Add MethodExpressionAuthorizationManager

Closes gh-11493
This commit is contained in:
Josh Cummings 2022-07-12 14:29:54 -06:00
parent 51475e2583
commit 281814a955
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
3 changed files with 217 additions and 1 deletions

View File

@ -0,0 +1,46 @@
/*
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authorization;
import org.springframework.expression.Expression;
/**
* Represents an {@link AuthorizationDecision} based on a {@link Expression}
*
* @author Marcus Da Coregio
* @since 5.6
*/
public class ExpressionAuthorizationDecision extends AuthorizationDecision {
private final Expression expression;
public ExpressionAuthorizationDecision(boolean granted, Expression expressionAttribute) {
super(granted);
this.expression = expressionAttribute;
}
public Expression getExpression() {
return this.expression;
}
@Override
public String toString() {
return getClass().getSimpleName() + " [" + "granted=" + isGranted() + ", expressionAttribute=" + this.expression
+ ']';
}
}

View File

@ -16,6 +16,72 @@
package org.springframework.security.authorization.method;
public class MethodExpressionAuthorizationManager {
import java.util.function.Supplier;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.expression.SecurityExpressionHandler;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.authorization.ExpressionAuthorizationDecision;
import org.springframework.security.core.Authentication;
import org.springframework.util.Assert;
/**
* An expression-based {@link AuthorizationManager} that determines the access by
* evaluating the provided expression against the {@link MethodInvocation}.
*
* @author Josh Cummings
* @since 5.8
*/
public final class MethodExpressionAuthorizationManager implements AuthorizationManager<MethodInvocation> {
private SecurityExpressionHandler<MethodInvocation> expressionHandler = new DefaultMethodSecurityExpressionHandler();
private Expression expression;
/**
* Creates an instance.
* @param expressionString the raw expression string to parse
*/
public MethodExpressionAuthorizationManager(String expressionString) {
Assert.hasText(expressionString, "expressionString cannot be empty");
this.expression = this.expressionHandler.getExpressionParser().parseExpression(expressionString);
}
/**
* Sets the {@link SecurityExpressionHandler} to be used. The default is
* {@link DefaultMethodSecurityExpressionHandler}.
* @param expressionHandler the {@link SecurityExpressionHandler} to use
*/
public void setExpressionHandler(SecurityExpressionHandler<MethodInvocation> expressionHandler) {
Assert.notNull(expressionHandler, "expressionHandler cannot be null");
this.expressionHandler = expressionHandler;
this.expression = expressionHandler.getExpressionParser()
.parseExpression(this.expression.getExpressionString());
}
/**
* Determines the access by evaluating the provided expression.
* @param authentication the {@link Supplier} of the {@link Authentication} to check
* @param context the {@link MethodInvocation} to check
* @return an {@link ExpressionAuthorizationDecision} based on the evaluated
* expression
*/
@Override
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation context) {
EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context);
boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx);
return new ExpressionAuthorizationDecision(granted, this.expression);
}
@Override
public String toString() {
return "WebExpressionAuthorizationManager[expression='" + this.expression + "']";
}
}

View File

@ -0,0 +1,104 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.authorization.method;
import org.junit.jupiter.api.Test;
import org.junit.platform.commons.util.ReflectionUtils;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.security.access.annotation.BusinessService;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.util.SimpleMethodInvocation;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
class MethodExpressionAuthorizationManagerTests {
@Test
void instantiateWhenExpressionStringNullThenIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new MethodExpressionAuthorizationManager(null))
.withMessage("expressionString cannot be empty");
}
@Test
void instantiateWhenExpressionStringEmptyThenIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new MethodExpressionAuthorizationManager(""))
.withMessage("expressionString cannot be empty");
}
@Test
void instantiateWhenExpressionStringBlankThenIllegalArgumentException() {
assertThatIllegalArgumentException().isThrownBy(() -> new MethodExpressionAuthorizationManager(" "))
.withMessage("expressionString cannot be empty");
}
@Test
void instantiateWhenExpressionHandlerNotSetThenDefaultUsed() {
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
assertThat(manager).extracting("expressionHandler").isInstanceOf(DefaultMethodSecurityExpressionHandler.class);
}
@Test
void setExpressionHandlerWhenNullThenIllegalArgumentException() {
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
assertThatIllegalArgumentException().isThrownBy(() -> manager.setExpressionHandler(null))
.withMessage("expressionHandler cannot be null");
}
@Test
void setExpressionHandlerWhenNotNullThenVerifyExpressionHandler() {
String expressionString = "hasRole('ADMIN')";
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager(expressionString);
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
ExpressionParser mockExpressionParser = mock(ExpressionParser.class);
Expression mockExpression = mock(Expression.class);
given(mockExpressionParser.parseExpression(expressionString)).willReturn(mockExpression);
expressionHandler.setExpressionParser(mockExpressionParser);
manager.setExpressionHandler(expressionHandler);
assertThat(manager).extracting("expressionHandler").isEqualTo(expressionHandler);
assertThat(manager).extracting("expression").isEqualTo(mockExpression);
verify(mockExpressionParser).parseExpression(expressionString);
}
@Test
void checkWhenExpressionHasRoleAdminConfiguredAndRoleAdminThenGrantedDecision() {
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin,
new SimpleMethodInvocation(new Object(),
ReflectionUtils.getRequiredMethod(BusinessService.class, "someAdminMethod")));
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isTrue();
}
@Test
void checkWhenExpressionHasRoleAdminConfiguredAndRoleUserThenDeniedDecision() {
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser,
new SimpleMethodInvocation(new Object(),
ReflectionUtils.getRequiredMethod(BusinessService.class, "someAdminMethod")));
assertThat(decision).isNotNull();
assertThat(decision.isGranted()).isFalse();
}
}