You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1400 lines
36 KiB
1400 lines
36 KiB
[[test-webflux]] |
|
= Reactive Test Support |
|
|
|
[[test-erms]] |
|
== Testing Reactive Method Security |
|
|
|
For example, we can test our example from xref:reactive/method.adoc#jc-erms[] using the same setup and annotations we did in xref:servlet/test/method.adoc#test-method[]. |
|
Here is a minimal sample of what we can do: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@RunWith(SpringRunner.class) |
|
@ContextConfiguration(classes = HelloWebfluxMethodApplication.class) |
|
public class HelloWorldMessageServiceTests { |
|
@Autowired |
|
HelloWorldMessageService messages; |
|
|
|
@Test |
|
public void messagesWhenNotAuthenticatedThenDenied() { |
|
StepVerifier.create(this.messages.findMessage()) |
|
.expectError(AccessDeniedException.class) |
|
.verify(); |
|
} |
|
|
|
@Test |
|
@WithMockUser |
|
public void messagesWhenUserThenDenied() { |
|
StepVerifier.create(this.messages.findMessage()) |
|
.expectError(AccessDeniedException.class) |
|
.verify(); |
|
} |
|
|
|
@Test |
|
@WithMockUser(roles = "ADMIN") |
|
public void messagesWhenAdminThenOk() { |
|
StepVerifier.create(this.messages.findMessage()) |
|
.expectNext("Hello World!") |
|
.verifyComplete(); |
|
} |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@RunWith(SpringRunner::class) |
|
@ContextConfiguration(classes = [HelloWebfluxMethodApplication::class]) |
|
class HelloWorldMessageServiceTests { |
|
@Autowired |
|
lateinit var messages: HelloWorldMessageService |
|
|
|
@Test |
|
fun messagesWhenNotAuthenticatedThenDenied() { |
|
StepVerifier.create(messages.findMessage()) |
|
.expectError(AccessDeniedException::class.java) |
|
.verify() |
|
} |
|
|
|
@Test |
|
@WithMockUser |
|
fun messagesWhenUserThenDenied() { |
|
StepVerifier.create(messages.findMessage()) |
|
.expectError(AccessDeniedException::class.java) |
|
.verify() |
|
} |
|
|
|
@Test |
|
@WithMockUser(roles = ["ADMIN"]) |
|
fun messagesWhenAdminThenOk() { |
|
StepVerifier.create(messages.findMessage()) |
|
.expectNext("Hello World!") |
|
.verifyComplete() |
|
} |
|
} |
|
---- |
|
==== |
|
|
|
[[test-webtestclient]] |
|
== WebTestClientSupport |
|
|
|
Spring Security provides integration with `WebTestClient`. |
|
The basic setup looks like this: |
|
|
|
[source,java] |
|
---- |
|
@RunWith(SpringRunner.class) |
|
@ContextConfiguration(classes = HelloWebfluxMethodApplication.class) |
|
public class HelloWebfluxMethodApplicationTests { |
|
@Autowired |
|
ApplicationContext context; |
|
|
|
WebTestClient rest; |
|
|
|
@Before |
|
public void setup() { |
|
this.rest = WebTestClient |
|
.bindToApplicationContext(this.context) |
|
// add Spring Security test Support |
|
.apply(springSecurity()) |
|
.configureClient() |
|
.filter(basicAuthentication()) |
|
.build(); |
|
} |
|
// ... |
|
} |
|
---- |
|
|
|
=== Authentication |
|
|
|
After applying the Spring Security support to `WebTestClient` we can use either annotations or `mutateWith` support. |
|
For example: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@Test |
|
public void messageWhenNotAuthenticated() throws Exception { |
|
this.rest |
|
.get() |
|
.uri("/message") |
|
.exchange() |
|
.expectStatus().isUnauthorized(); |
|
} |
|
|
|
// --- WithMockUser --- |
|
|
|
@Test |
|
@WithMockUser |
|
public void messageWhenWithMockUserThenForbidden() throws Exception { |
|
this.rest |
|
.get() |
|
.uri("/message") |
|
.exchange() |
|
.expectStatus().isEqualTo(HttpStatus.FORBIDDEN); |
|
} |
|
|
|
@Test |
|
@WithMockUser(roles = "ADMIN") |
|
public void messageWhenWithMockAdminThenOk() throws Exception { |
|
this.rest |
|
.get() |
|
.uri("/message") |
|
.exchange() |
|
.expectStatus().isOk() |
|
.expectBody(String.class).isEqualTo("Hello World!"); |
|
} |
|
|
|
// --- mutateWith mockUser --- |
|
|
|
@Test |
|
public void messageWhenMutateWithMockUserThenForbidden() throws Exception { |
|
this.rest |
|
.mutateWith(mockUser()) |
|
.get() |
|
.uri("/message") |
|
.exchange() |
|
.expectStatus().isEqualTo(HttpStatus.FORBIDDEN); |
|
} |
|
|
|
@Test |
|
public void messageWhenMutateWithMockAdminThenOk() throws Exception { |
|
this.rest |
|
.mutateWith(mockUser().roles("ADMIN")) |
|
.get() |
|
.uri("/message") |
|
.exchange() |
|
.expectStatus().isOk() |
|
.expectBody(String.class).isEqualTo("Hello World!"); |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
import org.springframework.test.web.reactive.server.expectBody |
|
|
|
//... |
|
|
|
@Test |
|
@WithMockUser |
|
fun messageWhenWithMockUserThenForbidden() { |
|
