Josh Cummings
4 years ago
38 changed files with 3394 additions and 191 deletions
@ -0,0 +1,87 @@
@@ -0,0 +1,87 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.config.annotation.method.configuration; |
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired; |
||||
import org.springframework.beans.factory.config.BeanDefinition; |
||||
import org.springframework.context.annotation.Bean; |
||||
import org.springframework.context.annotation.Configuration; |
||||
import org.springframework.context.annotation.Role; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.authentication.ReactiveAuthenticationManager; |
||||
import org.springframework.security.authorization.method.AuthorizationManagerAfterReactiveMethodInterceptor; |
||||
import org.springframework.security.authorization.method.AuthorizationManagerBeforeReactiveMethodInterceptor; |
||||
import org.springframework.security.authorization.method.PostAuthorizeReactiveAuthorizationManager; |
||||
import org.springframework.security.authorization.method.PostFilterAuthorizationReactiveMethodInterceptor; |
||||
import org.springframework.security.authorization.method.PreAuthorizeReactiveAuthorizationManager; |
||||
import org.springframework.security.authorization.method.PreFilterAuthorizationReactiveMethodInterceptor; |
||||
import org.springframework.security.config.core.GrantedAuthorityDefaults; |
||||
|
||||
/** |
||||
* Configuration for a {@link ReactiveAuthenticationManager} based Method Security. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
@Configuration(proxyBeanMethods = false) |
||||
final class ReactiveAuthorizationManagerMethodSecurityConfiguration { |
||||
|
||||
@Bean |
||||
@Role(BeanDefinition.ROLE_INFRASTRUCTURE) |
||||
PreFilterAuthorizationReactiveMethodInterceptor preFilterInterceptor( |
||||
MethodSecurityExpressionHandler expressionHandler) { |
||||
return new PreFilterAuthorizationReactiveMethodInterceptor(expressionHandler); |
||||
} |
||||
|
||||
@Bean |
||||
@Role(BeanDefinition.ROLE_INFRASTRUCTURE) |
||||
AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorizeInterceptor( |
||||
MethodSecurityExpressionHandler expressionHandler) { |
||||
PreAuthorizeReactiveAuthorizationManager authorizationManager = new PreAuthorizeReactiveAuthorizationManager( |
||||
expressionHandler); |
||||
return AuthorizationManagerBeforeReactiveMethodInterceptor.preAuthorize(authorizationManager); |
||||
} |
||||
|
||||
@Bean |
||||
@Role(BeanDefinition.ROLE_INFRASTRUCTURE) |
||||
PostFilterAuthorizationReactiveMethodInterceptor postFilterInterceptor( |
||||
MethodSecurityExpressionHandler expressionHandler) { |
||||
return new PostFilterAuthorizationReactiveMethodInterceptor(expressionHandler); |
||||
} |
||||
|
||||
@Bean |
||||
@Role(BeanDefinition.ROLE_INFRASTRUCTURE) |
||||
AuthorizationManagerAfterReactiveMethodInterceptor postAuthorizeInterceptor( |
||||
MethodSecurityExpressionHandler expressionHandler) { |
||||
PostAuthorizeReactiveAuthorizationManager authorizationManager = new PostAuthorizeReactiveAuthorizationManager( |
||||
expressionHandler); |
||||
return AuthorizationManagerAfterReactiveMethodInterceptor.postAuthorize(authorizationManager); |
||||
} |
||||
|
||||
@Bean |
||||
@Role(BeanDefinition.ROLE_INFRASTRUCTURE) |
||||
DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler( |
||||
@Autowired(required = false) GrantedAuthorityDefaults grantedAuthorityDefaults) { |
||||
DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler(); |
||||
if (grantedAuthorityDefaults != null) { |
||||
handler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix()); |
||||
} |
||||
return handler; |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,484 @@
@@ -0,0 +1,484 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.config.annotation.method.configuration; |
||||
|
||||
import org.junit.jupiter.api.AfterEach; |
||||
import org.junit.jupiter.api.Test; |
||||
import org.junit.jupiter.api.extension.ExtendWith; |
||||
import org.reactivestreams.Publisher; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
import reactor.test.StepVerifier; |
||||
import reactor.test.publisher.TestPublisher; |
||||
import reactor.util.context.Context; |
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired; |
||||
import org.springframework.context.annotation.Bean; |
||||
import org.springframework.security.access.AccessDeniedException; |
||||
import org.springframework.security.authentication.TestingAuthenticationToken; |
||||
import org.springframework.security.core.context.ReactiveSecurityContextHolder; |
||||
import org.springframework.test.context.ContextConfiguration; |
||||
import org.springframework.test.context.junit.jupiter.SpringExtension; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalStateException; |
||||
import static org.mockito.BDDMockito.given; |
||||
import static org.mockito.Mockito.mock; |
||||
import static org.mockito.Mockito.reset; |
||||
|
||||
/** |
||||
* Tests for {@link EnableReactiveMethodSecurity} with the |
||||
* {@link EnableReactiveMethodSecurity#useAuthorizationManager()} flag set to true. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
*/ |
||||
@ExtendWith(SpringExtension.class) |
||||
@ContextConfiguration |
||||
public class EnableAuthorizationManagerReactiveMethodSecurityTests { |
||||
|
||||
@Autowired |
||||
ReactiveMessageService messageService; |
||||
|
||||
ReactiveMessageService delegate; |
||||
|
||||
TestPublisher<String> result = TestPublisher.create(); |
||||
|
||||
Context withAdmin = ReactiveSecurityContextHolder |
||||
.withAuthentication(new TestingAuthenticationToken("admin", "password", "ROLE_USER", "ROLE_ADMIN")); |
||||
|
||||
Context withUser = ReactiveSecurityContextHolder |
||||
.withAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
|
||||
@AfterEach |
||||
public void cleanup() { |
||||
reset(this.delegate); |
||||
} |
||||
|
||||
@Autowired |
||||
public void setConfig(Config config) { |
||||
this.delegate = config.delegate; |
||||
} |
||||
|
||||
@Test |
||||
public void notPublisherPreAuthorizeFindByIdThenThrowsIllegalStateException() { |
||||
assertThatIllegalStateException().isThrownBy(() -> this.messageService.notPublisherPreAuthorizeFindById(1L)) |
||||
.withMessage("The returnType class java.lang.String on public abstract java.lang.String " |
||||
+ "org.springframework.security.config.annotation.method.configuration.ReactiveMessageService" |
||||
+ ".notPublisherPreAuthorizeFindById(long) must return an instance of org.reactivestreams" |
||||
+ ".Publisher (for example, a Mono or Flux) in order to support Reactor Context"); |
||||
} |
||||
|
||||
@Test |
||||
public void monoWhenPermitAllThenAopDoesNotSubscribe() { |
||||
given(this.delegate.monoFindById(1L)).willReturn(Mono.from(this.result)); |
||||
this.delegate.monoFindById(1L); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoWhenPermitAllThenSuccess() { |
||||
given(this.delegate.monoFindById(1L)).willReturn(Mono.just("success")); |
||||
StepVerifier.create(this.delegate.monoFindById(1L)).expectNext("success").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeHasRoleWhenGrantedThenSuccess() { |
||||
given(this.delegate.monoPreAuthorizeHasRoleFindById(1L)).willReturn(Mono.just("result")); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeHasRoleFindById(1L).contextWrite(this.withAdmin); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeHasRoleWhenNoAuthenticationThenDenied() { |
||||
given(this.delegate.monoPreAuthorizeHasRoleFindById(1L)).willReturn(Mono.from(this.result)); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeHasRoleFindById(1L); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeHasRoleWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.monoPreAuthorizeHasRoleFindById(1L)).willReturn(Mono.from(this.result)); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeHasRoleFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeBeanWhenGrantedThenSuccess() { |
||||
given(this.delegate.monoPreAuthorizeBeanFindById(2L)).willReturn(Mono.just("result")); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeBeanFindById(2L).contextWrite(this.withAdmin); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeBeanWhenNotAuthenticatedAndGrantedThenSuccess() { |
||||
given(this.delegate.monoPreAuthorizeBeanFindById(2L)).willReturn(Mono.just("result")); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeBeanFindById(2L); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeBeanWhenNoAuthenticationThenDenied() { |
||||
given(this.delegate.monoPreAuthorizeBeanFindById(1L)).willReturn(Mono.from(this.result)); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeBeanFindById(1L); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeBeanWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.monoPreAuthorizeBeanFindById(1L)).willReturn(Mono.from(this.result)); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeBeanFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeBeanReactiveExpressionWhenGrantedThenSuccess() { |
||||
given(this.delegate.monoPreAuthorizeBeanFindByIdReactiveExpression(2L)).willReturn(Mono.just("result")); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeBeanFindByIdReactiveExpression(2L) |
||||
.contextWrite(this.withAdmin); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeBeanReactiveExpressionWhenNotAuthenticatedAndGrantedThenSuccess() { |
||||
given(this.delegate.monoPreAuthorizeBeanFindByIdReactiveExpression(2L)).willReturn(Mono.just("result")); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeBeanFindByIdReactiveExpression(2L); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeBeanReactiveExpressionWhenNoAuthenticationThenDenied() { |
||||
given(this.delegate.monoPreAuthorizeBeanFindByIdReactiveExpression(1L)).willReturn(Mono.from(this.result)); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeBeanFindByIdReactiveExpression(1L); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPreAuthorizeBeanReactiveExpressionWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.monoPreAuthorizeBeanFindByIdReactiveExpression(1L)).willReturn(Mono.from(this.result)); |
||||
Mono<String> findById = this.messageService.monoPreAuthorizeBeanFindByIdReactiveExpression(1L) |
||||
.contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPostAuthorizeWhenAuthorizedThenSuccess() { |
||||
given(this.delegate.monoPostAuthorizeFindById(1L)).willReturn(Mono.just("user")); |
||||
Mono<String> findById = this.messageService.monoPostAuthorizeFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectNext("user").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPostAuthorizeWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.monoPostAuthorizeBeanFindById(1L)).willReturn(Mono.just("not-authorized")); |
||||
Mono<String> findById = this.messageService.monoPostAuthorizeBeanFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPostAuthorizeWhenBeanAndAuthorizedThenSuccess() { |
||||
given(this.delegate.monoPostAuthorizeBeanFindById(2L)).willReturn(Mono.just("user")); |
||||
Mono<String> findById = this.messageService.monoPostAuthorizeBeanFindById(2L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectNext("user").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPostAuthorizeWhenBeanAndNotAuthenticatedAndAuthorizedThenSuccess() { |
||||
given(this.delegate.monoPostAuthorizeBeanFindById(2L)).willReturn(Mono.just("anonymous")); |
||||
Mono<String> findById = this.messageService.monoPostAuthorizeBeanFindById(2L); |
||||
StepVerifier.create(findById).expectNext("anonymous").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void monoPostAuthorizeWhenBeanAndNotAuthorizedThenDenied() { |
||||
given(this.delegate.monoPostAuthorizeBeanFindById(1L)).willReturn(Mono.just("not-authorized")); |
||||
Mono<String> findById = this.messageService.monoPostAuthorizeBeanFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
} |
||||
|
||||
// Flux tests
|
||||
@Test |
||||
public void fluxWhenPermitAllThenAopDoesNotSubscribe() { |
||||
given(this.delegate.fluxFindById(1L)).willReturn(Flux.from(this.result)); |
||||
this.delegate.fluxFindById(1L); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxWhenPermitAllThenSuccess() { |
||||
given(this.delegate.fluxFindById(1L)).willReturn(Flux.just("success")); |
||||
StepVerifier.create(this.delegate.fluxFindById(1L)).expectNext("success").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPreAuthorizeHasRoleWhenGrantedThenSuccess() { |
||||
given(this.delegate.fluxPreAuthorizeHasRoleFindById(1L)).willReturn(Flux.just("result")); |
||||
Flux<String> findById = this.messageService.fluxPreAuthorizeHasRoleFindById(1L).contextWrite(this.withAdmin); |
||||
StepVerifier.create(findById).consumeNextWith((s) -> assertThat(s).isEqualTo("result")).verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPreAuthorizeHasRoleWhenNoAuthenticationThenDenied() { |
||||
given(this.delegate.fluxPreAuthorizeHasRoleFindById(1L)).willReturn(Flux.from(this.result)); |
||||
