mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29003 Commits
59 Branches
Tree: 274c9faaf5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '274c9faaf5'
${ noResults }
sonarqube/server/sonar-auth-saml/src/test/java/org/sonar/auth/saml/SamlIdentityProviderTest.java

SamlIdentityProviderTest.java 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2019 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.saml;

  21. 

  22. import java.io.IOException;

  23. import java.io.InputStream;

  24. import java.nio.charset.StandardCharsets;

  25. import java.util.HashMap;

  26. import java.util.Map;

  27. import java.util.concurrent.atomic.AtomicBoolean;

  28. import javax.servlet.http.HttpServletRequest;

  29. import javax.servlet.http.HttpServletResponse;

  30. import org.junit.Rule;

  31. import org.junit.Test;

  32. import org.junit.rules.ExpectedException;

  33. import org.sonar.api.config.PropertyDefinitions;

  34. import org.sonar.api.config.internal.MapSettings;

  35. import org.sonar.api.internal.apachecommons.io.IOUtils;

  36. import org.sonar.api.server.authentication.OAuth2IdentityProvider;

  37. import org.sonar.api.server.authentication.UnauthorizedException;

  38. import org.sonar.api.server.authentication.UserIdentity;

  39. 

  40. import static org.assertj.core.api.Assertions.assertThat;

  41. import static org.mockito.ArgumentMatchers.anyString;

  42. import static org.mockito.Mockito.mock;

  43. import static org.mockito.Mockito.verify;

  44. import static org.mockito.Mockito.when;

  45. 

  46. public class SamlIdentityProviderTest {

  47. 

  48.   @Rule

  49.   public ExpectedException expectedException = ExpectedException.none();

  50. 

  51.   private MapSettings settings = new MapSettings(new PropertyDefinitions(SamlSettings.definitions()));

  52. 

  53.   private SamlIdentityProvider underTest = new SamlIdentityProvider(new SamlSettings(settings.asConfig()));

  54. 

  55.   @Test

  56.   public void check_fields() {

  57.     setSettings(true);

  58.     assertThat(underTest.getKey()).isEqualTo("saml");

  59.     assertThat(underTest.getName()).isEqualTo("SAML");

  60.     assertThat(underTest.getDisplay().getIconPath()).isEqualTo("/images/saml.png");

  61.     assertThat(underTest.getDisplay().getBackgroundColor()).isEqualTo("#444444");

  62.     assertThat(underTest.allowsUsersToSignUp()).isTrue();

  63.   }

  64. 

  65.   @Test

  66.   public void provider_name_is_provided_by_setting() {

  67.     // Default value

  68.     assertThat(underTest.getName()).isEqualTo("SAML");

  69. 

  70.     settings.setProperty("sonar.auth.saml.providerName", "My Provider");

  71.     assertThat(underTest.getName()).isEqualTo("My Provider");

  72.   }

  73. 

  74.   @Test

  75.   public void is_enabled() {

  76.     setSettings(true);

  77.     assertThat(underTest.isEnabled()).isTrue();

  78. 

  79.     setSettings(false);

  80.     assertThat(underTest.isEnabled()).isFalse();

  81.   }

  82. 

  83.   @Test

  84.   public void init() throws IOException {

  85.     setSettings(true);

  86.     DumbInitContext context = new DumbInitContext();

  87. 

  88.     underTest.init(context);

  89. 

  90.     verify(context.response).sendRedirect(anyString());

  91.     assertThat(context.generateCsrfState.get()).isTrue();

  92.   }

  93. 

  94.   @Test

  95.   public void fail_to_init_when_login_url_is_invalid() {

  96.     setSettings(true);

  97.     settings.setProperty("sonar.auth.saml.loginUrl", "invalid");

  98.     DumbInitContext context = new DumbInitContext();

  99. 

  100.     expectedException.expect(IllegalStateException.class);

  101.     expectedException.expectMessage("Fail to create Auth");

  102. 

  103.     underTest.init(context);

  104.   }

  105. 

  106.   @Test

  107.   public void callback() {

  108.     setSettings(true);

  109.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  110. 

  111.     underTest.callback(callbackContext);

  112. 

  113.     assertThat(callbackContext.redirectedToRequestedPage.get()).isTrue();

  114.     assertThat(callbackContext.userIdentity.getLogin()).isEqualTo("johndoe");

  115.     assertThat(callbackContext.verifyState.get()).isTrue();

  116.   }

  117. 

  118.   @Test

  119.   public void callback_on_full_response() {

  120.     setSettings(true);

  121.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  122. 

