Add SecurityAssertions

This commit introduces a simple, internal test API for
verifying aspects of an Authentication, like its name
and authorities.

Closes gh-17844

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/authentication/AuthenticationManagerBuilderTests.java

@@ -32,6 +32,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.ObjectPostProcessor;
@@ -44,7 +45,6 @@
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
@@ -107,8 +107,7 @@ public void getAuthenticationManagerWhenGlobalPasswordEncoderBeanThenUsed() thro
 			.getAuthenticationManager();
 		Authentication auth = manager
 			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
-		assertThat(auth.getName()).isEqualTo("user");
-		assertThat(auth.getAuthorities()).extracting(GrantedAuthority::getAuthority).containsOnly("ROLE_USER");
+		SecurityAssertions.assertThat(auth).name("user").hasAuthority("ROLE_USER");
 	}
 
 	@Test
@@ -119,8 +118,7 @@ public void getAuthenticationManagerWhenProtectedPasswordEncoderBeanThenUsed() t
 			.getAuthenticationManager();
 		Authentication auth = manager
 			.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));
-		assertThat(auth.getName()).isEqualTo("user");
-		assertThat(auth.getAuthorities()).extracting(GrantedAuthority::getAuthority).containsOnly("ROLE_USER");
+		SecurityAssertions.assertThat(auth).name("user").hasAuthority("ROLE_USER");
 	}
 
 	@Test

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java

@@ -45,6 +45,7 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.ObjectPostProcessor;
@@ -217,10 +218,9 @@ public void oauth2Login() throws Exception {
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(1);
-		assertThat(authentication.getAuthorities()).first()
-			.isInstanceOf(OAuth2UserAuthority.class)
-			.hasToString("OAUTH2_USER");
+		SecurityAssertions.assertThat(authentication)
+			.hasAuthority("OAUTH2_USER")
+			.isInstanceOf(OAuth2UserAuthority.class);
 	}
 
 	@Test
@@ -234,10 +234,9 @@ public void requestWhenCustomSecurityContextHolderStrategyThenUses() throws Exce
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(1);
-		assertThat(authentication.getAuthorities()).first()
-			.isInstanceOf(OAuth2UserAuthority.class)
-			.hasToString("OAUTH2_USER");
+		SecurityAssertions.assertThat(authentication)
+			.hasAuthority("OAUTH2_USER")
+			.isInstanceOf(OAuth2UserAuthority.class);
 		SecurityContextHolderStrategy strategy = this.context.getBean(SecurityContextHolderStrategy.class);
 		verify(strategy, atLeastOnce()).getDeferredContext();
 		SecurityContextChangedListener listener = this.context.getBean(SecurityContextChangedListener.class);
@@ -255,10 +254,9 @@ public void requestWhenOauth2LoginInLambdaThenAuthenticationContainsOauth2UserAu
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(1);
-		assertThat(authentication.getAuthorities()).first()
-			.isInstanceOf(OAuth2UserAuthority.class)
-			.hasToString("OAUTH2_USER");
+		SecurityAssertions.assertThat(authentication)
+			.hasAuthority("OAUTH2_USER")
+			.isInstanceOf(OAuth2UserAuthority.class);
 	}
 
 	// gh-6009
@@ -296,9 +294,7 @@ public void oauth2LoginCustomWithConfigurer() throws Exception {
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(2);
-		assertThat(authentication.getAuthorities()).first().hasToString("OAUTH2_USER");
-		assertThat(authentication.getAuthorities()).last().hasToString("ROLE_OAUTH2_USER");
+		SecurityAssertions.assertThat(authentication).hasAuthorities("OAUTH2_USER", "ROLE_OAUTH2_USER");
 	}
 
 	@Test
@@ -317,9 +313,7 @@ public void oauth2LoginCustomWithBeanRegistration() throws Exception {
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(2);
-		assertThat(authentication.getAuthorities()).first().hasToString("OAUTH2_USER");
-		assertThat(authentication.getAuthorities()).last().hasToString("ROLE_OAUTH2_USER");
+		SecurityAssertions.assertThat(authentication).hasAuthorities("OAUTH2_USER", "ROLE_OAUTH2_USER");
 	}
 