this.rest.get().uri("/message") |
|
.exchange() |
|
.expectStatus().isEqualTo(HttpStatus.FORBIDDEN) |
|
} |
|
|
|
@Test |
|
@WithMockUser(roles = ["ADMIN"]) |
|
fun messageWhenWithMockAdminThenOk() { |
|
this.rest.get().uri("/message") |
|
.exchange() |
|
.expectStatus().isOk |
|
.expectBody<String>().isEqualTo("Hello World!") |
|
|
|
} |
|
|
|
// --- mutateWith mockUser --- |
|
|
|
@Test |
|
fun messageWhenMutateWithMockUserThenForbidden() { |
|
this.rest |
|
.mutateWith(mockUser()) |
|
.get().uri("/message") |
|
.exchange() |
|
.expectStatus().isEqualTo(HttpStatus.FORBIDDEN) |
|
} |
|
|
|
@Test |
|
fun messageWhenMutateWithMockAdminThenOk() { |
|
this.rest |
|
.mutateWith(mockUser().roles("ADMIN")) |
|
.get().uri("/message") |
|
.exchange() |
|
.expectStatus().isOk |
|
.expectBody<String>().isEqualTo("Hello World!") |
|
} |
|
---- |
|
==== |
|
|
|
|
|
=== CSRF Support |
|
|
|
Spring Security also provides support for CSRF testing with `WebTestClient`. |
|
For example: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
this.rest |
|
// provide a valid CSRF token |
|
.mutateWith(csrf()) |
|
.post() |
|
.uri("/login") |
|
... |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
this.rest |
|
// provide a valid CSRF token |
|
.mutateWith(csrf()) |
|
.post() |
|
.uri("/login") |
|
... |
|
---- |
|
==== |
|
|
|
[[webflux-testing-oauth2]] |
|
=== Testing OAuth 2.0 |
|
|
|
When it comes to OAuth 2.0, the same principles covered earlier still apply: Ultimately, it depends on what your method under test is expecting to be in the `SecurityContextHolder`. |
|
|
|
For example, for a controller that looks like this: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(Principal user) { |
|
return Mono.just(user.getName()); |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
fun foo(user: Principal): Mono<String> { |
|
return Mono.just(user.name) |
|
} |
|
---- |
|
==== |
|
|
|
There's nothing OAuth2-specific about it, so you will likely be able to simply <<test-erms,use `@WithMockUser`>> and be fine. |
|
|
|
But, in cases where your controllers are bound to some aspect of Spring Security's OAuth 2.0 support, like the following: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(@AuthenticationPrincipal OidcUser user) { |
|
return Mono.just(user.getIdToken().getSubject()); |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
fun foo(@AuthenticationPrincipal user: OidcUser): Mono<String> { |
|
return Mono.just(user.idToken.subject) |
|
} |
|
---- |
|
==== |
|
|
|
then Spring Security's test support can come in handy. |
|
|
|
[[webflux-testing-oidc-login]] |
|
=== Testing OIDC Login |
|
|
|
Testing the method above with `WebTestClient` would require simulating some kind of grant flow with an authorization server. |
|
Certainly this would be a daunting task, which is why Spring Security ships with support for removing this boilerplate. |
|
|
|
For example, we can tell Spring Security to include a default `OidcUser` using the `SecurityMockServerConfigurers#mockOidcLogin` method, like so: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOidcLogin()).get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOidcLogin()) |
|
.get().uri("/endpoint") |
|
.exchange() |
|
---- |
|
==== |
|
|
|
What this will do is configure the associated `MockServerRequest` with an `OidcUser` that includes a simple `OidcIdToken`, `OidcUserInfo`, and `Collection` of granted authorities. |
|
|
|
Specifically, it will include an `OidcIdToken` with a `sub` claim set to `user`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(user.getIdToken().getClaim("sub")).isEqualTo("user"); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(user.idToken.getClaim<String>("sub")).isEqualTo("user") |
|
---- |
|
==== |
|
|
|
an `OidcUserInfo` with no claims set: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(user.getUserInfo().getClaims()).isEmpty(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(user.userInfo.claims).isEmpty() |
|
---- |
|
==== |
|
|
|
and a `Collection` of authorities with just one authority, `SCOPE_read`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(user.getAuthorities()).hasSize(1); |
|
assertThat(user.getAuthorities()).containsExactly(new SimpleGrantedAuthority("SCOPE_read")); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(user.authorities).hasSize(1) |
|
assertThat(user.authorities).containsExactly(SimpleGrantedAuthority("SCOPE_read")) |
|
---- |
|
==== |
|
|
|
Spring Security does the necessary work to make sure that the `OidcUser` instance is available for xref:servlet/integrations/mvc.adoc#mvc-authentication-principal[the `@AuthenticationPrincipal` annotation]. |
