Add WebFlux CSRF Protection

Fixes gh-4734
This commit is contained in:
Rob Winch
2017-10-28 20:27:57 -05:00
parent f040bd054d
commit 8da2c7f657
16 changed files with 943 additions and 12 deletions

View File

@@ -0,0 +1,185 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.csrf;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.server.WebFilterChain;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
import reactor.test.publisher.PublisherProbe;
import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.when;
/**
* @author Rob Winch
* @since 5.0
*/
@RunWith(MockitoJUnitRunner.class)
public class CsrfWebFilterTests {
@Mock
private WebFilterChain chain;
@Mock
private ServerCsrfTokenRepository repository;
private CsrfToken token = new DefaultCsrfToken("csrf", "CSRF", "a");
private CsrfWebFilter csrfFilter = new CsrfWebFilter();
private MockServerWebExchange get = MockServerWebExchange.from(
MockServerHttpRequest.get("/"));
private MockServerWebExchange post = MockServerWebExchange.from(
MockServerHttpRequest.post("/"));
@Test
public void filterWhenGetThenSessionNotCreatedAndChainContinues() {
PublisherProbe<Void> chainResult = PublisherProbe.empty();
when(this.chain.filter(this.get)).thenReturn(chainResult.mono());
Mono<Void> result = this.csrfFilter.filter(this.get, this.chain);
StepVerifier.create(result)
.verifyComplete();
Mono<Boolean> isSessionStarted = this.get.getSession()
.map(WebSession::isStarted);
StepVerifier.create(isSessionStarted)
.expectNext(false)
.verifyComplete();
chainResult.assertWasSubscribed();
}
@Test
public void filterWhenPostAndNoTokenThenCsrfException() {
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
StepVerifier.create(result)
.verifyComplete();
assertThat(this.post.getResponse().getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
}
@Test
public void filterWhenPostAndEstablishedCsrfTokenAndRequestMissingTokenThenCsrfException() {
this.csrfFilter.setServerCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
StepVerifier.create(result)
.verifyComplete();
assertThat(this.post.getResponse().getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
}
@Test
public void filterWhenPostAndEstablishedCsrfTokenAndRequestParamInvalidTokenThenCsrfException() {
this.csrfFilter.setServerCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
.body(this.token.getParameterName() + "="+this.token.getToken()+"INVALID"));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
StepVerifier.create(result)
.verifyComplete();
assertThat(this.post.getResponse().getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
}
@Test
public void filterWhenPostAndEstablishedCsrfTokenAndRequestParamValidTokenThenContinues() {
PublisherProbe<Void> chainResult = PublisherProbe.empty();
when(this.chain.filter(any())).thenReturn(chainResult.mono());
this.csrfFilter.setServerCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
.body(this.token.getParameterName() + "="+this.token.getToken()));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
StepVerifier.create(result)
.verifyComplete();
chainResult.assertWasSubscribed();
}
@Test
public void filterWhenPostAndEstablishedCsrfTokenAndHeaderInvalidTokenThenCsrfException() {
this.csrfFilter.setServerCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
.header(this.token.getHeaderName(), this.token.getToken()+"INVALID"));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
StepVerifier.create(result)
.verifyComplete();
assertThat(this.post.getResponse().getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
}
@Test
public void filterWhenPostAndEstablishedCsrfTokenAndHeaderValidTokenThenContinues() {
PublisherProbe<Void> chainResult = PublisherProbe.empty();
when(this.chain.filter(any())).thenReturn(chainResult.mono());
this.csrfFilter.setServerCsrfTokenRepository(this.repository);
when(this.repository.loadToken(any()))
.thenReturn(Mono.just(this.token));
when(this.repository.generateToken(any()))
.thenReturn(Mono.just(this.token));
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
.header(this.token.getHeaderName(), this.token.getToken()));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
StepVerifier.create(result)
.verifyComplete();
chainResult.assertWasSubscribed();
}
}

View File

@@ -0,0 +1,112 @@
/*
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.csrf;
import org.junit.Test;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.web.server.WebSession;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
import java.util.Map;
import static org.assertj.core.api.Assertions.*;
/**
* @author Rob Winch
* @since 5.0
*/
public class WebSessionServerCsrfTokenRepositoryTests {
private WebSessionServerCsrfTokenRepository repository = new WebSessionServerCsrfTokenRepository();
private MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/"));
@Test
public void generateTokenWhenNoSubscriptionThenNoSession() {
Mono<CsrfToken> result = this.repository.generateToken(this.exchange);
Mono<Boolean> isSessionStarted = this.exchange.getSession()
.map(WebSession::isStarted);
StepVerifier.create(isSessionStarted)
.expectNext(false)
.verifyComplete();
}
@Test
public void generateTokenWhenSubscriptionThenAddsToSession() {
Mono<CsrfToken> result = this.repository.generateToken(this.exchange);
StepVerifier.create(result)
.consumeNextWith( t -> assertThat(t).isNotNull())
.verifyComplete();
WebSession session = this.exchange.getSession().block();
Map<String, Object> attributes = session.getAttributes();
assertThat(session.isStarted()).isTrue();
assertThat(attributes).hasSize(1);
assertThat(attributes.values().iterator().next()).isInstanceOf(CsrfToken.class);
}
@Test
public void saveTokenWhenSetSessionAttributeNameAndSubscriptionThenAddsToSession() {
CsrfToken token = new DefaultCsrfToken("h","p", "t");
String attrName = "ATTR";
this.repository.setSessionAttributeName(attrName);
Mono<Void> result = this.repository.saveToken(this.exchange, token);
StepVerifier.create(result)
.verifyComplete();
WebSession session = this.exchange.getSession().block();
assertThat(session.isStarted()).isTrue();
assertThat(session.<WebSession>getAttribute(attrName)).isEqualTo(token);
}
@Test
public void saveTokenWhenNullThenDeletes() {
CsrfToken token = new DefaultCsrfToken("h","p", "t");
this.repository.saveToken(this.exchange, token).block();
Mono<Void> result = this.repository.saveToken(this.exchange, null);
StepVerifier.create(result)
.verifyComplete();
WebSession session = this.exchange.getSession().block();
assertThat(session.getAttributes()).isEmpty();
}
@Test
public void generateTokenAndLoadTokenDeleteTokenWhenNullThenDeletes() {
CsrfToken generate = this.repository.generateToken(this.exchange).block();
CsrfToken load = this.repository.loadToken(this.exchange).block();
assertThat(load).isEqualTo(generate);
this.repository.saveToken(this.exchange, null).block();
WebSession session = this.exchange.getSession().block();
assertThat(session.getAttributes()).isEmpty();
load = this.repository.loadToken(this.exchange).block();
assertThat(load).isNull();
}
}