Polish

Author: philwebb

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/AccessLevel.java

@@ -24,6 +24,7 @@
  * endpoints.
  *
  * @author Madhura Bhave
+ * @since 2.0.0
  */
 public enum AccessLevel {
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/CloudFoundryAuthorizationException.java

@@ -22,6 +22,7 @@
  * Authorization exceptions thrown to limit access to the endpoints.
  *
  * @author Madhura Bhave
+ * @since 2.0.0
  */
 public class CloudFoundryAuthorizationException extends RuntimeException {
 
@@ -31,7 +32,8 @@ public CloudFoundryAuthorizationException(Reason reason, String message) {
 		this(reason, message, null);
 	}
 
-	public CloudFoundryAuthorizationException(Reason reason, String message, Throwable cause) {
+	public CloudFoundryAuthorizationException(Reason reason, String message,
+			Throwable cause) {
 		super(message);
 		this.reason = reason;
 	}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/SecurityResponse.java

@@ -22,6 +22,7 @@
  * Response from the Cloud Foundry security interceptors.
  *
  * @author Madhura Bhave
+ * @since 2.0.0
  */
 public class SecurityResponse {
 

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/Token.java

@@ -29,6 +29,7 @@
  * The JSON web token provided with each request that originates from Cloud Foundry.
  *
  * @author Madhura Bhave
+ * @since 2.0.0
  */
 public class Token {
 
@@ -47,16 +48,14 @@ public Token(String encoded) {
 		int firstPeriod = encoded.indexOf('.');
 		int lastPeriod = encoded.lastIndexOf('.');
 		if (firstPeriod <= 0 || lastPeriod <= firstPeriod) {
-			throw new CloudFoundryAuthorizationException(
-					Reason.INVALID_TOKEN,
+			throw new CloudFoundryAuthorizationException(Reason.INVALID_TOKEN,
 					"JWT must have header, body and signature");
 		}
 		this.header = parseJson(encoded.substring(0, firstPeriod));
 		this.claims = parseJson(encoded.substring(firstPeriod + 1, lastPeriod));
 		this.signature = encoded.substring(lastPeriod + 1);
 		if (!StringUtils.hasLength(this.signature)) {
-			throw new CloudFoundryAuthorizationException(
-					Reason.INVALID_TOKEN,
+			throw new CloudFoundryAuthorizationException(Reason.INVALID_TOKEN,
 					"Token must have non-empty crypto segment");
 		}
 	}
@@ -67,8 +66,7 @@ private Map<String, Object> parseJson(String base64) {
 			return JsonParserFactory.getJsonParser().parseMap(new String(bytes, UTF_8));
 		}
 		catch (RuntimeException ex) {
-			throw new CloudFoundryAuthorizationException(
-					Reason.INVALID_TOKEN,
+			throw new CloudFoundryAuthorizationException(Reason.INVALID_TOKEN,
 					"Token could not be parsed", ex);
 		}
 	}
@@ -106,13 +104,11 @@ public String getKeyId() {
 	private <T> T getRequired(Map<String, Object> map, String key, Class<T> type) {
 		Object value = map.get(key);
 		if (value == null) {
-			throw new CloudFoundryAuthorizationException(
-					Reason.INVALID_TOKEN,
+			throw new CloudFoundryAuthorizationException(Reason.INVALID_TOKEN,
 					"Unable to get value from key " + key);
 		}
 		if (!type.isInstance(value)) {
-			throw new CloudFoundryAuthorizationException(
-					Reason.INVALID_TOKEN,
+			throw new CloudFoundryAuthorizationException(Reason.INVALID_TOKEN,
 					"Unexpected value type from key " + key + " value " + value);
 		}
 		return (T) value;

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/CloudFoundryWebFluxEndpointHandlerMapping.java

