package org.sonar.server.authentication;
import com.google.common.collect.Sets;
+
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.function.Consumer;
import javax.annotation.CheckForNull;
import javax.annotation.Nullable;
+
import org.sonar.api.server.authentication.IdentityProvider;
import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.api.utils.log.Logger;
import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserGroupDto;
import org.sonar.server.authentication.UserRegistration.ExistingEmailStrategy;
+import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationException;
import org.sonar.server.authentication.exception.EmailAlreadyExistsRedirectionException;
import org.sonar.server.user.ExternalIdentity;
@Override
public UserDto register(UserRegistration registration) {
try (DbSession dbSession = dbClient.openSession(false)) {
- UserDto userDto = getUser(dbSession, registration.getUserIdentity(), registration.getProvider());
+ UserDto userDto = getUser(dbSession, registration.getUserIdentity(), registration.getProvider(), registration.getSource());
if (userDto == null) {
return registerNewUser(dbSession, null, registration);
}
}
@CheckForNull
- private UserDto getUser(DbSession dbSession, UserIdentity userIdentity, IdentityProvider provider) {
+ private UserDto getUser(DbSession dbSession, UserIdentity userIdentity, IdentityProvider provider, AuthenticationEvent.Source source) {
// First, try to authenticate using the external ID
UserDto user = dbClient.userDao().selectByExternalIdAndIdentityProvider(dbSession, getProviderIdOrProviderLogin(userIdentity), provider.getKey());
if (user != null) {
return user;
}
- // Then, try with the external login, for instance when external ID has changed
- return dbClient.userDao().selectByExternalLoginAndIdentityProvider(dbSession, userIdentity.getProviderLogin(), provider.getKey());
+
+ // Then, try with the external login, for instance when external ID has changed or is not used by the provider
+ user = dbClient.userDao().selectByExternalLoginAndIdentityProvider(dbSession, userIdentity.getProviderLogin(), provider.getKey());
+ if (user == null) {
+ return null;
+ }
+ // all gitlab users have an external ID, so the other two authentication methods should never be used
+ if (provider.getKey().equals("gitlab")) {
+ throw loginAlreadyUsedException(userIdentity, source);
+ }
+
+ validateEmailToAvoidLoginRecycling(userIdentity, user, source);
+ updateUserExternalId(dbSession, user, userIdentity);
+ return user;
+ }
+
+ private void updateUserExternalId(DbSession dbSession, UserDto user, UserIdentity userIdentity) {
+ String externalId = userIdentity.getProviderId();
+ if (externalId != null) {
+ user.setExternalId(externalId);
+ dbClient.userDao().update(dbSession, user);
+ }
+ }
+
+ private static void validateEmailToAvoidLoginRecycling(UserIdentity userIdentity, UserDto user, AuthenticationEvent.Source source) {
+ String userEmail = user.getEmail();
+
+ if (userEmail == null) {
+ LOGGER.warn("User with login '{}' tried to login with email '{}' but we don't have a email on record",
+ userIdentity.getProviderLogin(), userIdentity.getEmail());
+ throw loginAlreadyUsedException(userIdentity, source);
+ }
+
+ if (!userEmail.equals(userIdentity.getEmail())) {
+ LOGGER.warn("User with login '{}' tried to login with email '{}' which doesn't match the email on record '{}'",
+ userIdentity.getProviderLogin(), userIdentity.getEmail(), userEmail);
+ throw loginAlreadyUsedException(userIdentity, source);
+ }
+ }
+
+ private static AuthenticationException loginAlreadyUsedException(UserIdentity userIdentity, AuthenticationEvent.Source source) {
+ return authException(
+ userIdentity,
+ source,
+ String.format("Login '%s' is already used", userIdentity.getProviderLogin()),
+ String.format("You can't sign up because login '%s' is already used by an existing user.", userIdentity.getProviderLogin())
+ );
+ }
+
+ private static AuthenticationException authException(UserIdentity userIdentity, AuthenticationEvent.Source source, String message, String publicMessage) {
+ return AuthenticationException.newBuilder()
+ .setSource(source)
+ .setLogin(userIdentity.getProviderLogin())
+ .setMessage(message)
+ .setPublicMessage(publicMessage)
