Added filtering optionals to DefaultMethodSecurityExpressionHandler

markbanierink · markbanierink · commit 3cc245c6ce20 · 2021-07-18T15:22:39.000+02:00
diff --git a/core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java b/core/src/main/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandler.java
@@ -23,6 +23,7 @@
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.stream.Stream;
 
 import org.aopalliance.intercept.MethodInvocation;
@@ -94,7 +95,7 @@ protected MethodSecurityExpressionOperations createSecurityExpressionRoot(Authen
 
 	/**
 	 * Filters the {@code filterTarget} object (which must be either a collection, array,
-	 * map or stream), by evaluating the supplied expression.
+	 * map, stream or optional), by evaluating the supplied expression.
 	 * <p>
 	 * If a {@code Collection} or {@code Map} is used, the original instance will be
 	 * modified to contain the elements for which the permission expression evaluates to
@@ -117,8 +118,11 @@ public Object filter(Object filterTarget, Expression filterExpression, Evaluatio
 		if (filterTarget instanceof Stream) {
 			return filterStream((Stream<?>) filterTarget, filterExpression, ctx, rootObject);
 		}
+		if (filterTarget instanceof Optional) {
+			return filterOptional((Optional<?>) filterTarget, filterExpression, ctx, rootObject);
+		}
 		throw new IllegalArgumentException(
-				"Filter target must be a collection, array, map or stream type, but was " + filterTarget);
+				"Filter target must be a collection, array, map, stream or optional type, but was " + filterTarget);
 	}
 
 	private <T> Object filterCollection(Collection<T> filterTarget, Expression filterExpression, EvaluationContext ctx,
@@ -186,6 +190,14 @@ private Object filterStream(final Stream<?> filterTarget, Expression filterExpre
 		}).onClose(filterTarget::close);
 	}
 
+	private Object filterOptional(final Optional<?> filterTarget, Expression filterExpression, EvaluationContext ctx,
+			MethodSecurityExpressionOperations rootObject) {
+		return filterTarget.filter(filterObject -> {
+			rootObject.setFilterObject(filterObject);
+			return ExpressionUtils.evaluateAsBoolean(filterExpression, ctx);
+		});
+	}
+
 	/**
 	 * Sets the {@link AuthenticationTrustResolver} to be used. The default is
 	 * {@link AuthenticationTrustResolverImpl}.
diff --git a/core/src/test/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandlerTests.java b/core/src/test/java/org/springframework/security/access/expression/method/DefaultMethodSecurityExpressionHandlerTests.java
@@ -19,6 +19,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -167,6 +168,39 @@ public void filterStreamWhenClosedThenUpstreamGetsClosed() {
 		verify(upstream).close();
 	}
 
+	@Test
+	@SuppressWarnings("unchecked")
+	public void filterMatchingOptional() {
+		final Optional<String> optional = Optional.of("1");
+		Expression expression = this.handler.getExpressionParser().parseExpression("filterObject ne '2'");
+		EvaluationContext context = this.handler.createEvaluationContext(this.authentication, this.methodInvocation);
+		Object filtered = this.handler.filter(optional, expression, context);
+		Optional<String> result = ((Optional<String>) filtered);
+		assertThat(result).isPresent().get().isEqualTo("1");
+	}
+
+	@Test
+	@SuppressWarnings("unchecked")
+	public void filterNotMatchingOptional() {
+		final Optional<String> optional = Optional.of("2");
+		Expression expression = this.handler.getExpressionParser().parseExpression("filterObject ne '2'");
+		EvaluationContext context = this.handler.createEvaluationContext(this.authentication, this.methodInvocation);
+		Object filtered = this.handler.filter(optional, expression, context);
+		Optional<String> result = ((Optional<String>) filtered);
+		assertThat(result).isNotPresent();
+	}
+
+	@Test
+	@SuppressWarnings("unchecked")
+	public void filterEmptyOptional() {
+		final Optional<String> optional = Optional.empty();
+		Expression expression = this.handler.getExpressionParser().parseExpression("filterObject ne '2'");
+		EvaluationContext context = this.handler.createEvaluationContext(this.authentication, this.methodInvocation);
+		Object filtered = this.handler.filter(optional, expression, context);
+		Optional<String> result = ((Optional<String>) filtered);
+		assertThat(result).isNotPresent();
+	}
+
 	static class Foo {
 
 		void bar() {
