我很难让我的控制器单元测试工作,因为IMO,如果使用OAuth,Spring doc中的内容是不够的。就我而言,它是与JWT的Oauth2。
我尝试使用@WithMockUser
,@WithUserDetails
,甚至用@WithSecurityContext
和自定义UserSecurityContextFactory
定义我自己的注释,但在安全表达式所在的时候,UserSecurityContext中总是有匿名用户评估,无论我在我的工厂设置测试环境......
我提出了我刚才提出的解决方案,但由于我不确定嘲笑TokenService是最有效/最干净的方式,请随时提供更好的解决方案。
答案 0 :(得分:4)
[编辑于2019年5月]
此解决方案特定于spring-security-oauth2,现已弃用
我写了a lib to achieve the same goal with Spring5
我迭代的解决方案是将请求中的虚拟“Authorization”标头与拦截它的模拟令牌服务相结合(如果你看一下编辑堆栈,经过几次尝试)。
我在lib on Github中提供了完整的帮助来源,您可以找到示例OAuth2控制器测试there。
简化:没有授权标题 - >未触发ResourceServerTokenServices - > SecurityContext在OAuth堆栈中将是匿名的(无论您尝试将其设置为@WithMockUser或类似)。
这里有两个案例:
我已经描述了一种类似的方法,我将头发拉了几天并从头开始构建,我已经了解过here。我只是进一步模拟了@WebMvcTest
的Oauth2Authentication配置和工具。
示例用法
由于这篇文章很长,暴露了涉及相当多代码的解决方案,让我们开始使用结果,以便您可以决定是否值得阅读;)
@WebMvcTest(MyController.class) // Controller to unit-test
@Import(WebSecurityConfig.class) // your class extending WebSecurityConfigurerAdapter
public class MyControllerTest extends OAuth2ControllerTest {
@Test
public void testWithUnauthenticatedClient() throws Exception {
api.post(payload, "/endpoint")
.andExpect(...);
}
@Test
@WithMockOAuth2Client
public void testWithDefaultClient() throws Exception {
api.get("/endpoint")
.andExpect(...);
}
@Test
@WithMockOAuth2User
public void testWithDefaultClientOnBehalfDefaultUser() throws Exception {
MockHttpServletRequestBuilder req = api.postRequestBuilder(null, "/uaa/refresh")
.header("refresh_token", JWT_REFRESH_TOKEN);
api.perform(req)
.andExpect(status().isOk())
.andExpect(...)
}
@Test
@WithMockOAuth2User(
client = @WithMockOAuth2Client(
clientId = "custom-client",
scope = {"custom-scope", "other-scope"},
authorities = {"custom-authority", "ROLE_CUSTOM_CLIENT"}),
user = @WithMockUser(
username = "custom-username",
authorities = {"custom-user-authority"}))
public void testWithCustomClientOnBehalfCustomUser() throws Exception {
api.get(MediaType.APPLICATION_ATOM_XML, "/endpoint")
.andExpect(status().isOk())
.andExpect(xpath(...));
}
}
时髦,不是吗?
P.S。 api
是MockMvcHelper
的一个实例,是MockMvc
我自己的包装器,在本文末尾提供。
@ WithMockOAuth2Client 模拟仅客户端身份验证(不涉及最终用户)
@Retention(RetentionPolicy.RUNTIME)
@WithSecurityContext(factory = WithMockOAuth2Client.WithMockOAuth2ClientSecurityContextFactory.class)
public @interface WithMockOAuth2Client {
String clientId() default "web-client";
String[] scope() default {"openid"};
String[] authorities() default {};
boolean approved() default true;
class WithMockOAuth2ClientSecurityContextFactory implements WithSecurityContextFactory<WithMockOAuth2Client> {
public static OAuth2Request getOAuth2Request(final WithMockOAuth2Client annotation) {
final Set<? extends GrantedAuthority> authorities = Stream.of(annotation.authorities())
.map(auth -> new SimpleGrantedAuthority(auth))
.collect(Collectors.toSet());
final Set<String> scope = Stream.of(annotation.scope())
.collect(Collectors.toSet());
return new OAuth2Request(
null,
annotation.clientId(),
authorities,
annotation.approved(),
scope,
null,
null,
null,
null);
}
@Override
public SecurityContext createSecurityContext(final WithMockOAuth2Client annotation) {
final SecurityContext ctx = SecurityContextHolder.createEmptyContext();
ctx.setAuthentication(new OAuth2Authentication(getOAuth2Request(annotation), null));
SecurityContextHolder.setContext(ctx);
return ctx;
}
}
}
@ WithMockOAuth2User 模拟客户端代表最终用户进行身份验证
@Retention(RetentionPolicy.RUNTIME)
@WithSecurityContext(factory = WithMockOAuth2User.WithMockOAuth2UserSecurityContextFactory.class)
public @interface WithMockOAuth2User {
WithMockOAuth2Client client() default @WithMockOAuth2Client();
WithMockUser user() default @WithMockUser();
class WithMockOAuth2UserSecurityContextFactory implements WithSecurityContextFactory<WithMockOAuth2User> {
/**
* Sadly, #WithMockUserSecurityContextFactory is not public,
* so re-implement mock user authentication creation
*
* @param user
* @return an Authentication with provided user details
*/
public static UsernamePasswordAuthenticationToken getUserAuthentication(final WithMockUser user) {
final String principal = user.username().isEmpty() ? user.value() : user.username();
final Stream<String> grants = user.authorities().length == 0 ?
