From 215764c9a0c6f13d9e17071de636da7ef4659a7d Mon Sep 17 00:00:00 2001 From: Simon Brandhof Date: Thu, 2 Feb 2017 15:17:16 +0100 Subject: [PATCH] SONAR-8716 fix check of permissions in api/server/check_secret_key --- .../setting/ws/CheckSecretKeyAction.java | 3 +- .../setting/ws/CheckSecretKeyActionTest.java | 39 +++++++++++++------ 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/CheckSecretKeyAction.java b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/CheckSecretKeyAction.java index 2fc736b1746..96d9c015748 100644 --- a/server/sonar-server/src/main/java/org/sonar/server/setting/ws/CheckSecretKeyAction.java +++ b/server/sonar-server/src/main/java/org/sonar/server/setting/ws/CheckSecretKeyAction.java @@ -27,7 +27,6 @@ import org.sonar.api.server.ws.WebService; import org.sonar.server.user.UserSession; import org.sonarqube.ws.Settings.CheckSecretKeyWsResponse; -import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN; import static org.sonar.server.ws.WsUtils.writeProtobuf; public class CheckSecretKeyAction implements SettingsWsAction { @@ -52,7 +51,7 @@ public class CheckSecretKeyAction implements SettingsWsAction { @Override public void handle(Request request, Response response) throws Exception { - userSession.checkPermission(SYSTEM_ADMIN); + userSession.checkLoggedIn().checkIsRoot(); writeProtobuf(CheckSecretKeyWsResponse.newBuilder().setSecretKeyAvailable(settings.getEncryption().hasSecretKey()).build(), request, response); } diff --git a/server/sonar-server/src/test/java/org/sonar/server/setting/ws/CheckSecretKeyActionTest.java b/server/sonar-server/src/test/java/org/sonar/server/setting/ws/CheckSecretKeyActionTest.java index 16ec66b53ea..e3e2d81d45b 100644 --- a/server/sonar-server/src/test/java/org/sonar/server/setting/ws/CheckSecretKeyActionTest.java +++ b/server/sonar-server/src/test/java/org/sonar/server/setting/ws/CheckSecretKeyActionTest.java 
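Review bot: The new `userSession.checkLoggedIn().checkIsRoot()` in `handle()` tightens this endpoint from the 'Administer System' permission to root-only, but nothing in the hunk records why, and the action's `define()` description — outside this hunk — presumably still tells API clients the old requirement; if it does, it should be updated with this line. A why-comment on the check would help the next maintainer, e.g. `// root only: the response reveals whether a secret key is configured, which is deployment-level information`. The call order is worth keeping as written: `checkLoggedIn()` first gives anonymous callers a 401 and `checkIsRoot()` gives logged-in non-root users a 403, which is exactly what the test changes in this commit pin down. `handle()` lies fully within the hunk; the rest of the class does not.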
@@ -33,6 +33,7 @@ import org.sonar.api.config.MapSettings; import org.sonar.api.config.Settings; import org.sonar.api.server.ws.WebService; import org.sonar.server.exceptions.ForbiddenException; +import org.sonar.server.exceptions.UnauthorizedException; import org.sonar.server.tester.UserSessionRule; import org.sonar.server.ws.TestRequest; import org.sonar.server.ws.WsActionTester; @@ -40,27 +41,25 @@ import org.sonarqube.ws.MediaTypes; import org.sonarqube.ws.Settings.CheckSecretKeyWsResponse; import static org.assertj.core.api.Assertions.assertThat; -import static org.sonar.core.permission.GlobalPermissions.QUALITY_PROFILE_ADMIN; -import static org.sonar.core.permission.GlobalPermissions.SYSTEM_ADMIN; import static org.sonar.test.JsonAssert.assertJson; public class CheckSecretKeyActionTest { @Rule public ExpectedException expectedException = ExpectedException.none(); @Rule - public UserSessionRule userSession = UserSessionRule.standalone().setGlobalPermissions(SYSTEM_ADMIN); + public UserSessionRule userSession = UserSessionRule.standalone(); @Rule public TemporaryFolder temporaryFolder = new TemporaryFolder(); - Settings settings = new MapSettings(); - Encryption encryption = settings.getEncryption(); - - CheckSecretKeyAction underTest = new CheckSecretKeyAction(settings, userSession); - - WsActionTester ws = new WsActionTester(underTest); + private Settings settings = new MapSettings(); + private Encryption encryption = settings.getEncryption(); + private CheckSecretKeyAction underTest = new CheckSecretKeyAction(settings, userSession); + private WsActionTester ws = new WsActionTester(underTest); @Test public void json_example() throws IOException { + logInAsRoot(); + File secretKeyFile = temporaryFolder.newFile(); FileUtils.writeStringToFile(secretKeyFile, "fCVFf/JHRi8Qwu5KLNva7g=="); encryption.setPathToSecretKey(secretKeyFile.getAbsolutePath()); 
@@ -72,6 +71,8 @@ public class CheckSecretKeyActionTest { @Test public void false_when_no_secret_key() { + logInAsRoot(); + encryption.setPathToSecretKey("unknown/path/to_secret_key.txt"); CheckSecretKeyWsResponse result = call(); @@ -92,10 +93,21 @@ public class CheckSecretKeyActionTest { } @Test - public void fail_if_insufficient_permissions() { - expectedException.expect(ForbiddenException.class); + public void throw_UnauthorizedException_if_not_logged_in() { + userSession.anonymous(); - userSession.anonymous().setGlobalPermissions(QUALITY_PROFILE_ADMIN); + expectedException.expect(UnauthorizedException.class); + expectedException.expectMessage("Authentication is required"); + + call(); + } + + @Test + public void throw_ForbiddenException_if_not_root() { + userSession.login(); + + expectedException.expect(ForbiddenException.class); + expectedException.expectMessage("Insufficient privileges"); call(); } @@ -112,4 +124,7 @@ public class CheckSecretKeyActionTest { } } + private void logInAsRoot() { + userSession.login().setRoot(); + } } -- 2.39.5
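Review bot: The new `throw_ForbiddenException_if_not_root` test logs in a user with no permissions at all, so the case the commit title is about — a user holding the old 'Administer System' global permission who must now be refused — is not covered, whereas the removed `fail_if_insufficient_permissions` test at least exercised a non-admin global permission. Add a third negative test that does `userSession.login().setGlobalPermissions(SYSTEM_ADMIN);` and still expects `ForbiddenException` with message `Insufficient privileges`; that pins the root-only contract and guards against someone restoring the permission-based check later. It requires re-adding the `GlobalPermissions.SYSTEM_ADMIN` static import that an earlier hunk of this file removed. Chaining `setGlobalPermissions` off `login()` is inferred from the removed `anonymous().setGlobalPermissions(...)` line and should be confirmed against `UserSessionRule`.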