Flux<String> findById = this.messageService.fluxPreAuthorizeHasRoleFindById(1L); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPreAuthorizeHasRoleWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.fluxPreAuthorizeHasRoleFindById(1L)).willReturn(Flux.from(this.result)); |
||||
Flux<String> findById = this.messageService.fluxPreAuthorizeHasRoleFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPreAuthorizeBeanWhenGrantedThenSuccess() { |
||||
given(this.delegate.fluxPreAuthorizeBeanFindById(2L)).willReturn(Flux.just("result")); |
||||
Flux<String> findById = this.messageService.fluxPreAuthorizeBeanFindById(2L).contextWrite(this.withAdmin); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPreAuthorizeBeanWhenNotAuthenticatedAndGrantedThenSuccess() { |
||||
given(this.delegate.fluxPreAuthorizeBeanFindById(2L)).willReturn(Flux.just("result")); |
||||
Flux<String> findById = this.messageService.fluxPreAuthorizeBeanFindById(2L); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPreAuthorizeBeanWhenNoAuthenticationThenDenied() { |
||||
given(this.delegate.fluxPreAuthorizeBeanFindById(1L)).willReturn(Flux.from(this.result)); |
||||
Flux<String> findById = this.messageService.fluxPreAuthorizeBeanFindById(1L); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPreAuthorizeBeanWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.fluxPreAuthorizeBeanFindById(1L)).willReturn(Flux.from(this.result)); |
||||
Flux<String> findById = this.messageService.fluxPreAuthorizeBeanFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPostAuthorizeWhenAuthorizedThenSuccess() { |
||||
given(this.delegate.fluxPostAuthorizeFindById(1L)).willReturn(Flux.just("user")); |
||||
Flux<String> findById = this.messageService.fluxPostAuthorizeFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectNext("user").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPostAuthorizeWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.fluxPostAuthorizeBeanFindById(1L)).willReturn(Flux.just("not-authorized")); |
||||
Flux<String> findById = this.messageService.fluxPostAuthorizeBeanFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPostAuthorizeWhenBeanAndAuthorizedThenSuccess() { |
||||
given(this.delegate.fluxPostAuthorizeBeanFindById(2L)).willReturn(Flux.just("user")); |
||||
Flux<String> findById = this.messageService.fluxPostAuthorizeBeanFindById(2L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectNext("user").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPostAuthorizeWhenBeanAndNotAuthenticatedAndAuthorizedThenSuccess() { |
||||
given(this.delegate.fluxPostAuthorizeBeanFindById(2L)).willReturn(Flux.just("anonymous")); |
||||
Flux<String> findById = this.messageService.fluxPostAuthorizeBeanFindById(2L); |
||||
StepVerifier.create(findById).expectNext("anonymous").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPostAuthorizeWhenBeanAndNotAuthorizedThenDenied() { |
||||
given(this.delegate.fluxPostAuthorizeBeanFindById(1L)).willReturn(Flux.just("not-authorized")); |
||||
Flux<String> findById = this.messageService.fluxPostAuthorizeBeanFindById(1L).contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxManyAnnotationsWhenMeetsConditionsThenReturnsFilteredFlux() { |
||||
Flux<String> flux = this.messageService.fluxManyAnnotations(Flux.just("harold", "jonathan", "pete", "bo")) |
||||
.contextWrite(this.withAdmin); |
||||
StepVerifier.create(flux).expectNext("harold", "jonathan").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxManyAnnotationsWhenUserThenFails() { |
||||
Flux<String> flux = this.messageService.fluxManyAnnotations(Flux.just("harold", "jonathan", "pete", "bo")) |
||||
.contextWrite(this.withUser); |
||||
StepVerifier.create(flux).expectError(AccessDeniedException.class).verify(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxManyAnnotationsWhenNameNotAllowedThenFails() { |
||||
Flux<String> flux = this.messageService |
||||
.fluxManyAnnotations(Flux.just("harold", "jonathan", "michael", "pete", "bo")) |
||||
.contextWrite(this.withAdmin); |
||||
StepVerifier.create(flux).expectNext("harold", "jonathan").expectError(AccessDeniedException.class).verify(); |
||||
} |
||||
|
||||
@Test |
||||
public void fluxPostFilterWhenFilteringThenWorks() { |
||||
Flux<String> flux = this.messageService.fluxPostFilter(Flux.just("harold", "jonathan", "michael", "pete", "bo")) |
||||
.contextWrite(this.withAdmin); |
||||
StepVerifier.create(flux).expectNext("harold", "jonathan", "michael").verifyComplete(); |
||||
} |
||||
|
||||
// Publisher tests
|
||||
@Test |
||||
public void publisherWhenPermitAllThenAopDoesNotSubscribe() { |
||||
given(this.delegate.publisherFindById(1L)).willReturn(this.result); |
||||
this.delegate.publisherFindById(1L); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherWhenPermitAllThenSuccess() { |
||||
given(this.delegate.publisherFindById(1L)).willReturn(publisherJust("success")); |
||||
StepVerifier.create(this.delegate.publisherFindById(1L)).expectNext("success").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPreAuthorizeHasRoleWhenGrantedThenSuccess() { |
||||
given(this.delegate.publisherPreAuthorizeHasRoleFindById(1L)).willReturn(publisherJust("result")); |
||||
Publisher<String> findById = Flux.from(this.messageService.publisherPreAuthorizeHasRoleFindById(1L)) |
||||
.contextWrite(this.withAdmin); |
||||
StepVerifier.create(findById).consumeNextWith((s) -> assertThat(s).isEqualTo("result")).verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPreAuthorizeHasRoleWhenNoAuthenticationThenDenied() { |
||||
given(this.delegate.publisherPreAuthorizeHasRoleFindById(1L)).willReturn(this.result); |
||||
Publisher<String> findById = this.messageService.publisherPreAuthorizeHasRoleFindById(1L); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPreAuthorizeHasRoleWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.publisherPreAuthorizeHasRoleFindById(1L)).willReturn(this.result); |
||||
Publisher<String> findById = Flux.from(this.messageService.publisherPreAuthorizeHasRoleFindById(1L)) |
||||
.contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPreAuthorizeBeanWhenGrantedThenSuccess() { |
||||
given(this.delegate.publisherPreAuthorizeBeanFindById(2L)).willReturn(publisherJust("result")); |
||||
Publisher<String> findById = Flux.from(this.messageService.publisherPreAuthorizeBeanFindById(2L)) |
||||
.contextWrite(this.withAdmin); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPreAuthorizeBeanWhenNotAuthenticatedAndGrantedThenSuccess() { |
||||
given(this.delegate.publisherPreAuthorizeBeanFindById(2L)).willReturn(publisherJust("result")); |
||||
Publisher<String> findById = this.messageService.publisherPreAuthorizeBeanFindById(2L); |
||||
StepVerifier.create(findById).expectNext("result").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPreAuthorizeBeanWhenNoAuthenticationThenDenied() { |
||||
given(this.delegate.publisherPreAuthorizeBeanFindById(1L)).willReturn(this.result); |
||||
Publisher<String> findById = this.messageService.publisherPreAuthorizeBeanFindById(1L); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPreAuthorizeBeanWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.publisherPreAuthorizeBeanFindById(1L)).willReturn(this.result); |
||||
Publisher<String> findById = Flux.from(this.messageService.publisherPreAuthorizeBeanFindById(1L)) |
||||
.contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
this.result.assertNoSubscribers(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPostAuthorizeWhenAuthorizedThenSuccess() { |
||||
given(this.delegate.publisherPostAuthorizeFindById(1L)).willReturn(publisherJust("user")); |
||||
Publisher<String> findById = Flux.from(this.messageService.publisherPostAuthorizeFindById(1L)) |
||||
.contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectNext("user").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPostAuthorizeWhenNotAuthorizedThenDenied() { |
||||
given(this.delegate.publisherPostAuthorizeBeanFindById(1L)).willReturn(publisherJust("not-authorized")); |
||||
Publisher<String> findById = Flux.from(this.messageService.publisherPostAuthorizeBeanFindById(1L)) |
||||
.contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPostAuthorizeWhenBeanAndAuthorizedThenSuccess() { |
||||
given(this.delegate.publisherPostAuthorizeBeanFindById(2L)).willReturn(publisherJust("user")); |
||||
Publisher<String> findById = Flux.from(this.messageService.publisherPostAuthorizeBeanFindById(2L)) |
||||
.contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectNext("user").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPostAuthorizeWhenBeanAndNotAuthenticatedAndAuthorizedThenSuccess() { |
||||
given(this.delegate.publisherPostAuthorizeBeanFindById(2L)).willReturn(publisherJust("anonymous")); |
||||
Publisher<String> findById = this.messageService.publisherPostAuthorizeBeanFindById(2L); |
||||
StepVerifier.create(findById).expectNext("anonymous").verifyComplete(); |
||||
} |
||||
|
||||
@Test |
||||
public void publisherPostAuthorizeWhenBeanAndNotAuthorizedThenDenied() { |
||||
given(this.delegate.publisherPostAuthorizeBeanFindById(1L)).willReturn(publisherJust("not-authorized")); |
||||
Publisher<String> findById = Flux.from(this.messageService.publisherPostAuthorizeBeanFindById(1L)) |
||||
.contextWrite(this.withUser); |
||||
StepVerifier.create(findById).expectError(AccessDeniedException.class).verify(); |
||||
} |
||||
|
||||
static <T> Publisher<T> publisher(Flux<T> flux) { |
||||
return (subscriber) -> flux.subscribe(subscriber); |
||||
} |
||||
|
||||
static <T> Publisher<T> publisherJust(T... data) { |
||||
return publisher(Flux.just(data)); |
||||
} |
||||
|
||||
@EnableReactiveMethodSecurity(useAuthorizationManager = true) |
||||
static class Config { |
||||
|
||||
ReactiveMessageService delegate = mock(ReactiveMessageService.class); |
||||
|
||||
@Bean |
||||
DelegatingReactiveMessageService defaultMessageService() { |
||||
return new DelegatingReactiveMessageService(this.delegate); |
||||
} |
||||
|
||||
@Bean |
||||
Authz authz() { |
||||
return new Authz(); |
||||
} |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,153 @@
@@ -0,0 +1,153 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.reflect.Method; |
||||
import java.util.function.Function; |
||||
|
||||
import org.aopalliance.aop.Advice; |
||||
import org.aopalliance.intercept.MethodInterceptor; |
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import org.reactivestreams.Publisher; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.aop.Pointcut; |
||||
import org.springframework.aop.PointcutAdvisor; |
||||
import org.springframework.aop.framework.AopInfrastructureBean; |
||||
import org.springframework.core.Ordered; |
||||
import org.springframework.core.ReactiveAdapter; |
||||
import org.springframework.core.ReactiveAdapterRegistry; |
||||
import org.springframework.security.access.prepost.PostAuthorize; |
||||
import org.springframework.security.authorization.ReactiveAuthorizationManager; |
||||
import org.springframework.security.core.Authentication; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* A {@link MethodInterceptor} which can determine if an {@link Authentication} has access |
||||
* to the returned object from the {@link MethodInvocation} using the configured |
||||
* {@link ReactiveAuthorizationManager}. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
public final class AuthorizationManagerAfterReactiveMethodInterceptor |
||||
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { |
||||
|
||||
private final Pointcut pointcut; |
||||
|
||||
private final ReactiveAuthorizationManager<MethodInvocationResult> authorizationManager; |
||||
|
||||
private int order = AuthorizationInterceptorsOrder.LAST.getOrder(); |
||||
|
||||
/** |
||||
* Creates an instance for the {@link PostAuthorize} annotation. |
||||
* @return the {@link AuthorizationManagerAfterReactiveMethodInterceptor} to use |
||||
*/ |
||||
public static AuthorizationManagerAfterReactiveMethodInterceptor postAuthorize() { |
||||
return postAuthorize(new PostAuthorizeReactiveAuthorizationManager()); |
||||
} |
||||
|
||||
/** |
||||
* Creates an instance for the {@link PostAuthorize} annotation. |
||||
* @param authorizationManager the {@link ReactiveAuthorizationManager} to use |
||||
* @return the {@link AuthorizationManagerAfterReactiveMethodInterceptor} to use |
||||
*/ |
||||
public static AuthorizationManagerAfterReactiveMethodInterceptor postAuthorize( |
||||
ReactiveAuthorizationManager<MethodInvocationResult> authorizationManager) { |
||||
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( |
||||
AuthorizationMethodPointcuts.forAnnotations(PostAuthorize.class), authorizationManager); |
||||
interceptor.setOrder(AuthorizationInterceptorsOrder.POST_AUTHORIZE.getOrder()); |
||||
return interceptor; |
||||
} |
||||
|
||||
/** |
||||
* Creates an instance. |
||||
* @param pointcut the {@link Pointcut} to use |
||||
* @param authorizationManager the {@link ReactiveAuthorizationManager} to use |
||||
*/ |
||||
public AuthorizationManagerAfterReactiveMethodInterceptor(Pointcut pointcut, |
||||
ReactiveAuthorizationManager<MethodInvocationResult> authorizationManager) { |
||||
Assert.notNull(pointcut, "pointcut cannot be null"); |
