diff --git a/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java b/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java index 108479968d..9a40919d49 100644 --- a/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java +++ b/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java @@ -11,6 +11,8 @@ import java.util.List; import java.util.Objects; import java.util.function.Predicate; +import org.springframework.security.authentication.AuthenticationTrustResolver; +import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.context.ReactiveSecurityContextHolder; @@ -64,6 +66,9 @@ public class UserScopedPatHandlerImpl implements UserScopedPatHandler { private Clock clock; + private final AuthenticationTrustResolver authTrustResolver = + new AuthenticationTrustResolverImpl(); + public UserScopedPatHandlerImpl(ReactiveExtensionClient client, CryptoService cryptoService, ExternalUrlSupplier externalUrl, @@ -84,8 +89,8 @@ public void setClock(Clock clock) { this.clock = clock; } - private static Mono mustBeRealUser(Mono authentication) { - return authentication.filter(AuthorityUtils::isRealUser) + private Mono mustBeAuthenticated(Mono authentication) { + return authentication.filter(authTrustResolver::isAuthenticated) // Non-username-password authentication could not access the API at any time. .switchIfEmpty(Mono.error(AccessDeniedException::new)); } @@ -94,7 +99,7 @@ private static Mono mustBeRealUser(Mono authenti public Mono create(ServerRequest request) { return ReactiveSecurityContextHolder.getContext() .map(SecurityContext::getAuthentication) - .transform(UserScopedPatHandlerImpl::mustBeRealUser) + .transform(this::mustBeAuthenticated) .flatMap(auth -> request.bodyToMono(PersonalAccessToken.class) .switchIfEmpty( Mono.error(() -> new ServerWebInputException("Missing request body."))) @@ -222,7 +227,7 @@ public Mono delete(ServerRequest request) { public Mono restore(ServerRequest request) { var restoredPat = ReactiveSecurityContextHolder.getContext() .map(SecurityContext::getAuthentication) - .transform(UserScopedPatHandlerImpl::mustBeRealUser) + .transform(this::mustBeAuthenticated) .flatMap(auth -> { var name = request.pathVariable("name"); return getPat(name, auth.getName()); diff --git a/application/src/main/java/run/halo/app/security/authorization/AuthorityUtils.java b/application/src/main/java/run/halo/app/security/authorization/AuthorityUtils.java index 75605e35f2..846830aa0d 100644 --- a/application/src/main/java/run/halo/app/security/authorization/AuthorityUtils.java +++ b/application/src/main/java/run/halo/app/security/authorization/AuthorityUtils.java @@ -4,9 +4,6 @@ import java.util.Set; import java.util.stream.Collectors; import org.apache.commons.lang3.StringUtils; -import org.springframework.security.authentication.RememberMeAuthenticationToken; -import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; -import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; /** @@ -51,14 +48,4 @@ public static boolean containsSuperRole(Collection roles) { return roles.contains(SUPER_ROLE_NAME); } - /** - * Check if the authentication is a real user. - * - * @param authentication current authentication - * @return true if the authentication is a real user; false otherwise - */ - public static boolean isRealUser(Authentication authentication) { - return authentication instanceof UsernamePasswordAuthenticationToken - || authentication instanceof RememberMeAuthenticationToken; - } } diff --git a/application/src/test/java/run/halo/app/security/authorization/AuthorityUtilsTest.java b/application/src/test/java/run/halo/app/security/authorization/AuthorityUtilsTest.java index 4ac5082d3d..1d9052a340 100644 --- a/application/src/test/java/run/halo/app/security/authorization/AuthorityUtilsTest.java +++ b/application/src/test/java/run/halo/app/security/authorization/AuthorityUtilsTest.java @@ -3,16 +3,12 @@ import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.mockito.Mockito.mock; import static run.halo.app.security.authorization.AuthorityUtils.authoritiesToRoles; import static run.halo.app.security.authorization.AuthorityUtils.containsSuperRole; -import static run.halo.app.security.authorization.AuthorityUtils.isRealUser; import java.util.List; import java.util.Set; import org.junit.jupiter.api.Test; -import org.springframework.security.authentication.RememberMeAuthenticationToken; -import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.authority.SimpleGrantedAuthority; class AuthorityUtilsTest { @@ -39,9 +35,4 @@ void containsSuperRoleTest() { assertFalse(containsSuperRole(Set.of("admin"))); } - @Test - void shouldReturnTrueWhenAuthenticationIsRealUser() { - assertTrue(isRealUser(mock(UsernamePasswordAuthenticationToken.class))); - assertTrue(isRealUser(mock(RememberMeAuthenticationToken.class))); - } } \ No newline at end of file