Rob Winch
8 years ago
2 changed files with 414 additions and 0 deletions
@ -0,0 +1,147 @@
@@ -0,0 +1,147 @@
|
||||
/* |
||||
* Copyright 2002-2018 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.client.web.reactive.result.method.annotation; |
||||
|
||||
import org.springframework.core.MethodParameter; |
||||
import org.springframework.core.annotation.AnnotatedElementUtils; |
||||
import org.springframework.security.core.Authentication; |
||||
import org.springframework.security.core.context.ReactiveSecurityContextHolder; |
||||
import org.springframework.security.core.context.SecurityContext; |
||||
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException; |
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; |
||||
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService; |
||||
import org.springframework.security.oauth2.client.annotation.OAuth2Client; |
||||
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; |
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration; |
||||
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository; |
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken; |
||||
import org.springframework.util.Assert; |
||||
import org.springframework.util.StringUtils; |
||||
import org.springframework.web.reactive.BindingContext; |
||||
import org.springframework.web.reactive.result.method.HandlerMethodArgumentResolver; |
||||
import org.springframework.web.server.ServerWebExchange; |
||||
|
||||
import reactor.core.publisher.Mono; |
||||
|
||||
/** |
||||
* An implementation of a {@link HandlerMethodArgumentResolver} that is capable |
||||
* of resolving a method parameter into an argument value for the following types: |
||||
* {@link ClientRegistration}, {@link OAuth2AuthorizedClient} and {@link OAuth2AccessToken}. |
||||
* |
||||
* <p> |
||||
* For example: |
||||
* <pre> |
||||
* @Controller |
||||
* public class MyController { |
||||
* @GetMapping("/client-registration") |
||||
* public Mono<String></String> clientRegistration(@OAuth2Client("login-client") ClientRegistration clientRegistration) { |
||||
* // do something with clientRegistration
|
||||
* } |
||||
* |
||||
* @GetMapping("/authorized-client") |
||||
* public Mono<String></String> authorizedClient(@OAuth2Client("login-client") OAuth2AuthorizedClient authorizedClient) { |
||||
* // do something with authorizedClient
|
||||
* } |
||||
* |
||||
* @GetMapping("/access-token") |
||||
* public Mono<String> accessToken(@OAuth2Client("login-client") OAuth2AccessToken accessToken) { |
||||
* // do something with accessToken
|
||||
* } |
||||
* } |
||||
* </pre> |
||||
* |
||||
* @author Rob Winch |
||||
* @since 5.1 |
||||
* @see OAuth2Client |
||||
*/ |
||||
public final class OAuth2ClientArgumentResolver implements HandlerMethodArgumentResolver { |
||||
private final ReactiveClientRegistrationRepository clientRegistrationRepository; |
||||
private final ReactiveOAuth2AuthorizedClientService authorizedClientService; |
||||
|
||||
/** |
||||
* Constructs an {@code OAuth2ClientArgumentResolver} using the provided parameters. |
||||
* |
||||
* @param clientRegistrationRepository the repository of client registrations |
||||
* @param authorizedClientService the authorized client service |
||||
*/ |
||||
public OAuth2ClientArgumentResolver(ReactiveClientRegistrationRepository clientRegistrationRepository, |
||||
ReactiveOAuth2AuthorizedClientService authorizedClientService) { |
||||
Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null"); |
||||
Assert.notNull(authorizedClientService, "authorizedClientService cannot be null"); |
||||
this.clientRegistrationRepository = clientRegistrationRepository; |
||||
this.authorizedClientService = authorizedClientService; |
||||
} |
||||
|
||||
@Override |
||||
public boolean supportsParameter(MethodParameter parameter) { |
||||
return AnnotatedElementUtils.findMergedAnnotation(parameter.getParameter(), OAuth2Client.class) != null; |
||||
} |
||||
|
||||
@Override |
||||
public Mono<Object> resolveArgument( |
