Add Request-level CSRF Skip
Fixes gh-7367
This commit is contained in:
@@ -31,6 +31,7 @@ import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
|
||||
import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.web.access.AccessDeniedHandler;
|
||||
@@ -39,6 +40,8 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.eq;
|
||||
import static org.mockito.Mockito.lenient;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
import static org.mockito.Mockito.times;
|
||||
import static org.mockito.Mockito.verify;
|
||||
@@ -390,6 +393,22 @@ public class CsrfFilterTests {
|
||||
verifyZeroInteractions(this.filterChain);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenSkipRequestInvokedThenSkips()
|
||||
throws Exception {
|
||||
|
||||
CsrfTokenRepository repository = mock(CsrfTokenRepository.class);
|
||||
CsrfFilter filter = new CsrfFilter(repository);
|
||||
|
||||
lenient().when(repository.loadToken(any(HttpServletRequest.class))).thenReturn(this.token);
|
||||
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
CsrfFilter.skipRequest(request);
|
||||
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
|
||||
|
||||
verifyZeroInteractions(repository);
|
||||
}
|
||||
|
||||
@Test(expected = IllegalArgumentException.class)
|
||||
public void setRequireCsrfProtectionMatcherNull() {
|
||||
this.filter.setRequireCsrfProtectionMatcher(null);
|
||||
|
||||
@@ -20,19 +20,24 @@ import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.web.server.WebFilterChain;
|
||||
import org.springframework.web.server.WebSession;
|
||||
import reactor.core.publisher.Mono;
|
||||
import reactor.test.StepVerifier;
|
||||
import reactor.test.publisher.PublisherProbe;
|
||||
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
|
||||
import org.springframework.web.server.WebFilterChain;
|
||||
import org.springframework.web.server.WebSession;
|
||||
|
||||
import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verifyZeroInteractions;
|
||||
import static org.mockito.Mockito.when;
|
||||
import static org.springframework.mock.web.server.MockServerWebExchange.from;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
@@ -49,10 +54,10 @@ public class CsrfWebFilterTests {
|
||||
|
||||
private CsrfWebFilter csrfFilter = new CsrfWebFilter();
|
||||
|
||||
private MockServerWebExchange get = MockServerWebExchange.from(
|
||||
private MockServerWebExchange get = from(
|
||||
MockServerHttpRequest.get("/"));
|
||||
|
||||
private MockServerWebExchange post = MockServerWebExchange.from(
|
||||
private MockServerWebExchange post = from(
|
||||
MockServerHttpRequest.post("/"));
|
||||
|
||||
@Test
|
||||
@@ -104,7 +109,7 @@ public class CsrfWebFilterTests {
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
when(this.repository.loadToken(any()))
|
||||
.thenReturn(Mono.just(this.token));
|
||||
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
|
||||
this.post = from(MockServerHttpRequest.post("/")
|
||||
.body(this.token.getParameterName() + "="+this.token.getToken()+"INVALID"));
|
||||
|
||||
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
|
||||
@@ -125,7 +130,7 @@ public class CsrfWebFilterTests {
|
||||
.thenReturn(Mono.just(this.token));
|
||||
when(this.repository.generateToken(any()))
|
||||
.thenReturn(Mono.just(this.token));
|
||||
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
|
||||
this.post = from(MockServerHttpRequest.post("/")
|
||||
.contentType(MediaType.APPLICATION_FORM_URLENCODED)
|
||||
.body(this.token.getParameterName() + "="+this.token.getToken()));
|
||||
|
||||
@@ -142,7 +147,7 @@ public class CsrfWebFilterTests {
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
when(this.repository.loadToken(any()))
|
||||
.thenReturn(Mono.just(this.token));
|
||||
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
|
||||
this.post = from(MockServerHttpRequest.post("/")
|
||||
.header(this.token.getHeaderName(), this.token.getToken()+"INVALID"));
|
||||
|
||||
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
|
||||
@@ -163,7 +168,7 @@ public class CsrfWebFilterTests {
|
||||
.thenReturn(Mono.just(this.token));
|
||||
when(this.repository.generateToken(any()))
|
||||
.thenReturn(Mono.just(this.token));
|
||||
this.post = MockServerWebExchange.from(MockServerHttpRequest.post("/")
|
||||
this.post = from(MockServerHttpRequest.post("/")
|
||||
.header(this.token.getHeaderName(), this.token.getToken()));
|
||||
|
||||
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
|
||||
@@ -173,4 +178,19 @@ public class CsrfWebFilterTests {
|
||||
|
||||
chainResult.assertWasSubscribed();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterWhenSkipExchangeInvokedThenSkips() {
|
||||
PublisherProbe<Void> chainResult = PublisherProbe.empty();
|
||||
when(this.chain.filter(any())).thenReturn(chainResult.mono());
|
||||
|
||||
ServerWebExchangeMatcher matcher = mock(ServerWebExchangeMatcher.class);
|
||||
this.csrfFilter.setRequireCsrfProtectionMatcher(matcher);
|
||||
|
||||
MockServerWebExchange exchange = from(MockServerHttpRequest.post("/post").build());
|
||||
CsrfWebFilter.skipExchange(exchange);
|
||||
this.csrfFilter.filter(exchange, this.chain).block();
|
||||
|
||||
verifyZeroInteractions(matcher);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user