Merge branch '5.8.x'
# Conflicts: # config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt # docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
This commit is contained in:
Steve Riesenberg
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -23,12 +23,8 @@ import java.util.Set;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.HttpMethod;
|
||||
import org.springframework.http.HttpStatus;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.codec.multipart.FormFieldPart;
|
||||
import org.springframework.http.server.reactive.ServerHttpRequest;
|
||||
import org.springframework.security.crypto.codec.Utf8;
|
||||
import org.springframework.security.web.server.authorization.HttpStatusServerAccessDeniedHandler;
|
||||
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
|
||||
@@ -63,6 +59,7 @@ import org.springframework.web.server.WebFilterChain;
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @author Parikshit Dutta
|
||||
* @author Steve Riesenberg
|
||||
* @since 5.0
|
||||
*/
|
||||
public class CsrfWebFilter implements WebFilter {
|
||||
@@ -86,7 +83,7 @@ public class CsrfWebFilter implements WebFilter {
|
||||
private ServerAccessDeniedHandler accessDeniedHandler = new HttpStatusServerAccessDeniedHandler(
|
||||
HttpStatus.FORBIDDEN);
|
||||
|
||||
private boolean isTokenFromMultipartDataEnabled;
|
||||
private ServerCsrfTokenRequestHandler requestHandler = new ServerCsrfTokenRequestAttributeHandler();
|
||||
|
||||
public void setAccessDeniedHandler(ServerAccessDeniedHandler accessDeniedHandler) {
|
||||
Assert.notNull(accessDeniedHandler, "accessDeniedHandler");
|
||||
@@ -103,14 +100,34 @@ public class CsrfWebFilter implements WebFilter {
|
||||
this.requireCsrfProtectionMatcher = requireCsrfProtectionMatcher;
|
||||
}
|
||||
|
||||
/**
|
||||
* Specifies a {@link ServerCsrfTokenRequestHandler} that is used to make the
|
||||
* {@code CsrfToken} available as an exchange attribute.
|
||||
* <p>
|
||||
* The default is {@link ServerCsrfTokenRequestAttributeHandler}.
|
||||
* @param requestHandler the {@link ServerCsrfTokenRequestHandler} to use
|
||||
* @since 5.8
|
||||
*/
|
||||
public void setRequestHandler(ServerCsrfTokenRequestHandler requestHandler) {
|
||||
Assert.notNull(requestHandler, "requestHandler cannot be null");
|
||||
this.requestHandler = requestHandler;
|
||||
}
|
||||
|
||||
/**
|
||||
* Specifies if the {@code CsrfWebFilter} should try to resolve the actual CSRF token
|
||||
* from the body of multipart data requests.
|
||||
* @param tokenFromMultipartDataEnabled true if should read from multipart form body,
|
||||
* else false. Default is false
|
||||
* @deprecated Use
|
||||
* {@link ServerCsrfTokenRequestAttributeHandler#setTokenFromMultipartDataEnabled(boolean)}
|
||||
* instead
|
||||
*/
|
||||
@Deprecated
|
||||
public void setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled) {
|
||||
this.isTokenFromMultipartDataEnabled = tokenFromMultipartDataEnabled;
|
||||
if (this.requestHandler instanceof ServerCsrfTokenRequestAttributeHandler) {
|
||||
((ServerCsrfTokenRequestAttributeHandler) this.requestHandler)
|
||||
.setTokenFromMultipartDataEnabled(tokenFromMultipartDataEnabled);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
@@ -138,30 +155,14 @@ public class CsrfWebFilter implements WebFilter {
|
||||
}
|
||||
|
||||
private Mono<Boolean> containsValidCsrfToken(ServerWebExchange exchange, CsrfToken expected) {
|
||||
return exchange.getFormData().flatMap((data) -> Mono.justOrEmpty(data.getFirst(expected.getParameterName())))
|
||||
.switchIfEmpty(Mono.justOrEmpty(exchange.getRequest().getHeaders().getFirst(expected.getHeaderName())))
|
||||
.switchIfEmpty(tokenFromMultipartData(exchange, expected))
|
||||
return this.requestHandler.resolveCsrfTokenValue(exchange, expected)
|
||||
.map((actual) -> equalsConstantTime(actual, expected.getToken()));
|
||||
}
|
||||
|
||||