||||
Assert.notNull(authorizationManager, "authorizationManager cannot be null"); |
||||
this.pointcut = pointcut; |
||||
this.authorizationManager = authorizationManager; |
||||
} |
||||
|
||||
/** |
||||
* Determines if an {@link Authentication} has access to the returned object from the |
||||
* {@link MethodInvocation} using the configured {@link ReactiveAuthorizationManager}. |
||||
* @param mi the {@link MethodInvocation} to use |
||||
* @return the {@link Publisher} from the {@link MethodInvocation} or a |
||||
* {@link Publisher} error if access is denied |
||||
*/ |
||||
@Override |
||||
public Object invoke(MethodInvocation mi) throws Throwable { |
||||
Method method = mi.getMethod(); |
||||
Class<?> type = method.getReturnType(); |
||||
Assert.state(Publisher.class.isAssignableFrom(type), |
||||
() -> String.format("The returnType %s on %s must return an instance of org.reactivestreams.Publisher " |
||||
+ "(for example, a Mono or Flux) in order to support Reactor Context", type, method)); |
||||
Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication(); |
||||
Function<Object, Mono<?>> postAuthorize = (result) -> postAuthorize(authentication, mi, result); |
||||
ReactiveAdapter adapter = ReactiveAdapterRegistry.getSharedInstance().getAdapter(type); |
||||
Publisher<?> publisher = ReactiveMethodInvocationUtils.proceed(mi); |
||||
if (isMultiValue(type, adapter)) { |
||||
Flux<?> flux = Flux.from(publisher).flatMap(postAuthorize); |
||||
return (adapter != null) ? adapter.fromPublisher(flux) : flux; |
||||
} |
||||
Mono<?> mono = Mono.from(publisher).flatMap(postAuthorize); |
||||
return (adapter != null) ? adapter.fromPublisher(mono) : mono; |
||||
} |
||||
|
||||
private boolean isMultiValue(Class<?> returnType, ReactiveAdapter adapter) { |
||||
if (Flux.class.isAssignableFrom(returnType)) { |
||||
return true; |
||||
} |
||||
return adapter == null || adapter.isMultiValue(); |
||||
} |
||||
|
||||
private Mono<?> postAuthorize(Mono<Authentication> authentication, MethodInvocation mi, Object result) { |
||||
return this.authorizationManager.verify(authentication, new MethodInvocationResult(mi, result)) |
||||
.thenReturn(result); |
||||
} |
||||
|
||||
@Override |
||||
public Pointcut getPointcut() { |
||||
return this.pointcut; |
||||
} |
||||
|
||||
@Override |
||||
public Advice getAdvice() { |
||||
return this; |
||||
} |
||||
|
||||
@Override |
||||
public boolean isPerInstance() { |
||||
return true; |
||||
} |
||||
|
||||
@Override |
||||
public int getOrder() { |
||||
return this.order; |
||||
} |
||||
|
||||
public void setOrder(int order) { |
||||
this.order = order; |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,149 @@
@@ -0,0 +1,149 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.reflect.Method; |
||||
|
||||
import org.aopalliance.aop.Advice; |
||||
import org.aopalliance.intercept.MethodInterceptor; |
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import org.reactivestreams.Publisher; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.aop.Pointcut; |
||||
import org.springframework.aop.PointcutAdvisor; |
||||
import org.springframework.aop.framework.AopInfrastructureBean; |
||||
import org.springframework.core.Ordered; |
||||
import org.springframework.core.ReactiveAdapter; |
||||
import org.springframework.core.ReactiveAdapterRegistry; |
||||
import org.springframework.security.access.prepost.PreAuthorize; |
||||
import org.springframework.security.authorization.ReactiveAuthorizationManager; |
||||
import org.springframework.security.core.Authentication; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* A {@link MethodInterceptor} which can determine if an {@link Authentication} has access |
||||
* to the {@link MethodInvocation} using the configured |
||||
* {@link ReactiveAuthorizationManager}. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @author Josh Cummings |
||||
* @since 5.8 |
||||
*/ |
||||
public final class AuthorizationManagerBeforeReactiveMethodInterceptor |
||||
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { |
||||
|
||||
private final Pointcut pointcut; |
||||
|
||||
private final ReactiveAuthorizationManager<MethodInvocation> authorizationManager; |
||||
|
||||
private int order = AuthorizationInterceptorsOrder.FIRST.getOrder(); |
||||
|
||||
/** |
||||
* Creates an instance for the {@link PreAuthorize} annotation. |
||||
* @return the {@link AuthorizationManagerBeforeReactiveMethodInterceptor} to use |
||||
*/ |
||||
public static AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorize() { |
||||
return preAuthorize(new PreAuthorizeReactiveAuthorizationManager()); |
||||
} |
||||
|
||||
/** |
||||
* Creates an instance for the {@link PreAuthorize} annotation. |
||||
* @param authorizationManager the {@link ReactiveAuthorizationManager} to use |
||||
* @return the {@link AuthorizationManagerBeforeReactiveMethodInterceptor} to use |
||||
*/ |
||||
public static AuthorizationManagerBeforeReactiveMethodInterceptor preAuthorize( |
||||
ReactiveAuthorizationManager<MethodInvocation> authorizationManager) { |
||||
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( |
||||
AuthorizationMethodPointcuts.forAnnotations(PreAuthorize.class), authorizationManager); |
||||
interceptor.setOrder(AuthorizationInterceptorsOrder.PRE_AUTHORIZE.getOrder()); |
||||
return interceptor; |
||||
} |
||||
|
||||
/** |
||||
* Creates an instance. |
||||
* @param pointcut the {@link Pointcut} to use |
||||
* @param authorizationManager the {@link ReactiveAuthorizationManager} to use |
||||
*/ |
||||
public AuthorizationManagerBeforeReactiveMethodInterceptor(Pointcut pointcut, |
||||
ReactiveAuthorizationManager<MethodInvocation> authorizationManager) { |
||||
Assert.notNull(pointcut, "pointcut cannot be null"); |
||||
Assert.notNull(authorizationManager, "authorizationManager cannot be null"); |
||||
this.pointcut = pointcut; |
||||
this.authorizationManager = authorizationManager; |
||||
} |
||||
|
||||
/** |
||||
* Determines if an {@link Authentication} has access to the {@link MethodInvocation} |
||||
* using the configured {@link ReactiveAuthorizationManager}. |
||||
* @param mi the {@link MethodInvocation} to use |
||||
* @return the {@link Publisher} from the {@link MethodInvocation} or a |
||||
* {@link Publisher} error if access is denied |
||||
*/ |
||||
@Override |
||||
public Object invoke(MethodInvocation mi) throws Throwable { |
||||
Method method = mi.getMethod(); |
||||
Class<?> type = method.getReturnType(); |
||||
Assert.state(Publisher.class.isAssignableFrom(type), |
||||
() -> String.format("The returnType %s on %s must return an instance of org.reactivestreams.Publisher " |
||||
+ "(for example, a Mono or Flux) in order to support Reactor Context", type, method)); |
||||
Mono<Authentication> authentication = ReactiveAuthenticationUtils.getAuthentication(); |
||||
ReactiveAdapter adapter = ReactiveAdapterRegistry.getSharedInstance().getAdapter(type); |
||||
Mono<Void> preAuthorize = this.authorizationManager.verify(authentication, mi); |
||||
if (isMultiValue(type, adapter)) { |
||||
Publisher<?> publisher = Flux.defer(() -> ReactiveMethodInvocationUtils.proceed(mi)); |
||||
Flux<?> result = preAuthorize.thenMany(publisher); |
||||
return (adapter != null) ? adapter.fromPublisher(result) : result; |
||||
} |
||||
Mono<?> publisher = Mono.defer(() -> ReactiveMethodInvocationUtils.proceed(mi)); |
||||
Mono<?> result = preAuthorize.then(publisher); |
||||
return (adapter != null) ? adapter.fromPublisher(result) : result; |
||||
} |
||||
|
||||
private boolean isMultiValue(Class<?> returnType, ReactiveAdapter adapter) { |
||||
if (Flux.class.isAssignableFrom(returnType)) { |
||||
return true; |
||||
} |
||||
return adapter == null || adapter.isMultiValue(); |
||||
} |
||||
|
||||
@Override |
||||
public Pointcut getPointcut() { |
||||
return this.pointcut; |
||||
} |
||||
|
||||
@Override |
||||
public Advice getAdvice() { |
||||
return this; |
||||
} |
||||
|
||||
@Override |
||||
public boolean isPerInstance() { |
||||
return true; |
||||
} |
||||
|
||||
@Override |
||||
public int getOrder() { |
||||
return this.order; |
||||
} |
||||
|
||||
public void setOrder(int order) { |
||||
this.order = order; |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,72 @@
@@ -0,0 +1,72 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.reflect.Method; |
||||
|
||||
import reactor.util.annotation.NonNull; |
||||
|
||||
import org.springframework.aop.support.AopUtils; |
||||
import org.springframework.expression.Expression; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.prepost.PostAuthorize; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* For internal use only, as this contract is likely to change. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
final class PostAuthorizeExpressionAttributeRegistry extends AbstractExpressionAttributeRegistry<ExpressionAttribute> { |
||||
|
||||
private final MethodSecurityExpressionHandler expressionHandler; |
||||
|
||||
PostAuthorizeExpressionAttributeRegistry() { |
||||
this(new DefaultMethodSecurityExpressionHandler()); |
||||
} |
||||
|
||||
PostAuthorizeExpressionAttributeRegistry(MethodSecurityExpressionHandler expressionHandler) { |
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null"); |
||||
this.expressionHandler = expressionHandler; |
||||
} |
||||
|
||||
MethodSecurityExpressionHandler getExpressionHandler() { |
||||
return this.expressionHandler; |
||||
} |
||||
|
||||
@NonNull |
||||
@Override |
||||
ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) { |
||||
Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass); |
||||
PostAuthorize postAuthorize = findPostAuthorizeAnnotation(specificMethod); |
||||
if (postAuthorize == null) { |
||||
return ExpressionAttribute.NULL_ATTRIBUTE; |
||||
} |
||||
Expression postAuthorizeExpression = this.expressionHandler.getExpressionParser() |
||||
.parseExpression(postAuthorize.value()); |
||||
return new ExpressionAttribute(postAuthorizeExpression); |
||||
} |
||||
|
||||
private PostAuthorize findPostAuthorizeAnnotation(Method method) { |
||||
PostAuthorize postAuthorize = AuthorizationAnnotationUtils.findUniqueAnnotation(method, PostAuthorize.class); |
||||
return (postAuthorize != null) ? postAuthorize |
||||
: AuthorizationAnnotationUtils.findUniqueAnnotation(method.getDeclaringClass(), PostAuthorize.class); |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,78 @@
@@ -0,0 +1,78 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.prepost.PostAuthorize; |
||||
import org.springframework.security.authorization.AuthorizationDecision; |
||||
import org.springframework.security.authorization.ReactiveAuthorizationManager; |
||||
import org.springframework.security.core.Authentication; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* A {@link ReactiveAuthorizationManager} which can determine if an {@link Authentication} |
||||
* has access to the returned object from the {@link MethodInvocation} by evaluating an |
||||
* expression from the {@link PostAuthorize} annotation. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
public final class PostAuthorizeReactiveAuthorizationManager |
||||
implements ReactiveAuthorizationManager<MethodInvocationResult> { |
||||
|
||||
private final PostAuthorizeExpressionAttributeRegistry registry; |
||||
|
||||
public PostAuthorizeReactiveAuthorizationManager() { |
||||
this(new DefaultMethodSecurityExpressionHandler()); |
||||
} |
||||
|
||||
public PostAuthorizeReactiveAuthorizationManager(MethodSecurityExpressionHandler expressionHandler) { |
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null"); |
||||
this.registry = new PostAuthorizeExpressionAttributeRegistry(expressionHandler); |
||||
} |
||||
|
||||
/** |
||||
* Determines if an {@link Authentication} has access to the returned object from the |
||||
* {@link MethodInvocation} by evaluating an expression from the {@link PostAuthorize} |
||||
* annotation. |
||||
* @param authentication the {@link Mono} of the {@link Authentication} to check |
||||
* @param result the {@link MethodInvocationResult} to check |
||||
* @return a Mono of the {@link AuthorizationDecision} or an empty {@link Mono} if the |
||||
* {@link PostAuthorize} annotation is not present |
||||
*/ |
||||
@Override |
||||
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, MethodInvocationResult result) { |
||||
MethodInvocation mi = result.getMethodInvocation(); |
||||
ExpressionAttribute attribute = this.registry.getAttribute(mi); |
||||
if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) { |
||||
return Mono.empty(); |
||||
} |
||||
MethodSecurityExpressionHandler expressionHandler = this.registry.getExpressionHandler(); |
||||
// @formatter:off
|
||||
return authentication |
||||
.map((auth) -> expressionHandler.createEvaluationContext(auth, mi)) |
||||
.doOnNext((ctx) -> expressionHandler.setReturnObject(result.getResult(), ctx)) |
||||
.flatMap((ctx) -> ReactiveExpressionUtils.evaluateAsBoolean(attribute.getExpression(), ctx)) |
||||
