Add hasIpAddress to Kotlin DSL

brunodmartins · jzheaux · commit ea7c720ce7a7 · 2023-12-15T16:54:58.000-07:00
Closes gh-10577
diff --git a/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt b/config/src/main/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDsl.kt
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -26,6 +26,7 @@ import org.springframework.security.config.annotation.web.configurers.AuthorizeH
 import org.springframework.security.core.Authentication
 import org.springframework.security.web.access.intercept.AuthorizationFilter
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext
+import org.springframework.security.web.server.authorization.IpAddressAuthorizationManager
 import org.springframework.security.web.servlet.util.matcher.MvcRequestMatcher
 import org.springframework.security.web.util.matcher.AnyRequestMatcher
 import org.springframework.security.web.util.matcher.RequestMatcher
@@ -222,6 +223,13 @@ class AuthorizeHttpRequestsDsl : AbstractRequestMatcherDsl() {
         return AuthorityAuthorizationManager.hasAnyRole(*roles)
     }
 
+    /**
+     * Require a specific IP or range of IP addresses.
+     * @since 6.3
+     */
+    fun hasIpAddress(ipAddress: String): AuthorizationManager<RequestAuthorizationContext> =
+        IpAddressAuthorizationManager.hasIpAddress(ipAddress)
+
     /**
      * Specify that URLs are allowed by anyone.
      */
diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/AuthorizeHttpRequestsDslTests.kt
@@ -816,4 +816,41 @@ class AuthorizeHttpRequestsDslTests {
         }
 
     }
+
+    @Test
+    fun `request when ip address does not match then responds with forbidden`() {
+        this.spring.register(HasIpAddressConfig::class.java).autowire()
+
+        this.mockMvc.perform(get("/path")
+            .with { request ->
+                request.setAttribute(WebUtils.ERROR_REQUEST_URI_ATTRIBUTE, "/error")
+                request.apply {
+                    dispatcherType = DispatcherType.ERROR
+                }
+            })
+            .andExpect(status().isForbidden)
+    }
+
+    @Configuration
+    @EnableWebSecurity
+    @EnableWebMvc
+    open class HasIpAddressConfig {
+
+        @Bean
+        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            http {
+                authorizeHttpRequests {
+                    authorize(anyRequest, hasIpAddress("10.0.0.0/24"))
+                }
+            }
+            return http.build()
+        }
+
+        @RestController
+        internal class PathController {
+            @RequestMapping("/path")
+            fun path() {
+            }
+        }
+    }
 }
diff --git a/web/src/main/java/org/springframework/security/web/server/authorization/IpAddressAuthorizationManager.java b/web/src/main/java/org/springframework/security/web/server/authorization/IpAddressAuthorizationManager.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2002-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.server.authorization;
+
+import java.util.function.Supplier;
+
+import org.springframework.security.authorization.AuthorizationDecision;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
+import org.springframework.security.web.util.matcher.IpAddressMatcher;
+import org.springframework.util.Assert;
+
+/**
+ * A {@link AuthorizationManager}, that determines if the current request contains the
+ * specified address or range of addresses
+ *
+ * @author brunodmartins
+ * @since 6.3
+ */
+public final class IpAddressAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
+
+	private final IpAddressMatcher ipAddressMatcher;
+
+	IpAddressAuthorizationManager(String ipAddress) {
+		this.ipAddressMatcher = new IpAddressMatcher(ipAddress);
+	}
+
+	/**
+	 * Creates an instance of {@link IpAddressAuthorizationManager} with the provided IP
+	 * address.
+	 * @param ipAddress the address or range of addresses from which the request must
+	 * @return the new instance
+	 */
+	public static IpAddressAuthorizationManager hasIpAddress(String ipAddress) {
+		Assert.notNull(ipAddress, "ipAddress cannot be null");
+		return new IpAddressAuthorizationManager(ipAddress);
+	}
+
+	@Override
+	public AuthorizationDecision check(Supplier<Authentication> authentication,
+			RequestAuthorizationContext requestAuthorizationContext) {
+		return new AuthorizationDecision(
+				this.ipAddressMatcher.matcher(requestAuthorizationContext.getRequest()).isMatch());
+	}
+
+}
