From bbd31f0e331302155645802e5239474142487feb Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Fri, 24 Feb 2023 11:03:32 -0700
Subject: [PATCH] Defer ObservationRegistry Lookup
Closes gh-12780
---
 ...servationReactiveAuthorizationManager.java | 51 +++++++++++++++++++
 ...ionManagerMethodSecurityConfiguration.java | 9 +---
 2 files changed, 53 insertions(+), 7 deletions(-)
 create mode 100644 config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationReactiveAuthorizationManager.java
diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationReactiveAuthorizationManager.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationReactiveAuthorizationManager.java
new file mode 100644
index 00000000000..9061cb64bb7
--- /dev/null
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/DeferringObservationReactiveAuthorizationManager.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.method.configuration;
+
+import java.util.function.Supplier;
+
+import io.micrometer.observation.ObservationRegistry;
+import reactor.core.publisher.Mono;
+
+import org.springframework.beans.factory.ObjectProvider;
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
+import org.springframework.security.authorization.ReactiveAuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.function.SingletonSupplier;
+
+final class DeferringObservationReactiveAuthorizationManager implements ReactiveAuthorizationManager {
+
+ private final Supplier> delegate;
+
+ DeferringObservationReactiveAuthorizationManager(ObjectProvider provider,
+ ReactiveAuthorizationManager delegate) {
+ this.delegate = SingletonSupplier.of(() -> {
+ ObservationRegistry registry = provider.getIfAvailable(() -> ObservationRegistry.NOOP);
+ if (registry.isNoop()) {
+ return delegate;
+ }
+ return new ObservationReactiveAuthorizationManager<>(registry, delegate);
+ });
+ }
+
+ @Override
+ public Mono check(Mono authentication, T object) {
+ return this.delegate.get().check(authentication, object);
+ }
+
+}
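Review bot: The constructor stores `provider` and `delegate` without a null check, so a null `delegate` is captured by the lambda and, on the no-op registry path, handed back by the supplier; the failure then appears as a `NullPointerException` inside `check`, on the authorization path of the first secured call rather than at wiring time. Guard it up front with `Assert.notNull(provider, "provider cannot be null");` and `Assert.notNull(delegate, "delegate cannot be null");` (this needs the `org.springframework.util.Assert` import). The class also has no Javadoc; a one-line comment stating that the registry is resolved once, on the first `check`, and that the result (including the plain `delegate` fallback) is cached by `SingletonSupplier` would tell maintainers that a registry made available later is not picked up.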
diff --git a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java
index 40e498e512c..4f53005f7c8 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/method/configuration/ReactiveAuthorizationManagerMethodSecurityConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -28,7 +28,6 @@
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
-import org.springframework.security.authorization.ObservationReactiveAuthorizationManager;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.authorization.method.AuthorizationManagerAfterReactiveMethodInterceptor;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeReactiveMethodInterceptor;
@@ -93,11 +92,7 @@ static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler( static ReactiveAuthorizationManager manager(ReactiveAuthorizationManager delegate, ObjectProvider registryProvider) { - ObservationRegistry registry = registryProvider.getIfAvailable(() -> ObservationRegistry.NOOP); - if (registry.isNoop()) { - return delegate; - } - return new ObservationReactiveAuthorizationManager<>(registry, delegate); + return new DeferringObservationReactiveAuthorizationManager<>(registryProvider, delegate); } }
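Review bot: Nothing in this patch pins the new lazy behaviour of `manager(...)`: the diffstat lists only the two files under `src/main`, so a later refactor could reintroduce an eager `registryProvider.getIfAvailable(...)` call here without any test failing. A configuration test asserting that the `ObjectProvider` is not consulted until the first `check` would guard the fix. A short comment above the return, e.g. `// registry lookup is deferred to the first check; see gh-12780`, would also record why the wrapper is now created unconditionally, even when observations turn out to be disabled.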