  123.     underTest.callback(callbackContext);

  124. 

  125.     assertThat(callbackContext.userIdentity.getLogin()).isEqualTo("johndoe");

  126.     assertThat(callbackContext.userIdentity.getName()).isEqualTo("John Doe");

  127.     assertThat(callbackContext.userIdentity.getEmail()).isEqualTo("johndoe@email.com");

  128.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("johndoe");

  129.     assertThat(callbackContext.userIdentity.getGroups()).containsExactlyInAnyOrder("developer", "product-manager");

  130.   }

  131. 

  132.   @Test

  133.   public void callback_on_minimal_response() {

  134.     setSettings(true);

  135.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_minimal_response.txt");

  136. 

  137.     underTest.callback(callbackContext);

  138. 

  139.     assertThat(callbackContext.userIdentity.getLogin()).isEqualTo("johndoe");

  140.     assertThat(callbackContext.userIdentity.getName()).isEqualTo("John Doe");

  141.     assertThat(callbackContext.userIdentity.getEmail()).isNull();

  142.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("johndoe");

  143.     assertThat(callbackContext.userIdentity.getGroups()).isEmpty();

  144.   }

  145. 

  146.   @Test

  147.   public void callback_does_not_sync_group_when_group_setting_is_not_set() {

  148.     setSettings(true);

  149.     settings.setProperty("sonar.auth.saml.group.name", (String) null);

  150.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  151. 

  152.     underTest.callback(callbackContext);

  153. 

  154.     assertThat(callbackContext.userIdentity.getLogin()).isEqualTo("johndoe");

  155.     assertThat(callbackContext.userIdentity.getGroups()).isEmpty();

  156.   }

  157. 

  158.   @Test

  159.   public void fail_to_callback_when_login_is_missing() {

  160.     setSettings(true);

  161.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_response_without_login.txt");

  162. 

  163.     expectedException.expect(NullPointerException.class);

  164.     expectedException.expectMessage("login is missing");

  165. 

  166.     underTest.callback(callbackContext);

  167.   }

  168. 

  169.   @Test

  170.   public void fail_to_callback_when_name_is_missing() {

  171.     setSettings(true);

  172.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_response_without_name.txt");

  173. 

  174.     expectedException.expect(NullPointerException.class);

  175.     expectedException.expectMessage("name is missing");

  176. 

  177.     underTest.callback(callbackContext);

  178.   }

  179. 

  180.   @Test

  181.   public void fail_to_callback_when_certificate_is_invalid() {

  182.     setSettings(true);

  183.     settings.setProperty("sonar.auth.saml.certificate.secured", "invalid");

  184.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  185. 

  186.     expectedException.expect(IllegalStateException.class);

  187.     expectedException.expectMessage("Fail to create Auth");

  188. 

  189.     underTest.callback(callbackContext);

  190.   }

  191. 

  192.   @Test

  193.   public void fail_to_callback_when_using_wrong_certificate() {

  194.     setSettings(true);

  195.     settings.setProperty("sonar.auth.saml.certificate.secured", "-----BEGIN CERTIFICATE-----\n" +

  196.       "MIIEIzCCAwugAwIBAgIUHUzPjy5E2TmnsmTRT2sIUBRXFF8wDQYJKoZIhvcNAQEF\n" +

  197.       "BQAwXDELMAkGA1UEBhMCVVMxFDASBgNVBAoMC1NvbmFyU291cmNlMRUwEwYDVQQL\n" +

  198.       "DAxPbmVMb2dpbiBJZFAxIDAeBgNVBAMMF09uZUxvZ2luIEFjY291bnQgMTMxMTkx\n" +

  199.       "MB4XDTE4MDcxOTA4NDUwNVoXDTIzMDcxOTA4NDUwNVowXDELMAkGA1UEBhMCVVMx\n" +

  200.       "FDASBgNVBAoMC1NvbmFyU291cmNlMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxIDAe\n" +

  201.       "BgNVBAMMF09uZUxvZ2luIEFjY291bnQgMTMxMTkxMIIBIjANBgkqhkiG9w0BAQEF\n" +

  202.       "AAOCAQ8AMIIBCgKCAQEArlpKHm4EkJiQyy+4GtZBixcy7fWnreB96T7cOoWLmWkK\n" +

  203.       "05FM5M/boWHZsvaNAuHsoCAMzIY3/l+55WbORzAxsloH7rvDaDrdPYQN+sU9bzsD\n" +

