Provide more control over access to endpoint operations

This commit reworks the support for enabling and disabling endpoints,
replacing the on/off support that it provided with a finer-grained
access model that supports only allowing read-only access to endpoint
operations in addition to disabling an endpoint (access of none) and
fully enabling it (access of unrestricted).

The following properties are deprecated:

- management.endpoints.enabled-by-default
- management.endpoint.<id>.enabled

Their replacements are:

- management.endpoints.access.default
- management.endpoint.<id>.access

Similarly, the enableByDefault attribute on @endpoint has been
deprecated with a new defaultAccess attribute replacing it.

Additionally, a new property has been introduced that allows an
operator to control the level of access to Actuator endpoints
that is permitted:

- management.endpoints.access.max-permitted

This property caps any access that may has been configured for
an endpoint. For example, if
management.endpoints.access.max-permitted is set to read-only and
management.endpoint.loggers.access is set to unrestricted, only
read-only access to the loggers endpoint will be allowed.

Closes gh-39046

Author: wilkinsona

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/CloudFoundryWebEndpointDiscoverer.java

@@ -17,18 +17,21 @@
 package org.springframework.boot.actuate.autoconfigure.cloudfoundry;
 
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 
 import org.springframework.aot.hint.MemberCategory;
 import org.springframework.aot.hint.RuntimeHints;
 import org.springframework.aot.hint.RuntimeHintsRegistrar;
 import org.springframework.boot.actuate.autoconfigure.cloudfoundry.CloudFoundryWebEndpointDiscoverer.CloudFoundryWebEndpointDiscovererRuntimeHints;
 import org.springframework.boot.actuate.endpoint.EndpointFilter;
+import org.springframework.boot.actuate.endpoint.OperationFilter;
 import org.springframework.boot.actuate.endpoint.invoke.OperationInvokerAdvisor;
 import org.springframework.boot.actuate.endpoint.invoke.ParameterValueMapper;
 import org.springframework.boot.actuate.endpoint.web.EndpointMediaTypes;
 import org.springframework.boot.actuate.endpoint.web.ExposableWebEndpoint;
 import org.springframework.boot.actuate.endpoint.web.PathMapper;
+import org.springframework.boot.actuate.endpoint.web.WebOperation;
 import org.springframework.boot.actuate.endpoint.web.annotation.EndpointWebExtension;
 import org.springframework.boot.actuate.endpoint.web.annotation.WebEndpointDiscoverer;
 import org.springframework.boot.actuate.health.HealthEndpoint;
@@ -53,14 +56,37 @@ public class CloudFoundryWebEndpointDiscoverer extends WebEndpointDiscoverer {
 	 * @param endpointMediaTypes the endpoint media types
 	 * @param endpointPathMappers the endpoint path mappers
 	 * @param invokerAdvisors invoker advisors to apply
-	 * @param filters filters to apply
+	 * @param endpointFilters endpoint filters to apply
+	 * @deprecated since 3.4.0 for removal in 3.6.0 in favor of
+	 * {@link #CloudFoundryWebEndpointDiscoverer(ApplicationContext, ParameterValueMapper, EndpointMediaTypes, List, Collection, Collection, Collection)}
 	 */
+	@Deprecated(since = "3.4.0", forRemoval = true)
 	public CloudFoundryWebEndpointDiscoverer(ApplicationContext applicationContext,
 			ParameterValueMapper parameterValueMapper, EndpointMediaTypes endpointMediaTypes,
 			List<PathMapper> endpointPathMappers, Collection<OperationInvokerAdvisor> invokerAdvisors,
-			Collection<EndpointFilter<ExposableWebEndpoint>> filters) {
+			Collection<EndpointFilter<ExposableWebEndpoint>> endpointFilters) {
+		this(applicationContext, parameterValueMapper, endpointMediaTypes, endpointPathMappers, invokerAdvisors,
+				endpointFilters, Collections.emptyList());
+	}
+
+	/**
+	 * Create a new {@link WebEndpointDiscoverer} instance.
+	 * @param applicationContext the source application context
+	 * @param parameterValueMapper the parameter value mapper
+	 * @param endpointMediaTypes the endpoint media types
+	 * @param endpointPathMappers the endpoint path mappers
+	 * @param invokerAdvisors invoker advisors to apply
+	 * @param endpointFilters endpoint filters to apply
+	 * @param operationFilters operation filters to apply
+	 * @since 3.4.0
+	 */
+	public CloudFoundryWebEndpointDiscoverer(ApplicationContext applicationContext,
+			ParameterValueMapper parameterValueMapper, EndpointMediaTypes endpointMediaTypes,
+			List<PathMapper> endpointPathMappers, Collection<OperationInvokerAdvisor> invokerAdvisors,
+			Collection<EndpointFilter<ExposableWebEndpoint>> endpointFilters,
+			Collection<OperationFilter<WebOperation>> operationFilters) {
 		super(applicationContext, parameterValueMapper, endpointMediaTypes, endpointPathMappers, null, invokerAdvisors,
-				filters);
+				endpointFilters, operationFilters);
 	}
 
