Auto-configure security for Spring GraphQL

bclozel · bclozel · commit 6dbcd0e95e6e · 2021-12-21T08:33:50.000+01:00
This commit configures security features for Spring GraphQL. In the case of both MVC and WebFlux, this contributes `DataFetcherExceptionResolver` instances to resolve security exceptions and expose them as proper errors in the GraphQL response. For MVC only, this also configures a `SecurityContextThreadLocalAccessor`. This component ensures that the security context is propagated between `ThreadLocal` and the Reactor asynchronous execution. See gh-29140
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/graphql/security/GraphQlWebFluxSecurityAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/graphql/security/GraphQlWebFluxSecurityAutoConfiguration.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.graphql.security;
+
+import graphql.GraphQL;
+
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.graphql.reactive.GraphQlWebFluxAutoConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.graphql.security.ReactiveSecurityDataFetcherExceptionResolver;
+import org.springframework.graphql.web.webflux.GraphQlHttpHandler;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+
+/**
+ * {@link EnableAutoConfiguration Auto-configuration} for enabling Security support for
+ * Spring GraphQL with WebFlux.
+ *
+ * @author Brian Clozel
+ * @since 2.7.0
+ */
+@Configuration(proxyBeanMethods = false)
+@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
+@ConditionalOnClass({ GraphQL.class, GraphQlHttpHandler.class, EnableWebFluxSecurity.class })
+@ConditionalOnBean(GraphQlHttpHandler.class)
+@AutoConfigureAfter(GraphQlWebFluxAutoConfiguration.class)
+public class GraphQlWebFluxSecurityAutoConfiguration {
+
+	@Bean
+	@ConditionalOnMissingBean
+	public ReactiveSecurityDataFetcherExceptionResolver reactiveSecurityDataFetcherExceptionResolver() {
+		return new ReactiveSecurityDataFetcherExceptionResolver();
+	}
+
+}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/graphql/security/GraphQlWebMvcSecurityAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/graphql/security/GraphQlWebMvcSecurityAutoConfiguration.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.graphql.security;
+
+import graphql.GraphQL;
+
+import org.springframework.boot.autoconfigure.AutoConfigureAfter;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
+import org.springframework.boot.autoconfigure.graphql.servlet.GraphQlWebMvcAutoConfiguration;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.graphql.security.SecurityContextThreadLocalAccessor;
+import org.springframework.graphql.security.SecurityDataFetcherExceptionResolver;
+import org.springframework.graphql.web.webmvc.GraphQlHttpHandler;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+
+/**
+ * {@link EnableAutoConfiguration Auto-configuration} for enabling Security support for
+ * Spring GraphQL with MVC.
+ *
+ * @author Brian Clozel
+ * @since 2.7.0
+ */
+@Configuration(proxyBeanMethods = false)
+@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
+@ConditionalOnClass({ GraphQL.class, GraphQlHttpHandler.class, EnableWebSecurity.class })
+@ConditionalOnBean(GraphQlHttpHandler.class)
+@AutoConfigureAfter(GraphQlWebMvcAutoConfiguration.class)
+public class GraphQlWebMvcSecurityAutoConfiguration {
+
+	@Bean
+	@ConditionalOnMissingBean
+	public SecurityDataFetcherExceptionResolver securityDataFetcherExceptionResolver() {
+		return new SecurityDataFetcherExceptionResolver();
+	}
+
+	@Bean
+	@ConditionalOnMissingBean
+	public SecurityContextThreadLocalAccessor securityContextThreadLocalAccessor() {
+		return new SecurityContextThreadLocalAccessor();
+	}
+
+}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/graphql/security/package-info.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/graphql/security/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Auto-configuration classes for Security support in Spring GraphQL.
+ */
+package org.springframework.boot.autoconfigure.graphql.security;
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/resources/META-INF/spring.factories b/spring-boot-project/spring-boot-autoconfigure/src/main/resources/META-INF/spring.factories
@@ -75,6 +75,8 @@ org.springframework.boot.autoconfigure.graphql.data.GraphQlQueryByExampleAutoCon
 org.springframework.boot.autoconfigure.graphql.data.GraphQlQuerydslAutoConfiguration,\
 org.springframework.boot.autoconfigure.graphql.reactive.GraphQlWebFluxAutoConfiguration,\
 org.springframework.boot.autoconfigure.graphql.servlet.GraphQlWebMvcAutoConfiguration,\
+org.springframework.boot.autoconfigure.graphql.security.GraphQlWebFluxSecurityAutoConfiguration,\
+org.springframework.boot.autoconfigure.graphql.security.GraphQlWebMvcSecurityAutoConfiguration,\
 org.springframework.boot.autoconfigure.groovy.template.GroovyTemplateAutoConfiguration,\
 org.springframework.boot.autoconfigure.gson.GsonAutoConfiguration,\
 org.springframework.boot.autoconfigure.h2.H2ConsoleAutoConfiguration,\
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/graphql/security/GraphQlWebFluxSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/graphql/security/GraphQlWebFluxSecurityAutoConfigurationTests.java
@@ -0,0 +1,163 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.autoconfigure.graphql.security;
+
+import java.util.Collections;
+import java.util.function.Consumer;
+
+import graphql.schema.idl.TypeRuntimeWiring;
+import org.junit.jupiter.api.Test;
+import reactor.core.publisher.Mono;
+
+import org.springframework.boot.autoconfigure.AutoConfigurations;
+import org.springframework.boot.autoconfigure.graphql.Book;
+import org.springframework.boot.autoconfigure.graphql.GraphQlAutoConfiguration;
+import org.springframework.boot.autoconfigure.graphql.GraphQlTestDataFetchers;
+import org.springframework.boot.autoconfigure.graphql.reactive.GraphQlWebFluxAutoConfiguration;
+import org.springframework.boot.autoconfigure.http.codec.CodecsAutoConfiguration;
+import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration;
+import org.springframework.boot.autoconfigure.security.reactive.ReactiveSecurityAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.reactive.HttpHandlerAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.reactive.WebFluxAutoConfiguration;
+import org.springframework.boot.test.context.runner.ReactiveWebApplicationContextRunner;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.graphql.execution.ErrorType;
+import org.springframework.graphql.execution.RuntimeWiringConfigurer;
+import org.springframework.graphql.security.ReactiveSecurityDataFetcherExceptionResolver;
+import org.springframework.http.MediaType;
+import org.springframework.lang.Nullable;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.security.config.Customizer.withDefaults;
+
+/**
+ * Tests for {@link GraphQlWebFluxSecurityAutoConfiguration}.
