From 3cd5d9fcd1413d87dc00f5dc59c49388416135fc Mon Sep 17 00:00:00 2001
From: Filip Hanik
Date: Thu, 10 Dec 2020 10:50:32 -0800
Subject: [PATCH] LdapAuthoritiesPopulator should be postProcessed to enable customizations, just like other objects in the LdapAuthenticationProviderConfigurer class
---
 .../LdapAuthenticationProviderConfigurer.java | 2 +-
 ...AuthenticationProviderConfigurerTests.java | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java
index ac956837b73..5102e79c3ae 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurer.java
@@ -140,7 +140,7 @@ private LdapAuthoritiesPopulator getLdapAuthoritiesPopulator() {
 defaultAuthoritiesPopulator.setGroupSearchFilter(this.groupSearchFilter);
 defaultAuthoritiesPopulator.setSearchSubtree(this.groupSearchSubtree);
 defaultAuthoritiesPopulator.setRolePrefix(this.rolePrefix);
- this.ldapAuthoritiesPopulator = defaultAuthoritiesPopulator;
+ this.ldapAuthoritiesPopulator = postProcess(defaultAuthoritiesPopulator);
 return defaultAuthoritiesPopulator;
 }
diff --git a/config/src/test/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurerTests.java
index 40e9f8e149e..e515e57b9be 100644
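Review bot: The unchanged `return defaultAuthoritiesPopulator;` right after the new assignment still hands back the instance that existed before post-processing, so when an ObjectPostProcessor returns a replacement (as the test in this patch does) the caller of this call receives the default populator while the field holds the customized one. This populator decides which authorities an LDAP-authenticated user is granted, so a post-processor meant to restrict or remap them could be silently skipped for whatever is built from the returned value. Returning the field keeps both paths consistent: `return this.ldapAuthoritiesPopulator;`. The start of getLdapAuthoritiesPopulator() is outside the hunk, so how later calls behave cannot be confirmed from here.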
--- a/config/src/test/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/authentication/configurers/ldap/LdapAuthenticationProviderConfigurerTests.java
@@ -19,11 +19,23 @@
 import org.junit.Before;
 import org.junit.Test;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.mapping.NullAuthoritiesMapper;
 import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
+import org.springframework.security.ldap.authentication.NullLdapAuthoritiesPopulator;
+import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
+import org.springframework.test.util.ReflectionTestUtils;
+
+import java.util.Collection;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.springframework.test.util.ReflectionTestUtils.getField;
+import static org.springframework.test.util.ReflectionTestUtils.invokeMethod;
 public class LdapAuthenticationProviderConfigurerTests {
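Review bot: The added `import org.springframework.test.util.ReflectionTestUtils;` looks unused, because the new tests reach `getField` and `invokeMethod` only through the two static imports added further down and the class was not imported before this change. Dropping that line leaves the static imports doing all the work. The new `import java.util.Collection;` also sits after the org.springframework group, which may not match the project's import ordering; the rest of the file is outside the hunk, so check it against the existing convention.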
@@ -42,4 +54,41 @@ public void getAuthoritiesMapper() throws Exception {
 assertThat(this.configurer.getAuthoritiesMapper()).isInstanceOf(NullAuthoritiesMapper.class);
 }
+ @Test
+ public void customAuthoritiesPopulator() throws Exception {
+ assertThat(getField(this.configurer, "ldapAuthoritiesPopulator")).isNull();
+ this.configurer.ldapAuthoritiesPopulator(new NullLdapAuthoritiesPopulator());
+ assertThat(getField(this.configurer, "ldapAuthoritiesPopulator")).isInstanceOf(NullLdapAuthoritiesPopulator.class);
+ }
+
+ @Test
+ public void authoritiesPopulatorIsPostProcessed() throws Exception {
+ assertThat(getField(this.configurer, "ldapAuthoritiesPopulator")).isNull();
+ this.configurer.contextSource(new DefaultSpringSecurityContextSource("ldap://localhost:389"));
+ this.configurer.addObjectPostProcessor(
+ new ObjectPostProcessor() {
+ @Override
+ public O postProcess(O object) {
+ if (object instanceof DefaultLdapAuthoritiesPopulator) {
+ return (O)new TestPostProcessLdapAuthoritiesPopulator();
+ }
+ else {
+ return object;
+ }
+ }
+ }
+ );
+ invokeMethod(this.configurer, "getLdapAuthoritiesPopulator");
+ assertThat(getField(this.configurer, "ldapAuthoritiesPopulator"))
+ .isInstanceOf(TestPostProcessLdapAuthoritiesPopulator.class);
+ }
+
+ private static class TestPostProcessLdapAuthoritiesPopulator implements LdapAuthoritiesPopulator {
+ @Override
+ public Collection getGrantedAuthorities(
+ DirContextOperations userData, String username) {
+ return null;
+ }
+ }
+
 }
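Review bot: `authoritiesPopulatorIsPostProcessed` asserts only the private field read back through reflection and discards the value returned by `getLdapAuthoritiesPopulator`, while the first hunk of this patch shows that method returning its local `defaultAuthoritiesPopulator` rather than the post-processed field. The test therefore passes even if the caller of that method ends up with the populator that never went through the post-processor, which is the object that would assign authorities to authenticated users. Capture and check the result as well: `Object returned = invokeMethod(this.configurer, "getLdapAuthoritiesPopulator");` followed by `assertThat(returned).isInstanceOf(TestPostProcessLdapAuthoritiesPopulator.class);`. A short comment on the test stating that it covers the replaced instance, not just an in-place mutation, would also help the next reader.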