From ee9449dbfebe9efe29ef52e7907e0782363696fb Mon Sep 17 00:00:00 2001
From: Steve Riesenberg <sriesenberg@vmware.com>
Date: Wed, 5 Oct 2022 16:09:18 -0500
Subject: [PATCH] Fix tests for deferred CSRF tokens

Issue gh-4001
---
 .../XorCsrfTokenRequestAttributeHandlerTests.java | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java b/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java
index 8b03382451..58d271f8d5 100644
--- a/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/XorCsrfTokenRequestAttributeHandlerTests.java
@@ -105,9 +105,11 @@ public class XorCsrfTokenRequestAttributeHandlerTests {
 
 	@Test
 	public void handleWhenCsrfTokenIsNullThenThrowsIllegalStateException() {
+		this.handler.handle(this.request, this.response, () -> null);
+		CsrfToken csrfTokenAttribute = (CsrfToken) this.request.getAttribute("_csrf");
 		// @formatter:off
 		assertThatIllegalStateException()
-				.isThrownBy(() -> this.handler.handle(this.request, this.response, () -> null))
+				.isThrownBy(csrfTokenAttribute::getToken)
 				.withMessage("csrfToken supplier returned null");
 		// @formatter:on
 	}
@@ -128,8 +130,12 @@ public class XorCsrfTokenRequestAttributeHandlerTests {
 
 	@Test
 	public void handleWhenSecureRandomSetThenUsed() {
+		willAnswer(fillByteArray()).given(this.secureRandom).nextBytes(anyByteArray());
+
 		this.handler.setSecureRandom(this.secureRandom);
 		this.handler.handle(this.request, this.response, () -> this.token);
+		CsrfToken csrfTokenAttribute = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
+		assertThat(csrfTokenAttribute.getToken()).isEqualTo(XOR_CSRF_TOKEN_VALUE);
 		verify(this.secureRandom).nextBytes(anyByteArray());
 		verifyNoMoreInteractions(this.secureRandom);
 	}
@@ -140,12 +146,11 @@ public class XorCsrfTokenRequestAttributeHandlerTests {
 
 		this.handler.setSecureRandom(this.secureRandom);
 		this.handler.handle(this.request, this.response, () -> this.token);
-		verify(this.secureRandom).nextBytes(anyByteArray());
-		assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
-		assertThat(this.request.getAttribute(this.token.getParameterName())).isNotNull();
-
 		CsrfToken csrfTokenAttribute = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
 		assertThat(csrfTokenAttribute.getToken()).isEqualTo(XOR_CSRF_TOKEN_VALUE);
+		verify(this.secureRandom).nextBytes(anyByteArray());
+		assertThat(this.request.getAttribute(CsrfToken.class.getName())).isNotNull();
+		assertThat(this.request.getAttribute("_csrf")).isNotNull();
 	}
 
 	@Test