mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
29543 Commits
59 Branches
Tree: 73d64c8823
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '73d64c8823'
${ noResults }
sonarqube/server/sonar-auth-saml/src/test/java/org/sonar/auth/saml/SamlIdentityProviderTest.java

SamlIdentityProviderTest.java 13KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2020 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.saml;

  21. 

  22. import java.io.IOException;

  23. import java.io.InputStream;

  24. import java.nio.charset.StandardCharsets;

  25. import java.util.HashMap;

  26. import java.util.Map;

  27. import java.util.concurrent.atomic.AtomicBoolean;

  28. import javax.servlet.http.HttpServletRequest;

  29. import javax.servlet.http.HttpServletResponse;

  30. import org.junit.Rule;

  31. import org.junit.Test;

  32. import org.junit.rules.ExpectedException;

  33. import org.sonar.api.config.PropertyDefinitions;

  34. import org.sonar.api.config.internal.MapSettings;

  35. import org.apache.commons.io.IOUtils;

  36. import org.sonar.api.server.authentication.OAuth2IdentityProvider;

  37. import org.sonar.api.server.authentication.UnauthorizedException;

  38. import org.sonar.api.server.authentication.UserIdentity;

  39. 

  40. import static org.assertj.core.api.Assertions.assertThat;

  41. import static org.mockito.ArgumentMatchers.anyString;

  42. import static org.mockito.Mockito.mock;

  43. import static org.mockito.Mockito.verify;

  44. import static org.mockito.Mockito.when;

  45. 

  46. public class SamlIdentityProviderTest {

  47. 

  48.   @Rule

  49.   public ExpectedException expectedException = ExpectedException.none();

  50. 

  51.   private MapSettings settings = new MapSettings(new PropertyDefinitions(SamlSettings.definitions()));

  52. 

  53.   private SamlIdentityProvider underTest = new SamlIdentityProvider(new SamlSettings(settings.asConfig()));

  54. 

  55.   @Test

  56.   public void check_fields() {

  57.     setSettings(true);

  58.     assertThat(underTest.getKey()).isEqualTo("saml");

  59.     assertThat(underTest.getName()).isEqualTo("SAML");

  60.     assertThat(underTest.getDisplay().getIconPath()).isEqualTo("/images/saml.png");

  61.     assertThat(underTest.getDisplay().getBackgroundColor()).isEqualTo("#444444");

  62.     assertThat(underTest.allowsUsersToSignUp()).isTrue();

  63.   }

  64. 

  65.   @Test

  66.   public void provider_name_is_provided_by_setting() {

  67.     // Default value

  68.     assertThat(underTest.getName()).isEqualTo("SAML");

  69. 

  70.     settings.setProperty("sonar.auth.saml.providerName", "My Provider");

  71.     assertThat(underTest.getName()).isEqualTo("My Provider");

  72.   }

  73. 

  74.   @Test

  75.   public void is_enabled() {

  76.     setSettings(true);

  77.     assertThat(underTest.isEnabled()).isTrue();

  78. 

  79.     setSettings(false);

  80.     assertThat(underTest.isEnabled()).isFalse();

  81.   }

  82. 

  83.   @Test

  84.   public void init() throws IOException {

  85.     setSettings(true);

  86.     DumbInitContext context = new DumbInitContext();

  87. 

  88.     underTest.init(context);

  89. 

  90.     verify(context.response).sendRedirect(anyString());

  91.     assertThat(context.generateCsrfState.get()).isTrue();

  92.   }

  93. 

  94.   @Test

  95.   public void fail_to_init_when_login_url_is_invalid() {

  96.     setSettings(true);

  97.     settings.setProperty("sonar.auth.saml.loginUrl", "invalid");

  98.     DumbInitContext context = new DumbInitContext();

  99. 

  100.     expectedException.expect(IllegalStateException.class);

  101.     expectedException.expectMessage("Fail to create Auth");

  102. 

  103.     underTest.init(context);

  104.   }

  105. 

  106.   @Test

  107.   public void callback() {

  108.     setSettings(true);

  109.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  110. 

  111.     underTest.callback(callbackContext);

  112. 

  113.     assertThat(callbackContext.redirectedToRequestedPage.get()).isTrue();

  114.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("johndoe");

  115.     assertThat(callbackContext.verifyState.get()).isTrue();

  116.   }

  117. 

