2단계 - 인가(Authorization) 리뷰 요청 드립니다. (#15)

* practice - /members/me

* practice - authorization filter

* feat: AuthorizationManager, AuthorizationDecision 구현

* refactor: 기존의 AuthorizationFilter 인가 로직을 RequestAuthorizationManager로 리팩토링

* test: 테스트 코드 구조화

- testFixture 추가
- 기존 테스트 코드 구조 변경
- 사용하지 않는 테스트 클래스 제거

* refactor: 기존의 SecuredMethodInterceptor 인가 로직을 SecuredAuthorizationManager로 리팩토링

* feat: RequestMatcherRegistry와 RequestMatcher를 작성하고, RequestMatcher의 구현체를 작성

* feat: 각 요청별 인가 로직을 담당하는 AuthorizationManager들 작성

* remove: 피드백 반영 - app 패키지의 불필요한 코드 제거

* refactor: 피드백 반영 - match 메소드의 null-safe한 코드로 변경

* refactor: 피드백 반영 - 인스턴스화 -> 상수 사용으로 변경

* refactor: 피드백 반영 - 역할과 책임 분리

* refactor: 피드백 반영 check -> authorize로 변경

---------

Co-authored-by: boorownie <[email protected]>

Author: ParkSeryu

src/main/java/nextstep/app/SecurityConfig.java

@@ -1,26 +1,39 @@
 package nextstep.app;
 
+import jakarta.servlet.http.HttpServletRequest;
+import java.util.ArrayList;
 import nextstep.app.domain.Member;
 import nextstep.app.domain.MemberRepository;
 import nextstep.security.authentication.AuthenticationException;
 import nextstep.security.authentication.BasicAuthenticationFilter;
 import nextstep.security.authentication.UsernamePasswordAuthenticationFilter;
-import nextstep.security.authorization.CheckAuthenticationFilter;
-import nextstep.security.authorization.SecuredAspect;
+import nextstep.security.authorization.AuthorizationFilter;
+import nextstep.security.authorization.AuthorizationManager;
 import nextstep.security.authorization.SecuredMethodInterceptor;
+import nextstep.security.authorization.method.SecuredAuthorizationManager;
+import nextstep.security.authorization.web.AuthenticatedAuthorizationManager;
+import nextstep.security.authorization.web.AuthorityAuthorizationManager;
+import nextstep.security.authorization.web.DenyAllAuthorizationManager;
+import nextstep.security.authorization.web.RequestMatcherDelegatingAuthorizationManager;
 import nextstep.security.config.DefaultSecurityFilterChain;
 import nextstep.security.config.DelegatingFilterProxy;
 import nextstep.security.config.FilterChainProxy;
 import nextstep.security.config.SecurityFilterChain;
 import nextstep.security.context.SecurityContextHolderFilter;
 import nextstep.security.userdetails.UserDetails;
 import nextstep.security.userdetails.UserDetailsService;
+import nextstep.security.util.AnyRequestMatcher;
+import nextstep.security.util.MvcRequestMatcher;
+import nextstep.security.util.RequestMatcherEntry;
+import nextstep.security.authorization.web.PermitAllAuthorizationManager;
+import org.aopalliance.intercept.MethodInvocation;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 
 import java.util.List;
 import java.util.Set;
+import org.springframework.http.HttpMethod;
 
 @EnableAspectJAutoProxy
 @Configuration
@@ -44,12 +57,26 @@ public FilterChainProxy filterChainProxy(List<SecurityFilterChain> securityFilte
 
     @Bean
     public SecuredMethodInterceptor securedMethodInterceptor() {
-        return new SecuredMethodInterceptor();
+        return new SecuredMethodInterceptor(securedAuthorizationManager());
+    }
+
+    @Bean
+    public AuthorizationManager<MethodInvocation> securedAuthorizationManager() {
+         return new SecuredAuthorizationManager();
+    }
+
+    @Bean
+    public AuthorizationManager<HttpServletRequest> requestAuthorizationManager() {
+        List<RequestMatcherEntry<AuthorizationManager>> mappings = new ArrayList<>();
+        mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/members"),
+                new AuthorityAuthorizationManager<HttpServletRequest>(Set.of("ADMIN"))));
+        mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/members/me"),
+                new AuthenticatedAuthorizationManager()));
+        mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/search"),
+                new PermitAllAuthorizationManager()));
+        mappings.add(new RequestMatcherEntry<>(AnyRequestMatcher.INSTANCE, new DenyAllAuthorizationManager()));
+        return new RequestMatcherDelegatingAuthorizationManager(mappings);
     }
-//    @Bean
-//    public SecuredAspect securedAspect() {
-//        return new SecuredAspect();
-//    }
 
