Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Reactive SwitchUserWebFilter for user impersonation 

Closes gh-8599
This commit is contained in:
Artur Otrzonsek 2020-06-12 13:19:10 +02:00 committed by Eleftheria Stein
parent 0a2006ebec
commit b22c50c4a8
2 changed files with 1041 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

385
web/src/main/java/org/springframework/security/web/server/authentication/SwitchUserWebFilter.java Normal file
View File

@ -0,0 +1,385 @@
/*
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.authentication;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpMethod;
import org.springframework.lang.NonNull;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
/**
* Switch User processing filter responsible for user context switching.
* A common use-case for this feature is the ability to allow
* higher-authority users (e.g. ROLE_ADMIN) to switch to a regular user (e.g. ROLE_USER).
* <p>
* This filter assumes that the user performing the switch will be required to be logged
* in as normal user (i.e. with a ROLE_ADMIN role). The user will then access a page/controller
* that enables the administrator to specify who they wish to become (see <code>switchUserUrl</code>).
* <p>
* <b>Note: This URL will be required to have appropriate security constraints configured
* so that only users of that role can access it (e.g. ROLE_ADMIN).</b>
* <p>
* On a successful switch, the user's <code>SecurityContext</code> will be updated to
* reflect the specified user and will also contain an additional
* {@link org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority}
* which contains the original user. Before switching, a check will be made on whether the
* user is already currently switched, and any current switch will be exited to prevent
* "nested" switches.
* <p>
* To 'exit' from a user context, the user needs to access a URL (see <code>exitUserUrl</code>)
* that will switch back to the original user as identified by the <code>ROLE_PREVIOUS_ADMINISTRATOR</code>.
* <p>
* To configure the Switch User Processing Filter, create a bean definition for the Switch
* User processing filter and add to the filterChainProxy. Note that the filter must come
* <b>after</b> the {@link org.springframework.security.config.web.server.SecurityWebFiltersOrder#AUTHORIZATION}
* in the chain, in order to apply the correct constraints to the <tt>switchUserUrl</tt>. Example:
* <pre>
* SwitchUserWebFilter filter = new SwitchUserWebFilter(userDetailsService, loginSuccessHandler, failureHandler);
* http.addFilterAfter(filter, SecurityWebFiltersOrder.AUTHORIZATION);
* </pre>
*
* @author Artur Otrzonsek
* @see SwitchUserGrantedAuthority
* @since 5.4
*/
public class SwitchUserWebFilter implements WebFilter {
private final Log logger = LogFactory.getLog(getClass());
public static final String SPRING_SECURITY_SWITCH_USERNAME_KEY = "username";
public static final String ROLE_PREVIOUS_ADMINISTRATOR = "ROLE_PREVIOUS_ADMINISTRATOR";
private final ServerAuthenticationSuccessHandler successHandler;
private final ServerAuthenticationFailureHandler failureHandler;
private final ReactiveUserDetailsService userDetailsService;
private final UserDetailsChecker userDetailsChecker;
private ServerSecurityContextRepository securityContextRepository;
private ServerWebExchangeMatcher switchUserMatcher = createMatcher("/login/impersonate");
private ServerWebExchangeMatcher exitUserMatcher = createMatcher("/logout/impersonate");
/**
* Creates a filter for the user context switching
*
* @param userDetailsService The <tt>UserDetailService</tt> which will be used to load
* information for the user that is being switched to.
* @param successHandler Used to define custom behaviour on a successful switch or exit user.
* @param failureHandler Used to define custom behaviour when a switch fails.
*/
public SwitchUserWebFilter(ReactiveUserDetailsService userDetailsService,
ServerAuthenticationSuccessHandler successHandler,
@Nullable ServerAuthenticationFailureHandler failureHandler) {
Assert.notNull(userDetailsService, "userDetailsService must be specified");
Assert.notNull(successHandler, "successHandler must be specified");
this.userDetailsService = userDetailsService;
this.successHandler = successHandler;
this.failureHandler = failureHandler;
this.securityContextRepository = new WebSessionServerSecurityContextRepository();
this.userDetailsChecker = new AccountStatusUserDetailsChecker();
}
/**
* Creates a filter for the user context switching
*
* @param userDetailsService The <tt>UserDetailService</tt> which will be used to load
* information for the user that is being switched to.
