diff --git a/core/src/main/java/org/springframework/security/core/context/ObservationSecurityContextChangedListener.java b/core/src/main/java/org/springframework/security/core/context/ObservationSecurityContextChangedListener.java
new file mode 100644
index 0000000000..a8c141e7f8
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/core/context/ObservationSecurityContextChangedListener.java
@@ -0,0 +1,96 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.context;
+
+import io.micrometer.observation.Observation;
+import io.micrometer.observation.ObservationRegistry;
+
+import org.springframework.security.core.Authentication;
+
+/**
+ * A {@link SecurityContextChangedListener} that adds events to an existing
+ * {@link Observation}
+ *
+ * If no {@link Observation} is present when an event is fired, then the event is
+ * unrecorded.
+ *
+ * @author Josh Cummings
+ * @since 6.0
+ */
+public final class ObservationSecurityContextChangedListener implements SecurityContextChangedListener {
+
+ private static final String SECURITY_CONTEXT_CREATED = "security.context.created";
+
+ private static final String SECURITY_CONTEXT_CHANGED = "security.context.changed";
+
+ private static final String SECURITY_CONTEXT_CLEARED = "security.context.cleared";
+
+ private final ObservationRegistry registry;
+
+ /**
+ * Create a {@link ObservationSecurityContextChangedListener}
+ * @param registry the {@link ObservationRegistry} for looking up the surrounding
+ * {@link Observation}
+ */
+ public ObservationSecurityContextChangedListener(ObservationRegistry registry) {
+ this.registry = registry;
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ @Override
+ public void securityContextChanged(SecurityContextChangedEvent event) {
+ Observation observation = this.registry.getCurrentObservation();
+ if (observation == null) {
+ return;
+ }
+ if (event.isCleared()) {
+ observation.event(Observation.Event.of("security.context.cleared"));
+ return;
+ }
+ Authentication oldAuthentication = getAuthentication(event.getOldContext());
+ Authentication newAuthentication = getAuthentication(event.getNewContext());
+ if (oldAuthentication == null && newAuthentication == null) {
+ return;
+ }
+ if (oldAuthentication == null) {
+ observation.event(Observation.Event.of(SECURITY_CONTEXT_CREATED, "%s [%s]").format(SECURITY_CONTEXT_CREATED,
+ newAuthentication.getClass().getSimpleName()));
+ return;
+ }
+ if (newAuthentication == null) {
+ observation.event(Observation.Event.of(SECURITY_CONTEXT_CLEARED, "%s [%s]").format(SECURITY_CONTEXT_CLEARED,
+ oldAuthentication.getClass().getSimpleName()));
+ return;
+ }
+ if (oldAuthentication.equals(newAuthentication)) {
+ return;
+ }
+ observation.event(
+ Observation.Event.of(SECURITY_CONTEXT_CHANGED, "%s [%s] -> [%s]").format(SECURITY_CONTEXT_CHANGED,
+ oldAuthentication.getClass().getSimpleName(), newAuthentication.getClass().getSimpleName()));
+ }
+
+ private static Authentication getAuthentication(SecurityContext context) {
+ if (context == null) {
+ return null;
+ }
+ return context.getAuthentication();
+ }
+
+}
diff --git a/core/src/test/java/org/springframework/security/core/context/ObservationSecurityContextChangedListenerTests.java b/core/src/test/java/org/springframework/security/core/context/ObservationSecurityContextChangedListenerTests.java
new file mode 100644
index 0000000000..750a352b64
--- /dev/null
+++ b/core/src/test/java/org/springframework/security/core/context/ObservationSecurityContextChangedListenerTests.java
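Review bot: The constructor of `ObservationSecurityContextChangedListener` stores `registry` without a null check, so a null registry is only discovered as a NullPointerException inside `securityContextChanged`, in the middle of whichever call was setting or clearing the context; `Assert.notNull(registry, "registry cannot be null");` before the assignment (with the `org.springframework.util.Assert` import) fails at wiring time instead. The `event.isCleared()` branch passes the literal `"security.context.cleared"` where the other branches use the constants, and `Observation.Event.of(SECURITY_CONTEXT_CLEARED)` would keep the names from drifting. The class Javadoc could also state that only the simple class name of the `Authentication` is put into the event, never the principal or credentials, so a later change does not start writing identities into observation data.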
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.context;
+
+import java.util.function.Supplier;
+
+import io.micrometer.observation.Observation;
+import io.micrometer.observation.ObservationRegistry;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
+
+import org.springframework.security.authentication.TestingAuthenticationToken;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoInteractions;
+
+/**
+ * Tests for {@link ObservationSecurityContextChangedListener}
+ */
+public class ObservationSecurityContextChangedListenerTests {
+
+ private SecurityContext one = new SecurityContextImpl(new TestingAuthenticationToken("user", "pass"));
+
+ private SecurityContext two = new SecurityContextImpl(new TestingAuthenticationToken("admin", "pass"));
+
+ private ObservationRegistry observationRegistry;
+
+ private ObservationSecurityContextChangedListener tested;
+
+ @BeforeEach
+ void setup() {
+ this.observationRegistry = mock(ObservationRegistry.class);
+ this.tested = new ObservationSecurityContextChangedListener(this.observationRegistry);
+ }
+
+ @Test
+ void securityContextChangedWhenNoObservationThenNoEvents() {
+ given(this.observationRegistry.getCurrentObservation()).willReturn(null);
+ this.tested.securityContextChanged(new SecurityContextChangedEvent(this.one, this.two));
+ }
+
+ @Test
+ void securityContextChangedWhenClearedEventThenAddsClearEventToObservation() {
+ Observation observation = mock(Observation.class);
+ given(this.observationRegistry.getCurrentObservation()).willReturn(observation);
+ Supplier<SecurityContext> one = mock(Supplier.class);
+ this.tested
+ .securityContextChanged(new SecurityContextChangedEvent(one, SecurityContextChangedEvent.NO_CONTEXT));
+ ArgumentCaptor<Observation.Event> event = ArgumentCaptor.forClass(Observation.Event.class);
+ verify(observation).event(event.capture());
+ assertThat(event.getValue().getName()).isEqualTo("security.context.cleared");
+ verifyNoInteractions(one);
+ }
+
+ @Test
+ void securityContextChangedWhenNoChangeThenNoEventAddedToObservation() {
+ Observation observation = mock(Observation.class);
+ given(this.observationRegistry.getCurrentObservation()).willReturn(observation);
+ this.tested.securityContextChanged(new SecurityContextChangedEvent(this.one, this.one));
+ verifyNoInteractions(observation);
+ }
+
+ @Test
+ void securityContextChangedWhenChangedEventThenAddsChangeEventToObservation() {
+ Observation observation = mock(Observation.class);
+ given(this.observationRegistry.getCurrentObservation()).willReturn(observation);
+ this.tested.securityContextChanged(new SecurityContextChangedEvent(this.one, this.two));
+ ArgumentCaptor<Observation.Event> event = ArgumentCaptor.forClass(Observation.Event.class);
+ verify(observation).event(event.capture());
+ assertThat(event.getValue().getName()).isEqualTo("security.context.changed");
+ }
+
+ @Test
+ void securityContextChangedWhenCreatedEventThenAddsCreatedEventToObservation() {
+ Observation observation = mock(Observation.class);
+ given(this.observationRegistry.getCurrentObservation()).willReturn(observation);
+ this.tested.securityContextChanged(new SecurityContextChangedEvent(null, this.one));
+ ArgumentCaptor<Observation.Event> event = ArgumentCaptor.forClass(Observation.Event.class);
+ verify(observation).event(event.capture());
+ assertThat(event.getValue().getName()).isEqualTo("security.context.created");
+ }
+
+}
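Review bot: `securityContextChangedWhenNoObservationThenNoEvents` asserts nothing, so it passes as long as the call does not throw; wrapping the call as `assertThatNoException().isThrownBy(() -> this.tested.securityContextChanged(...))` would make that intent explicit. The created and changed tests check only `getName()`, so the `"%s [%s]"` contextual-name formatting in the listener is unverified; an assertion that `event.getValue().getContextualName()` contains `TestingAuthenticationToken` would cover it. The branch where the old context holds an `Authentication` and the new one holds none, which the listener reports as cleared without `isCleared()` being true, has no test here.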