Mark Observations with Security Context Events

Closes gh-11992

core/src/main/java/org/springframework/security/core/context/ObservationSecurityContextChangedListener.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.context;
+
+import io.micrometer.observation.Observation;
+import io.micrometer.observation.ObservationRegistry;
+
+import org.springframework.security.core.Authentication;
+
+/**
+ * A {@link SecurityContextChangedListener} that adds events to an existing
+ * {@link Observation}
+ *
+ * If no {@link Observation} is present when an event is fired, then the event is
+ * unrecorded.
+ *
+ * @author Josh Cummings
+ * @since 6.0
+ */
+public final class ObservationSecurityContextChangedListener implements SecurityContextChangedListener {
+
+	private static final String SECURITY_CONTEXT_CREATED = "security.context.created";
+
+	private static final String SECURITY_CONTEXT_CHANGED = "security.context.changed";
+
+	private static final String SECURITY_CONTEXT_CLEARED = "security.context.cleared";
+
+	private final ObservationRegistry registry;
+
+	/**
+	 * Create a {@link ObservationSecurityContextChangedListener}
+	 * @param registry the {@link ObservationRegistry} for looking up the surrounding
+	 * {@link Observation}
+	 */
+	public ObservationSecurityContextChangedListener(ObservationRegistry registry) {
+		this.registry = registry;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public void securityContextChanged(SecurityContextChangedEvent event) {
+		Observation observation = this.registry.getCurrentObservation();
+		if (observation == null) {
+			return;
+		}
+		if (event.isCleared()) {
+			observation.event(Observation.Event.of("security.context.cleared"));
+			return;
+		}
+		Authentication oldAuthentication = getAuthentication(event.getOldContext());
+		Authentication newAuthentication = getAuthentication(event.getNewContext());
+		if (oldAuthentication == null && newAuthentication == null) {
+			return;
+		}
+		if (oldAuthentication == null) {
+			observation.event(Observation.Event.of(SECURITY_CONTEXT_CREATED, "%s [%s]").format(SECURITY_CONTEXT_CREATED,
+					newAuthentication.getClass().getSimpleName()));
+			return;
+		}
+		if (newAuthentication == null) {
+			observation.event(Observation.Event.of(SECURITY_CONTEXT_CLEARED, "%s [%s]").format(SECURITY_CONTEXT_CLEARED,
+					oldAuthentication.getClass().getSimpleName()));
+			return;
+		}
+		if (oldAuthentication.equals(newAuthentication)) {
+			return;
+		}
+		observation.event(
+				Observation.Event.of(SECURITY_CONTEXT_CHANGED, "%s [%s] -> [%s]").format(SECURITY_CONTEXT_CHANGED,
+						oldAuthentication.getClass().getSimpleName(), newAuthentication.getClass().getSimpleName()));
+	}
+
+	private static Authentication getAuthentication(SecurityContext context) {
+		if (context == null) {
+			return null;
+		}
+		return context.getAuthentication();
+	}
+
+}

core/src/test/java/org/springframework/security/core/context/ObservationSecurityContextChangedListenerTests.java

@@ -0,0 +1,101 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.context;
+
+import java.util.function.Supplier;
+
+import io.micrometer.observation.Observation;
+import io.micrometer.observation.ObservationRegistry;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+
+import org.springframework.security.authentication.TestingAuthenticationToken;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+
+/**
+ * Tests for {@link ObservationSecurityContextChangedListener}
+ */
+public class ObservationSecurityContextChangedListenerTests {
+
+	private SecurityContext one = new SecurityContextImpl(new TestingAuthenticationToken("user", "pass"));
+
+	private SecurityContext two = new SecurityContextImpl(new TestingAuthenticationToken("admin", "pass"));
+
+	private ObservationRegistry observationRegistry;
+
+	private ObservationSecurityContextChangedListener tested;
+
+	@BeforeEach
+	void setup() {
+		this.observationRegistry = mock(ObservationRegistry.class);
+		this.tested = new ObservationSecurityContextChangedListener(this.observationRegistry);
+	}
+
+	@Test
+	void securityContextChangedWhenNoObservationThenNoEvents() {
+		given(this.observationRegistry.getCurrentObservation()).willReturn(null);
+		this.tested.securityContextChanged(new SecurityContextChangedEvent(this.one, this.two));
+	}
+
+	@Test
+	void securityContextChangedWhenClearedEventThenAddsClearEventToObservation() {
+		Observation observation = mock(Observation.class);
+		given(this.observationRegistry.getCurrentObservation()).willReturn(observation);
+		Supplier<SecurityContext> one = mock(Supplier.class);
+		this.tested
+				.securityContextChanged(new SecurityContextChangedEvent(one, SecurityContextChangedEvent.NO_CONTEXT));
+		ArgumentCaptor<Observation.Event> event = ArgumentCaptor.forClass(Observation.Event.class);
+		verify(observation).event(event.capture());
+		assertThat(event.getValue().getName()).isEqualTo("security.context.cleared");
+		verifyNoInteractions(one);
+	}
+
+	@Test
+	void securityContextChangedWhenNoChangeThenNoEventAddedToObservation() {
+		Observation observation = mock(Observation.class);
+		given(this.observationRegistry.getCurrentObservation()).willReturn(observation);
+		this.tested.securityContextChanged(new SecurityContextChangedEvent(this.one, this.one));
+		verifyNoInteractions(observation);
+	}
+
+	@Test
+	void securityContextChangedWhenChangedEventThenAddsChangeEventToObservation() {
+		Observation observation = mock(Observation.class);
+		given(this.observationRegistry.getCurrentObservation()).willReturn(observation);
+		this.tested.securityContextChanged(new SecurityContextChangedEvent(this.one, this.two));
+		ArgumentCaptor<Observation.Event> event = ArgumentCaptor.forClass(Observation.Event.class);
+		verify(observation).event(event.capture());
+		assertThat(event.getValue().getName()).isEqualTo("security.context.changed");
+	}
+
+	@Test
+	void securityContextChangedWhenCreatedEventThenAddsCreatedEventToObservation() {
+		Observation observation = mock(Observation.class);
+		given(this.observationRegistry.getCurrentObservation()).willReturn(observation);
+		this.tested.securityContextChanged(new SecurityContextChangedEvent(null, this.one));
+		ArgumentCaptor<Observation.Event> event = ArgumentCaptor.forClass(Observation.Event.class);
+		verify(observation).event(event.capture());
+		assertThat(event.getValue().getName()).isEqualTo("security.context.created");
+	}
+
+}