Merge pull request #1 from ahunigel/pre-token

emulate full oauth2 process

Author: ahunigel

README.md

@@ -19,6 +19,9 @@ _Note: Most code came from the open network. I refactor and enhanced the code, t
 - @WithMockUserAndClaims
     - enhanced @WithMockUser, attach Map-based claims as authentication details
     - equal to @WithMockUser + @AttachClaims
+- @WithToken
+    - add `bearer` token to request header to extract a `PreAuthenticatedAuthenticationToken`,
+    load existing OAuth2Authentication from SecurityContext
 
 ## How to use
 
@@ -65,9 +68,7 @@ Refer to https://jitpack.io/#ahunigel/spring-security-oauth2-test for details.
 
 ## TODOs
 
-1. Mock full oauth2 process, add `bearer` token to request header to extract a `PreAuthenticatedAuthenticationToken`
-
-2. For oauth2 request, add ability to set ResourceServerSecurityConfigurer.stateless to false, maybe an 
+- For oauth2 request, add ability to set ResourceServerSecurityConfigurer.stateless to false, maybe add an 
 annotation like `@ResourceStateLess(false)`
 
-3. Add support for `RestTemplate`
+- Add support for `RestTemplate`

build.gradle

@@ -17,7 +17,7 @@ apply plugin: 'java'
 apply plugin: "jacoco"
 
 group 'com.github.ahunigel'
-version '1.0-SNAPSHOT'
+version '1.1-SNAPSHOT'
 
 sourceCompatibility = 1.8
 
@@ -26,6 +26,7 @@ dependencies {
     implementation "org.springframework.security.oauth:spring-security-oauth2:2.2.1.RELEASE"
     implementation "org.springframework.security:spring-security-test:5.0.6.RELEASE"
     implementation group: 'commons-beanutils', name: 'commons-beanutils', version: '1.9.3'
+    compileOnly group: 'javax.servlet', name: 'javax.servlet-api', version: '4.0.1'
 }
 
 repositories {

src/main/java/com/github/ahunigel/test/security/AttachClaims.java

@@ -6,6 +6,8 @@
  * Created by Nigel Zheng on 8/3/2018.
  * <p>
  * Attach claims as map to current authentication details
+ *
+ * @author nigel
  */
 @Target({ElementType.METHOD, ElementType.TYPE})
 @Retention(RetentionPolicy.RUNTIME)

src/main/java/com/github/ahunigel/test/security/AttachClaimsTestExecutionListener.java

@@ -15,10 +15,12 @@
 import java.util.Map;
 
 /**
- * Created by Nigel.Zheng on 8/3/2018.
+ * Created by Nigel Zheng on 8/3/2018.
+ *
+ * @author nigel
  */
 public class AttachClaimsTestExecutionListener extends AbstractTestExecutionListener {
-  private static final Logger logger = LoggerFactory.getLogger(AttachClaimsTestExecutionListener.class);
+  private static final Logger log = LoggerFactory.getLogger(AttachClaimsTestExecutionListener.class);
 
   @Override
   public void beforeTestClass(TestContext testContext) throws Exception {
@@ -52,7 +54,7 @@ public void attachClaimsToAuthentication(AttachClaims annotation) {
         ((AbstractAuthenticationToken) authentication).setDetails(claims);
       }
     } else {
-      logger.warn("No authentication found, do not attach claims");
+      log.warn("No authentication found, do not attach claims");
     }
   }
 

src/main/java/com/github/ahunigel/test/security/WithMockUserAndClaims.java

@@ -18,6 +18,8 @@
  * <p>
  * Emulate running with a mocked user,
  * attach claims as map to mocked authentication details
+ *
+ * @author nigel
  */
 @Target({ElementType.METHOD, ElementType.TYPE})
 @Retention(RetentionPolicy.RUNTIME)

src/main/java/com/github/ahunigel/test/security/oauth2/MockTokenServices.java

@@ -0,0 +1,16 @@
+package com.github.ahunigel.test.security.oauth2;
+
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.boot.test.mock.mockito.MockReset;
+import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+/**
+ * Created by Nigel Zheng on 8/7/2018.
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@MockBean(value = {ResourceServerTokenServices.class}, reset = MockReset.AFTER)
+public @interface MockTokenServices {
+}

