authorJames Moger <james.moger@gitblit.com>2014-03-18 21:10:48 -0400
committerJames Moger <james.moger@gitblit.com>2014-03-18 21:10:48 -0400
commitb4a63aad7f56486c164a15ae2477bcd251b0bb1b (patch)
tree0a7c309566d1422feb544dbd6f5cf15afea8b879 /src/test
parent8da53958ed0980a327ec50738aafd588304b9c73 (diff)
Fix authentication security hole with external providers
Diffstat (limited to 'src/test')
-rw-r--r--src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java116
-rw-r--r--src/test/java/com/gitblit/tests/LdapAuthenticationTest.java36
-rw-r--r--src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java27
3 files changed, 168 insertions, 11 deletions
diff --git a/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java b/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java
index 3b1d51e1..4e1c3ac1 100644
--- a/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java
+++ b/src/test/java/com/gitblit/tests/HtpasswdAuthenticationTest.java
@@ -27,6 +27,7 @@ import org.junit.Test;
import com.gitblit.IStoredSettings;
import com.gitblit.auth.HtpasswdAuthProvider;
+import com.gitblit.manager.AuthenticationManager;
import com.gitblit.manager.RuntimeManager;
import com.gitblit.manager.UserManager;
import com.gitblit.models.UserModel;
@@ -47,6 +48,7 @@ public class HtpasswdAuthenticationTest extends GitblitUnitTest {
private HtpasswdAuthProvider htpasswd;
+ private AuthenticationManager auth;
private MemorySettings getSettings(String userfile, String groupfile, Boolean overrideLA)
{
@@ -68,6 +70,7 @@ public class HtpasswdAuthenticationTest extends GitblitUnitTest {
private void setupUS()
{
htpasswd = newHtpasswdAuthentication(getSettings());
+ auth = newAuthenticationManager(getSettings());
}
private HtpasswdAuthProvider newHtpasswdAuthentication(IStoredSettings settings) {
@@ -77,6 +80,16 @@ public class HtpasswdAuthenticationTest extends GitblitUnitTest {
htpasswd.setup(runtime, users);
return htpasswd;
}
+
+ private AuthenticationManager newAuthenticationManager(IStoredSettings settings) {
+ RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
+ UserManager users = new UserManager(runtime).start();
+ HtpasswdAuthProvider htpasswd = new HtpasswdAuthProvider();
+ htpasswd.setup(runtime, users);
+ AuthenticationManager auth = new AuthenticationManager(runtime, users);
+ auth.addAuthenticationProvider(htpasswd);
+ return auth;
+ }
private void copyInFiles() throws IOException
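Review bot: newAuthenticationManager starts a second RuntimeManager and UserManager and wires a fresh HtpasswdAuthProvider into them, so after setupUS in the previous hunk (`auth = newAuthenticationManager(getSettings());` right after `htpasswd = newHtpasswdAuthentication(getSettings());`) the test class holds two independent user stores that merely load the same files. If the manager tests are meant to exercise the same provider the provider tests use, wiring the existing instance in — `AuthenticationManager auth = new AuthenticationManager(runtime, users); auth.addAuthenticationProvider(htpasswd);` built on the runtime and users that newHtpasswdAuthentication already creates — would make that explicit. If the isolation is deliberate, a one-line comment on the helper such as `// separate runtime/user manager on purpose: manager tests must not share state with the htpasswd field` would stop the next reader from collapsing it. Whether the two UserManagers end up sharing on-disk state cannot be seen from this hunk.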
@@ -178,6 +191,52 @@ public class HtpasswdAuthenticationTest extends GitblitUnitTest {
assertEquals("leading", user.username);
}
+
+ @Test
+ public void testAuthenticationManager()
+ {
+ MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "true");
+ UserModel user = auth.authenticate("user1", "pass1".toCharArray());
+ assertNotNull(user);
+ assertEquals("user1", user.username);
+
+ user = auth.authenticate("user2", "pass2".toCharArray());
+ assertNotNull(user);
+ assertEquals("user2", user.username);
+
+ // Test different encryptions
+ user = auth.authenticate("plain", "passWord".toCharArray());
+ assertNotNull(user);
+ assertEquals("plain", user.username);
+
+ MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "false");
+ user = auth.authenticate("crypt", "password".toCharArray());
+ assertNotNull(user);
+ assertEquals("crypt", user.username);
+
+ user = auth.authenticate("md5", "password".toCharArray());
+ assertNotNull(user);
+ assertEquals("md5", user.username);
+
+ user = auth.authenticate("sha", "password".toCharArray());
+ assertNotNull(user);
+ assertEquals("sha", user.username);
+
+
+ // Test leading and trailing whitespace
+ user = auth.authenticate("trailing", "whitespace".toCharArray());
+ assertNotNull(user);
+ assertEquals("trailing", user.username);
+
+ user = auth.authenticate("tabbed", "frontAndBack".toCharArray());
+ assertNotNull(user);
+ assertEquals("tabbed", user.username);
+
+ user = auth.authenticate("leading", "whitespace".toCharArray());
+ assertNotNull(user);
+ assertEquals("leading", user.username);
+ }
+
@Test
public void testAttributes()
@@ -256,6 +315,63 @@ public class HtpasswdAuthenticationTest extends GitblitUnitTest {
@Test
+ public void testAuthenticationMangerDenied()
+ {
+ UserModel user = null;
+ MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "true");
+ user = auth.authenticate("user1", "".toCharArray());
+ assertNull("User 'user1' falsely authenticated.", user);
+
+ user = auth.authenticate("user1", "pass2".toCharArray());
+ assertNull("User 'user1' falsely authenticated.", user);
+
+ user = auth.authenticate("user2", "lalala".toCharArray());
+ assertNull("User 'user2' falsely authenticated.", user);
+
+
+ user = auth.authenticate("user3", "disabled".toCharArray());
+ assertNull("User 'user3' falsely authenticated.", user);
+
+ user = auth.authenticate("user4", "disabled".toCharArray());
+ assertNull("User 'user4' falsely authenticated.", user);
+
+
+ user = auth.authenticate("plain", "text".toCharArray());
+ assertNull("User 'plain' falsely authenticated.", user);
+
+ user = auth.authenticate("plain", "password".toCharArray());
+ assertNull("User 'plain' falsely authenticated.", user);
+
+
+ MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "false");
+
+ user = auth.authenticate("crypt", "".toCharArray());
+ assertNull("User 'cyrpt' falsely authenticated.", user);
+
+ user = auth.authenticate("crypt", "passwd".toCharArray());
+ assertNull("User 'crypt' falsely authenticated.", user);
+
+ user = auth.authenticate("md5", "".toCharArray());
+ assertNull("User 'md5' falsely authenticated.", user);
+
+ user = auth.authenticate("md5", "pwd".toCharArray());
+ assertNull("User 'md5' falsely authenticated.", user);
+
+ user = auth.authenticate("sha", "".toCharArray());
+ assertNull("User 'sha' falsely authenticated.", user);
+
+ user = auth.authenticate("sha", "letmein".toCharArray());
+ assertNull("User 'sha' falsely authenticated.", user);
+
+
+ user = auth.authenticate(" tabbed", "frontAndBack".toCharArray());
+ assertNull("User 'tabbed' falsely authenticated.", user);
+
+ user = auth.authenticate(" leading", "whitespace".toCharArray());
+ assertNull("User 'leading' falsely authenticated.", user);
+ }
+
+ @Test
public void testCleartextIntrusion()
{
MS.put(KEY_SUPPORT_PLAINTEXT_PWD, "true");
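Review bot: The new test method is misspelled `testAuthenticationMangerDenied` and the message on the first crypt assertion reads `"User 'cyrpt' falsely authenticated."`; both should read `testAuthenticationManagerDenied` and `"User 'crypt' falsely authenticated."` so a failure report names the right test and account. The method toggles plaintext support through `MS` while `auth` was built from `getSettings()` in setupUS, so the cases only mean something if `MS` is the settings object the manager's runtime reads, which the hunk does not show; a short comment above the first `MS.put(...)` stating that dependency would help. The stray double blank lines after the user2, user4, plain and sha cases are inconsistent with the rest of the file.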
diff --git a/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java b/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java
index e4dc2db2..b037754c 100644
--- a/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java
+++ b/src/test/java/com/gitblit/tests/LdapAuthenticationTest.java
@@ -32,6 +32,7 @@ import com.gitblit.Constants.AccountType;
import com.gitblit.IStoredSettings;
import com.gitblit.Keys;
import com.gitblit.auth.LdapAuthProvider;
+import com.gitblit.manager.AuthenticationManager;
import com.gitblit.manager.IUserManager;
import com.gitblit.manager.RuntimeManager;
import com.gitblit.manager.UserManager;
@@ -67,6 +68,8 @@ public class LdapAuthenticationTest extends GitblitUnitTest {
private static InMemoryDirectoryServer ds;
private IUserManager userManager;
+
+ private AuthenticationManager auth;
private MemorySettings settings;
@@ -89,6 +92,7 @@ public class LdapAuthenticationTest extends GitblitUnitTest {
FileUtils.copyFile(new File(RESOURCE_DIR + "users.conf"), usersConf);
settings = getSettings();
ldap = newLdapAuthentication(settings);
+ auth = newAuthenticationManager(settings);
}
private LdapAuthProvider newLdapAuthentication(IStoredSettings settings) {
@@ -98,6 +102,13 @@ public class LdapAuthenticationTest extends GitblitUnitTest {
ldap.setup(runtime, userManager);
return ldap;
}
+
+ private AuthenticationManager newAuthenticationManager(IStoredSettings settings) {
+ RuntimeManager runtime = new RuntimeManager(settings, GitBlitSuite.BASEFOLDER).start();
+ AuthenticationManager auth = new AuthenticationManager(runtime, userManager);
+ auth.addAuthenticationProvider(newLdapAuthentication(settings));
+ return auth;
+ }
private MemorySettings getSettings() {
Map<String, Object> backingMap = new HashMap<String, Object>();
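Review bot: newAuthenticationManager calls newLdapAuthentication(settings) again, so after the setup hunk (`ldap = newLdapAuthentication(settings); auth = newAuthenticationManager(settings);`) two LdapAuthProvider instances exist and a separate RuntimeManager is started for the manager while the provider is set up against whatever runtime newLdapAuthentication uses (its body starts outside the hunk, so that part is inferred). Reusing the provider under test — `auth.addAuthenticationProvider(ldap);` — on the same runtime would keep provider and manager on one configuration. If the separate instances are intentional, a comment on the helper saying so, e.g. `// fresh provider: manager tests must not observe state cached by the ldap field`, would document it.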
@@ -223,6 +234,31 @@ public class LdapAuthenticationTest extends GitblitUnitTest {
assertEquals("Number of ldap groups in gitblit team model", 1, countLdapTeamsInUserManager());
}
+ @Test
+ public void testAuthenticationManager() {
+ UserModel userOneModel = auth.authenticate("UserOne", "userOnePassword".toCharArray());
+ assertNotNull(userOneModel);
+ assertNotNull(userOneModel.getTeam("git_admins"));
+ assertNotNull(userOneModel.getTeam("git_users"));
+ assertTrue(userOneModel.canAdmin);
+
+ UserModel userOneModelFailedAuth = auth.authenticate("UserOne", "userTwoPassword".toCharArray());
+ assertNull(userOneModelFailedAuth);
+
+ UserModel userTwoModel = auth.authenticate("UserTwo", "userTwoPassword".toCharArray());
+ assertNotNull(userTwoModel);
+ assertNotNull(userTwoModel.getTeam("git_users"));
+ assertNull(userTwoModel.getTeam("git_admins"));
+ assertNotNull(userTwoModel.getTeam("git admins"));
+ assertTrue(userTwoModel.canAdmin);
+
+ UserModel userThreeModel = auth.authenticate("UserThree", "userThreePassword".toCharArray());
+ assertNotNull(userThreeModel);
+ assertNotNull(userThreeModel.getTeam("git_users"));
+ assertNull(userThreeModel.getTeam("git_admins"));
+ assertTrue(userThreeModel.canAdmin);
+ }
+
private int countLdapUsersInUserManager() {
int ldapAccountCount = 0;
for (UserModel userModel : userManager.getAllUsers()) {
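Review bot: testAuthenticationManager asserts `assertTrue(userThreeModel.canAdmin)` while also asserting UserThree is in neither `git_admins` nor `git admins`, and UserTwo is admin via `git admins` only; nothing in the hunk shows where that privilege comes from, presumably a setting or users.conf entry outside this file section. A comment above each `assertTrue(...canAdmin)` naming the source, e.g. `// canAdmin is granted by <settings key or users.conf entry>, not by LDAP group membership`, would make the expectation reviewable. A negative case — an LDAP account that must not come out of `auth.authenticate` with admin rights — would pin the behaviour this commit is fixing; the test currently has only one failed-password check.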
diff --git a/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java b/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
index 1fe8459f..6ede8313 100644
--- a/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
+++ b/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
@@ -8,6 +8,7 @@ import org.junit.Test;
import com.gitblit.IStoredSettings;
import com.gitblit.auth.RedmineAuthProvider;
+import com.gitblit.manager.AuthenticationManager;
import com.gitblit.manager.RuntimeManager;
import com.gitblit.manager.UserManager;
import com.gitblit.models.UserModel;
@@ -19,10 +20,6 @@ public class RedmineAuthenticationTest extends GitblitUnitTest {
+ "\"last_login_on\":\"2012-09-06T23:59:26Z\",\"firstname\":\"baz\","
+ "\"id\":4,\"login\":\"RedmineUserId\",\"mail\":\"baz@example.com\"}}";
- private static final String NOT_ADMIN_JSON = "{\"user\":{\"lastname\":\"foo\","
- + "\"last_login_on\":\"2012-09-08T13:59:01Z\",\"created_on\":\"2009-03-17T14:25:50Z\","
- + "\"mail\":\"baz@example.com\",\"id\":5,\"firstname\":\"baz\"}}";
-
MemorySettings getSettings() {
return new MemorySettings(new HashMap<String, Object>());
}
@@ -38,6 +35,17 @@ public class RedmineAuthenticationTest extends GitblitUnitTest {
RedmineAuthProvider newRedmineAuthentication() {
return newRedmineAuthentication(getSettings());
}
+
+ AuthenticationManager newAuthenticationManager() {
+ RuntimeManager runtime = new RuntimeManager(getSettings(), GitBlitSuite.BASEFOLDER).start();
+ UserManager users = new UserManager(runtime).start();
+ RedmineAuthProvider redmine = new RedmineAuthProvider();
+ redmine.setup(runtime, users);
+ redmine.setTestingCurrentUserAsJson(JSON);
+ AuthenticationManager auth = new AuthenticationManager(runtime, users);
+ auth.addAuthenticationProvider(redmine);
+ return auth;
+ }
@Test
public void testAuthenticate() throws Exception {
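Review bot: newAuthenticationManager hard-codes `JSON` into the provider, so the helper cannot be reused for a non-admin or malformed-response case; taking the fixture as a parameter, `AuthenticationManager newAuthenticationManager(String currentUserJson)` with `redmine.setTestingCurrentUserAsJson(currentUserJson);`, costs nothing and keeps the door open. It also repeats the RuntimeManager/UserManager/RedmineAuthProvider wiring that `newRedmineAuthentication(IStoredSettings)` appears to perform (its body is outside the hunk, so this is inferred); if the duplication is needed so the manager and provider share one runtime, a comment saying so would help. The helper is package-private like the surrounding factories here, whereas the equivalent helpers in the htpasswd and LDAP tests of this commit are `private`; picking one visibility across the three files would be tidier.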
@@ -48,18 +56,15 @@ public class RedmineAuthenticationTest extends GitblitUnitTest {
assertThat(userModel.getDisplayName(), is("baz foo"));
assertThat(userModel.emailAddress, is("baz@example.com"));
assertNotNull(userModel.cookie);
- assertThat(userModel.canAdmin, is(true));
}
@Test
- public void testAuthenticateNotAdminUser() throws Exception {
- RedmineAuthProvider redmine = newRedmineAuthentication();
- redmine.setTestingCurrentUserAsJson(NOT_ADMIN_JSON);
- UserModel userModel = redmine.authenticate("RedmineUserId", "RedmineAPIKey".toCharArray());
- assertThat(userModel.getName(), is("redmineuserid"));
+ public void testAuthenticationManager() throws Exception {
+ AuthenticationManager auth = newAuthenticationManager();
+ UserModel userModel = auth.authenticate("RedmineAdminId", "RedmineAPIKey".toCharArray());
+ assertThat(userModel.getName(), is("redmineadminid"));
assertThat(userModel.getDisplayName(), is("baz foo"));
assertThat(userModel.emailAddress, is("baz@example.com"));
assertNotNull(userModel.cookie);
- assertThat(userModel.canAdmin, is(false));
}
}
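Review bot: The rewrite removes every `canAdmin` assertion — the `is(true)` in testAuthenticate and the entire not-admin test — so the Redmine path no longer pins what admin rights a manager-authenticated user receives, which is the property a commit titled "Fix authentication security hole" most needs a regression test for. Whichever value is now intended, `assertThat(userModel.canAdmin, is(false));` (or `is(true)` if Redmine admins are still meant to become Gitblit admins) together with a comment stating the rule would turn this into a guard; as written, a reintroduced privilege mapping would pass. The previous hunk deleted `NOT_ADMIN_JSON`, so a negative case would need that fixture restored; the class closes on the hunk's last line.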