private Mono<String> tokenFromMultipartData(ServerWebExchange exchange, CsrfToken expected) {
|
||||
if (!this.isTokenFromMultipartDataEnabled) {
|
||||
return Mono.empty();
|
||||
}
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
HttpHeaders headers = request.getHeaders();
|
||||
MediaType contentType = headers.getContentType();
|
||||
if (!MediaType.MULTIPART_FORM_DATA.isCompatibleWith(contentType)) {
|
||||
return Mono.empty();
|
||||
}
|
||||
return exchange.getMultipartData().map((d) -> d.getFirst(expected.getParameterName())).cast(FormFieldPart.class)
|
||||
.map(FormFieldPart::value);
|
||||
}
|
||||
|
||||
private Mono<Void> continueFilterChain(ServerWebExchange exchange, WebFilterChain chain) {
|
||||
return Mono.defer(() -> {
|
||||
Mono<CsrfToken> csrfToken = csrfToken(exchange);
|
||||
exchange.getAttributes().put(CsrfToken.class.getName(), csrfToken);
|
||||
this.requestHandler.handle(exchange, csrfToken);
|
||||
return chain.filter(exchange);
|
||||
});
|
||||
}
|
||||
|
||||
+77
@@ -0,0 +1,77 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.csrf;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.http.codec.multipart.FormFieldPart;
|
||||
import org.springframework.http.server.reactive.ServerHttpRequest;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* An implementation of the {@link ServerCsrfTokenRequestHandler} interface that is
|
||||
* capable of making the {@link CsrfToken} available as an exchange attribute and
|
||||
* resolving the token value as either a form data value or header of the request.
|
||||
*
|
||||
* @author Steve Riesenberg
|
||||
* @since 5.8
|
||||
*/
|
||||
public class ServerCsrfTokenRequestAttributeHandler implements ServerCsrfTokenRequestHandler {
|
||||
|
||||
private boolean isTokenFromMultipartDataEnabled;
|
||||
|
||||
@Override
|
||||
public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
|
||||
Assert.notNull(exchange, "exchange cannot be null");
|
||||
Assert.notNull(csrfToken, "csrfToken cannot be null");
|
||||
exchange.getAttributes().put(CsrfToken.class.getName(), csrfToken);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
|
||||
return ServerCsrfTokenRequestHandler.super.resolveCsrfTokenValue(exchange, csrfToken)
|
||||
.switchIfEmpty(tokenFromMultipartData(exchange, csrfToken));
|
||||
}
|
||||
|
||||
/**
|
||||
* Specifies if the {@code ServerCsrfTokenRequestResolver} should try to resolve the
|
||||
* actual CSRF token from the body of multipart data requests.
|
||||
* @param tokenFromMultipartDataEnabled true if should read from multipart form body,
|
||||
* else false. Default is false
|
||||
*/
|
||||
public void setTokenFromMultipartDataEnabled(boolean tokenFromMultipartDataEnabled) {
|
||||
this.isTokenFromMultipartDataEnabled = tokenFromMultipartDataEnabled;
|
||||
}
|
||||
|
||||
private Mono<String> tokenFromMultipartData(ServerWebExchange exchange, CsrfToken expected) {
|
||||
if (!this.isTokenFromMultipartDataEnabled) {
|
||||
return Mono.empty();
|
||||
}
|
||||
ServerHttpRequest request = exchange.getRequest();
|
||||
HttpHeaders headers = request.getHeaders();
|
||||
MediaType contentType = headers.getContentType();
|
||||
if (!MediaType.MULTIPART_FORM_DATA.isCompatibleWith(contentType)) {
|
||||
return Mono.empty();
|
||||
}
|
||||
return exchange.getMultipartData().map((d) -> d.getFirst(expected.getParameterName())).cast(FormFieldPart.class)
|
||||
.map(FormFieldPart::value);
|
||||
}
|
||||
|
||||
}
|
||||
+54
@@ -0,0 +1,54 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.csrf;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* A callback interface that is used to make the {@link CsrfToken} created by the
|
||||
* {@link ServerCsrfTokenRepository} available as an exchange attribute. Implementations
|
||||
* of this interface may choose to perform additional tasks or customize how the token is
|
||||
* made available to the application through exchange attributes.
