Add oidcLogin MockMvc Test Support

Fixes gh-7618

Author: jzheaux

samples/boot/oauth2login/src/integration-test/java/sample/OAuth2LoginApplicationTests.java

@@ -18,6 +18,7 @@
 import java.net.URI;
 import java.net.URL;
 import java.net.URLDecoder;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -40,6 +41,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -51,7 +53,9 @@
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
@@ -61,13 +65,18 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
+import static org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.SUB;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
 
 /**
  * Integration tests for the OAuth 2.0 client filters {@link OAuth2AuthorizationRequestRedirectFilter}
@@ -87,6 +96,9 @@ public class OAuth2LoginApplicationTests {
 	@Autowired
 	private WebClient webClient;
 
+	@Autowired
+	private MockMvc mvc;
+
 	@Autowired
 	private ClientRegistrationRepository clientRegistrationRepository;
 
@@ -284,6 +296,15 @@ public void requestAuthorizationCodeGrantWhenInvalidRedirectUriThenDisplayLoginP
 		assertThat(errorElement.asText()).contains("invalid_redirect_uri_parameter");
 	}
 
+	@Test
+	public void requestWhenMockOidcLoginThenIndex() throws Exception {
+		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github");
+		this.mvc.perform(get("/").with(oidcLogin().clientRegistration(clientRegistration)))
+				.andExpect(model().attribute("userName", "test-subject"))
+				.andExpect(model().attribute("clientName", "GitHub"))
+				.andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "test-subject")));
+	}
+
 	private void assertLoginPage(HtmlPage page) {
 		assertThat(page.getTitleText()).isEqualTo("Please sign in");
 
@@ -397,5 +418,10 @@ private OAuth2UserService<OAuth2UserRequest, OAuth2User> mockUserService() {
 			when(userService.loadUser(any())).thenReturn(user);
 			return userService;
 		}
+
+		@Bean
+		OAuth2AuthorizedClientRepository authorizedClientRepository() {
+			return new HttpSessionOAuth2AuthorizedClientRepository();
+		}
 	}
 }

samples/boot/oauth2login/src/test/java/sample/web/OAuth2LoginControllerTests.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright 2002-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.web;
+
+import java.util.Collections;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.SUB;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oidcLogin;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model;
+
+/**
+ * Tests for {@link OAuth2LoginController}
+ *
+ * @author Josh Cummings
+ */
+@RunWith(SpringRunner.class)
+@WebMvcTest
+@Import({OAuth2LoginController.class, OAuth2LoginControllerTests.OAuth2ClientConfig.class})
+public class OAuth2LoginControllerTests {
+
+	static ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test")
+			.authorizationGrantType(AuthorizationGrantType.PASSWORD)
+			.clientId("my-client-id")
+			.clientName("my-client-name")
+			.tokenUri("https://token-uri.example.org")
+			.build();
+
+	@Autowired
+	MockMvc mvc;
+
+	@Test
+	public void rootWhenAuthenticatedReturnsUserAndClient() throws Exception {
+		this.mvc.perform(get("/").with(oidcLogin()))
+			.andExpect(model().attribute("userName", "test-subject"))
+			.andExpect(model().attribute("clientName", "test"))
+			.andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "test-subject")));
+	}
+
+	@Test
+	public void rootWhenOverridingClientRegistrationReturnsAccordingly() throws Exception {
+		this.mvc.perform(get("/").with(oidcLogin()
+				.clientRegistration(clientRegistration)
+				.idToken(i -> i.subject("spring-security"))))
+				.andExpect(model().attribute("userName", "spring-security"))
+				.andExpect(model().attribute("clientName", "my-client-name"))
+				.andExpect(model().attribute("userAttributes", Collections.singletonMap(SUB, "spring-security")));
+	}
+
+	@Configuration
+	static class OAuth2ClientConfig {
+
+		@Bean
+		ClientRegistrationRepository clientRegistrationRepository() {
+			return new InMemoryClientRegistrationRepository(clientRegistration);
+		}
+
+		@Bean
+		OAuth2AuthorizedClientRepository authorizedClientRepository() {
+			return new HttpSessionOAuth2AuthorizedClientRepository();
+		}
+	}
+}

test/spring-security-test.gradle

@@ -7,6 +7,7 @@ dependencies {
 	compile 'org.springframework:spring-test'
 
 	optional project(':spring-security-config')
+	optional project(':spring-security-oauth2-client')
 	optional project(':spring-security-oauth2-jose')
 	optional project(':spring-security-oauth2-resource-server')
 	optional 'io.projectreactor:reactor-core'

test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java

@@ -25,7 +25,10 @@
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.function.Consumer;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -46,6 +49,19 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
@@ -314,6 +330,11 @@ public static RequestPostProcessor httpBasic(String username, String password) {
 		return new HttpBasicRequestPostProcessor(username, password);
 	}
 
+	public static OidcLoginRequestPostProcessor oidcLogin() {
+		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, "access-token", null, null, Collections.singleton("user"));
+		return new OidcLoginRequestPostProcessor(accessToken);
+	}
+
 	/**
 	 * Populates the X509Certificate instances onto the request
 	 */
@@ -1024,6 +1045,161 @@ public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request)
 