* @param successTargetUrl Sets the URL to go to after a successful switch / exit user request
* @param failureTargetUrl The URL to which a user should be redirected if the switch fails
*/
public SwitchUserWebFilter(ReactiveUserDetailsService userDetailsService,
String successTargetUrl, @Nullable String failureTargetUrl) {
Assert.notNull(userDetailsService, "userDetailsService must be specified");
Assert.notNull(successTargetUrl, "successTargetUrl must be specified");
this.userDetailsService = userDetailsService;
this.successHandler = new RedirectServerAuthenticationSuccessHandler(successTargetUrl);
if (failureTargetUrl != null) {
this.failureHandler = new RedirectServerAuthenticationFailureHandler(failureTargetUrl);
} else {
this.failureHandler = null;
}
this.securityContextRepository = new WebSessionServerSecurityContextRepository();
this.userDetailsChecker = new AccountStatusUserDetailsChecker();
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
final WebFilterExchange webFilterExchange = new WebFilterExchange(exchange, chain);
return switchUser(webFilterExchange)
.switchIfEmpty(Mono.defer(() -> exitSwitchUser(webFilterExchange)))
.switchIfEmpty(Mono.defer(() -> chain.filter(exchange).then(Mono.empty())))
.flatMap(authentication -> onAuthenticationSuccess(authentication, webFilterExchange))
.onErrorResume(SwitchUserAuthenticationException.class, exception -> Mono.empty());
}
/**
* Attempt to switch to another user.
*
* @param webFilterExchange The web filter exchange
* @return The new <code>Authentication</code> object if successfully switched to
* another user, <code>Mono.empty()</code> otherwise.
* @throws AuthenticationCredentialsNotFoundException If the target user can not be found by username
*/
protected Mono<Authentication> switchUser(WebFilterExchange webFilterExchange) {
return switchUserMatcher.matches(webFilterExchange.getExchange())
.filter(ServerWebExchangeMatcher.MatchResult::isMatch)
.flatMap(matchResult -> ReactiveSecurityContextHolder.getContext())
.map(SecurityContext::getAuthentication)
.flatMap(currentAuthentication -> {
final String username = getUsername(webFilterExchange.getExchange());
return attemptSwitchUser(currentAuthentication, username);
})
.onErrorResume(AuthenticationException.class, e ->
onAuthenticationFailure(e, webFilterExchange)
.then(Mono.error(new SwitchUserAuthenticationException(e)))
);
}
/**
* Attempt to exit from an already switched user.
*
* @param webFilterExchange The web filter exchange
* @return The original <code>Authentication</code> object.
* @throws AuthenticationCredentialsNotFoundException If there is no <code>Authentication</code> associated
* with this request or the user is not switched.
*/
protected Mono<Authentication> exitSwitchUser(WebFilterExchange webFilterExchange) {
return exitUserMatcher.matches(webFilterExchange.getExchange())
.filter(ServerWebExchangeMatcher.MatchResult::isMatch)
.flatMap(matchResult ->
ReactiveSecurityContextHolder.getContext()
.map(SecurityContext::getAuthentication)
.switchIfEmpty(Mono.error(this::noCurrentUserException))
)
.map(this::attemptExitUser);
}
/**
* Returns the name of the target user.
*
* @param exchange The server web exchange
* @return the name of the target user.
*/
protected String getUsername(ServerWebExchange exchange) {
return exchange.getRequest().getQueryParams().getFirst(SPRING_SECURITY_SWITCH_USERNAME_KEY);
}
@NonNull
private Mono<Authentication> attemptSwitchUser(Authentication currentAuthentication, String userName) {
Assert.notNull(userName, "The userName can not be null.");
if (this.logger.isDebugEnabled()) {
this.logger.debug("Attempt to switch to user [" + userName + "]");
}
return userDetailsService.findByUsername(userName)
.switchIfEmpty(Mono.error(this::noTargetAuthenticationException))
.doOnNext(userDetailsChecker::check)
.map(userDetails -> createSwitchUserToken(userDetails, currentAuthentication));
}
@NonNull
private Authentication attemptExitUser(Authentication currentAuthentication) {
final Optional<Authentication> sourceAuthentication = extractSourceAuthentication(currentAuthentication);
if (!sourceAuthentication.isPresent()) {
this.logger.debug("Could not find original user Authentication object!");
throw noOriginalAuthenticationException();
}
return sourceAuthentication.get();
}
private Mono<Void> onAuthenticationSuccess(Authentication authentication, WebFilterExchange webFilterExchange) {
final ServerWebExchange exchange = webFilterExchange.getExchange();
final SecurityContextImpl securityContext = new SecurityContextImpl(authentication);
return securityContextRepository.save(exchange, securityContext)
.then(this.successHandler.onAuthenticationSuccess(webFilterExchange, authentication))
.subscriberContext(ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContext)));
}
private Mono<Void> onAuthenticationFailure(AuthenticationException exception,
WebFilterExchange webFilterExchange) {
return Mono.justOrEmpty(failureHandler)
.switchIfEmpty(Mono.defer(() -> {
logger.error("Switch User failed", exception);
return Mono.error(exception);
}))
.flatMap(failureHandler -> failureHandler.onAuthenticationFailure(webFilterExchange, exception));
}
private Authentication createSwitchUserToken(UserDetails targetUser, Authentication currentAuthentication) {
final Optional<Authentication> sourceAuthentication = extractSourceAuthentication(currentAuthentication);
if (sourceAuthentication.isPresent()) {
// SEC-1763. Check first if we are already switched.