.map((granted) -> new ExpressionAttributeAuthorizationDecision(granted, attribute)); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,153 @@
@@ -0,0 +1,153 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.reflect.Method; |
||||
|
||||
import org.aopalliance.aop.Advice; |
||||
import org.aopalliance.intercept.MethodInterceptor; |
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import org.reactivestreams.Publisher; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.aop.Pointcut; |
||||
import org.springframework.aop.PointcutAdvisor; |
||||
import org.springframework.aop.framework.AopInfrastructureBean; |
||||
import org.springframework.core.Ordered; |
||||
import org.springframework.core.ReactiveAdapter; |
||||
import org.springframework.core.ReactiveAdapterRegistry; |
||||
import org.springframework.expression.EvaluationContext; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations; |
||||
import org.springframework.security.access.prepost.PostFilter; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* A {@link MethodInterceptor} which filters the returned object from the |
||||
* {@link MethodInvocation} by evaluating an expression from the {@link PostFilter} |
||||
* annotation. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
public final class PostFilterAuthorizationReactiveMethodInterceptor |
||||
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { |
||||
|
||||
private final PostFilterExpressionAttributeRegistry registry; |
||||
|
||||
private final Pointcut pointcut = AuthorizationMethodPointcuts.forAnnotations(PostFilter.class); |
||||
|
||||
private int order = AuthorizationInterceptorsOrder.POST_FILTER.getOrder(); |
||||
|
||||
/** |
||||
* Creates an instance. |
||||
*/ |
||||
public PostFilterAuthorizationReactiveMethodInterceptor() { |
||||
this(new DefaultMethodSecurityExpressionHandler()); |
||||
} |
||||
|
||||
/** |
||||
* Creates an instance. |
||||
*/ |
||||
public PostFilterAuthorizationReactiveMethodInterceptor(MethodSecurityExpressionHandler expressionHandler) { |
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null"); |
||||
this.registry = new PostFilterExpressionAttributeRegistry(expressionHandler); |
||||
} |
||||
|
||||
/** |
||||
* Filters the returned object from the {@link MethodInvocation} by evaluating an |
||||
* expression from the {@link PostFilter} annotation. |
||||
* @param mi the {@link MethodInvocation} to use |
||||
* @return the {@link Publisher} to use |
||||
*/ |
||||
@Override |
||||
public Object invoke(MethodInvocation mi) throws Throwable { |
||||
ExpressionAttribute attribute = this.registry.getAttribute(mi); |
||||
if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) { |
||||
return ReactiveMethodInvocationUtils.proceed(mi); |
||||
} |
||||
Mono<EvaluationContext> toInvoke = ReactiveAuthenticationUtils.getAuthentication() |
||||
.map((auth) -> this.registry.getExpressionHandler().createEvaluationContext(auth, mi)); |
||||
Method method = mi.getMethod(); |
||||
Class<?> type = method.getReturnType(); |
||||
Assert.state(Publisher.class.isAssignableFrom(type), |
||||
() -> String.format("The parameter type %s on %s must be an instance of org.reactivestreams.Publisher " |
||||
+ "(for example, a Mono or Flux) in order to support Reactor Context", type, method)); |
||||
ReactiveAdapter adapter = ReactiveAdapterRegistry.getSharedInstance().getAdapter(type); |
||||
if (isMultiValue(type, adapter)) { |
||||
Publisher<?> publisher = Flux.defer(() -> ReactiveMethodInvocationUtils.proceed(mi)); |
||||
Flux<?> flux = toInvoke.flatMapMany((ctx) -> filterMultiValue(publisher, ctx, attribute)); |
||||
return (adapter != null) ? adapter.fromPublisher(flux) : flux; |
||||
} |
||||
Publisher<?> publisher = Mono.defer(() -> ReactiveMethodInvocationUtils.proceed(mi)); |
||||
Mono<?> mono = toInvoke.flatMap((ctx) -> filterSingleValue(publisher, ctx, attribute)); |
||||
return (adapter != null) ? adapter.fromPublisher(mono) : mono; |
||||
} |
||||
|
||||
private boolean isMultiValue(Class<?> returnType, ReactiveAdapter adapter) { |
||||
if (Flux.class.isAssignableFrom(returnType)) { |
||||
return true; |
||||
} |
||||
return adapter == null || adapter.isMultiValue(); |
||||
} |
||||
|
||||
private Mono<?> filterSingleValue(Publisher<?> publisher, EvaluationContext ctx, ExpressionAttribute attribute) { |
||||
return Mono.from(publisher).doOnNext((result) -> setFilterObject(ctx, result)) |
||||
.flatMap((result) -> postFilter(ctx, result, attribute)); |
||||
} |
||||
|
||||
private Flux<?> filterMultiValue(Publisher<?> publisher, EvaluationContext ctx, ExpressionAttribute attribute) { |
||||
return Flux.from(publisher).doOnNext((result) -> setFilterObject(ctx, result)) |
||||
.flatMap((result) -> postFilter(ctx, result, attribute)); |
||||
} |
||||
|
||||
private void setFilterObject(EvaluationContext ctx, Object result) { |
||||
((MethodSecurityExpressionOperations) ctx.getRootObject().getValue()).setFilterObject(result); |
||||
} |
||||
|
||||
private Mono<?> postFilter(EvaluationContext ctx, Object result, ExpressionAttribute attribute) { |
||||
return ReactiveExpressionUtils.evaluateAsBoolean(attribute.getExpression(), ctx) |
||||
.flatMap((granted) -> granted ? Mono.just(result) : Mono.empty()); |
||||
} |
||||
|
||||
@Override |
||||
public Pointcut getPointcut() { |
||||
return this.pointcut; |
||||
} |
||||
|
||||
@Override |
||||
public Advice getAdvice() { |
||||
return this; |
||||
} |
||||
|
||||
@Override |
||||
public boolean isPerInstance() { |
||||
return true; |
||||
} |
||||
|
||||
@Override |
||||
public int getOrder() { |
||||
return this.order; |
||||
} |
||||
|
||||
public void setOrder(int order) { |
||||
this.order = order; |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,71 @@
@@ -0,0 +1,71 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.reflect.Method; |
||||
|
||||
import org.springframework.aop.support.AopUtils; |
||||
import org.springframework.expression.Expression; |
||||
import org.springframework.lang.NonNull; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.prepost.PostFilter; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* For internal use only, as this contract is likely to change. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
final class PostFilterExpressionAttributeRegistry extends AbstractExpressionAttributeRegistry<ExpressionAttribute> { |
||||
|
||||
private final MethodSecurityExpressionHandler expressionHandler; |
||||
|
||||
PostFilterExpressionAttributeRegistry() { |
||||
this.expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
||||
} |
||||
|
||||
PostFilterExpressionAttributeRegistry(MethodSecurityExpressionHandler expressionHandler) { |
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null"); |
||||
this.expressionHandler = expressionHandler; |
||||
} |
||||
|
||||
MethodSecurityExpressionHandler getExpressionHandler() { |
||||
return this.expressionHandler; |
||||
} |
||||
|
||||
@NonNull |
||||
@Override |
||||
ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) { |
||||
Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass); |
||||
PostFilter postFilter = findPostFilterAnnotation(specificMethod); |
||||
if (postFilter == null) { |
||||
return ExpressionAttribute.NULL_ATTRIBUTE; |
||||
} |
||||
Expression postFilterExpression = this.expressionHandler.getExpressionParser() |
||||
.parseExpression(postFilter.value()); |
||||
return new ExpressionAttribute(postFilterExpression); |
||||
} |
||||
|
||||
private PostFilter findPostFilterAnnotation(Method method) { |
||||
PostFilter postFilter = AuthorizationAnnotationUtils.findUniqueAnnotation(method, PostFilter.class); |
||||
return (postFilter != null) ? postFilter |
||||
: AuthorizationAnnotationUtils.findUniqueAnnotation(method.getDeclaringClass(), PostFilter.class); |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,76 @@
@@ -0,0 +1,76 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.reflect.Method; |
||||
|
||||
import reactor.util.annotation.NonNull; |
||||
|
||||
import org.springframework.aop.support.AopUtils; |
||||
import org.springframework.expression.Expression; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.prepost.PreAuthorize; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* For internal use only, as this contract is likely to change. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
final class PreAuthorizeExpressionAttributeRegistry extends AbstractExpressionAttributeRegistry<ExpressionAttribute> { |
||||
|
||||
private final MethodSecurityExpressionHandler expressionHandler; |
||||
|
||||
PreAuthorizeExpressionAttributeRegistry() { |
||||
this.expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
||||
} |
||||
|
||||
PreAuthorizeExpressionAttributeRegistry(MethodSecurityExpressionHandler expressionHandler) { |
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null"); |
||||
this.expressionHandler = expressionHandler; |
||||
} |
||||
|
||||
/** |
||||
* Returns the {@link MethodSecurityExpressionHandler}. |
||||
* @return the {@link MethodSecurityExpressionHandler} to use |
||||
*/ |
||||
MethodSecurityExpressionHandler getExpressionHandler() { |
||||
return this.expressionHandler; |
||||
} |
||||
|
||||
@NonNull |
||||
@Override |
||||
ExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) { |
||||
Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass); |
||||
PreAuthorize preAuthorize = findPreAuthorizeAnnotation(specificMethod); |
||||
if (preAuthorize == null) { |
||||
return ExpressionAttribute.NULL_ATTRIBUTE; |
||||
} |
||||
Expression preAuthorizeExpression = this.expressionHandler.getExpressionParser() |
||||
.parseExpression(preAuthorize.value()); |
||||
return new ExpressionAttribute(preAuthorizeExpression); |
||||
} |
||||
|
||||
private PreAuthorize findPreAuthorizeAnnotation(Method method) { |
||||
PreAuthorize preAuthorize = AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreAuthorize.class); |
||||
return (preAuthorize != null) ? preAuthorize |
||||
: AuthorizationAnnotationUtils.findUniqueAnnotation(method.getDeclaringClass(), PreAuthorize.class); |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,73 @@
@@ -0,0 +1,73 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.prepost.PreAuthorize; |
||||
import org.springframework.security.authorization.AuthorizationDecision; |
||||
import org.springframework.security.authorization.ReactiveAuthorizationManager; |
||||
import org.springframework.security.core.Authentication; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* A {@link ReactiveAuthorizationManager} which can determine if an {@link Authentication} |
||||
* has access to the {@link MethodInvocation} by evaluating an expression from the |
||||
* {@link PreAuthorize} annotation. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
public final class PreAuthorizeReactiveAuthorizationManager implements ReactiveAuthorizationManager<MethodInvocation> { |
||||
|
||||
private final PreAuthorizeExpressionAttributeRegistry registry; |
||||
|
||||
public PreAuthorizeReactiveAuthorizationManager() { |
||||
this(new DefaultMethodSecurityExpressionHandler()); |
||||
} |
||||
|
||||
public PreAuthorizeReactiveAuthorizationManager(MethodSecurityExpressionHandler expressionHandler) { |
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null"); |
||||
this.registry = new PreAuthorizeExpressionAttributeRegistry(expressionHandler); |
||||
} |
||||
|
||||
/** |
||||
* Determines if an {@link Authentication} has access to the {@link MethodInvocation} |
||||
* by evaluating an expression from the {@link PreAuthorize} annotation. |
||||
* @param authentication the {@link Mono} of the {@link Authentication} to check |
||||
* @param mi the {@link MethodInvocation} to check |
||||
* @return a {@link Mono} of the {@link AuthorizationDecision} or an empty |
||||
* {@link Mono} if the {@link PreAuthorize} annotation is not present |
||||
*/ |
||||
@Override |
||||
public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, MethodInvocation mi) { |
||||
ExpressionAttribute attribute = this.registry.getAttribute(mi); |
||||
if (attribute == ExpressionAttribute.NULL_ATTRIBUTE) { |
||||
return Mono.empty(); |
||||
} |
||||
// @formatter:off
|
||||
return authentication |
||||
.map((auth) -> this.registry.getExpressionHandler().createEvaluationContext(auth, mi)) |
||||
.flatMap((ctx) -> ReactiveExpressionUtils.evaluateAsBoolean(attribute.getExpression(), ctx)) |
||||
.map((granted) -> new ExpressionAttributeAuthorizationDecision(granted, attribute)); |
||||
// @formatter:on
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,213 @@
@@ -0,0 +1,213 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.reflect.Method; |
||||
|
||||
import org.aopalliance.aop.Advice; |
||||
import org.aopalliance.intercept.MethodInterceptor; |
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import org.reactivestreams.Publisher; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.aop.Pointcut; |
||||
import org.springframework.aop.PointcutAdvisor; |
||||
import org.springframework.aop.framework.AopInfrastructureBean; |
||||
import org.springframework.aop.support.AopUtils; |
