Merge branch '5.8.x'
Closes gh-11894
This commit is contained in:
@@ -32,6 +32,7 @@ import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.eq;
|
||||
import static org.mockito.ArgumentMatchers.isNull;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
@@ -74,46 +75,44 @@ public class CsrfAuthenticationStrategyTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setRequestAttributeHandlerWhenNullThenIllegalStateException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.strategy.setRequestAttributeHandler(null))
|
||||
.withMessage("requestAttributeHandler cannot be null");
|
||||
public void setRequestHandlerWhenNullThenIllegalStateException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.strategy.setRequestHandler(null))
|
||||
.withMessage("requestHandler cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void onAuthenticationWhenCustomRequestAttributeHandlerThenUsed() {
|
||||
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
|
||||
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
|
||||
|
||||
CsrfTokenRequestAttributeHandler requestAttributeHandler = mock(CsrfTokenRequestAttributeHandler.class);
|
||||
this.strategy.setRequestAttributeHandler(requestAttributeHandler);
|
||||
public void onAuthenticationWhenCustomRequestHandlerThenUsed() {
|
||||
CsrfTokenRequestHandler requestHandler = mock(CsrfTokenRequestHandler.class);
|
||||
this.strategy.setRequestHandler(requestHandler);
|
||||
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
|
||||
this.response);
|
||||
verify(requestAttributeHandler).handle(eq(this.request), eq(this.response), any());
|
||||
verifyNoMoreInteractions(requestAttributeHandler);
|
||||
verify(requestHandler).handle(eq(this.request), eq(this.response));
|
||||
verifyNoMoreInteractions(requestHandler);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void logoutRemovesCsrfTokenAndSavesNew() {
|
||||
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
|
||||
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(null, this.existingToken);
|
||||
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
|
||||
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
|
||||
this.response);
|
||||
verify(this.csrfTokenRepository).saveToken(null, this.request, this.response);
|
||||
verify(this.csrfTokenRepository).saveToken(eq(this.generatedToken), any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class));
|
||||
// SEC-2404, SEC-2832
|
||||
CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
|
||||
assertThat(tokenInRequest.getToken()).isSameAs(this.generatedToken.getToken());
|
||||
assertThat(tokenInRequest.getHeaderName()).isSameAs(this.generatedToken.getHeaderName());
|
||||
assertThat(tokenInRequest.getParameterName()).isSameAs(this.generatedToken.getParameterName());
|
||||
assertThat(this.request.getAttribute(this.generatedToken.getParameterName())).isSameAs(tokenInRequest);
|
||||
// verify after the test accesses the CsrfToken which causes the lazy save to
|
||||
// occur
|
||||
verify(this.csrfTokenRepository).saveToken(null, this.request, this.response);
|
||||
verify(this.csrfTokenRepository).saveToken(eq(this.generatedToken), any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class));
|
||||
}
|
||||
|
||||
// SEC-2872
|
||||
@Test
|
||||
public void delaySavingCsrf() {
|
||||
this.strategy = new CsrfAuthenticationStrategy(new LazyCsrfTokenRepository(this.csrfTokenRepository));
|
||||
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
|
||||
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
|
||||
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
|
||||
this.response);
|
||||
@@ -127,10 +126,10 @@ public class CsrfAuthenticationStrategyTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void logoutRemovesNoActionIfNullToken() {
|
||||
public void logoutWhenNoCsrfToken() {
|
||||
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
|
||||
this.response);
|
||||
verify(this.csrfTokenRepository, never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
|
||||
verify(this.csrfTokenRepository).saveToken(isNull(), any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class));
|
||||
}
|
||||
|
||||
|
||||
@@ -23,8 +23,6 @@ import jakarta.servlet.FilterChain;
|
||||
import jakarta.servlet.ServletException;
|
||||
import jakarta.servlet.http.HttpServletRequest;
|
||||
import jakarta.servlet.http.HttpServletResponse;
|
||||
import org.assertj.core.api.AbstractObjectAssert;
|
||||
import org.assertj.core.api.ObjectAssert;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
@@ -45,10 +43,12 @@ import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.lenient;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.spy;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoInteractions;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
import static org.springframework.security.web.csrf.CsrfTokenAssert.assertThatCsrfToken;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
@@ -127,8 +127,8 @@ public class CsrfFilterTests {
|
