source.dussan.org Git - sonarqube.git/blob

   1 /*
   2  * SonarQube
   3  * Copyright (C) 2009-2024 SonarSource SA
   4  * mailto:info AT sonarsource DOT com
   5  *
   6  * This program is free software; you can redistribute it and/or
   7  * modify it under the terms of the GNU Lesser General Public
   8  * License as published by the Free Software Foundation; either
   9  * version 3 of the License, or (at your option) any later version.
  10  *
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  14  * Lesser General Public License for more details.
  15  *
  16  * You should have received a copy of the GNU Lesser General Public License
  17  * along with this program; if not, write to the Free Software Foundation,
  18  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  19  */
  20 package org.sonar.server.authentication;
  21
  22 import com.tngtech.java.junit.dataprovider.DataProvider;
  23 import com.tngtech.java.junit.dataprovider.DataProviderRunner;
  24 import com.tngtech.java.junit.dataprovider.UseDataProvider;
  25 import java.util.Optional;
  26 import javax.annotation.Nullable;
  27 import org.junit.Before;
  28 import org.junit.Test;
  29 import org.junit.runner.RunWith;
  30 import org.mockito.ArgumentCaptor;
  31 import org.sonar.api.server.http.Cookie;
  32 import org.sonar.api.server.http.HttpRequest;
  33 import org.sonar.api.server.http.HttpResponse;
  34 import org.sonar.server.http.JavaxHttpRequest;
  35
  36 import static org.assertj.core.api.Assertions.assertThat;
  37 import static org.mockito.ArgumentMatchers.any;
  38 import static org.mockito.Mockito.mock;
  39 import static org.mockito.Mockito.never;
  40 import static org.mockito.Mockito.verify;
  41 import static org.mockito.Mockito.when;
  42
  43 @RunWith(DataProviderRunner.class)
  44 public class OAuth2AuthenticationParametersImplTest {
  45
  46   private static final String AUTHENTICATION_COOKIE_NAME = "AUTH-PARAMS";
  47   private final ArgumentCaptor<Cookie> cookieArgumentCaptor = ArgumentCaptor.forClass(Cookie.class);
  48   private final HttpResponse response = mock(HttpResponse.class);
  49   private final HttpRequest request = mock(HttpRequest.class);
  50
  51   private final OAuth2AuthenticationParameters underTest = new OAuth2AuthenticationParametersImpl();
  52
  53   @Before
  54   public void setUp() {
  55     when(request.getContextPath()).thenReturn("");
  56   }
  57
  58   @Test
  59   public void init_create_cookie() {
  60     when(request.getParameter("return_to")).thenReturn("/admin/settings");
  61
  62     underTest.init(request, response);
  63
  64     verify(response).addCookie(cookieArgumentCaptor.capture());
  65     Cookie cookie = cookieArgumentCaptor.getValue();
  66     assertThat(cookie.getName()).isEqualTo(AUTHENTICATION_COOKIE_NAME);
  67     assertThat(cookie.getValue()).isNotEmpty();
  68     assertThat(cookie.getPath()).isEqualTo("/");
  69     assertThat(cookie.isHttpOnly()).isTrue();
  70     assertThat(cookie.getMaxAge()).isEqualTo(300);
  71     assertThat(cookie.isSecure()).isFalse();
  72   }
  73
  74   @Test
  75   public void init_does_not_create_cookie_when_no_parameter() {
  76     underTest.init(request, response);
  77
  78     verify(response, never()).addCookie(any(Cookie.class));
  79   }
  80
  81   @Test
  82   public void init_does_not_create_cookie_when_parameters_are_empty() {
  83     when(request.getParameter("return_to")).thenReturn("");
  84     when(request.getParameter("allowEmailShift")).thenReturn("");
  85
  86     underTest.init(request, response);
  87
  88     verify(response, never()).addCookie(any(Cookie.class));
  89   }
  90
  91   @Test