|
|
|
Further, it also links that `OidcUser` to a simple instance of `OAuth2AuthorizedClient` that it deposits into a mock `ServerOAuth2AuthorizedClientRepository`. |
|
This can be handy if your tests <<webflux-testing-oauth2-client,use the `@RegisteredOAuth2AuthorizedClient` annotation>>.. |
|
|
|
[[webflux-testing-oidc-login-authorities]] |
|
==== Configuring Authorities |
|
|
|
In many circumstances, your method is protected by filter or method security and needs your `Authentication` to have certain granted authorities to allow the request. |
|
|
|
In this case, you can supply what granted authorities you need using the `authorities()` method: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOidcLogin() |
|
.authorities(new SimpleGrantedAuthority("SCOPE_message:read")) |
|
) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOidcLogin() |
|
.authorities(SimpleGrantedAuthority("SCOPE_message:read")) |
|
) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-oidc-login-claims]] |
|
==== Configuring Claims |
|
|
|
And while granted authorities are quite common across all of Spring Security, we also have claims in the case of OAuth 2.0. |
|
|
|
Let's say, for example, that you've got a `user_id` claim that indicates the user's id in your system. |
|
You might access it like so in a controller: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(@AuthenticationPrincipal OidcUser oidcUser) { |
|
String userId = oidcUser.getIdToken().getClaim("user_id"); |
|
// ... |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
fun foo(@AuthenticationPrincipal oidcUser: OidcUser): Mono<String> { |
|
val userId = oidcUser.idToken.getClaim<String>("user_id") |
|
// ... |
|
} |
|
---- |
|
==== |
|
|
|
In that case, you'd want to specify that claim with the `idToken()` method: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOidcLogin() |
|
.idToken(token -> token.claim("user_id", "1234")) |
|
) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOidcLogin() |
|
.idToken { token -> token.claim("user_id", "1234") } |
|
) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
since `OidcUser` collects its claims from `OidcIdToken`. |
|
|
|
[[webflux-testing-oidc-login-user]] |
|
==== Additional Configurations |
|
|
|
There are additional methods, too, for further configuring the authentication; it simply depends on what data your controller expects: |
|
|
|
* `userInfo(OidcUserInfo.Builder)` - For configuring the `OidcUserInfo` instance |
|
* `clientRegistration(ClientRegistration)` - For configuring the associated `OAuth2AuthorizedClient` with a given `ClientRegistration` |
|
* `oidcUser(OidcUser)` - For configuring the complete `OidcUser` instance |
|
|
|
That last one is handy if you: |
|
1. Have your own implementation of `OidcUser`, or |
|
2. Need to change the name attribute |
|
|
|
For example, let's say that your authorization server sends the principal name in the `user_name` claim instead of the `sub` claim. |
|
In that case, you can configure an `OidcUser` by hand: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
OidcUser oidcUser = new DefaultOidcUser( |
|
AuthorityUtils.createAuthorityList("SCOPE_message:read"), |
|
OidcIdToken.withTokenValue("id-token").claim("user_name", "foo_user").build(), |
|
"user_name"); |
|
|
|
client |
|
.mutateWith(mockOidcLogin().oidcUser(oidcUser)) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
val oidcUser: OidcUser = DefaultOidcUser( |
|
AuthorityUtils.createAuthorityList("SCOPE_message:read"), |
|
OidcIdToken.withTokenValue("id-token").claim("user_name", "foo_user").build(), |
|
"user_name" |
|
) |
|
|
|
client |
|
.mutateWith(mockOidcLogin().oidcUser(oidcUser)) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-oauth2-login]] |
|
=== Testing OAuth 2.0 Login |
|
|
|
As with <<webflux-testing-oidc-login,testing OIDC login>>, testing OAuth 2.0 Login presents a similar challenge of mocking a grant flow. |
|
And because of that, Spring Security also has test support for non-OIDC use cases. |
|
|
|
Let's say that we've got a controller that gets the logged-in user as an `OAuth2User`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(@AuthenticationPrincipal OAuth2User oauth2User) { |
|
return Mono.just(oauth2User.getAttribute("sub")); |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
fun foo(@AuthenticationPrincipal oauth2User: OAuth2User): Mono<String> { |
|
return Mono.just(oauth2User.getAttribute("sub")) |
|
} |
|
---- |
|
==== |
|
|
|
