AuthenticationAuditListenerTests.java

/*
 * Copyright 2012-2017 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package org.springframework.boot.actuate.security;

import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentCaptor;

import org.springframework.boot.actuate.audit.listener.AuditApplicationEvent;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureExpiredEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.authentication.switchuser.AuthenticationSwitchUserEvent;

import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;

/**
 * Tests for {@link AuthenticationAuditListener}.
 */
public class AuthenticationAuditListenerTests {

	private final AuthenticationAuditListener listener = new AuthenticationAuditListener();

	private final ApplicationEventPublisher publisher = mock(
			ApplicationEventPublisher.class);

	@Before
	public void init() {
		this.listener.setApplicationEventPublisher(this.publisher);
	}

	@Test
	public void testAuthenticationSuccess() {
		AuditApplicationEvent event = handleAuthenticationEvent(
				new AuthenticationSuccessEvent(
						new UsernamePasswordAuthenticationToken("user", "password")));
		assertThat(event.getAuditEvent().getType())
				.isEqualTo(AuthenticationAuditListener.AUTHENTICATION_SUCCESS);
	}

	@Test
	public void testOtherAuthenticationSuccess() {
		this.listener.onApplicationEvent(new InteractiveAuthenticationSuccessEvent(
				new UsernamePasswordAuthenticationToken("user", "password"), getClass()));
		// No need to audit this one (it shadows a regular AuthenticationSuccessEvent)
		verify(this.publisher, never()).publishEvent((ApplicationEvent) any());
	}

	@Test
	public void testAuthenticationFailed() {
		AuditApplicationEvent event = handleAuthenticationEvent(
				new AuthenticationFailureExpiredEvent(
						new UsernamePasswordAuthenticationToken("user", "password"),
						new BadCredentialsException("Bad user")));
		assertThat(event.getAuditEvent().getType())
				.isEqualTo(AuthenticationAuditListener.AUTHENTICATION_FAILURE);
	}

	@Test
	public void testAuthenticationSwitch() {
		AuditApplicationEvent event = handleAuthenticationEvent(
				new AuthenticationSwitchUserEvent(
						new UsernamePasswordAuthenticationToken("user", "password"),
						new User("user", "password", AuthorityUtils
								.commaSeparatedStringToAuthorityList("USER"))));
		assertThat(event.getAuditEvent().getType())
				.isEqualTo(AuthenticationAuditListener.AUTHENTICATION_SWITCH);
	}

	@Test
	public void testDetailsAreIncludedInAuditEvent() throws Exception {
		Object details = new Object();
		UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
				"user", "password");
		authentication.setDetails(details);
		AuditApplicationEvent event = handleAuthenticationEvent(
				new AuthenticationFailureExpiredEvent(authentication,
						new BadCredentialsException("Bad user")));
		assertThat(event.getAuditEvent().getType())
				.isEqualTo(AuthenticationAuditListener.AUTHENTICATION_FAILURE);
		assertThat(event.getAuditEvent().getData()).containsEntry("details", details);
	}

	private AuditApplicationEvent handleAuthenticationEvent(
			AbstractAuthenticationEvent event) {
		ArgumentCaptor<AuditApplicationEvent> eventCaptor = ArgumentCaptor
				.forClass(AuditApplicationEvent.class);
		this.listener.onApplicationEvent(event);
		verify(this.publisher).publishEvent(eventCaptor.capture());
		return eventCaptor.getValue();
	}

}