SONAR-23078 Fix SSF-644
authorNolwenn Cadic <98824442+nolwenn-cadic-sonarsource@users.noreply.github.com>
Wed, 18 Sep 2024 13:31:27 +0000 (15:31 +0200)
committersonartech <sonartech@sonarsource.com>
Mon, 23 Sep 2024 20:02:43 +0000 (20:02 +0000)
(cherry picked from commit 0516f003dfe1776ffa4c554f203c298dbc36ac45)

server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java

index dc1311bd51a705e1674991a82159ca313350ec83..8fba174df38a2ec4ddba3e396c960f60759723a6 100644 (file)
@@ -148,7 +148,11 @@ public class GitLabIdentityProvider implements OAuth2IdentityProvider {
   }
 
   private static boolean isAllowedGroup(String group, Set<String> allowedGroups) {
-    return allowedGroups.stream().anyMatch(group::startsWith);
+    return allowedGroups.stream().anyMatch(allowedGroup -> isExactGroupOrParentGroup(group, allowedGroup));
+  }
+
+  private static boolean isExactGroupOrParentGroup(String group, String allowedGroup) {
+    return group.equals(allowedGroup) || group.startsWith(allowedGroup + "/");
   }
 
   private Set<String> getGroups(OAuth20Service scribe, OAuth2AccessToken accessToken) {
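Review bot: An allowed group configured with a trailing slash (e.g. `path/`) can no longer match anything after this change, because `isExactGroupOrParentGroup` builds the parent prefix as `allowedGroup + "/"`, giving `path//`, and the `equals` branch presumably never sees a trailing slash on a GitLab full path. Unless `allowedGroups` is already normalized where it is read from settings (outside this hunk), strip the separator first: `String parent = allowedGroup.endsWith("/") ? allowedGroup.substring(0, allowedGroup.length() - 1) : allowedGroup;` and compare against `parent` in both branches. The new helper also deserves a short comment saying why the delimiter is there, since the bare `startsWith` it replaces is exactly the authorization gap being closed: `// "/" terminator: a plain prefix match would admit "path2" or "pathology" for an allowed "path"`. Without that comment a later simplification could quietly reintroduce the prefix match.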
index 4c7a432a6de3dec1f6250a4f376fde210da9cba3..1b3b7c86f8fb6fe63bda670244d440b85253fb93 100644 (file)
@@ -174,14 +174,16 @@ public class GitLabIdentityProviderTest {
   public static Object[][] allowedGroups() {
     return new Object[][]{
       {Set.of()},
-      {Set.of("path")}
+      {Set.of("path")},
+      {Set.of("path/to/group")},
     };
   }
 
   @Test
-  public void onCallback_withGroupSyncAndAllowedGroupsNotMatching_shouldThrow() {
+  @UseDataProvider("notAllowedGroups")
+  public void onCallback_withGroupSyncAndAllowedGroupsNotMatching_shouldThrow(Set<String> notAllowedGroups) {
     when(gitLabSettings.syncUserGroups()).thenReturn(true);
-    when(gitLabSettings.allowedGroups()).thenReturn(Set.of("path2"));
+    when(gitLabSettings.allowedGroups()).thenReturn(notAllowedGroups);
 
     mockGsonUser();
     mockGitlabGroups();
@@ -191,6 +193,14 @@ public class GitLabIdentityProviderTest {
       .withMessage("You are not allowed to authenticate");
   }
 
+  @DataProvider
+  public static Object[][] notAllowedGroups() {
+    return new Object[][]{
+      {Set.of("pat")},
+      {Set.of("path2")},
+    };
+  }
+
   @Test
   public void onCallback_ifScribeFactoryFails_shouldThrow() {
     IllegalStateException exception = new IllegalStateException("message");
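Review bot: The `notAllowedGroups` provider only exercises top-level prefixes (`pat`, `path2`); a prefix that stops inside a nested segment is not covered, yet that is the boundary the new delimiter check in `isExactGroupOrParentGroup` is meant to enforce. If `mockGitlabGroups()` (outside this hunk) returns a group under `path/to/group`, as the `path/to/group` entry in `allowedGroups` suggests, adding `{Set.of("path/to/gr")},` to this provider would pin the subgroup behaviour, and a `{Set.of("path/")}` entry would document whatever the intended trailing-slash behaviour is. As a point of style, `allowedGroups` is declared before the test that uses it while `notAllowedGroups` is declared after; keeping both providers together next to their tests makes the positive/negative pairs easier to compare.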