SEC-1574: Add CSRF Support

This commit is contained in:
Rob Winch
2013-08-15 14:49:21 -05:00
parent 5f35d9e3ec
commit e9bb9e766e
93 changed files with 2895 additions and 348 deletions

View File

@@ -0,0 +1,64 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.csrf;
import static org.mockito.Mockito.verify;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
/**
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class CsrfAuthenticationStrategyTests {
@Mock
private CsrfTokenRepository csrfTokenRepository;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private CsrfAuthenticationStrategy strategy;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
strategy = new CsrfAuthenticationStrategy(csrfTokenRepository);
}
@Test(expected = IllegalArgumentException.class)
public void constructorNullCsrfTokenRepository() {
new CsrfAuthenticationStrategy(null);
}
@Test
public void logoutRemovesCsrfToken() {
strategy.onAuthentication(new TestingAuthenticationToken("user", "password", "ROLE_USER"),request, response);
verify(csrfTokenRepository).saveToken(null, request, response);
}
}

View File

@@ -0,0 +1,303 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.csrf;
import static org.fest.assertions.Assertions.assertThat;
import static org.mockito.Matchers.any;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.util.RequestMatcher;
/**
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class CsrfFilterTests {
@Mock
private RequestMatcher requestMatcher;
@Mock
private CsrfTokenRepository tokenRepository;
@Mock
private FilterChain filterChain;
@Mock
private AccessDeniedHandler deniedHandler;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private CsrfToken token;
private CsrfFilter filter;
@Before
public void setup() {
token = new CsrfToken("headerName","paramName", "csrfTokenValue");
resetRequestResponse();
filter = new CsrfFilter(tokenRepository);
filter.setRequireCsrfProtectionMatcher(requestMatcher);
filter.setAccessDeniedHandler(deniedHandler);
}
private void resetRequestResponse() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
}
@Test(expected = IllegalArgumentException.class)
public void constructorNullRepository() {
new CsrfFilter(null);
}
@Test
public void doFilterAccessDeniedNoTokenPresent() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.loadToken(request)).thenReturn(token);
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
verifyZeroInteractions(filterChain);
}
@Test
public void doFilterAccessDeniedIncorrectTokenPresent() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.loadToken(request)).thenReturn(token);
request.setParameter(token.getParameterName(), token.getToken()+ " INVALID");
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
verifyZeroInteractions(filterChain);
}
@Test
public void doFilterAccessDeniedIncorrectTokenPresentHeader() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.loadToken(request)).thenReturn(token);
request.addHeader(token.getHeaderName(), token.getToken()+ " INVALID");
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
verifyZeroInteractions(filterChain);
}
@Test
public void doFilterAccessDeniedIncorrectTokenPresentHeaderPreferredOverParameter() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.loadToken(request)).thenReturn(token);
request.setParameter(token.getParameterName(), token.getToken());
request.addHeader(token.getHeaderName(), token.getToken()+ " INVALID");
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
verifyZeroInteractions(filterChain);
}
@Test
public void doFilterNotCsrfRequestExistingToken() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(false);
when(tokenRepository.loadToken(request)).thenReturn(token);
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(filterChain).doFilter(request, response);
verifyZeroInteractions(deniedHandler);
}
@Test
public void doFilterNotCsrfRequestGenerateToken() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(false);
when(tokenRepository.generateAndSaveToken(request, response)).thenReturn(token);
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(filterChain).doFilter(request, response);
verifyZeroInteractions(deniedHandler);
}
@Test
public void doFilterIsCsrfRequestExistingTokenHeader() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.loadToken(request)).thenReturn(token);
request.addHeader(token.getHeaderName(), token.getToken());
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(filterChain).doFilter(request, response);
verifyZeroInteractions(deniedHandler);
}
@Test
public void doFilterIsCsrfRequestExistingTokenHeaderPreferredOverInvalidParam() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.loadToken(request)).thenReturn(token);
request.setParameter(token.getParameterName(), token.getToken()+ " INVALID");
request.addHeader(token.getHeaderName(), token.getToken());
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(filterChain).doFilter(request, response);
verifyZeroInteractions(deniedHandler);
}
@Test
public void doFilterIsCsrfRequestExistingToken() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.loadToken(request)).thenReturn(token);
request.setParameter(token.getParameterName(), token.getToken());
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(filterChain).doFilter(request, response);
verifyZeroInteractions(deniedHandler);
}
@Test
public void doFilterIsCsrfRequestGenerateToken() throws ServletException, IOException {
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.generateAndSaveToken(request, response)).thenReturn(token);
request.setParameter(token.getParameterName(), token.getToken());
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
verify(filterChain).doFilter(request, response);
verifyZeroInteractions(deniedHandler);
}
@Test
public void doFilterDefaultRequireCsrfProtectionMatcherAllowedMethods() throws ServletException, IOException {
filter = new CsrfFilter(tokenRepository);
filter.setAccessDeniedHandler(deniedHandler);
for(String method : Arrays.asList("GET","TRACE", "OPTIONS", "HEAD")) {
resetRequestResponse();
when(tokenRepository.loadToken(request)).thenReturn(token);
request.setMethod(method);
filter.doFilter(request, response, filterChain);
verify(filterChain).doFilter(request, response);
verifyZeroInteractions(deniedHandler);
}
}
@Test
public void doFilterDefaultRequireCsrfProtectionMatcherDeniedMethods() throws ServletException, IOException {
filter = new CsrfFilter(tokenRepository);
filter.setAccessDeniedHandler(deniedHandler);
for(String method : Arrays.asList("POST","PUT", "PATCH", "DELETE", "INVALID")) {
resetRequestResponse();
when(tokenRepository.loadToken(request)).thenReturn(token);
request.setMethod(method);
filter.doFilter(request, response, filterChain);
verify(deniedHandler).handle(eq(request), eq(response), any(InvalidCsrfTokenException.class));
verifyZeroInteractions(filterChain);
}
}
@Test
public void doFilterDefaultAccessDenied() throws ServletException, IOException {
filter = new CsrfFilter(tokenRepository);
filter.setRequireCsrfProtectionMatcher(requestMatcher);
when(requestMatcher.matches(request)).thenReturn(true);
when(tokenRepository.loadToken(request)).thenReturn(token);
filter.doFilter(request, response, filterChain);
assertThat(response.getHeader(token.getHeaderName())).isEqualTo(token.getToken());
assertThat(request.getAttribute(token.getParameterName())).isEqualTo(token);
assertThat(request.getAttribute(CsrfToken.class.getName())).isEqualTo(token);
assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
verifyZeroInteractions(filterChain);
}
@Test(expected = IllegalArgumentException.class)
public void setRequireCsrfProtectionMatcherNull() {
filter.setRequireCsrfProtectionMatcher(null);
}
@Test(expected = IllegalArgumentException.class)
public void setAccessDeniedHandlerNull() {
filter.setAccessDeniedHandler(null);
}
}