@@ -28,6 +28,7 @@
 import reactor.core.publisher.Mono;
 
 import org.springframework.boot.actuate.autoconfigure.cloudfoundry.AccessLevel;
+import org.springframework.boot.actuate.autoconfigure.cloudfoundry.SecurityResponse;
 import org.springframework.boot.actuate.endpoint.EndpointInfo;
 import org.springframework.boot.actuate.endpoint.OperationInvoker;
 import org.springframework.boot.actuate.endpoint.OperationType;
@@ -58,7 +59,8 @@
  *
  * @author Madhura Bhave
  */
-public class CloudFoundryWebFluxEndpointHandlerMapping extends AbstractWebFluxEndpointHandlerMapping {
+class CloudFoundryWebFluxEndpointHandlerMapping
+		extends AbstractWebFluxEndpointHandlerMapping {
 
 	private final Method handleRead = ReflectionUtils
 			.findMethod(ReadOperationHandler.class, "handle", ServerWebExchange.class);
@@ -85,38 +87,38 @@ protected void registerMappingForOperation(WebEndpointOperation operation) {
 		if (operation.isBlocking()) {
 			operationInvoker = new ElasticSchedulerOperationInvoker(operationInvoker);
 		}
-		registerMapping(createRequestMappingInfo(operation),
-				operationType == OperationType.WRITE
-						? new WriteOperationHandler(operationInvoker, operation.getId())
-						: new ReadOperationHandler(operationInvoker, operation.getId()),
-				operationType == OperationType.WRITE ? this.handleWrite
-						: this.handleRead);
+		Object handler = (operationType == OperationType.WRITE
+				? new WriteOperationHandler(operationInvoker, operation.getId())
+				: new ReadOperationHandler(operationInvoker, operation.getId()));
+		Method method = (operationType == OperationType.WRITE ? this.handleWrite
+				: this.handleRead);
+		registerMapping(createRequestMappingInfo(operation), handler, method);
 	}
 
 	@ResponseBody
 	private Publisher<ResponseEntity<Object>> links(ServerWebExchange exchange) {
 		ServerHttpRequest request = exchange.getRequest();
-		return this.securityInterceptor
-				.preHandle(exchange, "")
-				.map(securityResponse -> {
-					if (!securityResponse.getStatus().equals(HttpStatus.OK)) {
-						return new ResponseEntity<>(securityResponse.getStatus());
-					}
-					AccessLevel accessLevel = exchange.getAttribute(AccessLevel.REQUEST_ATTRIBUTE);
-					Map<String, Link> links = this.endpointLinksResolver.resolveLinks(getEndpoints(),
-							request.getURI().toString());
-					return new ResponseEntity<>(Collections.singletonMap("_links",
-							getAccessibleLinks(accessLevel, links)), HttpStatus.OK);
-				});
+		return this.securityInterceptor.preHandle(exchange, "").map(securityResponse -> {
+			if (!securityResponse.getStatus().equals(HttpStatus.OK)) {
+				return new ResponseEntity<>(securityResponse.getStatus());
+			}
+			AccessLevel accessLevel = exchange
+					.getAttribute(AccessLevel.REQUEST_ATTRIBUTE);
+			Map<String, Link> links = this.endpointLinksResolver
+					.resolveLinks(getEndpoints(), request.getURI().toString());
+			return new ResponseEntity<>(Collections.singletonMap("_links",
+					getAccessibleLinks(accessLevel, links)), HttpStatus.OK);
+		});
 	}
 
-	private Map<String, Link> getAccessibleLinks(AccessLevel accessLevel, Map<String, Link> links) {
+	private Map<String, Link> getAccessibleLinks(AccessLevel accessLevel,
+			Map<String, Link> links) {
 		if (accessLevel == null) {
 			return new LinkedHashMap<>();
 		}
 		return links.entrySet().stream()
-				.filter((e) -> e.getKey().equals("self")
-						|| accessLevel.isAccessAllowed(e.getKey()))
+				.filter((entry) -> entry.getKey().equals("self")
+						|| accessLevel.isAccessAllowed(entry.getKey()))
 				.collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
 	}
 