||||
MethodParameter parameter, BindingContext bindingContext, ServerWebExchange exchange) { |
||||
return Mono.defer(() -> { |
||||
OAuth2Client oauth2ClientAnnotation = AnnotatedElementUtils |
||||
.findMergedAnnotation(parameter.getParameter(), OAuth2Client.class); |
||||
|
||||
Mono<String> clientRegistrationId = Mono.justOrEmpty(oauth2ClientAnnotation.registrationId()) |
||||
.filter(id -> !StringUtils.isEmpty(id)) |
||||
.switchIfEmpty(clientRegistrationId()) |
||||
.switchIfEmpty(Mono.defer(() -> Mono.error(new IllegalArgumentException( |
||||
"Unable to resolve the Client Registration Identifier. It must be provided via @OAuth2Client(\"client1\") or @OAuth2Client(registrationId = \"client1\").")))); |
||||
|
||||
if (ClientRegistration.class.isAssignableFrom(parameter.getParameterType())) { |
||||
return clientRegistrationId.flatMap(id -> this.clientRegistrationRepository.findByRegistrationId(id) |
||||
.switchIfEmpty(Mono.defer(() -> Mono.error(new IllegalArgumentException( |
||||
"Unable to find ClientRegistration with registration identifier \"" |
||||
+ id + "\"."))))).cast(Object.class); |
||||
} |
||||
|
||||
Mono<String> principalName = ReactiveSecurityContextHolder.getContext() |
||||
.map(SecurityContext::getAuthentication).map(Authentication::getName); |
||||
|
||||
Mono<OAuth2AuthorizedClient> authorizedClient = Mono |
||||
.zip(clientRegistrationId, principalName).switchIfEmpty( |
||||
clientRegistrationId.flatMap(id -> Mono.error(new IllegalStateException( |
||||
"Unable to resolve the Authorized Client with registration identifier \"" |
||||
+ id |
||||
+ "\". An \"authenticated\" or \"unauthenticated\" session is required. To allow for unauthenticated access, ensure ServerHttpSecurity.anonymous() is configured.")))) |
||||
.flatMap(zipped -> { |
||||
String registrationId = zipped.getT1(); |
||||
String username = zipped.getT2(); |
||||
return this.authorizedClientService |
||||
.loadAuthorizedClient(registrationId, username).switchIfEmpty(Mono.defer(() -> Mono |
||||
.error(new ClientAuthorizationRequiredException( |
||||
registrationId)))); |
||||
}).cast(OAuth2AuthorizedClient.class); |
||||
|
||||
if (OAuth2AccessToken.class.isAssignableFrom(parameter.getParameterType())) { |
||||
return authorizedClient.map(OAuth2AuthorizedClient::getAccessToken); |
||||
} |
||||
|
||||
return authorizedClient.cast(Object.class); |
||||
}); |
||||
} |
||||
|
||||
private Mono<String> clientRegistrationId() { |
||||
return ReactiveSecurityContextHolder.getContext() |
||||
.map(SecurityContext::getAuthentication) |
||||
.filter(authentication -> authentication instanceof OAuth2AuthenticationToken) |
||||
.cast(OAuth2AuthenticationToken.class) |
||||
.map(OAuth2AuthenticationToken::getAuthorizedClientRegistrationId); |
||||
} |
||||
} |
||||
@ -0,0 +1,267 @@
@@ -0,0 +1,267 @@
|
||||
/* |
||||
* Copyright 2002-2018 the original author or authors. |
||||
* |
||||
* Licensed under the Apache License, Version 2.0 (the "License"); |
||||
* you may not use this file except in compliance with the License. |
||||
* You may obtain a copy of the License at |
||||
* |
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
* |
||||
* Unless required by applicable law or agreed to in writing, software |
||||
* distributed under the License is distributed on an "AS IS" BASIS, |
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
* See the License for the specific language governing permissions and |
||||
* limitations under the License. |
||||
*/ |
||||
|
||||
package org.springframework.security.oauth2.client.web.reactive.result.method.annotation; |
||||
|
||||
import static org.assertj.core.api.AssertionsForClassTypes.assertThat; |
||||
import static org.assertj.core.api.AssertionsForClassTypes.assertThatThrownBy; |
||||
import static org.mockito.ArgumentMatchers.any; |
||||
import static org.mockito.ArgumentMatchers.anyString; |
||||
import static org.mockito.Mockito.mock; |
||||
import static org.mockito.Mockito.when; |
||||
|
||||
import java.lang.reflect.Method; |