+ .build();
}
private UserDto registerNewUser(DbSession dbSession, @Nullable UserDto disabledUser, UserRegistration authenticatorParameters) {
- Optional<UserDto> otherUserToIndex = detectEmailUpdate(dbSession, authenticatorParameters);
+ Optional<UserDto> otherUserToIndex = detectEmailUpdate(dbSession, authenticatorParameters, disabledUser != null ? disabledUser.getUuid() : null);
NewUser newUser = createNewUser(authenticatorParameters);
if (disabledUser == null) {
return userUpdater.createAndCommit(dbSession, newUser, beforeCommit(dbSession, authenticatorParameters), toArray(otherUserToIndex));
authenticatorParameters.getProvider().getKey(),
authenticatorParameters.getUserIdentity().getProviderLogin(),
authenticatorParameters.getUserIdentity().getProviderId()));
- Optional<UserDto> otherUserToIndex = detectEmailUpdate(dbSession, authenticatorParameters);
+ Optional<UserDto> otherUserToIndex = detectEmailUpdate(dbSession, authenticatorParameters, userDto.getUuid());
userUpdater.updateAndCommit(dbSession, userDto, update, beforeCommit(dbSession, authenticatorParameters), toArray(otherUserToIndex));
return userDto;
}
return user -> syncGroups(dbSession, authenticatorParameters.getUserIdentity(), user);
}
- private Optional<UserDto> detectEmailUpdate(DbSession dbSession, UserRegistration authenticatorParameters) {
+ private Optional<UserDto> detectEmailUpdate(DbSession dbSession, UserRegistration authenticatorParameters, @Nullable String authenticatingUserUuid) {
String email = authenticatorParameters.getUserIdentity().getEmail();
if (email == null) {
return Optional.empty();
}
UserDto existingUser = existingUsers.get(0);
- if (existingUser == null || isSameUser(existingUser, authenticatorParameters)) {
+ if (existingUser == null || existingUser.getUuid().equals(authenticatingUserUuid)) {
return Optional.empty();
}
ExistingEmailStrategy existingEmailStrategy = authenticatorParameters.getExistingEmailStrategy();
}
}
- private static boolean isSameUser(UserDto existingUser, UserRegistration authenticatorParameters) {
- // Check if same identity provider and same provider id or provider login
- return (Objects.equals(existingUser.getExternalIdentityProvider(), authenticatorParameters.getProvider().getKey()) &&
- (Objects.equals(existingUser.getExternalId(), getProviderIdOrProviderLogin(authenticatorParameters.getUserIdentity()))
- || Objects.equals(existingUser.getExternalLogin(), authenticatorParameters.getUserIdentity().getProviderLogin())));
- }
-
private void syncGroups(DbSession dbSession, UserIdentity userIdentity, UserDto userDto) {
if (!userIdentity.shouldSyncGroups()) {
return;
package org.sonar.server.authentication;
import java.util.Optional;
+import java.util.Set;
import java.util.stream.Collectors;
+import javax.annotation.Nullable;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.sonar.api.config.internal.MapSettings;
import org.sonar.api.impl.utils.AlwaysIncreasingSystem2;
import org.sonar.api.server.authentication.UserIdentity;
-import org.sonar.core.util.stream.MoreCollectors;
+import org.sonar.api.utils.log.LogTester;
import org.sonar.db.DbTester;
import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto;
import org.sonar.server.authentication.UserRegistration.ExistingEmailStrategy;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationEvent.Source;
+import org.sonar.server.authentication.event.AuthenticationException;
import org.sonar.server.authentication.exception.EmailAlreadyExistsRedirectionException;
import org.sonar.server.es.EsTester;
import org.sonar.server.user.NewUserNotifier;
import static java.util.Arrays.stream;
import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.Mockito.mock;
import static org.sonar.db.user.UserTesting.newUserDto;
import static org.sonar.process.ProcessProperties.Property.ONBOARDING_TUTORIAL_SHOW_TO_NEW_USERS;
private static final UserIdentity USER_IDENTITY = UserIdentity.builder()
.setProviderId("ABCD")
- .setProviderLogin("johndoo")
+ .setProviderLogin(USER_LOGIN)
.setName("John")
.setEmail("john@email.com")
.build();
public DbTester db = DbTester.create(new AlwaysIncreasingSystem2());
@Rule
public EsTester es = EsTester.create();
+ @Rule
+ public LogTester logTester = new LogTester();