 	@Override

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveCloudFoundryActuatorAutoConfiguration.java

@@ -113,7 +113,8 @@ public CloudFoundryWebFluxEndpointHandlerMapping cloudFoundryWebFluxEndpointHand
 			org.springframework.boot.actuate.endpoint.web.annotation.ControllerEndpointsSupplier controllerEndpointsSupplier,
 			ApplicationContext applicationContext) {
 		CloudFoundryWebEndpointDiscoverer endpointDiscoverer = new CloudFoundryWebEndpointDiscoverer(applicationContext,
-				parameterMapper, endpointMediaTypes, null, Collections.emptyList(), Collections.emptyList());
+				parameterMapper, endpointMediaTypes, null, Collections.emptyList(), Collections.emptyList(),
+				Collections.emptyList());
 		CloudFoundrySecurityInterceptor securityInterceptor = getSecurityInterceptor(webClientBuilder,
 				applicationContext.getEnvironment());
 		Collection<ExposableWebEndpoint> webEndpoints = endpointDiscoverer.getEndpoints();

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/CloudFoundryActuatorAutoConfiguration.java

@@ -117,7 +117,8 @@ public CloudFoundryWebEndpointServletHandlerMapping cloudFoundryWebEndpointServl
 			org.springframework.boot.actuate.endpoint.web.annotation.ControllerEndpointsSupplier controllerEndpointsSupplier,
 			ApplicationContext applicationContext) {
 		CloudFoundryWebEndpointDiscoverer discoverer = new CloudFoundryWebEndpointDiscoverer(applicationContext,
-				parameterMapper, endpointMediaTypes, null, Collections.emptyList(), Collections.emptyList());
+				parameterMapper, endpointMediaTypes, null, Collections.emptyList(), Collections.emptyList(),
+				Collections.emptyList());
 		CloudFoundrySecurityInterceptor securityInterceptor = getSecurityInterceptor(restTemplateBuilder,
 				applicationContext.getEnvironment());
 		Collection<ExposableWebEndpoint> webEndpoints = discoverer.getEndpoints();

