|
@@ -16,8 +16,6 @@
|
|
|
|
|
|
package org.springframework.security.web.access;
|
|
package org.springframework.security.web.access;
|
|
|
|
|
|
-import java.util.Arrays;
|
|
|
|
-import java.util.Collections;
|
|
|
|
import java.util.List;
|
|
import java.util.List;
|
|
|
|
|
|
import jakarta.servlet.http.HttpServletRequest;
|
|
import jakarta.servlet.http.HttpServletRequest;
|
|
@@ -70,50 +68,41 @@ class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests {
|
|
|
|
|
|
@Test
|
|
@Test
|
|
void isAllowedWhenDelegatesEmptyThenAllowed() {
|
|
void isAllowedWhenDelegatesEmptyThenAllowed() {
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Collections.emptyList());
|
|
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
}
|
|
}
|
|
|
|
|
|
@Test
|
|
@Test
|
|
void isAllowedWhenNotMatchThenAllowed() {
|
|
void isAllowedWhenNotMatchThenAllowed() {
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> notMatch = new RequestMatcherEntry<>(this.alwaysDeny,
|
|
|
|
- Collections.singletonList(TestWebInvocationPrivilegeEvaluator.alwaysAllow()));
|
|
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Collections.singletonList(notMatch));
|
|
|
|
|
|
+ RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> notMatch = entry(this.alwaysDeny,
|
|
|
|
+ TestWebInvocationPrivilegeEvaluator.alwaysAllow());
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator(notMatch);
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
verify(notMatch.getRequestMatcher()).matches(any());
|
|
verify(notMatch.getRequestMatcher()).matches(any());
|
|
}
|
|
}
|
|
|
|
|
|
@Test
|
|
@Test
|
|
void isAllowedWhenPrivilegeEvaluatorAllowThenAllowedTrue() {
|
|
void isAllowedWhenPrivilegeEvaluatorAllowThenAllowedTrue() {
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = new RequestMatcherEntry<>(
|
|
|
|
- this.alwaysMatch, Collections.singletonList(TestWebInvocationPrivilegeEvaluator.alwaysAllow()));
|
|
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Collections.singletonList(delegate));
|
|
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator(allow(this.alwaysMatch));
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
}
|
|
}
|
|
|
|
|
|
@Test
|
|
@Test
|
|
void isAllowedWhenPrivilegeEvaluatorDenyThenAllowedFalse() {
|
|
void isAllowedWhenPrivilegeEvaluatorDenyThenAllowedFalse() {
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = new RequestMatcherEntry<>(
|
|
|
|
- this.alwaysMatch, Collections.singletonList(TestWebInvocationPrivilegeEvaluator.alwaysDeny()));
|
|
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Collections.singletonList(delegate));
|
|
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator(deny(this.alwaysMatch));
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isFalse();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isFalse();
|
|
}
|
|
}
|
|
|
|
|
|
@Test
|
|
@Test
|
|
void isAllowedWhenNotMatchThenMatchThenOnlySecondDelegateInvoked() {
|
|
void isAllowedWhenNotMatchThenMatchThenOnlySecondDelegateInvoked() {
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> notMatchDelegate = new RequestMatcherEntry<>(
|
|
|
|
- this.alwaysDeny, Collections.singletonList(TestWebInvocationPrivilegeEvaluator.alwaysAllow()));
|
|
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> matchDelegate = new RequestMatcherEntry<>(
|
|
|
|
- this.alwaysMatch, Collections.singletonList(TestWebInvocationPrivilegeEvaluator.alwaysAllow()));
|
|
|
|
|
|
+ RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> notMatchDelegate = entry(this.alwaysDeny,
|
|
|
|
+ TestWebInvocationPrivilegeEvaluator.alwaysAllow());
|
|
|
|
+ RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> matchDelegate = entry(this.alwaysMatch,
|
|
|
|
+ TestWebInvocationPrivilegeEvaluator.alwaysAllow());
|
|
RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> spyNotMatchDelegate = spy(notMatchDelegate);
|
|
RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> spyNotMatchDelegate = spy(notMatchDelegate);
|
|
RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> spyMatchDelegate = spy(matchDelegate);
|
|
RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> spyMatchDelegate = spy(matchDelegate);
|
|
|
|
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Arrays.asList(notMatchDelegate, spyMatchDelegate));
|
|
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator(notMatchDelegate, spyMatchDelegate);
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
verify(spyNotMatchDelegate.getRequestMatcher()).matches(any());
|
|
verify(spyNotMatchDelegate.getRequestMatcher()).matches(any());
|
|
verify(spyNotMatchDelegate, never()).getEntry();
|
|
verify(spyNotMatchDelegate, never()).getEntry();
|
|
@@ -124,10 +113,8 @@ class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests {
|
|
|
|
|
|
@Test
|
|
@Test
|
|
void isAllowedWhenDelegatePrivilegeEvaluatorsEmptyThenAllowedTrue() {
|
|
void isAllowedWhenDelegatePrivilegeEvaluatorsEmptyThenAllowedTrue() {
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = new RequestMatcherEntry<>(
|
|
|
|
- this.alwaysMatch, Collections.emptyList());
|
|
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Collections.singletonList(delegate));
|
|
|
|
|
|
+ RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = entry(this.alwaysMatch);
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator(delegate);
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isTrue();
|
|
}
|
|
}
|
|
|
|
|
|
@@ -137,11 +124,10 @@ class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests {
|
|
WebInvocationPrivilegeEvaluator allow = TestWebInvocationPrivilegeEvaluator.alwaysAllow();
|
|
WebInvocationPrivilegeEvaluator allow = TestWebInvocationPrivilegeEvaluator.alwaysAllow();
|
|
WebInvocationPrivilegeEvaluator spyDeny = spy(deny);
|
|
WebInvocationPrivilegeEvaluator spyDeny = spy(deny);
|
|
WebInvocationPrivilegeEvaluator spyAllow = spy(allow);
|
|
WebInvocationPrivilegeEvaluator spyAllow = spy(allow);
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = new RequestMatcherEntry<>(
|
|
|
|
- this.alwaysMatch, Arrays.asList(spyDeny, spyAllow));
|
|
|
|
|
|
+ RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = entry(this.alwaysMatch, spyDeny,
|
|
|
|
+ spyAllow);
|
|
|
|
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Collections.singletonList(delegate));
|
|
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator(delegate);
|
|
|
|
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isFalse();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isFalse();
|
|
verify(spyDeny).isAllowed(any(), any());
|
|
verify(spyDeny).isAllowed(any(), any());
|
|
@@ -152,11 +138,9 @@ class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests {
|
|
void isAllowedWhenDifferentArgumentsThenCallSpecificIsAllowedInDelegate() {
|
|
void isAllowedWhenDifferentArgumentsThenCallSpecificIsAllowedInDelegate() {
|
|
WebInvocationPrivilegeEvaluator deny = TestWebInvocationPrivilegeEvaluator.alwaysDeny();
|
|
WebInvocationPrivilegeEvaluator deny = TestWebInvocationPrivilegeEvaluator.alwaysDeny();
|
|
WebInvocationPrivilegeEvaluator spyDeny = spy(deny);
|
|
WebInvocationPrivilegeEvaluator spyDeny = spy(deny);
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = new RequestMatcherEntry<>(
|
|
|
|
- this.alwaysMatch, Collections.singletonList(spyDeny));
|
|
|
|
|
|
+ RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = entry(this.alwaysMatch, spyDeny);
|
|
|
|
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Collections.singletonList(delegate));
|
|
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator(delegate);
|
|
|
|
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isFalse();
|
|
assertThat(delegating.isAllowed(this.uri, this.authentication)).isFalse();
|
|
assertThat(delegating.isAllowed("/cp", this.uri, "GET", this.authentication)).isFalse();
|
|
assertThat(delegating.isAllowed("/cp", this.uri, "GET", this.authentication)).isFalse();
|
|
@@ -172,10 +156,8 @@ class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests {
|
|
ArgumentCaptor<HttpServletRequest> argumentCaptor = ArgumentCaptor.forClass(HttpServletRequest.class);
|
|
ArgumentCaptor<HttpServletRequest> argumentCaptor = ArgumentCaptor.forClass(HttpServletRequest.class);
|
|
RequestMatcher requestMatcher = mock(RequestMatcher.class);
|
|
RequestMatcher requestMatcher = mock(RequestMatcher.class);
|
|
WebInvocationPrivilegeEvaluator wipe = mock(WebInvocationPrivilegeEvaluator.class);
|
|
WebInvocationPrivilegeEvaluator wipe = mock(WebInvocationPrivilegeEvaluator.class);
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = new RequestMatcherEntry<>(requestMatcher,
|
|
|
|
- Collections.singletonList(wipe));
|
|
|
|
- RequestMatcherDelegatingWebInvocationPrivilegeEvaluator requestMatcherWipe = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- Collections.singletonList(delegate));
|
|
|
|
|
|
+ RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> delegate = entry(requestMatcher, wipe);
|
|
|
|
+ RequestMatcherDelegatingWebInvocationPrivilegeEvaluator requestMatcherWipe = evaluator(delegate);
|
|
requestMatcherWipe.setServletContext(servletContext);
|
|
requestMatcherWipe.setServletContext(servletContext);
|
|
requestMatcherWipe.isAllowed("/foo/index.jsp", token);
|
|
requestMatcherWipe.isAllowed("/foo/index.jsp", token);
|
|
verify(requestMatcher).matches(argumentCaptor.capture());
|
|
verify(requestMatcher).matches(argumentCaptor.capture());
|
|
@@ -186,19 +168,13 @@ class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests {
|
|
void constructorWhenPrivilegeEvaluatorsNullThenException() {
|
|
void constructorWhenPrivilegeEvaluatorsNullThenException() {
|
|
RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> entry = new RequestMatcherEntry<>(this.alwaysMatch,
|
|
RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> entry = new RequestMatcherEntry<>(this.alwaysMatch,
|
|
null);
|
|
null);
|
|
- assertThatIllegalArgumentException()
|
|
|
|
- .isThrownBy(
|
|
|
|
- () -> new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(Collections.singletonList(entry)))
|
|
|
|
|
|
+ assertThatIllegalArgumentException().isThrownBy(() -> evaluator(entry))
|
|
.withMessageContaining("webInvocationPrivilegeEvaluators cannot be null");
|
|
.withMessageContaining("webInvocationPrivilegeEvaluators cannot be null");
|
|
}
|
|
}
|
|
|
|
|
|
@Test
|
|
@Test
|
|
void constructorWhenRequestMatcherNullThenException() {
|
|
void constructorWhenRequestMatcherNullThenException() {
|
|
- RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> entry = new RequestMatcherEntry<>(null,
|
|
|
|
- Collections.singletonList(mock(WebInvocationPrivilegeEvaluator.class)));
|
|
|
|
- assertThatIllegalArgumentException()
|
|
|
|
- .isThrownBy(
|
|
|
|
- () -> new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(Collections.singletonList(entry)))
|
|
|
|
|
|
+ assertThatIllegalArgumentException().isThrownBy(() -> evaluator(deny(null)))
|
|
.withMessageContaining("requestMatcher cannot be null");
|
|
.withMessageContaining("requestMatcher cannot be null");
|
|
}
|
|
}
|
|
|
|
|
|
@@ -207,8 +183,7 @@ class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests {
|
|
void isAllowedWhenInvokesDelegateThenCachesRequestPath() {
|
|
void isAllowedWhenInvokesDelegateThenCachesRequestPath() {
|
|
PathPatternRequestMatcher path = PathPatternRequestMatcher.withDefaults().matcher("/path/**");
|
|
PathPatternRequestMatcher path = PathPatternRequestMatcher.withDefaults().matcher("/path/**");
|
|
PathPatternRequestMatcher any = PathPatternRequestMatcher.withDefaults().matcher("/**");
|
|
PathPatternRequestMatcher any = PathPatternRequestMatcher.withDefaults().matcher("/**");
|
|
- WebInvocationPrivilegeEvaluator delegating = new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(
|
|
|
|
- List.of(deny(path), deny(any)));
|
|
|
|
|
|
+ WebInvocationPrivilegeEvaluator delegating = evaluator(deny(path), deny(any));
|
|
try (MockedStatic<ServletRequestPathUtils> utils = Mockito.mockStatic(ServletRequestPathUtils.class,
|
|
try (MockedStatic<ServletRequestPathUtils> utils = Mockito.mockStatic(ServletRequestPathUtils.class,
|
|
Mockito.CALLS_REAL_METHODS)) {
|
|
Mockito.CALLS_REAL_METHODS)) {
|
|
delegating.isAllowed("/uri", null);
|
|
delegating.isAllowed("/uri", null);
|
|
@@ -216,9 +191,22 @@ class RequestMatcherDelegatingWebInvocationPrivilegeEvaluatorTests {
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
|
|
+ @SuppressWarnings({ "rawtypes", "unchecked" })
|
|
|
|
+ private RequestMatcherDelegatingWebInvocationPrivilegeEvaluator evaluator(RequestMatcherEntry... entries) {
|
|
|
|
+ return new RequestMatcherDelegatingWebInvocationPrivilegeEvaluator(List.of(entries));
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ private RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> allow(RequestMatcher requestMatcher) {
|
|
|
|
+ return entry(requestMatcher, TestWebInvocationPrivilegeEvaluator.alwaysAllow());
|
|
|
|
+ }
|
|
|
|
+
|
|
private RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> deny(RequestMatcher requestMatcher) {
|
|
private RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> deny(RequestMatcher requestMatcher) {
|
|
- return new RequestMatcherEntry<>(requestMatcher,
|
|
|
|
- Collections.singletonList(TestWebInvocationPrivilegeEvaluator.alwaysDeny()));
|
|
|
|
|
|
+ return entry(requestMatcher, TestWebInvocationPrivilegeEvaluator.alwaysDeny());
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
+ private RequestMatcherEntry<List<WebInvocationPrivilegeEvaluator>> entry(RequestMatcher requestMatcher,
|
|
|
|
+ WebInvocationPrivilegeEvaluator... evaluators) {
|
|
|
|
+ return new RequestMatcherEntry<>(requestMatcher, List.of(evaluators));
|
|
}
|
|
}
|
|
|
|
|
|
}
|
|
}
|
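Review bot: In `isAllowedWhenNotMatchThenMatchThenOnlySecondDelegateInvoked` the evaluator is still built from `notMatchDelegate` rather than `spyNotMatchDelegate`, so `verify(spyNotMatchDelegate, never()).getEntry()` passes vacuously. Mockito records calls on the spy instance only, and that spy is never handed to the evaluator. As written, the test would not catch a regression in which the privilege evaluators of a non-matching entry are consulted, which is the authorization behaviour its name promises to pin. Since this line is being rewritten anyway, pass the spy: `WebInvocationPrivilegeEvaluator delegating = evaluator(spyNotMatchDelegate, spyMatchDelegate);`. The rest of the method lies outside the hunk, so any further verifications there are not visible here.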