new ActuatorAuthenticationProvider(this.actuatorSecurityProperties)).authorizeRequests(expressionInterceptUrlRegistry -> {
            ((ExpressionUrlAuthorizationConfigurer.AuthorizedUrl) expressionInterceptUrlRegistry.anyRequest()).hasAnyRole((String[]) healthEndpointRoles.toArray(new String[0]));
        }).httpBasic();
        log.info("Configured actuator security for health endpoint, allowing roles {}", healthEndpointRoles);
    }

    private void logUnsafeHealthEndpointWarning() {
        if (!this.actuatorSecurityProperties.getDisableUnsafeHealthEndpointWarning().booleanValue() && this.healthEndpointProperties.getShowDetails().equals(HealthProperties.Show.ALWAYS)) {
            log.warn("Detected potentially unsafe configuration, please make sure that no sensitive information leaks from health endpoint or set 'management.endpoint.health.show-details' to 'when_authorized'!");
        }
    }

    public ActuatorHealthSecurity(ActuatorSecurityProperties actuatorSecurityProperties, HealthEndpointProperties healthEndpointProperties) {
        this.actuatorSecurityProperties = actuatorSecurityProperties;
        this.healthEndpointProperties = healthEndpointProperties;
    }
}