logger.info("Found original switch user granted authority [" + sourceAuthentication.get() + "]");
currentAuthentication = sourceAuthentication.get();
}
final GrantedAuthority switchAuthority =
new SwitchUserGrantedAuthority(ROLE_PREVIOUS_ADMINISTRATOR, currentAuthentication);
final Collection<? extends GrantedAuthority> targetUserAuthorities = targetUser.getAuthorities();
final List<GrantedAuthority> extendedTargetUserAuthorities = new ArrayList<>(targetUserAuthorities);
extendedTargetUserAuthorities.add(switchAuthority);
return new UsernamePasswordAuthenticationToken(
targetUser, targetUser.getPassword(), extendedTargetUserAuthorities
);
}
/**
* Find the original <code>Authentication</code> object from the current user's
* granted authorities. A successfully switched user should have a
* <code>SwitchUserGrantedAuthority</code> that contains the original source user
* <code>Authentication</code> object.
*
* @param currentAuthentication The current <code>Authentication</code> object
* @return The source user <code>Authentication</code> object or <code>Optional.empty</code>
* otherwise.
*/
private Optional<Authentication> extractSourceAuthentication(Authentication currentAuthentication) {
// iterate over granted authorities and find the 'switch user' authority
for (GrantedAuthority authority : currentAuthentication.getAuthorities()) {
if (authority instanceof SwitchUserGrantedAuthority) {
final SwitchUserGrantedAuthority switchAuthority = (SwitchUserGrantedAuthority) authority;
return Optional.of(switchAuthority.getSource());
}
}
return Optional.empty();
}
private static ServerWebExchangeMatcher createMatcher(String pattern) {
return ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, pattern);
}
private AuthenticationCredentialsNotFoundException noCurrentUserException() {
return new AuthenticationCredentialsNotFoundException(
"No current user associated with this request"
);
}
private AuthenticationCredentialsNotFoundException noOriginalAuthenticationException() {
return new AuthenticationCredentialsNotFoundException(
"Could not find original Authentication object"
);
}
private AuthenticationCredentialsNotFoundException noTargetAuthenticationException() {
return new AuthenticationCredentialsNotFoundException(
"No target user for the given username"
);
}
private static class SwitchUserAuthenticationException extends RuntimeException {
SwitchUserAuthenticationException(AuthenticationException exception) {
super(exception);
}
}
/**
* Sets the repository for persisting the SecurityContext. Default is {@link WebSessionServerSecurityContextRepository}
*
* @param securityContextRepository the repository to use
*/
public void setSecurityContextRepository(
ServerSecurityContextRepository securityContextRepository) {
Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
this.securityContextRepository = securityContextRepository;
}
/**
* Set the URL to respond to exit user processing. This is a shortcut for
* * {@link #setExitUserMatcher(ServerWebExchangeMatcher)}
*
* @param exitUserUrl The exit user URL.
*/
public void setExitUserUrl(String exitUserUrl) {
Assert.isTrue(UrlUtils.isValidRedirectUrl(exitUserUrl),
"exitUserUrl cannot be empty and must be a valid redirect URL");
this.exitUserMatcher = createMatcher(exitUserUrl);
}
/**
* Set the matcher to respond to exit user processing.