+
private final UserIndexer userIndexer = new UserIndexer(db.getDbClient(), es.client());
private final CredentialsLocalAuthentication localAuthentication = new CredentialsLocalAuthentication(db.getDbClient(), settings.asConfig());
private final DefaultGroupFinder groupFinder = new DefaultGroupFinder(db.getDbClient());
- private final UserUpdater userUpdater = new UserUpdater(
- mock(NewUserNotifier.class),
- db.getDbClient(),
- userIndexer,
- groupFinder,
- settings.asConfig(),
- localAuthentication);
+ private final UserUpdater userUpdater = new UserUpdater(mock(NewUserNotifier.class), db.getDbClient(), userIndexer, groupFinder, settings.asConfig(), localAuthentication);
private final UserRegistrarImpl underTest = new UserRegistrarImpl(db.getDbClient(), userUpdater, groupFinder);
private GroupDto defaultGroup;
@Test
public void authenticate_new_user() {
- UserDto createdUser = underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.realm(BASIC, IDENTITY_PROVIDER.getName()))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ UserDto createdUser = underTest.register(newUserRegistration());
UserDto user = db.users().selectUserByLogin(createdUser.getLogin()).get();
assertThat(user).isNotNull();
assertThat(user.isActive()).isTrue();
assertThat(user.getName()).isEqualTo("John");
assertThat(user.getEmail()).isEqualTo("john@email.com");
- assertThat(user.getExternalLogin()).isEqualTo("johndoo");
+ assertThat(user.getExternalLogin()).isEqualTo(USER_LOGIN);
assertThat(user.getExternalIdentityProvider()).isEqualTo("github");
assertThat(user.getExternalId()).isEqualTo("ABCD");
assertThat(user.isRoot()).isFalse();
UserDto user = db.users().selectUserByLogin(createdUser.getLogin()).get();
assertThat(user).isNotNull();
assertThat(user.isActive()).isTrue();
- assertThat(user.getLogin()).isEqualTo("johndoo");
+ assertThat(user.getLogin()).isEqualTo(USER_LOGIN);
assertThat(user.getName()).isEqualTo("John");
assertThat(user.getEmail()).isEqualTo("john@email.com");
- assertThat(user.getExternalLogin()).isEqualTo("johndoo");
+ assertThat(user.getExternalLogin()).isEqualTo(USER_LOGIN);
assertThat(user.getExternalIdentityProvider()).isEqualTo("sonarqube");
assertThat(user.getExternalId()).isEqualTo("ABCD");
assertThat(user.isLocal()).isFalse();
}
@Test
- public void authenticate_new_user_generate_login_when_no_login_provided() {
- underTest.register(UserRegistration.builder()
- .setUserIdentity(UserIdentity.builder()
- .setProviderId("ABCD")
- .setProviderLogin("johndoo")
- .setName("John Doe")
- .setEmail("john@email.com")
- .build())
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.realm(BASIC, IDENTITY_PROVIDER.getName()))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ public void authenticate_new_user_generates_login() {
+ underTest.register(newUserRegistration(UserIdentity.builder()
+ .setProviderId("ABCD")
+ .setProviderLogin(USER_LOGIN)
+ .setName("John Doe")
+ .setEmail("john@email.com")
+ .build()));
UserDto user = db.getDbClient().userDao().selectByEmail(db.getSession(), "john@email.com").get(0);
assertThat(user).isNotNull();
assertThat(user.isActive()).isTrue();
assertThat(user.getLogin()).isNotEqualTo("John Doe").startsWith("john-doe");
assertThat(user.getEmail()).isEqualTo("john@email.com");
- assertThat(user.getExternalLogin()).isEqualTo("johndoo");
+ assertThat(user.getExternalLogin()).isEqualTo(USER_LOGIN);
assertThat(user.getExternalIdentityProvider()).isEqualTo("github");
assertThat(user.getExternalId()).isEqualTo("ABCD");
}
@Test
- public void authenticate_new_user_with_groups() {
+ public void authenticate_new_user_assigns_user_to_groups() {
GroupDto group1 = db.users().insertGroup("group1");
GroupDto group2 = db.users().insertGroup("group2");
- UserDto loggedInUser = authenticate(USER_LOGIN, "group1", "group2", "group3");
+ UserDto loggedInUser = authenticate(USER_LOGIN, USER_IDENTITY.getEmail(), "group1", "group2", "group3");
Optional<UserDto> user = db.users().selectUserByLogin(loggedInUser.getLogin());
checkGroupMembership(user.get(), group1, group2, defaultGroup);
}
- @Test
- public void authenticate_new_user_and_force_default_group() {
- UserDto user = db.users().insertUser();
- GroupDto group1 = db.users().insertGroup("group1");
