Add reactive interfaces for CSRF request handling

Issue gh-11959
This commit is contained in:
Steve Riesenberg
2022-09-01 15:11:04 -05:00
parent f3321c256c
commit f4ca90e719
10 changed files with 477 additions and 29 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -34,13 +34,17 @@ import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import org.springframework.web.server.WebSession;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
/**
@@ -65,6 +69,15 @@ public class CsrfWebFilterTests {
private MockServerWebExchange post = MockServerWebExchange.from(MockServerHttpRequest.post("/"));
@Test
public void setRequestHandlerWhenNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.csrfFilter.setRequestHandler(null))
.withMessage("requestHandler cannot be null");
// @formatter:on
}
@Test
public void filterWhenGetThenSessionNotCreatedAndChainContinues() {
PublisherProbe<Void> chainResult = PublisherProbe.empty();
@@ -145,6 +158,28 @@ public class CsrfWebFilterTests {
chainResult.assertWasSubscribed();
}
@Test
public void filterWhenRequestHandlerSetThenUsed() {
ServerCsrfTokenRequestHandler requestHandler = mock(ServerCsrfTokenRequestHandler.class);
given(requestHandler.resolveCsrfTokenValue(any(ServerWebExchange.class), any(CsrfToken.class)))
.willReturn(Mono.just(this.token.getToken()));
this.csrfFilter.setRequestHandler(requestHandler);
PublisherProbe<Void> chainResult = PublisherProbe.empty();
given(this.chain.filter(any())).willReturn(chainResult.mono());
this.csrfFilter.setCsrfTokenRepository(this.repository);
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
given(this.repository.generateToken(any())).willReturn(Mono.just(this.token));
this.post = MockServerWebExchange
.from(MockServerHttpRequest.post("/").header(this.token.getHeaderName(), this.token.getToken()));
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
StepVerifier.create(result).verifyComplete();
chainResult.assertWasSubscribed();
verify(requestHandler).handle(eq(this.post), any());
verify(requestHandler).resolveCsrfTokenValue(this.post, this.token);
}
@Test
// gh-8452
public void matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed() {

View File

@@ -0,0 +1,132 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.csrf;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
/**
* Tests for {@link ServerCsrfTokenRequestAttributeHandler}.
*
* @author Steve Riesenberg
* @since 5.8
*/
public class ServerCsrfTokenRequestAttributeHandlerTests {
private ServerCsrfTokenRequestAttributeHandler handler;
private MockServerWebExchange exchange;
private CsrfToken token;
@BeforeEach
public void setUp() {
this.handler = new ServerCsrfTokenRequestAttributeHandler();
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.get("/")).build();
this.token = new DefaultCsrfToken("headerName", "paramName", "csrfTokenValue");
}
@Test
public void handleWhenExchangeIsNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.handler.handle(null, Mono.just(this.token)))
.withMessage("exchange cannot be null");
// @formatter:on
}
@Test
public void handleWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.handler.handle(this.exchange, null))
.withMessage("csrfToken cannot be null");
// @formatter:on
}
@Test
public void handleWhenValidParametersThenExchangeAttributeSet() {
Mono<CsrfToken> csrfToken = Mono.just(this.token);
this.handler.handle(this.exchange, csrfToken);
Mono<CsrfToken> csrfTokenAttribute = this.exchange.getAttribute(CsrfToken.class.getName());
assertThat(csrfTokenAttribute).isNotNull();
assertThat(csrfTokenAttribute).isEqualTo(csrfToken);
}
@Test
public void resolveCsrfTokenValueWhenExchangeIsNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.handler.resolveCsrfTokenValue(null, this.token))
.withMessage("exchange cannot be null");
// @formatter:on
}
@Test
public void resolveCsrfTokenValueWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
// @formatter:off
assertThatIllegalArgumentException()
.isThrownBy(() -> this.handler.resolveCsrfTokenValue(this.exchange, null))
.withMessage("csrfToken cannot be null");
// @formatter:on
}
@Test
public void resolveCsrfTokenValueWhenTokenNotSetThenReturnsEmptyMono() {
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
StepVerifier.create(csrfToken).verifyComplete();
}
@Test
public void resolveCsrfTokenValueWhenFormDataSetThenReturnsTokenValue() {
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
.body(this.token.getParameterName() + "=" + this.token.getToken())).build();
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
}
@Test
public void resolveCsrfTokenValueWhenHeaderSetThenReturnsTokenValue() {
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
.header(this.token.getHeaderName(), this.token.getToken())).build();
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
}
@Test
public void resolveCsrfTokenValueWhenHeaderAndFormDataSetThenFormDataIsPreferred() {
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
.header(this.token.getHeaderName(), "header")
.body(this.token.getParameterName() + "=" + this.token.getToken())).build();
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
}
}