From: Jean-Baptiste Lievremont Date: Fri, 22 May 2015 09:25:06 +0000 (+0200) Subject: SONAR-6465 Require admin permission now that we send sensitive data X-Git-Tag: 5.2-RC1~1834 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=6595c3f3a3f3ae2ac4508961805ab8ef97f55098;p=sonarqube.git SONAR-6465 Require admin permission now that we send sensitive data --- diff --git a/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java b/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java index 2868829d065..28a06a356a9 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java +++ b/server/sonar-server/src/main/java/org/sonar/server/user/ws/SearchAction.java @@ -36,10 +36,12 @@ import org.sonar.api.server.ws.Response; import org.sonar.api.server.ws.WebService; import org.sonar.api.server.ws.WebService.Param; import org.sonar.api.utils.text.JsonWriter; +import org.sonar.core.permission.GlobalPermissions; import org.sonar.core.persistence.DbSession; import org.sonar.server.db.DbClient; import org.sonar.server.es.SearchOptions; import org.sonar.server.es.SearchResult; +import org.sonar.server.user.UserSession; import org.sonar.server.user.index.UserDoc; import org.sonar.server.user.index.UserIndex; @@ -54,16 +56,18 @@ public class SearchAction implements UsersWsAction { private final UserIndex userIndex; private final DbClient dbClient; + private final UserSession userSession; - public SearchAction(UserIndex userIndex, DbClient dbClient) { + public SearchAction(UserIndex userIndex, DbClient dbClient, UserSession userSession) { this.userIndex = userIndex; this.dbClient = dbClient; + this.userSession = userSession; } @Override public void define(WebService.NewController controller) { WebService.NewAction action = controller.createAction("search") - .setDescription("Get a list of active users.") + .setDescription("Get a list of active users. Requires Administer System permission.") .setSince("3.6") .setHandler(this) .setResponseExample(getClass().getResource("example-search.json")); @@ -77,6 +81,8 @@ public class SearchAction implements UsersWsAction { @Override public void handle(Request request, Response response) throws Exception { + userSession.checkLoggedIn().checkGlobalPermission(GlobalPermissions.SYSTEM_ADMIN); + SearchOptions options = new SearchOptions() .setPage(request.mandatoryParamAsInt(Param.PAGE), request.mandatoryParamAsInt(Param.PAGE_SIZE)); List fields = request.paramAsStrings(Param.FIELDS); diff --git a/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java index c5177efbcaa..2a1370d1eab 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/user/ws/SearchActionTest.java @@ -26,10 +26,12 @@ import java.util.List; import org.junit.After; import org.junit.Before; import org.junit.ClassRule; +import org.junit.Rule; import org.junit.Test; import org.sonar.api.config.Settings; import org.sonar.api.server.ws.WebService; import org.sonar.api.utils.System2; +import org.sonar.core.permission.GlobalPermissions; import org.sonar.core.persistence.DbSession; import org.sonar.core.persistence.DbTester; import org.sonar.core.user.GroupDto; @@ -38,6 +40,8 @@ import org.sonar.core.user.UserDto; import org.sonar.core.user.UserGroupDto; import org.sonar.server.db.DbClient; import org.sonar.server.es.EsTester; +import org.sonar.server.exceptions.ForbiddenException; +import org.sonar.server.tester.UserSessionRule; import org.sonar.server.user.db.GroupDao; import org.sonar.server.user.db.UserDao; import org.sonar.server.user.db.UserGroupDao; @@ -56,6 +60,9 @@ public class SearchActionTest { @ClassRule public static final EsTester esTester = new EsTester().addDefinitions(new UserIndexDefinition(new Settings())); + @Rule + public UserSessionRule userSession = UserSessionRule.standalone(); + WebService.Controller controller; WsTester