src/main/java/com/github/ahunigel/test/security/oauth2/WithMockOAuth2Client.java

@@ -20,6 +20,7 @@
  * <p>
  * Emulate running with a mocked oauth2 client
  */
+@WithToken
 @Retention(RetentionPolicy.RUNTIME)
 @WithSecurityContext(factory = WithMockOAuth2Client.WithMockOAuth2ClientSecurityContextFactory.class)
 public @interface WithMockOAuth2Client {

src/main/java/com/github/ahunigel/test/security/oauth2/WithMockOAuth2User.java

@@ -20,6 +20,7 @@
  * Emulate running with a mocked oauth2 client on behalf of user,
  * attach claims as map to mocked oauth2 authentication details
  */
+@WithToken
 @Retention(RetentionPolicy.RUNTIME)
 @WithSecurityContext(factory = WithMockOAuth2User.WithMockOAuth2UserSecurityContextFactory.class)
 public @interface WithMockOAuth2User {

src/main/java/com/github/ahunigel/test/security/oauth2/WithToken.java

@@ -0,0 +1,24 @@
+package com.github.ahunigel.test.security.oauth2;
+
+import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+/**
+ * Created by Nigel Zheng on 2018/8/7.
+ * <p>
+ * Emulate an OAuth2 token request, would extract an {@link PreAuthenticatedAuthenticationToken}
+ * <p>
+ * require annotation {@link MockTokenServices} on test class level or {@link ResourceServerTokenServices} @MockBean exists
+ *
+ * @author nigel
+ */
+@Retention(RetentionPolicy.RUNTIME)
+public @interface WithToken {
+
+  String FAKE_BEARER_TOKEN = "fake.bearer.token";
+
+  String value() default FAKE_BEARER_TOKEN;
+}

src/main/java/com/github/ahunigel/test/security/oauth2/WithTokenTestExecutionListener.java