View File

@@ -0,0 +1,63 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.csrf;
import static org.mockito.Mockito.verify;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
/**
* @author Rob Winch
* @since 3.2
*/
@RunWith(MockitoJUnitRunner.class)
public class CsrfLogoutHandlerTests {
@Mock
private CsrfTokenRepository csrfTokenRepository;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private CsrfLogoutHandler handler;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
handler = new CsrfLogoutHandler(csrfTokenRepository);
}
@Test(expected = IllegalArgumentException.class)
public void constructorNullCsrfTokenRepository() {
new CsrfLogoutHandler(null);
}
@Test
public void logoutRemovesCsrfToken() {
handler.logout(request, response, new TestingAuthenticationToken("user", "password", "ROLE_USER"));
verify(csrfTokenRepository).saveToken(null, request, response);
}
}

View File

@@ -0,0 +1,58 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.csrf;
import org.junit.Test;
/**
* @author Rob Winch
*
*/
public class CsrfTokenTests {
private final String headerName = "headerName";
private final String parameterName = "parameterName";
private final String tokenValue = "tokenValue";
@Test(expected = IllegalArgumentException.class)
public void constructorNullHeaderName() {
new CsrfToken(null,parameterName, tokenValue);
}
@Test(expected = IllegalArgumentException.class)
public void constructorEmptyHeaderName() {
new CsrfToken("",parameterName, tokenValue);
}
@Test(expected = IllegalArgumentException.class)
public void constructorNullParameterName() {
new CsrfToken(headerName,null, tokenValue);
}
@Test(expected = IllegalArgumentException.class)
public void constructorEmptyParameterName() {
new CsrfToken(headerName,"", tokenValue);
}
@Test(expected = IllegalArgumentException.class)
public void constructorNullTokenValue() {
new CsrfToken(headerName,parameterName, null);
}
@Test(expected = IllegalArgumentException.class)
public void constructorEmptyTokenValue() {
new CsrfToken(headerName,parameterName, "");
}
}