 	@Test
@@ -338,9 +332,7 @@ public void oauth2LoginCustomWithUserServiceBeanRegistration() throws Exception
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(2);
-		assertThat(authentication.getAuthorities()).first().hasToString("OAUTH2_USER");
-		assertThat(authentication.getAuthorities()).last().hasToString("ROLE_OAUTH2_USER");
+		SecurityAssertions.assertThat(authentication).hasAuthorities("OAUTH2_USER", "ROLE_OAUTH2_USER");
 	}
 
 	// gh-5488
@@ -361,10 +353,9 @@ public void oauth2LoginConfigLoginProcessingUrl() throws Exception {
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(1);
-		assertThat(authentication.getAuthorities()).first()
-			.isInstanceOf(OAuth2UserAuthority.class)
-			.hasToString("OAUTH2_USER");
+		SecurityAssertions.assertThat(authentication)
+			.hasAuthority("OAUTH2_USER")
+			.isInstanceOf(OAuth2UserAuthority.class);
 	}
 
 	// gh-5521
@@ -570,10 +561,7 @@ public void oidcLogin() throws Exception {
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(1);
-		assertThat(authentication.getAuthorities()).first()
-			.isInstanceOf(OidcUserAuthority.class)
-			.hasToString("OIDC_USER");
+		SecurityAssertions.assertThat(authentication).hasAuthority("OIDC_USER").isInstanceOf(OidcUserAuthority.class);
 	}
 
 	@Test
@@ -593,9 +581,7 @@ public void requestWhenOauth2LoginInLambdaAndOidcThenAuthenticationContainsOidcU
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
 		assertThat(authentication.getAuthorities()).hasSize(1);
-		assertThat(authentication.getAuthorities()).first()
-			.isInstanceOf(OidcUserAuthority.class)
-			.hasToString("OIDC_USER");
+		SecurityAssertions.assertThat(authentication).hasAuthority("OIDC_USER").isInstanceOf(OidcUserAuthority.class);
 	}
 
 	@Test
@@ -614,9 +600,7 @@ public void oidcLoginCustomWithConfigurer() throws Exception {
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(2);
-		assertThat(authentication.getAuthorities()).first().hasToString("OIDC_USER");
-		assertThat(authentication.getAuthorities()).last().hasToString("ROLE_OIDC_USER");
+		SecurityAssertions.assertThat(authentication).hasAuthorities("OIDC_USER", "ROLE_OIDC_USER");
 	}
 
 	@Test
@@ -635,9 +619,7 @@ public void oidcLoginCustomWithBeanRegistration() throws Exception {
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(2);
-		assertThat(authentication.getAuthorities()).first().hasToString("OIDC_USER");
-		assertThat(authentication.getAuthorities()).last().hasToString("ROLE_OIDC_USER");
+		SecurityAssertions.assertThat(authentication).hasAuthorities("OIDC_USER", "ROLE_OIDC_USER");
 	}
 
 	@Test
@@ -690,11 +672,7 @@ public void oidcLoginWhenOAuth2ClientBeansConfiguredThenNotShared() throws Excep
 		Authentication authentication = this.securityContextRepository
 			.loadContext(new HttpRequestResponseHolder(this.request, this.response))
 			.getAuthentication();
-		assertThat(authentication.getAuthorities()).hasSize(1);
-		assertThat(authentication.getAuthorities()).first()
-			.isInstanceOf(OidcUserAuthority.class)
-			.hasToString("OIDC_USER");
-
+		SecurityAssertions.assertThat(authentication).hasAuthority("OIDC_USER").isInstanceOf(OidcUserAuthority.class);
 		// Ensure shared objects set for OAuth2 Client are not used
 		ClientRegistrationRepository clientRegistrationRepository = this.spring.getContext()
 			.getBean(ClientRegistrationRepository.class);

