Consider adding PermissionAuthorizationManager

Closes spring-projectsgh-11361
evgeniycheban · Jun 16, 2022 · 117ebd7 · 117ebd7
1 parent 79c2b87
commit 117ebd7
Show file tree

Hide file tree

Showing 2 changed files with 172 additions and 0 deletions.
diff --git a/.../main/java/org/springframework/security/authorization/PermissionAuthorizationManager.java b/.../main/java/org/springframework/security/authorization/PermissionAuthorizationManager.java
@@ -0,0 +1,71 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization;
+
+import java.util.function.Supplier;
+
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.access.expression.DenyAllPermissionEvaluator;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AuthorizationManager} that can determine access to the {@link T} object by
+ * evaluating if user has required permission using provided {@link PermissionEvaluator}.
+ *
+ * @param <T> the type of object being authorized
+ * @author Evgeniy Cheban
+ * @since 5.8
+ */
+public final class PermissionAuthorizationManager<T> implements AuthorizationManager<T> {
+
+	private PermissionEvaluator permissionEvaluator = new DenyAllPermissionEvaluator();
+
+	private final Object permission;
+
+	/**
+	 * Creates an instance.
+	 * @param permission the permission to use
+	 */
+	public PermissionAuthorizationManager(Object permission) {
+		Assert.notNull(permission, "permission cannot be empty");
+		this.permission = permission;
+	}
+
+	/**
+	 * Sets the {@link PermissionEvaluator} to be used. Default is
+	 * {@link DenyAllPermissionEvaluator}. Cannot be null.
+	 */
+	public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) {
+		Assert.notNull(permissionEvaluator, "permissionEvaluator cannot be null");
+		this.permissionEvaluator = permissionEvaluator;
+	}
+
+	/**
+	 * Determines access to the {@link T} object by evaluating if user has required
+	 * permission using provided {@link PermissionEvaluator}.
+	 * @param authentication the {@link Supplier} of the {@link Authentication} to check
+	 * @param object the {@link T} object to check
+	 * @return an {@link AuthorizationDecision}
+	 */
+	@Override
+	public AuthorizationDecision check(Supplier<Authentication> authentication, T object) {
+		boolean granted = this.permissionEvaluator.hasPermission(authentication.get(), object, this.permission);
+		return new AuthorizationDecision(granted);
+	}
+
+}
diff --git a/.../java/org/springframework/security/authorization/PermissionAuthorizationManagerTests.java b/.../java/org/springframework/security/authorization/PermissionAuthorizationManagerTests.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization;
+
+import java.io.Serializable;
+import java.util.function.Supplier;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.access.expression.DenyAllPermissionEvaluator;
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
+
+/**
+ * Tests for {@link PermissionAuthorizationManager}.
+ *
+ * @author Evgeniy Cheban
+ */
+class PermissionAuthorizationManagerTests {
+
+	@Test
+	void instantiateWhenPermissionNullThenException() {
+		assertThatIllegalArgumentException().isThrownBy(() -> new PermissionAuthorizationManager<>(null))
+				.withMessage("permission cannot be empty");
+	}
+
+	@Test
+	void setPermissionEvaluatorWhenNullThenException() {
+		PermissionAuthorizationManager<Object> manager = new PermissionAuthorizationManager<>("read");
+		assertThatIllegalArgumentException().isThrownBy(() -> manager.setPermissionEvaluator(null))
+				.withMessage("permissionEvaluator cannot be null");
+	}
+
+	@Test
+	void setPermissionEvaluatorWhenNotNullThenVerifyPermissionEvaluator() {
+		PermissionAuthorizationManager<Object> manager = new PermissionAuthorizationManager<>("read");
+		PermissionEvaluator permissionEvaluator = new DenyAllPermissionEvaluator();
+		manager.setPermissionEvaluator(permissionEvaluator);
+		assertThat(manager).extracting("permissionEvaluator").isEqualTo(permissionEvaluator);
+	}
+
+	@Test
+	void whenPermissionEvaluatorNotSetThenDefaultsToDenyAllPermissionEvaluator() {
+		PermissionAuthorizationManager<Object> manager = new PermissionAuthorizationManager<>("read");
+		assertThat(manager).extracting("permissionEvaluator").isInstanceOf(DenyAllPermissionEvaluator.class);
+	}
+
+	@Test
+	void checkWhenUserHasPermissionThenGrantedDecision() {
+		PermissionAuthorizationManager<Object> manager = new PermissionAuthorizationManager<>("read");
+		manager.setPermissionEvaluator(new TestPermissionEvaluator());
+		Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("read", "password");
+		Object object = new Object();
+		AuthorizationDecision decision = manager.check(authentication, object);
+		assertThat(decision.isGranted()).isTrue();
+	}
+
+	@Test
+	void checkWhenUserHasNotPermissionThenDeniedDecision() {
+		PermissionAuthorizationManager<Object> manager = new PermissionAuthorizationManager<>("read");
+		manager.setPermissionEvaluator(new TestPermissionEvaluator());
+		Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password");
+		Object object = new Object();
+		AuthorizationDecision decision = manager.check(authentication, object);
+		assertThat(decision.isGranted()).isFalse();
+	}
+
+	private static final class TestPermissionEvaluator implements PermissionEvaluator {
+
+		@Override
+		public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
+			return authentication.getName().equals(permission);
+		}
+
+		@Override
+		public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType,
+				Object permission) {
+			return authentication.getName().equals(permission);
+		}
+
+	}
+
+}