@@ -0,0 +1,147 @@
+package com.github.ahunigel.test.security.oauth2;
+
+import org.mockito.Mockito;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.annotation.AnnotatedElementUtils;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
+import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
+import org.springframework.security.test.context.TestSecurityContextHolder;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.test.context.TestContext;
+import org.springframework.test.context.support.AbstractTestExecutionListener;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.RequestBuilder;
+import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.request.RequestPostProcessor;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+import java.lang.annotation.Annotation;
+import java.lang.reflect.AnnotatedElement;
+import java.lang.reflect.Method;
+
+import static org.mockito.Mockito.when;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.testSecurityContext;
+
+/**
+ * Created by Nigel Zheng on 2018/8/6.
+ * <p>
+ * Add <code>Authorization</code> header to token request, extract an {@link PreAuthenticatedAuthenticationToken},
+ * and then load an existing {@link OAuth2Authentication} from {@link SecurityContext}
+ *
+ * @author nigel
+ */
+public class WithTokenTestExecutionListener extends AbstractTestExecutionListener {
+  private static final Logger log = LoggerFactory.getLogger(WithTokenTestExecutionListener.class);
+
+  private static final String ORIGINAL_REQUEST_BUILDER = "originalRequestBuilder";
+
+  @Override
+  public void beforeTestClass(TestContext testContext) throws Exception {
+    Annotation annotation = AnnotatedElementUtils.findMergedAnnotation(testContext.getTestClass(), WithToken.class);
+    if (annotation != null) {
+      verifyTokenServicesMocked(testContext.getTestClass());
+      addAuthHeader(testContext.getTestClass(), testContext, (WithToken) annotation);
+    }
+  }
+
+  @Override
+  public void beforeTestMethod(TestContext testContext) throws Exception {
+    Annotation annotation = AnnotatedElementUtils.findMergedAnnotation(testContext.getTestMethod(), WithToken.class);
+    if (annotation != null) {
+      verifyTokenServicesMocked(testContext.getTestClass());
+      addAuthHeader(testContext.getTestMethod(), testContext, (WithToken) annotation);
+    }
+  }
+
+  @Override
+  public void afterTestMethod(TestContext testContext) throws Exception {
+    Annotation annotation = AnnotatedElementUtils.findMergedAnnotation(testContext.getTestMethod(), WithToken.class);
+    if (annotation != null) {
+      removeAuthHeader(testContext.getTestMethod(), testContext);
+    }
+  }
+
+  @Override
+  public void afterTestClass(TestContext testContext) throws Exception {
+    Annotation annotation = AnnotatedElementUtils.findMergedAnnotation(testContext.getTestClass(), WithToken.class);
+    if (annotation != null) {
+      removeAuthHeader(testContext.getTestClass(), testContext);
+    }
+  }
+
+  private void verifyTokenServicesMocked(Class<?> testClass) {
+    MockTokenServices annotation = AnnotatedElementUtils.findMergedAnnotation(testClass, MockTokenServices.class);
+    Assert.state(annotation != null, "Missing @MockTokenServices on class level");
+  }
+
+  private void addAuthHeader(AnnotatedElement annotated, TestContext testContext, WithToken withToken) {
+    Assert.state(withToken != null, "No @WithToken exists!!!");
+    MockMvc mockMvc = testContext.getApplicationContext().getBean(MockMvc.class);
+    MockHttpServletRequestBuilder requestBuilder = MockMvcRequestBuilders.get("/")
+        .with(testSecurityContext()).with(bearerAuthPostProcessor(withToken.value()));
+    // stash original default request builder
+    RequestBuilder originalRequestBuilder = (RequestBuilder) ReflectionTestUtils.getField(mockMvc, MockMvc.class,
+        "defaultRequestBuilder");
+    testContext.setAttribute(attributeName(annotated), originalRequestBuilder);
+    setDefaultRequestBuilder(mockMvc, requestBuilder);
+    ResourceServerTokenServices tokenServices = testContext.getApplicationContext().getBean(ResourceServerTokenServices.class);
+    when(tokenServices.loadAuthentication(withToken.value())).thenAnswer(invocation -> {
+      Authentication authentication = TestSecurityContextHolder.getContext().getAuthentication();
+      if (authentication instanceof OAuth2Authentication) {
+        return (OAuth2Authentication) authentication;
+      }
+      return null;
+    });
+  }
+
+  private void removeAuthHeader(AnnotatedElement annotated, TestContext testContext) {
+    MockMvc mockMvc = testContext.getApplicationContext().getBean(MockMvc.class);
+    Object originalRequestBuilder = testContext.getAttribute(attributeName(annotated));
+    if (originalRequestBuilder instanceof RequestBuilder) {
+      // reset default request builder
+      setDefaultRequestBuilder(mockMvc, (RequestBuilder) originalRequestBuilder);
+    }
+    Mockito.reset(new ResourceServerTokenServices[]{
+        testContext.getApplicationContext().getBean(ResourceServerTokenServices.class)
+    });
+  }
+
+  private String attributeName(AnnotatedElement annotated) {
+    return ORIGINAL_REQUEST_BUILDER + annotated.getClass().getSimpleName()
+        + (annotated instanceof Method ? ((Method) annotated).getName() : "");
+  }
+
+  private void setDefaultRequestBuilder(MockMvc mockMvc, RequestBuilder requestBuilder) {
+    ReflectionTestUtils.invokeSetterMethod(mockMvc, "setDefaultRequest", requestBuilder, RequestBuilder.class);
+  }
+
+  private RequestPostProcessor bearerAuthPostProcessor(String token) {
+    return new BearerAuthPostProcessor(token);
+  }
+
+  class BearerAuthPostProcessor implements RequestPostProcessor {
+    private final String token;
+
+    BearerAuthPostProcessor(String token) {
+      this.token = token;
+    }
+
+    @Override
+    public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
+      String authHeader = request.getHeader("Authorization");
+      if (!StringUtils.hasText(authHeader)) {
+        request.addHeader("Authorization", "Bearer " + token);
+      } else {
+        log.warn("DO NOT OVERRIDE existing authorization header: {}", authHeader);
+      }
+      return request;
+    }
+  }
+}