In that case, we can tell Spring Security to include a default `OAuth2User` using the `SecurityMockServerConfigurers#mockOAuth2Login` method, like so: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Login()) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Login()) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
What this will do is configure the associated `MockServerRequest` with an `OAuth2User` that includes a simple `Map` of attributes and `Collection` of granted authorities. |
|
|
|
Specifically, it will include a `Map` with a key/value pair of `sub`/`user`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat((String) user.getAttribute("sub")).isEqualTo("user"); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(user.getAttribute<String>("sub")).isEqualTo("user") |
|
---- |
|
==== |
|
|
|
and a `Collection` of authorities with just one authority, `SCOPE_read`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(user.getAuthorities()).hasSize(1); |
|
assertThat(user.getAuthorities()).containsExactly(new SimpleGrantedAuthority("SCOPE_read")); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(user.authorities).hasSize(1) |
|
assertThat(user.authorities).containsExactly(SimpleGrantedAuthority("SCOPE_read")) |
|
---- |
|
==== |
|
|
|
Spring Security does the necessary work to make sure that the `OAuth2User` instance is available for xref:servlet/integrations/mvc.adoc#mvc-authentication-principal[the `@AuthenticationPrincipal` annotation]. |
|
|
|
Further, it also links that `OAuth2User` to a simple instance of `OAuth2AuthorizedClient` that it deposits in a mock `ServerOAuth2AuthorizedClientRepository`. |
|
This can be handy if your tests <<webflux-testing-oauth2-client,use the `@RegisteredOAuth2AuthorizedClient` annotation>>. |
|
|
|
[[webflux-testing-oauth2-login-authorities]] |
|
==== Configuring Authorities |
|
|
|
In many circumstances, your method is protected by filter or method security and needs your `Authentication` to have certain granted authorities to allow the request. |
|
|
|
In this case, you can supply what granted authorities you need using the `authorities()` method: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Login() |
|
.authorities(new SimpleGrantedAuthority("SCOPE_message:read")) |
|
) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Login() |
|
.authorities(SimpleGrantedAuthority("SCOPE_message:read")) |
|
) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-oauth2-login-claims]] |
|
==== Configuring Claims |
|
|
|
And while granted authorities are quite common across all of Spring Security, we also have claims in the case of OAuth 2.0. |
|
|
|
Let's say, for example, that you've got a `user_id` attribute that indicates the user's id in your system. |
|
You might access it like so in a controller: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(@AuthenticationPrincipal OAuth2User oauth2User) { |
|
String userId = oauth2User.getAttribute("user_id"); |
|
// ... |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
fun foo(@AuthenticationPrincipal oauth2User: OAuth2User): Mono<String> { |
|
val userId = oauth2User.getAttribute<String>("user_id") |
|
// ... |
|
} |
|
---- |
|
==== |
|
|
|
In that case, you'd want to specify that attribute with the `attributes()` method: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Login() |
|
.attributes(attrs -> attrs.put("user_id", "1234")) |
|
) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Login() |
|
.attributes { attrs -> attrs["user_id"] = "1234" } |
|
) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-oauth2-login-user]] |
|
==== Additional Configurations |
|
|
|
There are additional methods, too, for further configuring the authentication; it simply depends on what data your controller expects: |
|
|
|
* `clientRegistration(ClientRegistration)` - For configuring the associated `OAuth2AuthorizedClient` with a given `ClientRegistration` |
|
* `oauth2User(OAuth2User)` - For configuring the complete `OAuth2User` instance |
|
|
|
That last one is handy if you: |
|
1. Have your own implementation of `OAuth2User`, or |
|
2. Need to change the name attribute |
|
|
|
For example, let's say that your authorization server sends the principal name in the `user_name` claim instead of the `sub` claim. |
|
In that case, you can configure an `OAuth2User` by hand: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
OAuth2User oauth2User = new DefaultOAuth2User( |
|
AuthorityUtils.createAuthorityList("SCOPE_message:read"), |
|
Collections.singletonMap("user_name", "foo_user"), |
|
"user_name"); |
|
|
|
client |
|
