SONAR-8423 Properly fail on invalid basic header 1415/head
authorJulien Lancelot <julien.lancelot@sonarsource.com>
Mon, 28 Nov 2016 15:40:02 +0000 (16:40 +0100)
committerJulien Lancelot <julien.lancelot@sonarsource.com>
Mon, 28 Nov 2016 15:40:02 +0000 (16:40 +0100)
server/sonar-server/src/main/java/org/sonar/server/authentication/BasicAuthenticator.java
server/sonar-server/src/test/java/org/sonar/server/authentication/BasicAuthenticatorTest.java

index 9808d57b8f3d9b987b8b0c0a753d0363d8e5303d..d87da6dcca46fb2b22b05096652a801e56ebaac0 100644 (file)
@@ -65,7 +65,7 @@ public class BasicAuthenticator {
 
   private static String[] getCredentials(String authorizationHeader) {
     String basicAuthEncoded = authorizationHeader.substring(6);
-    String basicAuthDecoded = new String(BASE64_DECODER.decode(basicAuthEncoded.getBytes(Charsets.UTF_8)), Charsets.UTF_8);
+    String basicAuthDecoded = getDecodedBasicAuth(basicAuthEncoded);
 
     int semiColonPos = basicAuthDecoded.indexOf(':');
     if (semiColonPos <= 0) {
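Review bot: The new `getDecodedBasicAuth` call only guards the Base64 decode; the `authorizationHeader.substring(6)` on the line above it still throws `StringIndexOutOfBoundsException` for a header shorter than six characters (a bare `Basic`, for instance), so whether such a header "properly fails" with a 401 depends on the caller having checked the `Basic ` prefix and length before reaching this method, which is outside the hunk. If that is not guaranteed, a guard such as `if (authorizationHeader.length() <= 6) throw new UnauthorizedException("Invalid basic header");` before the substring keeps the failure mode consistent with the new helper. `getCredentials` continues past this hunk; the `semiColonPos <= 0` branch and the login/password split are not shown here.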
@@ -76,6 +76,14 @@ public class BasicAuthenticator {
     return new String[] {login, password};
   }
 
+  private static String getDecodedBasicAuth(String basicAuthEncoded) {
+    try {
+      return new String(BASE64_DECODER.decode(basicAuthEncoded.getBytes(Charsets.UTF_8)), Charsets.UTF_8);
+    } catch (Exception e) {
+      throw new UnauthorizedException("Invalid basic header");
+    }
+  }
+
   private UserDto authenticate(String login, String password, HttpServletRequest request) {
     if (isEmpty(password)) {
       return authenticateFromUserToken(login);
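Review bot: `catch (Exception e)` in `getDecodedBasicAuth` is wider than the failure it handles and discards the cause: `java.util.Base64.Decoder.decode` rejects malformed input with `IllegalArgumentException`, and `new String(bytes, Charsets.UTF_8)` does not throw, so nothing else is expected in that try block. Narrowing it to `catch (IllegalArgumentException e)` avoids turning an unrelated runtime error into a plain 401 for the client, and `throw new UnauthorizedException("Invalid basic header", e)` would keep the cause for server-side diagnostics if `UnauthorizedException` offers a `(String, Throwable)` constructor (its definition is not shown). The generic message itself is the right choice, since it tells the client nothing about why decoding failed. A short Javadoc on the helper, `/** Decodes the Base64 payload of a Basic header; rejects malformed input with 401 rather than a 500. */`, would record that intent.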
index 692db7ea601d2b2461f281b41ae8cff6c89ddb0e..a5098b5a942107fd2036e2f7212f9e1c30b9b308 100644 (file)
 
 package org.sonar.server.authentication;
 
-import static com.google.common.base.Charsets.UTF_8;
-import static org.assertj.core.api.Java6Assertions.assertThat;
-import static org.junit.rules.ExpectedException.none;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.verifyZeroInteractions;
-import static org.mockito.Mockito.when;
-
 import java.util.Base64;
 import java.util.Optional;
 import javax.servlet.http.HttpServletRequest;
@@ -44,6 +36,14 @@ import org.sonar.db.user.UserTesting;
 import org.sonar.server.exceptions.UnauthorizedException;
 import org.sonar.server.usertoken.UserTokenAuthenticator;
 
+import static com.google.common.base.Charsets.UTF_8;
+import static org.assertj.core.api.Java6Assertions.assertThat;
+import static org.junit.rules.ExpectedException.none;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyZeroInteractions;
+import static org.mockito.Mockito.when;
+
 public class BasicAuthenticatorTest {
 
   private static final Base64.Encoder BASE64_ENCODER = Base64.getEncoder();
@@ -117,6 +117,15 @@ public class BasicAuthenticatorTest {
     underTest.authenticate(request);
   }
 
+  @Test
+  public void fail_to_authenticate_when_invalid_header() throws Exception {
+    when(request.getHeader("Authorization")).thenReturn("Basic InvĂ lid");
+
+    expectedException.expect(UnauthorizedException.class);
+    expectedException.expectMessage("Invalid basic header");
+    underTest.authenticate(request);
+  }
+
   @Test
   public void authenticate_from_user_token() throws Exception {
     insertUser(UserTesting.newUserDto().setLogin(LOGIN));
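Review bot: The header value in `fail_to_authenticate_when_invalid_header` relies on a non-ASCII character (rendered here as `InvĂ lid`, which looks like a mis-encoded `à`) to make the Base64 decode fail, so the test's validity depends on the source file's encoding surviving every checkout and build. An ASCII character outside the Base64 alphabet triggers the same `IllegalArgumentException` without that dependency, e.g. `when(request.getHeader("Authorization")).thenReturn("Basic Inv*lid");`. It would also be worth a sibling test for a well-formed Base64 payload with no `:` separator, which the `semiColonPos <= 0` branch of `getCredentials` rejects, if one does not already exist elsewhere in this class.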