- db.users().insertMember(group1, user);
- db.users().insertMember(defaultGroup, user);
-
- authenticate(user.getLogin(), "group1");
-
- checkGroupMembership(user, group1, defaultGroup);
- }
-
@Test
public void authenticate_new_user_sets_onboarded_flag_to_false_when_onboarding_setting_is_set_to_true() {
settings.setProperty(ONBOARDING_TUTORIAL_SHOW_TO_NEW_USERS.getKey(), true);
- UserDto user = underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ UserDto user = underTest.register(newUserRegistration());
assertThat(db.users().selectUserByLogin(user.getLogin()).get().isOnboarded()).isFalse();
}
public void authenticate_new_user_sets_onboarded_flag_to_true_when_onboarding_setting_is_set_to_false() {
settings.setProperty(ONBOARDING_TUTORIAL_SHOW_TO_NEW_USERS.getKey(), false);
- UserDto user = underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ UserDto user = underTest.register(newUserRegistration());
assertThat(db.users().selectUserByLogin(user.getLogin()).get().isOnboarded()).isTrue();
}
@Test
- public void external_id_is_set_to_provider_login_when_null() {
+ public void authenticate_new_user_sets_external_id_to_provider_login_when_id_is_null() {
UserIdentity newUser = UserIdentity.builder()
.setProviderId(null)
.setProviderLogin("johndoo")
.setName("JOhn")
.build();
- UserDto user = underTest.register(UserRegistration.builder()
- .setUserIdentity(newUser)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ UserDto user = underTest.register(newUserRegistration(newUser));
assertThat(db.users().selectUserByLogin(user.getLogin()).get())
.extracting(UserDto::getLogin, UserDto::getExternalId, UserDto::getExternalLogin)
.contains(user.getLogin(), "johndoo", "johndoo");
}
+ @Test
+ public void authenticate_new_user_with_gitlab_provider() {
+ UserRegistration registration = UserRegistration.builder()
+ .setUserIdentity(USER_IDENTITY)
+ .setProvider(new TestIdentityProvider()
+ .setKey("gitlab")
+ .setName("name of gitlab")
+ .setEnabled(true)
+ .setAllowsUsersToSignUp(true))
+ .setSource(Source.local(BASIC))
+ .setExistingEmailStrategy(FORBID)
+ .build();
+
+ UserDto newUser = underTest.register(registration);
+ assertThat(newUser)
+ .extracting(UserDto::getExternalIdentityProvider, UserDto::getExternalLogin)
+ .containsExactly("gitlab", USER_IDENTITY.getProviderLogin());
+ }
+
@Test
public void authenticate_new_user_update_existing_user_email_when_strategy_is_ALLOW() {
UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
}
@Test
- public void throw_EmailAlreadyExistException_when_authenticating_new_user_when_email_already_exists_and_strategy_is_WARN() {
+ public void authenticate_new_user_throws_EmailAlreadyExistException_when_email_already_exists_and_strategy_is_WARN() {
UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
UserIdentity newUser = UserIdentity.builder()
.setProviderLogin("johndoo")
}
@Test
- public void throw_AuthenticationException_when_authenticating_new_user_when_email_already_exists_and_strategy_is_FORBID() {
+ public void authenticate_new_user_throws_AuthenticationException_when_when_email_already_exists_and_strategy_is_FORBID() {
db.users().insertUser(u -> u.setEmail("john@email.com"));
- Source source = Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName());
+ Source source = Source.local(BASIC);
expectedException.expect(authenticationException().from(source)
.withLogin(USER_IDENTITY.getProviderLogin())
"This means that you probably already registered with another account."));
expectedException.expectMessage("Email 'john@email.com' is already used");
- underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(source)
- .setExistingEmailStrategy(FORBID)
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration());
}
@Test
- public void throw_AuthenticationException_when_authenticating_new_user_and_email_already_exists_multiple_times() {
+ public void authenticate_new_user_throws_AuthenticationException_when_email_already_exists_multiple_times() {
db.users().insertUser(u -> u.setEmail("john@email.com"));
db.users().insertUser(u -> u.setEmail("john@email.com"));
Source source = Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName());
"This means that you probably already registered with another account."));