Stream.of(user.roles()).map(r -> "ROLE_" + r) :
Stream.of(user.authorities());
final Set<? extends GrantedAuthority> userAuthorities = grants
.map(auth -> new SimpleGrantedAuthority(auth))
.collect(Collectors.toSet());
return new UsernamePasswordAuthenticationToken(
new User(principal, user.password(), userAuthorities),
principal + ":" + user.password(),
userAuthorities);
}
@Override
public SecurityContext createSecurityContext(final WithMockOAuth2User annotation) {
final SecurityContext ctx = SecurityContextHolder.createEmptyContext();
ctx.setAuthentication(new OAuth2Authentication(
WithMockOAuth2Client.WithMockOAuth2ClientSecurityContextFactory.getOAuth2Request(annotation.client()),
getUserAuthentication(annotation.user())));
SecurityContextHolder.setContext(ctx);
return ctx;
}
}
}
OAuth2MockMvcHelper 有助于使用预期的授权标头构建测试请求
public class OAuth2MockMvcHelper extends MockMvcHelper {
public static final String VALID_TEST_TOKEN_VALUE = "test.fake.jwt";
public OAuth2MockMvcHelper(
final MockMvc mockMvc,
final ObjectFactory<HttpMessageConverters> messageConverters,
final MediaType defaultMediaType) {
super(mockMvc, messageConverters, defaultMediaType);
}
/**
* Adds OAuth2 support: adds an Authorisation header to all request builders
* if there is an OAuth2Authentication in test security context.
*
* /!\ Make sure your token services recognize this dummy "VALID_TEST_TOKEN_VALUE" token as valid during your tests /!\
*
* @param contentType should be not-null when issuing request with body (POST, PUT, PATCH), null otherwise
* @param accept should be not-null when issuing response with body (GET, POST, OPTION), null otherwise
* @param method
* @param urlTemplate
* @param uriVars
* @return a request builder with minimal info you can tweak further (add headers, cookies, etc.)
*/
@Override
public MockHttpServletRequestBuilder requestBuilder(
Optional<MediaType> contentType,
Optional<MediaType> accept,
HttpMethod method,
String urlTemplate,
Object... uriVars) {
final MockHttpServletRequestBuilder builder = super.requestBuilder(contentType, accept, method, urlTemplate, uriVars);
if (SecurityContextHolder.getContext().getAuthentication() instanceof OAuth2Authentication) {
builder.header("Authorization", "Bearer " + VALID_TEST_TOKEN_VALUE);
}
return builder;
}
}
OAuth2ControllerTest 控制器单元测试的父级
@RunWith(SpringRunner.class)
@Import(OAuth2MockMvcConfig.class)
public class OAuth2ControllerTest {
@MockBean
private ResourceServerTokenServices tokenService;
@Autowired
protected OAuth2MockMvcHelper api;
@Autowired
protected SerializationHelper conv;
@Before
public void setUpTokenService() {
when(tokenService.loadAuthentication(api.VALID_TEST_TOKEN_VALUE))
.thenAnswer(invocation -> SecurityContextHolder.getContext().getAuthentication());
}
}
@TestConfiguration
class OAuth2MockMvcConfig {
@Bean
public SerializationHelper serializationHelper(ObjectFactory<HttpMessageConverters> messageConverters) {
return new SerializationHelper(messageConverters);
}
@Bean
public OAuth2MockMvcHelper mockMvcHelper(
MockMvc mockMvc,
ObjectFactory<HttpMessageConverters> messageConverters,
@Value("${controllers.default-media-type:application/json;charset=UTF-8}") MediaType defaultMediaType) {
return new OAuth2MockMvcHelper(mockMvc, messageConverters, defaultMediaType);
}
}
上面引用但与OAuth2测试没有直接关系的工具
/**
* Wraps MockMvc to further ease interaction with tested API:
* provides with:<ul>
* <li>many request shortcuts for simple cases (see get, post, put, patch, delete methods)</li>
* <li>perfom method along with request builder initialisation shortcuts (see getRequestBuilder, etc.) when more control is required (additional headers, ...)</li>
* </ul>
*/
public class MockMvcHelper {
private final MockMvc mockMvc;
private final MediaType defaultMediaType;
protected final SerializationHelper conv;
public MockMvcHelper(MockMvc mockMvc, ObjectFactory<HttpMessageConverters> messageConverters, MediaType defaultMediaType) {
this.mockMvc = mockMvc;
this.conv = new SerializationHelper(messageConverters);
this.defaultMediaType = defaultMediaType;
}
/**
* Generic request builder which adds relevant "Accept" and "Content-Type" headers
*
* @param contentType should be not-null when issuing request with body (POST, PUT, PATCH), null otherwise
* @param accept should be not-null when issuing response with body (GET, POST, OPTION), null otherwise
* @param method
* @param urlTemplate
* @param uriVars
* @return a request builder with minimal info you can tweak further: add headers, cookies, etc.
