Add AuthorizeReturnObject Hints

Closes gh-15709
2026-05-22 21:33:16 +00:00 · 2024-09-09 14:49:22 -06:00
parent da38b13a17
commit fd5d03d384
11 changed files with 908 additions and 5 deletions
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.aot.hint;
+
+import java.lang.reflect.Method;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.security.authorization.AuthorizationProxyFactory;
+import org.springframework.security.authorization.method.AuthorizeReturnObject;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
+import org.springframework.security.core.annotation.SecurityAnnotationScanners;
+import org.springframework.util.Assert;
+
+/**
+ * A {@link SecurityHintsRegistrar} that scans all beans for methods that use
+ * {@link AuthorizeReturnObject} and registers those return objects as
+ * {@link org.springframework.aot.hint.TypeHint}s.
+ *
+ * <p>
+ * It also traverses those found types for other return values.
+ *
+ * <p>
+ * An instance of this class is published as an infrastructural bean by the
+ * {@code spring-security-config} module. However, in the event you need to publish it
+ * yourself, remember to publish it as an infrastructural bean like so:
+ *
+ * <pre>
+ *	&#064;Bean
+ *	&#064;Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+ *	static SecurityHintsRegistrar proxyThese(AuthorizationProxyFactory proxyFactory) {
+ *		return new AuthorizeReturnObjectHintsRegistrar(proxyFactory);
+ *	}
+ * </pre>
+ *
+ * @author Josh Cummings
+ * @since 6.4
+ * @see AuthorizeReturnObjectHintsRegistrar
+ * @see SecurityHintsAotProcessor
+ */
+public final class AuthorizeReturnObjectCoreHintsRegistrar implements SecurityHintsRegistrar {
+
+	private final AuthorizationProxyFactory proxyFactory;
+
+	private final SecurityAnnotationScanner<AuthorizeReturnObject> scanner = SecurityAnnotationScanners
+		.requireUnique(AuthorizeReturnObject.class);
+
+	private final Set<Class<?>> visitedClasses = new HashSet<>();
+
+	public AuthorizeReturnObjectCoreHintsRegistrar(AuthorizationProxyFactory proxyFactory) {
+		Assert.notNull(proxyFactory, "proxyFactory cannot be null");
+		this.proxyFactory = proxyFactory;
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public void registerHints(RuntimeHints hints, ConfigurableListableBeanFactory beanFactory) {
+		List<Class<?>> toProxy = new ArrayList<>();
+		for (String name : beanFactory.getBeanDefinitionNames()) {
+			Class<?> clazz = beanFactory.getType(name, false);
+			if (clazz == null) {
+				continue;
+			}
+			for (Method method : clazz.getDeclaredMethods()) {
+				AuthorizeReturnObject annotation = this.scanner.scan(method, clazz);
+				if (annotation == null) {
+					continue;
+				}
+				toProxy.add(method.getReturnType());
+			}
+		}
+		new AuthorizeReturnObjectHintsRegistrar(this.proxyFactory, toProxy).registerHints(hints, beanFactory);
+	}
+
+}
@@ -0,0 +1,143 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.aot.hint;
+
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.springframework.aop.SpringProxy;
+import org.springframework.aot.hint.MemberCategory;
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
+import org.springframework.security.authorization.AuthorizationProxyFactory;
+import org.springframework.security.authorization.method.AuthorizeReturnObject;
+import org.springframework.security.core.annotation.SecurityAnnotationScanner;
+import org.springframework.security.core.annotation.SecurityAnnotationScanners;
+import org.springframework.util.Assert;
+
+/**
+ * A {@link SecurityHintsRegistrar} implementation that registers only the classes
+ * provided in the constructor.
+ *
+ * <p>
+ * It also traverses those found types for other return values.
+ *
+ * <p>
+ * This may be used by an application to register specific Security-adjacent classes that
+ * were otherwise missed by Spring Security's reachability scans.