+ *
+ * @author Brian Clozel
+ */
+class GraphQlWebFluxSecurityAutoConfigurationTests {
+
+	private static final String BASE_URL = "https://spring.example.org/graphql";
+
+	private final ReactiveWebApplicationContextRunner contextRunner = new ReactiveWebApplicationContextRunner()
+			.withConfiguration(AutoConfigurations.of(HttpHandlerAutoConfiguration.class, WebFluxAutoConfiguration.class,
+					CodecsAutoConfiguration.class, JacksonAutoConfiguration.class, GraphQlAutoConfiguration.class,
+					GraphQlWebFluxAutoConfiguration.class, GraphQlWebFluxSecurityAutoConfiguration.class,
+					ReactiveSecurityAutoConfiguration.class))
+			.withUserConfiguration(DataFetchersConfiguration.class, SecurityConfig.class)
+			.withPropertyValues("spring.main.web-application-type=reactive");
+
+	@Test
+	void contributesExceptionResolver() {
+		this.contextRunner.run(
+				(context) -> assertThat(context).hasSingleBean(ReactiveSecurityDataFetcherExceptionResolver.class));
+	}
+
+	@Test
+	void anonymousUserShouldBeUnauthorized() {
+		testWithWebClient((client) -> {
+			String query = "{ bookById(id: \\\"book-1\\\"){ id name pageCount author }}";
+			client.post().uri("").bodyValue("{  \"query\": \"" + query + "\"}").exchange().expectStatus().isOk()
+					.expectBody().jsonPath("data.bookById.name").doesNotExist()
+					.jsonPath("errors[0].extensions.classification").isEqualTo(ErrorType.UNAUTHORIZED.toString());
+		});
+	}
+
+	@Test
+	void authenticatedUserShouldGetData() {
+		testWithWebClient((client) -> {
+			String query = "{ bookById(id: \\\"book-1\\\"){ id name pageCount author }}";
+			client.post().uri("").headers((headers) -> headers.setBasicAuth("rob", "rob"))
+					.bodyValue("{  \"query\": \"" + query + "\"}").exchange().expectStatus().isOk().expectBody()
+					.jsonPath("data.bookById.name").isEqualTo("GraphQL for beginners")
+					.jsonPath("errors[0].extensions.classification").doesNotExist();
+		});
+	}
+
+	private void testWithWebClient(Consumer<WebTestClient> consumer) {
+		this.contextRunner.run((context) -> {
+			WebTestClient client = WebTestClient.bindToApplicationContext(context).configureClient()
+					.defaultHeaders((headers) -> {
+						headers.setContentType(MediaType.APPLICATION_JSON);
+						headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
+					}).baseUrl(BASE_URL).build();
+			consumer.accept(client);
+		});
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	static class DataFetchersConfiguration {
+
+		@Bean
+		RuntimeWiringConfigurer bookDataFetcher(BookService bookService) {
+			return (builder) -> builder.type(TypeRuntimeWiring.newTypeWiring("Query").dataFetcher("bookById",
+					(env) -> bookService.getBookdById(env.getArgument("id"))));
+		}
+
+		@Bean
+		BookService bookService() {
+			return new BookService();
+		}
+
+	}
+
+	static class BookService {
+
+		@PreAuthorize("hasRole('USER')")
+		@Nullable
+		Mono<Book> getBookdById(String id) {
+			return Mono.justOrEmpty(GraphQlTestDataFetchers.getBookById(id));
+		}
+
+	}
+
+	@Configuration(proxyBeanMethods = false)
+	@EnableWebFluxSecurity
+	@EnableReactiveMethodSecurity
+	static class SecurityConfig {
+
+		@Bean
+		SecurityWebFilterChain springWebFilterChain(ServerHttpSecurity http) throws Exception {
+			return http.csrf((spec) -> spec.disable())
+					// Demonstrate that method security works
+					// Best practice to use both for defense in depth
+					.authorizeExchange((requests) -> requests.anyExchange().permitAll()).httpBasic(withDefaults())
+					.build();
+		}
+
+		@Bean
+		@SuppressWarnings("deprecation")
+		MapReactiveUserDetailsService userDetailsService() {
+			User.UserBuilder userBuilder = User.withDefaultPasswordEncoder();
+			UserDetails rob = userBuilder.username("rob").password("rob").roles("USER").build();
+			UserDetails admin = userBuilder.username("admin").password("admin").roles("USER", "ADMIN").build();
+			return new MapReactiveUserDetailsService(rob, admin);
+		}
+
+	}
+
+}
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/graphql/security/GraphQlWebMvcSecurityAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/graphql/security/GraphQlWebMvcSecurityAutoConfigurationTests.java