*
* @param exitUserMatcher The exit matcher to use
*/
public void setExitUserMatcher(ServerWebExchangeMatcher exitUserMatcher) {
Assert.notNull(exitUserMatcher, "exitUserMatcher cannot be null");
this.exitUserMatcher = exitUserMatcher;
}
/**
* Set the URL to respond to switch user processing. This is a shortcut for
* {@link #setSwitchUserMatcher(ServerWebExchangeMatcher)}
*
* @param switchUserUrl The switch user URL.
*/
public void setSwitchUserUrl(String switchUserUrl) {
Assert.isTrue(UrlUtils.isValidRedirectUrl(switchUserUrl),
"switchUserUrl cannot be empty and must be a valid redirect URL");
this.switchUserMatcher = createMatcher(switchUserUrl);
}
/**
* Set the matcher to respond to switch user processing.
*
* @param switchUserMatcher The switch user matcher.
*/
public void setSwitchUserMatcher(ServerWebExchangeMatcher switchUserMatcher) {
Assert.notNull(switchUserMatcher, "switchUserMatcher cannot be null");
this.switchUserMatcher = switchUserMatcher;
}
}

656
web/src/test/java/org/springframework/security/web/server/authentication/SwitchUserWebFilterTests.java Normal file
View File

@ -0,0 +1,656 @@
/*
* Copyright 2002-2020 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.server.authentication;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.mockito.ArgumentCaptor;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
import org.springframework.http.HttpMethod;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.test.util.ReflectionTestUtils;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
import java.security.Principal;
import java.util.Collections;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.Assert.*;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.*;
import static org.springframework.security.core.context.ReactiveSecurityContextHolder.withSecurityContext;
import static org.springframework.security.web.server.authentication.SwitchUserWebFilter.ROLE_PREVIOUS_ADMINISTRATOR;
/**
* @author Artur Otrzonsek
*/
@RunWith(MockitoJUnitRunner.class)
public class SwitchUserWebFilterTests {
private SwitchUserWebFilter switchUserWebFilter;
@Mock
private ReactiveUserDetailsService userDetailsService;
@Mock
ServerAuthenticationSuccessHandler successHandler;
@Mock
private ServerAuthenticationFailureHandler failureHandler;
@Mock
private ServerSecurityContextRepository serverSecurityContextRepository;
@Rule
public ExpectedException exceptionRule = ExpectedException.none();
@Before
public void setUp() {
switchUserWebFilter = new SwitchUserWebFilter(userDetailsService, successHandler, failureHandler);
switchUserWebFilter.setSecurityContextRepository(serverSecurityContextRepository);
}
@Test
public void switchUserWhenRequestNotMatchThenDoesNothing() {
// given
MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/not/existing"));
WebFilterChain chain = mock(WebFilterChain.class);
when(chain.filter(exchange)).thenReturn(Mono.empty());
// when
switchUserWebFilter.filter(exchange, chain).block();
// then
verifyNoInteractions(userDetailsService);
verifyNoInteractions(successHandler);
verifyNoInteractions(failureHandler);
verifyNoInteractions(serverSecurityContextRepository);
verify(chain).filter(exchange);
}
@Test
public void switchUser() {
// given
final String targetUsername = "TEST_USERNAME";
final UserDetails switchUserDetails = switchUserDetails(targetUsername, true);
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/login/impersonate?username={targetUser}", targetUsername));
final WebFilterChain chain = mock(WebFilterChain.class);
final Authentication originalAuthentication =
new UsernamePasswordAuthenticationToken("principal", "credentials");
final SecurityContextImpl securityContext = new SecurityContextImpl(originalAuthentication);
when(userDetailsService.findByUsername(targetUsername))
.thenReturn(Mono.just(switchUserDetails));
when(serverSecurityContextRepository.save(eq(exchange), any(SecurityContext.class)))
.thenReturn(Mono.empty());
when(successHandler.onAuthenticationSuccess(any(WebFilterExchange.class), any(Authentication.class)))
.thenReturn(Mono.empty());
// when
switchUserWebFilter.filter(exchange, chain)
.subscriberContext(withSecurityContext(Mono.just(securityContext)))
.block();
// then
verifyNoInteractions(chain);
verify(userDetailsService).findByUsername(targetUsername);
final ArgumentCaptor<SecurityContext> securityContextCaptor = ArgumentCaptor.forClass(SecurityContext.class);
