WebTestUtilsTests.java

/*
 * Copyright 2002-2014 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.security.test.web.support;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;

import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;

import static org.assertj.core.api.Assertions.assertThat;
import static org.springframework.security.test.web.support.WebTestUtils.getCsrfTokenRepository;
import static org.springframework.security.test.web.support.WebTestUtils.getSecurityContextRepository;

@RunWith(MockitoJUnitRunner.class)
public class WebTestUtilsTests {
	@Mock
	private SecurityContextRepository contextRepo;
	@Mock
	private CsrfTokenRepository csrfRepo;

	private MockHttpServletRequest request;
	private ConfigurableApplicationContext context;

	@Before
	public void setup() {
		this.request = new MockHttpServletRequest();
	}

	@After
	public void cleanup() {
		if (this.context != null) {
			this.context.close();
		}
	}

	@Test
	public void getCsrfTokenRepositorytNoWac() {
		assertThat(getCsrfTokenRepository(this.request))
				.isInstanceOf(HttpSessionCsrfTokenRepository.class);
	}

	@Test
	public void getCsrfTokenRepositorytNoSecurity() {
		loadConfig(Config.class);
		assertThat(getCsrfTokenRepository(this.request))
				.isInstanceOf(HttpSessionCsrfTokenRepository.class);
	}

	@Test
	public void getCsrfTokenRepositorytSecurityNoCsrf() {
		loadConfig(SecurityNoCsrfConfig.class);
		assertThat(getCsrfTokenRepository(this.request))
				.isInstanceOf(HttpSessionCsrfTokenRepository.class);
	}

	@Test
	public void getCsrfTokenRepositorytSecurityCustomRepo() {
		CustomSecurityConfig.CONTEXT_REPO = this.contextRepo;
		CustomSecurityConfig.CSRF_REPO = this.csrfRepo;
		loadConfig(CustomSecurityConfig.class);
		assertThat(getCsrfTokenRepository(this.request)).isSameAs(this.csrfRepo);
	}

	// getSecurityContextRepository

	@Test
	public void getSecurityContextRepositoryNoWac() {
		assertThat(getSecurityContextRepository(this.request))
				.isInstanceOf(HttpSessionSecurityContextRepository.class);
	}

	@Test
	public void getSecurityContextRepositoryNoSecurity() {
		loadConfig(Config.class);
		assertThat(getSecurityContextRepository(this.request))
				.isInstanceOf(HttpSessionSecurityContextRepository.class);
	}

	@Test
	public void getSecurityContextRepositorySecurityNoCsrf() {
		loadConfig(SecurityNoCsrfConfig.class);
		assertThat(getSecurityContextRepository(this.request))
				.isInstanceOf(HttpSessionSecurityContextRepository.class);
	}

	@Test
	public void getSecurityContextRepositorySecurityCustomRepo() {
		CustomSecurityConfig.CONTEXT_REPO = this.contextRepo;
		CustomSecurityConfig.CSRF_REPO = this.csrfRepo;
		loadConfig(CustomSecurityConfig.class);
		assertThat(getSecurityContextRepository(this.request)).isSameAs(this.contextRepo);
	}

	// gh-3343
	@Test
	public void findFilterNoMatchingFilters() {
		loadConfig(PartialSecurityConfig.class);

		assertThat(WebTestUtils.findFilter(this.request,
				SecurityContextPersistenceFilter.class)).isNull();
	}

	@Test
	public void findFilterNoSpringSecurityFilterChainInContext() {
		loadConfig(NoSecurityConfig.class);

		CsrfFilter toFind = new CsrfFilter(new HttpSessionCsrfTokenRepository());
		FilterChainProxy springSecurityFilterChain = new FilterChainProxy(
				new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE, toFind));
		this.request.getServletContext().setAttribute(
				BeanIds.SPRING_SECURITY_FILTER_CHAIN, springSecurityFilterChain);

		assertThat(WebTestUtils.findFilter(this.request, toFind.getClass()))
				.isEqualTo(toFind);
	}

	@Test
	public void findFilterExplicitWithSecurityFilterInContext() {
		loadConfig(SecurityConfigWithDefaults.class);

		CsrfFilter toFind = new CsrfFilter(new HttpSessionCsrfTokenRepository());
		FilterChainProxy springSecurityFilterChain = new FilterChainProxy(
				new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE, toFind));
		this.request.getServletContext().setAttribute(
				BeanIds.SPRING_SECURITY_FILTER_CHAIN, springSecurityFilterChain);

		assertThat(WebTestUtils.findFilter(this.request, toFind.getClass()))
				.isSameAs(toFind);
	}

	private void loadConfig(Class<?> config) {
		AnnotationConfigWebApplicationContext context = new AnnotationConfigWebApplicationContext();
		context.register(config);
		context.refresh();
		this.context = context;
		this.request.getServletContext().setAttribute(
				WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE, context);
	}

	@Configuration
	static class Config {
	}

	@EnableWebSecurity
	static class SecurityNoCsrfConfig extends WebSecurityConfigurerAdapter {

		@Override
		protected void configure(HttpSecurity http) throws Exception {
			http.csrf().disable();
		}
	}

	@EnableWebSecurity
	static class CustomSecurityConfig extends WebSecurityConfigurerAdapter {
		static CsrfTokenRepository CSRF_REPO;
		static SecurityContextRepository CONTEXT_REPO;

		// @formatter:off
		@Override
		protected void configure(HttpSecurity http) throws Exception {
			http
				.csrf()
					.csrfTokenRepository(CSRF_REPO)
					.and()
				.securityContext()
					.securityContextRepository(CONTEXT_REPO);
		}
		// @formatter:on
	}

	@EnableWebSecurity
	static class PartialSecurityConfig extends WebSecurityConfigurerAdapter {

		// @formatter:off
		@Override
		public void configure(HttpSecurity http) throws Exception {
			http
				.antMatcher("/willnotmatchthis");
		}
		// @formatter:on
	}

	@Configuration
	static class NoSecurityConfig {
	}

	@EnableWebSecurity
	static class SecurityConfigWithDefaults extends WebSecurityConfigurerAdapter {

	}
}