tester; @@ -79,7 +86,7 @@ public class SearchActionTest { session = dbClient.openSession(false); index = new UserIndex(esTester.client()); - tester = new WsTester(new UsersWs(new SearchAction(index, dbClient))); + tester = new WsTester(new UsersWs(new SearchAction(index, dbClient, userSession))); controller = tester.controller("api/users"); } @@ -90,6 +97,7 @@ public class SearchActionTest { @Test public void search_empty() throws Exception { + loginAsAdmin(); tester.newGetRequest("api/users", "search").execute().assertJson(getClass(), "empty.json"); } @@ -97,6 +105,7 @@ public class SearchActionTest { public void search_without_parameters() throws Exception { injectUsers(5); + loginAsAdmin(); tester.newGetRequest("api/users", "search").execute().assertJson(getClass(), "five_users.json"); } @@ -104,6 +113,7 @@ public class SearchActionTest { public void search_with_query() throws Exception { injectUsers(5); + loginAsAdmin(); tester.newGetRequest("api/users", "search").setParam("q", "user-1").execute().assertJson(getClass(), "user_one.json"); } @@ -111,6 +121,7 @@ public class SearchActionTest { public void search_with_paging() throws Exception { injectUsers(10); + loginAsAdmin(); tester.newGetRequest("api/users", "search").setParam("ps", "5").execute().assertJson(getClass(), "page_one.json"); tester.newGetRequest("api/users", "search").setParam("ps", "5").setParam("p", "2").execute().assertJson(getClass(), "page_two.json"); } @@ -119,6 +130,8 @@ public class SearchActionTest { public void search_with_fields() throws Exception { injectUsers(1); + loginAsAdmin(); + assertThat(tester.newGetRequest("api/users", "search").execute().outputAsString()) .contains("login") .contains("name") @@ -165,9 +178,16 @@ public class SearchActionTest { dbClient.userGroupDao().insert(session, new UserGroupDto().setGroupId(group2.getId()).setUserId(users.get(0).getId())); session.commit(); + loginAsAdmin(); tester.newGetRequest("api/users", "search").execute().assertJson(getClass(), "user_with_groups.json"); } + @Test(expected = ForbiddenException.class) + public void fail_on_missing_permission() throws Exception { + userSession.login("not-admin"); + tester.newGetRequest("api/users", "search").execute(); + } + private List injectUsers(int numberOfUsers) throws Exception { List userDtos = Lists.newArrayList(); long createdAt = System.currentTimeMillis(); @@ -200,4 +220,8 @@ public class SearchActionTest { esTester.putDocuments(UserIndexDefinition.INDEX, UserIndexDefinition.TYPE_USER, users); return userDtos; } + + private void loginAsAdmin() { + userSession.login("admin").setGlobalPermissions(GlobalPermissions.SYSTEM_ADMIN); + } } diff --git a/server/sonar-server/src/test/java/org/sonar/server/user/ws/UsersWsTest.java b/server/sonar-server/src/test/java/org/sonar/server/user/ws/UsersWsTest.java index 8a2a5f43c46..c59fa79aabe 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/user/ws/UsersWsTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/user/ws/UsersWsTest.java @@ -27,6 +27,7 @@ import org.sonar.api.i18n.I18n; import org.sonar.api.server.ws.WebService; import org.sonar.server.db.DbClient; import org.sonar.server.tester.UserSessionRule; +import org.sonar.server.user.UserSession; import org.sonar.server.user.UserUpdater; import org.sonar.server.user.index.UserIndex; import org.sonar.server.ws.WsTester; @@ -47,7 +48,7 @@ public class UsersWsTest { new CurrentAction(userSessionRule), new DeactivateAction(mock(UserIndex.class), mock(UserUpdater.class), userSessionRule), new ChangePasswordAction(mock(UserUpdater.class), userSessionRule), - new SearchAction(mock(UserIndex.class), mock(DbClient.class)))); + new SearchAction(mock(UserIndex.class), mock(DbClient.class), mock(UserSession.class)))); controller = tester.controller("api/users"); }