verify(serverSecurityContextRepository).save(eq(exchange), securityContextCaptor.capture());
final SecurityContext savedSecurityContext = securityContextCaptor.getValue();
final ArgumentCaptor<Authentication> authenticationCaptor = ArgumentCaptor.forClass(Authentication.class);
verify(successHandler).onAuthenticationSuccess(any(WebFilterExchange.class), authenticationCaptor.capture());
final Authentication switchUserAuthentication = authenticationCaptor.getValue();
assertSame(savedSecurityContext.getAuthentication(), switchUserAuthentication);
assertEquals("username should point to the switched user",
targetUsername, switchUserAuthentication.getName());
assertTrue("switchAuthentication should contain SwitchUserGrantedAuthority",
switchUserAuthentication.getAuthorities().stream()
.anyMatch(a -> a instanceof SwitchUserGrantedAuthority)
);
assertTrue("new authentication should get new role ",
switchUserAuthentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.anyMatch(a -> a.equals(ROLE_PREVIOUS_ADMINISTRATOR))
);
assertEquals(
"SwitchUserGrantedAuthority should contain the original authentication",
originalAuthentication.getName(),
switchUserAuthentication.getAuthorities().stream()
.filter(a -> a instanceof SwitchUserGrantedAuthority)
.map(a -> ((SwitchUserGrantedAuthority) a).getSource())
.map(Principal::getName)
.findFirst()
.orElse(null)
);
}
@Test
public void switchUserWhenUserAlreadySwitchedThenExitSwitchAndSwitchAgain() {
// given
final Authentication originalAuthentication =
new UsernamePasswordAuthenticationToken("origPrincipal", "origCredentials");
final GrantedAuthority switchAuthority =
new SwitchUserGrantedAuthority(ROLE_PREVIOUS_ADMINISTRATOR, originalAuthentication);
final Authentication switchUserAuthentication =
new UsernamePasswordAuthenticationToken("switchPrincipal", "switchCredentials",
Collections.singleton(switchAuthority));
final SecurityContextImpl securityContext = new SecurityContextImpl(switchUserAuthentication);
final String targetUsername = "newSwitchPrincipal";
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/login/impersonate?username={targetUser}", targetUsername));
final WebFilterChain chain = mock(WebFilterChain.class);
when(serverSecurityContextRepository.save(eq(exchange), any(SecurityContext.class)))
.thenReturn(Mono.empty());
when(successHandler.onAuthenticationSuccess(any(WebFilterExchange.class), any(Authentication.class)))
.thenReturn(Mono.empty());
when(userDetailsService.findByUsername(targetUsername))
.thenReturn(Mono.just(switchUserDetails(targetUsername, true)));
// when
switchUserWebFilter.filter(exchange, chain)
.subscriberContext(withSecurityContext(Mono.just(securityContext)))
.block();
// then
final ArgumentCaptor<Authentication> authenticationCaptor = ArgumentCaptor.forClass(Authentication.class);
verify(successHandler).onAuthenticationSuccess(any(WebFilterExchange.class), authenticationCaptor.capture());
final Authentication secondSwitchUserAuthentication = authenticationCaptor.getValue();
assertEquals("username should point to the switched user",
targetUsername, secondSwitchUserAuthentication.getName());
assertEquals(
"SwitchUserGrantedAuthority should contain the original authentication",
originalAuthentication.getName(),
secondSwitchUserAuthentication.getAuthorities().stream()
.filter(a -> a instanceof SwitchUserGrantedAuthority)
.map(a -> ((SwitchUserGrantedAuthority) a).getSource())
.map(Principal::getName)
.findFirst()
.orElse(null)
);
}
@Test
public void switchUserWhenUsernameIsMissingThenThrowException() {
// given
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/login/impersonate"));
final WebFilterChain chain = mock(WebFilterChain.class);
final SecurityContextImpl securityContext = new SecurityContextImpl(mock(Authentication.class));
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("The userName can not be null.");
// when
switchUserWebFilter.filter(exchange, chain)
.subscriberContext(withSecurityContext(Mono.just(securityContext)))
.block();
verifyNoInteractions(chain);
}
@Test
public void switchUserWhenExceptionThenCallFailureHandler() {
final String targetUsername = "TEST_USERNAME";
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/login/impersonate?username={targetUser}", targetUsername));
final WebFilterChain chain = mock(WebFilterChain.class);
final SecurityContextImpl securityContext = new SecurityContextImpl(mock(Authentication.class));