.mutateWith(mockOAuth2Login().oauth2User(oauth2User)) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
val oauth2User: OAuth2User = DefaultOAuth2User( |
|
AuthorityUtils.createAuthorityList("SCOPE_message:read"), |
|
mapOf(Pair("user_name", "foo_user")), |
|
"user_name" |
|
) |
|
|
|
client |
|
.mutateWith(mockOAuth2Login().oauth2User(oauth2User)) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-oauth2-client]] |
|
=== Testing OAuth 2.0 Clients |
|
|
|
Independent of how your user authenticates, you may have other tokens and client registrations that are in play for the request you are testing. |
|
For example, your controller may be relying on the client credentials grant to get a token that isn't associated with the user at all: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(@RegisteredOAuth2AuthorizedClient("my-app") OAuth2AuthorizedClient authorizedClient) { |
|
return this.webClient.get() |
|
.attributes(oauth2AuthorizedClient(authorizedClient)) |
|
.retrieve() |
|
.bodyToMono(String.class); |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
import org.springframework.web.reactive.function.client.bodyToMono |
|
|
|
// ... |
|
|
|
@GetMapping("/endpoint") |
|
fun foo(@RegisteredOAuth2AuthorizedClient("my-app") authorizedClient: OAuth2AuthorizedClient?): Mono<String> { |
|
return this.webClient.get() |
|
.attributes(oauth2AuthorizedClient(authorizedClient)) |
|
.retrieve() |
|
.bodyToMono() |
|
} |
|
---- |
|
==== |
|
|
|
Simulating this handshake with the authorization server could be cumbersome. |
|
Instead, you can use `SecurityMockServerConfigurers#mockOAuth2Client` to add a `OAuth2AuthorizedClient` into a mock `ServerOAuth2AuthorizedClientRepository`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Client("my-app")) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Client("my-app")) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
What this will do is create an `OAuth2AuthorizedClient` that has a simple `ClientRegistration`, `OAuth2AccessToken`, and resource owner name. |
|
|
|
Specifically, it will include a `ClientRegistration` with a client id of "test-client" and client secret of "test-secret": |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(authorizedClient.getClientRegistration().getClientId()).isEqualTo("test-client"); |
|
assertThat(authorizedClient.getClientRegistration().getClientSecret()).isEqualTo("test-secret"); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(authorizedClient.clientRegistration.clientId).isEqualTo("test-client") |
|
assertThat(authorizedClient.clientRegistration.clientSecret).isEqualTo("test-secret") |
|
---- |
|
==== |
|
|
|
a resource owner name of "user": |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(authorizedClient.getPrincipalName()).isEqualTo("user"); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(authorizedClient.principalName).isEqualTo("user") |
|
---- |
|
==== |
|
|
|
and an `OAuth2AccessToken` with just one scope, `read`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(authorizedClient.getAccessToken().getScopes()).hasSize(1); |
|
assertThat(authorizedClient.getAccessToken().getScopes()).containsExactly("read"); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(authorizedClient.accessToken.scopes).hasSize(1) |
|
assertThat(authorizedClient.accessToken.scopes).containsExactly("read") |
|
---- |
|
==== |
|
|
|
The client can then be retrieved as normal using `@RegisteredOAuth2AuthorizedClient` in a controller method. |
|
|
|
[[webflux-testing-oauth2-client-scopes]] |
|
==== Configuring Scopes |
|
|
|
In many circumstances, the OAuth 2.0 access token comes with a set of scopes. |
|
If your controller inspects these, say like so: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(@RegisteredOAuth2AuthorizedClient("my-app") OAuth2AuthorizedClient authorizedClient) { |
|
Set<String> scopes = authorizedClient.getAccessToken().getScopes(); |
|
if (scopes.contains("message:read")) { |
|
return this.webClient.get() |
|
.attributes(oauth2AuthorizedClient(authorizedClient)) |
|
.retrieve() |
|
.bodyToMono(String.class); |
|
} |
|
// ... |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
import org.springframework.web.reactive.function.client.bodyToMono |
|
|
|
// ... |
|
|
|
@GetMapping("/endpoint") |
|
fun foo(@RegisteredOAuth2AuthorizedClient("my-app") authorizedClient: OAuth2AuthorizedClient): Mono<String> { |
|
val scopes = authorizedClient.accessToken.scopes |
|
if (scopes.contains("message:read")) { |
|
return webClient.get() |
|
.attributes(oauth2AuthorizedClient(authorizedClient)) |
|
.retrieve() |
|
