From 117ebd78768388d7a131ac27eeb90c96e75833d1 Mon Sep 17 00:00:00 2001 From: Evgeniy Cheban Date: Thu, 16 Jun 2022 04:53:56 +0300 Subject: [PATCH] Consider adding PermissionAuthorizationManager Closes gh-11361 --- .../PermissionAuthorizationManager.java | 71 ++++++++++++ .../PermissionAuthorizationManagerTests.java | 101 ++++++++++++++++++ 2 files changed, 172 insertions(+) create mode 100644 core/src/main/java/org/springframework/security/authorization/PermissionAuthorizationManager.java create mode 100644 core/src/test/java/org/springframework/security/authorization/PermissionAuthorizationManagerTests.java diff --git a/core/src/main/java/org/springframework/security/authorization/PermissionAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/PermissionAuthorizationManager.java new file mode 100644 index 00000000000..0a041ee710f --- /dev/null +++ b/core/src/main/java/org/springframework/security/authorization/PermissionAuthorizationManager.java @@ -0,0 +1,71 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.authorization; + +import java.util.function.Supplier; + +import org.springframework.security.access.PermissionEvaluator; +import org.springframework.security.access.expression.DenyAllPermissionEvaluator; +import org.springframework.security.core.Authentication; +import org.springframework.util.Assert; + +/** + * An {@link AuthorizationManager} that can determine access to the {@link T} object by + * evaluating if user has required permission using provided {@link PermissionEvaluator}. + * + * @param the type of object being authorized + * @author Evgeniy Cheban + * @since 5.8 + */ +public final class PermissionAuthorizationManager implements AuthorizationManager { + + private PermissionEvaluator permissionEvaluator = new DenyAllPermissionEvaluator(); + + private final Object permission; + + /** + * Creates an instance. + * @param permission the permission to use + */ + public PermissionAuthorizationManager(Object permission) { + Assert.notNull(permission, "permission cannot be empty"); + this.permission = permission; + } + + /** + * Sets the {@link PermissionEvaluator} to be used. Default is + * {@link DenyAllPermissionEvaluator}. Cannot be null. + */ + public void setPermissionEvaluator(PermissionEvaluator permissionEvaluator) { + Assert.notNull(permissionEvaluator, "permissionEvaluator cannot be null"); + this.permissionEvaluator = permissionEvaluator; + } + + /** + * Determines access to the {@link T} object by evaluating if user has required + * permission using provided {@link PermissionEvaluator}. + * @param authentication the {@link Supplier} of the {@link Authentication} to check + * @param object the {@link T} object to check + * @return an {@link AuthorizationDecision} + */ + @Override + public AuthorizationDecision check(Supplier authentication, T object) { + boolean granted = this.permissionEvaluator.hasPermission(authentication.get(), object, this.permission); + return new AuthorizationDecision(granted); + } + +} diff --git a/core/src/test/java/org/springframework/security/authorization/PermissionAuthorizationManagerTests.java b/core/src/test/java/org/springframework/security/authorization/PermissionAuthorizationManagerTests.java new file mode 100644 index 00000000000..ab0e2626ee3 --- /dev/null +++ b/core/src/test/java/org/springframework/security/authorization/PermissionAuthorizationManagerTests.java @@ -0,0 +1,101 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.authorization; + +import java.io.Serializable; +import java.util.function.Supplier; + +import org.junit.jupiter.api.Test; + +import org.springframework.security.access.PermissionEvaluator; +import org.springframework.security.access.expression.DenyAllPermissionEvaluator; +import org.springframework.security.authentication.TestingAuthenticationToken; +import org.springframework.security.core.Authentication; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; + +/** + * Tests for {@link PermissionAuthorizationManager}. + * + * @author Evgeniy Cheban + */ +class PermissionAuthorizationManagerTests { + + @Test + void instantiateWhenPermissionNullThenException() { + assertThatIllegalArgumentException().isThrownBy(() -> new PermissionAuthorizationManager<>(null)) + .withMessage("permission cannot be empty"); + } + + @Test + void setPermissionEvaluatorWhenNullThenException() { + PermissionAuthorizationManager manager = new PermissionAuthorizationManager<>("read"); + assertThatIllegalArgumentException().isThrownBy(() -> manager.setPermissionEvaluator(null)) + .withMessage("permissionEvaluator cannot be null"); + } + + @Test + void setPermissionEvaluatorWhenNotNullThenVerifyPermissionEvaluator() { + PermissionAuthorizationManager manager = new PermissionAuthorizationManager<>("read"); + PermissionEvaluator permissionEvaluator = new DenyAllPermissionEvaluator(); + manager.setPermissionEvaluator(permissionEvaluator); + assertThat(manager).extracting("permissionEvaluator").isEqualTo(permissionEvaluator); + } + + @Test + void whenPermissionEvaluatorNotSetThenDefaultsToDenyAllPermissionEvaluator() { + PermissionAuthorizationManager manager = new PermissionAuthorizationManager<>("read"); + assertThat(manager).extracting("permissionEvaluator").isInstanceOf(DenyAllPermissionEvaluator.class); + } + + @Test + void checkWhenUserHasPermissionThenGrantedDecision() { + PermissionAuthorizationManager manager = new PermissionAuthorizationManager<>("read"); + manager.setPermissionEvaluator(new TestPermissionEvaluator()); + Supplier authentication = () -> new TestingAuthenticationToken("read", "password"); + Object object = new Object(); + AuthorizationDecision decision = manager.check(authentication, object); + assertThat(decision.isGranted()).isTrue(); + } + + @Test + void checkWhenUserHasNotPermissionThenDeniedDecision() { + PermissionAuthorizationManager manager = new PermissionAuthorizationManager<>("read"); + manager.setPermissionEvaluator(new TestPermissionEvaluator()); + Supplier authentication = () -> new TestingAuthenticationToken("user", "password"); + Object object = new Object(); + AuthorizationDecision decision = manager.check(authentication, object); + assertThat(decision.isGranted()).isFalse(); + } + + private static final class TestPermissionEvaluator implements PermissionEvaluator { + + @Override + public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { + return authentication.getName().equals(permission); + } + + @Override + public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, + Object permission) { + return authentication.getName().equals(permission); + } + + } + +}