package org.springframework.security.authorization;

import io.micrometer.observation.Observation;
import io.micrometer.observation.ObservationConvention;
import io.micrometer.observation.ObservationRegistry;
import io.micrometer.observation.contextpropagation.ObservationThreadLocalAccessor;
import java.util.Objects;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler;
import org.springframework.security.authorization.method.MethodInvocationResult;
import org.springframework.security.authorization.method.ThrowingMethodAuthorizationDeniedHandler;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;

/* loaded from: input_file:META-INF/lib/spring-security-core-6.3.3.jar:org/springframework/security/authorization/ObservationReactiveAuthorizationManager.class */
public final class ObservationReactiveAuthorizationManager<T> implements ReactiveAuthorizationManager<T>, MethodAuthorizationDeniedHandler {
    private final ObservationRegistry registry;
    private final ReactiveAuthorizationManager<T> delegate;
    private ObservationConvention<AuthorizationObservationContext<?>> convention = new AuthorizationObservationConvention();
    private MethodAuthorizationDeniedHandler handler;

    public ObservationReactiveAuthorizationManager(ObservationRegistry observationRegistry, ReactiveAuthorizationManager<T> reactiveAuthorizationManager) {
        this.handler = new ThrowingMethodAuthorizationDeniedHandler();
        this.registry = observationRegistry;
        this.delegate = reactiveAuthorizationManager;
        if (reactiveAuthorizationManager instanceof MethodAuthorizationDeniedHandler) {
            this.handler = (MethodAuthorizationDeniedHandler) reactiveAuthorizationManager;
        }
    }

    @Override // org.springframework.security.authorization.ReactiveAuthorizationManager
    public Mono<AuthorizationDecision> check(Mono<Authentication> mono, T t) {
        AuthorizationObservationContext authorizationObservationContext = new AuthorizationObservationContext(t);
        Mono map = mono.map(authentication -> {
            authorizationObservationContext.setAuthentication(authentication);
            return authorizationObservationContext.getAuthentication();
        });
        return Mono.deferContextual(contextView -> {
            Observation start = Observation.createNotStarted(this.convention, () -> {
                return authorizationObservationContext;
            }, this.registry).parentObservation((Observation) contextView.getOrDefault(ObservationThreadLocalAccessor.KEY, (Object) null)).start();
            Mono doOnSuccess = this.delegate.check(map, t).doOnSuccess(authorizationDecision -> {
                authorizationObservationContext.setDecision(authorizationDecision);
                if (authorizationDecision == null || !authorizationDecision.isGranted()) {
                    start.error(new AccessDeniedException("Access Denied"));
                }
                start.stop();
            });
            Objects.requireNonNull(start);
            return doOnSuccess.doOnCancel(start::stop).doOnError(th -> {
                start.error(th);
                start.stop();
            });
        });
    }

    public void setObservationConvention(ObservationConvention<AuthorizationObservationContext<?>> observationConvention) {
        Assert.notNull(observationConvention, "The observation convention cannot be null");
        this.convention = observationConvention;
    }

    @Override // org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler
    public Object handleDeniedInvocation(MethodInvocation methodInvocation, AuthorizationResult authorizationResult) {
        return this.handler.handleDeniedInvocation(methodInvocation, authorizationResult);
    }

    @Override // org.springframework.security.authorization.method.MethodAuthorizationDeniedHandler
    public Object handleDeniedInvocationResult(MethodInvocationResult methodInvocationResult, AuthorizationResult authorizationResult) {
        return this.handler.handleDeniedInvocationResult(methodInvocationResult, authorizationResult);
    }
}