*/
public MockHttpServletRequestBuilder requestBuilder(
Optional<MediaType> contentType,
Optional<MediaType> accept,
HttpMethod method,
String urlTemplate,
Object... uriVars) {
final MockHttpServletRequestBuilder builder = request(method, urlTemplate, uriVars);
contentType.ifPresent(builder::contentType);
accept.ifPresent(builder::accept);
return builder;
}
public ResultActions perform(MockHttpServletRequestBuilder request) throws Exception {
return mockMvc.perform(request);
}
/* GET */
public MockHttpServletRequestBuilder getRequestBuilder(MediaType accept, String urlTemplate, Object... uriVars) {
return requestBuilder(Optional.empty(), Optional.of(accept), HttpMethod.GET, urlTemplate, uriVars);
}
public MockHttpServletRequestBuilder getRequestBuilder(String urlTemplate, Object... uriVars) {
return getRequestBuilder(defaultMediaType, urlTemplate, uriVars);
}
public ResultActions get(MediaType accept, String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(getRequestBuilder(accept, urlTemplate, uriVars));
}
public ResultActions get(String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(getRequestBuilder(urlTemplate, uriVars));
}
/* POST */
public <T> MockHttpServletRequestBuilder postRequestBuilder(final T payload, MediaType contentType, MediaType accept, String urlTemplate, Object... uriVars) throws Exception {
return feed(
requestBuilder(Optional.of(contentType), Optional.of(accept), HttpMethod.POST, urlTemplate, uriVars),
payload,
contentType);
}
public <T> MockHttpServletRequestBuilder postRequestBuilder(final T payload, String urlTemplate, Object... uriVars) throws Exception {
return postRequestBuilder(payload, defaultMediaType, defaultMediaType, urlTemplate, uriVars);
}
public <T> ResultActions post(final T payload, MediaType contentType, MediaType accept, String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(postRequestBuilder(payload, contentType, accept, urlTemplate, uriVars));
}
public <T> ResultActions post(final T payload, String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(postRequestBuilder(payload, urlTemplate, uriVars));
}
/* PUT */
public <T> MockHttpServletRequestBuilder putRequestBuilder(final T payload, MediaType contentType, String urlTemplate, Object... uriVars) throws Exception {
return feed(
requestBuilder(Optional.of(contentType), Optional.empty(), HttpMethod.PUT, urlTemplate, uriVars),
payload,
contentType);
}
public <T> MockHttpServletRequestBuilder putRequestBuilder(final T payload, String urlTemplate, Object... uriVars) throws Exception {
return putRequestBuilder(payload, defaultMediaType, urlTemplate, uriVars);
}
public <T> ResultActions put(final T payload, MediaType contentType, String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(putRequestBuilder(payload, contentType, urlTemplate, uriVars));
}
public <T> ResultActions put(final T payload, String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(putRequestBuilder(payload, urlTemplate, uriVars));
}
/* PATCH */
public <T> MockHttpServletRequestBuilder patchRequestBuilder(final T payload, MediaType contentType, String urlTemplate, Object... uriVars) throws Exception {
return feed(
requestBuilder(Optional.of(contentType), Optional.empty(), HttpMethod.PATCH, urlTemplate, uriVars),
payload,
contentType);
}
public <T> MockHttpServletRequestBuilder patchRequestBuilder(final T payload, String urlTemplate, Object... uriVars) throws Exception {
return patchRequestBuilder(payload, defaultMediaType, urlTemplate, uriVars);
}
public <T> ResultActions patch(final T payload, MediaType contentType, String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(patchRequestBuilder(payload, contentType, urlTemplate, uriVars));
}
public <T> ResultActions patch(final T payload, String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(patchRequestBuilder(payload, urlTemplate, uriVars));
}
/* DELETE */
public MockHttpServletRequestBuilder deleteRequestBuilder(String urlTemplate, Object... uriVars) {
return requestBuilder(Optional.empty(), Optional.empty(), HttpMethod.DELETE, urlTemplate, uriVars);
}