.bodyToMono() |
|
} |
|
// ... |
|
} |
|
---- |
|
==== |
|
|
|
then you can configure the scope using the `accessToken()` method: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Client("my-app") |
|
.accessToken(new OAuth2AccessToken(BEARER, "token", null, null, Collections.singleton("message:read"))) |
|
) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOAuth2Client("my-app") |
|
.accessToken(OAuth2AccessToken(BEARER, "token", null, null, setOf("message:read"))) |
|
) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-oauth2-client-registration]] |
|
==== Additional Configurations |
|
|
|
There are additional methods, too, for further configuring the authentication; it simply depends on what data your controller expects: |
|
|
|
* `principalName(String)` - For configuring the resource owner name |
|
* `clientRegistration(Consumer<ClientRegistration.Builder>)` - For configuring the associated `ClientRegistration` |
|
* `clientRegistration(ClientRegistration)` - For configuring the complete `ClientRegistration` |
|
|
|
That last one is handy if you want to use a real `ClientRegistration` |
|
|
|
For example, let's say that you are wanting to use one of your app's `ClientRegistration` definitions, as specified in your `application.yml`. |
|
|
|
In that case, your test can autowire the `ReactiveClientRegistrationRepository` and look up the one your test needs: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@Autowired |
|
ReactiveClientRegistrationRepository clientRegistrationRepository; |
|
|
|
// ... |
|
|
|
client |
|
.mutateWith(mockOAuth2Client() |
|
.clientRegistration(this.clientRegistrationRepository.findByRegistrationId("facebook").block()) |
|
) |
|
.get().uri("/exchange").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@Autowired |
|
lateinit var clientRegistrationRepository: ReactiveClientRegistrationRepository |
|
|
|
// ... |
|
|
|
client |
|
.mutateWith(mockOAuth2Client() |
|
.clientRegistration(this.clientRegistrationRepository.findByRegistrationId("facebook").block()) |
|
) |
|
.get().uri("/exchange").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-jwt]] |
|
=== Testing JWT Authentication |
|
|
|
In order to make an authorized request on a resource server, you need a bearer token. |
|
If your resource server is configured for JWTs, then this would mean that the bearer token needs to be signed and then encoded according to the JWT specification. |
|
All of this can be quite daunting, especially when this isn't the focus of your test. |
|
|
|
Fortunately, there are a number of simple ways that you can overcome this difficulty and allow your tests to focus on authorization and not on representing bearer tokens. |
|
We'll look at two of them now: |
|
|
|
==== `mockJwt() WebTestClientConfigurer` |
|
|
|
The first way is via a `WebTestClientConfigurer`. |
|
The simplest of these would be to use the `SecurityMockServerConfigurers#mockJwt` method like the following: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt()).get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt()).get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
What this will do is create a mock `Jwt`, passing it correctly through any authentication APIs so that it's available for your authorization mechanisms to verify. |
|
|
|
By default, the `JWT` that it creates has the following characteristics: |
|
|
|
[source,json] |
|
---- |
|
{ |
|
"headers" : { "alg" : "none" }, |
|
"claims" : { |
|
"sub" : "user", |
|
"scope" : "read" |
|
} |
|
} |
|
---- |
|
|
|
And the resulting `Jwt`, were it tested, would pass in the following way: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(jwt.getTokenValue()).isEqualTo("token"); |
|
assertThat(jwt.getHeaders().get("alg")).isEqualTo("none"); |
|
assertThat(jwt.getSubject()).isEqualTo("sub"); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(jwt.tokenValue).isEqualTo("token") |
|
assertThat(jwt.headers["alg"]).isEqualTo("none") |
|
assertThat(jwt.subject).isEqualTo("sub") |
|
---- |
|
==== |
|
|
|
These values can, of course be configured. |
|
|
|
Any headers or claims can be configured with their corresponding methods: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt().jwt(jwt -> jwt.header("kid", "one") |
|
.claim("iss", "https://idp.example.org"))) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt().jwt { jwt -> jwt.header("kid", "one") |
|
.claim("iss", "https://idp.example.org") |
|
}) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt().jwt(jwt -> jwt.claims(claims -> claims.remove("scope")))) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt().jwt { jwt -> |