||||
import org.springframework.core.Ordered; |
||||
import org.springframework.core.ParameterNameDiscoverer; |
||||
import org.springframework.core.ReactiveAdapter; |
||||
import org.springframework.core.ReactiveAdapterRegistry; |
||||
import org.springframework.expression.EvaluationContext; |
||||
import org.springframework.expression.Expression; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations; |
||||
import org.springframework.security.access.prepost.PreFilter; |
||||
import org.springframework.security.core.parameters.DefaultSecurityParameterNameDiscoverer; |
||||
import org.springframework.util.Assert; |
||||
import org.springframework.util.StringUtils; |
||||
|
||||
/** |
||||
* A {@link MethodInterceptor} which filters a reactive method argument by evaluating an |
||||
* expression from the {@link PreFilter} annotation. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
public final class PreFilterAuthorizationReactiveMethodInterceptor |
||||
implements Ordered, MethodInterceptor, PointcutAdvisor, AopInfrastructureBean { |
||||
|
||||
private final PreFilterExpressionAttributeRegistry registry; |
||||
|
||||
private final Pointcut pointcut = AuthorizationMethodPointcuts.forAnnotations(PreFilter.class); |
||||
|
||||
private ParameterNameDiscoverer parameterNameDiscoverer = new DefaultSecurityParameterNameDiscoverer(); |
||||
|
||||
private int order = AuthorizationInterceptorsOrder.PRE_FILTER.getOrder(); |
||||
|
||||
public PreFilterAuthorizationReactiveMethodInterceptor() { |
||||
this(new DefaultMethodSecurityExpressionHandler()); |
||||
} |
||||
|
||||
/** |
||||
* Creates an instance. |
||||
*/ |
||||
public PreFilterAuthorizationReactiveMethodInterceptor(MethodSecurityExpressionHandler expressionHandler) { |
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null"); |
||||
this.registry = new PreFilterExpressionAttributeRegistry(expressionHandler); |
||||
} |
||||
|
||||
/** |
||||
* Sets the {@link ParameterNameDiscoverer}. |
||||
* @param parameterNameDiscoverer the {@link ParameterNameDiscoverer} to use |
||||
*/ |
||||
public void setParameterNameDiscoverer(ParameterNameDiscoverer parameterNameDiscoverer) { |
||||
Assert.notNull(parameterNameDiscoverer, "parameterNameDiscoverer cannot be null"); |
||||
this.parameterNameDiscoverer = parameterNameDiscoverer; |
||||
} |
||||
|
||||
/** |
||||
* Filters a reactive method argument by evaluating an expression from the |
||||
* {@link PreFilter} annotation. |
||||
* @param mi the {@link MethodInvocation} to use |
||||
* @return the {@link Publisher} to use |
||||
*/ |
||||
@Override |
||||
public Object invoke(MethodInvocation mi) throws Throwable { |
||||
PreFilterExpressionAttributeRegistry.PreFilterExpressionAttribute attribute = this.registry.getAttribute(mi); |
||||
if (attribute == PreFilterExpressionAttributeRegistry.PreFilterExpressionAttribute.NULL_ATTRIBUTE) { |
||||
return ReactiveMethodInvocationUtils.proceed(mi); |
||||
} |
||||
FilterTarget filterTarget = findFilterTarget(attribute.getFilterTarget(), mi); |
||||
Mono<EvaluationContext> toInvoke = ReactiveAuthenticationUtils.getAuthentication() |
||||
.map((auth) -> this.registry.getExpressionHandler().createEvaluationContext(auth, mi)); |
||||
Method method = mi.getMethod(); |
||||
Class<?> type = filterTarget.value.getClass(); |
||||
Assert.state(Publisher.class.isAssignableFrom(type), |
||||
() -> String.format("The parameter type %s on %s must be an instance of org.reactivestreams.Publisher " |
||||
+ "(for example, a Mono or Flux) in order to support Reactor Context", type, method)); |
||||
ReactiveAdapter adapter = ReactiveAdapterRegistry.getSharedInstance().getAdapter(type); |
||||
if (isMultiValue(type, adapter)) { |
||||
Flux<?> result = toInvoke |
||||
.flatMapMany((ctx) -> filterMultiValue(filterTarget.value, attribute.getExpression(), ctx)); |
||||
mi.getArguments()[filterTarget.index] = (adapter != null) ? adapter.fromPublisher(result) : result; |
||||
} |
||||
else { |
||||
Mono<?> result = toInvoke |
||||
.flatMap((ctx) -> filterSingleValue(filterTarget.value, attribute.getExpression(), ctx)); |
||||
mi.getArguments()[filterTarget.index] = (adapter != null) ? adapter.fromPublisher(result) : result; |
||||
} |
||||
return ReactiveMethodInvocationUtils.proceed(mi); |
||||
} |
||||
|
||||
private FilterTarget findFilterTarget(String name, MethodInvocation mi) { |
||||
Object value = null; |
||||
int index = 0; |
||||
if (StringUtils.hasText(name)) { |
||||
Object target = mi.getThis(); |
||||
Class<?> targetClass = (target != null) ? AopUtils.getTargetClass(target) : null; |
||||
Method specificMethod = AopUtils.getMostSpecificMethod(mi.getMethod(), targetClass); |
||||
String[] parameterNames = this.parameterNameDiscoverer.getParameterNames(specificMethod); |
||||
if (parameterNames != null && parameterNames.length > 0) { |
||||
Object[] arguments = mi.getArguments(); |
||||
for (index = 0; index < parameterNames.length; index++) { |
||||
if (name.equals(parameterNames[index])) { |
||||
value = arguments[index]; |
||||
break; |
||||
} |
||||
} |
||||
Assert.notNull(value, |
||||
"Filter target was null, or no argument with name '" + name + "' found in method."); |
||||
} |
||||
} |
||||
else { |
||||
Object[] arguments = mi.getArguments(); |
||||
Assert.state(arguments.length == 1, |
||||
"Unable to determine the method argument for filtering. Specify the filter target."); |
||||
value = arguments[0]; |
||||
Assert.notNull(value, |
||||
"Filter target was null. Make sure you passing the correct value in the method argument."); |
||||
} |
||||
Assert.state(value instanceof Publisher<?>, "Filter target must be an instance of Publisher."); |
||||
return new FilterTarget((Publisher<?>) value, index); |
||||
} |
||||
|
||||
private boolean isMultiValue(Class<?> returnType, ReactiveAdapter adapter) { |
||||
if (Flux.class.isAssignableFrom(returnType)) { |
||||
return true; |
||||
} |
||||
return adapter == null || adapter.isMultiValue(); |
||||
} |
||||
|
||||
private Mono<?> filterSingleValue(Publisher<?> filterTarget, Expression filterExpression, EvaluationContext ctx) { |
||||
MethodSecurityExpressionOperations rootObject = (MethodSecurityExpressionOperations) ctx.getRootObject() |
||||
.getValue(); |
||||
return Mono.from(filterTarget).filterWhen((filterObject) -> { |
||||
rootObject.setFilterObject(filterObject); |
||||
return ReactiveExpressionUtils.evaluateAsBoolean(filterExpression, ctx); |
||||
}); |
||||
} |
||||
|
||||
private Flux<?> filterMultiValue(Publisher<?> filterTarget, Expression filterExpression, EvaluationContext ctx) { |
||||
MethodSecurityExpressionOperations rootObject = (MethodSecurityExpressionOperations) ctx.getRootObject() |
||||
.getValue(); |
||||
return Flux.from(filterTarget).filterWhen((filterObject) -> { |
||||
rootObject.setFilterObject(filterObject); |
||||
return ReactiveExpressionUtils.evaluateAsBoolean(filterExpression, ctx); |
||||
}); |
||||
} |
||||
|
||||
@Override |
||||
public Pointcut getPointcut() { |
||||
return this.pointcut; |
||||
} |
||||
|
||||
@Override |
||||
public Advice getAdvice() { |
||||
return this; |
||||
} |
||||
|
||||
@Override |
||||
public boolean isPerInstance() { |
||||
return true; |
||||
} |
||||
|
||||
@Override |
||||
public int getOrder() { |
||||
return this.order; |
||||
} |
||||
|
||||
public void setOrder(int order) { |
||||
this.order = order; |
||||
} |
||||
|
||||
private static final class FilterTarget { |
||||
|
||||
private final Publisher<?> value; |
||||
|
||||
private final int index; |
||||
|
||||
private FilterTarget(Publisher<?> value, int index) { |
||||
this.value = value; |
||||
this.index = index; |
||||
} |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,89 @@
@@ -0,0 +1,89 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.reflect.Method; |
||||
|
||||
import org.springframework.aop.support.AopUtils; |
||||
import org.springframework.expression.Expression; |
||||
import org.springframework.lang.NonNull; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.prepost.PreFilter; |
||||
import org.springframework.util.Assert; |
||||
|
||||
/** |
||||
* For internal use only, as this contract is likely to change. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
final class PreFilterExpressionAttributeRegistry |
||||
extends AbstractExpressionAttributeRegistry<PreFilterExpressionAttributeRegistry.PreFilterExpressionAttribute> { |
||||
|
||||
private final MethodSecurityExpressionHandler expressionHandler; |
||||
|
||||
PreFilterExpressionAttributeRegistry() { |
||||
this.expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
||||
} |
||||
|
||||
PreFilterExpressionAttributeRegistry(MethodSecurityExpressionHandler expressionHandler) { |
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null"); |
||||
this.expressionHandler = expressionHandler; |
||||
} |
||||
|
||||
MethodSecurityExpressionHandler getExpressionHandler() { |
||||
return this.expressionHandler; |
||||
} |
||||
|
||||
@NonNull |
||||
@Override |
||||
PreFilterExpressionAttribute resolveAttribute(Method method, Class<?> targetClass) { |
||||
Method specificMethod = AopUtils.getMostSpecificMethod(method, targetClass); |
||||
PreFilter preFilter = findPreFilterAnnotation(specificMethod); |
||||
if (preFilter == null) { |
||||
return PreFilterExpressionAttribute.NULL_ATTRIBUTE; |
||||
} |
||||
Expression preFilterExpression = this.expressionHandler.getExpressionParser() |
||||
.parseExpression(preFilter.value()); |
||||
return new PreFilterExpressionAttribute(preFilterExpression, preFilter.filterTarget()); |
||||
} |
||||
|
||||
private PreFilter findPreFilterAnnotation(Method method) { |
||||
PreFilter preFilter = AuthorizationAnnotationUtils.findUniqueAnnotation(method, PreFilter.class); |
||||
return (preFilter != null) ? preFilter |
||||
: AuthorizationAnnotationUtils.findUniqueAnnotation(method.getDeclaringClass(), PreFilter.class); |
||||
} |
||||
|
||||
static final class PreFilterExpressionAttribute extends ExpressionAttribute { |
||||
|
||||
static final PreFilterExpressionAttribute NULL_ATTRIBUTE = new PreFilterExpressionAttribute(null, null); |
||||
|
||||
private final String filterTarget; |
||||
|
||||
private PreFilterExpressionAttribute(Expression expression, String filterTarget) { |
||||
super(expression); |
||||
this.filterTarget = filterTarget; |
||||
} |
||||
|
||||
String getFilterTarget() { |
||||
return this.filterTarget; |
||||
} |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,46 @@
@@ -0,0 +1,46 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.security.authentication.AnonymousAuthenticationToken; |
||||
import org.springframework.security.core.Authentication; |
||||
import org.springframework.security.core.authority.AuthorityUtils; |
||||
import org.springframework.security.core.context.ReactiveSecurityContextHolder; |
||||
import org.springframework.security.core.context.SecurityContext; |
||||
|
||||
/** |
||||
* For internal use only, as this contract is likely to change. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
final class ReactiveAuthenticationUtils { |
||||
|
||||
private static final Authentication ANONYMOUS = new AnonymousAuthenticationToken("key", "anonymous", |
||||
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")); |
||||
|
||||
static Mono<Authentication> getAuthentication() { |
||||
return ReactiveSecurityContextHolder.getContext().map(SecurityContext::getAuthentication) |
||||
.defaultIfEmpty(ANONYMOUS); |
||||
} |
||||
|
||||
private ReactiveAuthenticationUtils() { |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,67 @@
@@ -0,0 +1,67 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.expression.EvaluationContext; |
||||
import org.springframework.expression.EvaluationException; |
||||
import org.springframework.expression.Expression; |
||||
|
||||
/** |
||||
* For internal use only, as this contract is likely to change. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
final class ReactiveExpressionUtils { |
||||
|
||||
static Mono<Boolean> evaluateAsBoolean(Expression expr, EvaluationContext ctx) { |
||||
return Mono.defer(() -> { |
||||
Object value; |
||||
try { |
||||
value = expr.getValue(ctx); |
||||
} |
||||
catch (EvaluationException ex) { |
||||
return Mono.error(() -> new IllegalArgumentException( |
||||
"Failed to evaluate expression '" + expr.getExpressionString() + "'", ex)); |
||||
} |
||||
if (value instanceof Boolean) { |
||||
return Mono.just((Boolean) value); |
||||
} |
||||
if (value instanceof Mono<?>) { |
||||
Mono<?> monoValue = (Mono<?>) value; |
||||
// @formatter:off
|
||||
return monoValue |
||||
.filter(Boolean.class::isInstance) |
||||
.map(Boolean.class::cast) |
||||
.switchIfEmpty(createInvalidReturnTypeMono(expr)); |
||||
// @formatter:on
|
||||
} |
||||
return createInvalidReturnTypeMono(expr); |
||||
}); |
||||
} |
||||
|
||||
private static Mono<Boolean> createInvalidReturnTypeMono(Expression expr) { |
||||
return Mono.error(() -> new IllegalStateException( |
||||
"Expression: '" + expr.getExpressionString() + "' must return boolean or Mono<Boolean>")); |
