CsrfTokenRequestAttributeHandler -> CsrfTokenRequestHandler

This renames CsrfTokenRequestAttributeHandler to CsrfTokenRequestHandler and
moves usage from CsrfFilter into CsrfTokenRequestHandler.

Closes gh-11892
This commit is contained in:
Rob Winch
2022-09-22 09:26:53 -05:00
parent c1d27612af
commit d94677f87e
27 changed files with 408 additions and 312 deletions

View File

@@ -75,27 +75,24 @@ public class CsrfAuthenticationStrategyTests {
}
@Test
public void setRequestAttributeHandlerWhenNullThenIllegalStateException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.strategy.setRequestAttributeHandler(null))
.withMessage("requestAttributeHandler cannot be null");
public void setRequestHandlerWhenNullThenIllegalStateException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.strategy.setRequestHandler(null))
.withMessage("requestHandler cannot be null");
}
@Test
public void onAuthenticationWhenCustomRequestAttributeHandlerThenUsed() {
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
CsrfTokenRequestAttributeHandler requestAttributeHandler = mock(CsrfTokenRequestAttributeHandler.class);
this.strategy.setRequestAttributeHandler(requestAttributeHandler);
public void onAuthenticationWhenCustomRequestHandlerThenUsed() {
CsrfTokenRequestHandler requestHandler = mock(CsrfTokenRequestHandler.class);
this.strategy.setRequestHandler(requestHandler);
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
this.response);
verify(requestAttributeHandler).handle(eq(this.request), eq(this.response), any());
verifyNoMoreInteractions(requestAttributeHandler);
verify(requestHandler).handle(eq(this.request), eq(this.response));
verifyNoMoreInteractions(requestHandler);
}
@Test
public void logoutRemovesCsrfTokenAndSavesNew() {
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(null, this.existingToken);
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
this.response);
@@ -114,7 +111,6 @@ public class CsrfAuthenticationStrategyTests {
@Test
public void delaySavingCsrf() {
this.strategy = new CsrfAuthenticationStrategy(new LazyCsrfTokenRepository(this.csrfTokenRepository));
given(this.csrfTokenRepository.loadToken(this.request)).willReturn(this.existingToken);
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
this.response);
@@ -128,10 +124,11 @@ public class CsrfAuthenticationStrategyTests {
}
@Test
public void logoutRemovesNoActionIfNullToken() {
public void logoutWhenNoCsrfToken() {
given(this.csrfTokenRepository.generateToken(this.request)).willReturn(this.generatedToken);
this.strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"), this.request,
this.response);
verify(this.csrfTokenRepository, never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
verify(this.csrfTokenRepository).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
any(HttpServletResponse.class));
}

