Instrumenting Spring Security (#2011)

* First draft of instrumenting Spring Security

* Create events based on Authentication not SecurityContext

* Simplifying security config

* Checkstyle reformat

* Create DocumentedSpan and EventValue for Spring Security instrumentation

* Adding spring-security-bom to ensure the right dependencies are used.

* TracingSecurityContextChangedListenerTests

* Adding integration tests

* Deleting spring-cloud-sleuth-sample-security

* Checkstyle, license, javadoc

* Inlining SleuthSecuritySpan methods

* Deleting javadoc links from DocumentedSpan

* Updating auto-generated docs

Author: jonatan-ivanov

docs/src/main/asciidoc/_spans.adoc

@@ -532,6 +532,22 @@ Fully qualified name of the enclosing class `org.springframework.cloud.sleuth.in
 |method|Method name that got annotated with @Scheduled.
 |===
 
+=== Security Context Change
+
+> Indicates that a SecurityContextChangedEvent happened during the current span.
+
+**Span name** `Security Context Change`.
+
+Fully qualified name of the enclosing class `org.springframework.cloud.sleuth.instrument.security.SleuthSecuritySpan`
+
+.Event Values
+|===
+|Name | Description
+|Authentication cleared %s|Event created when an Authentication object is removed from the SecurityContext. (since the name contains `%s` the final value will be resolved at runtime)
+|Authentication replaced %s|Event created when an Authentication object is replaced with a new one in the SecurityContext. (since the name contains `%s` the final value will be resolved at runtime)
+|Authentication set %s|Event created when an Authentication object is added to the SecurityContext. (since the name contains `%s` the final value will be resolved at runtime)
+|===
+
 === Session Create Span
 
 > Span created when a new session has to be created.

pom.xml

@@ -76,14 +76,15 @@
 		<brave.version>5.13.2</brave.version>
 		<opentracing.version>0.32.0</opentracing.version>
 		<spring-security-boot-autoconfigure.version>2.3.4.RELEASE</spring-security-boot-autoconfigure.version>
+		<spring-security-oauth2.version>2.2.0.RELEASE</spring-security-oauth2.version>
+		<spring-security-version>5.6.0-M2</spring-security-version>
 		<disable.nohttp.checks>false</disable.nohttp.checks>
 		<okhttp.version>4.9.0</okhttp.version>
 		<mockwebserver.version>4.8.0</mockwebserver.version>
 		<guava.version>20.0</guava.version>
 		<javax.resource-api.version>1.7.1</javax.resource-api.version>
 		<cglib-nodep.version>3.3.0</cglib-nodep.version>
 		<objenesis.version>3.0.1</objenesis.version>
-		<spring-security-oauth2.version>2.2.0.RELEASE</spring-security-oauth2.version>
 		<p6spy.version>3.9.1</p6spy.version>
 		<datasource-proxy.version>1.7</datasource-proxy.version>
 		<tomcat-jdbc.version>10.0.6</tomcat-jdbc.version>
@@ -267,11 +268,22 @@
 				<scope>import</scope>
 				<type>pom</type>
 			</dependency>
+			<dependency>
+				<groupId>org.springframework.security</groupId>
+				<artifactId>spring-security-bom</artifactId>
+				<version>${spring-security-version}</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
 			<dependency>
 				<groupId>org.springframework.security.oauth.boot</groupId>
 				<artifactId>spring-security-oauth2-autoconfigure</artifactId>
 				<version>${spring-security-boot-autoconfigure.version}</version>
-				<optional>true</optional>
+			</dependency>
+			<dependency>
+				<groupId>org.springframework.security.oauth</groupId>
+				<artifactId>spring-security-oauth2</artifactId>
+				<version>${spring-security-oauth2.version}</version>
 			</dependency>
 			<dependency>
 				<groupId>cglib</groupId>
@@ -289,11 +301,6 @@
 				<artifactId>mockwebserver</artifactId>
 				<version>${mockwebserver.version}</version>
 			</dependency>
-			<dependency>
-				<groupId>org.springframework.security.oauth</groupId>
-				<artifactId>spring-security-oauth2</artifactId>
-				<version>${spring-security-oauth2.version}</version>
-			</dependency>
 			<dependency>
 				<groupId>io.zipkin.aws</groupId>
 				<artifactId>brave-propagation-aws</artifactId>

spring-cloud-sleuth-autoconfigure/src/main/java/org/springframework/cloud/sleuth/autoconfig/instrument/security/TraceSecurityAutoConfiguration.java