final UserDetails switchUserDetails = switchUserDetails(targetUsername, false);
when(userDetailsService.findByUsername(any(String.class))).thenReturn(Mono.just(switchUserDetails));
when(failureHandler.onAuthenticationFailure(any(WebFilterExchange.class), any(DisabledException.class)))
.thenReturn(Mono.empty());
// when
switchUserWebFilter.filter(exchange, chain)
.subscriberContext(withSecurityContext(Mono.just(securityContext)))
.block();
verify(failureHandler).onAuthenticationFailure(any(WebFilterExchange.class), any(DisabledException.class));
verifyNoInteractions(chain);
}
@Test
public void switchUserWhenFailureHandlerNotDefinedThenReturnError() {
// given
switchUserWebFilter = new SwitchUserWebFilter(userDetailsService, successHandler, null);
final String targetUsername = "TEST_USERNAME";
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/login/impersonate?username={targetUser}", targetUsername));
final WebFilterChain chain = mock(WebFilterChain.class);
final SecurityContextImpl securityContext = new SecurityContextImpl(mock(Authentication.class));
final UserDetails switchUserDetails = switchUserDetails(targetUsername, false);
when(userDetailsService.findByUsername(any(String.class))).thenReturn(Mono.just(switchUserDetails));
exceptionRule.expect(DisabledException.class);
// when then
switchUserWebFilter.filter(exchange, chain)
.subscriberContext(withSecurityContext(Mono.just(securityContext)))
.block();
verifyNoInteractions(chain);
}
@Test
public void exitSwitchThenReturnToOriginalAuthentication() {
// given
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/logout/impersonate"));
final Authentication originalAuthentication =
new UsernamePasswordAuthenticationToken("origPrincipal", "origCredentials");
final GrantedAuthority switchAuthority =
new SwitchUserGrantedAuthority(ROLE_PREVIOUS_ADMINISTRATOR, originalAuthentication);
final Authentication switchUserAuthentication =
new UsernamePasswordAuthenticationToken("switchPrincipal", "switchCredentials",
Collections.singleton(switchAuthority));
final WebFilterChain chain = mock(WebFilterChain.class);
final SecurityContextImpl securityContext = new SecurityContextImpl(switchUserAuthentication);
when(serverSecurityContextRepository.save(eq(exchange), any(SecurityContext.class)))
.thenReturn(Mono.empty());
when(successHandler.onAuthenticationSuccess(any(WebFilterExchange.class), any(Authentication.class)))
.thenReturn(Mono.empty());
// when
switchUserWebFilter.filter(exchange, chain)
.subscriberContext(withSecurityContext(Mono.just(securityContext)))
.block();
// then
final ArgumentCaptor<SecurityContext> securityContextCaptor = ArgumentCaptor.forClass(SecurityContext.class);
verify(serverSecurityContextRepository).save(eq(exchange), securityContextCaptor.capture());
final SecurityContext savedSecurityContext = securityContextCaptor.getValue();
final ArgumentCaptor<Authentication> authenticationCaptor = ArgumentCaptor.forClass(Authentication.class);
verify(successHandler).onAuthenticationSuccess(any(WebFilterExchange.class), authenticationCaptor.capture());
final Authentication originalAuthenticationValue = authenticationCaptor.getValue();
assertSame(originalAuthentication, savedSecurityContext.getAuthentication());
assertSame(originalAuthentication, originalAuthenticationValue);
verifyNoInteractions(chain);
}
@Test
public void exitSwitchWhenUserNotSwitchedThenThrowError() {
// given
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/logout/impersonate"));
final Authentication originalAuthentication =
new UsernamePasswordAuthenticationToken("origPrincipal", "origCredentials");
final WebFilterChain chain = mock(WebFilterChain.class);
final SecurityContextImpl securityContext = new SecurityContextImpl(originalAuthentication);
exceptionRule.expect(AuthenticationCredentialsNotFoundException.class);
exceptionRule.expectMessage("Could not find original Authentication object");
// when then
switchUserWebFilter.filter(exchange, chain)
.subscriberContext(withSecurityContext(Mono.just(securityContext)))
.block();
verifyNoInteractions(chain);
}
@Test
public void exitSwitchWhenNoCurrentUserThenThrowError() {
// given
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/logout/impersonate"));
final WebFilterChain chain = mock(WebFilterChain.class);
exceptionRule.expect(AuthenticationCredentialsNotFoundException.class);
exceptionRule.expectMessage("No current user associated with this request");