@@ -129,7 +131,7 @@ private Map<String, Link> getAccessibleLinks(AccessLevel accessLevel, Map<String
 	 * @param corsConfiguration the CORS configuration for the endpoints
 	 * @param securityInterceptor the Security Interceptor
 	 */
-	public CloudFoundryWebFluxEndpointHandlerMapping(EndpointMapping endpointMapping,
+	CloudFoundryWebFluxEndpointHandlerMapping(EndpointMapping endpointMapping,
 			Collection<EndpointInfo<WebEndpointOperation>> webEndpoints,
 			EndpointMediaTypes endpointMediaTypes, CorsConfiguration corsConfiguration,
 			ReactiveCloudFoundrySecurityInterceptor securityInterceptor) {
@@ -148,31 +150,35 @@ abstract class AbstractOperationHandler {
 
 		private final ReactiveCloudFoundrySecurityInterceptor securityInterceptor;
 
-		AbstractOperationHandler(OperationInvoker operationInvoker, String endpointId, ReactiveCloudFoundrySecurityInterceptor securityInterceptor) {
+		AbstractOperationHandler(OperationInvoker operationInvoker, String endpointId,
+				ReactiveCloudFoundrySecurityInterceptor securityInterceptor) {
 			this.operationInvoker = operationInvoker;
 			this.endpointId = endpointId;
 			this.securityInterceptor = securityInterceptor;
 		}
 
-		@SuppressWarnings({ "unchecked" })
 		Publisher<ResponseEntity<Object>> doHandle(ServerWebExchange exchange,
 				Map<String, String> body) {
-			return this.securityInterceptor
-					.preHandle(exchange, this.endpointId)
-					.flatMap(securityResponse -> {
-						if (!securityResponse.getStatus().equals(HttpStatus.OK)) {
-							return Mono.just(new ResponseEntity<>(securityResponse.getStatus()));
-						}
-						Map<String, Object> arguments = new HashMap<>(exchange
-								.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE));
-						if (body != null) {
-							arguments.putAll(body);
-						}
-						exchange.getRequest().getQueryParams().forEach((name, values) -> arguments
-								.put(name, values.size() == 1 ? values.get(0) : values));
-						return handleResult((Publisher<?>) this.operationInvoker.invoke(arguments),
-								exchange.getRequest().getMethod());
-					});
+			return this.securityInterceptor.preHandle(exchange, this.endpointId)
+					.flatMap((securityResponse) -> flatMapResponse(exchange, body,
+							securityResponse));
+		}
+
+		private Mono<? extends ResponseEntity<Object>> flatMapResponse(
+				ServerWebExchange exchange, Map<String, String> body,
+				SecurityResponse securityResponse) {
+			if (!securityResponse.getStatus().equals(HttpStatus.OK)) {
+				return Mono.just(new ResponseEntity<>(securityResponse.getStatus()));
+			}
+			Map<String, Object> arguments = new HashMap<>(exchange
+					.getAttribute(HandlerMapping.URI_TEMPLATE_VARIABLES_ATTRIBUTE));
+			if (body != null) {
+				arguments.putAll(body);
+			}
+			exchange.getRequest().getQueryParams().forEach((name, values) -> arguments
+					.put(name, (values.size() == 1 ? values.get(0) : values)));
+			return handleResult((Publisher<?>) this.operationInvoker.invoke(arguments),
+					exchange.getRequest().getMethod());
 		}
 
 		private Mono<ResponseEntity<Object>> handleResult(Publisher<?> result,
@@ -203,7 +209,8 @@ private ResponseEntity<Object> toResponseEntity(Object response) {
 	final class WriteOperationHandler extends AbstractOperationHandler {
 
 		WriteOperationHandler(OperationInvoker operationInvoker, String endpointId) {
-			super(operationInvoker, endpointId, CloudFoundryWebFluxEndpointHandlerMapping.this.securityInterceptor);
+			super(operationInvoker, endpointId,
+					CloudFoundryWebFluxEndpointHandlerMapping.this.securityInterceptor);
 		}
 
 		@ResponseBody
@@ -220,7 +227,8 @@ public Publisher<ResponseEntity<Object>> handle(ServerWebExchange exchange,
 	final class ReadOperationHandler extends AbstractOperationHandler {
 
