Add x509 support for Reactive Security

[gh #5038]
This commit is contained in:
Alexey Nesterov
2018-12-24 13:33:29 +03:00
committed by Rob Winch
parent 0957ecb1e9
commit 9a67441507
6 changed files with 484 additions and 0 deletions

View File

@@ -0,0 +1,104 @@
/*
* Copyright 2002-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.authentication;
import org.junit.Test;
import org.springframework.security.authentication.AccountExpiredException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import reactor.core.publisher.Mono;
import java.util.Collections;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
/**
* @author Alexey Nesterov
* @since 5.2
*/
public class ReactivePreAuthenticatedAuthenticationManagerTest {
private ReactiveUserDetailsService mockUserDetailsService
= mock(ReactiveUserDetailsService.class);
private ReactivePreAuthenticatedAuthenticationManager manager
= new ReactivePreAuthenticatedAuthenticationManager(mockUserDetailsService);
private final User validAccount = new User("valid", "", Collections.emptySet());
private final User nonExistingAccount = new User("non existing", "", Collections.emptySet());
private final User disabledAccount = new User("disabled", "", false, true, true, true, Collections.emptySet());
private final User expiredAccount = new User("expired", "", true, false, true, true, Collections.emptySet());
private final User accountWithExpiredCredentials = new User("credentials expired", "", true, true, false, true, Collections.emptySet());
private final User lockedAccount = new User("locked", "", true, true, true, false, Collections.emptySet());
@Test
public void returnsAuthenticatedTokenForValidAccount() {
when(mockUserDetailsService.findByUsername(anyString())).thenReturn(Mono.just(validAccount));
Authentication authentication = manager.authenticate(tokenForUser(validAccount.getUsername())).block();
assertThat(authentication.isAuthenticated()).isEqualTo(true);
}
@Test(expected = UsernameNotFoundException.class)
public void returnsNullForNonExistingAccount() {
when(mockUserDetailsService.findByUsername(anyString())).thenReturn(Mono.empty());
manager.authenticate(tokenForUser(nonExistingAccount.getUsername())).block();
}
@Test(expected = LockedException.class)
public void throwsExceptionForLockedAccount() {
when(mockUserDetailsService.findByUsername(anyString())).thenReturn(Mono.just(lockedAccount));
manager.authenticate(tokenForUser(lockedAccount.getUsername())).block();
}
@Test(expected = DisabledException.class)
public void throwsExceptionForDisabledAccount() {
when(mockUserDetailsService.findByUsername(anyString())).thenReturn(Mono.just(disabledAccount));
manager.authenticate(tokenForUser(disabledAccount.getUsername())).block();
}
@Test(expected = AccountExpiredException.class)
public void throwsExceptionForExpiredAccount() {
when(mockUserDetailsService.findByUsername(anyString())).thenReturn(Mono.just(expiredAccount));
manager.authenticate(tokenForUser(expiredAccount.getUsername())).block();
}
@Test(expected = CredentialsExpiredException.class)
public void throwsExceptionForAccountWithExpiredCredentials() {
when(mockUserDetailsService.findByUsername(anyString())).thenReturn(Mono.just(accountWithExpiredCredentials));
manager.authenticate(tokenForUser(accountWithExpiredCredentials.getUsername())).block();
}
private Authentication tokenForUser(String username) {
return new PreAuthenticatedAuthenticationToken(username, null);
}
}

View File

@@ -0,0 +1,94 @@
/*
* Copyright 2002-2018 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.authentication;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.http.server.reactive.SslInfo;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
import org.springframework.security.web.authentication.preauth.x509.X509TestUtils;
import java.security.cert.X509Certificate;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.when;
@RunWith(MockitoJUnitRunner.class)
public class ServerX509AuthenticationConverterTests {
@Mock
private X509PrincipalExtractor principalExtractor;
@InjectMocks
private ServerX509AuthenticationConverter converter;
private X509Certificate certificate;
private MockServerHttpRequest.BaseBuilder<?> request;
@Before
public void setUp() throws Exception {
request = MockServerHttpRequest.get("/");
certificate = X509TestUtils.buildTestCertificate();
when(principalExtractor.extractPrincipal(any())).thenReturn("Luke Taylor");
}
@Test
public void shouldReturnNullForInvalidCertificate() {
Authentication authentication = converter.convert(MockServerWebExchange.from(request.build())).block();
assertThat(authentication).isNull();
}
@Test
public void shouldReturnAuthenticationForValidCertificate() {
request.sslInfo(new MockSslInfo(certificate));
Authentication authentication = converter.convert(MockServerWebExchange.from(request.build())).block();
assertThat(authentication.getName()).isEqualTo("Luke Taylor");
assertThat(authentication.getCredentials()).isEqualTo(certificate);
}
class MockSslInfo implements SslInfo {
private final X509Certificate[] peerCertificates;
MockSslInfo(X509Certificate... peerCertificates) {
this.peerCertificates = peerCertificates;
}
@Override
public String getSessionId() {
return "mock-session-id";
}
@Override
public X509Certificate[] getPeerCertificates() {
return this.peerCertificates;
}
}
}