|
||||
*
|
||||
* @author Steve Riesenberg
|
||||
* @since 5.8
|
||||
* @see ServerCsrfTokenRequestAttributeHandler
|
||||
*/
|
||||
@FunctionalInterface
|
||||
public interface ServerCsrfTokenRequestHandler extends ServerCsrfTokenRequestResolver {
|
||||
|
||||
/**
|
||||
* Handles a request using a {@link CsrfToken}.
|
||||
* @param exchange the {@code ServerWebExchange} with the request being handled
|
||||
* @param csrfToken the {@code Mono<CsrfToken>} created by the
|
||||
* {@link ServerCsrfTokenRepository}
|
||||
*/
|
||||
void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken);
|
||||
|
||||
@Override
|
||||
default Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
|
||||
Assert.notNull(exchange, "exchange cannot be null");
|
||||
Assert.notNull(csrfToken, "csrfToken cannot be null");
|
||||
return exchange.getFormData().flatMap((data) -> Mono.justOrEmpty(data.getFirst(csrfToken.getParameterName())))
|
||||
.switchIfEmpty(
|
||||
Mono.justOrEmpty(exchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName())));
|
||||
}
|
||||
|
||||
}
|
||||
+45
@@ -0,0 +1,45 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.csrf;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* Implementations of this interface are capable of resolving the token value of a
|
||||
* {@link CsrfToken} from the provided {@code ServerWebExchange}. Used by the
|
||||
* {@link CsrfWebFilter}.
|
||||
*
|
||||
* @author Steve Riesenberg
|
||||
* @since 5.8
|
||||
* @see ServerCsrfTokenRequestAttributeHandler
|
||||
*/
|
||||
@FunctionalInterface
|
||||
public interface ServerCsrfTokenRequestResolver {
|
||||
|
||||
/**
|
||||
* Returns the token value resolved from the provided {@code ServerWebExchange} and
|
||||
* {@link CsrfToken} or {@code Mono.empty()} if not available.
|
||||
* @param exchange the {@code ServerWebExchange} with the request being processed
|
||||
* @param csrfToken the {@link CsrfToken} created by the
|
||||
* {@link ServerCsrfTokenRepository}
|
||||
* @return the token value resolved from the request
|
||||
*/
|
||||
Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken);
|
||||
|
||||
}
|
||||
+116
@@ -0,0 +1,116 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.csrf;
|
||||
|
||||
import java.security.SecureRandom;
|
||||
import java.util.Base64;
|
||||
|
||||
import reactor.core.publisher.Mono;
|
||||
|
||||
import org.springframework.security.crypto.codec.Utf8;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
|
||||
/**
|
||||
* An implementation of the {@link ServerCsrfTokenRequestAttributeHandler} and
|
||||
* {@link ServerCsrfTokenRequestResolver} interfaces that is capable of masking the value
|
||||
* of the {@link CsrfToken} on each request and resolving the raw token value from the
|
||||
* masked value as either a form data value or header of the request.
|
||||
*
|
||||
* @author Steve Riesenberg
|
||||
* @since 5.8
|
||||
*/
|
||||
public final class XorServerCsrfTokenRequestAttributeHandler extends ServerCsrfTokenRequestAttributeHandler {
|
||||
|
||||
private SecureRandom secureRandom = new SecureRandom();
|
||||
|
||||
/**
|
||||
* Specifies the {@code SecureRandom} used to generate random bytes that are used to
|
||||
* mask the value of the {@link CsrfToken} on each request.