  204.       "ZkmDGDmA3QBSm/h/p5SiMkWU5Jg34toDdM0rmzUStIOMq6Gh/Ykx3fRRSjswy48x\n" +

  205.       "wfZLy+0wU7lasHqdfk54dVbb7mCm9J3iHZizvOt2lbtzGbP6vrrjpzvZm43ZRgP8\n" +

  206.       "FapYA8G3lczdIaG4IaLW6kYIRORd0UwI7IAwkao3uIo12rh1T6DLVyzjOs9PdIkb\n" +

  207.       "HbICN2EehB/ut3wohuPwmwp2UmqopIMVVaBSsmSlYwIDAQABo4HcMIHZMAwGA1Ud\n" +

  208.       "EwEB/wQCMAAwHQYDVR0OBBYEFAXGFMKYgtpzCpfpBUPQ1H/9AeDrMIGZBgNVHSME\n" +

  209.       "gZEwgY6AFAXGFMKYgtpzCpfpBUPQ1H/9AeDroWCkXjBcMQswCQYDVQQGEwJVUzEU\n" +

  210.       "MBIGA1UECgwLU29uYXJTb3VyY2UxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4G\n" +

  211.       "A1UEAwwXT25lTG9naW4gQWNjb3VudCAxMzExOTGCFB1Mz48uRNk5p7Jk0U9rCFAU\n" +

  212.       "VxRfMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAPHgi9IdDaTxD\n" +

  213.       "R5R8KHMdt385Uq8XC5pd0Li6y5RR2k6SKjThCt+eQU7D0Y2CyYU27vfCa2DQV4hJ\n" +

  214.       "4v4UfQv3NR/fYfkVSsNpxjBXBI3YWouxt2yg7uwdZBdgGYd37Yv3g9PdIZenjOhr\n" +

  215.       "Ck6WjdleMAWHRgJpocmB4IOESSyTfUul3jFupWnkbnn8c0ue6zwXd7LA1/yjVT2l\n" +

  216.       "Yh45+lz25aIOlyyo7OUw2TD15LIl8OOIuWRS4+UWy5+VdhXMbmpSEQH+Byod90g6\n" +

  217.       "A1bKpOFhRBzcxaZ6B2hB4SqjTBzS9zdmJyyFs/WNJxHri3aorcdqG9oUakjJJqqX\n" +

  218.       "E13skIMV2g==\n" +

  219.       "-----END CERTIFICATE-----\n");

  220.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  221. 

  222.     expectedException.expect(UnauthorizedException.class);

  223.     expectedException.expectMessage("Signature validation failed. SAML Response rejected");

  224. 

  225.     underTest.callback(callbackContext);

  226.   }

  227. 

  228.   private void setSettings(boolean enabled) {

  229.     if (enabled) {

  230.       settings.setProperty("sonar.auth.saml.applicationId", "MyApp");

  231.       settings.setProperty("sonar.auth.saml.providerId", "http://localhost:8080/auth/realms/sonarqube");

  232.       settings.setProperty("sonar.auth.saml.loginUrl", "http://localhost:8080/auth/realms/sonarqube/protocol/saml");

  233.       settings.setProperty("sonar.auth.saml.certificate.secured",

  234.         "MIICoTCCAYkCBgFksusMzTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlzb25hcnF1YmUwHhcNMTgwNzE5MTQyMDA2WhcNMjgwNzE5MTQyMTQ2WjAUMRIwEAYDVQQDDAlzb25hcnF1YmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEOth5gxpTs1f3bFGUD8hO97eMIsDZvvE3PZeKoeTRG7mOLu6rfLXphG3fE3E6/xqUhPP5p9hJl9DwgaMewhdZhfHqtOw6/SPMCQNFVNw9FQ7lprWKg8cZygYLDxhObEvCWPek8KcMb/vlKD8c8ha374O9qET51CVogDM5ropp02q0ELxoUKXqphKH4+sGXRVnDHaEsFHxse1HnciZT5mF1G45vxDItdAnWKkXYKVHC+Et52tCieqM0ygpQF1lWVJFXVOqsi03YkMu7IkWvSSfAw+uEcfmquT7FbxJ2n5gp94odAkQB0HK3fABrHr+G+n2QvWG6WwQPJTL0Ov0w+tNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACQfOrJF98nunKz6CN+YZXXMYhzQiqTD0MlzCg+Rdhir+WC/ru3Kz8omv52W/sXEMNQbEZBksVLl8W/1xeBS41Sf1nfutU560v/j3/OmOcnCw4qebqFH7nB8RL8vA4rGx430W/PeeUMikY1mSjlwhnJGiICQ3Y8I2qM6QWEr/Df2/gFCW2YnHbnS6Q/OwRQi+UFIzKklSQQa0gAnqfM4oSKU2OMhzScinWg1buMYfJSXgd4qIhPvRsZpqBsdt/OSrU2D5Y2YfSu8oIcxBRgJoERH5BV9GdOID4fS+TYw0M0QO/ORetNw1mA/8Npsy8okF8Cn7fDgbnWC8uz+/xDc14I=");