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/EndpointAccessOperationFilter.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2012-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.actuate.autoconfigure.endpoint;
+
+import org.springframework.boot.actuate.endpoint.Access;
+import org.springframework.boot.actuate.endpoint.EndpointAccessResolver;
+import org.springframework.boot.actuate.endpoint.EndpointId;
+import org.springframework.boot.actuate.endpoint.Operation;
+import org.springframework.boot.actuate.endpoint.OperationFilter;
+import org.springframework.boot.actuate.endpoint.OperationType;
+
+/**
+ * An {@link OperationFilter} that filters based on the allowed {@link Access access} as
+ * determined by an {@link EndpointAccessResolver access resolver}.
+ *
+ * @param <O> the operation type
+ * @author Andy Wilkinson
+ * @since 3.4.0
+ */
+public class EndpointAccessOperationFilter<O extends Operation> implements OperationFilter<O> {
+
+	private final EndpointAccessResolver accessResolver;
+
+	public EndpointAccessOperationFilter(EndpointAccessResolver accessResolver) {
+		this.accessResolver = accessResolver;
+	}
+
+	@Override
+	public boolean match(O operation, EndpointId endpointId, Access defaultAccess) {
+		Access access = this.accessResolver.accessFor(endpointId, defaultAccess);
+		return switch (access) {
+			case NONE -> false;
+			case READ_ONLY -> operation.getType() == OperationType.READ;
+			case UNRESTRICTED -> true;
+		};
+	}
+
+}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/EndpointAutoConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
 import java.util.List;
 
 import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.boot.actuate.endpoint.EndpointAccessResolver;
 import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
 import org.springframework.boot.actuate.endpoint.annotation.EndpointConverter;
 import org.springframework.boot.actuate.endpoint.invoke.ParameterValueMapper;
@@ -73,4 +74,10 @@ public CachingOperationInvokerAdvisor endpointCachingOperationInvokerAdvisor(Env
 		return new CachingOperationInvokerAdvisor(new EndpointIdTimeToLivePropertyFunction(environment));
 	}
 
+	@Bean
+	@ConditionalOnMissingBean(EndpointAccessResolver.class)
+	PropertiesEndpointAccessResolver propertiesEndpointAccessResolver(Environment environment) {
+		return new PropertiesEndpointAccessResolver(environment);
+	}
+
 }

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/PropertiesEndpointAccessResolver.java

@@ -0,0 +1,108 @@
+/*
+ * Copyright 2012-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.actuate.autoconfigure.endpoint;
+
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+import org.springframework.boot.actuate.endpoint.Access;
+import org.springframework.boot.actuate.endpoint.EndpointAccessResolver;
+import org.springframework.boot.actuate.endpoint.EndpointId;
+import org.springframework.boot.context.properties.source.MutuallyExclusiveConfigurationPropertiesException;
+import org.springframework.core.env.PropertyResolver;
+
+/**
+ * {@link EndpointAccessResolver} that resolves the permitted level of access to an
+ * endpoint using the following properties:
+ * <ol>
+ * <li>{@code management.endpoint.<id>.access} or {@code management.endpoint.<id>.enabled}
+ * (deprecated)
+ * <li>{@code management.endpoints.access.default} or
+ * {@code management.endpoints.enabled-by-default} (deprecated)
+ * </ol>
+ * The resulting access is capped using {@code management.endpoints.access.max-permitted}.
+ *
+ * @author Andy Wilkinson
+ * @since 3.4.0
+ */
+public class PropertiesEndpointAccessResolver implements EndpointAccessResolver {
+
+	private static final String DEFAULT_ACCESS_KEY = "management.endpoints.access.default";
+
+	private static final String ENABLED_BY_DEFAULT_KEY = "management.endpoints.enabled-by-default";
+
+	private final PropertyResolver properties;
+
+	private final Access endpointsDefaultAccess;
+
+	private final Access maxPermittedAccess;
+
+	private final Map<EndpointId, Access> accessCache = new ConcurrentHashMap<>();
+
+	public PropertiesEndpointAccessResolver(PropertyResolver properties) {
+		this.properties = properties;
+		this.endpointsDefaultAccess = determineDefaultAccess(properties);
+		this.maxPermittedAccess = properties.getProperty("management.endpoints.access.max-permitted", Access.class,
+				Access.UNRESTRICTED);
+	}
+
+	private static Access determineDefaultAccess(PropertyResolver properties) {
+		Access defaultAccess = properties.getProperty(DEFAULT_ACCESS_KEY, Access.class);
+		Boolean endpointsEnabledByDefault = properties.getProperty(ENABLED_BY_DEFAULT_KEY, Boolean.class);
+		MutuallyExclusiveConfigurationPropertiesException.throwIfMultipleNonNullValuesIn((entries) -> {
+			entries.put(DEFAULT_ACCESS_KEY, defaultAccess);
+			entries.put(ENABLED_BY_DEFAULT_KEY, endpointsEnabledByDefault);
+		});
+		if (defaultAccess != null) {
+			return defaultAccess;
+		}
+		if (endpointsEnabledByDefault != null) {
+			return endpointsEnabledByDefault ? org.springframework.boot.actuate.endpoint.Access.UNRESTRICTED
+					: org.springframework.boot.actuate.endpoint.Access.NONE;
+		}
+		return null;
+	}
+
+	@Override
+	public Access accessFor(EndpointId endpointId, Access defaultAccess) {
+		return this.accessCache.computeIfAbsent(endpointId,
+				(key) -> capAccess(resolveAccess(endpointId, defaultAccess)));
+	}
+
+	private Access resolveAccess(EndpointId endpointId, Access defaultAccess) {
+		String accessKey = "management.endpoint.%s.access".formatted(endpointId);
+		String enabledKey = "management.endpoint.%s.enabled".formatted(endpointId);
+		Access access = this.properties.getProperty(accessKey, Access.class);
+		Boolean enabled = this.properties.getProperty(enabledKey, Boolean.class);
+		MutuallyExclusiveConfigurationPropertiesException.throwIfMultipleNonNullValuesIn((entries) -> {
+			entries.put(accessKey, access);
+			entries.put(enabledKey, enabled);
+		});
+		if (access != null) {
+			return access;
+		}
+		if (enabled != null) {
+			return (enabled) ? Access.UNRESTRICTED : Access.NONE;
+		}
+		return (this.endpointsDefaultAccess != null) ? this.endpointsDefaultAccess : defaultAccess;
+	}
+
+	private Access capAccess(Access access) {
+		return Access.values()[Math.min(access.ordinal(), this.maxPermittedAccess.ordinal())];
+	}
+
+}

spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/condition/OnAvailableEndpointCondition.java

@@ -23,11 +23,13 @@
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Optional;
 import java.util.Set;
 
+import org.springframework.boot.actuate.autoconfigure.endpoint.PropertiesEndpointAccessResolver;
 import org.springframework.boot.actuate.autoconfigure.endpoint.expose.EndpointExposure;
 import org.springframework.boot.actuate.autoconfigure.endpoint.expose.IncludeExcludeEndpointFilter;
+import org.springframework.boot.actuate.endpoint.Access;
+import org.springframework.boot.actuate.endpoint.EndpointAccessResolver;
 import org.springframework.boot.actuate.endpoint.EndpointId;
 import org.springframework.boot.actuate.endpoint.ExposableEndpoint;
 import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
@@ -51,7 +53,7 @@
 import org.springframework.util.ConcurrentReferenceHashMap;
 
 /**
- * A condition that checks if an endpoint is available (i.e. enabled and exposed).
+ * A condition that checks if an endpoint is available (i.e. accessible and exposed).
  *
  * @author Brian Clozel
  * @author Stephane Nicoll
@@ -63,12 +65,10 @@ class OnAvailableEndpointCondition extends SpringBootCondition {
 
 	private static final String JMX_ENABLED_KEY = "spring.jmx.enabled";
 
-	private static final String ENABLED_BY_DEFAULT_KEY = "management.endpoints.enabled-by-default";
+	private static final Map<Environment, EndpointAccessResolver> accessResolversCache = new ConcurrentReferenceHashMap<>();
 
 	private static final Map<Environment, Set<EndpointExposureOutcomeContributor>> exposureOutcomeContributorsCache = new ConcurrentReferenceHashMap<>();
 
