Add Authorization Proxy Support

Closes gh-14596

Author: jzheaux

core/src/main/java/org/springframework/security/authorization/object/AuthorizationProxyFactory.java

@@ -0,0 +1,211 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization.object;
+
+import java.lang.reflect.Array;
+import java.lang.reflect.Modifier;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Stream;
+
+import org.springframework.aop.Advisor;
+import org.springframework.aop.framework.ProxyFactory;
+import org.springframework.core.annotation.AnnotationAwareOrderComparator;
+import org.springframework.security.authorization.method.AuthorizationAdvisor;
+import org.springframework.util.ClassUtils;
+
+/**
+ * A proxy factory for applying authorization advice to an arbitrary object.
+ *
+ * <p>
+ * For example, consider a non-Spring-managed object {@code Foo}: <pre>
+ *     class Foo {
+ *         &#064;PreAuthorize("hasAuthority('bar:read')")
+ *         String bar() { ... }
+ *     }
+ * </pre>
+ *
+ * Use {@link AuthorizationProxyFactory} to wrap the instance in Spring Security's
+ * {@link org.springframework.security.access.prepost.PreAuthorize} method interceptor
+ * like so:
+ *
+ * <pre>
+ *     AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor.preAuthorize();
+ *     AuthorizationProxyFactory proxyFactory = new AuthorizationProxyFactory(preAuthorize);
+ *     Foo foo = new Foo();
+ *     foo.bar(); // passes
+ *     Foo securedFoo = proxyFactory.proxy(foo);
+ *     securedFoo.bar(); // access denied!
+ * </pre>
+ *
+ * @author Josh Cummings
+ * @since 6.3
+ */
+public final class AuthorizationProxyFactory {
+
+	private final Collection<AuthorizationAdvisor> advisors;
+
+	public AuthorizationProxyFactory(AuthorizationAdvisor... advisors) {
+		this.advisors = List.of(advisors);
+	}
+
+	public AuthorizationProxyFactory(Collection<AuthorizationAdvisor> advisors) {
+		this.advisors = List.copyOf(advisors);
+	}
+
+	/**
+	 * Create a new {@link AuthorizationProxyFactory} that includes the given advisors in
+	 * addition to any advisors {@code this} instance already has.
+	 *
+	 * <p>
+	 * All advisors are re-sorted by their advisor order.
+	 * @param advisors the advisors to add
+	 * @return a new {@link AuthorizationProxyFactory} instance
+	 */
+	public AuthorizationProxyFactory withAdvisors(AuthorizationAdvisor... advisors) {
+		List<AuthorizationAdvisor> merged = new ArrayList<>(this.advisors.size() + 1);
+		merged.addAll(this.advisors);
+		merged.addAll(List.of(advisors));
+		AnnotationAwareOrderComparator.sort(merged);
+		return new AuthorizationProxyFactory(merged);
+	}
+
+	/**
+	 * Proxy an object to enforce authorization advice.
+	 *
+	 * <p>
+	 * Proxies any instance of a non-final class or a class that implements more than one
+	 * interface.
+	 *
+	 * <p>
+	 * If {@code target} is an {@link Iterator}, {@link Collection}, {@link Array},
+	 * {@link Map}, {@link Stream}, or {@link Optional}, then the element or value type is
+	 * proxied.
+	 *
+	 * <p>
+	 * If {@code target} is a {@link Class}, then {@link ProxyFactory#getProxyClass} is
+	 * invoked instead.
+	 * @param target the instance to proxy
+	 * @return the proxied instance
+	 */
+	public Object proxy(Object target) {
+		if (target == null) {
+			return null;
+		}
+		if (target instanceof Class<?> targetClass) {
+			return (targetClass.isInterface()) ? targetClass : proxyClass(targetClass);
+		}
+		if (ClassUtils.isSimpleValueType(target.getClass())) {
+			return target;
+		}
+		if (target instanceof Iterator<?> iterator) {
+			return proxyIterator(iterator);
+		}
+		if (target instanceof Collection<?> collection) {
+			return proxyCollection(collection);
+		}
+		if (target.getClass().isArray()) {
+			return proxyArray((Object[]) target);
+		}
+		if (target instanceof Map<?, ?> map) {
+			return proxyMap(map);
+		}
+		if (target instanceof Stream<?> stream) {
+			return proxyStream(stream);
+		}
+		if (target instanceof Optional<?> optional) {
+			return proxyOptional(optional);
+		}
+		ProxyFactory factory = new ProxyFactory(target);
+		for (Advisor advisor : this.advisors) {
+			factory.addAdvisors(advisor);
+		}
+		factory.setProxyTargetClass(!Modifier.isFinal(target.getClass().getModifiers()));
+		return factory.getProxy();
+	}
+
+	private Class<?> proxyClass(Class<?> targetClass) {
+		ProxyFactory factory = new ProxyFactory();
+		factory.setTargetClass(targetClass);
+		factory.setInterfaces(ClassUtils.getAllInterfacesForClass(targetClass));
+		factory.setProxyTargetClass(!Modifier.isFinal(targetClass.getModifiers()));
+		for (Advisor advisor : this.advisors) {
+			factory.addAdvisors(advisor);
+		}
+		return factory.getProxyClass(getClass().getClassLoader());
+	}
+
+	private Iterator<?> proxyIterator(Iterator<?> iterator) {
+		return new Iterator<>() {
+			@Override
+			public boolean hasNext() {
+				return iterator.hasNext();
+			}
+
+			@Override
+			public Object next() {
+				return proxy(iterator.next());
+			}
+		};
+	}
+
+	private <T> Collection<T> proxyCollection(Collection<T> collection) {
+		Collection<T> proxies = new ArrayList<>(collection.size());
+		for (T toProxy : collection) {
+			proxies.add((T) proxy(toProxy));
+		}
+		collection.clear();
+		collection.addAll(proxies);
+		return proxies;
+	}
+
+	private Object[] proxyArray(Object[] objects) {
+		List<Object> retain = new ArrayList<>(objects.length);
+		for (Object object : objects) {
+			retain.add(proxy(object));
+		}
+		Object[] proxies = (Object[]) Array.newInstance(objects.getClass().getComponentType(), retain.size());
+		for (int i = 0; i < retain.size(); i++) {
+			proxies[i] = retain.get(i);
+		}
+		return proxies;
+	}
+
+	private <K, V> Map<K, V> proxyMap(Map<K, V> entries) {
+		Map<K, V> proxies = new LinkedHashMap<>(entries.size());
+		for (Map.Entry<K, V> entry : entries.entrySet()) {
+			proxies.put(entry.getKey(), (V) proxy(entry.getValue()));
+		}
+		entries.clear();
+		entries.putAll(proxies);
+		return entries;
+	}
+
+	private Stream<?> proxyStream(Stream<?> stream) {
+		return stream.map(this::proxy).onClose(stream::close);
+	}
+
+	private Optional<?> proxyOptional(Optional<?> optional) {
+		return optional.map(this::proxy);
+	}
+
+}