     @Bean
     public SecurityFilterChain securityFilterChain() {
@@ -58,7 +85,7 @@ public SecurityFilterChain securityFilterChain() {
                         new SecurityContextHolderFilter(),
                         new UsernamePasswordAuthenticationFilter(userDetailsService()),
                         new BasicAuthenticationFilter(userDetailsService()),
-                        new CheckAuthenticationFilter()
+                        new AuthorizationFilter(requestAuthorizationManager())
                 )
         );
     }

src/main/java/nextstep/app/ui/MemberController.java

@@ -2,7 +2,10 @@
 
 import nextstep.app.domain.Member;
 import nextstep.app.domain.MemberRepository;
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authentication.AuthenticationException;
 import nextstep.security.authorization.Secured;
+import nextstep.security.context.SecurityContextHolder;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -30,4 +33,15 @@ public ResponseEntity<List<Member>> search() {
         List<Member> members = memberRepository.findAll();
         return ResponseEntity.ok(members);
     }
+
+    @GetMapping("/members/me")
+    public ResponseEntity<Member> me() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+
+        String email = authentication.getPrincipal().toString();
+        Member member = memberRepository.findByEmail(email)
+                .orElseThrow(RuntimeException::new);
+
+        return ResponseEntity.ok(member);
+    }
 }

src/main/java/nextstep/security/authentication/BasicAuthenticationFilter.java

@@ -3,6 +3,7 @@
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import nextstep.security.authorization.ForbiddenException;
 import nextstep.security.context.SecurityContext;
 import nextstep.security.context.SecurityContextHolder;
 import nextstep.security.userdetails.UserDetailsService;
@@ -40,8 +41,12 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
             SecurityContextHolder.setContext(context);
 
             filterChain.doFilter(request, response);
-        } catch (Exception e) {
+        } catch (AuthenticationException e) {
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+        } catch (ForbiddenException e) {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+        } catch (Exception e) {
+            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
         }
     }
 

src/main/java/nextstep/security/authorization/AuthorizationDecision.java

@@ -0,0 +1,22 @@
+package nextstep.security.authorization;
+
+import nextstep.security.authorization.web.AuthorizationResult;
+
+public class AuthorizationDecision implements AuthorizationResult {
+    public static final AuthorizationDecision ALLOW = new AuthorizationDecision(true);
+    public static final AuthorizationDecision DENY = new AuthorizationDecision(false);
+
+    private final boolean granted;
+
+    public AuthorizationDecision(boolean granted) {
+        this.granted = granted;
+    }
+
+    public boolean isGranted() {
+        return granted;
+    }
+
+    public static AuthorizationDecision of(boolean granted) {
+        return granted ? ALLOW : DENY;
+    }
+}

src/main/java/nextstep/security/authorization/AuthorizationFilter.java

@@ -0,0 +1,34 @@
+package nextstep.security.authorization;
+
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authorization.web.AuthorizationResult;
+import nextstep.security.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AuthorizationFilter extends OncePerRequestFilter {
+
+    private final AuthorizationManager<HttpServletRequest> authorizationManager;
+
+    public AuthorizationFilter(AuthorizationManager<HttpServletRequest> authorizationManager) {
+        this.authorizationManager = authorizationManager;
+    }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        AuthorizationResult authorizeResult = authorizationManager.authorize(authentication, request);
+
+        if (!authorizeResult.isGranted()) {
+            throw new ForbiddenException();
+        }
+
+        filterChain.doFilter(request, response);
+    }
+}

src/main/java/nextstep/security/authorization/AuthorizationManager.java

@@ -0,0 +1,14 @@
+package nextstep.security.authorization;
+
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authorization.web.AuthorizationResult;
+
+@FunctionalInterface
+public interface AuthorizationManager<T> {
+    @Deprecated
+    AuthorizationDecision check(Authentication authentication, T object);
+
+    default AuthorizationResult authorize(Authentication authentication, T object) {
+        return check(authentication, object);
+    }
+}