-	private static final ConcurrentReferenceHashMap<Environment, Optional<Boolean>> enabledByDefaultCache = new ConcurrentReferenceHashMap<>();
-
 	@Override
 	public ConditionOutcome getMatchOutcome(ConditionContext context, AnnotatedTypeMetadata metadata) {
 		Environment environment = context.getEnvironment();
@@ -114,35 +114,27 @@ private ConditionOutcome getMatchOutcome(Environment environment,
 			MergedAnnotation<Endpoint> endpointAnnotation) {
 		ConditionMessage.Builder message = ConditionMessage.forCondition(ConditionalOnAvailableEndpoint.class);
 		EndpointId endpointId = EndpointId.of(environment, endpointAnnotation.getString("id"));
-		ConditionOutcome enablementOutcome = getEnablementOutcome(environment, endpointAnnotation, endpointId, message);
-		ConditionOutcome exposureOutcome = (!enablementOutcome.isMatch()) ? null
-				: getExposureOutcome(environment, conditionAnnotation, endpointAnnotation, endpointId, message);
-		return (exposureOutcome != null) ? exposureOutcome
-				: ConditionOutcome.noMatch(message.because("not enabled or exposed"));
+		ConditionOutcome accessOutcome = getAccessOutcome(environment, endpointAnnotation, endpointId, message);
+		if (!accessOutcome.isMatch()) {
+			return accessOutcome;
+		}
+		ConditionOutcome exposureOutcome = getExposureOutcome(environment, conditionAnnotation, endpointAnnotation,
+				endpointId, message);
+		return (exposureOutcome != null) ? exposureOutcome : ConditionOutcome.noMatch(message.because("not exposed"));
 	}
 
-	private ConditionOutcome getEnablementOutcome(Environment environment,
-			MergedAnnotation<Endpoint> endpointAnnotation, EndpointId endpointId, ConditionMessage.Builder message) {
-		String key = "management.endpoint." + endpointId.toLowerCaseString() + ".enabled";
-		Boolean userDefinedEnabled = environment.getProperty(key, Boolean.class);
-		if (userDefinedEnabled != null) {
-			return new ConditionOutcome(userDefinedEnabled,
-					message.because("found property " + key + " with value " + userDefinedEnabled));
-		}
-		Boolean userDefinedDefault = isEnabledByDefault(environment);
-		if (userDefinedDefault != null) {
-			return new ConditionOutcome(userDefinedDefault, message
-				.because("no property " + key + " found so using user defined default from " + ENABLED_BY_DEFAULT_KEY));
-		}
-		boolean endpointDefault = endpointAnnotation.getBoolean("enableByDefault");
-		return new ConditionOutcome(endpointDefault,
-				message.because("no property " + key + " found so using endpoint default of " + endpointDefault));
+	private ConditionOutcome getAccessOutcome(Environment environment, MergedAnnotation<Endpoint> endpointAnnotation,
+			EndpointId endpointId, ConditionMessage.Builder message) {
+		Access defaultAccess = endpointAnnotation.getEnum("defaultAccess", Access.class);
+		boolean enableByDefault = endpointAnnotation.getBoolean("enableByDefault");
+		Access access = getAccess(environment, endpointId, (enableByDefault) ? defaultAccess : Access.NONE);
+		return new ConditionOutcome(access != Access.NONE,
+				message.because("the configured access for endpoint '%s' is %s".formatted(endpointId, access)));
 	}
 
-	private Boolean isEnabledByDefault(Environment environment) {
-		Optional<Boolean> enabledByDefault = enabledByDefaultCache.computeIfAbsent(environment,
-				(ignore) -> Optional.ofNullable(environment.getProperty(ENABLED_BY_DEFAULT_KEY, Boolean.class)));
-		return enabledByDefault.orElse(null);
+	private Access getAccess(Environment environment, EndpointId endpointId, Access defaultAccess) {
+		return accessResolversCache.computeIfAbsent(environment, PropertiesEndpointAccessResolver::new)
+			.accessFor(endpointId, defaultAccess);
 	}
 
 	private ConditionOutcome getExposureOutcome(Environment environment,