  235.       settings.setProperty("sonar.auth.saml.user.login", "login");

  236.       settings.setProperty("sonar.auth.saml.user.name", "name");

  237.       settings.setProperty("sonar.auth.saml.user.email", "email");

  238.       settings.setProperty("sonar.auth.saml.group.name", "groups");

  239.       settings.setProperty("sonar.auth.saml.enabled", true);

  240.     } else {

  241.       settings.setProperty("sonar.auth.saml.enabled", false);

  242.     }

  243.   }

  244. 

  245.   private static class DumbInitContext implements OAuth2IdentityProvider.InitContext {

  246. 

  247.     private HttpServletResponse response = mock(HttpServletResponse.class);

  248.     private final AtomicBoolean generateCsrfState = new AtomicBoolean(false);

  249. 

  250.     @Override

  251.     public String generateCsrfState() {

  252.       generateCsrfState.set(true);

  253.       return null;

  254.     }

  255. 

  256.     @Override

  257.     public void redirectTo(String url) {

  258.     }

  259. 

  260.     @Override

  261.     public String getCallbackUrl() {

  262.       return "http://localhost/oauth/callback/saml";

  263.     }

  264. 

  265.     @Override

  266.     public HttpServletRequest getRequest() {

  267.       return mock(HttpServletRequest.class);

  268.     }

  269. 

  270.     @Override

  271.     public HttpServletResponse getResponse() {

  272.       return response;

  273.     }

  274.   }

  275. 

  276.   private static class DumbCallbackContext implements OAuth2IdentityProvider.CallbackContext {

  277. 

  278.     private HttpServletResponse response = mock(HttpServletResponse.class);

  279.     private HttpServletRequest request = mock(HttpServletRequest.class);

  280. 

  281.     private final AtomicBoolean redirectedToRequestedPage = new AtomicBoolean(false);

  282.     private final AtomicBoolean verifyState = new AtomicBoolean(false);

  283. 

  284.     private UserIdentity userIdentity = null;

  285. 

  286.     public DumbCallbackContext(String encodedResponseFile) {

  287.       when(getRequest().getRequestURL()).thenReturn(new StringBuffer("http://localhost/oauth/callback/saml"));

  288.       Map<String, String[]> parameterMap = new HashMap<>();

  289.       parameterMap.put("SAMLResponse", new String[] {loadResponse(encodedResponseFile)});

  290.       when(getRequest().getParameterMap()).thenReturn(parameterMap);

  291.     }

  292. 

  293.     private String loadResponse(String file) {

  294.       try (InputStream json = getClass().getResourceAsStream("SamlIdentityProviderTest/" + file)) {

  295.         return IOUtils.toString(json, StandardCharsets.UTF_8.name());

  296.       } catch (IOException e) {

  297.         throw new IllegalStateException(e);

  298.       }

  299.     }

  300. 

  301.     @Override

  302.     public void verifyCsrfState() {

  303.       throw new IllegalStateException("This method should not be called !");

  304.     }

  305. 

  306.     @Override

  307.     public void verifyCsrfState(String parameterName) {

  308.       assertThat(parameterName).isEqualTo("RelayState");

  309.       verifyState.set(true);

  310.     }

  311. 

  312.     @Override

  313.     public void redirectToRequestedPage() {

  314.       redirectedToRequestedPage.set(true);

  315.     }

  316. 

  317.     @Override

  318.     public void authenticate(UserIdentity userIdentity) {

  319.       this.userIdentity = userIdentity;

  320.     }

  321. 

  322.     @Override

  323.     public String getCallbackUrl() {

  324.       return "http://localhost/oauth/callback/saml";

  325.     }

  326. 

  327.     @Override

  328.     public HttpServletRequest getRequest() {

  329.       return request;

  330.     }

  331. 

  332.     @Override

  333.     public HttpServletResponse getResponse() {

  334.       return response;

  335.     }

  336.   }

  337. }