feat: any user who accesses the system has the anonymous role (#2443)

#### What type of PR is this? /kind improvement /area core /milestone 2.0 #### What this PR does / why we need it: - 未认证用户在系统中被定义为匿名用户(username=anonymousUser)，它在授权系统中具有 principle=anonymousUser 且 role=anonymous，key=[secure randomly generated key] - 未认证用户和已认证用户都将被赋予一个匿名用户角色参考： - [Spring security#ServerHttpSecurity.AnonymousSpec](70460ca009/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java (L4387)) - [Spring security reactive AnonymousAuthenticationWebFilter](70460ca009/web/src/main/java/org/springframework/security/web/server/authentication/AnonymousAuthenticationWebFilter.java (L46)) #### Which issue(s) this PR fixes: Fixes # #### Special notes for your reviewer: /cc @halo-dev/sig-halo #### Does this PR introduce a user-facing change? ```release-note None ```
2022-09-22 14:58:12 +08:00 · 2022-09-22 14:58:12 +08:00 · cda6402780
parent bfbc4ec70a
commit cda6402780
6 changed files with 100 additions and 12 deletions
--- a/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@ -34,6 +34,7 @@ import org.springframework.web.reactive.function.server.ServerResponse;
 import run.halo.app.core.extension.service.RoleService;
 import run.halo.app.core.extension.service.UserService;
 import run.halo.app.extension.ReactiveExtensionClient;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.infra.properties.HaloProperties;
 import run.halo.app.infra.properties.JwtProperties;
 import run.halo.app.security.DefaultUserDetailService;
@ -68,6 +69,10 @@ public class WebServerSecurityConfig {
            .securityMatcher(pathMatchers("/api/**", "/apis/**", "/login", "/logout"))
            .authorizeExchange(exchanges ->
                exchanges.anyExchange().access(new RequestInfoAuthorizationManager(roleService)))
            .anonymous(anonymousSpec -> {
                anonymousSpec.authorities(AnonymousUserConst.Role);
                anonymousSpec.principal(AnonymousUserConst.PRINCIPAL);
            })
            .httpBasic(withDefaults())
            .formLogin(withDefaults())
            .logout(withDefaults())
--- a/src/main/java/run/halo/app/infra/AnonymousUserConst.java
+++ b/src/main/java/run/halo/app/infra/AnonymousUserConst.java
@ -0,0 +1,7 @@
 package run.halo.app.infra;
 public interface AnonymousUserConst {
    String PRINCIPAL = "anonymousUser";
    String Role = "anonymous";
 }
--- a/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java
+++ b/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java
@ -19,6 +19,7 @@ import run.halo.app.core.extension.service.DefaultRoleBindingService;
 import run.halo.app.core.extension.service.RoleBindingService;
 import run.halo.app.core.extension.service.RoleService;
 import run.halo.app.extension.MetadataOperator;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.infra.utils.JsonUtils;
 /**
@ -56,7 +57,10 @@ public class DefaultRuleResolver implements AuthorizationRuleResolver {
        Set<String> roleNamesImmutable =
            roleBindingService.listBoundRoleNames(user.getAuthorities());
        Set<String> roleNames = new HashSet<>(roleNamesImmutable);
-        roleNames.add(AUTHENTICATED_ROLE);
+        if (!AnonymousUserConst.PRINCIPAL.equals(user.getUsername())) {
            roleNames.add(AUTHENTICATED_ROLE);
            roleNames.add(AnonymousUserConst.Role);
        }
        List<Role.PolicyRule> rules = Collections.emptyList();
        for (String roleName : roleNames) {
@ -84,7 +88,10 @@ public class DefaultRuleResolver implements AuthorizationRuleResolver {
    public Mono<AuthorizingVisitor> visitRules(UserDetails user, RequestInfo requestInfo) {
        var roleNamesImmutable = roleBindingService.listBoundRoleNames(user.getAuthorities());
        var roleNames = new HashSet<>(roleNamesImmutable);
-        roleNames.add(AUTHENTICATED_ROLE);
+        if (!AnonymousUserConst.PRINCIPAL.equals(user.getUsername())) {
            roleNames.add(AUTHENTICATED_ROLE);
            roleNames.add(AnonymousUserConst.Role);
        }
        var record = new AttributesRecord(user, requestInfo);
        var visitor = new AuthorizingVisitor(record);
--- a/src/main/java/run/halo/app/security/authorization/RequestInfoAuthorizationManager.java
+++ b/src/main/java/run/halo/app/security/authorization/RequestInfoAuthorizationManager.java
@ -3,8 +3,6 @@ package run.halo.app.security.authorization;
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.server.reactive.ServerHttpRequest;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.authorization.AuthorizationDecision;
 import org.springframework.security.authorization.ReactiveAuthorizationManager;
 import org.springframework.security.core.Authentication;
@ -20,8 +18,6 @@ import run.halo.app.core.extension.service.RoleService;
 public class RequestInfoAuthorizationManager
    implements ReactiveAuthorizationManager<AuthorizationContext> {
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
    private final AuthorizationRuleResolver ruleResolver;
    public RequestInfoAuthorizationManager(RoleService roleService) {
@ -48,12 +44,7 @@ public class RequestInfoAuthorizationManager
    }
    private boolean isGranted(Authentication authentication) {
-        return authentication != null && isNotAnonymous(authentication)
+        return authentication != null && authentication.isAuthenticated();
            && authentication.isAuthenticated();
    }
    private boolean isNotAnonymous(Authentication authentication) {
        return !this.trustResolver.isAnonymous(authentication);
    }
    private UserDetails createUserDetails(Authentication authentication) {