src/main/java/nextstep/security/authorization/CheckAuthenticationFilter.java

@@ -1,7 +1,7 @@
 package nextstep.security.authorization;
 
 import nextstep.security.authentication.Authentication;
-import nextstep.security.authentication.AuthenticationException;
+import nextstep.security.authorization.web.AuthorizationResult;
 import nextstep.security.context.SecurityContextHolder;
 import org.aopalliance.aop.Advice;
 import org.aopalliance.intercept.MethodInterceptor;
@@ -11,29 +11,25 @@
 import org.springframework.aop.framework.AopInfrastructureBean;
 import org.springframework.aop.support.annotation.AnnotationMatchingPointcut;
 
-import java.lang.reflect.Method;
-
 public class SecuredMethodInterceptor implements MethodInterceptor, PointcutAdvisor, AopInfrastructureBean {
 
+    private final AuthorizationManager<MethodInvocation> authorizationManager;
     private final Pointcut pointcut;
 
-    public SecuredMethodInterceptor() {
+    public SecuredMethodInterceptor(AuthorizationManager<MethodInvocation> authorizationManager) {
+        this.authorizationManager = authorizationManager;
         this.pointcut = new AnnotationMatchingPointcut(null, Secured.class);
     }
 
     @Override
     public Object invoke(MethodInvocation invocation) throws Throwable {
-        Method method = invocation.getMethod();
-        if (method.isAnnotationPresent(Secured.class)) {
-            Secured secured = method.getAnnotation(Secured.class);
-            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-            if (authentication == null) {
-                throw new AuthenticationException();
-            }
-            if (!authentication.getAuthorities().contains(secured.value())) {
-                throw new ForbiddenException();
-            }
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        AuthorizationResult authorizationResult = authorizationManager.authorize(authentication, invocation);
+
+        if (!authorizationResult.isGranted()) {
+            throw new ForbiddenException();
         }
+
         return invocation.proceed();
     }
 

src/main/java/nextstep/security/authorization/SecuredMethodInterceptor.java

@@ -0,0 +1,43 @@
+package nextstep.security.authorization.method;
+
+import java.lang.reflect.Method;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Set;
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authorization.AuthorizationDecision;
+import nextstep.security.authorization.AuthorizationManager;
+import nextstep.security.authorization.Secured;
+import nextstep.security.authorization.web.AuthorityAuthorizationManager;
+import org.aopalliance.intercept.MethodInvocation;
+
+public class SecuredAuthorizationManager implements AuthorizationManager<MethodInvocation> {
+
+    private AuthorityAuthorizationManager<Collection<String>> authorityAuthorizationManager;
+
+    public void setAuthorityAuthorizationManager(Collection<String> authorities) {
+        authorityAuthorizationManager = new AuthorityAuthorizationManager<>(authorities);
+    }
+
+    @Override
+    public AuthorizationDecision check(Authentication authentication, MethodInvocation invocation) {
+        Collection<String> authorities = getAuthorities(invocation);
+
+        if (authorities.isEmpty()) {
+            return null;
+        }
+        setAuthorityAuthorizationManager(authorities);
+        return authorities.isEmpty() ? null : authorityAuthorizationManager.check(authentication, authorities);
+    }
+
+    private Collection<String> getAuthorities(MethodInvocation invocation) {
+        Method method = invocation.getMethod();
+
+        if (!method.isAnnotationPresent(Secured.class)) {
+            return Collections.emptySet();
+        }
+
+        Secured secured = method.getAnnotation(Secured.class);
+        return Set.of(secured.value());
+    }
+}

src/main/java/nextstep/security/authorization/method/SecuredAuthorizationManager.java

@@ -0,0 +1,16 @@
+package nextstep.security.authorization.web;
+
+import jakarta.servlet.http.HttpServletRequest;
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authorization.AuthorizationDecision;
+import nextstep.security.authorization.AuthorizationManager;
+
+public class AuthenticatedAuthorizationManager implements AuthorizationManager<HttpServletRequest> {
+    @Override
+    public AuthorizationDecision check(Authentication authentication, HttpServletRequest object) {
+        if (authentication != null && authentication.isAuthenticated()) {
+            return AuthorizationDecision.ALLOW;
+        }
+        return AuthorizationDecision.DENY;
+    }
+}