formLogin() does not work with REST Docs

dadikovi · dadikovi · commit 4a7413640c54 · 2020-05-09T21:56:15.000+02:00
This commit adds a new test which fails right now, and also suggest a change. Fixes spring-projectsgh-7572
diff --git a/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestBuilders.java b/test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestBuilders.java
@@ -15,16 +15,21 @@
  */
 package org.springframework.security.test.web.servlet.request;
 
-import javax.servlet.ServletContext;
-
+import org.springframework.beans.Mergeable;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.RequestBuilder;
+import org.springframework.test.web.servlet.request.ConfigurableSmartRequestBuilder;
 import org.springframework.test.web.servlet.request.RequestPostProcessor;
 import org.springframework.web.util.UriComponentsBuilder;
 
+import javax.servlet.ServletContext;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 
@@ -132,23 +137,25 @@ private LogoutRequestBuilder() {
 	 * @author Rob Winch
 	 * @since 4.0
 	 */
-	public static final class FormLoginRequestBuilder implements RequestBuilder {
+	public static final class FormLoginRequestBuilder implements RequestBuilder,
+			ConfigurableSmartRequestBuilder<FormLoginRequestBuilder>, Mergeable {
 		private String usernameParam = "username";
 		private String passwordParam = "password";
 		private String username = "user";
 		private String password = "password";
 		private String loginProcessingUrl = "/login";
 		private MediaType acceptMediaType = MediaType.APPLICATION_FORM_URLENCODED;
 
-		private RequestPostProcessor postProcessor = csrf();
+		private List<RequestPostProcessor> postProcessors = new ArrayList<>(Collections.singletonList(csrf()));
 
 		@Override
 		public MockHttpServletRequest buildRequest(ServletContext servletContext) {
 			MockHttpServletRequest request = post(this.loginProcessingUrl)
 					.accept(this.acceptMediaType).param(this.usernameParam, this.username)
 					.param(this.passwordParam, this.password)
 					.buildRequest(servletContext);
-			return this.postProcessor.postProcessRequest(request);
+
+			return postProcessRequest(request);
 		}
 
 		/**
@@ -260,6 +267,34 @@ public FormLoginRequestBuilder acceptMediaType(MediaType acceptMediaType) {
 
 		private FormLoginRequestBuilder() {
 		}
+
+		@Override public boolean isMergeEnabled() {
+			return false;
+		}
+
+		@Override
+		public Object merge( Object parent ) {
+			// Step 1: Get parent's postprocessors
+			if (parent instanceof ConfigurableSmartRequestBuilder) {
+				// We cannot do that because on ConfigurableSmartRequestBuilder interface there is no getter method
+				// for the postprocessors.
+			}
+			// Step 2: add parent's postprocessors to this instance.
+			return this;
+		}
+
+		@Override
+		public FormLoginRequestBuilder with( RequestPostProcessor requestPostProcessor ) {
+			this.postProcessors.add(requestPostProcessor);
+			return this;
+		}
+
+		@Override public MockHttpServletRequest postProcessRequest( MockHttpServletRequest request ) {
+			for(RequestPostProcessor postProcessor: postProcessors) {
+				request = postProcessor.postProcessRequest(request);
+			}
+			return request;
+		}
 	}
 
 	private SecurityMockMvcRequestBuilders() {
diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestBuildersFormLoginTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestBuildersFormLoginTests.java
@@ -18,11 +18,23 @@
 import org.junit.Before;
 import org.junit.Test;
 
+import org.springframework.beans.Mergeable;
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockServletContext;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.CsrfRequestPostProcessor;
 import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.test.web.servlet.RequestBuilder;
+import org.springframework.test.web.servlet.SmartRequestBuilder;
+import org.springframework.test.web.servlet.request.ConfigurableSmartRequestBuilder;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.request.RequestPostProcessor;
+import org.springframework.test.web.servlet.setup.AbstractMockMvcBuilder;
+import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
+import org.springframework.util.Assert;
+import org.springframework.web.context.support.GenericWebApplicationContext;
+
+import javax.servlet.ServletContext;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestBuilders.formLogin;
@@ -82,6 +94,46 @@ public void customWithUriVars() {
 		assertThat(request.getRequestURI()).isEqualTo("/uri-login/val1/val2");
 	}
 
+	@Test
+	public void postProcessorsAreMergedDuringMockMvcPerform() throws Exception {
+
+		RequestBuilder requestBuilder = formLogin()
+				.user("my-user")
+				.password("my-password")
+				.loginProcessingUrl("/my-path");
+
+		// spring-restdocs project creates request postprocessors using this hook:
+		// 		org.springframework.test.web.servlet.setup.MockMvcConfigurer.beforeMockMvcCreated
+		// The postprocessors are bound to the defaultRequestBuilder instance (with urlTemplate "/") here:
+		//		org.springframework.test.web.servlet.setup.AbstractMockMvcBuilder.build
+		// The bind happens only if the default builder implements the ConfigurableSmartRequestBuilder interface.
+
+		RequestBuilder defaultRequestBuilder = MockMvcRequestBuilders.get("/");
+		if (defaultRequestBuilder instanceof ConfigurableSmartRequestBuilder) {
+			((ConfigurableSmartRequestBuilder) defaultRequestBuilder).with(new MockPostProcessor());
+		}
+
+		// In the following method:
+		// 		org.springframework.test.web.servlet.MockMvc.perform
+		// the RequestBuilder is normally merged with the defaultRequestBuilder, so the spring-restdocs postprocessor
+		// can be executed and it can generate nice documentations.
+		// The problem is, that this merge happens only if the RequestBuilder implements Mergeable interface.
+
+		if (defaultRequestBuilder != null && requestBuilder instanceof Mergeable ) {
+			requestBuilder = (RequestBuilder) ((Mergeable) requestBuilder).merge(defaultRequestBuilder);
+		}
+
+		// Currently, none of SecurityMockMvcRequestBuilders implements this interface.
+		// They should implement ConfigurableSmartRequestBuilder interface also to be able to take over
+		// the postprocessors (and execute them).
+
+		MockHttpServletRequest request = requestBuilder.buildRequest(this.servletContext);
+
+		Assert.isInstanceOf(ConfigurableSmartRequestBuilder.class, requestBuilder);
+		Assert.isTrue(request.equals(((SmartRequestBuilder) requestBuilder).postProcessRequest(request)),
+				"Postprocessing failed.");
+	}
+
 	// gh-3920
 	@Test
 	public void usesAcceptMediaForContentNegotiation() {
@@ -91,4 +143,12 @@ public void usesAcceptMediaForContentNegotiation() {
 		assertThat(request.getHeader("Accept"))
 				.isEqualTo(MediaType.APPLICATION_FORM_URLENCODED_VALUE);
 	}
+
+	private class MockPostProcessor implements RequestPostProcessor {
+
+		@Override
+		public MockHttpServletRequest postProcessRequest( MockHttpServletRequest request ) {
+			return request;
+		}
+	}
 }