expectedException.expectMessage("Email 'john@email.com' is already used");
- underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(source)
- .setExistingEmailStrategy(FORBID)
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration(source));
}
@Test
- public void fail_to_authenticate_new_user_when_allow_users_to_signup_is_false() {
+ public void authenticate_new_user_fails_when_allow_users_to_signup_is_false() {
TestIdentityProvider identityProvider = new TestIdentityProvider()
.setKey("github")
.setName("Github")
}
@Test
- public void authenticate_and_update_existing_user_matching_login() {
- db.users().insertUser(u -> u
- .setName("Old name")
- .setEmail("Old email")
- .setExternalId("old id")
- .setExternalLogin("old identity")
- .setExternalIdentityProvider("old provide"));
+ public void authenticate_existing_user_doesnt_change_group_membership() {
+ UserDto user = db.users().insertUser(u -> u.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
+ GroupDto group1 = db.users().insertGroup("group1");
+ db.users().insertMember(group1, user);
+ db.users().insertMember(defaultGroup, user);
- UserDto user = underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ authenticate(user.getExternalLogin(), user.getEmail(), "group1");
- assertThat(db.users().selectUserByLogin(user.getLogin()).get())
- .extracting(UserDto::getName, UserDto::getEmail, UserDto::getExternalId, UserDto::getExternalLogin, UserDto::getExternalIdentityProvider, UserDto::isActive)
- .contains("John", "john@email.com", "ABCD", "johndoo", "github", true);
+ checkGroupMembership(user, group1, defaultGroup);
}
@Test
.setExternalLogin("old identity")
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
- underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration());
assertThat(db.getDbClient().userDao().selectByUuid(db.getSession(), user.getUuid()))
.extracting(UserDto::getLogin, UserDto::getName, UserDto::getEmail, UserDto::getExternalId, UserDto::getExternalLogin, UserDto::getExternalIdentityProvider,
}
@Test
- public void authenticate_and_update_existing_user_matching_external_login() {
+ public void authenticate_and_update_existing_user_matching_external_login_and_email() {
UserDto user = db.users().insertUser(u -> u
.setLogin("Old login")
.setName("Old name")
.setExternalLogin(USER_IDENTITY.getProviderLogin())
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
- underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration());
assertThat(db.getDbClient().userDao().selectByUuid(db.getSession(), user.getUuid()))
.extracting(UserDto::getName, UserDto::getEmail, UserDto::getExternalId, UserDto::getExternalLogin, UserDto::getExternalIdentityProvider,
}
@Test
- public void authenticate_existing_user_and_login_should_not_be_updated() {
+ public void authenticate_existing_user_should_not_update_login() {
UserDto user = db.users().insertUser(u -> u
.setLogin("old login")
.setName(USER_IDENTITY.getName())
.setExternalLogin("old identity")
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
- underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration());
// no new user should be created
assertThat(db.countRowsOfTable(db.getSession(), "users")).isEqualTo(1);
assertThat(db.getDbClient().userDao().selectByUuid(db.getSession(), user.getUuid()))
.extracting(UserDto::getLogin, UserDto::getName, UserDto::getEmail, UserDto::getExternalId, UserDto::getExternalLogin, UserDto::getExternalIdentityProvider,
UserDto::isActive)
- .containsExactlyInAnyOrder("old login", USER_IDENTITY.getName(), USER_IDENTITY.getEmail(), USER_IDENTITY.getProviderId(), USER_IDENTITY.getProviderLogin(),
- IDENTITY_PROVIDER.getKey(),
- true);
+ .containsExactly("old login", USER_IDENTITY.getName(), USER_IDENTITY.getEmail(), USER_IDENTITY.getProviderId(), USER_IDENTITY.getProviderLogin(),
+ IDENTITY_PROVIDER.getKey(), true);
}
@Test
- public void authenticate_existing_user_matching_external_login_when_external_id_is_null() {
+ public void authenticate_existing_user_matching_external_login_and_email_when_external_id_is_null() {
UserDto user = db.users().insertUser(u -> u
.setName("Old name")
- .setEmail("Old email")
.setExternalId("Old id")
+ .setEmail("john@email.com")
.setExternalLogin("johndoo")