|
||||
* @param secureRandom the {@code SecureRandom} to use to generate random bytes
|
||||
*/
|
||||
public void setSecureRandom(SecureRandom secureRandom) {
|
||||
Assert.notNull(secureRandom, "secureRandom cannot be null");
|
||||
this.secureRandom = secureRandom;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
|
||||
Assert.notNull(exchange, "exchange cannot be null");
|
||||
Assert.notNull(csrfToken, "csrfToken cannot be null");
|
||||
Mono<CsrfToken> updatedCsrfToken = csrfToken.map((token) -> new DefaultCsrfToken(token.getHeaderName(),
|
||||
token.getParameterName(), createXoredCsrfToken(this.secureRandom, token.getToken())));
|
||||
super.handle(exchange, updatedCsrfToken);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
|
||||
return super.resolveCsrfTokenValue(exchange, csrfToken)
|
||||
.flatMap((actualToken) -> Mono.justOrEmpty(getTokenValue(actualToken, csrfToken.getToken())));
|
||||
}
|
||||
|
||||
private static String getTokenValue(String actualToken, String token) {
|
||||
byte[] actualBytes;
|
||||
try {
|
||||
actualBytes = Base64.getUrlDecoder().decode(actualToken);
|
||||
}
|
||||
catch (Exception ex) {
|
||||
return null;
|
||||
}
|
||||
|
||||
byte[] tokenBytes = Utf8.encode(token);
|
||||
int tokenSize = tokenBytes.length;
|
||||
if (actualBytes.length < tokenSize) {
|
||||
return null;
|
||||
}
|
||||
|
||||
// extract token and random bytes
|
||||
int randomBytesSize = actualBytes.length - tokenSize;
|
||||
byte[] xoredCsrf = new byte[tokenSize];
|
||||
byte[] randomBytes = new byte[randomBytesSize];
|
||||
|
||||
System.arraycopy(actualBytes, 0, randomBytes, 0, randomBytesSize);
|
||||
System.arraycopy(actualBytes, randomBytesSize, xoredCsrf, 0, tokenSize);
|
||||
|
||||
byte[] csrfBytes = xorCsrf(randomBytes, xoredCsrf);
|
||||
return Utf8.decode(csrfBytes);
|
||||
}
|
||||
|
||||
private static String createXoredCsrfToken(SecureRandom secureRandom, String token) {
|
||||
byte[] tokenBytes = Utf8.encode(token);
|
||||
byte[] randomBytes = new byte[tokenBytes.length];
|
||||
secureRandom.nextBytes(randomBytes);
|
||||
|
||||
byte[] xoredBytes = xorCsrf(randomBytes, tokenBytes);
|
||||
byte[] combinedBytes = new byte[tokenBytes.length + randomBytes.length];
|
||||
System.arraycopy(randomBytes, 0, combinedBytes, 0, randomBytes.length);
|
||||
System.arraycopy(xoredBytes, 0, combinedBytes, randomBytes.length, xoredBytes.length);
|
||||
|
||||
return Base64.getUrlEncoder().encodeToString(combinedBytes);
|
||||
}
|
||||
|
||||
private static byte[] xorCsrf(byte[] randomBytes, byte[] csrfBytes) {
|
||||
int len = Math.min(randomBytes.length, csrfBytes.length);
|
||||
byte[] xoredCsrf = new byte[len];
|
||||
System.arraycopy(csrfBytes, 0, xoredCsrf, 0, csrfBytes.length);
|
||||
for (int i = 0; i < len; i++) {
|
||||
xoredCsrf[i] ^= randomBytes[i];
|
||||
}
|
||||
return xoredCsrf;
|
||||
}
|
||||
|
||||
}
|
||||
+86
-5
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2021 the original author or authors.