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -2674,6 +2674,7 @@ String authenticated(Authentication authentication) {
 		String requiresReadScope(JwtAuthenticationToken token) {
 			return token.getAuthorities()
 				.stream()
+				.filter((ga) -> ga.getAuthority().startsWith("SCOPE_"))
 				.map(GrantedAuthority::getAuthority)
 				.collect(Collectors.toList())
 				.toString();

core/src/test/java/org/springframework/security/authentication/SecurityAssertions.java

@@ -0,0 +1,100 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authentication;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Set;
+import java.util.function.Predicate;
+
+import org.assertj.core.api.AbstractObjectAssert;
+import org.assertj.core.api.Assertions;
+import org.assertj.core.api.CollectionAssert;
+import org.assertj.core.api.Condition;
+import org.assertj.core.api.ObjectAssert;
+import org.jspecify.annotations.NullMarked;
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.AuthorityUtils;
+
+@NullMarked
+public final class SecurityAssertions {
+
+	private SecurityAssertions() {
+
+	}
+
+	public static AuthenticationAssert assertThat(@Nullable Authentication authentication) {
+		Assertions.assertThat(authentication).isNotNull();
+		return new AuthenticationAssert(authentication);
+	}
+
+	public static final class AuthenticationAssert extends AbstractObjectAssert<AuthenticationAssert, Authentication> {
+
+		private final Authentication authentication;
+
+		private AuthenticationAssert(Authentication authentication) {
+			super(authentication, AuthenticationAssert.class);
+			this.authentication = authentication;
+		}
+
+		public AuthenticationAssert name(String name) {
+			Assertions.assertThat(this.authentication.getName()).isEqualTo(name);
+			return this;
+		}
+
+		public ObjectAssert<GrantedAuthority> hasAuthority(String authority) {
+			Collection<? extends GrantedAuthority> actual = this.authentication.getAuthorities();
+			for (GrantedAuthority element : actual) {
+				if (element.getAuthority().equals(authority)) {
+					return new ObjectAssert<>(element);
+				}
+			}
+			throw new AssertionError(actual + " does not contain " + authority + " as expected");
+		}
+
+		public CollectionAssert<GrantedAuthority> hasAuthorities(String... authorities) {
+			HasAuthoritiesPredicate test = new HasAuthoritiesPredicate(authorities);
+			return authorities().has(new Condition<>(test, "contains %s", Arrays.toString(authorities)));
+		}
+
+		public CollectionAssert<GrantedAuthority> authorities() {
+			return new CollectionAssert<>(this.authentication.getAuthorities());
+		}
+
+	}
+
+	private static final class HasAuthoritiesPredicate implements Predicate<Collection<? extends GrantedAuthority>> {
+
+		private final Collection<String> expected;
+
+		private HasAuthoritiesPredicate(String... expected) {
+			this.expected = List.of(expected);
+		}
+
+		@Override
+		public boolean test(Collection<? extends GrantedAuthority> actual) {
+			Set<String> asString = AuthorityUtils.authorityListToSet(actual);
+			return asString.containsAll(this.expected);
+		}
+
+	}
+
+}

ldap/spring-security-ldap.gradle

@@ -19,7 +19,8 @@ dependencies {
 		exclude(group: 'org.springframework.data', module: 'spring-data-commons')
 	}
 
-	testImplementation project(':spring-security-test')
+	testImplementation project(path : ':spring-security-core', configuration : 'tests')
+	testImplementation project(":spring-security-test")
 	testImplementation 'org.slf4j:slf4j-api'
 	testImplementation "org.assertj:assertj-core"
 	testImplementation "org.junit.jupiter:junit-jupiter-api"

ldap/src/test/java/org/springframework/security/ldap/authentication/ad/ActiveDirectoryLdapAuthenticationProviderTests.java

