Make Csrf cookie secure flag configurable (WebFlux)

Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository.

Closes gh-9678
This commit is contained in:
Thomas Vitale
2021-04-26 18:13:20 +02:00
committed by Eleftheria Stein-Kousathana
parent 006b9b9607
commit e2993d93e1
2 changed files with 113 additions and 17 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2018 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -16,12 +16,15 @@
package org.springframework.security.web.server.csrf;
import java.security.cert.X509Certificate;
import java.time.Duration;
import org.junit.Before;
import org.junit.Test;
import org.springframework.http.HttpCookie;
import org.springframework.http.ResponseCookie;
import org.springframework.http.server.reactive.SslInfo;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.util.StringUtils;
@@ -30,13 +33,14 @@ import static org.assertj.core.api.Assertions.assertThat;
/**
* @author Eric Deandrea
* @author Thomas Vitale
* @since 5.1
*/
public class CookieServerCsrfTokenRepositoryTests {
private MockServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/someUri"));
private CookieServerCsrfTokenRepository csrfTokenRepository;
private CookieServerCsrfTokenRepository csrfTokenRepository = new CookieServerCsrfTokenRepository();
private MockServerHttpRequest.BaseBuilder<?> request;
private String expectedHeaderName = CookieServerCsrfTokenRepository.DEFAULT_CSRF_HEADER_NAME;
@@ -56,6 +60,12 @@ public class CookieServerCsrfTokenRepositoryTests {
private String expectedCookieValue = "csrfToken";
@Before
public void setUp() {
this.csrfTokenRepository = new CookieServerCsrfTokenRepository();
this.request = MockServerHttpRequest.get("/someUri");
}
@Test
public void generateTokenWhenDefaultThenDefaults() {
generateTokenAndAssertExpectedValues();
@@ -82,8 +92,9 @@ public class CookieServerCsrfTokenRepositoryTests {
@Test
public void saveTokenWhenNoSubscriptionThenNotWritten() {
this.csrfTokenRepository.saveToken(this.exchange, createToken());
assertThat(this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.saveToken(exchange, createToken());
assertThat(exchange.getResponse().getCookies().getFirst(this.expectedCookieName)).isNull();
}
@Test
@@ -112,6 +123,56 @@ public class CookieServerCsrfTokenRepositoryTests {
saveAndAssertExpectedValues(createToken());
}
@Test
public void saveTokenWhenSslInfoPresentThenSecure() {
this.request.sslInfo(new MockSslInfo());
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isTrue();
}
@Test
public void saveTokenWhenSslInfoNullThenNotSecure() {
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isFalse();
}
@Test
public void saveTokenWhenSecureFlagTrueThenSecure() {
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.setSecure(true);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isTrue();
}
@Test
public void saveTokenWhenSecureFlagFalseThenNotSecure() {
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.setSecure(false);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isFalse();
}
@Test
public void saveTokenWhenSecureFlagFalseAndSslInfoThenNotSecure() {
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.request.sslInfo(new MockSslInfo());
this.csrfTokenRepository.setSecure(false);
this.csrfTokenRepository.saveToken(exchange, createToken()).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.isSecure()).isFalse();
}
@Test
public void loadTokenWhenCookieExistThenTokenFound() {
loadAndAssertExpectedValues();
@@ -127,7 +188,8 @@ public class CookieServerCsrfTokenRepositoryTests {
@Test
public void loadTokenWhenNoCookiesThenNullToken() {
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
assertThat(csrfToken).isNull();
}
@@ -180,8 +242,8 @@ public class CookieServerCsrfTokenRepositoryTests {
private void loadAndAssertExpectedValues() {
MockServerHttpRequest.BodyBuilder request = MockServerHttpRequest.post("/someUri")
.cookie(new HttpCookie(this.expectedCookieName, this.expectedCookieValue));
this.exchange = MockServerWebExchange.from(request);
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(this.exchange).block();
MockServerWebExchange exchange = MockServerWebExchange.from(request);
CsrfToken csrfToken = this.csrfTokenRepository.loadToken(exchange).block();
if (StringUtils.hasText(this.expectedCookieValue)) {
assertThat(csrfToken).isNotNull();
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
@@ -198,8 +260,9 @@ public class CookieServerCsrfTokenRepositoryTests {
this.expectedMaxAge = Duration.ofSeconds(0);
this.expectedCookieValue = "";
}
this.csrfTokenRepository.saveToken(this.exchange, token).block();
ResponseCookie cookie = this.exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
this.csrfTokenRepository.saveToken(exchange, token).block();
ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(this.expectedCookieName);
assertThat(cookie).isNotNull();
assertThat(cookie.getMaxAge()).isEqualTo(this.expectedMaxAge);
assertThat(cookie.getDomain()).isEqualTo(this.expectedDomain);
@@ -211,7 +274,8 @@ public class CookieServerCsrfTokenRepositoryTests {
}
private void generateTokenAndAssertExpectedValues() {
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(this.exchange).block();
MockServerWebExchange exchange = MockServerWebExchange.from(this.request);
CsrfToken csrfToken = this.csrfTokenRepository.generateToken(exchange).block();
assertThat(csrfToken).isNotNull();
assertThat(csrfToken.getHeaderName()).isEqualTo(this.expectedHeaderName);
assertThat(csrfToken.getParameterName()).isEqualTo(this.expectedParameterName);
@@ -226,4 +290,18 @@ public class CookieServerCsrfTokenRepositoryTests {
return new DefaultCsrfToken(headerName, parameterName, tokenValue);
}
static class MockSslInfo implements SslInfo {
@Override
public String getSessionId() {
return "sessionId";
}
@Override
public X509Certificate[] getPeerCertificates() {
return new X509Certificate[] {};
}
}
}