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -34,13 +34,17 @@ import org.springframework.test.web.reactive.server.WebTestClient;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
import org.springframework.web.reactive.function.BodyInserters;
|
||||
import org.springframework.web.server.ServerWebExchange;
|
||||
import org.springframework.web.server.WebFilterChain;
|
||||
import org.springframework.web.server.WebSession;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.ArgumentMatchers.eq;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
import static org.mockito.Mockito.verifyNoMoreInteractions;
|
||||
|
||||
/**
|
||||
@@ -65,6 +69,15 @@ public class CsrfWebFilterTests {
|
||||
|
||||
private MockServerWebExchange post = MockServerWebExchange.from(MockServerHttpRequest.post("/"));
|
||||
|
||||
@Test
|
||||
public void setRequestHandlerWhenNullThenThrowsIllegalArgumentException() {
|
||||
// @formatter:off
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.csrfFilter.setRequestHandler(null))
|
||||
.withMessage("requestHandler cannot be null");
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWhenGetThenSessionNotCreatedAndChainContinues() {
|
||||
PublisherProbe<Void> chainResult = PublisherProbe.empty();
|
||||
@@ -145,6 +158,66 @@ public class CsrfWebFilterTests {
|
||||
chainResult.assertWasSubscribed();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWhenRequestHandlerSetThenUsed() {
|
||||
ServerCsrfTokenRequestHandler requestHandler = mock(ServerCsrfTokenRequestHandler.class);
|
||||
given(requestHandler.resolveCsrfTokenValue(any(ServerWebExchange.class), any(CsrfToken.class)))
|
||||
.willReturn(Mono.just(this.token.getToken()));
|
||||
this.csrfFilter.setRequestHandler(requestHandler);
|
||||
|
||||
PublisherProbe<Void> chainResult = PublisherProbe.empty();
|
||||
given(this.chain.filter(any())).willReturn(chainResult.mono());
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
|
||||
given(this.repository.generateToken(any())).willReturn(Mono.just(this.token));
|
||||
this.post = MockServerWebExchange
|
||||
.from(MockServerHttpRequest.post("/").header(this.token.getHeaderName(), this.token.getToken()));
|
||||
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
|
||||
StepVerifier.create(result).verifyComplete();
|
||||
chainResult.assertWasSubscribed();
|
||||
|
||||
verify(requestHandler).handle(eq(this.post), any());
|
||||
verify(requestHandler).resolveCsrfTokenValue(this.post, this.token);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWhenXorServerCsrfTokenRequestProcessorAndValidTokenThenSuccess() {
|
||||
PublisherProbe<Void> chainResult = PublisherProbe.empty();
|
||||
given(this.chain.filter(any())).willReturn(chainResult.mono());
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
given(this.repository.generateToken(any())).willReturn(Mono.just(this.token));
|
||||
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
|
||||
XorServerCsrfTokenRequestAttributeHandler requestHandler = new XorServerCsrfTokenRequestAttributeHandler();
|
||||
this.csrfFilter.setRequestHandler(requestHandler);
|
||||
StepVerifier.create(this.csrfFilter.filter(this.get, this.chain)).verifyComplete();
|
||||
chainResult.assertWasSubscribed();
|
||||
|
||||
Mono<CsrfToken> csrfTokenAttribute = this.get.getAttribute(CsrfToken.class.getName());
|
||||
assertThat(csrfTokenAttribute).isNotNull();
|
||||
StepVerifier.create(csrfTokenAttribute)
|
||||
.consumeNextWith((csrfToken) -> this.post = MockServerWebExchange
|
||||
.from(MockServerHttpRequest.post("/").header(csrfToken.getHeaderName(), csrfToken.getToken())))
|
||||
.verifyComplete();
|
||||
|
||||
StepVerifier.create(this.csrfFilter.filter(this.post, this.chain)).verifyComplete();
|
||||
chainResult.assertWasSubscribed();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void filterWhenXorServerCsrfTokenRequestProcessorAndRawTokenThenAccessDeniedException() {
|
||||
PublisherProbe<Void> chainResult = PublisherProbe.empty();
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
|
||||