  118.   @Test

  119.   public void callback_on_full_response() {

  120.     setSettings(true);

  121.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  122. 

  123.     underTest.callback(callbackContext);

  124. 

  125.     assertThat(callbackContext.userIdentity.getName()).isEqualTo("John Doe");

  126.     assertThat(callbackContext.userIdentity.getEmail()).isEqualTo("johndoe@email.com");

  127.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("johndoe");

  128.     assertThat(callbackContext.userIdentity.getGroups()).containsExactlyInAnyOrder("developer", "product-manager");

  129.   }

  130. 

  131.   @Test

  132.   public void callback_on_minimal_response() {

  133.     setSettings(true);

  134.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_minimal_response.txt");

  135. 

  136.     underTest.callback(callbackContext);

  137. 

  138.     assertThat(callbackContext.userIdentity.getName()).isEqualTo("John Doe");

  139.     assertThat(callbackContext.userIdentity.getEmail()).isNull();

  140.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("johndoe");

  141.     assertThat(callbackContext.userIdentity.getGroups()).isEmpty();

  142.   }

  143. 

  144.   @Test

  145.   public void callback_does_not_sync_group_when_group_setting_is_not_set() {

  146.     setSettings(true);

  147.     settings.setProperty("sonar.auth.saml.group.name", (String) null);

  148.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  149. 

  150.     underTest.callback(callbackContext);

  151. 

  152.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("johndoe");

  153.     assertThat(callbackContext.userIdentity.getGroups()).isEmpty();

  154.   }

  155. 

  156.   @Test

  157.   public void fail_to_callback_when_login_is_missing() {

  158.     setSettings(true);

  159.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_response_without_login.txt");

  160. 

  161.     expectedException.expect(NullPointerException.class);

  162.     expectedException.expectMessage("login is missing");

  163. 

  164.     underTest.callback(callbackContext);

  165.   }

  166. 

  167.   @Test

  168.   public void fail_to_callback_when_name_is_missing() {

  169.     setSettings(true);

  170.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_response_without_name.txt");

  171. 

  172.     expectedException.expect(NullPointerException.class);

  173.     expectedException.expectMessage("name is missing");

  174. 

  175.     underTest.callback(callbackContext);

  176.   }

  177. 

  178.   @Test

  179.   public void fail_to_callback_when_certificate_is_invalid() {

  180.     setSettings(true);

  181.     settings.setProperty("sonar.auth.saml.certificate.secured", "invalid");

  182.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  183. 

  184.     expectedException.expect(IllegalStateException.class);

  185.     expectedException.expectMessage("Fail to create Auth");

  186. 

  187.     underTest.callback(callbackContext);

  188.   }

  189. 

  190.   @Test

  191.   public void fail_to_callback_when_using_wrong_certificate() {

  192.     setSettings(true);

  193.     settings.setProperty("sonar.auth.saml.certificate.secured", "-----BEGIN CERTIFICATE-----\n" +

  194.       "MIIEIzCCAwugAwIBAgIUHUzPjy5E2TmnsmTRT2sIUBRXFF8wDQYJKoZIhvcNAQEF\n" +

  195.       "BQAwXDELMAkGA1UEBhMCVVMxFDASBgNVBAoMC1NvbmFyU291cmNlMRUwEwYDVQQL\n" +

  196.       "DAxPbmVMb2dpbiBJZFAxIDAeBgNVBAMMF09uZUxvZ2luIEFjY291bnQgMTMxMTkx\n" +

  197.       "MB4XDTE4MDcxOTA4NDUwNVoXDTIzMDcxOTA4NDUwNVowXDELMAkGA1UEBhMCVVMx\n" +

  198.       "FDASBgNVBAoMC1NvbmFyU291cmNlMRUwEwYDVQQLDAxPbmVMb2dpbiBJZFAxIDAe\n" +

  199.       "BgNVBAMMF09uZUxvZ2luIEFjY291bnQgMTMxMTkxMIIBIjANBgkqhkiG9w0BAQEF\n" +

  200.       "AAOCAQ8AMIIBCgKCAQEArlpKHm4EkJiQyy+4GtZBixcy7fWnreB96T7cOoWLmWkK\n" +