+ *
+ * <p>
+ * Remember to register this as an infrastructural bean like so:
+ *
+ * <pre>
+ *	&#064;Bean
+ *	&#064;Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+ *	static SecurityHintsRegistrar proxyThese(AuthorizationProxyFactory proxyFactory) {
+ *		return new AuthorizationProxyFactoryHintsRegistrar(proxyFactory, MyClass.class);
+ *	}
+ * </pre>
+ *
+ * <p>
+ * Note that no object graph traversal is performed in this class. As such, any classes
+ * that need an authorization proxy that are missed by Security's default registrars
+ * should be listed exhaustively in the constructor.
+ *
+ * @author Josh Cummings
+ * @since 6.4
+ * @see AuthorizeReturnObjectCoreHintsRegistrar
+ */
+public final class AuthorizeReturnObjectHintsRegistrar implements SecurityHintsRegistrar {
+
+	private final AuthorizationProxyFactory proxyFactory;
+
+	private final SecurityAnnotationScanner<AuthorizeReturnObject> scanner = SecurityAnnotationScanners
+		.requireUnique(AuthorizeReturnObject.class);
+
+	private final Set<Class<?>> visitedClasses = new HashSet<>();
+
+	private final List<Class<?>> classesToProxy;
+
+	public AuthorizeReturnObjectHintsRegistrar(AuthorizationProxyFactory proxyFactory, Class<?>... classes) {
+		Assert.notNull(proxyFactory, "proxyFactory cannot be null");
+		Assert.noNullElements(classes, "classes cannot contain null elements");
+		this.proxyFactory = proxyFactory;
+		this.classesToProxy = new ArrayList(List.of(classes));
+	}
+
+	/**
+	 * Construct this registrar
+	 * @param proxyFactory the proxy factory to use to produce the proxy class
+	 * implementations to be registered
+	 * @param classes the classes to proxy
+	 */
+	public AuthorizeReturnObjectHintsRegistrar(AuthorizationProxyFactory proxyFactory, List<Class<?>> classes) {
+		this.proxyFactory = proxyFactory;
+		this.classesToProxy = new ArrayList<>(classes);
+	}
+
+	/**
+	 * {@inheritDoc}
+	 */
+	@Override
+	public void registerHints(RuntimeHints hints, ConfigurableListableBeanFactory beanFactory) {
+		List<Class<?>> toProxy = new ArrayList<>();
+		for (Class<?> clazz : this.classesToProxy) {
+			toProxy.add(clazz);
+			traverseType(toProxy, clazz);
+		}
+		for (Class<?> clazz : toProxy) {
+			registerProxy(hints, clazz);
+		}
+	}
+
+	private void registerProxy(RuntimeHints hints, Class<?> clazz) {
+		Class<?> proxied = (Class<?>) this.proxyFactory.proxy(clazz);
+		if (proxied == null) {
+			return;
+		}
+		if (Proxy.isProxyClass(proxied)) {
+			hints.proxies().registerJdkProxy(proxied.getInterfaces());
+			return;
+		}
+		if (SpringProxy.class.isAssignableFrom(proxied)) {
+			hints.reflection()
+				.registerType(proxied, MemberCategory.INVOKE_PUBLIC_METHODS, MemberCategory.PUBLIC_FIELDS,
+						MemberCategory.DECLARED_FIELDS);
+		}
+	}
+
+	private void traverseType(List<Class<?>> toProxy, Class<?> clazz) {
+		if (clazz == Object.class || this.visitedClasses.contains(clazz)) {
+			return;
+		}
+		this.visitedClasses.add(clazz);
+		for (Method m : clazz.getDeclaredMethods()) {
+			AuthorizeReturnObject object = this.scanner.scan(m, clazz);
+			if (object == null) {
+				continue;
+			}
+			Class<?> returnType = m.getReturnType();
+			toProxy.add(returnType);
+			traverseType(toProxy, returnType);
+		}
+	}
+
+}
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.aot.hint;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.aot.hint.TypeReference;
+import org.springframework.context.support.GenericApplicationContext;
+import org.springframework.security.authorization.AuthorizationProxyFactory;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