|
jwt.claims { claims -> claims.remove("scope") } |
|
}) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
The `scope` and `scp` claims are processed the same way here as they are in a normal bearer token request. |
|
However, this can be overridden simply by providing the list of `GrantedAuthority` instances that you need for your test: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt().authorities(new SimpleGrantedAuthority("SCOPE_messages"))) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt().authorities(SimpleGrantedAuthority("SCOPE_messages"))) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
Or, if you have a custom `Jwt` to `Collection<GrantedAuthority>` converter, you can also use that to derive the authorities: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt().authorities(new MyConverter())) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockJwt().authorities(MyConverter())) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
You can also specify a complete `Jwt`, for which `{security-api-url}org/springframework/security/oauth2/jwt/Jwt.Builder.html[Jwt.Builder]` comes quite handy: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
Jwt jwt = Jwt.withTokenValue("token") |
|
.header("alg", "none") |
|
.claim("sub", "user") |
|
.claim("scope", "read") |
|
.build(); |
|
|
|
client |
|
.mutateWith(mockJwt().jwt(jwt)) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
val jwt: Jwt = Jwt.withTokenValue("token") |
|
.header("alg", "none") |
|
.claim("sub", "user") |
|
.claim("scope", "read") |
|
.build() |
|
|
|
client |
|
.mutateWith(mockJwt().jwt(jwt)) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
==== `authentication()` `WebTestClientConfigurer` |
|
|
|
The second way is by using the `authentication()` `Mutator`. |
|
Essentially, you can instantiate your own `JwtAuthenticationToken` and provide it in your test, like so: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
Jwt jwt = Jwt.withTokenValue("token") |
|
.header("alg", "none") |
|
.claim("sub", "user") |
|
.build(); |
|
Collection<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("SCOPE_read"); |
|
JwtAuthenticationToken token = new JwtAuthenticationToken(jwt, authorities); |
|
|
|
client |
|
.mutateWith(mockAuthentication(token)) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
val jwt = Jwt.withTokenValue("token") |
|
.header("alg", "none") |
|
.claim("sub", "user") |
|
.build() |
|
val authorities: Collection<GrantedAuthority> = AuthorityUtils.createAuthorityList("SCOPE_read") |
|
val token = JwtAuthenticationToken(jwt, authorities) |
|
|
|
client |
|
.mutateWith(mockAuthentication<JwtMutator>(token)) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
Note that as an alternative to these, you can also mock the `ReactiveJwtDecoder` bean itself with a `@MockBean` annotation. |
|
|
|
[[webflux-testing-opaque-token]] |
|
=== Testing Opaque Token Authentication |
|
|
|
Similar to <<webflux-testing-jwt,JWTs>>, opaque tokens require an authorization server in order to verify their validity, which can make testing more difficult. |
|
To help with that, Spring Security has test support for opaque tokens. |
|
|
|
Let's say that we've got a controller that retrieves the authentication as a `BearerTokenAuthentication`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(BearerTokenAuthentication authentication) { |
|
return Mono.just((String) authentication.getTokenAttributes().get("sub")); |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
fun foo(authentication: BearerTokenAuthentication): Mono<String?> { |
|
return Mono.just(authentication.tokenAttributes["sub"] as String?) |
|
} |
|
---- |
|
==== |
|
|
|
In that case, we can tell Spring Security to include a default `BearerTokenAuthentication` using the `SecurityMockServerConfigurers#mockOpaqueToken` method, like so: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOpaqueToken()) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOpaqueToken()) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
What this will do is configure the associated `MockHttpServletRequest` with a `BearerTokenAuthentication` that includes a simple `OAuth2AuthenticatedPrincipal`, `Map` of attributes, and `Collection` of granted authorities. |
|
|
|
Specifically, it will include a `Map` with a key/value pair of `sub`/`user`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat((String) token.getTokenAttributes().get("sub")).isEqualTo("user"); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(token.tokenAttributes["sub"] as String?).isEqualTo("user") |
