Mock Jwt Disables CSRF

jzheaux · jzheaux · commit b55b2914c2bd · 2019-09-13T19:04:05.000+01:00
Fixes gh-7170
diff --git a/samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java b/samples/boot/oauth2resourceserver/src/test/java/sample/OAuth2ResourceServerControllerTests.java
@@ -25,16 +25,13 @@
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
-import org.springframework.security.oauth2.jwt.Jwt;
 
 import static org.hamcrest.CoreMatchers.is;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.mockito.Mockito.when;
 
 /**
  *
@@ -77,41 +74,26 @@ public void messageCanNotBeReadWithoutScopeMessageReadAuthority() throws Excepti
 
 	@Test
 	public void messageCanNotBeCreatedWithoutAnyScope() throws Exception {
-		Jwt jwt = Jwt.withTokenValue("token")
-				.header("alg", "none")
-				.claim("scope", "")
-				.build();
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 		mockMvc.perform(post("/message")
 				.content("Hello message")
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
+				.with(jwt()))
 				.andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void messageCanNotBeCreatedWithScopeMessageReadAuthority() throws Exception {
-		Jwt jwt = Jwt.withTokenValue("token")
-				.header("alg", "none")
-				.claim("scope", "message:read")
-				.build();
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 		mockMvc.perform(post("/message")
 				.content("Hello message")
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
+				.with(jwt(jwt -> jwt.claim("scope", "message:read"))))
 				.andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void messageCanBeCreatedWithScopeMessageWriteAuthority()
 			throws Exception {
-		Jwt jwt = Jwt.withTokenValue("token")
-				.header("alg", "none")
-				.claim("scope", "message:write")
-				.build();
-		when(jwtDecoder.decode(anyString())).thenReturn(jwt);
 		mockMvc.perform(post("/message")
 				.content("Hello message")
-				.header("Authorization", "Bearer " + jwt.getTokenValue()))
+				.with(jwt(jwt -> jwt.claim("scope", "message:write"))))
 				.andExpect(status().isOk())
 				.andExpect(content().string(is("Message was created. Content: Hello message")));
 	}
diff --git a/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java b/test/src/main/java/org/springframework/security/test/web/reactive/server/SecurityMockServerConfigurers.java
@@ -419,6 +419,10 @@ public void afterConfigurerAdded(
 				WebTestClient.Builder builder,
 				@Nullable WebHttpHandlerBuilder httpHandlerBuilder,
 				@Nullable ClientHttpConnector connector) {
+			httpHandlerBuilder.filter((exchange, chain) -> {
+				CsrfWebFilter.skipExchange(exchange);
+				return chain.filter(exchange);
+			});
 			configurer().afterConfigurerAdded(builder, httpHandlerBuilder, connector);
 		}
 
diff --git a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java
@@ -55,6 +55,7 @@
 import org.springframework.security.web.context.HttpRequestResponseHolder;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
@@ -63,6 +64,7 @@
 import org.springframework.util.Assert;
 import org.springframework.util.DigestUtils;
 
+import static java.lang.Boolean.TRUE;
 import static org.springframework.security.oauth2.jwt.JwtClaimNames.SUB;
 
 /**
@@ -502,11 +504,11 @@ public CsrfToken loadToken(HttpServletRequest request) {
 			}
 
 			public static void enable(HttpServletRequest request) {
-				request.setAttribute(ENABLED_ATTR_NAME, Boolean.TRUE);
+				request.setAttribute(ENABLED_ATTR_NAME, TRUE);
 			}
 
 			public boolean isEnabled(HttpServletRequest request) {
-				return Boolean.TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME));
+				return TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME));
 			}
 		}
 	}
@@ -1043,6 +1045,7 @@ public JwtRequestPostProcessor authorities(Converter<Jwt, Collection<GrantedAuth
 
 		@Override
 		public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
+			CsrfFilter.skipRequest(request);
 			JwtAuthenticationToken token = new JwtAuthenticationToken(this.jwt, this.authorities);
 			return new AuthenticationRequestPostProcessor(token).postProcessRequest(request);
 		}

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@`
`55`	`55`	`import org.springframework.security.web.context.HttpRequestResponseHolder;`
`56`	`56`	`import org.springframework.security.web.context.SecurityContextPersistenceFilter;`
`57`	`57`	`import org.springframework.security.web.context.SecurityContextRepository;`
	`58`	`+import org.springframework.security.web.csrf.CsrfFilter;`
`58`	`59`	`import org.springframework.security.web.csrf.CsrfToken;`
`59`	`60`	`import org.springframework.security.web.csrf.CsrfTokenRepository;`
`60`	`61`	`import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;`
`@@ -63,6 +64,7 @@`
`63`	`64`	`import org.springframework.util.Assert;`
`64`	`65`	`import org.springframework.util.DigestUtils;`
`65`	`66`
	`67`	`+import static java.lang.Boolean.TRUE;`
`66`	`68`	`import static org.springframework.security.oauth2.jwt.JwtClaimNames.SUB;`
`67`	`69`
`68`	`70`	`/**`
`@@ -502,11 +504,11 @@ public CsrfToken loadToken(HttpServletRequest request) {`
`502`	`504`	`}`
`503`	`505`
`504`	`506`	`public static void enable(HttpServletRequest request) {`
`505`		`- request.setAttribute(ENABLED_ATTR_NAME, Boolean.TRUE);`
	`507`	`+ request.setAttribute(ENABLED_ATTR_NAME, TRUE);`
`506`	`508`	`}`
`507`	`509`
`508`	`510`	`public boolean isEnabled(HttpServletRequest request) {`
`509`		`- return Boolean.TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME));`
	`511`	`+ return TRUE.equals(request.getAttribute(ENABLED_ATTR_NAME));`
`510`	`512`	`}`
`511`	`513`	`}`
`512`	`514`	`}`
`@@ -1043,6 +1045,7 @@ public JwtRequestPostProcessor authorities(Converter<Jwt, Collection<GrantedAuth`
`1043`	`1045`
`1044`	`1046`	`@Override`
`1045`	`1047`	`public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {`
	`1048`	`+ CsrfFilter.skipRequest(request);`
`1046`	`1049`	`JwtAuthenticationToken token = new JwtAuthenticationToken(this.jwt, this.authorities);`
`1047`	`1050`	`return new AuthenticationRequestPostProcessor(token).postProcessRequest(request);`
`1048`	`1051`	`}`