||||
} |
||||
|
||||
private ReactiveExpressionUtils() { |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,42 @@
@@ -0,0 +1,42 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import reactor.core.Exceptions; |
||||
|
||||
/** |
||||
* For internal use only, as this contract is likely to change. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
* @since 5.8 |
||||
*/ |
||||
final class ReactiveMethodInvocationUtils { |
||||
|
||||
static <T> T proceed(MethodInvocation mi) { |
||||
try { |
||||
return (T) mi.proceed(); |
||||
} |
||||
catch (Throwable ex) { |
||||
throw Exceptions.propagate(ex); |
||||
} |
||||
} |
||||
|
||||
private ReactiveMethodInvocationUtils() { |
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,124 @@
@@ -0,0 +1,124 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import org.assertj.core.api.InstanceOfAssertFactories; |
||||
import org.junit.jupiter.api.Test; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.aop.Pointcut; |
||||
import org.springframework.security.access.AccessDeniedException; |
||||
import org.springframework.security.access.intercept.method.MockMethodInvocation; |
||||
import org.springframework.security.authorization.ReactiveAuthorizationManager; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; |
||||
import static org.mockito.ArgumentMatchers.any; |
||||
import static org.mockito.BDDMockito.given; |
||||
import static org.mockito.Mockito.mock; |
||||
import static org.mockito.Mockito.spy; |
||||
import static org.mockito.Mockito.times; |
||||
import static org.mockito.Mockito.verify; |
||||
|
||||
/** |
||||
* Tests for {@link AuthorizationManagerAfterReactiveMethodInterceptor}. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
*/ |
||||
public class AuthorizationManagerAfterReactiveMethodInterceptorTests { |
||||
|
||||
@Test |
||||
public void instantiateWhenPointcutNullThenException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new AuthorizationManagerAfterReactiveMethodInterceptor(null, |
||||
mock(ReactiveAuthorizationManager.class))) |
||||
.withMessage("pointcut cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void instantiateWhenAuthorizationManagerNullThenException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new AuthorizationManagerAfterReactiveMethodInterceptor(mock(Pointcut.class), null)) |
||||
.withMessage("authorizationManager cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void invokeMonoWhenMockReactiveAuthorizationManagerThenVerify() throws Throwable { |
||||
MethodInvocation mockMethodInvocation = spy( |
||||
new MockMethodInvocation(new Sample(), Sample.class.getDeclaredMethod("mono"))); |
||||
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john")); |
||||
ReactiveAuthorizationManager<MethodInvocationResult> mockReactiveAuthorizationManager = mock( |
||||
ReactiveAuthorizationManager.class); |
||||
given(mockReactiveAuthorizationManager.verify(any(), any())).willReturn(Mono.empty()); |
||||
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( |
||||
Pointcut.TRUE, mockReactiveAuthorizationManager); |
||||
Object result = interceptor.invoke(mockMethodInvocation); |
||||
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class)).extracting(Mono::block) |
||||
.isEqualTo("john"); |
||||
verify(mockReactiveAuthorizationManager).verify(any(), any()); |
||||
} |
||||
|
||||
@Test |
||||
public void invokeFluxWhenMockReactiveAuthorizationManagerThenVerify() throws Throwable { |
||||
MethodInvocation mockMethodInvocation = spy( |
||||
new MockMethodInvocation(new Sample(), Sample.class.getDeclaredMethod("flux"))); |
||||
given(mockMethodInvocation.proceed()).willReturn(Flux.just("john", "bob")); |
||||
ReactiveAuthorizationManager<MethodInvocationResult> mockReactiveAuthorizationManager = mock( |
||||
ReactiveAuthorizationManager.class); |
||||
given(mockReactiveAuthorizationManager.verify(any(), any())).willReturn(Mono.empty()); |
||||
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( |
||||
Pointcut.TRUE, mockReactiveAuthorizationManager); |
||||
Object result = interceptor.invoke(mockMethodInvocation); |
||||
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Flux.class)).extracting(Flux::collectList) |
||||
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class)).containsExactly("john", "bob"); |
||||
verify(mockReactiveAuthorizationManager, times(2)).verify(any(), any()); |
||||
} |
||||
|
||||
@Test |
||||
public void invokeWhenMockReactiveAuthorizationManagerDeniedThenAccessDeniedException() throws Throwable { |
||||
MethodInvocation mockMethodInvocation = spy( |
||||
new MockMethodInvocation(new Sample(), Sample.class.getDeclaredMethod("mono"))); |
||||
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john")); |
||||
ReactiveAuthorizationManager<MethodInvocationResult> mockReactiveAuthorizationManager = mock( |
||||
ReactiveAuthorizationManager.class); |
||||
given(mockReactiveAuthorizationManager.verify(any(), any())) |
||||
.willReturn(Mono.error(new AccessDeniedException("Access Denied"))); |
||||
AuthorizationManagerAfterReactiveMethodInterceptor interceptor = new AuthorizationManagerAfterReactiveMethodInterceptor( |
||||
Pointcut.TRUE, mockReactiveAuthorizationManager); |
||||
Object result = interceptor.invoke(mockMethodInvocation); |
||||
assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> assertThat(result) |
||||
.asInstanceOf(InstanceOfAssertFactories.type(Mono.class)).extracting(Mono::block)) |
||||
.withMessage("Access Denied"); |
||||
verify(mockReactiveAuthorizationManager).verify(any(), any()); |
||||
} |
||||
|
||||
class Sample { |
||||
|
||||
Mono<String> mono() { |
||||
return Mono.just("john"); |
||||
} |
||||
|
||||
Flux<String> flux() { |
||||
return Flux.just("john", "bob"); |
||||
} |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,125 @@
@@ -0,0 +1,125 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import org.aopalliance.intercept.MethodInvocation; |
||||
import org.assertj.core.api.InstanceOfAssertFactories; |
||||
import org.junit.jupiter.api.Test; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.aop.Pointcut; |
||||
import org.springframework.security.access.AccessDeniedException; |
||||
import org.springframework.security.access.intercept.method.MockMethodInvocation; |
||||
import org.springframework.security.authorization.ReactiveAuthorizationManager; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; |
||||
import static org.mockito.ArgumentMatchers.any; |
||||
import static org.mockito.ArgumentMatchers.eq; |
||||
import static org.mockito.BDDMockito.given; |
||||
import static org.mockito.Mockito.mock; |
||||
import static org.mockito.Mockito.spy; |
||||
import static org.mockito.Mockito.verify; |
||||
|
||||
/** |
||||
* Tests for {@link AuthorizationManagerBeforeReactiveMethodInterceptor}. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
*/ |
||||
public class AuthorizationManagerBeforeReactiveMethodInterceptorTests { |
||||
|
||||
@Test |
||||
public void instantiateWhenPointcutNullThenException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new AuthorizationManagerBeforeReactiveMethodInterceptor(null, |
||||
mock(ReactiveAuthorizationManager.class))) |
||||
.withMessage("pointcut cannot be null"); |
||||
|
||||
} |
||||
|
||||
@Test |
||||
public void instantiateWhenAuthorizationManagerNullThenException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new AuthorizationManagerBeforeReactiveMethodInterceptor(mock(Pointcut.class), null)) |
||||
.withMessage("authorizationManager cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void invokeMonoWhenMockReactiveAuthorizationManagerThenVerify() throws Throwable { |
||||
MethodInvocation mockMethodInvocation = spy( |
||||
new MockMethodInvocation(new Sample(), Sample.class.getDeclaredMethod("mono"))); |
||||
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john")); |
||||
ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock( |
||||
ReactiveAuthorizationManager.class); |
||||
given(mockReactiveAuthorizationManager.verify(any(), eq(mockMethodInvocation))).willReturn(Mono.empty()); |
||||
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( |
||||
Pointcut.TRUE, mockReactiveAuthorizationManager); |
||||
Object result = interceptor.invoke(mockMethodInvocation); |
||||
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class)).extracting(Mono::block) |
||||
.isEqualTo("john"); |
||||
verify(mockReactiveAuthorizationManager).verify(any(), eq(mockMethodInvocation)); |
||||
} |
||||
|
||||
@Test |
||||
public void invokeFluxWhenMockReactiveAuthorizationManagerThenVerify() throws Throwable { |
||||
MethodInvocation mockMethodInvocation = spy( |
||||
new MockMethodInvocation(new Sample(), Sample.class.getDeclaredMethod("flux"))); |
||||
given(mockMethodInvocation.proceed()).willReturn(Flux.just("john", "bob")); |
||||
ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock( |
||||
ReactiveAuthorizationManager.class); |
||||
given(mockReactiveAuthorizationManager.verify(any(), eq(mockMethodInvocation))).willReturn(Mono.empty()); |
||||
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( |
||||
Pointcut.TRUE, mockReactiveAuthorizationManager); |
||||
Object result = interceptor.invoke(mockMethodInvocation); |
||||
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Flux.class)).extracting(Flux::collectList) |
||||
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class)).containsExactly("john", "bob"); |
||||
verify(mockReactiveAuthorizationManager).verify(any(), eq(mockMethodInvocation)); |
||||
} |
||||
|
||||
@Test |
||||
public void invokeWhenMockReactiveAuthorizationManagerDeniedThenAccessDeniedException() throws Throwable { |
||||
MethodInvocation mockMethodInvocation = spy( |
||||
new MockMethodInvocation(new Sample(), Sample.class.getDeclaredMethod("mono"))); |
||||
given(mockMethodInvocation.proceed()).willReturn(Mono.just("john")); |
||||
ReactiveAuthorizationManager<MethodInvocation> mockReactiveAuthorizationManager = mock( |
||||
ReactiveAuthorizationManager.class); |
||||
given(mockReactiveAuthorizationManager.verify(any(), eq(mockMethodInvocation))) |
||||
.willReturn(Mono.error(new AccessDeniedException("Access Denied"))); |
||||
AuthorizationManagerBeforeReactiveMethodInterceptor interceptor = new AuthorizationManagerBeforeReactiveMethodInterceptor( |
||||
Pointcut.TRUE, mockReactiveAuthorizationManager); |
||||
Object result = interceptor.invoke(mockMethodInvocation); |
||||
assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> assertThat(result) |
||||
.asInstanceOf(InstanceOfAssertFactories.type(Mono.class)).extracting(Mono::block)) |
||||
.withMessage("Access Denied"); |
||||
verify(mockReactiveAuthorizationManager).verify(any(), eq(mockMethodInvocation)); |
||||
} |
||||
|
||||
class Sample { |
||||
|
||||
Mono<String> mono() { |
||||
return Mono.just("john"); |
||||
} |
||||
|
||||
Flux<String> flux() { |
||||
return Flux.just("john", "bob"); |
||||
} |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,246 @@
@@ -0,0 +1,246 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.annotation.Retention; |
||||
import java.lang.annotation.RetentionPolicy; |
||||
import java.util.Arrays; |
||||
import java.util.Collections; |
||||
import java.util.List; |
||||
|
||||
import org.junit.jupiter.api.Test; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.core.annotation.AnnotationConfigurationException; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.intercept.method.MockMethodInvocation; |
||||
import org.springframework.security.access.prepost.PostAuthorize; |
||||
import org.springframework.security.authentication.TestingAuthenticationToken; |
||||
import org.springframework.security.authorization.AuthorizationDecision; |
||||
import org.springframework.security.core.Authentication; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; |
||||
|
||||
/** |
||||
* Tests for {@link PostAuthorizeReactiveAuthorizationManager}. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
*/ |
||||
public class PostAuthorizeReactiveAuthorizationManagerTests { |
||||
|
||||
@Test |
||||
public void setExpressionHandlerWhenNotNullThenSetsExpressionHandler() { |
||||
MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager( |
||||
expressionHandler); |
||||
assertThat(manager).extracting("registry").extracting("expressionHandler").isEqualTo(expressionHandler); |
||||
} |
||||
|
||||
@Test |
||||
public void setExpressionHandlerWhenNullThenException() { |
||||
assertThatIllegalArgumentException().isThrownBy(() -> new PostAuthorizeReactiveAuthorizationManager(null)) |
||||
.withMessage("expressionHandler cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void checkDoSomethingWhenNoPostAuthorizeAnnotationThenNullDecision() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomething", new Class[] {}, new Object[] {}); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null); |
||||
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block(); |
||||