View File

@@ -24,8 +24,6 @@ import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.assertj.core.api.AbstractObjectAssert;
import org.assertj.core.api.ObjectAssert;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
@@ -46,10 +44,12 @@ import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.lenient;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.springframework.security.web.csrf.CsrfTokenAssert.assertThatCsrfToken;
/**
* @author Rob Winch
@@ -126,8 +126,8 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
verifyNoMoreInteractions(this.filterChain);
}
@@ -138,8 +138,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
verifyNoMoreInteractions(this.filterChain);
}
@@ -150,8 +150,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
verifyNoMoreInteractions(this.filterChain);
}
@@ -164,8 +164,8 @@ public class CsrfFilterTests {
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
verifyNoMoreInteractions(this.filterChain);
}
@@ -175,8 +175,8 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(false);
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler);
}
@@ -186,8 +186,8 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(false);
given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
this.filter.doFilter(this.request, this.response, this.filterChain);
assertToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler);
}
@@ -198,8 +198,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler);
}
@@ -212,8 +212,8 @@ public class CsrfFilterTests {
this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler);
}
@@ -224,8 +224,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
verify(this.filterChain).doFilter(this.request, this.response);
verifyNoMoreInteractions(this.deniedHandler);
verify(this.tokenRepository, never()).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
@@ -238,8 +238,8 @@ public class CsrfFilterTests {
given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain);
assertToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
// LazyCsrfTokenRepository requires the response as an attribute
assertThat(this.request.getAttribute(HttpServletResponse.class.getName())).isEqualTo(this.response);
verify(this.filterChain).doFilter(this.request, this.response);
@@ -304,8 +304,8 @@ public class CsrfFilterTests {
given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
this.filter.doFilter(this.request, this.response, this.filterChain);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
verifyNoMoreInteractions(this.filterChain);
}
@@ -336,14 +336,14 @@ public class CsrfFilterTests {
}
@Test
public void doFilterWhenRequestAttributeHandlerThenUsed() throws Exception {
given(this.requestMatcher.matches(this.request)).willReturn(true);
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
CsrfTokenRequestAttributeHandler requestAttributeHandler = mock(CsrfTokenRequestAttributeHandler.class);
this.filter.setRequestAttributeHandler(requestAttributeHandler);
public void doFilterWhenRequestHandlerThenUsed() throws Exception {
CsrfTokenRequestHandler requestHandler = mock(CsrfTokenRequestHandler.class);
given(requestHandler.handle(this.request, this.response))
.willReturn(new TestDeferredCsrfToken(this.token, false));
this.filter.setRequestHandler(requestHandler);
this.request.setParameter(this.token.getParameterName(), this.token.getToken());
this.filter.doFilter(this.request, this.response, this.filterChain);
verify(requestAttributeHandler).handle(eq(this.request), eq(this.response), any());
verify(requestHandler).handle(eq(this.request), eq(this.response));
verify(this.filterChain).doFilter(this.request, this.response);
}
@@ -376,39 +376,40 @@ public class CsrfFilterTests {
CsrfFilter filter = createCsrfFilter(this.tokenRepository);
String csrfAttrName = "_csrf";
CsrfTokenRequestProcessor csrfTokenRequestProcessor = new CsrfTokenRequestProcessor();
csrfTokenRequestProcessor.setTokenRepository(this.tokenRepository);
csrfTokenRequestProcessor.setCsrfRequestAttributeName(csrfAttrName);
filter.setRequestAttributeHandler(csrfTokenRequestProcessor);
CsrfToken expectedCsrfToken = mock(CsrfToken.class);
filter.setRequestHandler(csrfTokenRequestProcessor);
CsrfToken expectedCsrfToken = spy(this.token);
given(this.tokenRepository.loadToken(this.request)).willReturn(expectedCsrfToken);
filter.doFilter(this.request, this.response, this.filterChain);
verifyNoInteractions(expectedCsrfToken);
CsrfToken tokenFromRequest = (CsrfToken) this.request.getAttribute(csrfAttrName);
assertThat(tokenFromRequest).isEqualTo(expectedCsrfToken);
assertThatCsrfToken(tokenFromRequest).isEqualTo(expectedCsrfToken);
}
private static CsrfTokenAssert assertToken(Object token) {
return new CsrfTokenAssert((CsrfToken) token);
}
private static final class TestDeferredCsrfToken implements DeferredCsrfToken {
private static class CsrfTokenAssert extends AbstractObjectAssert<CsrfTokenAssert, CsrfToken> {
private final CsrfToken csrfToken;
/**
* Creates a new {@link ObjectAssert}.
* @param actual the target to verify.
*/
protected CsrfTokenAssert(CsrfToken actual) {
super(actual, CsrfTokenAssert.class);
private final boolean isGenerated;
private TestDeferredCsrfToken(CsrfToken csrfToken, boolean isGenerated) {
this.csrfToken = csrfToken;
this.isGenerated = isGenerated;
}
CsrfTokenAssert isEqualTo(CsrfToken expected) {
assertThat(this.actual.getHeaderName()).isEqualTo(expected.getHeaderName());
assertThat(this.actual.getParameterName()).isEqualTo(expected.getParameterName());
assertThat(this.actual.getToken()).isEqualTo(expected.getToken());
return this;
@Override
public CsrfToken get() {
return this.csrfToken;
}
}
@Override
public boolean isGenerated() {
return this.isGenerated;
}
};
}

