diff options
| author | Florian Zschocke <f.zschocke+git@gmail.com> | 2020-04-04 19:43:35 +0200 |
|---|---|---|
| committer | Florian Zschocke <f.zschocke+git@gmail.com> | 2020-04-05 12:34:54 +0200 |
| commit | 803d4171bf24e82612c526d65de77aa580c8a62f (patch) | |
| tree | 6917807d508763d1d7f3bd824e901289af0d5ce6 /src/test/java/com | |
| parent | e47647b00d566d64d311042981e6b1798f683e4a (diff) | |
| download | gitblit-803d4171bf24e82612c526d65de77aa580c8a62f.tar.gz gitblit-803d4171bf24e82612c526d65de77aa580c8a62f.zip | |
Delete password from memory in AuthenticationManager
Zero out the password to remove it from memory after use.
This is only a first step, implementing it for one method:
`AuthenticationManager.authenticate(String, char[], String)`.
Diffstat (limited to 'src/test/java/com')
| -rw-r--r-- | src/test/java/com/gitblit/tests/AuthenticationManagerTest.java | 84 | ||||
| -rw-r--r-- | src/test/java/com/gitblit/tests/StringUtilsTest.java | 15 |
2 files changed, 87 insertions, 12 deletions
diff --git a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java index 1c6de3b2..81d68895 100644 --- a/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java +++ b/src/test/java/com/gitblit/tests/AuthenticationManagerTest.java @@ -19,13 +19,7 @@ import java.io.BufferedReader; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.security.Principal; -import java.util.Collection; -import java.util.Collections; -import java.util.Enumeration; -import java.util.HashMap; -import java.util.List; -import java.util.Locale; -import java.util.Map; +import java.util.*; import javax.servlet.AsyncContext; import javax.servlet.DispatcherType; @@ -654,16 +648,84 @@ public class AuthenticationManagerTest extends GitblitUnitTest { public void testAuthenticate() throws Exception { IAuthenticationManager auth = newAuthenticationManager(); + + String password = "pass word"; UserModel user = new UserModel("sunnyjim"); - user.password = "password"; + user.password = password; users.updateUserModel(user); - assertNotNull(auth.authenticate(user.username, user.password.toCharArray(), null)); + char[] pwd = password.toCharArray(); + assertNotNull(auth.authenticate(user.username, pwd, null)); + + // validate that the passed in password has been zeroed out in memory + char[] zeroes = new char[pwd.length]; + Arrays.fill(zeroes, Character.MIN_VALUE); + assertArrayEquals(zeroes, pwd); + } + + + @Test + public void testAuthenticateDisabledUser() throws Exception { + IAuthenticationManager auth = newAuthenticationManager(); + + + String password = "password"; + UserModel user = new UserModel("sunnyjim"); + user.password = password; user.disabled = true; + users.updateUserModel(user); + + assertNull(auth.authenticate(user.username, password.toCharArray(), null)); + + user.disabled = false; + users.updateUserModel(user); + assertNotNull(auth.authenticate(user.username, password.toCharArray(), null)); + } + + + @Test + public void testAuthenticateEmptyPassword() throws Exception { + IAuthenticationManager auth = newAuthenticationManager(); + + + String password = "password"; + UserModel user = new UserModel("sunnyjim"); + user.password = password; + users.updateUserModel(user); + + assertNull(auth.authenticate(user.username, "".toCharArray(), null)); + assertNull(auth.authenticate(user.username, " ".toCharArray(), null)); + assertNull(auth.authenticate(user.username, new char[]{' ', '\u0010', '\u0015'}, null)); + } + + + + @Test + public void testAuthenticateWrongPassword() throws Exception { + IAuthenticationManager auth = newAuthenticationManager(); + + + String password = "password"; + UserModel user = new UserModel("sunnyjim"); + user.password = password; users.updateUserModel(user); - assertNull(auth.authenticate(user.username, user.password.toCharArray(), null)); - users.deleteUserModel(user); + + assertNull(auth.authenticate(user.username, "helloworld".toCharArray(), null)); + } + + + @Test + public void testAuthenticateNoSuchUser() throws Exception { + IAuthenticationManager auth = newAuthenticationManager(); + + + String password = "password"; + UserModel user = new UserModel("sunnyjim"); + user.password = password; + users.updateUserModel(user); + + assertNull(auth.authenticate("rainyjoe", password.toCharArray(), null)); } diff --git a/src/test/java/com/gitblit/tests/StringUtilsTest.java b/src/test/java/com/gitblit/tests/StringUtilsTest.java index 7176b88c..3dae66f4 100644 --- a/src/test/java/com/gitblit/tests/StringUtilsTest.java +++ b/src/test/java/com/gitblit/tests/StringUtilsTest.java @@ -26,13 +26,26 @@ public class StringUtilsTest extends GitblitUnitTest { @Test
public void testIsEmpty() throws Exception {
- assertTrue(StringUtils.isEmpty(null));
+ assertTrue(StringUtils.isEmpty((String)null));
assertTrue(StringUtils.isEmpty(""));
assertTrue(StringUtils.isEmpty(" "));
assertFalse(StringUtils.isEmpty("A"));
}
@Test
+ public void testIsEmptyCharArray() throws Exception {
+ assertTrue(StringUtils.isEmpty((char[])null));
+ assertTrue(StringUtils.isEmpty(new char[0]));
+ assertTrue(StringUtils.isEmpty(new char[]{ ' ' }));
+ assertTrue(StringUtils.isEmpty(new char[]{ ' '}));
+ assertTrue(StringUtils.isEmpty(new char[]{ ' ', ' ' }));
+ assertTrue(StringUtils.isEmpty(new char[]{ ' ', ' ', ' ' }));
+ assertFalse(StringUtils.isEmpty(new char[]{ '\u0020', 'f' }));
+ assertFalse(StringUtils.isEmpty(new char[]{ '\u0148', '\u0020' }));
+ assertFalse(StringUtils.isEmpty(new char[]{ 'A' }));
+ }
+
+ @Test
public void testBreakLinesForHtml() throws Exception {
String input = "this\nis\r\na\rtest\r\n\r\nof\n\nline\r\rbreaking";
String output = "this<br/>is<br/>a<br/>test<br/><br/>of<br/><br/>line<br/><br/>breaking";
|