assertThat(decision).isNull(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkDoSomethingStringWhenArgIsGrantThenGrantedDecision() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingString", new Class[] { String.class }, new Object[] { "grant" }); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null); |
||||
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkDoSomethingStringWhenArgIsNotGrantThenDeniedDecision() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingString", new Class[] { String.class }, new Object[] { "deny" }); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkDoSomethingListWhenReturnObjectContainsGrantThenGrantedDecision() throws Exception { |
||||
List<String> list = Arrays.asList("grant", "deny"); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingList", new Class[] { List.class }, new Object[] { list }); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, list); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkDoSomethingListWhenReturnObjectNotContainsGrantThenDeniedDecision() throws Exception { |
||||
List<String> list = Collections.singletonList("deny"); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingList", new Class[] { List.class }, new Object[] { list }); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, list); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager.check(ReactiveAuthenticationUtils.getAuthentication(), result).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkRequiresAdminWhenClassAnnotationsThenMethodAnnotationsTakePrecedence() throws Exception { |
||||
Mono<Authentication> authentication = Mono |
||||
.just(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(), |
||||
ClassLevelAnnotations.class, "securedAdmin"); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager.check(authentication, result).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isFalse(); |
||||
authentication = Mono.just(new TestingAuthenticationToken("user", "password", "ROLE_ADMIN")); |
||||
decision = manager.check(authentication, result).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkRequiresUserWhenClassAnnotationsThenApplies() throws Exception { |
||||
Mono<Authentication> authentication = Mono |
||||
.just(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(), |
||||
ClassLevelAnnotations.class, "securedUser"); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager.check(authentication, result).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isTrue(); |
||||
authentication = Mono.just(new TestingAuthenticationToken("user", "password", "ROLE_ADMIN")); |
||||
decision = manager.check(authentication, result).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkInheritedAnnotationsWhenDuplicatedThenAnnotationConfigurationException() throws Exception { |
||||
Mono<Authentication> authentication = Mono |
||||
.just(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"inheritedAnnotations"); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
assertThatExceptionOfType(AnnotationConfigurationException.class) |
||||
.isThrownBy(() -> manager.check(authentication, result)); |
||||
} |
||||
|
||||
@Test |
||||
public void checkInheritedAnnotationsWhenConflictingThenAnnotationConfigurationException() throws Exception { |
||||
Mono<Authentication> authentication = Mono |
||||
.just(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(), |
||||
ClassLevelAnnotations.class, "inheritedAnnotations"); |
||||
MethodInvocationResult result = new MethodInvocationResult(methodInvocation, null); |
||||
PostAuthorizeReactiveAuthorizationManager manager = new PostAuthorizeReactiveAuthorizationManager(); |
||||
assertThatExceptionOfType(AnnotationConfigurationException.class) |
||||
.isThrownBy(() -> manager.check(authentication, result)); |
||||
} |
||||
|
||||
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo { |
||||
|
||||
public void doSomething() { |
||||
|
||||
} |
||||
|
||||
@PostAuthorize("#s == 'grant'") |
||||
public String doSomethingString(String s) { |
||||
return s; |
||||
} |
||||
|
||||
@PostAuthorize("returnObject.contains('grant')") |
||||
public List<String> doSomethingList(List<String> list) { |
||||
return list; |
||||
} |
||||
|
||||
@Override |
||||
public void inheritedAnnotations() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
@PostAuthorize("hasRole('USER')") |
||||
public static class ClassLevelAnnotations implements InterfaceAnnotationsThree { |
||||
|
||||
@PostAuthorize("hasRole('ADMIN')") |
||||
public void securedAdmin() { |
||||
|
||||
} |
||||
|
||||
public void securedUser() { |
||||
|
||||
} |
||||
|
||||
@Override |
||||
@PostAuthorize("hasRole('ADMIN')") |
||||
public void inheritedAnnotations() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsOne { |
||||
|
||||
@PostAuthorize("hasRole('ADMIN')") |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsTwo { |
||||
|
||||
@PostAuthorize("hasRole('USER')") |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsThree { |
||||
|
||||
@MyPostAuthorize |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
@Retention(RetentionPolicy.RUNTIME) |
||||
@PostAuthorize("hasRole('USER')") |
||||
public @interface MyPostAuthorize { |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,191 @@
@@ -0,0 +1,191 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.annotation.Retention; |
||||
import java.lang.annotation.RetentionPolicy; |
||||
|
||||
import org.assertj.core.api.InstanceOfAssertFactories; |
||||
import org.junit.jupiter.api.Test; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.core.annotation.AnnotationConfigurationException; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.intercept.method.MockMethodInvocation; |
||||
import org.springframework.security.access.prepost.PostFilter; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; |
||||
|
||||
/** |
||||
* Tests for {@link PostFilterAuthorizationReactiveMethodInterceptor}. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
*/ |
||||
public class PostFilterAuthorizationReactiveMethodInterceptorTests { |
||||
|
||||
@Test |
||||
public void setExpressionHandlerWhenNotNullThenSetsExpressionHandler() { |
||||
MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
||||
PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor( |
||||
expressionHandler); |
||||
assertThat(interceptor).extracting("registry").extracting("expressionHandler").isEqualTo(expressionHandler); |
||||
} |
||||
|
||||
@Test |
||||
public void setExpressionHandlerWhenNullThenException() { |
||||
assertThatIllegalArgumentException() |
||||
.isThrownBy(() -> new PostFilterAuthorizationReactiveMethodInterceptor(null)) |
||||
.withMessage("expressionHandler cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void methodMatcherWhenMethodHasNotPostFilterAnnotationThenNotMatches() throws Exception { |
||||
PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThat(interceptor.getPointcut().getMethodMatcher() |
||||
.matches(NoPostFilterClass.class.getMethod("doSomething"), NoPostFilterClass.class)).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void methodMatcherWhenMethodHasPostFilterAnnotationThenMatches() throws Exception { |
||||
PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThat(interceptor.getPointcut().getMethodMatcher() |
||||
.matches(TestClass.class.getMethod("doSomethingFlux", Flux.class), TestClass.class)).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void invokeWhenMonoThenFilteredMono() throws Throwable { |
||||
Mono<String> mono = Mono.just("bob"); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingMono", new Class[] { Mono.class }, new Object[] { mono }) { |
||||
@Override |
||||
public Object proceed() { |
||||
return mono; |
||||
} |
||||
}; |
||||
PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor(); |
||||
Object result = interceptor.invoke(methodInvocation); |
||||
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class)).extracting(Mono::block).isNull(); |
||||
} |
||||
|
||||
@Test |
||||
public void invokeWhenFluxThenFilteredFlux() throws Throwable { |
||||
Flux<String> flux = Flux.just("john", "bob"); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingFluxClassLevel", new Class[] { Flux.class }, new Object[] { flux }) { |
||||
@Override |
||||
public Object proceed() { |
||||
return flux; |
||||
} |
||||
}; |
||||
PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor(); |
||||
Object result = interceptor.invoke(methodInvocation); |
||||
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Flux.class)).extracting(Flux::collectList) |
||||
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class)).containsOnly("john"); |
||||
} |
||||
|
||||
@Test |
||||
public void checkInheritedAnnotationsWhenDuplicatedThenAnnotationConfigurationException() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"inheritedAnnotations"); |
||||
PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThatExceptionOfType(AnnotationConfigurationException.class) |
||||
.isThrownBy(() -> interceptor.invoke(methodInvocation)); |
||||
} |
||||
|
||||
@Test |
||||
public void checkInheritedAnnotationsWhenConflictingThenAnnotationConfigurationException() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ConflictingAnnotations(), |
||||
ConflictingAnnotations.class, "inheritedAnnotations"); |
||||
PostFilterAuthorizationReactiveMethodInterceptor interceptor = new PostFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThatExceptionOfType(AnnotationConfigurationException.class) |
||||
.isThrownBy(() -> interceptor.invoke(methodInvocation)); |
||||
} |
||||
|
||||
@PostFilter("filterObject == 'john'") |
||||
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo { |
||||
|
||||
@PostFilter("filterObject == 'john'") |
||||
public Flux<String> doSomethingFlux(Flux<String> flux) { |
||||
return flux; |
||||
} |
||||
|
||||
public Flux<String> doSomethingFluxClassLevel(Flux<String> flux) { |
||||
return flux; |
||||
} |
||||
|
||||
@PostFilter("filterObject == 'john'") |
||||
public Mono<String> doSomethingMono(Mono<String> mono) { |
||||
return mono; |
||||
} |
||||
|
||||
@Override |
||||
public void inheritedAnnotations() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
public static class NoPostFilterClass { |
||||
|
||||
public void doSomething() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
public static class ConflictingAnnotations implements InterfaceAnnotationsThree { |
||||
|
||||
@Override |
||||
@PostFilter("filterObject == 'jack'") |
||||
public void inheritedAnnotations() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsOne { |
||||
|
||||
@PostFilter("filterObject == 'jim'") |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsTwo { |
||||
|
||||
@PostFilter("filterObject == 'jane'") |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsThree { |
||||
|
||||
@MyPostFilter |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
@Retention(RetentionPolicy.RUNTIME) |
||||
@PostFilter("filterObject == 'john'") |
||||
public @interface MyPostFilter { |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,210 @@
@@ -0,0 +1,210 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.annotation.Retention; |
||||
import java.lang.annotation.RetentionPolicy; |
||||
|
||||
import org.junit.jupiter.api.Test; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.core.annotation.AnnotationConfigurationException; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.intercept.method.MockMethodInvocation; |
||||
import org.springframework.security.access.prepost.PreAuthorize; |
||||
import org.springframework.security.authentication.TestingAuthenticationToken; |
||||
import org.springframework.security.authorization.AuthorizationDecision; |
||||
import org.springframework.security.core.Authentication; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; |
||||
|
||||
/** |
||||
* Tests for {@link PreAuthorizeReactiveAuthorizationManager}. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
*/ |
||||
public class PreAuthorizeReactiveAuthorizationManagerTests { |
||||
|
||||
@Test |
||||
public void setExpressionHandlerWhenNotNullThenSetsExpressionHandler() { |
||||
MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
||||
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager( |
||||
expressionHandler); |
||||
assertThat(manager).extracting("registry").extracting("expressionHandler").isEqualTo(expressionHandler); |
||||
} |
||||
|
||||
@Test |
||||
public void setExpressionHandlerWhenNullThenException() { |
||||
assertThatIllegalArgumentException().isThrownBy(() -> new PreAuthorizeReactiveAuthorizationManager(null)) |
||||
.withMessage("expressionHandler cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void checkDoSomethingWhenNoPostAuthorizeAnnotationThenNullDecision() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomething", new Class[] {}, new Object[] {}); |
||||
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager |
||||
.check(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation).block(); |
||||
assertThat(decision).isNull(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkDoSomethingStringWhenArgIsGrantThenGrantedDecision() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingString", new Class[] { String.class }, new Object[] { "grant" }); |
