parent
9b43316f4d
commit
8d0084842b
|
@ -0,0 +1,46 @@
|
|||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.authorization;
|
||||
|
||||
import org.springframework.expression.Expression;
|
||||
|
||||
/**
|
||||
* Represents an {@link AuthorizationDecision} based on a {@link Expression}
|
||||
*
|
||||
* @author Marcus Da Coregio
|
||||
* @since 5.6
|
||||
*/
|
||||
public class ExpressionAuthorizationDecision extends AuthorizationDecision {
|
||||
|
||||
private final Expression expression;
|
||||
|
||||
public ExpressionAuthorizationDecision(boolean granted, Expression expressionAttribute) {
|
||||
super(granted);
|
||||
this.expression = expressionAttribute;
|
||||
}
|
||||
|
||||
public Expression getExpression() {
|
||||
return this.expression;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return getClass().getSimpleName() + " [" + "granted=" + isGranted() + ", expressionAttribute=" + this.expression
|
||||
+ ']';
|
||||
}
|
||||
|
||||
}
|
|
@ -16,6 +16,72 @@
|
|||
|
||||
package org.springframework.security.authorization.method;
|
||||
|
||||
public class MethodExpressionAuthorizationManager {
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import org.aopalliance.intercept.MethodInvocation;
|
||||
|
||||
import org.springframework.expression.EvaluationContext;
|
||||
import org.springframework.expression.Expression;
|
||||
import org.springframework.security.access.expression.ExpressionUtils;
|
||||
import org.springframework.security.access.expression.SecurityExpressionHandler;
|
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.authorization.AuthorizationManager;
|
||||
import org.springframework.security.authorization.ExpressionAuthorizationDecision;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* An expression-based {@link AuthorizationManager} that determines the access by
|
||||
* evaluating the provided expression against the {@link MethodInvocation}.
|
||||
*
|
||||
* @author Josh Cummings
|
||||
* @since 5.8
|
||||
*/
|
||||
public final class MethodExpressionAuthorizationManager implements AuthorizationManager<MethodInvocation> {
|
||||
|
||||
private SecurityExpressionHandler<MethodInvocation> expressionHandler = new DefaultMethodSecurityExpressionHandler();
|
||||
|
||||
private Expression expression;
|
||||
|
||||
/**
|
||||
* Creates an instance.
|
||||
* @param expressionString the raw expression string to parse
|
||||
*/
|
||||
public MethodExpressionAuthorizationManager(String expressionString) {
|
||||
Assert.hasText(expressionString, "expressionString cannot be empty");
|
||||
this.expression = this.expressionHandler.getExpressionParser().parseExpression(expressionString);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the {@link SecurityExpressionHandler} to be used. The default is
|
||||
* {@link DefaultMethodSecurityExpressionHandler}.
|
||||
* @param expressionHandler the {@link SecurityExpressionHandler} to use
|
||||
*/
|
||||
public void setExpressionHandler(SecurityExpressionHandler<MethodInvocation> expressionHandler) {
|
||||
Assert.notNull(expressionHandler, "expressionHandler cannot be null");
|
||||
this.expressionHandler = expressionHandler;
|
||||
this.expression = expressionHandler.getExpressionParser()
|
||||
.parseExpression(this.expression.getExpressionString());
|
||||
}
|
||||
|
||||
/**
|
||||
* Determines the access by evaluating the provided expression.
