mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31580 Commits
59 Branches
Tree: 05f25e35b7
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '05f25e35b7'
${ noResults }
sonarqube/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/UserSessionInitializerTest....

UserSessionInitializerTest.java 10KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2021 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.server.authentication;

  21. 

  22. import javax.servlet.http.Cookie;

  23. import javax.servlet.http.HttpServletRequest;

  24. import javax.servlet.http.HttpServletResponse;

  25. import org.junit.Before;

  26. import org.junit.Rule;

  27. import org.junit.Test;

  28. import org.mockito.ArgumentCaptor;

  29. import org.sonar.api.config.internal.MapSettings;

  30. import org.sonar.api.server.authentication.BaseIdentityProvider;

  31. import org.sonar.api.utils.System2;

  32. import org.sonar.db.DbTester;

  33. import org.sonar.server.authentication.event.AuthenticationEvent;

  34. import org.sonar.server.authentication.event.AuthenticationEvent.Method;

  35. import org.sonar.server.authentication.event.AuthenticationEvent.Source;

  36. import org.sonar.server.authentication.event.AuthenticationException;

  37. import org.sonar.server.tester.AnonymousMockUserSession;

  38. import org.sonar.server.tester.MockUserSession;

  39. import org.sonar.server.user.ThreadLocalUserSession;

  40. import org.sonar.server.user.UserSession;

  41. 

  42. import static org.assertj.core.api.Assertions.assertThat;

  43. import static org.mockito.ArgumentMatchers.eq;

  44. import static org.mockito.Mockito.doThrow;

  45. import static org.mockito.Mockito.mock;

  46. import static org.mockito.Mockito.reset;

  47. import static org.mockito.Mockito.verify;

  48. import static org.mockito.Mockito.verifyNoMoreInteractions;

  49. import static org.mockito.Mockito.when;

  50. 

  51. public class UserSessionInitializerTest {

  52. 

  53.   @Rule

  54.   public DbTester dbTester = DbTester.create(System2.INSTANCE);

  55. 

  56.   private ThreadLocalUserSession threadLocalSession = mock(ThreadLocalUserSession.class);

  57.   private HttpServletRequest request = mock(HttpServletRequest.class);

  58.   private HttpServletResponse response = mock(HttpServletResponse.class);

  59.   private RequestAuthenticator authenticator = mock(RequestAuthenticator.class);

  60.   private AuthenticationEvent authenticationEvent = mock(AuthenticationEvent.class);

  61.   private MapSettings settings = new MapSettings();

  62.   private ArgumentCaptor<Cookie> cookieArgumentCaptor = ArgumentCaptor.forClass(Cookie.class);

  63. 

  64.   private UserSessionInitializer underTest = new UserSessionInitializer(settings.asConfig(), threadLocalSession, authenticationEvent, authenticator);

  65. 

  66.   @Before

  67.   public void setUp() {

  68.     when(request.getContextPath()).thenReturn("");

  69.     when(request.getRequestURI()).thenReturn("/measures");

  70.   }

  71. 

  72.   @Test

  73.   public void check_urls() {

  74.     assertPathIsNotIgnored("/");

  75.     assertPathIsNotIgnored("/foo");

  76.     assertPathIsNotIgnored("/api/server_id/show");

  77. 

  78.     assertPathIsIgnored("/api/authentication/login");

  79.     assertPathIsIgnored("/api/authentication/logout");

  80.     assertPathIsIgnored("/api/authentication/validate");

  81.     assertPathIsIgnored("/batch/index");

  82.     assertPathIsIgnored("/batch/file");

  83.     assertPathIsIgnored("/maintenance/index");

  84.     assertPathIsIgnored("/setup/index");

  85.     assertPathIsIgnored("/sessions/new");

  86.     assertPathIsIgnored("/sessions/logout");

  87.     assertPathIsIgnored("/sessions/unauthorized");

  88.     assertPathIsIgnored("/oauth2/callback/github");

  89.     assertPathIsIgnored("/oauth2/callback/foo");

  90.     assertPathIsIgnored("/api/system/db_migration_status");

  91.     assertPathIsIgnored("/api/system/status");

  92.     assertPathIsIgnored("/api/system/migrate_db");

  93.     assertPathIsIgnored("/api/server/version");

  94.     assertPathIsIgnored("/api/users/identity_providers");

  95.     assertPathIsIgnored("/api/l10n/index");

  96. 