||||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
@@ -139,8 +139,8 @@ public class CsrfFilterTests {
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
@@ -151,8 +151,8 @@ public class CsrfFilterTests {
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
@@ -165,8 +165,8 @@ public class CsrfFilterTests {
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
|
||||
this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
@@ -176,8 +176,8 @@ public class CsrfFilterTests {
|
||||
given(this.requestMatcher.matches(this.request)).willReturn(false);
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
}
|
||||
@@ -187,8 +187,8 @@ public class CsrfFilterTests {
|
||||
given(this.requestMatcher.matches(this.request)).willReturn(false);
|
||||
given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
}
|
||||
@@ -199,8 +199,8 @@ public class CsrfFilterTests {
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
}
|
||||
@@ -213,8 +213,8 @@ public class CsrfFilterTests {
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
|
||||
this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
}
|
||||
@@ -225,8 +225,8 @@ public class CsrfFilterTests {
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
verifyNoMoreInteractions(this.deniedHandler);
|
||||
verify(this.tokenRepository, never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
|
||||
@@ -239,8 +239,8 @@ public class CsrfFilterTests {
|
||||
given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
// LazyCsrfTokenRepository requires the response as an attribute
|
||||
assertThat(this.request.getAttribute(HttpServletResponse.class.getName())).isEqualTo(this.response);
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
@@ -254,7 +254,6 @@ public class CsrfFilterTests {
|
||||
this.filter.setAccessDeniedHandler(this.deniedHandler);
|
||||
for (String method : Arrays.asList("GET", "TRACE", "OPTIONS", "HEAD")) {
|
||||
resetRequestResponse();
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.request.setMethod(method);
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
@@ -305,8 +304,8 @@ public class CsrfFilterTests {
|
||||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
|
||||
verifyNoMoreInteractions(this.filterChain);
|
||||
}
|
||||
@@ -337,14 +336,14 @@ public class CsrfFilterTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenRequestAttributeHandlerThenUsed() throws Exception {
|
||||
given(this.requestMatcher.matches(this.request)).willReturn(true);
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
CsrfTokenRequestAttributeHandler requestAttributeHandler = mock(CsrfTokenRequestAttributeHandler.class);
|
||||
this.filter.setRequestAttributeHandler(requestAttributeHandler);
|
||||
public void doFilterWhenRequestHandlerThenUsed() throws Exception {
|
||||
CsrfTokenRequestHandler requestHandler = mock(CsrfTokenRequestHandler.class);
|
||||
given(requestHandler.handle(this.request, this.response))
|
||||
.willReturn(new TestDeferredCsrfToken(this.token, false));
|
||||
this.filter.setRequestHandler(requestHandler);
|
||||
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
|
||||
this.filter.doFilter(this.request, this.response, this.filterChain);
|
||||
verify(requestAttributeHandler).handle(eq(this.request), eq(this.response), any());
|
||||
verify(requestHandler).handle(eq(this.request), eq(this.response));
|
||||
verify(this.filterChain).doFilter(this.request, this.response);
|
||||
}
|
||||
|
||||
@@ -377,39 +376,40 @@ public class CsrfFilterTests {
|
||||
CsrfFilter filter = createCsrfFilter(this.tokenRepository);
|
||||
String csrfAttrName = "_csrf";
|
||||
CsrfTokenRequestProcessor csrfTokenRequestProcessor = new CsrfTokenRequestProcessor();
|
||||
csrfTokenRequestProcessor.setTokenRepository(this.tokenRepository);
|
||||
csrfTokenRequestProcessor.setCsrfRequestAttributeName(csrfAttrName);
|
||||
filter.setRequestAttributeHandler(csrfTokenRequestProcessor);
|
||||
CsrfToken expectedCsrfToken = mock(CsrfToken.class);
|
||||
filter.setRequestHandler(csrfTokenRequestProcessor);
|
||||
CsrfToken expectedCsrfToken = spy(this.token);
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(expectedCsrfToken);
|
||||
|
||||
filter.doFilter(this.request, this.response, this.filterChain);
|
||||
|
||||
verifyNoInteractions(expectedCsrfToken);
|
||||
CsrfToken tokenFromRequest = (CsrfToken) this.request.getAttribute(csrfAttrName);
|
||||
assertThat(tokenFromRequest).isEqualTo(expectedCsrfToken);
|
||||
assertThatCsrfToken(tokenFromRequest).isEqualTo(expectedCsrfToken);
|
||||
}
|
||||
|
||||
private static CsrfTokenAssert assertToken(Object token) {
|
||||
return new CsrfTokenAssert((CsrfToken) token);
|
||||
}
|
||||
private static final class TestDeferredCsrfToken implements DeferredCsrfToken {
|
||||
|
||||
private static class CsrfTokenAssert extends AbstractObjectAssert<CsrfTokenAssert, CsrfToken> {
|
||||
private final CsrfToken csrfToken;
|
||||
|
||||
/**
|
||||
* Creates a new {@link ObjectAssert}.
|
||||
* @param actual the target to verify.