--- a/src/test/java/run/halo/app/security/authentication/jwt/JwtAuthenticationTest.java
+++ b/src/test/java/run/halo/app/security/authentication/jwt/JwtAuthenticationTest.java
@ -2,9 +2,12 @@ package run.halo.app.security.authentication.jwt;
 import static org.hamcrest.Matchers.containsString;
 import static org.mockito.ArgumentMatchers.anyString;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.lenient;
 import static org.mockito.Mockito.when;
 import java.util.List;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
@ -18,6 +21,7 @@ import reactor.core.publisher.Mono;
 import run.halo.app.core.extension.Role;
 import run.halo.app.core.extension.service.RoleService;
 import run.halo.app.extension.Metadata;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.security.LoginUtils;
@SpringBootTest
@ -33,6 +37,12 @@ class JwtAuthenticationTest {
    @MockBean
    RoleService roleService;
    @BeforeEach
    void setUp() {
        lenient().when(roleService.getMonoRole(eq(AnonymousUserConst.Role)))
            .thenReturn(Mono.empty());
    }
    @Test
    void accessProtectedApiWithoutToken() {
        webClient.get().uri("/api/v1/test/hello").exchange().expectStatus().isUnauthorized();
--- a/src/test/java/run/halo/app/security/authorization/AuthorizationTest.java
+++ b/src/test/java/run/halo/app/security/authorization/AuthorizationTest.java
@ -10,6 +10,7 @@ import static org.springframework.web.reactive.function.server.RequestPredicates
 import static org.springframework.web.reactive.function.server.RequestPredicates.accept;
 import static org.springframework.web.reactive.function.server.RouterFunctions.route;
 import java.util.ArrayList;
 import java.util.List;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@ -24,6 +25,7 @@ import org.springframework.http.MediaType;
 import org.springframework.lang.NonNull;
 import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.web.reactive.function.server.RouterFunction;
 import org.springframework.web.reactive.function.server.ServerRequest;
@ -32,7 +34,9 @@ import reactor.core.publisher.Mono;
 import run.halo.app.core.extension.Role;
 import run.halo.app.core.extension.Role.PolicyRule;
 import run.halo.app.core.extension.service.RoleService;
 import run.halo.app.extension.Metadata;
 import run.halo.app.extension.exception.ExtensionNotFoundException;
 import run.halo.app.infra.AnonymousUserConst;
 import run.halo.app.security.LoginUtils;
@SpringBootTest
@ -69,6 +73,8 @@ class AuthorizationTest {
        when(userDetailsService.findByUsername(eq("user"))).thenReturn(Mono.just(
            User.withDefaultPasswordEncoder().username("user").password("password")
                .roles("post.read").build()));
        when(roleService.getMonoRole(eq(AnonymousUserConst.Role)))
            .thenReturn(Mono.empty());
        var role = new Role();
        role.setRules(List.of(
@ -94,6 +100,68 @@ class AuthorizationTest {
        verify(roleService, times(2)).getMonoRole("post.read");
    }
    @Test
    void anonymousUserAccessProtectedApi() {
        when(userDetailsService.findByUsername(eq(AnonymousUserConst.PRINCIPAL)))
            .thenReturn(Mono.empty());
        when(roleService.getMonoRole(AnonymousUserConst.Role))
            .thenReturn(Mono.empty());
        webClient.get().uri("/apis/fake.halo.run/v1/posts").exchange().expectStatus()
            .isUnauthorized();
        verify(roleService, times(1)).getMonoRole(AnonymousUserConst.Role);
    }
    @Test
    void anonymousUserAccessAuthenticationFreeApi() {
        when(userDetailsService.findByUsername(eq(AnonymousUserConst.PRINCIPAL)))
            .thenReturn(Mono.empty());
        Role role = new Role();
        role.setMetadata(new Metadata());
        role.getMetadata().setName(AnonymousUserConst.Role);
        role.setRules(new ArrayList<>());
        PolicyRule policyRule = new PolicyRule.Builder()
            .apiGroups("fake.halo.run")
            .verbs("list")
            .resources("posts")
            .build();
        role.getRules().add(policyRule);
        when(roleService.getMonoRole(AnonymousUserConst.Role))
            .thenReturn(Mono.just(role));
        webClient.get().uri("/apis/fake.halo.run/v1/posts").exchange().expectStatus()
            .isOk()
            .expectBody(String.class).isEqualTo("returned posts");
        verify(roleService, times(1)).getMonoRole(AnonymousUserConst.Role);
        webClient.get().uri("/apis/fake.halo.run/v1/posts/hello-halo").exchange()
            .expectStatus()
            .isUnauthorized();
        verify(roleService, times(2)).getMonoRole(AnonymousUserConst.Role);
    }
    @Test
    @WithMockUser(username = "user", roles = "post.read")
    void authenticatedUserAccessAuthenticationFreeApi() {
        when(roleService.getMonoRole("authenticated")).thenReturn(Mono.empty());
        when(roleService.getMonoRole("post.read")).thenReturn(Mono.empty());
        Role role = new Role();
        role.setMetadata(new Metadata());
        role.getMetadata().setName(AnonymousUserConst.Role);
        role.setRules(new ArrayList<>());
        PolicyRule policyRule = new PolicyRule.Builder()
            .apiGroups("fake.halo.run")
            .verbs("list")
            .resources("posts")
            .build();
        role.getRules().add(policyRule);
        when(roleService.getMonoRole(AnonymousUserConst.Role))
            .thenReturn(Mono.just(role));
        webClient.get().uri("/apis/fake.halo.run/v1/posts").exchange().expectStatus()
            .isOk()
            .expectBody(String.class).isEqualTo("returned posts");
    }
    @TestConfiguration
    static class TestConfig {