Support AuthorizationManager for intercept-methods Element

Closes gh-11328
This commit is contained in:
Josh Cummings
2022-07-06 12:52:32 -06:00
parent 415a674edc
commit 74a007dc91
6 changed files with 308 additions and 5 deletions

View File

@@ -16,6 +16,7 @@
package org.springframework.security.config.method;
import org.aopalliance.intercept.MethodInvocation;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
@@ -32,6 +33,8 @@ import org.springframework.security.authentication.AuthenticationCredentialsNotF
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.TestBusinessBean;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
@@ -41,6 +44,9 @@ import org.springframework.test.context.junit.jupiter.SpringExtension;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.verify;
/**
* @author Luke Taylor
@@ -57,6 +63,21 @@ public class InterceptMethodsBeanDefinitionDecoratorTests implements Application
@Qualifier("transactionalTarget")
private TestBusinessBean transactionalTarget;
@Autowired
@Qualifier("targetAuthorizationManager")
private TestBusinessBean targetAuthorizationManager;
@Autowired
@Qualifier("transactionalTargetAuthorizationManager")
private TestBusinessBean transactionalTargetAuthorizationManager;
@Autowired
@Qualifier("targetCustomAuthorizationManager")
private TestBusinessBean targetCustomAuthorizationManager;
@Autowired
private AuthorizationManager<MethodInvocation> mockAuthorizationManager;
private ApplicationContext appContext;
@BeforeAll
@@ -72,10 +93,12 @@ public class InterceptMethodsBeanDefinitionDecoratorTests implements Application
@Test
public void targetDoesntLoseApplicationListenerInterface() {
assertThat(this.appContext.getBeansOfType(ApplicationListener.class)).hasSize(1);
assertThat(this.appContext.getBeanNamesForType(ApplicationListener.class)).hasSize(1);
assertThat(this.appContext.getBeansOfType(ApplicationListener.class)).isNotEmpty();
assertThat(this.appContext.getBeanNamesForType(ApplicationListener.class)).isNotEmpty();
this.appContext.publishEvent(new AuthenticationSuccessEvent(new TestingAuthenticationToken("user", "")));
assertThat(this.target).isInstanceOf(ApplicationListener.class);
assertThat(this.targetAuthorizationManager).isInstanceOf(ApplicationListener.class);
assertThat(this.targetCustomAuthorizationManager).isInstanceOf(ApplicationListener.class);
}
@Test
@@ -110,6 +133,46 @@ public class InterceptMethodsBeanDefinitionDecoratorTests implements Application
assertThatExceptionOfType(AuthenticationException.class).isThrownBy(this.transactionalTarget::doSomething);
}
@Test
public void targetAuthorizationManagerShouldAllowUnprotectedMethodInvocationWithNoContext() {
this.targetAuthorizationManager.unprotected();
}
@Test
public void targetAuthorizationManagerShouldPreventProtectedMethodInvocationWithNoContext() {
assertThatExceptionOfType(AuthenticationCredentialsNotFoundException.class)
.isThrownBy(this.targetAuthorizationManager::doSomething);
}
@Test
public void targetAuthorizationManagerShouldAllowProtectedMethodInvocationWithCorrectRole() {
UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test",
"Password", AuthorityUtils.createAuthorityList("ROLE_USER"));
SecurityContextHolder.getContext().setAuthentication(token);
this.targetAuthorizationManager.doSomething();
}
@Test
public void targetAuthorizationManagerShouldPreventProtectedMethodInvocationWithIncorrectRole() {
UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated("Test",
"Password", AuthorityUtils.createAuthorityList("ROLE_SOMEOTHERROLE"));
SecurityContextHolder.getContext().setAuthentication(token);
assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(this.targetAuthorizationManager::doSomething);
}
@Test
public void transactionalAuthorizationManagerMethodsShouldBeSecured() {
assertThatExceptionOfType(AuthenticationException.class)
.isThrownBy(this.transactionalTargetAuthorizationManager::doSomething);
}
@Test
public void targetCustomAuthorizationManagerUsed() {
given(this.mockAuthorizationManager.check(any(), any())).willReturn(new AuthorizationDecision(true));
this.targetCustomAuthorizationManager.doSomething();
verify(this.mockAuthorizationManager).check(any(), any());
}
@Override
public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
this.appContext = applicationContext;