  97.     // exclude project_badge url, as they can be auth. by a token as queryparam

  98.     assertPathIsIgnored("/api/project_badges/measure");

  99.     assertPathIsIgnored("/api/project_badges/quality_gate");

  100. 

  101.     // exlude passcode urls

  102.     assertPathIsIgnoredWithAnonymousAccess("/api/ce/info");

  103.     assertPathIsIgnoredWithAnonymousAccess("/api/ce/pause");

  104.     assertPathIsIgnoredWithAnonymousAccess("/api/ce/resume");

  105.     assertPathIsIgnoredWithAnonymousAccess("/api/system/health");

  106.     assertPathIsIgnoredWithAnonymousAccess("/api/system/liveness");

  107.     assertPathIsIgnoredWithAnonymousAccess("/api/monitoring/metrics");

  108. 

  109.     // exclude static resources

  110.     assertPathIsIgnored("/css/style.css");

  111.     assertPathIsIgnored("/images/logo.png");

  112.     assertPathIsIgnored("/js/jquery.js");

  113.   }

  114. 

  115.   @Test

  116.   public void return_code_401_when_not_authenticated_and_with_force_authentication() {

  117.     ArgumentCaptor<AuthenticationException> exceptionArgumentCaptor = ArgumentCaptor.forClass(AuthenticationException.class);

  118.     when(threadLocalSession.isLoggedIn()).thenReturn(false);

  119.     when(authenticator.authenticate(request, response)).thenReturn(new AnonymousMockUserSession());

  120. 

  121.     assertThat(underTest.initUserSession(request, response)).isTrue();

  122. 

  123.     verifyNoMoreInteractions(response);

  124.     verify(authenticationEvent).loginFailure(eq(request), exceptionArgumentCaptor.capture());

  125.     verifyNoMoreInteractions(threadLocalSession);

  126.     AuthenticationException authenticationException = exceptionArgumentCaptor.getValue();

  127.     assertThat(authenticationException.getSource()).isEqualTo(Source.local(Method.BASIC));

  128.     assertThat(authenticationException.getLogin()).isNull();

  129.     assertThat(authenticationException.getMessage()).isEqualTo("User must be authenticated");

  130.     assertThat(authenticationException.getPublicMessage()).isNull();

  131.   }

  132. 

  133.   @Test

  134.   public void does_not_return_code_401_when_not_authenticated_and_with_force_authentication_off() {

  135.     when(threadLocalSession.isLoggedIn()).thenReturn(false);

  136.     when(authenticator.authenticate(request, response)).thenReturn(new AnonymousMockUserSession());

  137.     settings.setProperty("sonar.forceAuthentication", false);

  138. 

  139.     assertThat(underTest.initUserSession(request, response)).isTrue();

  140. 

  141.     verifyNoMoreInteractions(response);

  142.   }

  143. 

  144.   @Test

  145.   public void return_401_and_stop_on_ws() {

  146.     when(request.getRequestURI()).thenReturn("/api/issues");

  147.     AuthenticationException authenticationException = AuthenticationException.newBuilder().setSource(Source.jwt()).setMessage("Token id hasn't been found").build();

  148.     doThrow(authenticationException).when(authenticator).authenticate(request, response);

  149. 

  150.     assertThat(underTest.initUserSession(request, response)).isFalse();

  151. 

  152.     verify(response).setStatus(401);

  153.     verify(authenticationEvent).loginFailure(request, authenticationException);

  154.     verifyNoMoreInteractions(threadLocalSession);

  155.   }

  156. 