||||
|
||||
import org.junit.Before; |
||||
import org.junit.Test; |
||||
import org.junit.runner.RunWith; |
||||
import org.mockito.Mock; |
||||
import org.mockito.junit.MockitoJUnitRunner; |
||||
import org.springframework.core.MethodParameter; |
||||
import org.springframework.security.authentication.TestingAuthenticationToken; |
||||
import org.springframework.security.core.Authentication; |
||||
import org.springframework.security.core.context.ReactiveSecurityContextHolder; |
||||
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException; |
||||
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; |
||||
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService; |
||||
import org.springframework.security.oauth2.client.annotation.OAuth2Client; |
||||
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; |
||||
import org.springframework.security.oauth2.client.registration.ClientRegistration; |
||||
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository; |
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType; |
||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod; |
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken; |
||||
import org.springframework.util.ReflectionUtils; |
||||
|
||||
import reactor.core.publisher.Hooks; |
||||
import reactor.core.publisher.Mono; |
||||
import reactor.util.context.Context; |
||||
|
||||
/** |
||||
* @author Rob Winch |
||||
* @since 5.1 |
||||
*/ |
||||
@RunWith(MockitoJUnitRunner.class) |
||||
public class OAuth2ClientArgumentResolverTests { |
||||
@Mock |
||||
private ReactiveClientRegistrationRepository clientRegistrationRepository; |
||||
@Mock |
||||
private ReactiveOAuth2AuthorizedClientService authorizedClientService; |
||||
private OAuth2ClientArgumentResolver argumentResolver; |
||||
private ClientRegistration clientRegistration; |
||||
private OAuth2AuthorizedClient authorizedClient; |
||||
private OAuth2AccessToken accessToken; |
||||
|
||||
private Authentication authentication = new TestingAuthenticationToken("test", "this"); |
||||
|
||||
@Before |
||||
public void setUp() { |
||||
this.argumentResolver = new OAuth2ClientArgumentResolver( |
||||
this.clientRegistrationRepository, this.authorizedClientService); |
||||
this.clientRegistration = ClientRegistration.withRegistrationId("client1") |
||||
.clientId("client-id") |
||||
.clientSecret("secret") |
||||
.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC) |
||||
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) |
||||
.redirectUriTemplate("{baseUrl}/client1") |
||||
.scope("scope1", "scope2") |
||||
.authorizationUri("https://provider.com/oauth2/auth") |
||||
.tokenUri("https://provider.com/oauth2/token") |
||||
.clientName("Client 1") |
||||
.build(); |
||||
when(this.clientRegistrationRepository.findByRegistrationId(anyString())).thenReturn(Mono.just(this.clientRegistration)); |
||||
this.authorizedClient = mock(OAuth2AuthorizedClient.class); |
||||
when(this.authorizedClientService.loadAuthorizedClient(anyString(), any())).thenReturn(Mono.just(this.authorizedClient)); |
||||
this.accessToken = mock(OAuth2AccessToken.class); |
||||
when(this.authorizedClient.getAccessToken()).thenReturn(this.accessToken); |
||||
Hooks.onOperatorDebug(); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenClientRegistrationRepositoryIsNullThenThrowIllegalArgumentException() { |
||||
assertThatThrownBy(() -> new OAuth2ClientArgumentResolver(null, this.authorizedClientService)) |
||||
.isInstanceOf(IllegalArgumentException.class); |
||||
} |
||||
|
||||
@Test |
||||
public void constructorWhenOAuth2AuthorizedClientServiceIsNullThenThrowIllegalArgumentException() { |
||||
assertThatThrownBy(() -> new OAuth2ClientArgumentResolver(this.clientRegistrationRepository, null)) |
||||
.isInstanceOf(IllegalArgumentException.class); |
||||
} |
||||
|
||||
@Test |
||||
public void supportsParameterWhenParameterTypeOAuth2AccessTokenThenTrue() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessToken", OAuth2AccessToken.class); |