XorServerCsrfTokenRequestAttributeHandler requestHandler = new XorServerCsrfTokenRequestAttributeHandler();
|
||||
this.csrfFilter.setRequestHandler(requestHandler);
|
||||
this.post = MockServerWebExchange
|
||||
.from(MockServerHttpRequest.post("/").header(this.token.getHeaderName(), this.token.getToken()));
|
||||
Mono<Void> result = this.csrfFilter.filter(this.post, this.chain);
|
||||
StepVerifier.create(result).verifyComplete();
|
||||
chainResult.assertWasNotSubscribed();
|
||||
assertThat(this.post.getResponse().getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
|
||||
}
|
||||
|
||||
@Test
|
||||
// gh-8452
|
||||
public void matchesRequireCsrfProtectionWhenNonStandardHTTPMethodIsUsed() {
|
||||
@@ -180,7 +253,9 @@ public class CsrfWebFilterTests {
|
||||
@Test
|
||||
public void filterWhenMultipartFormDataAndEnabledThenGranted() {
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
this.csrfFilter.setTokenFromMultipartDataEnabled(true);
|
||||
ServerCsrfTokenRequestAttributeHandler requestHandler = new ServerCsrfTokenRequestAttributeHandler();
|
||||
requestHandler.setTokenFromMultipartDataEnabled(true);
|
||||
this.csrfFilter.setRequestHandler(requestHandler);
|
||||
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
|
||||
given(this.repository.generateToken(any())).willReturn(Mono.just(this.token));
|
||||
WebTestClient client = WebTestClient.bindToController(new OkController()).webFilter(this.csrfFilter).build();
|
||||
@@ -192,7 +267,9 @@ public class CsrfWebFilterTests {
|
||||
@Test
|
||||
public void filterWhenPostAndMultipartFormDataEnabledAndNoBodyProvided() {
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
this.csrfFilter.setTokenFromMultipartDataEnabled(true);
|
||||
ServerCsrfTokenRequestAttributeHandler requestHandler = new ServerCsrfTokenRequestAttributeHandler();
|
||||
requestHandler.setTokenFromMultipartDataEnabled(true);
|
||||
this.csrfFilter.setRequestHandler(requestHandler);
|
||||
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
|
||||
given(this.repository.generateToken(any())).willReturn(Mono.just(this.token));
|
||||
WebTestClient client = WebTestClient.bindToController(new OkController()).webFilter(this.csrfFilter).build();
|
||||
@@ -203,7 +280,9 @@ public class CsrfWebFilterTests {
|
||||
@Test
|
||||
public void filterWhenFormDataAndEnabledThenGranted() {
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
this.csrfFilter.setTokenFromMultipartDataEnabled(true);
|
||||
ServerCsrfTokenRequestAttributeHandler requestHandler = new ServerCsrfTokenRequestAttributeHandler();
|
||||
requestHandler.setTokenFromMultipartDataEnabled(true);
|
||||
this.csrfFilter.setRequestHandler(requestHandler);
|
||||
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
|
||||
given(this.repository.generateToken(any())).willReturn(Mono.just(this.token));
|
||||
WebTestClient client = WebTestClient.bindToController(new OkController()).webFilter(this.csrfFilter).build();
|
||||
@@ -215,7 +294,9 @@ public class CsrfWebFilterTests {
|
||||
@Test
|
||||
public void filterWhenMultipartMixedAndEnabledThenNotRead() {
|
||||
this.csrfFilter.setCsrfTokenRepository(this.repository);
|
||||
this.csrfFilter.setTokenFromMultipartDataEnabled(true);
|
||||
ServerCsrfTokenRequestAttributeHandler requestHandler = new ServerCsrfTokenRequestAttributeHandler();
|
||||
requestHandler.setTokenFromMultipartDataEnabled(true);
|
||||
this.csrfFilter.setRequestHandler(requestHandler);
|
||||
given(this.repository.loadToken(any())).willReturn(Mono.just(this.token));
|
||||
WebTestClient client = WebTestClient.bindToController(new OkController()).webFilter(this.csrfFilter).build();
|
||||
client.post().uri("/").contentType(MediaType.MULTIPART_MIXED)
|
||||
|
||||
+132
@@ -0,0 +1,132 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.csrf;
|
||||
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import reactor.core.publisher.Mono;
|
||||
import reactor.test.StepVerifier;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
|
||||
/**
|
||||
* Tests for {@link ServerCsrfTokenRequestAttributeHandler}.