 		ReadOperationHandler(OperationInvoker operationInvoker, String endpointId) {
-			super(operationInvoker, endpointId, CloudFoundryWebFluxEndpointHandlerMapping.this.securityInterceptor);
+			super(operationInvoker, endpointId,
+					CloudFoundryWebFluxEndpointHandlerMapping.this.securityInterceptor);
 		}
 
 		@ResponseBody

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveCloudFoundryActuatorAutoConfiguration.java

@@ -69,13 +69,16 @@ public class ReactiveCloudFoundryActuatorAutoConfiguration {
 	public CloudFoundryWebFluxEndpointHandlerMapping cloudFoundryWebFluxEndpointHandlerMapping(
 			ParameterMapper parameterMapper, EndpointMediaTypes endpointMediaTypes,
 			WebClient.Builder webClientBuilder, Environment environment,
-			DefaultCachingConfigurationFactory cachingConfigurationFactory, WebEndpointProperties webEndpointProperties) {
+			DefaultCachingConfigurationFactory cachingConfigurationFactory,
+			WebEndpointProperties webEndpointProperties) {
 		WebAnnotationEndpointDiscoverer endpointDiscoverer = new WebAnnotationEndpointDiscoverer(
 				this.applicationContext, parameterMapper, cachingConfigurationFactory,
 				endpointMediaTypes, (id) -> id);
 		return new CloudFoundryWebFluxEndpointHandlerMapping(
 				new EndpointMapping("/cloudfoundryapplication"),
-				endpointDiscoverer.discoverEndpoints(), endpointMediaTypes, getCorsConfiguration(), getSecurityInterceptor(webClientBuilder, environment));
+				endpointDiscoverer.discoverEndpoints(), endpointMediaTypes,
+				getCorsConfiguration(),
+				getSecurityInterceptor(webClientBuilder, environment));
 	}
 
 	private ReactiveCloudFoundrySecurityInterceptor getSecurityInterceptor(
@@ -91,11 +94,10 @@ private ReactiveCloudFoundrySecurityInterceptor getSecurityInterceptor(
 
 	private ReactiveCloudFoundrySecurityService getCloudFoundrySecurityService(
 			WebClient.Builder webClientBuilder, Environment environment) {
-		String cloudControllerUrl = environment
-				.getProperty("vcap.application.cf_api");
+		String cloudControllerUrl = environment.getProperty("vcap.application.cf_api");
 		return (cloudControllerUrl == null ? null
 				: new ReactiveCloudFoundrySecurityService(webClientBuilder,
-				cloudControllerUrl));
+						cloudControllerUrl));
 	}
 
 	private CorsConfiguration getCorsConfiguration() {
@@ -111,30 +113,38 @@ private CorsConfiguration getCorsConfiguration() {
 	@Configuration
 	@ConditionalOnClass(MatcherSecurityWebFilterChain.class)
 	static class IgnoredPathsSecurityConfiguration {
+
 		@Bean
-		public BeanPostProcessor webFilterChainPostProcessor() {
-			return new BeanPostProcessor() {
-				@Override
-				public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
-					if (bean instanceof WebFilterChainProxy) {
-						return postProcess((WebFilterChainProxy) bean);
-					}
-					return bean;
-				}
-			};
+		public WebFilterChainPostProcessor webFilterChainPostProcessor() {
+			return new WebFilterChainPostProcessor();
+		}
+
+	}
+
+	private static class WebFilterChainPostProcessor implements BeanPostProcessor {
+
+		@Override
+		public Object postProcessAfterInitialization(Object bean, String beanName)
+				throws BeansException {
+			if (bean instanceof WebFilterChainProxy) {
+				return postProcess((WebFilterChainProxy) bean);
+			}
+			return bean;
 		}
 