@@ -42,6 +42,7 @@
 import org.springframework.security.authentication.DisabledException;
 import org.springframework.security.authentication.InternalAuthenticationServiceException;
 import org.springframework.security.authentication.LockedException;
+import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.ContextFactory;
@@ -357,10 +358,10 @@ private void checkAuthentication(String rootDn, ActiveDirectoryLdapAuthenticatio
 			.willReturn(new MockNamingEnumeration(sr));
 		provider.contextFactory = createContextFactoryReturning(this.ctx);
 		Authentication result = provider.authenticate(this.joe);
-		assertThat(result.getAuthorities()).isEmpty();
+		SecurityAssertions.assertThat(result).authorities().doesNotHaveToString("Admin");
 		dca.addAttributeValue("memberOf", "CN=Admin,CN=Users,DC=mydomain,DC=eu");
 		result = provider.authenticate(this.joe);
-		assertThat(result.getAuthorities()).hasSize(1);
+		SecurityAssertions.assertThat(result).hasAuthority("Admin");
 	}
 
 	static class MockNamingEnumeration implements NamingEnumeration<SearchResult> {

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java

@@ -165,7 +165,7 @@ public void authenticateWhenLoginSuccessThenReturnAuthentication() {
 		assertThat(authentication.isAuthenticated()).isTrue();
 		assertThat(authentication.getPrincipal()).isEqualTo(principal);
 		assertThat(authentication.getCredentials()).isEqualTo("");
-		assertThat(authentication.getAuthorities()).isEqualTo(authorities);
+		assertThat(authentication.getAuthorities()).containsAll(authorities);
 		assertThat(authentication.getClientRegistration()).isEqualTo(this.clientRegistration);
 		assertThat(authentication.getAuthorizationExchange()).isEqualTo(this.authorizationExchange);
 		assertThat(authentication.getAccessToken()).isEqualTo(accessTokenResponse.getAccessToken());

oauth2/oauth2-resource-server/spring-security-oauth2-resource-server.gradle

@@ -14,6 +14,7 @@ dependencies {
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 
+	testImplementation project(path : ':spring-security-core', configuration : 'tests')
 	testImplementation project(path: ':spring-security-oauth2-jose', configuration: 'tests')
 	testImplementation 'com.squareup.okhttp3:mockwebserver'
 	testImplementation 'com.fasterxml.jackson.core:jackson-databind'
@@ -27,5 +28,6 @@ dependencies {
 	testImplementation "org.mockito:mockito-junit-jupiter"
 	testImplementation "org.springframework:spring-test"
 
+
 	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
 }

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverterTests.java

@@ -23,6 +23,7 @@
 
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
@@ -46,9 +47,7 @@ public class JwtAuthenticationConverterTests {
 	public void convertWhenDefaultGrantedAuthoritiesConverterSet() {
 		Jwt jwt = TestJwts.jwt().claim("scope", "message:read message:write").build();
 		AbstractAuthenticationToken authentication = this.jwtAuthenticationConverter.convert(jwt);
-		Collection<GrantedAuthority> authorities = authentication.getAuthorities();
-		assertThat(authorities).containsExactly(new SimpleGrantedAuthority("SCOPE_message:read"),
-				new SimpleGrantedAuthority("SCOPE_message:write"));
+		SecurityAssertions.assertThat(authentication).hasAuthorities("SCOPE_message:read", "SCOPE_message:write");
 	}
 
 	@Test
@@ -65,8 +64,7 @@ public void convertWithOverriddenGrantedAuthoritiesConverter() {
 			.asList(new SimpleGrantedAuthority("blah"));
 		this.jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter);
 		AbstractAuthenticationToken authentication = this.jwtAuthenticationConverter.convert(jwt);
-		Collection<GrantedAuthority> authorities = authentication.getAuthorities();
-		assertThat(authorities).containsExactly(new SimpleGrantedAuthority("blah"));
+		SecurityAssertions.assertThat(authentication).hasAuthority("blah");
 	}
 
 	@Test