View File

@@ -0,0 +1,48 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.csrf;
import org.assertj.core.api.AbstractAssert;
import org.assertj.core.api.Assertions;
/**
* Assertion for validating the properties on CsrfToken are the same.
*/
public class CsrfTokenAssert extends AbstractAssert<CsrfTokenAssert, CsrfToken> {
protected CsrfTokenAssert(CsrfToken csrfToken) {
super(csrfToken, CsrfTokenAssert.class);
}
public static CsrfTokenAssert assertThatCsrfToken(Object csrfToken) {
return new CsrfTokenAssert((CsrfToken) csrfToken);
}
public static CsrfTokenAssert assertThat(CsrfToken csrfToken) {
return new CsrfTokenAssert(csrfToken);
}
public CsrfTokenAssert isEqualTo(CsrfToken csrfToken) {
isNotNull();
assertThat(csrfToken).isNotNull();
Assertions.assertThat(this.actual.getHeaderName()).isEqualTo(csrfToken.getHeaderName());
Assertions.assertThat(this.actual.getParameterName()).isEqualTo(csrfToken.getParameterName());
Assertions.assertThat(this.actual.getToken()).isEqualTo(csrfToken.getToken());
return this;
}
}

View File

@@ -18,12 +18,17 @@ package org.springframework.security.web.csrf;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.BDDMockito.given;
import static org.springframework.security.web.csrf.CsrfTokenAssert.assertThatCsrfToken;
/**
* Tests for {@link CsrfTokenRequestProcessor}.
@@ -31,8 +36,12 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
* @author Steve Riesenberg
* @since 5.8
*/
@ExtendWith(MockitoExtension.class)
public class CsrfTokenRequestProcessorTests {
@Mock
CsrfTokenRepository tokenRepository;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
@@ -47,48 +56,36 @@ public class CsrfTokenRequestProcessorTests {
this.response = new MockHttpServletResponse();
this.token = new DefaultCsrfToken("headerName", "paramName", "csrfTokenValue");
this.processor = new CsrfTokenRequestProcessor();
this.processor.setTokenRepository(this.tokenRepository);
}
@Test
public void handleWhenRequestIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> this.processor.handle(null, this.response, () -> this.token))
assertThatIllegalArgumentException().isThrownBy(() -> this.processor.handle(null, this.response))
.withMessage("request cannot be null");
}
@Test
public void handleWhenResponseIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> this.processor.handle(this.request, null, () -> this.token))
assertThatIllegalArgumentException().isThrownBy(() -> this.processor.handle(this.request, null))
.withMessage("response cannot be null");
}
@Test
public void handleWhenCsrfTokenSupplierIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> this.processor.handle(this.request, this.response, null))
.withMessage("csrfToken supplier cannot be null");
}
@Test
public void handleWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
assertThatIllegalArgumentException()
.isThrownBy(() -> this.processor.handle(this.request, this.response, () -> null))
.withMessage("csrfToken cannot be null");
}
@Test
public void handleWhenCsrfRequestAttributeSetThenUsed() {
given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
this.processor.setCsrfRequestAttributeName("_csrf");
this.processor.handle(this.request, this.response, () -> this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThat(this.request.getAttribute("_csrf")).isEqualTo(this.token);
this.processor.handle(this.request, this.response);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute("_csrf")).isEqualTo(this.token);
}
@Test
public void handleWhenValidParametersThenRequestAttributesSet() {
this.processor.handle(this.request, this.response, () -> this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
this.processor.handle(this.request, this.response);
assertThatCsrfToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
assertThatCsrfToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
}
@Test