Add hasScope and hasAnyScope for @PreAuthorize

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>

Author: ngocnhan-tran1996

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionOperations.java

@@ -81,6 +81,38 @@ public interface SecurityExpressionOperations {
 	 */
 	boolean hasAnyRole(String... roles);
 
+	/**
+	 * <p>
+	 * Determines if the {@link #getAuthentication()} has a particular authority within
+	 * {@link Authentication#getAuthorities()}.
+	 * </p>
+	 * <p>
+	 * This is similar to {@link #hasAuthority(String)} except that this method implies
+	 * that the String passed in is a scope. For example, if "read" is passed in the
+	 * implementation may convert it to use "SCOPE_read" instead. The way in which the
+	 * scope is converted may depend on the implementation settings.
+	 * </p>
+	 * @param scope the authority to test (i.e. "read")
+	 * @return true if the authority is found, else false
+	 */
+	boolean hasScope(String scope);
+
+	/**
+	 * <p>
+	 * Determines if the {@link #getAuthentication()} has any of the specified authorities
+	 * within {@link Authentication#getAuthorities()}.
+	 * </p>
+	 * <p>
+	 * This is similar to {@link #hasAnyAuthority(String...)} except that this method
+	 * implies that the String passed in is a scope. For example, if "read" is passed in
+	 * the implementation may convert it to use "SCOPE_read" instead. The way in which the
+	 * scope is converted may depend on the implementation settings.
+	 * </p>
+	 * @param scopes the authorities to test (i.e. "write", "read")
+	 * @return true if any of the authorities is found, else false
+	 */
+	boolean hasAnyScope(String... scopes);
+
 	/**
 	 * Always grants access.
 	 * @return true

core/src/main/java/org/springframework/security/access/expression/SecurityExpressionRoot.java

@@ -46,6 +46,8 @@ public abstract class SecurityExpressionRoot<T extends @Nullable Object> impleme
 
 	private String defaultRolePrefix = "ROLE_";
 
+	private String defaultScopePrefix = "SCOPE_";
+
 	private final T object;
 
 	private AuthorizationManagerFactory<T> authorizationManagerFactory = new DefaultAuthorizationManagerFactory<>();
@@ -165,6 +167,25 @@ public final boolean hasAllRoles(String... roles) {
 		return isGranted(manager);
 	}
 
+	@Override
+	public final boolean hasScope(String scope) {
+		return isGranted(this.authorizationManagerFactory.hasScope(scope));
+	}
+
+	@Override
+	public boolean hasAnyScope(String... scopes) {
+		if (this.authorizationManagerFactory instanceof DefaultAuthorizationManagerFactory<T>) {
+			String scopePrefix = this.defaultScopePrefix;
+			for (int index = 0; index < scopes.length; index++) {
+				String scope = scopes[index];
+				if (scope.startsWith(scopePrefix)) {
+					scopes[index] = scope.substring(scopePrefix.length());
+				}
+			}
+		}
+		return isGranted(this.authorizationManagerFactory.hasAnyScope(scopes));
+	}
+
 	@Override
 	public final Authentication getAuthentication() {
 		return this.authentication.get();

core/src/main/java/org/springframework/security/authorization/AuthorityAuthorizationManager.java

@@ -124,6 +124,58 @@ public static <T> AuthorityAuthorizationManager<T> hasAnyAuthority(String... aut
 		return new AuthorityAuthorizationManager<>(authorities);
 	}
 
