SONAR-10830 Allow passcode even if forceAuthentication is true
authorEric Hartmann <hartmann.eric@gmail.com>
Fri, 8 Jun 2018 16:01:52 +0000 (18:01 +0200)
committerEric Hartmann <hartmann.eric@gmail.Com>
Mon, 11 Jun 2018 11:50:16 +0000 (13:50 +0200)
server/sonar-server/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java
server/sonar-server/src/test/java/org/sonar/server/authentication/UserSessionInitializerTest.java
tests/src/test/java/org/sonarqube/tests/authorisation/SystemPasscodeTest.java

index 0046c09510f25c3c8ea6558ef7033aa11ace191c..d5729f2b6d09d447070f2fc8e38e3079b29c8a09 100644 (file)
@@ -65,12 +65,20 @@ public class UserSessionInitializer {
     "/api/users/identity_providers", "/api/l10n/index",
     LOGIN_URL, LOGOUT_URL, VALIDATE_URL);
 
+  private static final Set<String> URL_USING_PASSCODE = ImmutableSet.of(
+    "/api/system/health"
+  );
+
   private static final UrlPattern URL_PATTERN = UrlPattern.builder()
     .includes("/*")
     .excludes(staticResourcePatterns())
     .excludes(SKIPPED_URLS)
     .build();
 
+  private static final UrlPattern PASSCODE_URLS = UrlPattern.builder()
+    .includes(URL_USING_PASSCODE)
+    .build();
+
   private final Configuration config;
   private final ThreadLocalUserSession threadLocalSession;
   private final AuthenticationEvent authenticationEvent;
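Review bot: `URL_USING_PASSCODE` carries no comment stating what listing a path there implies, and the implication is security-relevant: from this commit on the initializer creates an anonymous session for these paths even when `sonar.forceAuthentication` is true, so each listed web service has to enforce the passcode (or an authenticated user) itself. I would record that contract above the set: `// Web services that accept the system passcode. They must validate it themselves: the` / `// initializer no longer rejects anonymous callers on these paths when forceAuthentication is on.` Whether `UrlPattern.includes` matches the literal path only or also sub-paths is not visible in this hunk; if it is prefix-based, the comment should also say that only exact paths belong in this set.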
@@ -91,7 +99,7 @@ public class UserSessionInitializer {
     try {
       // Do not set user session when url is excluded
       if (URL_PATTERN.matches(path)) {
-        loadUserSession(request, response);
+        loadUserSession(request, response, PASSCODE_URLS.matches(path));
       }
       return true;
     } catch (AuthenticationException e) {
@@ -115,13 +123,15 @@ public class UserSessionInitializer {
     return provider != AuthenticationEvent.Provider.LOCAL && provider != AuthenticationEvent.Provider.JWT;
   }
 
-  private void loadUserSession(HttpServletRequest request, HttpServletResponse response) {
+  private void loadUserSession(HttpServletRequest request, HttpServletResponse response, boolean usingPasscode) {
     UserSession session;
     Optional<UserDto> user = authenticators.authenticate(request, response);
     if (user.isPresent()) {
       session = userSessionFactory.create(user.get());
     } else {
-      failIfAuthenticationIsRequired();
+      if (!usingPasscode) {
+        failIfAuthenticationIsRequired();
+      }
       session = userSessionFactory.createAnonymous();
     }
     threadLocalSession.set(session);
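Review bot: The `usingPasscode` flag tested at `if (!usingPasscode)` is derived from the request path alone; nothing in this method checks that a passcode header is present or valid, so an anonymous caller of `/api/system/health` now gets an anonymous session under forceAuthentication whether or not it sent a passcode. That is only safe if the web service behind the path rejects anonymous callers without a valid passcode itself, which this hunk cannot show. I would rename the parameter to say what it really means and record the assumption inline: `private void loadUserSession(HttpServletRequest request, HttpServletResponse response, boolean passcodeAllowedOnPath)` and, above the check, `// Passcode-enabled WS validate the passcode themselves; let the anonymous session through here.` If a `SystemPasscode` component is reachable from this class, gating the skip on an actually valid passcode instead of on the path would keep the forceAuthentication guarantee intact for callers that sent none. The closing brace of `loadUserSession` lies outside the hunk.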
index 318046092e94b28379170c54acc8e0abf02d73f3..900751ccea9a1038adbf16fcf372a77edb112e1c 100644 (file)
@@ -105,6 +105,9 @@ public class UserSessionInitializerTest {
     assertPathIsIgnored("/api/users/identity_providers");
     assertPathIsIgnored("/api/l10n/index");
 
+    // WS with Passcode
+    assertPathIsIgnoredWithAnonymousAccess("/api/system/health");
+
     // exclude static resources
     assertPathIsIgnored("/css/style.css");
     assertPathIsIgnored("/fonts/font.ttf");
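Review bot: The helper name `assertPathIsIgnoredWithAnonymousAccess` on the `/api/system/health` line describes the opposite of what the helper checks: the path is not ignored, a session is set for it, which is the whole point of the change. A name such as `assertPathGetsAnonymousSession("/api/system/health")` together with a comment `// passcode WS: a session is still created (anonymous) even when authentication is forced` would make the intent readable next to the `assertPathIsIgnored` calls above it. The test method containing these lines starts and ends outside the hunk.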
@@ -186,6 +189,16 @@ public class UserSessionInitializerTest {
     reset(userSession, authenticators);
   }
 
+  private void assertPathIsIgnoredWithAnonymousAccess(String path) {
+    when(request.getRequestURI()).thenReturn(path);
+    when(authenticators.authenticate(request, response)).thenReturn(Optional.empty());
+
+    assertThat(underTest.initUserSession(request, response)).isTrue();
+
+    verify(userSession).set(any(UserSession.class));
+    reset(userSession, authenticators);
+  }
+
   private void assertPathIsNotIgnored(String path) {
     when(request.getRequestURI()).thenReturn(path);
     when(authenticators.authenticate(request, response)).thenReturn(Optional.of(user));
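Review bot: `assertPathIsIgnoredWithAnonymousAccess` never enables `sonar.forceAuthentication` on the `config` the class under test reads, so unless the fixture turns it on elsewhere the assertion also passes on the pre-patch code, where an anonymous session was already created whenever authentication is not forced. It also only verifies that some `UserSession` was set, not that it is the anonymous one. I would set the property before calling `initUserSession` (through whatever settings object the test class wires into `config`) and verify the session kind, e.g. `verify(userSessionFactory).createAnonymous();` if `userSessionFactory` is a mock in this test. Whether those objects are mocks here is not visible in the hunk.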
index 32fa0cba328392a413b3abd6f4ff96b055dd5dc3..c74a26d413e64b176535e316349546392d9b0cb7 100644 (file)
@@ -21,6 +21,7 @@ package org.sonarqube.tests.authorisation;
 
 import com.sonar.orchestrator.Orchestrator;
 import com.sonar.orchestrator.OrchestratorBuilder;
+import java.util.Arrays;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Rule;
@@ -88,6 +89,22 @@ public class SystemPasscodeTest {
     assertThat(response.code()).isEqualTo(401);
   }
 
+  @Test
+  public void system_access_is_granted_even_with_forceAuthentication_is_set_to_true() {
+    tester.settings().setGlobalSetting("sonar.forceAuthentication", "true");
+    Arrays.asList("/api/system/health")
+      .forEach(url -> {
+          WsRequest request = new GetRequest("api/system/health")
+            .setHeader(PASSCODE_HEADER, VALID_PASSCODE);
+
+          WsResponse response = tester.asAnonymous().wsClient().wsConnector().call(request);
+          assertThat(response.code()).isEqualTo(200);
+        }
+      );
+    tester.settings().setGlobalSetting("sonar.forceAuthentication", "false");
+  }
+
+
   private static GetRequest newRequest() {
     return new GetRequest("api/system_passcode/check");
   }