}
private WsUserTokens.GenerateWsResponse doHandle(GenerateWsRequest request) {
- DbSession dbSession = dbClient.openSession(false);
- try {
+ try (DbSession dbSession = dbClient.openSession(false)) {
checkWsRequest(dbSession, request);
TokenPermissionsValidator.validate(userSession, request.getLogin());
UserTokenDto userTokenDto = insertTokenInDb(dbSession, request, tokenHash);
return buildResponse(userTokenDto, token);
- } finally {
- dbClient.closeSession(dbSession);
}
}
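Review bot: In doHandle(GenerateWsRequest) the call `checkWsRequest(dbSession, request)` still runs before `TokenPermissionsValidator.validate(userSession, request.getLogin())`, whereas the Revoke and Search handlers on this page validate permissions before touching the database. checkWsRequest is not shown, but the tests expect "unknown login" and "already exists" failures; if those originate there, a logged-in non-root user asking about another login is told whether that user exists or already holds a token of a given name before the permission check refuses the request. Swap the two statements so authorization comes first, `TokenPermissionsValidator.validate(userSession, request.getLogin()); checkWsRequest(dbSession, request);`, ideally moving validate() in front of the try block as the other two handlers do. The `token` and `tokenHash` values used on the return path are not defined on the lines shown, so part of the method's prelude appears to be outside the hunk.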
private void doHandle(RevokeWsRequest request) {
TokenPermissionsValidator.validate(userSession, request.getLogin());
- DbSession dbSession = dbClient.openSession(false);
- try {
+ try (DbSession dbSession = dbClient.openSession(false)) {
dbClient.userTokenDao().deleteByLoginAndName(dbSession, request.getLogin(), request.getName());
dbSession.commit();
- } finally {
- dbClient.closeSession(dbSession);
}
}
private SearchWsResponse doHandle(SearchWsRequest request) {
TokenPermissionsValidator.validate(userSession, request.getLogin());
- DbSession dbSession = dbClient.openSession(false);
- try {
+ try (DbSession dbSession = dbClient.openSession(false)) {
String login = request.getLogin();
checkLoginExists(dbSession, login);
List<UserTokenDto> userTokens = dbClient.userTokenDao().selectByLogin(dbSession, login);
return buildResponse(login, userTokens);
- } finally {
- dbClient.closeSession(dbSession);
}
}
package org.sonar.server.usertoken.ws;
import javax.annotation.Nullable;
-import org.sonar.core.permission.GlobalPermissions;
import org.sonar.server.user.UserSession;
import static org.sonar.server.user.AbstractUserSession.insufficientPrivilegesException;
}
static void validate(UserSession userSession, @Nullable String requestLogin) {
- if (userSession.hasPermission(GlobalPermissions.SYSTEM_ADMIN)
- || (requestLogin != null && requestLogin.equals(userSession.getLogin()))) {
- return;
+ userSession.checkLoggedIn();
+ if (!userSession.isRoot() && !isLoggedInUser(userSession, requestLogin)) {
+ throw insufficientPrivilegesException();
}
+ }
- throw insufficientPrivilegesException();
+ private static boolean isLoggedInUser(UserSession userSession, @Nullable String requestLogin) {
+ return requestLogin != null && requestLogin.equals(userSession.getLogin());
}
}
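Review bot: validate() now has two distinct failure modes, UnauthorizedException from `userSession.checkLoggedIn()` for an anonymous session and ForbiddenException from `insufficientPrivilegesException()` for a logged-in non-root user acting on someone else's login, but the method carries no Javadoc stating either, nor that a null requestLogin is accepted only for root. Add a Javadoc above the method summarizing that it requires a logged-in session that is either root or acting on its own login, with an @throws entry for each of the two exception types and a @param note that requestLogin may be null and then passes only for root. The helper name `isLoggedInUser` reads as "is the session logged in"; `isOwnLogin(userSession, requestLogin)` describes the comparison it actually performs. The enclosing class starts outside the hunk.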
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.sonar.api.utils.System2;
-import org.sonar.core.permission.GlobalPermissions;
import org.sonar.db.DbTester;
import org.sonar.server.exceptions.BadRequestException;
import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.ServerException;
+import org.sonar.server.exceptions.UnauthorizedException;
import org.sonar.server.tester.UserSessionRule;
import org.sonar.server.usertoken.TokenGenerator;
import org.sonar.server.ws.TestRequest;
public void setUp() {
when(tokenGenerator.generate()).thenReturn("123456789");
when(tokenGenerator.hash(anyString())).thenReturn("987654321");
- userSession
- .logIn()
- .setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
db.users().insertUser(newUserDto().setLogin(GRACE_HOPPER));
db.users().insertUser(newUserDto().setLogin(ADA_LOVELACE));
@Test
public void json_example() {
+ userSession.logIn().setRoot();
+
String response = ws.newRequest()
.setMediaType(MediaTypes.JSON)
.setParam(PARAM_LOGIN, GRACE_HOPPER)
@Test
public void a_user_can_generate_token_for_himself() {
- userSession.logIn(GRACE_HOPPER).setGlobalPermissions(GlobalPermissions.SCAN_EXECUTION);
+ userSession.logIn(GRACE_HOPPER);
GenerateWsResponse response = newRequest(null, TOKEN_NAME);
@Test
public void fail_if_name_is_longer_than_100_characters() {
+ userSession.logIn().setRoot();
+
expectedException.expect(IllegalArgumentException.class);
expectedException.expectMessage("Token name length (101) is longer than the maximum authorized (100)");
@Test
public void fail_if_login_does_not_exist() {
+ userSession.logIn().setRoot();
+
expectedException.expect(ForbiddenException.class);
newRequest("unknown-login", "any-name");
@Test
public void fail_if_name_is_blank() {
+ userSession.logIn().setRoot();
+
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("The 'name' parameter must not be blank");
@Test
public void fail_if_token_with_same_login_and_name_exists() {
+ userSession.logIn().setRoot();
+
newRequest(GRACE_HOPPER, TOKEN_NAME);
expectedException.expect(BadRequestException.class);
expectedException.expectMessage("A user token with login 'grace.hopper' and name 'Third Party Application' already exists");
@Test
public void fail_if_token_hash_already_exists_in_db() {
+ userSession.logIn().setRoot();
+
when(tokenGenerator.hash(anyString())).thenReturn("987654321");
db.getDbClient().userTokenDao().insert(db.getSession(), newUserToken().setTokenHash("987654321"));
db.commit();
}
@Test
- public void fail_if_insufficient_privileges() {
- userSession.logIn(ADA_LOVELACE).setGlobalPermissions(GlobalPermissions.SCAN_EXECUTION);
+ public void throw_ForbiddenException_if_non_administrator_creates_token_for_someone_else() {
+ userSession.logIn().setNonRoot();
+
expectedException.expect(ForbiddenException.class);
newRequest(GRACE_HOPPER, TOKEN_NAME);
}
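Review bot: After this change a_user_can_generate_token_for_himself passes a null login, so no test in GenerateActionTest exercises the validator's own-login branch with an explicit login, which is the path that distinguishes "own login" from "someone else's login" for a non-root user. Add a test that logs in as a plain user and names itself explicitly, `userSession.logIn(GRACE_HOPPER); newRequest(GRACE_HOPPER, TOKEN_NAME);`, asserting the response the same way the existing own-token test does. The same gap applies to RevokeActionTest and SearchActionTest, whose own-token tests also pass a null login.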
+ @Test
+ public void throw_UnauthorizedException_if_not_logged_in() {
+ userSession.anonymous();
+
+ expectedException.expect(UnauthorizedException.class);
+
+ newRequest(GRACE_HOPPER, TOKEN_NAME);
+ }
+
private GenerateWsResponse newRequest(@Nullable String login, String name) {
TestRequest testRequest = ws.newRequest()
.setMediaType(MediaTypes.PROTOBUF)
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.sonar.api.utils.System2;
-import org.sonar.core.permission.GlobalPermissions;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.DbTester;
import org.sonar.db.user.UserTokenDto;
import org.sonar.server.exceptions.ForbiddenException;
+import org.sonar.server.exceptions.UnauthorizedException;
import org.sonar.server.tester.UserSessionRule;
import org.sonar.server.ws.TestRequest;
import org.sonar.server.ws.WsActionTester;
public class RevokeActionTest {
- static final String GRACE_HOPPER = "grace.hopper";
- static final String ADA_LOVELACE = "ada.lovelace";
- static final String TOKEN_NAME = "token-name";
+ private static final String GRACE_HOPPER = "grace.hopper";
+ private static final String ADA_LOVELACE = "ada.lovelace";
+ private static final String TOKEN_NAME = "token-name";
@Rule
public DbTester db = DbTester.create(System2.INSTANCE);
- DbClient dbClient = db.getDbClient();
- final DbSession dbSession = db.getSession();
@Rule
public UserSessionRule userSession = UserSessionRule.standalone();
@Rule
public ExpectedException expectedException = ExpectedException.none();
- WsActionTester ws;
+ private DbClient dbClient = db.getDbClient();
+ private final DbSession dbSession = db.getSession();
+ private WsActionTester ws;
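Review bot: `private DbClient dbClient = db.getDbClient();` is assigned once at declaration and never reassigned, yet is left non-final while the neighbouring `dbSession` field is final; declare it `private final DbClient dbClient = db.getDbClient();` for consistency. `ws` is assigned in setUp, so it correctly stays non-final.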
@Before
public void setUp() {
- userSession
- .logIn()
- .setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
-
ws = new WsActionTester(
new RevokeAction(dbClient, userSession));
}
@Test
public void delete_token_in_db() {
+ userSession.logIn().setRoot();
insertUserToken(newUserToken().setLogin(GRACE_HOPPER).setName("token-to-delete"));
insertUserToken(newUserToken().setLogin(GRACE_HOPPER).setName("token-to-keep-1"));
insertUserToken(newUserToken().setLogin(GRACE_HOPPER).setName("token-to-keep-2"));
@Test
public void user_can_delete_its_own_tokens() {
- userSession.logIn(GRACE_HOPPER).setGlobalPermissions(GlobalPermissions.SCAN_EXECUTION);
+ userSession.logIn(GRACE_HOPPER);
insertUserToken(newUserToken().setLogin(GRACE_HOPPER).setName("token-to-delete"));
String response = newRequest(null, "token-to-delete");
@Test
public void does_not_fail_when_incorrect_login_or_name() {
+ userSession.logIn().setRoot();
insertUserToken(newUserToken().setLogin(GRACE_HOPPER).setName(TOKEN_NAME));
newRequest(ADA_LOVELACE, "another-token-name");
}
@Test
- public void fail_if_insufficient_privileges() {
- userSession.logIn().setGlobalPermissions(GlobalPermissions.SCAN_EXECUTION);
+ public void throw_ForbiddenException_if_non_administrator_revokes_token_of_someone_else() {
+ userSession.logIn();
insertUserToken(newUserToken().setLogin(GRACE_HOPPER).setName(TOKEN_NAME));
+
expectedException.expect(ForbiddenException.class);
newRequest(GRACE_HOPPER, TOKEN_NAME);
}
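Review bot: throw_ForbiddenException_if_non_administrator_revokes_token_of_someone_else relies on `userSession.logIn()` producing a non-root session by default, while the equivalent GenerateActionTest case makes it explicit with `userSession.logIn().setNonRoot();`; the Search test at the hunk ending on line 274 has the same implicit reliance. Use the explicit form in both so the test states the precondition it depends on and does not silently pass or fail if the rule's default changes.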
+ @Test
+ public void throw_UnauthorizedException_if_not_logged_in() {
+ userSession.anonymous();
+ insertUserToken(newUserToken().setLogin(GRACE_HOPPER).setName(TOKEN_NAME));
+
+ expectedException.expect(UnauthorizedException.class);
+
+ newRequest(GRACE_HOPPER, TOKEN_NAME);
+ }
+
private String newRequest(@Nullable String login, String name) {
TestRequest testRequest = ws.newRequest()
.setParam(PARAM_NAME, name);
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.sonar.api.utils.System2;
-import org.sonar.core.permission.GlobalPermissions;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.DbTester;
import org.sonar.server.exceptions.ForbiddenException;
import org.sonar.server.exceptions.NotFoundException;
+import org.sonar.server.exceptions.UnauthorizedException;
import org.sonar.server.tester.UserSessionRule;
import org.sonar.server.ws.TestRequest;
import org.sonar.server.ws.TestResponse;
@Before
public void setUp() {
- userSession.logIn().setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN);
db.users().insertUser(newUserDto().setLogin(GRACE_HOPPER));
db.users().insertUser(newUserDto().setLogin(ADA_LOVELACE));
}
@Test
public void search_json_example() {
+ userSession.logIn().setRoot();
+
dbClient.userTokenDao().insert(dbSession, newUserToken()
.setCreatedAt(1448523067221L)
.setName("Project scan on Travis")
@Test
public void a_user_can_search_its_own_token() {
- userSession.logIn(GRACE_HOPPER).setGlobalPermissions(GlobalPermissions.SCAN_EXECUTION);
+ userSession.logIn(GRACE_HOPPER);
dbClient.userTokenDao().insert(dbSession, newUserToken()
.setCreatedAt(1448523067221L)
.setName("Project scan on Travis")
@Test
public void fail_when_login_does_not_exist() {
+ userSession.logIn().setRoot();
+
expectedException.expect(NotFoundException.class);
expectedException.expectMessage("User with login 'unknown-login' not found");
}
@Test
- public void fail_when_insufficient_privileges() {
- userSession.logIn().setGlobalPermissions(GlobalPermissions.SCAN_EXECUTION);
+ public void throw_ForbiddenException_if_a_non_root_administrator_searches_for_tokens_of_someone_else() {
+ userSession.logIn();
+
expectedException.expect(ForbiddenException.class);
newRequest(GRACE_HOPPER);
}
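Review bot: The new name throw_ForbiddenException_if_a_non_root_administrator_searches_for_tokens_of_someone_else describes the session as an administrator, but `userSession.logIn()` on the line below sets up a plain logged-in user with no administrative role, so the name misstates what is tested. Rename it to match the sibling tests on this page, e.g. `throw_ForbiddenException_if_non_administrator_searches_for_tokens_of_someone_else`.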
+ @Test
+ public void throw_UnauthorizedException_if_not_logged_in() {
+ userSession.anonymous();
+
+ expectedException.expect(UnauthorizedException.class);
+
+ newRequest(GRACE_HOPPER);
+ }
+
private SearchWsResponse newRequest(@Nullable String login) {
TestRequest testRequest = ws.newRequest()
.setMediaType(MediaTypes.PROTOBUF);