public ResultActions delete(String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(deleteRequestBuilder(urlTemplate, uriVars));
}
/* HEAD */
public MockHttpServletRequestBuilder headRequestBuilder(String urlTemplate, Object... uriVars) {
return requestBuilder(Optional.empty(), Optional.empty(), HttpMethod.HEAD, urlTemplate, uriVars);
}
public ResultActions head(String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(headRequestBuilder(urlTemplate, uriVars));
}
/* OPTION */
public MockHttpServletRequestBuilder optionRequestBuilder(MediaType accept, String urlTemplate, Object... uriVars) {
return requestBuilder(Optional.empty(), Optional.of(accept), HttpMethod.OPTIONS, urlTemplate, uriVars);
}
public MockHttpServletRequestBuilder optionRequestBuilder(String urlTemplate, Object... uriVars) {
return requestBuilder(Optional.empty(), Optional.of(defaultMediaType), HttpMethod.OPTIONS, urlTemplate, uriVars);
}
public ResultActions option(MediaType accept, String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(optionRequestBuilder(accept, urlTemplate, uriVars));
}
public ResultActions option(String urlTemplate, Object... uriVars) throws Exception {
return mockMvc.perform(optionRequestBuilder(urlTemplate, uriVars));
}
/**
* Adds serialized payload to request content
*
* @param request
* @param payload
* @param mediaType
* @param <T>
* @return the request with provided payload as content
* @throws Exception if things go wrong (no registered serializer for payload type and asked MediaType, serialization failure, ...)
*/
public <T> MockHttpServletRequestBuilder feed(
MockHttpServletRequestBuilder request,
final T payload,
final MediaType mediaType) throws Exception {
if (payload == null) {
return request;
}
final SerializationHelper.ByteArrayHttpOutputMessage msg = conv.outputMessage(payload, mediaType);
return request
.headers(msg.headers)
.content(msg.out.toByteArray());
}
}
/**
* Serialize objects to given media type using registered message converters
*/
public class SerializationHelper {
private final ObjectFactory<HttpMessageConverters> messageConverters;
public SerializationHelper(ObjectFactory<HttpMessageConverters> messageConverters) {
this.messageConverters = messageConverters;
}
public <T> ByteArrayHttpOutputMessage outputMessage(final T payload, final MediaType mediaType) throws Exception {
if (payload == null) {
return null;
}
List<HttpMessageConverter<?>> relevantConverters = messageConverters.getObject().getConverters().stream()
.filter(converter -> converter.canWrite(payload.getClass(), mediaType))
.collect(Collectors.toList());
final ByteArrayHttpOutputMessage converted = new ByteArrayHttpOutputMessage();
boolean isConverted = false;
for (HttpMessageConverter<?> converter : relevantConverters) {
try {
((HttpMessageConverter<T>) converter).write(payload, mediaType, converted);
isConverted = true; //won't be reached if a conversion error occurs
break; //stop iterating over converters after first successful conversion
} catch (IOException e) {
//swallow exception so that next converter is tried
}
}
if (!isConverted) {
throw new Exception("Could not convert " + payload.getClass() + " to " + mediaType.toString());
}
return converted;
}
/**
* Provides a String representation of provided payload
*
* @param payload
* @param mediaType
* @param <T>
* @return
* @throws Exception if things go wrong (no registered serializer for payload type and asked MediaType, serialization failure, ...)
*/
public <T> String asString(T payload, MediaType mediaType) throws Exception {
return payload == null ?
null :
outputMessage(payload, mediaType).out.toString();
}
public <T> String asJsonString(T payload) throws Exception {
return asString(payload, MediaType.APPLICATION_JSON_UTF8);
}
public static final class ByteArrayHttpOutputMessage implements HttpOutputMessage {
public final ByteArrayOutputStream out = new ByteArrayOutputStream();
public final HttpHeaders headers = new HttpHeaders();
@Override
public OutputStream getBody() {
return out;
}
@Override
public HttpHeaders getHeaders() {
return headers;
}
}
}