Polish

Author: philwebb

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/EndpointAccessOperationFilter.java

@@ -80,7 +80,7 @@ private static Access determineDefaultAccess(PropertyResolver properties) {
 	@Override
 	public Access accessFor(EndpointId endpointId, Access defaultAccess) {
 		return this.accessCache.computeIfAbsent(endpointId,
-				(key) -> capAccess(resolveAccess(endpointId, defaultAccess)));
+				(key) -> resolveAccess(endpointId, defaultAccess).cap(this.maxPermittedAccess));
 	}
 
 	private Access resolveAccess(EndpointId endpointId, Access defaultAccess) {
@@ -101,8 +101,4 @@ private Access resolveAccess(EndpointId endpointId, Access defaultAccess) {
 		return (this.endpointsDefaultAccess != null) ? this.endpointsDefaultAccess : defaultAccess;
 	}
 
-	private Access capAccess(Access access) {
-		return Access.values()[Math.min(access.ordinal(), this.maxPermittedAccess.ordinal())];
-	}
-
 }

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/PropertiesEndpointAccessResolver.java

@@ -22,7 +22,6 @@
 
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.boot.LazyInitializationExcludeFilter;
-import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAccessOperationFilter;
 import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.endpoint.expose.EndpointExposure;
 import org.springframework.boot.actuate.autoconfigure.endpoint.expose.IncludeExcludeEndpointFilter;
@@ -123,9 +122,8 @@ static LazyInitializationExcludeFilter eagerlyInitializeJmxEndpointExporter() {
 	}
 
 	@Bean
-	EndpointAccessOperationFilter<JmxOperation> jmxAccessPropertiesOperationFilter(
-			EndpointAccessResolver endpointAccessResolver) {
-		return new EndpointAccessOperationFilter<>(endpointAccessResolver);
+	OperationFilter<JmxOperation> jmxAccessPropertiesOperationFilter(EndpointAccessResolver endpointAccessResolver) {
+		return OperationFilter.byAccess(endpointAccessResolver);
 	}
 
 }

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/jmx/JmxEndpointAutoConfiguration.java

@@ -20,7 +20,6 @@
 import java.util.Collections;
 
 import org.springframework.beans.factory.ObjectProvider;
-import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAccessOperationFilter;
 import org.springframework.boot.actuate.autoconfigure.endpoint.EndpointAutoConfiguration;
 import org.springframework.boot.actuate.autoconfigure.endpoint.expose.EndpointExposure;
 import org.springframework.boot.actuate.autoconfigure.endpoint.expose.IncludeExcludeEndpointFilter;
@@ -130,9 +129,8 @@ public IncludeExcludeEndpointFilter<org.springframework.boot.actuate.endpoint.we
 	}
 
 	@Bean
-	EndpointAccessOperationFilter<WebOperation> webAccessPropertiesOperationFilter(
-			EndpointAccessResolver endpointAccessResolver) {
-		return new EndpointAccessOperationFilter<>(endpointAccessResolver);
+	OperationFilter<WebOperation> webAccessPropertiesOperationFilter(EndpointAccessResolver endpointAccessResolver) {
+		return OperationFilter.byAccess(endpointAccessResolver);
 	}
 
 	@Configuration(proxyBeanMethods = false)

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/web/WebEndpointAutoConfiguration.java

@@ -16,6 +16,8 @@
 
 package org.springframework.boot.actuate.endpoint;
 
+import org.springframework.util.Assert;
+
 /**
  * Permitted level of access to an endpoint and its operations.
  *
@@ -37,6 +39,16 @@ public enum Access {
 	/**
 	 * Unrestricted access to the endpoint is permitted.
 	 */
-	UNRESTRICTED
+	UNRESTRICTED;
+
+	/**
+	 * Cap access to a maximum permitted.
+	 * @param maxPermitted the maximum permitted access
+	 * @return this access if less than the maximum or the maximum permitted
+	 */
+	public Access cap(Access maxPermitted) {
+		Assert.notNull(maxPermitted, "'maxPermittedAccess' must not be null");
+		return (ordinal() <= maxPermitted.ordinal()) ? this : maxPermitted;
+	}
 
 }

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/Access.java

@@ -35,4 +35,22 @@ public interface OperationFilter<O extends Operation> {
 	 */
 	boolean match(O operation, EndpointId endpointId, Access defaultAccess);
 
+	/**
+	 * Return an {@link OperationFilter} that filters based on the allowed {@link Access
+	 * access} as determined by an {@link EndpointAccessResolver access resolver}.
+	 * @param <O> the operation type
+	 * @param accessResolver the access resolver
+	 * @return a new {@link OperationFilter}
+	 */
+	static <O extends Operation> OperationFilter<O> byAccess(EndpointAccessResolver accessResolver) {
+		return (operation, endpointId, defaultAccess) -> {
+			Access access = accessResolver.accessFor(endpointId, defaultAccess);
+			return switch (access) {
+				case NONE -> false;
+				case READ_ONLY -> operation.getType() == OperationType.READ;
+				case UNRESTRICTED -> true;
+			};
+		};
+	}
+
 }