+	/**
+	 * Create an {@link AuthorityAuthorizationManager} that requires an
+	 * {@link Authentication} to have a {@code SCOPE_scope} authority.
+	 *
+	 * <p>
+	 * For example, if you call {@code hasScope("read")}, then this will require that each
+	 * authentication have a {@link org.springframework.security.core.GrantedAuthority}
+	 * whose value is {@code SCOPE_read}.
+	 *
+	 * <p>
+	 * This would equivalent to calling
+	 * {@code AuthorityAuthorizationManager#hasAuthority("SCOPE_read")}.
+	 * @param scope the scope value to require
+	 * @param <T> the secure object
+	 * @return an {@link AuthorityAuthorizationManager} that requires a
+	 * {@code "SCOPE_scope"} authority
+	 */
+	public static <T> AuthorityAuthorizationManager<T> hasScope(String scope) {
+		assertScope(scope);
+		return hasAuthority("SCOPE_" + scope);
+	}
+
+	/**
+	 * Create an {@link AuthorityAuthorizationManager} that requires an
+	 * {@link Authentication} to have at least one authority among {@code SCOPE_scope1},
+	 * {@code SCOPE_scope2}, ... {@code SCOPE_scopeN}.
+	 *
+	 * <p>
+	 * For example, if you call {@code hasAnyScope("read", "write")}, then this will
+	 * require that each authentication have at least a
+	 * {@link org.springframework.security.core.GrantedAuthority} whose value is either
+	 * {@code SCOPE_read} or {@code SCOPE_write}.
+	 *
+	 * <p>
+	 * This would equivalent to calling
+	 * {@code AuthorityAuthorizationManager#hasAnyAuthority("SCOPE_read", "SCOPE_write")}.
+	 * @param scopes the scope values to allow
+	 * @param <T> the secure object
+	 * @return an {@link AuthorityAuthorizationManager} that requires at least one
+	 * authority among {@code "SCOPE_scope1"}, {@code SCOPE_scope2}, ...
+	 * {@code SCOPE_scopeN}.
+	 *
+	 */
+	public static <T> AuthorityAuthorizationManager<T> hasAnyScope(String... scopes) {
+		String[] mappedScopes = new String[scopes.length];
+		for (int i = 0; i < scopes.length; i++) {
+			assertScope(scopes[i]);
+			mappedScopes[i] = "SCOPE_" + scopes[i];
+		}
+		return hasAnyAuthority(mappedScopes);
+	}
+
 	private static String[] toNamedRolesArray(String rolePrefix, String[] roles) {
 		String[] result = new String[roles.length];
 		for (int i = 0; i < roles.length; i++) {
@@ -136,6 +188,14 @@ private static String[] toNamedRolesArray(String rolePrefix, String[] roles) {
 		return result;
 	}
 
+	private static void assertScope(String scope) {
+		Assert.notNull(scope, "role cannot be null");
+		Assert.isTrue(!scope.startsWith("SCOPE_"),
+				() -> scope + " should not start with SCOPE_ since SCOPE_"
+						+ " is automatically prepended when using hasScope and hasAnyScope. Consider using "
+						+ " AuthorityReactiveAuthorizationManager#hasAuthority or #hasAnyAuthority instead.");
+	}
+
 	/**
 	 * {@inheritDoc}
 	 */

core/src/main/java/org/springframework/security/authorization/AuthorizationManagerFactory.java

@@ -109,6 +109,28 @@ default AuthorizationManager<T> hasAllAuthorities(String... authorities) {
 		return AllAuthoritiesAuthorizationManager.hasAllAuthorities(authorities);
 	}
 
+	/**
+	 * Creates an {@link AuthorizationManager} that requires users to have the specified
+	 * scope.
+	 * @param scope the scope (automatically prepended with SCOPE_) that should be
+	 * required to allow access (i.e. write, read, etc.)
+	 * @return A new {@link AuthorizationManager} instance
+	 */
+	default AuthorizationManager<T> hasScope(String scope) {
+		return AuthorityAuthorizationManager.hasScope(scope);
+	}
+
+	/**
+	 * Creates an {@link AuthorizationManager} that requires users to have one of many
+	 * scopes.
+	 * @param scopes the scopes (automatically prepended with SCOPE_) that the user should
+	 * have at least one of to allow access (i.e. write, read, etc.)
+	 * @return A new {@link AuthorizationManager} instance
+	 */
+	default AuthorizationManager<T> hasAnyScope(String... scopes) {
+		return AuthorityAuthorizationManager.hasAnyScope(scopes);
+	}
+
 	/**
 	 * Creates an {@link AuthorizationManager} that allows any authenticated user.
 	 * @return A new {@link AuthorizationManager} instance

core/src/test/java/org/springframework/security/authorization/AuthorityAuthorizationManagerTests.java