// when
switchUserWebFilter.filter(exchange, chain).block();
//then
verifyNoInteractions(chain);
}
@Test
public void constructorUserDetailsServiceRequired() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("userDetailsService must be specified");
// when
switchUserWebFilter = new SwitchUserWebFilter(
null,
mock(ServerAuthenticationSuccessHandler.class),
mock(ServerAuthenticationFailureHandler.class)
);
}
@Test
public void constructorServerAuthenticationSuccessHandlerRequired() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("successHandler must be specified");
// when
switchUserWebFilter = new SwitchUserWebFilter(
mock(ReactiveUserDetailsService.class),
null,
mock(ServerAuthenticationFailureHandler.class)
);
}
@Test
public void constructorSuccessTargetUrlRequired() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("successTargetUrl must be specified");
// when
switchUserWebFilter = new SwitchUserWebFilter(
mock(ReactiveUserDetailsService.class),
null,
"failure/target/url"
);
}
@Test
public void constructorFirstDefaultValues() {
// when
switchUserWebFilter = new SwitchUserWebFilter(
mock(ReactiveUserDetailsService.class),
mock(ServerAuthenticationSuccessHandler.class),
mock(ServerAuthenticationFailureHandler.class)
);
// then
final Object securityContextRepository =
ReflectionTestUtils.getField(switchUserWebFilter, "securityContextRepository");
assertTrue(securityContextRepository instanceof WebSessionServerSecurityContextRepository);
final Object userDetailsChecker =
ReflectionTestUtils.getField(switchUserWebFilter, "userDetailsChecker");
assertTrue(userDetailsChecker instanceof AccountStatusUserDetailsChecker);
}
@Test
public void constructorSecondDefaultValues() {
// when
switchUserWebFilter = new SwitchUserWebFilter(
mock(ReactiveUserDetailsService.class),
"success/target/url",
"failure/target/url"
);
// then
final Object successHandler =
ReflectionTestUtils.getField(switchUserWebFilter, "successHandler");
assertTrue(successHandler instanceof RedirectServerAuthenticationSuccessHandler);
final Object failureHandler =
ReflectionTestUtils.getField(switchUserWebFilter, "failureHandler");
assertTrue(failureHandler instanceof RedirectServerAuthenticationFailureHandler);
final Object securityContextRepository =
ReflectionTestUtils.getField(switchUserWebFilter, "securityContextRepository");
assertTrue(securityContextRepository instanceof WebSessionServerSecurityContextRepository);
final Object userDetailsChecker =
ReflectionTestUtils.getField(switchUserWebFilter, "userDetailsChecker");
assertTrue(userDetailsChecker instanceof AccountStatusUserDetailsChecker);
}
@Test
public void setSecurityContextRepositoryWhenNullThenThrowException() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("securityContextRepository cannot be null");
// when
switchUserWebFilter.setSecurityContextRepository(null);
// then
fail("Test should fail with exception");
}
@Test
public void setSecurityContextRepositoryWhenDefinedThenChangeDefaultValue() {
// given
final Object oldSecurityContextRepository =
ReflectionTestUtils.getField(switchUserWebFilter, "securityContextRepository");
assertSame(serverSecurityContextRepository, oldSecurityContextRepository);
final ServerSecurityContextRepository newSecurityContextRepository = mock(ServerSecurityContextRepository.class);
// when
switchUserWebFilter.setSecurityContextRepository(newSecurityContextRepository);
// then
final Object currentSecurityContextRepository =
ReflectionTestUtils.getField(switchUserWebFilter, "securityContextRepository");
assertSame(newSecurityContextRepository, currentSecurityContextRepository);
}
@Test
public void setExitUserUrlWhenNullThenThrowException() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("exitUserUrl cannot be empty and must be a valid redirect URL");
// when
switchUserWebFilter.setExitUserUrl(null);
// then
fail("Test should fail with exception");
}
@Test
public void setExitUserUrlWhenInvalidUrlThenThrowException() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("exitUserUrl cannot be empty and must be a valid redirect URL");
// when
switchUserWebFilter.setExitUserUrl("wrongUrl");
// then
fail("Test should fail with exception");
}
@Test
public void setExitUserUrlWhenDefinedThenChangeDefaultValue() {
// given
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/logout/impersonate"));
final ServerWebExchangeMatcher oldExitUserMatcher =