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
- underTest.register(UserRegistration.builder()
- .setUserIdentity(UserIdentity.builder()
- .setProviderId(null)
- .setProviderLogin("johndoo")
- .setName("John")
- .setEmail("john@email.com")
- .build())
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration(UserIdentity.builder()
+ .setProviderId(null)
+ .setProviderLogin("johndoo")
+ .setName("John")
+ .setEmail("john@email.com")
+ .build()));
assertThat(db.getDbClient().userDao().selectByUuid(db.getSession(), user.getUuid()))
.extracting(UserDto::getLogin, UserDto::getName, UserDto::getEmail, UserDto::getExternalId, UserDto::getExternalLogin, UserDto::getExternalIdentityProvider,
}
@Test
- public void authenticate_existing_user_when_login_is_not_provided() {
- UserDto user = db.users().insertUser(u -> u.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
+ public void do_not_authenticate_gitlab_user_matching_external_login() {
+ db.users().insertUser(u -> u
+ .setLogin("Old login")
+ .setName("Old name")
+ .setEmail(USER_IDENTITY.getEmail())
+ .setExternalId("Old id")
+ .setExternalLogin(USER_IDENTITY.getProviderLogin())
+ .setExternalIdentityProvider("gitlab"));
- underTest.register(UserRegistration.builder()
- .setUserIdentity(UserIdentity.builder()
- .setProviderId(user.getExternalId())
- .setProviderLogin(user.getExternalLogin())
- // No login provided
- .setName(user.getName())
- .setEmail(user.getEmail())
- .build())
- .setProvider(IDENTITY_PROVIDER)
+ UserRegistration registration = UserRegistration.builder()
+ .setUserIdentity(USER_IDENTITY)
+ .setProvider(new TestIdentityProvider()
+ .setKey("gitlab")
+ .setName("name of gitlab")
+ .setEnabled(true))
.setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ .setExistingEmailStrategy(FORBID)
+ .build();
- // No new user is created
- assertThat(db.countRowsOfTable(db.getSession(), "users")).isEqualTo(1);
- assertThat(db.getDbClient().userDao().selectByUuid(db.getSession(), user.getUuid()))
- .extracting(UserDto::getLogin, UserDto::getName, UserDto::getEmail, UserDto::getExternalId, UserDto::getExternalLogin, UserDto::getExternalIdentityProvider,
- UserDto::isActive)
- .contains(user.getExternalLogin(), user.getName(), user.getEmail(), user.getExternalId(), user.getExternalLogin(), user.getExternalIdentityProvider(), true);
+ assertThatThrownBy(() -> underTest.register(registration))
+ .isInstanceOf(AuthenticationException.class)
+ .hasMessage(String.format("Login '%s' is already used", USER_IDENTITY.getProviderLogin()));
+ }
+
+ @Test
+ public void do_not_authenticate_and_update_existing_user_matching_external_login_if_emails_do_not_match() {
+ db.users().insertUser(u -> u
+ .setLogin("Old login")
+ .setName("Old name")
+ .setEmail("another-email@sonarsource.com")
+ .setExternalId("Old id")
+ .setExternalLogin(USER_IDENTITY.getProviderLogin())
+ .setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
+
+ assertThatThrownBy(() -> underTest.register(newUserRegistration()))
+ .isInstanceOf(AuthenticationException.class)
+ .hasMessage(String.format("Login '%s' is already used", USER_IDENTITY.getProviderLogin()));
+
+ assertThat(logTester.logs()).contains(String.format("User with login '%s' tried to login with email '%s' which doesn't match the email on record '%s'",
+ USER_IDENTITY.getProviderLogin(), USER_IDENTITY.getEmail(), "another-email@sonarsource.com"));
+ }
+
+ @Test
+ public void do_not_authenticate_and_update_existing_user_matching_external_login_if_email_is_missing() {
+ db.users().insertUser(u -> u
+ .setLogin("Old login")
+ .setName("Old name")
+ .setExternalId("Old id")
+ .setEmail(null)
+ .setExternalLogin(USER_IDENTITY.getProviderLogin())
+ .setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
+
+ assertThatThrownBy(() -> underTest.register(newUserRegistration()))
+ .isInstanceOf(AuthenticationException.class)
+ .hasMessage(String.format("Login '%s' is already used", USER_IDENTITY.getProviderLogin()));
+
+ assertThat(logTester.logs()).contains(String.format("User with login '%s' tried to login with email '%s' but we don't have a email on record",
+ USER_IDENTITY.getProviderLogin(), USER_IDENTITY.getEmail()));
+ }
+
+ @Test
