Propagate Previous Factor to Next One

This commit allows looking up the current authentication and applying
it to the latest authentication. This is specifically handy when
collecting authorities gained from each authentication factor.

Author: jzheaux

core/src/main/java/org/springframework/security/authentication/DelegatingReactiveAuthenticationManager.java

@@ -27,6 +27,7 @@
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.util.Assert;
 
 /**
@@ -57,11 +58,24 @@ public DelegatingReactiveAuthenticationManager(List<ReactiveAuthenticationManage
 
 	@Override
 	public Mono<Authentication> authenticate(Authentication authentication) {
+		return ReactiveSecurityContextHolder.getContext().flatMap((context) -> {
+			Mono<Authentication> result = doAuthenticate(authentication);
+			Authentication current = context.getAuthentication();
+			if (current == null) {
+				return result;
+			}
+			if (!current.isAuthenticated()) {
+				return result;
+			}
+			return doAuthenticate(current).map((r) -> r.toBuilder().apply(current).build());
+		}).switchIfEmpty(doAuthenticate(authentication));
+	}
+
+	private Mono<Authentication> doAuthenticate(Authentication authentication) {
 		Flux<ReactiveAuthenticationManager> result = Flux.fromIterable(this.delegates);
 		Function<ReactiveAuthenticationManager, Mono<Authentication>> logging = (m) -> m.authenticate(authentication)
 			.doOnError(AuthenticationException.class, (ex) -> ex.setAuthenticationRequest(authentication))
 			.doOnError(this.logger::debug);
-
 		return ((this.continueOnError) ? result.concatMapDelayError(logging) : result.concatMap(logging)).next();
 	}
 

core/src/main/java/org/springframework/security/authentication/ProviderManager.java

@@ -33,6 +33,8 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.CredentialsContainer;
 import org.springframework.security.core.SpringSecurityMessageSource;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 
@@ -92,6 +94,9 @@ public class ProviderManager implements AuthenticationManager, MessageSourceAwar
 
 	private static final Log logger = LogFactory.getLog(ProviderManager.class);
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+		.getContextHolderStrategy();
+
 	private AuthenticationEventPublisher eventPublisher = new NullEventPublisher();
 
 	private List<AuthenticationProvider> providers = Collections.emptyList();
@@ -209,6 +214,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				lastException = ex;
 			}
 		}
+		result = applyPreviousAuthentication(result);
 		if (result == null && this.parent != null) {
 			// Allow the parent to try.
 			try {
@@ -265,6 +271,20 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		throw lastException;
 	}
 
+	private @Nullable Authentication applyPreviousAuthentication(@Nullable Authentication result) {
+		if (result == null) {
+			return null;
+		}
+		Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
+		if (current == null) {
+			return result;
+		}
+		if (!current.isAuthenticated()) {
+			return result;
+		}
+		return result.toBuilder().apply(current).build();
+	}
+
 	@SuppressWarnings("deprecation")
 	private void prepareException(AuthenticationException ex, Authentication auth) {
 		ex.setAuthenticationRequest(auth);
@@ -287,6 +307,11 @@ public List<AuthenticationProvider> getProviders() {
 		return this.providers;
 	}
 
+	public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 	@Override
 	public void setMessageSource(MessageSource messageSource) {
 		this.messages = new MessageSourceAccessor(messageSource);

core/src/test/java/org/springframework/security/authentication/DelegatingReactiveAuthenticationManagerTests.java

@@ -27,10 +27,13 @@
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
 
 /**
  * @author Rob Winch
@@ -118,6 +121,24 @@ void whenAccountStatusExceptionThenAuthenticationRequestIsIncluded() {
 		assertThat(expected.getAuthenticationRequest()).isEqualTo(this.authentication);
 	}
 
+	@Test
+	void authenticateWhenPreviousAuthenticationThenApplies() {
+		Authentication factorOne = new TestingAuthenticationToken("user", "pass", "FACTOR_ONE");
+		Authentication factorTwo = new TestingAuthenticationToken("user", "pass", "FACTOR_TWO");
+		ReactiveAuthenticationManager provider = mock(ReactiveAuthenticationManager.class);
+		given(provider.authenticate(any())).willReturn(Mono.just(factorTwo));
+		ReactiveAuthenticationManager manager = new DelegatingReactiveAuthenticationManager(provider);
+		Authentication request = new TestingAuthenticationToken("user", "password");
+		StepVerifier
+			.create(manager.authenticate(request)
+				.flatMapIterable(Authentication::getAuthorities)
+				.map(GrantedAuthority::getAuthority)
+				.contextWrite(ReactiveSecurityContextHolder.withAuthentication(factorOne)))
+			.expectNext("FACTOR_TWO")
+			.expectNext("FACTOR_ONE")
+			.verifyComplete();
+	}
+
 	private DelegatingReactiveAuthenticationManager managerWithContinueOnError() {
 		DelegatingReactiveAuthenticationManager manager = new DelegatingReactiveAuthenticationManager(this.delegate1,
 				this.delegate2);

core/src/test/java/org/springframework/security/authentication/ProviderManagerTests.java

@@ -19,12 +19,16 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Set;
 
 import org.junit.jupiter.api.Test;
 
 import org.springframework.context.MessageSource;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.core.context.SecurityContextImpl;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -310,6 +314,22 @@ void authenticateWhenFailsInParentAndPublishesThenChildDoesNotPublish() {
 		verifyNoMoreInteractions(publisher); // Child should not publish (duplicate event)
 	}
 
+	@Test
+	void authenticateWhenPreviousAuthenticationThenApplies() {
+		Authentication factorOne = new TestingAuthenticationToken("user", "pass", "FACTOR_ONE");
+		Authentication factorTwo = new TestingAuthenticationToken("user", "pass", "FACTOR_TWO");
+		SecurityContextHolderStrategy securityContextHolderStrategy = mock(SecurityContextHolderStrategy.class);
+		given(securityContextHolderStrategy.getContext()).willReturn(new SecurityContextImpl(factorOne));
+		AuthenticationProvider provider = mock(AuthenticationProvider.class);
+		given(provider.authenticate(any())).willReturn(factorTwo);
+		given(provider.supports(any())).willReturn(true);
+		ProviderManager manager = new ProviderManager(provider);
+		manager.setSecurityContextHolderStrategy(securityContextHolderStrategy);
+		Authentication request = new TestingAuthenticationToken("user", "password");
+		Set<String> authorities = AuthorityUtils.authorityListToSet(manager.authenticate(request).getAuthorities());
+		assertThat(authorities).containsExactlyInAnyOrder("FACTOR_ONE", "FACTOR_TWO");
+	}
+
 	private AuthenticationProvider createProviderWhichThrows(final AuthenticationException ex) {
 		AuthenticationProvider provider = mock(AuthenticationProvider.class);
 		given(provider.supports(any(Class.class))).willReturn(true);