|
||||
*/
|
||||
protected CsrfTokenAssert(CsrfToken actual) {
|
||||
super(actual, CsrfTokenAssert.class);
|
||||
private final boolean isGenerated;
|
||||
|
||||
private TestDeferredCsrfToken(CsrfToken csrfToken, boolean isGenerated) {
|
||||
this.csrfToken = csrfToken;
|
||||
this.isGenerated = isGenerated;
|
||||
}
|
||||
|
||||
CsrfTokenAssert isEqualTo(CsrfToken expected) {
|
||||
assertThat(this.actual.getHeaderName()).isEqualTo(expected.getHeaderName());
|
||||
assertThat(this.actual.getParameterName()).isEqualTo(expected.getParameterName());
|
||||
assertThat(this.actual.getToken()).isEqualTo(expected.getToken());
|
||||
return this;
|
||||
@Override
|
||||
public CsrfToken get() {
|
||||
return this.csrfToken;
|
||||
}
|
||||
|
||||
}
|
||||
@Override
|
||||
public boolean isGenerated() {
|
||||
return this.isGenerated;
|
||||
}
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
@@ -0,0 +1,48 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.csrf;
|
||||
|
||||
import org.assertj.core.api.AbstractAssert;
|
||||
import org.assertj.core.api.Assertions;
|
||||
|
||||
/**
|
||||
* Assertion for validating the properties on CsrfToken are the same.
|
||||
*/
|
||||
public class CsrfTokenAssert extends AbstractAssert<CsrfTokenAssert, CsrfToken> {
|
||||
|
||||
protected CsrfTokenAssert(CsrfToken csrfToken) {
|
||||
super(csrfToken, CsrfTokenAssert.class);
|
||||
}
|
||||
|
||||
public static CsrfTokenAssert assertThatCsrfToken(Object csrfToken) {
|
||||
return new CsrfTokenAssert((CsrfToken) csrfToken);
|
||||
}
|
||||
|
||||
public static CsrfTokenAssert assertThat(CsrfToken csrfToken) {
|
||||
return new CsrfTokenAssert(csrfToken);
|
||||
}
|
||||
|
||||
public CsrfTokenAssert isEqualTo(CsrfToken csrfToken) {
|
||||
isNotNull();
|
||||
assertThat(csrfToken).isNotNull();
|
||||
Assertions.assertThat(this.actual.getHeaderName()).isEqualTo(csrfToken.getHeaderName());
|
||||
Assertions.assertThat(this.actual.getParameterName()).isEqualTo(csrfToken.getParameterName());
|
||||
Assertions.assertThat(this.actual.getToken()).isEqualTo(csrfToken.getToken());
|
||||
return this;
|
||||
}
|
||||
|
||||
}
|
||||
@@ -18,12 +18,17 @@ package org.springframework.security.web.csrf;
|
||||
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.jupiter.MockitoExtension;
|
||||
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.springframework.security.web.csrf.CsrfTokenAssert.assertThatCsrfToken;
|
||||
|
||||
/**
|
||||
* Tests for {@link CsrfTokenRequestProcessor}.
|
||||
@@ -31,8 +36,12 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
|
||||
* @author Steve Riesenberg
|
||||
* @since 5.8
|
||||
*/
|
||||
@ExtendWith(MockitoExtension.class)
|
||||
public class CsrfTokenRequestProcessorTests {
|
||||
|
||||
@Mock
|
||||
CsrfTokenRepository tokenRepository;
|
||||
|
||||
private MockHttpServletRequest request;
|
||||
|
||||
private MockHttpServletResponse response;
|
||||
@@ -47,48 +56,36 @@ public class CsrfTokenRequestProcessorTests {
|
||||
this.response = new MockHttpServletResponse();
|
||||
this.token = new DefaultCsrfToken("headerName", "paramName", "csrfTokenValue");
|
||||
this.processor = new CsrfTokenRequestProcessor();
|
||||
this.processor.setTokenRepository(this.tokenRepository);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenRequestIsNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.processor.handle(null, this.response, () -> this.token))
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.processor.handle(null, this.response))
|
||||
.withMessage("request cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenResponseIsNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.processor.handle(this.request, null, () -> this.token))
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.processor.handle(this.request, null))
|
||||
.withMessage("response cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenCsrfTokenSupplierIsNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.processor.handle(this.request, this.response, null))
|
||||
.withMessage("csrfToken supplier cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.processor.handle(this.request, this.response, () -> null))
|
||||
.withMessage("csrfToken cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenCsrfRequestAttributeSetThenUsed() {
|
||||
this.processor.setCsrfRequestAttributeName("_csrf.attr");
|
||||
this.processor.handle(this.request, this.response, () -> this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute("_csrf.attr")).isEqualTo(this.token);
|
||||
given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
|
||||
this.processor.setCsrfRequestAttributeName("_csrf");
|
||||
this.processor.handle(this.request, this.response);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute("_csrf")).isEqualTo(this.token);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenValidParametersThenRequestAttributesSet() {
|
||||
this.processor.handle(this.request, this.response, () -> this.token);
|
||||
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThat(this.request.getAttribute("_csrf")).isEqualTo(this.token);
|
||||
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
|
||||
this.processor.handle(this.request, this.response);
|
||||
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
|
||||
assertThatCsrfToken(this.request.getAttribute("_csrf")).isEqualTo(this.token);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
Reference in New Issue
Block a user