+import org.springframework.security.authorization.method.AuthorizeReturnObject;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.spy;
+
+/**
+ * Tests for {@link AuthorizeReturnObjectCoreHintsRegistrar}
+ */
+public class AuthorizeReturnObjectCoreHintsRegistrarTests {
+
+	private final AuthorizationProxyFactory proxyFactory = spy(AuthorizationAdvisorProxyFactory.withDefaults());
+
+	private final AuthorizeReturnObjectCoreHintsRegistrar registrar = new AuthorizeReturnObjectCoreHintsRegistrar(
+			this.proxyFactory);
+
+	@Test
+	public void registerHintsWhenUsingAuthorizeReturnObjectThenRegisters() {
+		GenericApplicationContext context = new GenericApplicationContext();
+		context.registerBean(MyService.class, MyService::new);
+		context.registerBean(MyInterface.class, MyImplementation::new);
+		context.refresh();
+		RuntimeHints hints = new RuntimeHints();
+		this.registrar.registerHints(hints, context.getBeanFactory());
+		assertThat(hints.reflection().typeHints().map((hint) -> hint.getType().getName()))
+			.containsOnly(cglibClassName(MyObject.class), cglibClassName(MySubObject.class));
+		assertThat(hints.proxies()
+			.jdkProxyHints()
+			.flatMap((hint) -> hint.getProxiedInterfaces().stream())
+			.map(TypeReference::getName)).contains(MyInterface.class.getName());
+	}
+
+	private static String cglibClassName(Class<?> clazz) {
+		return clazz.getName() + "$$SpringCGLIB$$0";
+	}
+
+	public static class MyService {
+
+		@AuthorizeReturnObject
+		MyObject get() {
+			return new MyObject();
+		}
+
+	}
+
+	public interface MyInterface {
+
+		MyObject get();
+
+	}
+
+	@AuthorizeReturnObject
+	public static class MyImplementation implements MyInterface {
+
+		@Override
+		public MyObject get() {
+			return new MyObject();
+		}
+
+	}
+
+	public static class MyObject {
+
+		@AuthorizeReturnObject
+		public MySubObject get() {
+			return new MySubObject();
+		}
+
+		@AuthorizeReturnObject
+		public MyInterface getInterface() {
+			return new MyImplementation();
+		}
+
+	}
+
+	public static class MySubObject {
+
+	}
+
+}
@@ -0,0 +1,64 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.aot.hint;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.aot.hint.RuntimeHints;
+import org.springframework.aot.hint.TypeReference;
+import org.springframework.security.authorization.AuthorizationProxyFactory;
+import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.spy;
+
+/**
+ * Tests for {@link AuthorizeReturnObjectHintsRegistrar}
+ */
+public class AuthorizeReturnObjectHintsRegistrarTests {
+
+	private final AuthorizationProxyFactory proxyFactory = spy(AuthorizationAdvisorProxyFactory.withDefaults());
+
+	@Test
+	public void registerHintsWhenSpecifiedThenRegisters() {
+		AuthorizeReturnObjectHintsRegistrar registrar = new AuthorizeReturnObjectHintsRegistrar(this.proxyFactory,
+				MyObject.class, MyInterface.class);
+		RuntimeHints hints = new RuntimeHints();
+		registrar.registerHints(hints, null);
+		assertThat(hints.reflection().typeHints().map((hint) -> hint.getType().getName()))
+			.containsOnly(cglibClassName(MyObject.class));
+		assertThat(hints.proxies()
+			.jdkProxyHints()
+			.flatMap((hint) -> hint.getProxiedInterfaces().stream())
+			.map(TypeReference::getName)).contains(MyInterface.class.getName());
+	}
+
+	private static String cglibClassName(Class<?> clazz) {
+		return clazz.getName() + "$$SpringCGLIB$$0";
+	}
+
+	public interface MyInterface {
+
+		MyObject get();
+
+	}
+
+	public static class MyObject {
+
+	}
+
+}