 	}
 
+	/**
+	 * @author Josh Cummings
+	 * @since 5.3
+	 */
+	public final static class OidcLoginRequestPostProcessor implements RequestPostProcessor {
+		private ClientRegistration clientRegistration;
+		private OAuth2AccessToken accessToken;
+		private OidcIdToken idToken;
+		private OidcUserInfo userInfo;
+		private OidcUser oidcUser;
+		private Collection<GrantedAuthority> authorities;
+
+		private OidcLoginRequestPostProcessor(OAuth2AccessToken accessToken) {
+			this.accessToken = accessToken;
+			this.clientRegistration = clientRegistrationBuilder().build();
+		}
+
+		/**
+		 * Use the provided authorities in the {@link Authentication}
+		 *
+		 * @param authorities the authorities to use
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor authorities(Collection<GrantedAuthority> authorities) {
+			Assert.notNull(authorities, "authorities cannot be null");
+			this.authorities = authorities;
+			return this;
+		}
+
+		/**
+		 * Use the provided authorities in the {@link Authentication}
+		 *
+		 * @param authorities the authorities to use
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor authorities(GrantedAuthority... authorities) {
+			Assert.notNull(authorities, "authorities cannot be null");
+			this.authorities = Arrays.asList(authorities);
+			return this;
+		}
+
+		/**
+		 * Use the provided {@link OidcIdToken} when constructing the authenticated user
+		 *
+		 * @param idTokenBuilderConsumer a {@link Consumer} of a {@link OidcIdToken.Builder}
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor idToken(Consumer<OidcIdToken.Builder> idTokenBuilderConsumer) {
+			OidcIdToken.Builder builder = OidcIdToken.withTokenValue("id-token");
+			builder.subject("test-subject");
+			idTokenBuilderConsumer.accept(builder);
+			this.idToken = builder.build();
+			return this;
+		}
+
+		/**
+		 * Use the provided {@link OidcUserInfo} when constructing the authenticated user
+		 *
+		 * @param userInfoBuilderConsumer a {@link Consumer} of a {@link OidcUserInfo.Builder}
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor userInfoToken(Consumer<OidcUserInfo.Builder> userInfoBuilderConsumer) {
+			OidcUserInfo.Builder builder = OidcUserInfo.builder();
+			userInfoBuilderConsumer.accept(builder);
+			this.userInfo = builder.build();
+			return this;
+		}
+
+		/**
+		 * Use the provided {@link OidcUser} as the authenticated user.
+		 *
+		 * Supplying an {@link OidcUser} will take precedence over {@link #idToken}, {@link #userInfo},
+		 * and list of {@link GrantedAuthority}s to use.
+		 *
+		 * @param oidcUser the {@link OidcUser} to use
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor oidcUser(OidcUser oidcUser) {
+			this.oidcUser = oidcUser;
+			return this;
+		}
+
+		/**
+		 * Use the provided {@link ClientRegistration} as the client to authorize.
+		 *
+		 * The supplied {@link ClientRegistration} will be registered into an
+		 * {@link HttpSessionOAuth2AuthorizedClientRepository}. Tests relying on
+		 * {@link org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient}
+		 * annotations should register a {@link HttpSessionOAuth2AuthorizedClientRepository} bean
+		 * to the application context.
+		 *
+		 * The client registration must be a valid {@link ClientRegistration} from the
+		 * {@link org.springframework.security.oauth2.client.registration.ClientRegistrationRepository}
+		 * in the application context.
+		 *
+		 * @param clientRegistration the {@link ClientRegistration} to use
+		 * @return the {@link OidcLoginRequestPostProcessor} for further configuration
+		 */
+		public OidcLoginRequestPostProcessor clientRegistration(ClientRegistration clientRegistration) {
+			this.clientRegistration = clientRegistration;
+			return this;
+		}
+
+		@Override
+		public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
+			OidcUser oidcUser = getOidcUser();
+			OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(oidcUser, oidcUser.getAuthorities(), this.clientRegistration.getRegistrationId());
+			OAuth2AuthorizedClient client = new OAuth2AuthorizedClient(this.clientRegistration, token.getName(), this.accessToken);
+			OAuth2AuthorizedClientRepository authorizedClientRepository = new HttpSessionOAuth2AuthorizedClientRepository();
+			authorizedClientRepository.saveAuthorizedClient(client, token, request, new MockHttpServletResponse());
+
+			return new AuthenticationRequestPostProcessor(token).postProcessRequest(request);
+		}
+
+		private ClientRegistration.Builder clientRegistrationBuilder() {
+			return ClientRegistration.withRegistrationId("test")
+					.authorizationGrantType(AuthorizationGrantType.PASSWORD)
+					.clientId("test-client")
+					.tokenUri("https://token-uri.example.org");
+		}
+
+		private Collection<GrantedAuthority> getAuthorities() {
+			if (this.authorities == null) {
+				Set<GrantedAuthority> authorities = new LinkedHashSet<>();
+				authorities.add(new OidcUserAuthority(getOidcIdToken(), getOidcUserInfo()));
+				for (String authority : this.accessToken.getScopes()) {
+					authorities.add(new SimpleGrantedAuthority("SCOPE_" + authority));
+				}
+				return authorities;
+			} else {
+				return this.authorities;
+			}
+		}
+
+		private OidcIdToken getOidcIdToken() {
+			if (this.idToken == null) {
+				return new OidcIdToken("id-token", null, null, Collections.singletonMap(IdTokenClaimNames.SUB, "test-subject"));
+			} else {
+				return this.idToken;
+			}
+		}
+
+		private OidcUserInfo getOidcUserInfo() {
+			return this.userInfo;
+		}
+
+		private OidcUser getOidcUser() {
+			if (this.oidcUser == null) {
+				return new DefaultOidcUser(getAuthorities(), getOidcIdToken(), this.userInfo);
+			} else {
+				return this.oidcUser;
+			}
+		}
+	}
+
 	private SecurityMockMvcRequestPostProcessors() {
 	}
 }