(ServerWebExchangeMatcher) ReflectionTestUtils.getField(switchUserWebFilter, "exitUserMatcher");
assertThat(oldExitUserMatcher.matches(exchange).block().isMatch()).isTrue();
// when
switchUserWebFilter.setExitUserUrl("/exit-url");
// then
final MockServerWebExchange newExchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/exit-url"));
final ServerWebExchangeMatcher newExitUserMatcher =
(ServerWebExchangeMatcher) ReflectionTestUtils.getField(switchUserWebFilter, "exitUserMatcher");
assertThat(newExitUserMatcher.matches(newExchange).block().isMatch()).isTrue();
}
@Test
public void setExitUserMatcherWhenNullThenThrowException() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("exitUserMatcher cannot be null");
// when
switchUserWebFilter.setExitUserMatcher(null);
// then
fail("Test should fail with exception");
}
@Test
public void setExitUserMatcherWhenDefinedThenChangeDefaultValue() {
// given
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/logout/impersonate"));
final ServerWebExchangeMatcher oldExitUserMatcher =
(ServerWebExchangeMatcher) ReflectionTestUtils.getField(switchUserWebFilter, "exitUserMatcher");
assertThat(oldExitUserMatcher.matches(exchange).block().isMatch()).isTrue();
final ServerWebExchangeMatcher newExitUserMatcher =
ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/exit-url");
// when
switchUserWebFilter.setExitUserMatcher(newExitUserMatcher);
// then
final ServerWebExchangeMatcher currentExitUserMatcher =
(ServerWebExchangeMatcher) ReflectionTestUtils.getField(switchUserWebFilter, "exitUserMatcher");
assertSame(newExitUserMatcher, currentExitUserMatcher);
}
@Test
public void setSwitchUserUrlWhenNullThenThrowException() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("switchUserUrl cannot be empty and must be a valid redirect URL");
// when
switchUserWebFilter.setSwitchUserUrl(null);
// then
fail("Test should fail with exception");
}
@Test
public void setSwitchUserUrlWhenInvalidThenThrowException() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("switchUserUrl cannot be empty and must be a valid redirect URL");
// when
switchUserWebFilter.setSwitchUserUrl("wrongUrl");
// then
fail("Test should fail with exception");
}
@Test
public void setSwitchUserUrlWhenDefinedThenChangeDefaultValue() {
// given
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/login/impersonate"));
final ServerWebExchangeMatcher oldSwitchUserMatcher =
(ServerWebExchangeMatcher) ReflectionTestUtils.getField(switchUserWebFilter, "switchUserMatcher");
assertThat(oldSwitchUserMatcher.matches(exchange).block().isMatch()).isTrue();
// when
switchUserWebFilter.setSwitchUserUrl("/switch-url");
// then
final MockServerWebExchange newExchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/switch-url"));
final ServerWebExchangeMatcher newSwitchUserMatcher =
(ServerWebExchangeMatcher) ReflectionTestUtils.getField(switchUserWebFilter, "switchUserMatcher");
assertThat(newSwitchUserMatcher.matches(newExchange).block().isMatch()).isTrue();
}
@Test
public void setSwitchUserMatcherWhenNullThenThrowException() {
// given
exceptionRule.expect(IllegalArgumentException.class);
exceptionRule.expectMessage("switchUserMatcher cannot be null");
// when
switchUserWebFilter.setSwitchUserMatcher(null);
// then
fail("Test should fail with exception");
}
@Test
public void setSwitchUserMatcherWhenDefinedThenChangeDefaultValue() {
// given
final MockServerWebExchange exchange = MockServerWebExchange
.from(MockServerHttpRequest.post("/login/impersonate"));
final ServerWebExchangeMatcher oldSwitchUserMatcher =
(ServerWebExchangeMatcher) ReflectionTestUtils.getField(switchUserWebFilter, "switchUserMatcher");
assertThat(oldSwitchUserMatcher.matches(exchange).block().isMatch()).isTrue();
final ServerWebExchangeMatcher newSwitchUserMatcher =
ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/switch-url");
// when
switchUserWebFilter.setSwitchUserMatcher(newSwitchUserMatcher);
// then
final ServerWebExchangeMatcher currentExitUserMatcher =
(ServerWebExchangeMatcher) ReflectionTestUtils.getField(switchUserWebFilter, "switchUserMatcher");
assertSame(newSwitchUserMatcher, currentExitUserMatcher);
}
private UserDetails switchUserDetails(String username, boolean enabled) {
final SimpleGrantedAuthority authority = new SimpleGrantedAuthority("ROLE_SWITCH_TEST");
return new User(username, "NA", enabled,
true, true, true, Collections.singleton(authority));
}
}