mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36370 Commits
59 Branches
Tree: d42e73cd8a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd42e73cd8a'
${ noResults }
sonarqube/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest....

GitLabIdentityProviderTest.java 11KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2024 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.gitlab;

  21. 

  22. import com.github.scribejava.core.model.OAuth2AccessToken;

  23. import com.github.scribejava.core.model.OAuthConstants;

  24. import com.github.scribejava.core.oauth.OAuth20Service;

  25. import com.tngtech.java.junit.dataprovider.DataProvider;

  26. import com.tngtech.java.junit.dataprovider.DataProviderRunner;

  27. import com.tngtech.java.junit.dataprovider.UseDataProvider;

  28. import java.io.IOException;

  29. import java.util.List;

  30. import java.util.Set;

  31. import java.util.concurrent.ExecutionException;

  32. import org.junit.Before;

  33. import org.junit.Test;

  34. import org.junit.runner.RunWith;

  35. import org.mockito.Answers;

  36. import org.mockito.ArgumentCaptor;

  37. import org.mockito.Mock;

  38. import org.sonar.api.server.authentication.Display;

  39. import org.sonar.api.server.authentication.OAuth2IdentityProvider;

  40. import org.sonar.api.server.authentication.UnauthorizedException;

  41. import org.sonar.api.server.authentication.UserIdentity;

  42. 

  43. import static java.util.stream.Collectors.toSet;

  44. import static org.assertj.core.api.Assertions.assertThat;

  45. import static org.assertj.core.api.Assertions.assertThatExceptionOfType;

  46. import static org.assertj.core.api.Assertions.assertThatIllegalStateException;

  47. import static org.mockito.Mockito.any;

  48. import static org.mockito.Mockito.mock;

  49. import static org.mockito.Mockito.never;

  50. import static org.mockito.Mockito.verify;

  51. import static org.mockito.Mockito.when;

  52. import static org.mockito.MockitoAnnotations.openMocks;

  53. 

  54. @RunWith(DataProviderRunner.class)

  55. public class GitLabIdentityProviderTest {

  56. 

  57.   private static final String OAUTH_CODE = "code fdsojfsjodfg";

  58.   private static final String AUTHORIZATION_URL = "AUTHORIZATION_URL";

  59.   private static final String CALLBACK_URL = "CALLBACK_URL";

  60.   private static final String STATE = "State request";

  61. 

  62.   @Mock

  63.   private GitLabRestClient gitLabRestClient;

  64.   @Mock

  65.   private GitLabSettings gitLabSettings;

  66.   @Mock(answer = Answers.RETURNS_DEEP_STUBS)

  67.   private GitLabIdentityProvider.ScribeFactory scribeFactory;

  68.   @Mock

  69.   private OAuth2IdentityProvider.InitContext initContext;

  70.   @Mock(answer = Answers.RETURNS_DEEP_STUBS)

  71.   private OAuth2IdentityProvider.CallbackContext callbackContext;

  72.   @Mock

  73.   private OAuth20Service scribe;

  74.   @Mock

  75.   private ScribeGitLabOauth2Api scribeApi;

  76.   @Mock

  77.   private OAuth2AccessToken accessToken;

  78. 

  79.   private GitLabIdentityProvider gitLabIdentityProvider;

  80. 

  81.   @Before

  82.   public void setup() throws IOException, ExecutionException, InterruptedException {

  83.     openMocks(this);

  84.     gitLabIdentityProvider = new GitLabIdentityProvider(gitLabSettings, gitLabRestClient, scribeApi, scribeFactory);

  85. 

  86.     when(initContext.generateCsrfState()).thenReturn(STATE);

  87.     when(initContext.getCallbackUrl()).thenReturn(CALLBACK_URL);

  88. 

  89.     when(callbackContext.getCallbackUrl()).thenReturn(CALLBACK_URL);

  90.     when(callbackContext.getHttpRequest().getParameter(OAuthConstants.CODE)).thenReturn(OAUTH_CODE);

  91. 

  92.     when(scribeFactory.newScribe(gitLabSettings, CALLBACK_URL, scribeApi)).thenReturn(scribe);

  93.     when(scribe.getAccessToken(OAUTH_CODE)).thenReturn(accessToken);

  94.     when(scribe.getAuthorizationUrl(STATE)).thenReturn(AUTHORIZATION_URL);

  95.   }

  96. 

  97.   @Test

  98.   public void test_identity_provider() {

  99.     when(gitLabSettings.isEnabled()).thenReturn(true);

  100.     when(gitLabSettings.allowUsersToSignUp()).thenReturn(true);

  101. 