|
||||
*
|
||||
* @author Steve Riesenberg
|
||||
* @since 5.8
|
||||
*/
|
||||
public class ServerCsrfTokenRequestAttributeHandlerTests {
|
||||
|
||||
private ServerCsrfTokenRequestAttributeHandler handler;
|
||||
|
||||
private MockServerWebExchange exchange;
|
||||
|
||||
private CsrfToken token;
|
||||
|
||||
@BeforeEach
|
||||
public void setUp() {
|
||||
this.handler = new ServerCsrfTokenRequestAttributeHandler();
|
||||
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.get("/")).build();
|
||||
this.token = new DefaultCsrfToken("headerName", "paramName", "csrfTokenValue");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenExchangeIsNullThenThrowsIllegalArgumentException() {
|
||||
// @formatter:off
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.handler.handle(null, Mono.just(this.token)))
|
||||
.withMessage("exchange cannot be null");
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
|
||||
// @formatter:off
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.handler.handle(this.exchange, null))
|
||||
.withMessage("csrfToken cannot be null");
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenValidParametersThenExchangeAttributeSet() {
|
||||
Mono<CsrfToken> csrfToken = Mono.just(this.token);
|
||||
this.handler.handle(this.exchange, csrfToken);
|
||||
Mono<CsrfToken> csrfTokenAttribute = this.exchange.getAttribute(CsrfToken.class.getName());
|
||||
assertThat(csrfTokenAttribute).isNotNull();
|
||||
assertThat(csrfTokenAttribute).isEqualTo(csrfToken);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenExchangeIsNullThenThrowsIllegalArgumentException() {
|
||||
// @formatter:off
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.handler.resolveCsrfTokenValue(null, this.token))
|
||||
.withMessage("exchange cannot be null");
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
|
||||
// @formatter:off
|
||||
assertThatIllegalArgumentException()
|
||||
.isThrownBy(() -> this.handler.resolveCsrfTokenValue(this.exchange, null))
|
||||
.withMessage("csrfToken cannot be null");
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenTokenNotSetThenReturnsEmptyMono() {
|
||||
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
|
||||
StepVerifier.create(csrfToken).verifyComplete();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenFormDataSetThenReturnsTokenValue() {
|
||||
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.body(this.token.getParameterName() + "=" + this.token.getToken())).build();
|
||||
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
|
||||
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenHeaderSetThenReturnsTokenValue() {
|
||||
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.header(this.token.getHeaderName(), this.token.getToken())).build();
|
||||
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
|
||||
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenHeaderAndFormDataSetThenFormDataIsPreferred() {
|
||||
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.header(this.token.getHeaderName(), "header")
|
||||
.body(this.token.getParameterName() + "=" + this.token.getToken())).build();
|
||||
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
|
||||
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
|
||||
}
|
||||
|
||||
}
|
||||
+171
@@ -0,0 +1,171 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.server.csrf;
|
||||
|
||||
import java.security.SecureRandom;
|
||||
import java.util.Arrays;
|
||||
import java.util.Base64;
|
||||
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.mockito.stubbing.Answer;
|
||||
import reactor.core.publisher.Mono;
|
||||
import reactor.test.StepVerifier;
|
||||
|
||||
import org.springframework.http.HttpHeaders;
|
||||
import org.springframework.http.MediaType;
|
||||
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
|
||||
import org.springframework.mock.web.server.MockServerWebExchange;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.willAnswer;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
/**
|
||||
* Tests for {@link XorServerCsrfTokenRequestAttributeHandler}.