View File

@@ -0,0 +1,127 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.csrf;
import static org.fest.assertions.Assertions.assertThat;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
/**
* @author Rob Winch
*
*/
public class HttpSessionCsrfTokenRepositoryTests {
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private CsrfToken token;
private HttpSessionCsrfTokenRepository repo;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
repo = new HttpSessionCsrfTokenRepository();
}
@Test
public void generateAndSaveToken() {
token = repo.generateAndSaveToken(request, response);
assertThat(token.getParameterName()).isEqualTo("_csrf");
assertThat(token.getToken()).isNotEmpty();
CsrfToken loadedToken = repo.loadToken(request);
assertThat(loadedToken).isEqualTo(token);
}
@Test
public void generateAndSaveTokenCustomParameter() {
String paramName = "_csrf";
repo.setParameterName(paramName);
token = repo.generateAndSaveToken(request, response);
assertThat(token.getParameterName()).isEqualTo(paramName);
assertThat(token.getToken()).isNotEmpty();
}
@Test
public void loadTokenNull() {
assertThat(repo.loadToken(request)).isNull();
}
@Test
public void saveToken() {
CsrfToken tokenToSave = new CsrfToken("123", "abc", "def");
repo.saveToken(tokenToSave, request, response);
String attrName = request.getSession().getAttributeNames()
.nextElement();
CsrfToken loadedToken = (CsrfToken) request.getSession().getAttribute(
attrName);
assertThat(loadedToken).isEqualTo(tokenToSave);
}
@Test
public void saveTokenCustomSessionAttribute() {
CsrfToken tokenToSave = new CsrfToken("123", "abc", "def");
String sessionAttributeName = "custom";
repo.setSessionAttributeName(sessionAttributeName);
repo.saveToken(tokenToSave, request, response);
CsrfToken loadedToken = (CsrfToken) request.getSession().getAttribute(
sessionAttributeName);
assertThat(loadedToken).isEqualTo(tokenToSave);
}
@Test
public void saveTokenNullToken() {
saveToken();
repo.saveToken(null, request, response);
assertThat(request.getSession().getAttributeNames().hasMoreElements())
.isFalse();
}
@Test(expected = IllegalArgumentException.class)
public void setSessionAttributeNameEmpty() {
repo.setSessionAttributeName("");
}
@Test(expected = IllegalArgumentException.class)
public void setSessionAttributeNameNull() {
repo.setSessionAttributeName(null);
}
@Test(expected = IllegalArgumentException.class)
public void setParameterNameEmpty() {
repo.setParameterName("");
}
@Test(expected = IllegalArgumentException.class)
public void setParameterNameNull() {
repo.setParameterName(null);
}
}

View File

@@ -0,0 +1,79 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.servlet.support.csrf;
import static org.fest.assertions.Assertions.assertThat;
import java.util.HashMap;
import java.util.Map;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
/**
* @author Rob Winch
*
*/
public class CsrfRequestDataValueProcessorTests {
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private CsrfRequestDataValueProcessor processor;
@Before
public void setup() {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
processor = new CsrfRequestDataValueProcessor();
}
@Test
public void getExtraHiddenFieldsNoCsrfToken() {
assertThat(processor.getExtraHiddenFields(request)).isEmpty();
}
@Test
public void getExtraHiddenFieldsHasCsrfToken() {
CsrfToken token = new CsrfToken("1", "a", "b");
request.setAttribute(CsrfToken.class.getName(), token);
Map<String,String> expected = new HashMap<String,String>();
expected.put(token.getParameterName(),token.getToken());
assertThat(processor.getExtraHiddenFields(request)).isEqualTo(expected);
}
@Test
public void processAction() {
String action = "action";
assertThat(processor.processAction(request, action)).isEqualTo(action);
}
@Test
public void processFormFieldValue() {
String value = "action";
assertThat(processor.processFormFieldValue(request, "name", value, "hidden")).isEqualTo(value);
}
@Test
public void processUrl() {
String url = "url";
assertThat(processor.processUrl(request, url)).isEqualTo(url);
}
}