  102.     assertThat(gitLabIdentityProvider.getKey()).isEqualTo("gitlab");

  103.     assertThat(gitLabIdentityProvider.getName()).isEqualTo("GitLab");

  104.     Display display = gitLabIdentityProvider.getDisplay();

  105.     assertThat(display.getIconPath()).isEqualTo("/images/alm/gitlab.svg");

  106.     assertThat(display.getBackgroundColor()).isEqualTo("#6a4fbb");

  107.     assertThat(gitLabIdentityProvider.isEnabled()).isTrue();

  108.     assertThat(gitLabIdentityProvider.allowsUsersToSignUp()).isTrue();

  109.   }

  110. 

  111.   @Test

  112.   public void init_whenSuccessful_redirectsToUrl() {

  113.     gitLabIdentityProvider.init(initContext);

  114. 

  115.     verify(initContext).generateCsrfState();

  116.     verify(initContext).redirectTo(AUTHORIZATION_URL);

  117.   }

  118. 

  119.   @Test

  120.   public void init_whenErrorWhileBuildingScribe_shouldReThrow() {

  121.     IllegalStateException exception = new IllegalStateException("GitLab authentication is disabled");

  122.     when(scribeFactory.newScribe(any(), any(), any())).thenThrow(exception);

  123. 

  124.     OAuth2IdentityProvider.InitContext initContext = mock(OAuth2IdentityProvider.InitContext.class);

  125.     when(initContext.getCallbackUrl()).thenReturn("http://server/callback");

  126. 

  127.     assertThatIllegalStateException()

  128.       .isThrownBy(() -> gitLabIdentityProvider.init(initContext))

  129.       .isEqualTo(exception);

  130.   }

  131. 

  132.   @Test

  133.   public void onCallback_withGroupSyncDisabledAndNoAllowedGroups_redirectsToRequestedPage() {

  134.     GsonUser gsonUser = mockGsonUser();

  135. 

  136.     gitLabIdentityProvider.callback(callbackContext);

  137. 

  138.     verifyAuthenticateIsCalledWithExpectedIdentity(callbackContext, gsonUser, Set.of());

  139.     verify(callbackContext).redirectToRequestedPage();

  140.     verify(gitLabRestClient, never()).getGroups(any(), any());

  141.   }

  142. 

  143.   @Test

  144.   public void onCallback_withGroupSyncDisabledAndAllowedGroups_redirectsToRequestedPage() {

  145.     when(gitLabSettings.syncUserGroups()).thenReturn(false);

  146. 

  147.     GsonUser gsonUser = mockGsonUser();

  148. 

  149.     gitLabIdentityProvider.callback(callbackContext);

  150. 

  151.     verifyAuthenticateIsCalledWithExpectedIdentity(callbackContext, gsonUser, Set.of());

  152.     verify(callbackContext).redirectToRequestedPage();

  153.     verify(gitLabRestClient, never()).getGroups(any(), any());

  154.   }

  155. 

  156.   @Test

  157.   @UseDataProvider("allowedGroups")

  158.   public void onCallback_withGroupSyncAndAllowedGroupsMatching_redirectsToRequestedPage(Set<String> allowedGroups) {

  159.     when(gitLabSettings.syncUserGroups()).thenReturn(true);

  160.     when(gitLabSettings.allowedGroups()).thenReturn(allowedGroups);

  161. 

  162.     GsonUser gsonUser = mockGsonUser();

  163.     Set<GsonGroup> gsonGroups = mockGitlabGroups();

  164. 

  165.     gitLabIdentityProvider.callback(callbackContext);

  166. 

  167.     verifyAuthenticateIsCalledWithExpectedIdentity(callbackContext, gsonUser, gsonGroups);

  168.     verify(callbackContext).redirectToRequestedPage();

  169.   }

  170. 

  171.   @DataProvider

  172.   public static Object[][] allowedGroups() {

  173.     return new Object[][]{

  174.       {Set.of()},

  175.       {Set.of("path")}

  176.     };

  177.   }

  178. 

  179.   @Test

  180.   public void onCallback_withGroupSyncAndAllowedGroupsNotMatching_shouldThrow() {

  181.     when(gitLabSettings.syncUserGroups()).thenReturn(true);

  182.     when(gitLabSettings.allowedGroups()).thenReturn(Set.of("path2"));

  183. 

  184.     mockGsonUser();

  185.     mockGitlabGroups();

  186. 

  187.     assertThatExceptionOfType(UnauthorizedException.class)

  188.       .isThrownBy(() -> gitLabIdentityProvider.callback(callbackContext))

  189.       .withMessage("You are not allowed to authenticate");

  190.   }

  191. 

  192.   @Test

  193.   public void onCallback_ifScribeFactoryFails_shouldThrow() {

  194.     IllegalStateException exception = new IllegalStateException("message");

  195.     when(scribeFactory.newScribe(any(), any(), any())).thenThrow(exception);

  196. 