-		WebFilterChainProxy postProcess(WebFilterChainProxy existing) {
-			ServerWebExchangeMatcher cloudFoundryRequestMatcher = ServerWebExchangeMatchers.pathMatchers(
-					"/cloudfoundryapplication/**");
+		private WebFilterChainProxy postProcess(WebFilterChainProxy existing) {
+			ServerWebExchangeMatcher cloudFoundryRequestMatcher = ServerWebExchangeMatchers
+					.pathMatchers("/cloudfoundryapplication/**");
 			WebFilter noOpFilter = (exchange, chain) -> chain.filter(exchange);
 			MatcherSecurityWebFilterChain ignoredRequestFilterChain = new MatcherSecurityWebFilterChain(
 					cloudFoundryRequestMatcher, Collections.singletonList(noOpFilter));
 			MatcherSecurityWebFilterChain allRequestsFilterChain = new MatcherSecurityWebFilterChain(
-					ServerWebExchangeMatchers.anyExchange(), Collections.singletonList(existing));
-			return new WebFilterChainProxy(ignoredRequestFilterChain, allRequestsFilterChain);
+					ServerWebExchangeMatchers.anyExchange(),
+					Collections.singletonList(existing));
+			return new WebFilterChainProxy(ignoredRequestFilterChain,
+					allRequestsFilterChain);
 		}
+
 	}
 
 }
-

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveCloudFoundrySecurityInterceptor.java

@@ -63,28 +63,31 @@ Mono<SecurityResponse> preHandle(ServerWebExchange exchange, String endpointId)
 		}
 		if (!StringUtils.hasText(this.applicationId)) {
 			return Mono.error(new CloudFoundryAuthorizationException(
-					Reason.SERVICE_UNAVAILABLE,
-					"Application id is not available"));
+					Reason.SERVICE_UNAVAILABLE, "Application id is not available"));
 		}
 		if (this.cloudFoundrySecurityService == null) {
 			return Mono.error(new CloudFoundryAuthorizationException(
-					Reason.SERVICE_UNAVAILABLE,
-					"Cloud controller URL is not available"));
+					Reason.SERVICE_UNAVAILABLE, "Cloud controller URL is not available"));
 		}
-		return check(exchange, endpointId)
-				.then(SUCCESS)
-				.doOnError(throwable -> logger.error(throwable.getMessage(), throwable))
+		return check(exchange, endpointId).then(SUCCESS).doOnError(this::logError)
 				.onErrorResume(this::getErrorResponse);
 	}
 
+	private void logError(Throwable ex) {
+		logger.error(ex.getMessage(), ex);
+	}
+
 	private Mono<Void> check(ServerWebExchange exchange, String path) {
 		try {
 			Token token = getToken(exchange.getRequest());
-			return this.tokenValidator.validate(token).then(this.cloudFoundrySecurityService.getAccessLevel(token.toString(), this.applicationId))
-					.filter(accessLevel -> accessLevel.isAccessAllowed(path))
-					.switchIfEmpty(Mono.error(new CloudFoundryAuthorizationException(Reason.ACCESS_DENIED,
-							"Access denied")))
-					.doOnSuccess(accessLevel -> exchange.getAttributes().put("cloudFoundryAccessLevel", accessLevel))
+			return this.tokenValidator.validate(token)
+					.then(this.cloudFoundrySecurityService
+							.getAccessLevel(token.toString(), this.applicationId))
+					.filter((accessLevel) -> accessLevel.isAccessAllowed(path))
+					.switchIfEmpty(Mono.error(new CloudFoundryAuthorizationException(
+							Reason.ACCESS_DENIED, "Access denied")))
+					.doOnSuccess((accessLevel) -> exchange.getAttributes()
+							.put("cloudFoundryAccessLevel", accessLevel))
 					.then();
 		}
 		catch (CloudFoundryAuthorizationException ex) {
@@ -107,8 +110,7 @@ private Token getToken(ServerHttpRequest request) {
 		String bearerPrefix = "bearer ";
 		if (authorization == null
 				|| !authorization.toLowerCase().startsWith(bearerPrefix)) {
-			throw new CloudFoundryAuthorizationException(
-					Reason.MISSING_AUTHORIZATION,
+			throw new CloudFoundryAuthorizationException(Reason.MISSING_AUTHORIZATION,
 					"Authorization header is missing or invalid");
 		}
 		return new Token(authorization.substring(bearerPrefix.length()));