||||
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager |
||||
.check(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkDoSomethingStringWhenArgIsNotGrantThenDeniedDecision() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingString", new Class[] { String.class }, new Object[] { "deny" }); |
||||
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager |
||||
.check(ReactiveAuthenticationUtils.getAuthentication(), methodInvocation).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkRequiresAdminWhenClassAnnotationsThenMethodAnnotationsTakePrecedence() throws Exception { |
||||
Mono<Authentication> authentication = Mono |
||||
.just(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(), |
||||
ClassLevelAnnotations.class, "securedAdmin"); |
||||
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager.check(authentication, methodInvocation).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isFalse(); |
||||
authentication = Mono.just(new TestingAuthenticationToken("user", "password", "ROLE_ADMIN")); |
||||
decision = manager.check(authentication, methodInvocation).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkRequiresUserWhenClassAnnotationsThenApplies() throws Exception { |
||||
Mono<Authentication> authentication = Mono |
||||
.just(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(), |
||||
ClassLevelAnnotations.class, "securedUser"); |
||||
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(); |
||||
AuthorizationDecision decision = manager.check(authentication, methodInvocation).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isTrue(); |
||||
authentication = Mono.just(new TestingAuthenticationToken("user", "password", "ROLE_ADMIN")); |
||||
decision = manager.check(authentication, methodInvocation).block(); |
||||
assertThat(decision).isNotNull(); |
||||
assertThat(decision.isGranted()).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void checkInheritedAnnotationsWhenDuplicatedThenAnnotationConfigurationException() throws Exception { |
||||
Mono<Authentication> authentication = Mono |
||||
.just(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"inheritedAnnotations"); |
||||
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(); |
||||
assertThatExceptionOfType(AnnotationConfigurationException.class) |
||||
.isThrownBy(() -> manager.check(authentication, methodInvocation)); |
||||
} |
||||
|
||||
@Test |
||||
public void checkInheritedAnnotationsWhenConflictingThenAnnotationConfigurationException() throws Exception { |
||||
Mono<Authentication> authentication = Mono |
||||
.just(new TestingAuthenticationToken("user", "password", "ROLE_USER")); |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ClassLevelAnnotations(), |
||||
ClassLevelAnnotations.class, "inheritedAnnotations"); |
||||
PreAuthorizeReactiveAuthorizationManager manager = new PreAuthorizeReactiveAuthorizationManager(); |
||||
assertThatExceptionOfType(AnnotationConfigurationException.class) |
||||
.isThrownBy(() -> manager.check(authentication, methodInvocation)); |
||||
} |
||||
|
||||
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo { |
||||
|
||||
public void doSomething() { |
||||
|
||||
} |
||||
|
||||
@PreAuthorize("#s == 'grant'") |
||||
public String doSomethingString(String s) { |
||||
return s; |
||||
} |
||||
|
||||
@Override |
||||
public void inheritedAnnotations() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
@PreAuthorize("hasRole('USER')") |
||||
public static class ClassLevelAnnotations implements InterfaceAnnotationsThree { |
||||
|
||||
@PreAuthorize("hasRole('ADMIN')") |
||||
public void securedAdmin() { |
||||
|
||||
} |
||||
|
||||
public void securedUser() { |
||||
|
||||
} |
||||
|
||||
@Override |
||||
@PreAuthorize("hasRole('ADMIN')") |
||||
public void inheritedAnnotations() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsOne { |
||||
|
||||
@PreAuthorize("hasRole('ADMIN')") |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsTwo { |
||||
|
||||
@PreAuthorize("hasRole('USER')") |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsThree { |
||||
|
||||
@MyPreAuthorize |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
@Retention(RetentionPolicy.RUNTIME) |
||||
@PreAuthorize("hasRole('USER')") |
||||
public @interface MyPreAuthorize { |
||||
|
||||
} |
||||
|
||||
} |
||||
@ -0,0 +1,236 @@
@@ -0,0 +1,236 @@
|
||||
/* |
||||
* Copyright 2002-2022 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.authorization.method; |
||||
|
||||
import java.lang.annotation.Retention; |
||||
import java.lang.annotation.RetentionPolicy; |
||||
|
||||
import org.assertj.core.api.InstanceOfAssertFactories; |
||||
import org.junit.jupiter.api.Test; |
||||
import reactor.core.publisher.Flux; |
||||
import reactor.core.publisher.Mono; |
||||
|
||||
import org.springframework.core.ParameterNameDiscoverer; |
||||
import org.springframework.core.annotation.AnnotationConfigurationException; |
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler; |
||||
import org.springframework.security.access.intercept.method.MockMethodInvocation; |
||||
import org.springframework.security.access.prepost.PreFilter; |
||||
import org.springframework.security.core.parameters.DefaultSecurityParameterNameDiscoverer; |
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat; |
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; |
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; |
||||
|
||||
/** |
||||
* Tests for {@link PreFilterAuthorizationReactiveMethodInterceptor}. |
||||
* |
||||
* @author Evgeniy Cheban |
||||
*/ |
||||
public class PreFilterAuthorizationReactiveMethodInterceptorTests { |
||||
|
||||
@Test |
||||
public void setExpressionHandlerWhenNotNullThenSetsExpressionHandler() { |
||||
MethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor( |
||||
expressionHandler); |
||||
assertThat(interceptor).extracting("registry").extracting("expressionHandler").isEqualTo(expressionHandler); |
||||
} |
||||
|
||||
@Test |
||||
public void setExpressionHandlerWhenNullThenException() { |
||||
assertThatIllegalArgumentException().isThrownBy(() -> new PreFilterAuthorizationReactiveMethodInterceptor(null)) |
||||
.withMessage("expressionHandler cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void setParameterNameDiscovererWhenNotNullThenSetsParameterNameDiscoverer() { |
||||
ParameterNameDiscoverer parameterNameDiscoverer = new DefaultSecurityParameterNameDiscoverer(); |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
interceptor.setParameterNameDiscoverer(parameterNameDiscoverer); |
||||
assertThat(interceptor).extracting("parameterNameDiscoverer").isEqualTo(parameterNameDiscoverer); |
||||
} |
||||
|
||||
@Test |
||||
public void setParameterNameDiscovererWhenNullThenException() { |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThatIllegalArgumentException().isThrownBy(() -> interceptor.setParameterNameDiscoverer(null)) |
||||
.withMessage("parameterNameDiscoverer cannot be null"); |
||||
} |
||||
|
||||
@Test |
||||
public void methodMatcherWhenMethodHasNotPreFilterAnnotationThenNotMatches() throws Exception { |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThat(interceptor.getPointcut().getMethodMatcher().matches(NoPreFilterClass.class.getMethod("doSomething"), |
||||
NoPreFilterClass.class)).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void methodMatcherWhenMethodHasPreFilterAnnotationThenMatches() throws Exception { |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThat(interceptor.getPointcut().getMethodMatcher() |
||||
.matches(TestClass.class.getMethod("doSomethingFluxFilterTargetMatch", Flux.class), TestClass.class)) |
||||
.isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void findFilterTargetWhenNameProvidedAndNotMatchThenException() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingFluxFilterTargetNotMatch", new Class[] { Flux.class }, new Object[] { Flux.empty() }); |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThatIllegalArgumentException().isThrownBy(() -> interceptor.invoke(methodInvocation)).withMessage( |
||||
"Filter target was null, or no argument with name 'filterTargetNotMatch' found in method."); |
||||
} |
||||
|
||||
@Test |
||||
public void findFilterTargetWhenNameProvidedAndMatchAndNullThenException() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingFluxFilterTargetMatch", new Class[] { Flux.class }, new Object[] { null }); |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThatIllegalArgumentException().isThrownBy(() -> interceptor.invoke(methodInvocation)) |
||||
.withMessage("Filter target was null, or no argument with name 'flux' found in method."); |
||||
} |
||||
|
||||
@Test |
||||
public void findFilterTargetWhenNameNotProvidedAndSingleArgMonoThenFiltersMono() throws Throwable { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingMonoFilterTargetNotProvided", new Class[] { Mono.class }, |
||||
new Object[] { Mono.just("bob") }) { |
||||
@Override |
||||
public Object proceed() { |
||||
return getArguments()[0]; |
||||
} |
||||
}; |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
Object result = interceptor.invoke(methodInvocation); |
||||
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Mono.class)).extracting(Mono::block).isNull(); |
||||
} |
||||
|
||||
@Test |
||||
public void findFilterTargetWhenNameNotProvidedAndSingleArgFluxThenFiltersFlux() throws Throwable { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"doSomethingFluxFilterTargetNotProvided", new Class[] { Flux.class }, |
||||
new Object[] { Flux.just("john", "bob") }) { |
||||
@Override |
||||
public Object proceed() { |
||||
return getArguments()[0]; |
||||
} |
||||
}; |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
Object result = interceptor.invoke(methodInvocation); |
||||
assertThat(result).asInstanceOf(InstanceOfAssertFactories.type(Flux.class)).extracting(Flux::collectList) |
||||
.extracting(Mono::block, InstanceOfAssertFactories.list(String.class)).containsOnly("john"); |
||||
} |
||||
|
||||
@Test |
||||
public void checkInheritedAnnotationsWhenDuplicatedThenAnnotationConfigurationException() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class, |
||||
"inheritedAnnotations"); |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThatExceptionOfType(AnnotationConfigurationException.class) |
||||
.isThrownBy(() -> interceptor.invoke(methodInvocation)); |
||||
} |
||||
|
||||
@Test |
||||
public void checkInheritedAnnotationsWhenConflictingThenAnnotationConfigurationException() throws Exception { |
||||
MockMethodInvocation methodInvocation = new MockMethodInvocation(new ConflictingAnnotations(), |
||||
ConflictingAnnotations.class, "inheritedAnnotations"); |
||||
PreFilterAuthorizationReactiveMethodInterceptor interceptor = new PreFilterAuthorizationReactiveMethodInterceptor(); |
||||
assertThatExceptionOfType(AnnotationConfigurationException.class) |
||||
.isThrownBy(() -> interceptor.invoke(methodInvocation)); |
||||
} |
||||
|
||||
@PreFilter("filterObject == 'john'") |
||||
public static class TestClass implements InterfaceAnnotationsOne, InterfaceAnnotationsTwo { |
||||
|
||||
@PreFilter(value = "filterObject == 'john'", filterTarget = "filterTargetNotMatch") |
||||
public Flux<String> doSomethingFluxFilterTargetNotMatch(Flux<String> flux) { |
||||
return flux; |
||||
} |
||||
|
||||
@PreFilter(value = "filterObject == 'john'", filterTarget = "flux") |
||||
public Flux<String> doSomethingFluxFilterTargetMatch(Flux<String> flux) { |
||||
return flux; |
||||
} |
||||
|
||||
@PreFilter("filterObject == 'john'") |
||||
public Flux<String> doSomethingFluxFilterTargetNotProvided(Flux<String> flux) { |
||||
return flux; |
||||
} |
||||
|
||||
@PreFilter("filterObject == 'john'") |
||||
public Mono<String> doSomethingMonoFilterTargetNotProvided(Mono<String> mono) { |
||||
return mono; |
||||
} |
||||
|
||||
public Flux<String> doSomethingTwoArgsFilterTargetNotProvided(String s, Flux<String> flux) { |
||||
return flux; |
||||
} |
||||
|
||||
@Override |
||||
public void inheritedAnnotations() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
public static class NoPreFilterClass { |
||||
|
||||
public void doSomething() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
public static class ConflictingAnnotations implements InterfaceAnnotationsThree { |
||||
|
||||
@Override |
||||
@PreFilter("filterObject == 'jack'") |
||||
public void inheritedAnnotations() { |
||||
|
||||
} |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsOne { |
||||
|
||||
@PreFilter("filterObject == 'jim'") |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsTwo { |
||||
|
||||
@PreFilter("filterObject == 'jane'") |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
public interface InterfaceAnnotationsThree { |
||||
|
||||
@MyPreFilter |
||||
void inheritedAnnotations(); |
||||
|
||||
} |
||||
|
||||
@Retention(RetentionPolicy.RUNTIME) |
||||
@PreFilter("filterObject == 'john'") |
||||
public @interface MyPreFilter { |
||||
|
||||
} |
||||
|
||||
} |
||||
Loading…
Reference in new issue