@@ -0,0 +1,49 @@
+/*
+ * Copyright 2021-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.sleuth.autoconfig.instrument.security;
+
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.cloud.sleuth.Tracer;
+import org.springframework.cloud.sleuth.autoconfig.brave.BraveAutoConfiguration;
+import org.springframework.cloud.sleuth.instrument.security.TracingSecurityContextChangedListener;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.core.context.SecurityContextChangedListener;
+
+/**
+ * {@link org.springframework.boot.autoconfigure.EnableAutoConfiguration
+ * Auto-configuration} that registers instrumentation for Spring Security.
+ *
+ * @author Jonatan Ivanov
+ * @since 3.1.0
+ */
+@Configuration(proxyBeanMethods = false)
+@ConditionalOnClass(SecurityContextChangedListener.class)
+@ConditionalOnProperty(value = "spring.sleuth.security.enabled", matchIfMissing = true)
+@ConditionalOnBean(Tracer.class)
+@AutoConfigureAfter(BraveAutoConfiguration.class)
+public class TraceSecurityAutoConfiguration {
+
+	@Bean
+	public TracingSecurityContextChangedListener tracingSecurityContextChangedListener(Tracer tracer) {
+		return new TracingSecurityContextChangedListener(tracer);
+	}
+
+}

spring-cloud-sleuth-autoconfigure/src/main/resources/META-INF/spring.factories

@@ -22,6 +22,7 @@ org.springframework.cloud.sleuth.autoconfig.instrument.web.client.feign.TraceFei
 org.springframework.cloud.sleuth.autoconfig.instrument.web.client.TraceWebAsyncClientAutoConfiguration,\
 org.springframework.cloud.sleuth.autoconfig.instrument.scheduling.TraceSchedulingAutoConfiguration,\
 org.springframework.cloud.sleuth.autoconfig.instrument.session.TraceSessionAutoConfiguration,\
+org.springframework.cloud.sleuth.autoconfig.instrument.security.TraceSecurityAutoConfiguration,\
 org.springframework.cloud.sleuth.autoconfig.instrument.reactor.TraceReactorAutoConfiguration,\
 org.springframework.cloud.sleuth.autoconfig.instrument.messaging.TraceFunctionAutoConfiguration,\
 org.springframework.cloud.sleuth.autoconfig.instrument.messaging.TraceSpringIntegrationAutoConfiguration,\

spring-cloud-sleuth-instrumentation/pom.xml

@@ -212,6 +212,11 @@
 			<artifactId>spring-session-data-redis</artifactId>
 			<optional>true</optional>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-core</artifactId>
+			<optional>true</optional>
+		</dependency>
 		<dependency>
 			<groupId>io.projectreactor.kotlin</groupId>
 			<artifactId>reactor-kotlin-extensions</artifactId>

spring-cloud-sleuth-instrumentation/src/main/java/org/springframework/cloud/sleuth/instrument/security/SleuthSecuritySpan.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2021-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.sleuth.instrument.security;
+
+import org.springframework.cloud.sleuth.docs.DocumentedSpan;
+import org.springframework.cloud.sleuth.docs.EventValue;
+
+/**
+ * DocumentedSpan for Spring Security Instrumentation.
+ *
+ * @author Jonatan Ivanov
+ * @since 3.1.0
+ */
+enum SleuthSecuritySpan implements DocumentedSpan {
+
+	/**
+	 * Indicates that a SecurityContextChangedEvent happened during the current span.
+	 */
+	SECURITY_CONTEXT_CHANGE {
+		@Override
+		public String getName() {
+			return "Security Context Change";
+		}
+
+		@Override
+		public EventValue[] getEvents() {
+			return SleuthSecurityEvent.values();
+		}
+	};
+
+	enum SleuthSecurityEvent implements EventValue {
+
+		/**
+		 * Event created when an Authentication object is added to the SecurityContext.
+		 */
+		AUTHENTICATION_SET {
+			@Override
+			public String getValue() {
+				return "Authentication set %s";
+			}
+		},
+
+		/**
+		 * Event created when an Authentication object is replaced with a new one in the
+		 * SecurityContext.
+		 */
+		AUTHENTICATION_REPLACED {
+			@Override
+			public String getValue() {
+				return "Authentication replaced %s";
+			}
+		},
+
+		/**
+		 * Event created when an Authentication object is removed from the
+		 * SecurityContext.
+		 */
+		AUTHENTICATION_CLEARED {
+			@Override
+			public String getValue() {
+				return "Authentication cleared %s";
+			}
+		}
+
+	}
+
+}