  157.   @Test

  158.   public void return_401_and_stop_on_batch_ws() {

  159.     when(request.getRequestURI()).thenReturn("/batch/global");

  160.     doThrow(AuthenticationException.newBuilder().setSource(Source.jwt()).setMessage("Token id hasn't been found").build())

  161.       .when(authenticator).authenticate(request, response);

  162. 

  163.     assertThat(underTest.initUserSession(request, response)).isFalse();

  164. 

  165.     verify(response).setStatus(401);

  166.     verifyNoMoreInteractions(threadLocalSession);

  167.   }

  168. 

  169.   @Test

  170.   public void return_to_session_unauthorized_when_error_on_from_external_provider() throws Exception {

  171.     doThrow(AuthenticationException.newBuilder().setSource(Source.external(newBasicIdentityProvider("failing"))).setPublicMessage("Token id hasn't been found").build())

  172.       .when(authenticator).authenticate(request, response);

  173. 

  174.     assertThat(underTest.initUserSession(request, response)).isFalse();

  175. 

  176.     verify(response).sendRedirect("/sessions/unauthorized");

  177.     verify(response).addCookie(cookieArgumentCaptor.capture());

  178.     Cookie cookie = cookieArgumentCaptor.getValue();

  179.     assertThat(cookie.getName()).isEqualTo("AUTHENTICATION-ERROR");

  180.     assertThat(cookie.getValue()).isEqualTo("Token%20id%20hasn%27t%20been%20found");

  181.     assertThat(cookie.getPath()).isEqualTo("/");

  182.     assertThat(cookie.isHttpOnly()).isFalse();

  183.     assertThat(cookie.getMaxAge()).isEqualTo(300);

  184.     assertThat(cookie.getSecure()).isFalse();

  185.   }

  186. 

  187.   @Test

  188.   public void return_to_session_unauthorized_when_error_on_from_external_provider_with_context_path() throws Exception {

  189.     when(request.getContextPath()).thenReturn("/sonarqube");

  190.     doThrow(AuthenticationException.newBuilder().setSource(Source.external(newBasicIdentityProvider("failing"))).setPublicMessage("Token id hasn't been found").build())

  191.       .when(authenticator).authenticate(request, response);

  192. 

  193.     assertThat(underTest.initUserSession(request, response)).isFalse();

  194. 

  195.     verify(response).sendRedirect("/sonarqube/sessions/unauthorized");

  196.   }

  197. 

  198.   private void assertPathIsIgnored(String path) {

  199.     when(request.getRequestURI()).thenReturn(path);

  200. 

  201.     assertThat(underTest.initUserSession(request, response)).isTrue();

  202. 

  203.     verifyNoMoreInteractions(threadLocalSession, authenticator);

  204.     reset(threadLocalSession, authenticator);

  205.   }

  206. 

  207.   private void assertPathIsIgnoredWithAnonymousAccess(String path) {

  208.     when(request.getRequestURI()).thenReturn(path);

  209.     UserSession session = new AnonymousMockUserSession();

  210.     when(authenticator.authenticate(request, response)).thenReturn(session);

  211. 

  212.     assertThat(underTest.initUserSession(request, response)).isTrue();

  213. 

  214.     verify(threadLocalSession).set(session);

  215.     reset(threadLocalSession, authenticator);

  216.   }

  217. 

  218.   private void assertPathIsNotIgnored(String path) {

  219.     when(request.getRequestURI()).thenReturn(path);

  220.     UserSession session = new MockUserSession("foo");

  221.     when(authenticator.authenticate(request, response)).thenReturn(session);

  222. 

  223.     assertThat(underTest.initUserSession(request, response)).isTrue();

  224. 

  225.     verify(threadLocalSession).set(session);

  226.     reset(threadLocalSession, authenticator);

  227.   }

  228. 

  229.   private static BaseIdentityProvider newBasicIdentityProvider(String name) {

  230.     BaseIdentityProvider mock = mock(BaseIdentityProvider.class);

  231.     when(mock.getName()).thenReturn(name);

  232.     return mock;

  233.   }

  234. }