+ public void do_not_authenticate_and_update_existing_user_matching_external_id_if_external_provider_does_not_match() {
+ db.users().insertUser(u -> u
+ .setLogin("Old login")
+ .setName("Old name")
+ .setExternalId(USER_IDENTITY.getProviderId())
+ .setEmail(null)
+ .setExternalLogin(USER_IDENTITY.getProviderLogin())
+ .setExternalIdentityProvider("Old provider"));
+
+ underTest.register(newUserRegistration());
+ assertThat(db.countRowsOfTable("users")).isEqualTo(2);
}
@Test
- public void authenticate_existing_user_with_login_update_and_strategy_is_ALLOW() {
+ public void authenticate_existing_user_should_update_login() {
UserDto user = db.users().insertUser(u -> u
.setLogin("Old login")
.setExternalId(USER_IDENTITY.getProviderId())
.setExternalLogin("old identity")
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
- underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration());
assertThat(db.getDbClient().userDao().selectByUuid(db.getSession(), user.getUuid()))
.extracting(UserDto::getLogin, UserDto::getExternalLogin)
}
@Test
- public void authenticate_existing_disabled_user() {
+ public void authenticate_existing_disabled_user_should_reactivate_it() {
db.users().insertUser(u -> u
.setLogin(USER_LOGIN)
.setActive(false)
.setName("Old name")
- .setEmail("Old email")
+ .setEmail(USER_IDENTITY.getEmail())
.setExternalId("Old id")
.setExternalLogin(USER_IDENTITY.getProviderLogin())
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
- underTest.register(UserRegistration.builder()
- .setUserIdentity(USER_IDENTITY)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration());
UserDto userDto = db.users().selectUserByLogin(USER_LOGIN).get();
assertThat(userDto.isActive()).isTrue();
- assertThat(userDto.getName()).isEqualTo("John");
- assertThat(userDto.getEmail()).isEqualTo("john@email.com");
- assertThat(userDto.getExternalId()).isEqualTo("ABCD");
- assertThat(userDto.getExternalLogin()).isEqualTo("johndoo");
- assertThat(userDto.getExternalIdentityProvider()).isEqualTo("github");
+ assertThat(userDto.getName()).isEqualTo(USER_IDENTITY.getName());
+ assertThat(userDto.getEmail()).isEqualTo(USER_IDENTITY.getEmail());
+ assertThat(userDto.getExternalId()).isEqualTo(USER_IDENTITY.getProviderId());
+ assertThat(userDto.getExternalLogin()).isEqualTo(USER_IDENTITY.getProviderLogin());
+ assertThat(userDto.getExternalIdentityProvider()).isEqualTo(IDENTITY_PROVIDER.getKey());
assertThat(userDto.isRoot()).isFalse();
}
@Test
public void authenticate_existing_user_when_email_already_exists_and_strategy_is_ALLOW() {
UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
- UserDto currentUser = db.users().insertUser(u -> u.setExternalLogin("johndoo").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()).setEmail(null));
+ UserDto currentUser = db.users().insertUser(u -> u.setExternalId("id").setExternalLogin("login").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()).setEmail(null));
UserIdentity userIdentity = UserIdentity.builder()
.setProviderLogin(currentUser.getExternalLogin())
+ .setProviderId(currentUser.getExternalId())
.setName("John")
.setEmail("john@email.com")
.build();
}
@Test
- public void throw_EmailAlreadyExistException_when_authenticating_existing_user_when_email_already_exists_and_strategy_is_WARN() {
+ public void authenticating_existing_user_throws_EmailAlreadyExistException_when_email_already_exists_and_strategy_is_WARN() {
UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
UserDto currentUser = db.users().insertUser(u -> u.setEmail(null));
UserIdentity userIdentity = UserIdentity.builder()
}
@Test
- public void throw_AuthenticationException_when_authenticating_existing_user_when_email_already_exists_and_strategy_is_FORBID() {
+ public void authenticating_existing_user_throws_AuthenticationException_when_email_already_exists_and_strategy_is_FORBID() {
UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
UserDto currentUser = db.users().insertUser(u -> u.setEmail(null));
UserIdentity userIdentity = UserIdentity.builder()
.setEmail("john@email.com")
.build();
- expectedException.expect(authenticationException().from(Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName()))
+ Source source = Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName());