|
---- |
|
==== |
|
|
|
and a `Collection` of authorities with just one authority, `SCOPE_read`: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
assertThat(token.getAuthorities()).hasSize(1); |
|
assertThat(token.getAuthorities()).containsExactly(new SimpleGrantedAuthority("SCOPE_read")); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
assertThat(token.authorities).hasSize(1) |
|
assertThat(token.authorities).containsExactly(SimpleGrantedAuthority("SCOPE_read")) |
|
---- |
|
==== |
|
|
|
Spring Security does the necessary work to make sure that the `BearerTokenAuthentication` instance is available for your controller methods. |
|
|
|
[[webflux-testing-opaque-token-authorities]] |
|
==== Configuring Authorities |
|
|
|
In many circumstances, your method is protected by filter or method security and needs your `Authentication` to have certain granted authorities to allow the request. |
|
|
|
In this case, you can supply what granted authorities you need using the `authorities()` method: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOpaqueToken() |
|
.authorities(new SimpleGrantedAuthority("SCOPE_message:read")) |
|
) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOpaqueToken() |
|
.authorities(SimpleGrantedAuthority("SCOPE_message:read")) |
|
) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-opaque-token-attributes]] |
|
==== Configuring Claims |
|
|
|
And while granted authorities are quite common across all of Spring Security, we also have attributes in the case of OAuth 2.0. |
|
|
|
Let's say, for example, that you've got a `user_id` attribute that indicates the user's id in your system. |
|
You might access it like so in a controller: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
public Mono<String> foo(BearerTokenAuthentication authentication) { |
|
String userId = (String) authentication.getTokenAttributes().get("user_id"); |
|
// ... |
|
} |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
@GetMapping("/endpoint") |
|
fun foo(authentication: BearerTokenAuthentication): Mono<String?> { |
|
val userId = authentication.tokenAttributes["user_id"] as String? |
|
// ... |
|
} |
|
---- |
|
==== |
|
|
|
In that case, you'd want to specify that attribute with the `attributes()` method: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
client |
|
.mutateWith(mockOpaqueToken() |
|
.attributes(attrs -> attrs.put("user_id", "1234")) |
|
) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
client |
|
.mutateWith(mockOpaqueToken() |
|
.attributes { attrs -> attrs["user_id"] = "1234" } |
|
) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
[[webflux-testing-opaque-token-principal]] |
|
==== Additional Configurations |
|
|
|
There are additional methods, too, for further configuring the authentication; it simply depends on what data your controller expects. |
|
|
|
One such is `principal(OAuth2AuthenticatedPrincipal)`, which you can use to configure the complete `OAuth2AuthenticatedPrincipal` instance that underlies the `BearerTokenAuthentication` |
|
|
|
It's handy if you: |
|
1. Have your own implementation of `OAuth2AuthenticatedPrincipal`, or |
|
2. Want to specify a different principal name |
|
|
|
For example, let's say that your authorization server sends the principal name in the `user_name` attribute instead of the `sub` attribute. |
|
In that case, you can configure an `OAuth2AuthenticatedPrincipal` by hand: |
|
|
|
==== |
|
.Java |
|
[source,java,role="primary"] |
|
---- |
|
Map<String, Object> attributes = Collections.singletonMap("user_name", "foo_user"); |
|
OAuth2AuthenticatedPrincipal principal = new DefaultOAuth2AuthenticatedPrincipal( |
|
(String) attributes.get("user_name"), |
|
attributes, |
|
AuthorityUtils.createAuthorityList("SCOPE_message:read")); |
|
|
|
client |
|
.mutateWith(mockOpaqueToken().principal(principal)) |
|
.get().uri("/endpoint").exchange(); |
|
---- |
|
|
|
.Kotlin |
|
[source,kotlin,role="secondary"] |
|
---- |
|
val attributes: Map<String, Any> = mapOf(Pair("user_name", "foo_user")) |
|
val principal: OAuth2AuthenticatedPrincipal = DefaultOAuth2AuthenticatedPrincipal( |
|
attributes["user_name"] as String?, |
|
attributes, |
|
AuthorityUtils.createAuthorityList("SCOPE_message:read") |
|
) |
|
|
|
client |
|
.mutateWith(mockOpaqueToken().principal(principal)) |
|
.get().uri("/endpoint").exchange() |
|
---- |
|
==== |
|
|
|
Note that as an alternative to using `mockOpaqueToken()` test support, you can also mock the `OpaqueTokenIntrospector` bean itself with a `@MockBean` annotation.
|
|
|