Fix the problem of not being able to create PAT for OAuth2 user (#6870)

#### What type of PR is this? /kind bug /area core /milestone 2.20.x #### What this PR does / why we need it: This PR refactors check of whether the current user is a real user to fix the problem of not being able to create PAT for OAuth2 user. #### Does this PR introduce a user-facing change? ```release-note 修复通过 OAuth2 登录之后无法正常创建和恢复个人令牌的问题 ```
2024-10-15 16:51:22 +08:00 · 2024-10-15 16:51:22 +08:00 · b95a83a242
parent c3020d6a85
commit b95a83a242
3 changed files with 9 additions and 26 deletions
--- a/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java
+++ b/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java
@ -11,6 +11,8 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Objects;
 import java.util.function.Predicate;
+import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
@ -64,6 +66,9 @@ public class UserScopedPatHandlerImpl implements UserScopedPatHandler {

    private Clock clock;

+    private final AuthenticationTrustResolver authTrustResolver =
+        new AuthenticationTrustResolverImpl();
+
    public UserScopedPatHandlerImpl(ReactiveExtensionClient client,
        CryptoService cryptoService,
        ExternalUrlSupplier externalUrl,
@ -84,8 +89,8 @@ public class UserScopedPatHandlerImpl implements UserScopedPatHandler {
        this.clock = clock;
    }

-    private static Mono<Authentication> mustBeRealUser(Mono<Authentication> authentication) {
-        return authentication.filter(AuthorityUtils::isRealUser)
+    private Mono<Authentication> mustBeAuthenticated(Mono<Authentication> authentication) {
+        return authentication.filter(authTrustResolver::isAuthenticated)
            // Non-username-password authentication could not access the API at any time.
            .switchIfEmpty(Mono.error(AccessDeniedException::new));
    }
@ -94,7 +99,7 @@ public class UserScopedPatHandlerImpl implements UserScopedPatHandler {
    public Mono<ServerResponse> create(ServerRequest request) {
        return ReactiveSecurityContextHolder.getContext()
            .map(SecurityContext::getAuthentication)
-            .transform(UserScopedPatHandlerImpl::mustBeRealUser)
+            .transform(this::mustBeAuthenticated)
            .flatMap(auth -> request.bodyToMono(PersonalAccessToken.class)
                .switchIfEmpty(
                    Mono.error(() -> new ServerWebInputException("Missing request body.")))
@ -222,7 +227,7 @@ public class UserScopedPatHandlerImpl implements UserScopedPatHandler {
    public Mono<ServerResponse> restore(ServerRequest request) {
        var restoredPat = ReactiveSecurityContextHolder.getContext()
            .map(SecurityContext::getAuthentication)
-            .transform(UserScopedPatHandlerImpl::mustBeRealUser)
+            .transform(this::mustBeAuthenticated)
            .flatMap(auth -> {
                var name = request.pathVariable("name");
                return getPat(name, auth.getName());
--- a/application/src/main/java/run/halo/app/security/authorization/AuthorityUtils.java
+++ b/application/src/main/java/run/halo/app/security/authorization/AuthorityUtils.java
@ -4,9 +4,6 @@ import java.util.Collection;
 import java.util.Set;
 import java.util.stream.Collectors;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.security.authentication.RememberMeAuthenticationToken;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
-import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;

 /**
@ -51,14 +48,4 @@ public enum AuthorityUtils {
        return roles.contains(SUPER_ROLE_NAME);
    }

-    /**
-     * Check if the authentication is a real user.
-     *
-     * @param authentication current authentication
-     * @return true if the authentication is a real user; false otherwise
-     */
-    public static boolean isRealUser(Authentication authentication) {
-        return authentication instanceof UsernamePasswordAuthenticationToken
-            || authentication instanceof RememberMeAuthenticationToken;
-    }
 }
--- a/application/src/test/java/run/halo/app/security/authorization/AuthorityUtilsTest.java
+++ b/application/src/test/java/run/halo/app/security/authorization/AuthorityUtilsTest.java
@ -3,16 +3,12 @@ package run.halo.app.security.authorization;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.mockito.Mockito.mock;
 import static run.halo.app.security.authorization.AuthorityUtils.authoritiesToRoles;
 import static run.halo.app.security.authorization.AuthorityUtils.containsSuperRole;
-import static run.halo.app.security.authorization.AuthorityUtils.isRealUser;

 import java.util.List;
 import java.util.Set;
 import org.junit.jupiter.api.Test;
-import org.springframework.security.authentication.RememberMeAuthenticationToken;
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;

 class AuthorityUtilsTest {
@ -39,9 +35,4 @@ class AuthorityUtilsTest {
        assertFalse(containsSuperRole(Set.of("admin")));
    }

-    @Test
-    void shouldReturnTrueWhenAuthenticationIsRealUser() {
-        assertTrue(isRealUser(mock(UsernamePasswordAuthenticationToken.class)));
-        assertTrue(isRealUser(mock(RememberMeAuthenticationToken.class)));
-    }
 }