@@ -29,6 +29,7 @@
 import org.springframework.security.core.GrantedAuthority;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
 
 /**
@@ -271,4 +272,24 @@ void hasAnyRoleWhenEmptyRolePrefixThenNoException() {
 		AuthorityAuthorizationManager.hasAnyRole("", new String[] { "USER" });
 	}
 
+	@Test
+	void hasScopes_withInvalidScope_shouldThrowIllegalArgumentException() {
+		String[] scopes = { "read", "write", "SCOPE_invalid" };
+		assertThatExceptionOfType(IllegalArgumentException.class)
+			.isThrownBy(() -> AuthorityAuthorizationManager.hasAnyScope(scopes))
+			.withMessage("Scope 'SCOPE_invalid' start with 'SCOPE_' prefix.");
+	}
+
+	@Test
+	void hasScope_withValidScope_shouldPass() {
+		String scope = "read";
+		assertThat(AuthorityAuthorizationManager.hasScope(scope)).isNotNull();
+	}
+
+	@Test
+	void hasScope_withValidScopes_shouldPass() {
+		String[] scopes = { "read", "write" };
+		assertThat(AuthorityAuthorizationManager.hasAnyScope(scopes)).isNotNull();
+	}
+
 }

core/src/test/java/org/springframework/security/authorization/method/PreAuthorizeAuthorizationManagerTests.java

@@ -89,6 +89,48 @@ public void checkDoSomethingStringWhenArgIsNotGrantThenDeniedDecision() throws E
 		assertThat(decision.isGranted()).isFalse();
 	}
 
+	@Test
+	public void checkSecuredScope() throws Exception {
+		MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
+				"securedScope");
+		PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
+		AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
+		assertThat(decision).isNotNull();
+		assertThat(decision.isGranted()).isFalse();
+
+		Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
+				"SCOPE_read");
+		decision = manager.authorize(authentication, methodInvocation);
+		assertThat(decision).isNotNull();
+		assertThat(decision.isGranted()).isFalse();
+
+		authentication = () -> new TestingAuthenticationToken("user", "password", "SCOPE_write");
+		decision = manager.authorize(authentication, methodInvocation);
+		assertThat(decision).isNotNull();
+		assertThat(decision.isGranted()).isTrue();
+	}
+
+	@Test
+	public void checkSecuredAnyScope() throws Exception {
+		MockMethodInvocation methodInvocation = new MockMethodInvocation(new TestClass(), TestClass.class,
+				"securedAnyScope");
+		PreAuthorizeAuthorizationManager manager = new PreAuthorizeAuthorizationManager();
+		AuthorizationResult decision = manager.authorize(TestAuthentication::authenticatedUser, methodInvocation);
+		assertThat(decision).isNotNull();
+		assertThat(decision.isGranted()).isFalse();
+
+		Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password",
+				"SCOPE_read");
+		decision = manager.authorize(authentication, methodInvocation);
+		assertThat(decision).isNotNull();
+		assertThat(decision.isGranted()).isTrue();
+
+		authentication = () -> new TestingAuthenticationToken("user", "password", "SCOPE_write");
+		decision = manager.authorize(authentication, methodInvocation);
+		assertThat(decision).isNotNull();
+		assertThat(decision.isGranted()).isTrue();
+	}
+
 	@Test
 	public void checkRequiresAdminWhenClassAnnotationsThenMethodAnnotationsTakePrecedence() throws Exception {
 		Supplier<Authentication> authentication = () -> new TestingAuthenticationToken("user", "password", "ROLE_USER");
@@ -181,6 +223,16 @@ public void inheritedAnnotations() {
 
 		}
 
+		@PreAuthorize("hasScope('write')")
+		public void securedScope() {
+
+		}
+
+		@PreAuthorize("hasAnyScope('write', 'read')")
+		public void securedAnyScope() {
+
+		}
+
 	}
 
 	@PreAuthorize("hasRole('USER')")