|
||||
*
|
||||
* @author Steve Riesenberg
|
||||
* @since 5.8
|
||||
*/
|
||||
public class XorServerCsrfTokenRequestAttributeHandlerTests {
|
||||
|
||||
private static final byte[] XOR_CSRF_TOKEN_BYTES = new byte[] { 1, 1, 1, 96, 99, 98 };
|
||||
|
||||
private static final String XOR_CSRF_TOKEN_VALUE = Base64.getEncoder().encodeToString(XOR_CSRF_TOKEN_BYTES);
|
||||
|
||||
private XorServerCsrfTokenRequestAttributeHandler handler;
|
||||
|
||||
private MockServerWebExchange exchange;
|
||||
|
||||
private CsrfToken token;
|
||||
|
||||
private SecureRandom secureRandom;
|
||||
|
||||
@BeforeEach
|
||||
public void setUp() {
|
||||
this.handler = new XorServerCsrfTokenRequestAttributeHandler();
|
||||
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.get("/")).build();
|
||||
this.token = new DefaultCsrfToken("headerName", "paramName", "abc");
|
||||
this.secureRandom = mock(SecureRandom.class);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void setSecureRandomWhenNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.setSecureRandom(null))
|
||||
.withMessage("secureRandom cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenExchangeIsNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.handle(null, Mono.just(this.token)))
|
||||
.withMessage("exchange cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.handle(this.exchange, null))
|
||||
.withMessage("csrfToken cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenSecureRandomSetThenUsed() {
|
||||
this.handler.setSecureRandom(this.secureRandom);
|
||||
this.handler.handle(this.exchange, Mono.just(this.token));
|
||||
Mono<CsrfToken> csrfTokenAttribute = this.exchange.getAttribute(CsrfToken.class.getName());
|
||||
assertThat(csrfTokenAttribute).isNotNull();
|
||||
StepVerifier.create(csrfTokenAttribute).expectNextCount(1).verifyComplete();
|
||||
verify(this.secureRandom).nextBytes(anyByteArray());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void handleWhenValidParametersThenExchangeAttributeSet() {
|
||||
willAnswer(fillByteArray()).given(this.secureRandom).nextBytes(anyByteArray());
|
||||
|
||||
this.handler.setSecureRandom(this.secureRandom);
|
||||
this.handler.handle(this.exchange, Mono.just(this.token));
|
||||
Mono<CsrfToken> csrfTokenAttribute = this.exchange.getAttribute(CsrfToken.class.getName());
|
||||
assertThat(csrfTokenAttribute).isNotNull();
|
||||
// @formatter:off
|
||||
StepVerifier.create(csrfTokenAttribute)
|
||||
.assertNext((csrfToken) -> assertThat(csrfToken.getToken()).isEqualTo(XOR_CSRF_TOKEN_VALUE))
|
||||
.verifyComplete();
|
||||
// @formatter:on
|
||||
verify(this.secureRandom).nextBytes(anyByteArray());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenExchangeIsNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.resolveCsrfTokenValue(null, this.token))
|
||||
.withMessage("exchange cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenCsrfTokenIsNullThenThrowsIllegalArgumentException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.handler.resolveCsrfTokenValue(this.exchange, null))
|
||||
.withMessage("csrfToken cannot be null");
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenTokenNotSetThenReturnsEmptyMono() {
|
||||
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
|
||||
StepVerifier.create(csrfToken).verifyComplete();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenFormDataSetThenReturnsTokenValue() {
|
||||
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.body(this.token.getParameterName() + "=" + XOR_CSRF_TOKEN_VALUE)).build();
|
||||
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
|
||||
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenHeaderSetThenReturnsTokenValue() {
|
||||
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.header(this.token.getHeaderName(), XOR_CSRF_TOKEN_VALUE)).build();
|
||||
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
|
||||
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void resolveCsrfTokenValueWhenHeaderAndFormDataSetThenFormDataIsPreferred() {
|
||||
this.exchange = MockServerWebExchange.builder(MockServerHttpRequest.post("/")
|
||||
.header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE)
|
||||
.header(this.token.getHeaderName(), "header")
|
||||
.body(this.token.getParameterName() + "=" + XOR_CSRF_TOKEN_VALUE)).build();
|
||||
Mono<String> csrfToken = this.handler.resolveCsrfTokenValue(this.exchange, this.token);
|
||||
StepVerifier.create(csrfToken).expectNext(this.token.getToken()).verifyComplete();
|
||||
}
|
||||
|
||||
private static Answer<Void> fillByteArray() {
|
||||
return (invocation) -> {
|
||||
byte[] bytes = invocation.getArgument(0);
|
||||
Arrays.fill(bytes, (byte) 1);
|
||||
return null;
|
||||
};
|
||||
}
|
||||
|
||||
private static byte[] anyByteArray() {
|
||||
return any(byte[].class);
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user