  92   public void init_does_not_create_cookie_when_parameters_are_null() {
  93     when(request.getParameter("return_to")).thenReturn(null);
  94     when(request.getParameter("allowEmailShift")).thenReturn(null);
  95
  96     underTest.init(request, response);
  97
  98     verify(response, never()).addCookie(any(Cookie.class));
  99   }
 100
 101   @Test
 102   @DataProvider({"http://example.com", "/\t/example.com", "//local_file", "/\\local_file", "something_else"})
 103   public void get_return_to_is_not_set_when_not_local(String url) {
 104     when(request.getParameter("return_to")).thenReturn(url);
 105
 106     assertThat(underTest.getReturnTo(request)).isEmpty();
 107   }
 108
 109   @Test
 110   public void get_return_to_parameter() {
 111     when(request.getCookies()).thenReturn(new Cookie[]{wrapCookie(AUTHENTICATION_COOKIE_NAME, "{\"return_to\":\"/admin/settings\"}")});
 112
 113     Optional<String> redirection = underTest.getReturnTo(request);
 114
 115     assertThat(redirection).contains("/admin/settings");
 116   }
 117
 118   @Test
 119   public void get_return_to_is_empty_when_no_cookie() {
 120     when(request.getCookies()).thenReturn(new Cookie[]{});
 121
 122     Optional<String> redirection = underTest.getReturnTo(request);
 123
 124     assertThat(redirection).isEmpty();
 125   }
 126
 127   @Test
 128   public void get_return_to_is_empty_when_no_value() {
 129     when(request.getCookies()).thenReturn(new Cookie[]{wrapCookie(AUTHENTICATION_COOKIE_NAME, "{}")});
 130
 131     Optional<String> redirection = underTest.getReturnTo(request);
 132
 133     assertThat(redirection).isEmpty();
 134   }
 135
 136   @Test
 137   public void delete() {
 138     when(request.getCookies()).thenReturn(new Cookie[]{wrapCookie(AUTHENTICATION_COOKIE_NAME, "{\"return_to\":\"/admin/settings\"}")});
 139
 140     underTest.delete(request, response);
 141
 142     verify(response).addCookie(cookieArgumentCaptor.capture());
 143     Cookie updatedCookie = cookieArgumentCaptor.getValue();
 144     assertThat(updatedCookie.getName()).isEqualTo(AUTHENTICATION_COOKIE_NAME);
 145     assertThat(updatedCookie.getValue()).isNull();
 146     assertThat(updatedCookie.getPath()).isEqualTo("/");
 147     assertThat(updatedCookie.getMaxAge()).isZero();
 148   }
 149
 150   @DataProvider
 151   public static Object[][] payloadToSanitizeAndExpectedOutcome() {
 152     return new Object[][]{
 153       {generatePath("/admin/settings"), "/admin/settings"},
 154       {generatePath("/admin/../../settings"), "/settings"},
 155       {generatePath("/admin/../settings"), "/settings"},
 156       {generatePath("/admin/settings/.."), "/admin"},
 157       {generatePath("/admin/..%2fsettings/"), "/settings"},
 158       {generatePath("/admin/%2e%2e%2fsettings/"), "/settings"},
 159       {generatePath("../admin/settings"), null},
 160     };
 161   }
 162
 163   private static String generatePath(String returnTo) {
 164     return "{\"return_to\":\"" + returnTo + "\"}";
 165   }
 166
 167   @Test
 168   @UseDataProvider("payloadToSanitizeAndExpectedOutcome")
 169   public void getReturnTo_whenContainingPathTraversalCharacters_sanitizeThem(String payload, @Nullable String expectedSanitizedUrl) {
 170     when(request.getCookies()).thenReturn(new Cookie[]{wrapCookie(AUTHENTICATION_COOKIE_NAME, payload)});
 171
 172     Optional<String> redirection = underTest.getReturnTo(request);
 173
 174     assertThat(redirection).isEqualTo(Optional.ofNullable(expectedSanitizedUrl));
 175   }
 176
 177   private JavaxHttpRequest.JavaxCookie wrapCookie(String name, String value) {
 178     return new JavaxHttpRequest.JavaxCookie(new javax.servlet.http.Cookie(name, value));
 179   }
 180 }