spring-cloud-sleuth-instrumentation/src/main/java/org/springframework/cloud/sleuth/instrument/security/TracingSecurityContextChangedListener.java

@@ -0,0 +1,91 @@
+/*
+ * Copyright 2021-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.cloud.sleuth.instrument.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import org.springframework.cloud.sleuth.Span;
+import org.springframework.cloud.sleuth.Tracer;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextChangedEvent;
+import org.springframework.security.core.context.SecurityContextChangedListener;
+
+import static java.lang.String.format;
+import static org.springframework.cloud.sleuth.instrument.security.SleuthSecuritySpan.SECURITY_CONTEXT_CHANGE;
+import static org.springframework.cloud.sleuth.instrument.security.SleuthSecuritySpan.SleuthSecurityEvent;
+import static org.springframework.cloud.sleuth.instrument.security.SleuthSecuritySpan.SleuthSecurityEvent.AUTHENTICATION_CLEARED;
+import static org.springframework.cloud.sleuth.instrument.security.SleuthSecuritySpan.SleuthSecurityEvent.AUTHENTICATION_REPLACED;
+import static org.springframework.cloud.sleuth.instrument.security.SleuthSecuritySpan.SleuthSecurityEvent.AUTHENTICATION_SET;
+
+/**
+ * {@link SecurityContextChangedListener} that adds tracing support for Spring Security.
+ *
+ * @author Jonatan Ivanov
+ * @since 3.1.0
+ */
+public class TracingSecurityContextChangedListener implements SecurityContextChangedListener {
+
+	private static final Logger LOGGER = LoggerFactory.getLogger(TracingSecurityContextChangedListener.class);
+
+	private final Tracer tracer;
+
+	public TracingSecurityContextChangedListener(Tracer tracer) {
+		this.tracer = tracer;
+	}
+
+	@Override
+	public void securityContextChanged(SecurityContextChangedEvent securityContextChangedEvent) {
+		SecurityContext previousContext = securityContextChangedEvent.getPreviousContext();
+		SecurityContext currentContext = securityContextChangedEvent.getCurrentContext();
+		Authentication previousAuthentication = previousContext != null ? previousContext.getAuthentication() : null;
+		Authentication currentAuthentication = currentContext != null ? currentContext.getAuthentication() : null;
+
+		if (previousAuthentication != null) {
+			if (currentAuthentication != null) {
+				attachEvent(AUTHENTICATION_REPLACED, toString(previousAuthentication, currentAuthentication));
+			}
+			else {
+				attachEvent(AUTHENTICATION_CLEARED, toString(previousAuthentication));
+			}
+		}
+		else if (currentAuthentication != null) {
+			attachEvent(AUTHENTICATION_SET, toString(currentAuthentication));
+		}
+		// null-null is not handled since we won't create an event for that case
+	}
+
+	private String toString(Authentication previousAuthentication, Authentication currentAuthentication) {
+		return toString(previousAuthentication) + " -> " + toString(currentAuthentication);
+	}
+
+	private String toString(Authentication authentication) {
+		return authentication != null ? authentication.getClass().getSimpleName() + authentication.getAuthorities()
+				: "null";
+	}
+
+	private void attachEvent(SleuthSecurityEvent sleuthSecurityEvent, String... params) {
+		Span span = this.tracer.currentSpan();
+		if (span != null) {
+			String event = format(sleuthSecurityEvent.getValue(), (Object[]) params);
+			LOGGER.info(event);
+			SECURITY_CONTEXT_CHANGE.wrap(span).event(event);
+		}
+	}
+
+}