|
||||
* @param authentication the {@link Supplier} of the {@link Authentication} to check
|
||||
* @param context the {@link MethodInvocation} to check
|
||||
* @return an {@link ExpressionAuthorizationDecision} based on the evaluated
|
||||
* expression
|
||||
*/
|
||||
@Override
|
||||
public AuthorizationDecision check(Supplier<Authentication> authentication, MethodInvocation context) {
|
||||
EvaluationContext ctx = this.expressionHandler.createEvaluationContext(authentication, context);
|
||||
boolean granted = ExpressionUtils.evaluateAsBoolean(this.expression, ctx);
|
||||
return new ExpressionAuthorizationDecision(granted, this.expression);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "WebExpressionAuthorizationManager[expression='" + this.expression + "']";
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,104 @@
|
|||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.authorization.method;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.platform.commons.util.ReflectionUtils;
|
||||
|
||||
import org.springframework.expression.Expression;
|
||||
import org.springframework.expression.ExpressionParser;
|
||||
import org.springframework.security.access.annotation.BusinessService;
|
||||
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
|
||||
import org.springframework.security.authentication.TestAuthentication;
|
||||
import org.springframework.security.authorization.AuthorizationDecision;
|
||||
import org.springframework.security.util.SimpleMethodInvocation;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
class MethodExpressionAuthorizationManagerTests {
|
||||
|
||||
@Test
|
||||
void instantiateWhenExpressionStringNullThenIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> new MethodExpressionAuthorizationManager(null))
|
||||
.withMessage("expressionString cannot be empty");
|
||||
}
|
||||
|
||||
@Test
|
||||
void instantiateWhenExpressionStringEmptyThenIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> new MethodExpressionAuthorizationManager(""))
|
||||
.withMessage("expressionString cannot be empty");
|
||||
}
|
||||
|
||||
@Test
|
||||
void instantiateWhenExpressionStringBlankThenIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> new MethodExpressionAuthorizationManager(" "))
|
||||
.withMessage("expressionString cannot be empty");
|
||||
}
|
||||
|
||||
@Test
|
||||
void instantiateWhenExpressionHandlerNotSetThenDefaultUsed() {
|
||||
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
|
||||
assertThat(manager).extracting("expressionHandler").isInstanceOf(DefaultMethodSecurityExpressionHandler.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
void setExpressionHandlerWhenNullThenIllegalArgumentException() {
|
||||
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> manager.setExpressionHandler(null))
|
||||
.withMessage("expressionHandler cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
void setExpressionHandlerWhenNotNullThenVerifyExpressionHandler() {
|
||||
String expressionString = "hasRole('ADMIN')";
|
||||
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager(expressionString);
|
||||
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
|
||||
ExpressionParser mockExpressionParser = mock(ExpressionParser.class);
|
||||
Expression mockExpression = mock(Expression.class);
|
||||
given(mockExpressionParser.parseExpression(expressionString)).willReturn(mockExpression);
|
||||
expressionHandler.setExpressionParser(mockExpressionParser);
|
||||
manager.setExpressionHandler(expressionHandler);
|
||||
assertThat(manager).extracting("expressionHandler").isEqualTo(expressionHandler);
|
||||
assertThat(manager).extracting("expression").isEqualTo(mockExpression);
|
||||
verify(mockExpressionParser).parseExpression(expressionString);
|
||||
}
|
||||
|
||||
@Test
|
||||
void checkWhenExpressionHasRoleAdminConfiguredAndRoleAdminThenGrantedDecision() {
|
||||
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
|
||||
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedAdmin,
|
||||
new SimpleMethodInvocation(new Object(),
|
||||
ReflectionUtils.getRequiredMethod(BusinessService.class, "someAdminMethod")));
|
||||
assertThat(decision).isNotNull();
|
||||
assertThat(decision.isGranted()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
void checkWhenExpressionHasRoleAdminConfiguredAndRoleUserThenDeniedDecision() {
|
||||
MethodExpressionAuthorizationManager manager = new MethodExpressionAuthorizationManager("hasRole('ADMIN')");
|
||||
AuthorizationDecision decision = manager.check(TestAuthentication::authenticatedUser,
|
||||
new SimpleMethodInvocation(new Object(),
|
||||
ReflectionUtils.getRequiredMethod(BusinessService.class, "someAdminMethod")));
|
||||
assertThat(decision).isNotNull();
|
||||
assertThat(decision.isGranted()).isFalse();
|
||||
}
|
||||
|
||||
}
|
Loading…
Reference in New Issue