+ expectedException.expect(authenticationException().from(source)
.withLogin(userIdentity.getProviderLogin())
.andPublicMessage("You can't sign up because email 'john@email.com' is already used by an existing user. " +
"This means that you probably already registered with another account."));
expectedException.expectMessage("Email 'john@email.com' is already used");
- underTest.register(UserRegistration.builder()
- .setUserIdentity(userIdentity)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName()))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration(userIdentity, source));
}
@Test
- public void does_not_fail_to_authenticate_user_when_email_has_not_changed_and_strategy_is_FORBID() {
+ public void authenticate_existing_user_succeeds_when_email_has_not_changed_and_strategy_is_FORBID() {
UserDto currentUser = db.users().insertUser(u -> u.setEmail("john@email.com")
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()));
UserIdentity userIdentity = UserIdentity.builder()
.setEmail("john@email.com")
.build();
- underTest.register(UserRegistration.builder()
- .setUserIdentity(userIdentity)
- .setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
- .setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ underTest.register(newUserRegistration(userIdentity));
UserDto currentUserReloaded = db.users().selectUserByLogin(currentUser.getLogin()).get();
assertThat(currentUserReloaded.getEmail()).isEqualTo("john@email.com");
UserDto user = db.users().insertUser(newUserDto()
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey())
.setExternalLogin(USER_IDENTITY.getProviderLogin())
+ .setEmail(USER_IDENTITY.getEmail())
.setActive(true)
.setName("John"));
GroupDto group1 = db.users().insertGroup("group1");
GroupDto group2 = db.users().insertGroup("group2");
- authenticate(USER_IDENTITY.getProviderLogin(), "group1", "group2", "group3");
+ authenticate(USER_IDENTITY.getProviderLogin(), USER_IDENTITY.getEmail(), "group1", "group2", "group3");
checkGroupMembership(user, group1, group2);
}
UserDto user = db.users().insertUser(newUserDto()
.setExternalIdentityProvider(IDENTITY_PROVIDER.getKey())
.setExternalLogin(USER_IDENTITY.getProviderLogin())
+ .setEmail(USER_IDENTITY.getEmail())
.setActive(true)
.setName("John"));
GroupDto group1 = db.users().insertGroup("group1");
db.users().insertMember(group1, user);
db.users().insertMember(group2, user);
- authenticate(USER_IDENTITY.getProviderLogin(), "group1");
+ authenticate(USER_IDENTITY.getProviderLogin(), USER_IDENTITY.getEmail(), "group1");
checkGroupMembership(user, group1);
}
db.users().insertMember(group2, user);
db.users().insertMember(defaultGroup, user);
- authenticate(user.getExternalLogin());
+ authenticate(user.getExternalLogin(), user.getEmail());
checkGroupMembership(user, defaultGroup);
}
- private UserDto authenticate(String providerLogin, String... groups) {
- return underTest.register(UserRegistration.builder()
- .setUserIdentity(UserIdentity.builder()
- .setProviderLogin(providerLogin)
- .setName("John")
- // No group
- .setGroups(stream(groups).collect(MoreCollectors.toSet()))
- .build())
+ private static UserRegistration newUserRegistration(UserIdentity userIdentity) {
+ return newUserRegistration(userIdentity, Source.local(BASIC));
+ }
+
+ private static UserRegistration newUserRegistration(UserIdentity userIdentity, Source source) {
+ return UserRegistration.builder()
+ .setUserIdentity(userIdentity)
.setProvider(IDENTITY_PROVIDER)
- .setSource(Source.local(BASIC))
+ .setSource(source)
.setExistingEmailStrategy(ExistingEmailStrategy.FORBID)
- .build());
+ .build();
+ }
+
+ private static UserRegistration newUserRegistration(Source source) {
+ return newUserRegistration(USER_IDENTITY, source);
+ }
+
+ private static UserRegistration newUserRegistration() {
+ return newUserRegistration(USER_IDENTITY, Source.local(BASIC));
+ }
+
+ private UserDto authenticate(String providerLogin, @Nullable String email, String... groups) {
+ return underTest.register(newUserRegistration(UserIdentity.builder()
+ .setProviderLogin(providerLogin)
+ .setName("John")
+ .setEmail(email)
+ .setGroups(Set.of(groups))
+ .build()));
}
private void checkGroupMembership(UserDto user, GroupDto... expectedGroups) {
projects / sonarqube.git / commitdiff