core/src/test/java/org/springframework/security/authorization/object/AuthorizationProxyFactoryTests.java

@@ -0,0 +1,147 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization.object;
+
+import org.junit.jupiter.api.Test;
+
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.authentication.TestAuthentication;
+import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+
+public class AuthorizationProxyFactoryTests {
+
+	private final Authentication user = TestAuthentication.authenticatedUser();
+
+	private final Authentication admin = TestAuthentication.authenticatedAdmin();
+
+	@Test
+	public void proxyWhenPreAuthorizeThenHonors() {
+		SecurityContextHolder.getContext().setAuthentication(this.user);
+		AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor
+			.preAuthorize();
+		AuthorizationProxyFactory factory = new AuthorizationProxyFactory(preAuthorize);
+		Flight flight = new Flight();
+		assertThat(flight.getAltitude()).isEqualTo(35000d);
+		Flight secured = (Flight) factory.proxy(flight);
+		assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> secured.getAltitude());
+		SecurityContextHolder.clearContext();
+	}
+
+	@Test
+	public void proxyWhenPreAuthorizeOnInterfaceThenHonors() {
+		SecurityContextHolder.getContext().setAuthentication(this.user);
+		AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor
+			.preAuthorize();
+		AuthorizationProxyFactory factory = new AuthorizationProxyFactory(preAuthorize);
+		User user = new User("user", "First", "Last");
+		assertThat(user.getFirstName()).isEqualTo("First");
+		User secured = (User) factory.proxy(user);
+		assertThat(secured.getFirstName()).isEqualTo("First");
+		SecurityContextHolder.getContext().setAuthentication(authenticated("wrong"));
+		assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> secured.getFirstName());
+		SecurityContextHolder.getContext().setAuthentication(this.admin);
+		assertThat(secured.getFirstName()).isEqualTo("First");
+		SecurityContextHolder.clearContext();
+	}
+
+	@Test
+	public void proxyWhenPreAuthorizeOnRecordThenHonors() {
+		SecurityContextHolder.getContext().setAuthentication(this.user);
+		AuthorizationManagerBeforeMethodInterceptor preAuthorize = AuthorizationManagerBeforeMethodInterceptor
+			.preAuthorize();
+		AuthorizationProxyFactory factory = new AuthorizationProxyFactory(preAuthorize);
+		HasSecret repo = new Repository("secret");
+		assertThat(repo.secret()).isEqualTo("secret");
+		HasSecret secured = (HasSecret) factory.proxy(repo);
+		assertThatExceptionOfType(AccessDeniedException.class).isThrownBy(() -> secured.secret());
+		SecurityContextHolder.getContext().setAuthentication(this.user);
+		assertThat(repo.secret()).isEqualTo("secret");
+		SecurityContextHolder.clearContext();
+	}
+
+	private Authentication authenticated(String user, String... authorities) {
+		return TestAuthentication.authenticated(TestAuthentication.withUsername(user).authorities(authorities).build());
+	}
+
+	static class Flight {
+
+		@PreAuthorize("hasRole('PILOT')")
+		Double getAltitude() {
+			return 35000d;
+		}
+
+	}
+
+	interface Identifiable {
+
+		String getId();
+
+		@PreAuthorize("authentication.name == this.id || hasRole('ADMIN')")
+		String getFirstName();
+
+		@PreAuthorize("authentication.name == this.id || hasRole('ADMIN')")
+		String getLastName();
+
+	}
+
+	static class User implements Identifiable {
+
+		private final String id;
+
+		private final String firstName;
+
+		private final String lastName;
+
+		User(String id, String firstName, String lastName) {
+			this.id = id;
+			this.firstName = firstName;
+			this.lastName = lastName;
+		}
+
+		@Override
+		public String getId() {
+			return this.id;
+		}
+
+		@Override
+		public String getFirstName() {
+			return this.firstName;
+		}
+
+		@Override
+		public String getLastName() {
+			return this.lastName;
+		}
+
+	}
+
+	interface HasSecret {
+
+		String secret();
+
+	}
+
+	record Repository(@PreAuthorize("hasRole('ADMIN')") String secret) implements HasSecret {
+	}
+
+}