From: Eric Hartmann Date: Fri, 8 Jun 2018 16:01:52 +0000 (+0200) Subject: SONAR-10830 Allow passcode even if forceAuthentication is true X-Git-Tag: 6.7.5~25 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=98e454d15bb1d51dae72470f46e1626f979038e7;p=sonarqube.git SONAR-10830 Allow passcode even if forceAuthentication is true
---
diff --git a/server/sonar-server/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java b/server/sonar-server/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java
index 0046c09510f..d5729f2b6d0 100644
--- a/server/sonar-server/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java
+++ b/server/sonar-server/src/main/java/org/sonar/server/authentication/UserSessionInitializer.java
@@ -65,12 +65,20 @@ public class UserSessionInitializer {
     "/api/users/identity_providers", "/api/l10n/index", LOGIN_URL, LOGOUT_URL, VALIDATE_URL);
+  private static final Set URL_USING_PASSCODE = ImmutableSet.of(
+    "/api/system/health"
+  );
+
   private static final UrlPattern URL_PATTERN = UrlPattern.builder()
     .includes("/*")
     .excludes(staticResourcePatterns())
     .excludes(SKIPPED_URLS)
     .build();
+  private static final UrlPattern PASSCODE_URLS = UrlPattern.builder()
+    .includes(URL_USING_PASSCODE)
+    .build();
+
   private final Configuration config;
   private final ThreadLocalUserSession threadLocalSession;
   private final AuthenticationEvent authenticationEvent;
@@ -91,7 +99,7 @@ public class UserSessionInitializer {
     try {
       // Do not set user session when url is excluded
       if (URL_PATTERN.matches(path)) {
-        loadUserSession(request, response);
+        loadUserSession(request, response, PASSCODE_URLS.matches(path));
       }
       return true;
     } catch (AuthenticationException e) {
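Review bot: `URL_USING_PASSCODE` and `PASSCODE_URLS` carry no comment saying what membership means, and the names suggest this filter checks a passcode, which it does not: a path listed here is only exempted from the forceAuthentication check in `loadUserSession`, and the anonymous session is set whether or not a passcode header is present. That exemption is safe only if every listed web service validates the system passcode itself and rejects the request otherwise, so the contract belongs next to the set rather than in the caller's head. Suggested comment above `URL_USING_PASSCODE`: `// URLs exempt from sonar.forceAuthentication in this filter: the WS itself must validate the system passcode and reject the request otherwise`.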
@@ -115,13 +123,15 @@ public class UserSessionInitializer {
     return provider != AuthenticationEvent.Provider.LOCAL && provider != AuthenticationEvent.Provider.JWT;
   }
-  private void loadUserSession(HttpServletRequest request, HttpServletResponse response) {
+  private void loadUserSession(HttpServletRequest request, HttpServletResponse response, boolean usingPasscode) {
     UserSession session;
     Optional user = authenticators.authenticate(request, response);
     if (user.isPresent()) {
       session = userSessionFactory.create(user.get());
     } else {
-      failIfAuthenticationIsRequired();
+      if (!usingPasscode) {
+        failIfAuthenticationIsRequired();
+      }
       session = userSessionFactory.createAnonymous();
     }
     threadLocalSession.set(session);
diff --git a/server/sonar-server/src/test/java/org/sonar/server/authentication/UserSessionInitializerTest.java b/server/sonar-server/src/test/java/org/sonar/server/authentication/UserSessionInitializerTest.java
index 318046092e9..900751ccea9 100644
--- a/server/sonar-server/src/test/java/org/sonar/server/authentication/UserSessionInitializerTest.java
+++ b/server/sonar-server/src/test/java/org/sonar/server/authentication/UserSessionInitializerTest.java
@@ -105,6 +105,9 @@ public class UserSessionInitializerTest {
     assertPathIsIgnored("/api/users/identity_providers");
     assertPathIsIgnored("/api/l10n/index");
+    // WS with Passcode
+    assertPathIsIgnoredWithAnonymousAccess("/api/system/health");
+
     // exclude static resources
     assertPathIsIgnored("/css/style.css");
     assertPathIsIgnored("/fonts/font.ttf");
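Review bot: In `loadUserSession` the new `if (!usingPasscode)` branch skips `failIfAuthenticationIsRequired()` without checking that any passcode was presented, so every unauthenticated request to a `PASSCODE_URLS` path now gets an anonymous session even when forceAuthentication is on; the parameter name reads as if a passcode were in use, but it only encodes the URL match computed at the call site. This is acceptable only because the WS behind `/api/system/health` is expected to validate the passcode itself, and nothing in the hunk records that dependency. Suggested comment above the branch: `// passcode-protected WS validate the passcode themselves; forceAuthentication is deliberately not enforced here for them`, and a name such as `anonymousAllowedForPasscode` instead of `usingPasscode` would stop the next reader from assuming a check happened. The body of `loadUserSession` continues past the end of the hunk.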
@@ -186,6 +189,16 @@ public class UserSessionInitializerTest {
     reset(userSession, authenticators);
   }
+  private void assertPathIsIgnoredWithAnonymousAccess(String path) {
+    when(request.getRequestURI()).thenReturn(path);
+    when(authenticators.authenticate(request, response)).thenReturn(Optional.empty());
+
+    assertThat(underTest.initUserSession(request, response)).isTrue();
+
+    verify(userSession).set(any(UserSession.class));
+    reset(userSession, authenticators);
+  }
+
   private void assertPathIsNotIgnored(String path) {
     when(request.getRequestURI()).thenReturn(path);
     when(authenticators.authenticate(request, response)).thenReturn(Optional.of(user));
diff --git a/tests/src/test/java/org/sonarqube/tests/authorisation/SystemPasscodeTest.java b/tests/src/test/java/org/sonarqube/tests/authorisation/SystemPasscodeTest.java
index 32fa0cba328..c74a26d413e 100644
--- a/tests/src/test/java/org/sonarqube/tests/authorisation/SystemPasscodeTest.java
+++ b/tests/src/test/java/org/sonarqube/tests/authorisation/SystemPasscodeTest.java
@@ -21,6 +21,7 @@ package org.sonarqube.tests.authorisation;
 import com.sonar.orchestrator.Orchestrator;
 import com.sonar.orchestrator.OrchestratorBuilder;
+import java.util.Arrays;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
 import org.junit.Rule;
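Review bot: `assertPathIsIgnoredWithAnonymousAccess` only shows that an anonymous session is set when the authenticators return empty; unless the fixture already enables `sonar.forceAuthentication` (not visible in this hunk), `failIfAuthenticationIsRequired()` is a no-op and the assertion would have passed before this change too, so the test does not pin the new `usingPasscode` branch. Enabling forced authentication in the configuration seen by `underTest` inside this helper, before the `initUserSession` call, would make the case discriminating. A companion check that a path outside `URL_USING_PASSCODE` with an empty authentication result is still rejected under that setting would document that the exemption is limited to the listed URLs.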
@@ -88,6 +89,22 @@ public class SystemPasscodeTest {
     assertThat(response.code()).isEqualTo(401);
   }
+  @Test
+  public void system_access_is_granted_even_with_forceAuthentication_is_set_to_true() {
+    tester.settings().setGlobalSetting("sonar.forceAuthentication", "true");
+    Arrays.asList("/api/system/health")
+      .forEach(url -> {
+        WsRequest request = new GetRequest("api/system/health")
+          .setHeader(PASSCODE_HEADER, VALID_PASSCODE);
+
+        WsResponse response = tester.asAnonymous().wsClient().wsConnector().call(request);
+        assertThat(response.code()).isEqualTo(200);
+      }
+      );
+    tester.settings().setGlobalSetting("sonar.forceAuthentication", "false");
+  }
+
+
   private static GetRequest newRequest() {
     return new GetRequest("api/system_passcode/check");
   }
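Review bot: In `system_access_is_granted_even_with_forceAuthentication_is_set_to_true` the reset of `sonar.forceAuthentication` to `"false"` runs only when the assertion passes, so a failing `assertThat` leaves forced authentication enabled for the remaining tests in the class and they fail for an unrelated reason. The `Arrays.asList(...).forEach(url -> ...)` loop also ignores `url` and hard-codes `"api/system/health"`, so adding a second entry to the list would not exercise it. The test covers only the positive case; since the initializer no longer enforces forceAuthentication on this path, a request to `api/system/health` without `PASSCODE_HEADER` under the same setting should be checked to still be rejected. Proposed rewrite with a try/finally, the unused loop removed and the negative case added:
```java
  @Test
  public void system_access_is_granted_even_with_forceAuthentication_is_set_to_true() {
    tester.settings().setGlobalSetting("sonar.forceAuthentication", "true");
    try {
      WsRequest request = new GetRequest("api/system/health")
        .setHeader(PASSCODE_HEADER, VALID_PASSCODE);
      WsResponse response = tester.asAnonymous().wsClient().wsConnector().call(request);
      assertThat(response.code()).isEqualTo(200);

      // the filter exemption must not grant access when no passcode is presented
      WsResponse withoutPasscode = tester.asAnonymous().wsClient().wsConnector().call(new GetRequest("api/system/health"));
      assertThat(withoutPasscode.code()).isNotEqualTo(200);
    } finally {
      // restore the default even when an assertion above fails
      tester.settings().setGlobalSetting("sonar.forceAuthentication", "false");
    }
  }
```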