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/OperationFilter.java

@@ -117,18 +117,27 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 				throws IOException, ServletException {
 			if (request instanceof HttpServletRequest httpRequest
 					&& response instanceof HttpServletResponse httpResponse) {
-				if (READ_ONLY_ACCESS_REQUEST_METHODS.contains(httpRequest.getMethod().toUpperCase(Locale.ROOT))) {
-					chain.doFilter(httpRequest, response);
-				}
-				else {
-					httpResponse.sendError(METHOD_NOT_ALLOWED);
-				}
+				doFilter(httpRequest, httpResponse, chain);
 			}
 			else {
 				throw new ServletException();
 			}
 		}
 
+		private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+				throws IOException, ServletException {
+			if (isReadOnlyAccessMethod(request)) {
+				chain.doFilter(request, response);
+			}
+			else {
+				response.sendError(METHOD_NOT_ALLOWED);
+			}
+		}
+
+		private boolean isReadOnlyAccessMethod(HttpServletRequest request) {
+			return READ_ONLY_ACCESS_REQUEST_METHODS.contains(request.getMethod().toUpperCase(Locale.ROOT));
+		}
+
 	}
 
 }

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/web/ServletEndpointRegistrar.java

@@ -125,15 +125,14 @@ protected void registerHandlerMethod(Object handler, Method method, RequestMappi
 	}
 
 	private RequestMappingInfo withReadOnlyAccess(Access access, RequestMappingInfo mapping) {
-		Set<RequestMethod> methods = mapping.getMethodsCondition().getMethods();
-		Set<RequestMethod> modifiedMethods = new HashSet<>(methods);
-		if (modifiedMethods.isEmpty()) {
-			modifiedMethods.addAll(READ_ONLY_ACCESS_REQUEST_METHODS);
+		Set<RequestMethod> methods = new HashSet<>(mapping.getMethodsCondition().getMethods());
+		if (methods.isEmpty()) {
+			methods.addAll(READ_ONLY_ACCESS_REQUEST_METHODS);
 		}
 		else {
-			modifiedMethods.retainAll(READ_ONLY_ACCESS_REQUEST_METHODS);
+			methods.retainAll(READ_ONLY_ACCESS_REQUEST_METHODS);
 		}
-		return mapping.mutate().methods(modifiedMethods.toArray(new RequestMethod[0])).build();
+		return mapping.mutate().methods(methods.toArray(new RequestMethod[0])).build();
 	}
 
 	private RequestMappingInfo withEndpointMappedPatterns(ExposableControllerEndpoint endpoint,

spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/web/reactive/ControllerEndpointHandlerMapping.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2012-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.actuate.endpoint;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link Access}.
+ *
+ * @author Phillip Webb
+ */
+class AccessTests {
+
+	@Test
+	void capWhenAboveMaximum() {
+		assertThat(Access.UNRESTRICTED.cap(Access.READ_ONLY)).isEqualTo(Access.READ_ONLY);
+	}
+
+	@Test
+	void capWhenAtMaximum() {
+		assertThat(Access.READ_ONLY.cap(Access.READ_ONLY)).isEqualTo(Access.READ_ONLY);
+	}
+
+	@Test
+	void capWhenBelowMaximum() {
+		assertThat(Access.NONE.cap(Access.READ_ONLY)).isEqualTo(Access.NONE);
+	}
+
+}

spring-boot-project/spring-boot-actuator/src/test/java/org/springframework/boot/actuate/endpoint/AccessTests.java

@@ -14,33 +14,26 @@
  * limitations under the License.
  */
 
-package org.springframework.boot.actuate.autoconfigure.endpoint;
+package org.springframework.boot.actuate.endpoint;
 
 import org.junit.jupiter.api.Test;
 
-import org.springframework.boot.actuate.endpoint.Access;
-import org.springframework.boot.actuate.endpoint.EndpointAccessResolver;
-import org.springframework.boot.actuate.endpoint.EndpointId;
-import org.springframework.boot.actuate.endpoint.Operation;
-import org.springframework.boot.actuate.endpoint.OperationType;
-
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.mock;
 
 /**
- * Tests for {@link EndpointAccessOperationFilter}.
+ * Tests for {@link OperationFilter}.
  *
  * @author Andy Wilkinson
  */
-class EndpointAccessOperationFilterTests {
+class OperationFilterTests {
 
 	private final EndpointAccessResolver accessResolver = mock(EndpointAccessResolver.class);
 
 	private final Operation operation = mock(Operation.class);
 
-	private final EndpointAccessOperationFilter<Operation> filter = new EndpointAccessOperationFilter<>(
-			this.accessResolver);
+	private final OperationFilter<Operation> filter = OperationFilter.byAccess(this.accessResolver);
 
 	@Test
 	void whenAccessIsUnrestrictedThenMatchReturnsTrue() {