Add RoleHierarchy to AuthorityAuthorizationManager

Added roleHierarchy field to AuthorityAuthorizationManager
that defaults to NullRoleHierarchy along with setter method to override.

Closes gh-11304
This commit is contained in:
Evgeniy Cheban 2022-06-01 01:28:28 +03:00 committed by Josh Cummings
parent 24701b547f
commit d557d2d0eb
2 changed files with 58 additions and 2 deletions

View File

@ -16,10 +16,13 @@
package org.springframework.security.authorization; package org.springframework.security.authorization;
import java.util.Collection;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.function.Supplier; import java.util.function.Supplier;
import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.AuthorityUtils;
@ -39,10 +42,23 @@ public final class AuthorityAuthorizationManager<T> implements AuthorizationMana
private final List<GrantedAuthority> authorities; private final List<GrantedAuthority> authorities;
private RoleHierarchy roleHierarchy = new NullRoleHierarchy();
private AuthorityAuthorizationManager(String... authorities) { private AuthorityAuthorizationManager(String... authorities) {
this.authorities = AuthorityUtils.createAuthorityList(authorities); this.authorities = AuthorityUtils.createAuthorityList(authorities);
} }
/**
* Sets the {@link RoleHierarchy} to be used. Default is {@link NullRoleHierarchy}.
* Cannot be null.
* @param roleHierarchy the {@link RoleHierarchy} to use
* @since 5.8
*/
public void setRoleHierarchy(RoleHierarchy roleHierarchy) {
Assert.notNull(roleHierarchy, "roleHierarchy cannot be null");
this.roleHierarchy = roleHierarchy;
}
/** /**
* Creates an instance of {@link AuthorityAuthorizationManager} with the provided * Creates an instance of {@link AuthorityAuthorizationManager} with the provided
* authority. * authority.
@ -133,7 +149,7 @@ public final class AuthorityAuthorizationManager<T> implements AuthorizationMana
private boolean isAuthorized(Authentication authentication) { private boolean isAuthorized(Authentication authentication) {
Set<String> authorities = AuthorityUtils.authorityListToSet(this.authorities); Set<String> authorities = AuthorityUtils.authorityListToSet(this.authorities);
for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) { for (GrantedAuthority grantedAuthority : getGrantedAuthorities(authentication)) {
if (authorities.contains(grantedAuthority.getAuthority())) { if (authorities.contains(grantedAuthority.getAuthority())) {
return true; return true;
} }
@ -141,6 +157,10 @@ public final class AuthorityAuthorizationManager<T> implements AuthorizationMana
return false; return false;
} }
private Collection<? extends GrantedAuthority> getGrantedAuthorities(Authentication authentication) {
return this.roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
}
@Override @Override
public String toString() { public String toString() {
return "AuthorityAuthorizationManager[authorities=" + this.authorities + "]"; return "AuthorityAuthorizationManager[authorities=" + this.authorities + "]";

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -21,6 +21,9 @@ import java.util.function.Supplier;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import org.springframework.security.access.hierarchicalroles.NullRoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
@ -211,4 +214,37 @@ public class AuthorityAuthorizationManagerTests {
assertThat(manager.check(authentication, object).isGranted()).isFalse(); assertThat(manager.check(authentication, object).isGranted()).isFalse();
} }
@Test
public void setRoleHierarchyWhenNullThenIllegalArgumentException() {
AuthorityAuthorizationManager<Object> manager = AuthorityAuthorizationManager.hasRole("USER");
assertThatIllegalArgumentException().isThrownBy(() -> manager.setRoleHierarchy(null))
.withMessage("roleHierarchy cannot be null");
}
@Test
public void setRoleHierarchyWhenNotNullThenVerifyRoleHierarchy() {
AuthorityAuthorizationManager<Object> manager = AuthorityAuthorizationManager.hasRole("USER");
RoleHierarchy roleHierarchy = new RoleHierarchyImpl();
manager.setRoleHierarchy(roleHierarchy);
assertThat(manager).extracting("roleHierarchy").isEqualTo(roleHierarchy);
}
@Test
public void getRoleHierarchyWhenNotSetThenDefaultsToNullRoleHierarchy() {
AuthorityAuthorizationManager<Object> manager = AuthorityAuthorizationManager.hasRole("USER");
assertThat(manager).extracting("roleHierarchy").isInstanceOf(NullRoleHierarchy.class);
}
@Test
public void hasRoleWhenRoleHierarchySetThenGreaterRoleTakesPrecedence() {
AuthorityAuthorizationManager<Object> manager = AuthorityAuthorizationManager.hasRole("USER");
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
roleHierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
manager.setRoleHierarchy(roleHierarchy);
Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
"ROLE_ADMIN");
Object object = new Object();
assertThat(manager.check(authentication, object).isGranted()).isTrue();
}
} }