||||
assertThat(this.argumentResolver.supportsParameter(methodParameter)).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void supportsParameterWhenParameterTypeOAuth2AccessTokenWithoutAnnotationThenFalse() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessTokenWithoutAnnotation", OAuth2AccessToken.class); |
||||
assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void supportsParameterWhenParameterTypeOAuth2AuthorizedClientThenTrue() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClient", OAuth2AuthorizedClient.class); |
||||
assertThat(this.argumentResolver.supportsParameter(methodParameter)).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void supportsParameterWhenParameterTypeOAuth2AuthorizedClientWithoutAnnotationThenFalse() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClientWithoutAnnotation", OAuth2AuthorizedClient.class); |
||||
assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void supportsParameterWhenParameterTypeClientRegistrationThenTrue() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeClientRegistration", ClientRegistration.class); |
||||
assertThat(this.argumentResolver.supportsParameter(methodParameter)).isTrue(); |
||||
} |
||||
|
||||
@Test |
||||
public void supportsParameterWhenParameterTypeClientRegistrationWithoutAnnotationThenFalse() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeClientRegistrationWithoutAnnotation", ClientRegistration.class); |
||||
assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void supportsParameterWhenParameterTypeUnsupportedWithoutAnnotationThenFalse() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeUnsupportedWithoutAnnotation", String.class); |
||||
assertThat(this.argumentResolver.supportsParameter(methodParameter)).isFalse(); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenRegistrationIdEmptyAndNotOAuth2AuthenticationThenThrowIllegalArgumentException() { |
||||
MethodParameter methodParameter = this.getMethodParameter("registrationIdEmpty", OAuth2AccessToken.class); |
||||
assertThatThrownBy(() -> resolveArgument(methodParameter)) |
||||
.isInstanceOf(IllegalArgumentException.class) |
||||
.hasMessage("Unable to resolve the Client Registration Identifier. It must be provided via @OAuth2Client(\"client1\") or @OAuth2Client(registrationId = \"client1\")."); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenRegistrationIdEmptyAndOAuth2AuthenticationThenResolves() { |
||||
this.authentication = mock(OAuth2AuthenticationToken.class); |
||||
when(this.authentication.getName()).thenReturn("client1"); |
||||
when(((OAuth2AuthenticationToken) this.authentication).getAuthorizedClientRegistrationId()).thenReturn("client1"); |
||||
MethodParameter methodParameter = this.getMethodParameter("registrationIdEmpty", OAuth2AccessToken.class); |
||||
resolveArgument(methodParameter); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenClientRegistrationFoundThenResolves() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeClientRegistration", ClientRegistration.class); |
||||
assertThat(resolveArgument(methodParameter)).isSameAs(this.clientRegistration); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenClientRegistrationNotFoundThenThrowIllegalArgumentException() { |
||||
when(this.clientRegistrationRepository.findByRegistrationId(anyString())).thenReturn(Mono.empty()); |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeClientRegistration", ClientRegistration.class); |
||||
assertThatThrownBy(() -> resolveArgument(methodParameter)) |
||||
.isInstanceOf(IllegalArgumentException.class) |
||||
.hasMessage("Unable to find ClientRegistration with registration identifier \"client1\"."); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenParameterTypeOAuth2AuthorizedClientAndCurrentAuthenticationNullThenThrowIllegalStateException() { |
||||
this.authentication = null; |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClient", OAuth2AuthorizedClient.class); |
||||
assertThatThrownBy(() -> resolveArgument(methodParameter)) |
||||
