Add reactive support for BREACH

Closes gh-11959
This commit is contained in:
Steve Riesenberg
2022-09-01 16:10:55 -05:00
parent f4ca90e719
commit f462134e87
5 changed files with 414 additions and 5 deletions

View File

@@ -33,6 +33,8 @@ import reactor.core.publisher.Mono;
import reactor.test.publisher.TestPublisher;
import org.springframework.http.HttpStatus;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.web.reactive.ServerHttpSecurityConfigurationBuilder;
@@ -69,6 +71,7 @@ import org.springframework.security.web.server.csrf.CsrfWebFilter;
import org.springframework.security.web.server.csrf.DefaultCsrfToken;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler;
import org.springframework.security.web.server.csrf.XorServerCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
import org.springframework.test.util.ReflectionTestUtils;
@@ -526,6 +529,38 @@ public class ServerHttpSecurityTests {
verify(requestHandler).resolveCsrfTokenValue(any(ServerWebExchange.class), any());
}
@Test
public void postWhenServerXorCsrfTokenRequestAttributeHandlerThenOk() {
CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
given(this.csrfTokenRepository.loadToken(any(ServerWebExchange.class))).willReturn(Mono.just(csrfToken));
given(this.csrfTokenRepository.generateToken(any(ServerWebExchange.class))).willReturn(Mono.empty());
ServerCsrfTokenRequestHandler requestHandler = new XorServerCsrfTokenRequestAttributeHandler();
// @formatter:off
this.http.csrf((csrf) -> csrf
.csrfTokenRepository(this.csrfTokenRepository)
.csrfTokenRequestHandler(requestHandler)
);
// @formatter:on
// Generate masked CSRF token value
ServerWebExchange exchange = MockServerWebExchange.from(MockServerHttpRequest.get("/").build());
requestHandler.handle(exchange, Mono.just(csrfToken));
Mono<CsrfToken> csrfTokenAttribute = exchange.getAttribute(CsrfToken.class.getName());
String actualTokenValue = csrfTokenAttribute.map(CsrfToken::getToken).block();
assertThat(actualTokenValue).isNotEqualTo(csrfToken.getToken());
WebTestClient client = buildClient();
// @formatter:off
client.post()
.uri("/")
.header(csrfToken.getHeaderName(), actualTokenValue)
.exchange()
.expectStatus().isOk();
// @formatter:on
verify(this.csrfTokenRepository, times(2)).loadToken(any(ServerWebExchange.class));
verify(this.csrfTokenRepository).generateToken(any(ServerWebExchange.class));
}
@Test
public void shouldConfigureRequestCacheForOAuth2LoginAuthenticationEntryPointAndSuccessHandler() {
ServerRequestCache requestCache = spy(new WebSessionServerRequestCache());