  197.     assertThatIllegalStateException()

  198.       .isThrownBy(() -> gitLabIdentityProvider.callback(callbackContext))

  199.       .isEqualTo(exception);

  200.   }

  201. 

  202.   private Set<GsonGroup> mockGitlabGroups() {

  203.     GsonGroup gsonGroup = mock(GsonGroup.class);

  204.     when(gsonGroup.getFullPath()).thenReturn("path/to/group");

  205.     GsonGroup gsonGroup2 = mock(GsonGroup.class);

  206.     when(gsonGroup2.getFullPath()).thenReturn("path/to/group2");

  207.     when(gitLabRestClient.getGroups(scribe, accessToken)).thenReturn(List.of(gsonGroup, gsonGroup2));

  208.     return Set.of(gsonGroup, gsonGroup2);

  209.   }

  210. 

  211.   private static void verifyAuthenticateIsCalledWithExpectedIdentity(OAuth2IdentityProvider.CallbackContext callbackContext,

  212.     GsonUser gsonUser, Set<GsonGroup> gsonGroups) {

  213.     ArgumentCaptor<UserIdentity> userIdentityCaptor = ArgumentCaptor.forClass(UserIdentity.class);

  214.     verify(callbackContext).authenticate(userIdentityCaptor.capture());

  215. 

  216.     UserIdentity actualIdentity = userIdentityCaptor.getValue();

  217. 

  218.     assertThat(actualIdentity.getProviderId()).asLong().isEqualTo(gsonUser.getId());

  219.     assertThat(actualIdentity.getProviderLogin()).isEqualTo(gsonUser.getUsername());

  220.     assertThat(actualIdentity.getName()).isEqualTo(gsonUser.getName());

  221.     assertThat(actualIdentity.getEmail()).isEqualTo(gsonUser.getEmail());

  222.     assertThat(actualIdentity.getGroups()).isEqualTo(gsonGroups.stream().map(GsonGroup::getFullPath).collect(toSet()));

  223.   }

  224. 

  225.   private GsonUser mockGsonUser() {

  226.     GsonUser gsonUser = mock();

  227.     when(gsonUser.getId()).thenReturn(432423L);

  228.     when(gsonUser.getUsername()).thenReturn("userName");

  229.     when(gsonUser.getName()).thenReturn("name");

  230.     when(gsonUser.getEmail()).thenReturn("toto@gitlab.com");

  231.     when(gitLabRestClient.getUser(scribe, accessToken)).thenReturn(gsonUser);

  232.     return gsonUser;

  233.   }

  234. 

  235.   @Test

  236.   public void newScribe_whenGitLabAuthIsDisabled_throws() {

  237.     when(gitLabSettings.isEnabled()).thenReturn(false);

  238. 

  239.     assertThatIllegalStateException()

  240.       .isThrownBy(() -> new GitLabIdentityProvider.ScribeFactory().newScribe(gitLabSettings, CALLBACK_URL, new ScribeGitLabOauth2Api(gitLabSettings)))

  241.       .withMessage("GitLab authentication is disabled");

  242.   }

  243. 

  244.   @Test

  245.   @UseDataProvider("groupsSyncToScope")

  246.   public void newScribe_whenGitLabSettingsValid_shouldUseCorrectScopeDependingOnGroupSync(boolean groupSyncEnabled, String expectedScope) {

  247.     setupGitlabSettingsWithGroupSync(groupSyncEnabled);

  248. 

  249. 

  250.     OAuth20Service realScribe = new GitLabIdentityProvider.ScribeFactory().newScribe(gitLabSettings, CALLBACK_URL,

  251.       new ScribeGitLabOauth2Api(gitLabSettings));

  252. 

  253.     assertThat(realScribe).isNotNull();

  254.     assertThat(realScribe.getCallback()).isEqualTo(CALLBACK_URL);

  255.     assertThat(realScribe.getApiSecret()).isEqualTo(gitLabSettings.secret());

  256.     assertThat(realScribe.getDefaultScope()).isEqualTo(expectedScope);

  257.   }

  258. 

  259.   @DataProvider

  260.   public static Object[][] groupsSyncToScope() {

  261.     return new Object[][]{

  262.       {false, "read_user"},

  263.       {true, "api"}

  264.     };

  265.   }

  266. 

  267.   private void setupGitlabSettingsWithGroupSync(boolean enableGroupSync) {

  268.     when(gitLabSettings.isEnabled()).thenReturn(true);

  269.     when(gitLabSettings.applicationId()).thenReturn("123");

  270.     when(gitLabSettings.secret()).thenReturn("456");

  271.     when(gitLabSettings.syncUserGroups()).thenReturn(enableGroupSync);

  272.   }

  273. }