.isInstanceOf(IllegalStateException.class) |
||||
.hasMessage("Unable to resolve the Authorized Client with registration identifier \"client1\". " + |
||||
"An \"authenticated\" or \"unauthenticated\" session is required. " + |
||||
"To allow for unauthenticated access, ensure ServerHttpSecurity.anonymous() is configured."); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenOAuth2AuthorizedClientFoundThenResolves() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClient", OAuth2AuthorizedClient.class); |
||||
assertThat(resolveArgument(methodParameter)).isSameAs(this.authorizedClient); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenOAuth2AuthorizedClientNotFoundThenThrowClientAuthorizationRequiredException() { |
||||
when(this.authorizedClientService.loadAuthorizedClient(anyString(), any())).thenReturn(Mono.empty()); |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAuthorizedClient", OAuth2AuthorizedClient.class); |
||||
assertThatThrownBy(() -> resolveArgument(methodParameter)) |
||||
.isInstanceOf(ClientAuthorizationRequiredException.class); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenOAuth2AccessTokenAndOAuth2AuthorizedClientFoundThenResolves() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessToken", OAuth2AccessToken.class); |
||||
assertThat(resolveArgument(methodParameter)).isSameAs(this.authorizedClient.getAccessToken()); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenOAuth2AccessTokenAndOAuth2AuthorizedClientNotFoundThenThrowClientAuthorizationRequiredException() { |
||||
when(this.authorizedClientService.loadAuthorizedClient(anyString(), any())).thenReturn(Mono.empty()); |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessToken", OAuth2AccessToken.class); |
||||
assertThatThrownBy(() -> resolveArgument(methodParameter)) |
||||
.isInstanceOf(ClientAuthorizationRequiredException.class); |
||||
} |
||||
|
||||
@Test |
||||
public void resolveArgumentWhenOAuth2AccessTokenAndAnnotationRegistrationIdSetThenResolves() { |
||||
MethodParameter methodParameter = this.getMethodParameter("paramTypeAccessTokenAnnotationRegistrationId", OAuth2AccessToken.class); |
||||
assertThat(resolveArgument(methodParameter)).isSameAs(this.authorizedClient.getAccessToken()); |
||||
} |
||||
|
||||
private Object resolveArgument(MethodParameter methodParameter) { |
||||
return this.argumentResolver.resolveArgument(methodParameter, null, null) |
||||
.subscriberContext(this.authentication == null ? Context.empty() : ReactiveSecurityContextHolder.withAuthentication(this.authentication)) |
||||
.block(); |
||||
} |
||||
|
||||
private MethodParameter getMethodParameter(String methodName, Class<?>... paramTypes) { |
||||
Method method = ReflectionUtils.findMethod( |
||||
TestController.class, methodName, paramTypes); |
||||
return new MethodParameter(method, 0); |
||||
} |
||||
|
||||
static class TestController { |
||||
void paramTypeAccessToken(@OAuth2Client("client1") OAuth2AccessToken accessToken) { |
||||
} |
||||
|
||||
void paramTypeAccessTokenWithoutAnnotation(OAuth2AccessToken accessToken) { |
||||
} |
||||
|
||||
void paramTypeAuthorizedClient(@OAuth2Client("client1") OAuth2AuthorizedClient authorizedClient) { |
||||
} |
||||
|
||||
void paramTypeAuthorizedClientWithoutAnnotation(OAuth2AuthorizedClient authorizedClient) { |
||||
} |
||||
|
||||
void paramTypeClientRegistration(@OAuth2Client("client1") ClientRegistration clientRegistration) { |
||||
} |
||||
|
||||
void paramTypeClientRegistrationWithoutAnnotation(ClientRegistration clientRegistration) { |
||||
} |
||||
|
||||
void paramTypeUnsupported(@OAuth2Client("client1") String param) { |
||||
} |
||||
|
||||
void paramTypeUnsupportedWithoutAnnotation(String param) { |
||||
} |
||||
|
||||
void registrationIdEmpty(@OAuth2Client OAuth2AccessToken accessToken) { |
||||
} |
||||
|
||||
void paramTypeAccessTokenAnnotationRegistrationId(@OAuth2Client(registrationId = "client1") OAuth2AccessToken accessToken) { |
||||
} |
||||
} |
||||
} |
||||
Loading…
Reference in new issue