  201.       "05FM5M/boWHZsvaNAuHsoCAMzIY3/l+55WbORzAxsloH7rvDaDrdPYQN+sU9bzsD\n" +

  202.       "ZkmDGDmA3QBSm/h/p5SiMkWU5Jg34toDdM0rmzUStIOMq6Gh/Ykx3fRRSjswy48x\n" +

  203.       "wfZLy+0wU7lasHqdfk54dVbb7mCm9J3iHZizvOt2lbtzGbP6vrrjpzvZm43ZRgP8\n" +

  204.       "FapYA8G3lczdIaG4IaLW6kYIRORd0UwI7IAwkao3uIo12rh1T6DLVyzjOs9PdIkb\n" +

  205.       "HbICN2EehB/ut3wohuPwmwp2UmqopIMVVaBSsmSlYwIDAQABo4HcMIHZMAwGA1Ud\n" +

  206.       "EwEB/wQCMAAwHQYDVR0OBBYEFAXGFMKYgtpzCpfpBUPQ1H/9AeDrMIGZBgNVHSME\n" +

  207.       "gZEwgY6AFAXGFMKYgtpzCpfpBUPQ1H/9AeDroWCkXjBcMQswCQYDVQQGEwJVUzEU\n" +

  208.       "MBIGA1UECgwLU29uYXJTb3VyY2UxFTATBgNVBAsMDE9uZUxvZ2luIElkUDEgMB4G\n" +

  209.       "A1UEAwwXT25lTG9naW4gQWNjb3VudCAxMzExOTGCFB1Mz48uRNk5p7Jk0U9rCFAU\n" +

  210.       "VxRfMA4GA1UdDwEB/wQEAwIHgDANBgkqhkiG9w0BAQUFAAOCAQEAPHgi9IdDaTxD\n" +

  211.       "R5R8KHMdt385Uq8XC5pd0Li6y5RR2k6SKjThCt+eQU7D0Y2CyYU27vfCa2DQV4hJ\n" +

  212.       "4v4UfQv3NR/fYfkVSsNpxjBXBI3YWouxt2yg7uwdZBdgGYd37Yv3g9PdIZenjOhr\n" +

  213.       "Ck6WjdleMAWHRgJpocmB4IOESSyTfUul3jFupWnkbnn8c0ue6zwXd7LA1/yjVT2l\n" +

  214.       "Yh45+lz25aIOlyyo7OUw2TD15LIl8OOIuWRS4+UWy5+VdhXMbmpSEQH+Byod90g6\n" +

  215.       "A1bKpOFhRBzcxaZ6B2hB4SqjTBzS9zdmJyyFs/WNJxHri3aorcdqG9oUakjJJqqX\n" +

  216.       "E13skIMV2g==\n" +

  217.       "-----END CERTIFICATE-----\n");

  218.     DumbCallbackContext callbackContext = new DumbCallbackContext("encoded_full_response.txt");

  219. 

  220.     expectedException.expect(UnauthorizedException.class);

  221.     expectedException.expectMessage("Signature validation failed. SAML Response rejected");

  222. 

  223.     underTest.callback(callbackContext);

  224.   }

  225. 

  226.   private void setSettings(boolean enabled) {

  227.     if (enabled) {

  228.       settings.setProperty("sonar.auth.saml.applicationId", "MyApp");

  229.       settings.setProperty("sonar.auth.saml.providerId", "http://localhost:8080/auth/realms/sonarqube");

  230.       settings.setProperty("sonar.auth.saml.loginUrl", "http://localhost:8080/auth/realms/sonarqube/protocol/saml");

  231.       settings.setProperty("sonar.auth.saml.certificate.secured",

  232.         "MIICoTCCAYkCBgFksusMzTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlzb25hcnF1YmUwHhcNMTgwNzE5MTQyMDA2WhcNMjgwNzE5MTQyMTQ2WjAUMRIwEAYDVQQDDAlzb25hcnF1YmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEOth5gxpTs1f3bFGUD8hO97eMIsDZvvE3PZeKoeTRG7mOLu6rfLXphG3fE3E6/xqUhPP5p9hJl9DwgaMewhdZhfHqtOw6/SPMCQNFVNw9FQ7lprWKg8cZygYLDxhObEvCWPek8KcMb/vlKD8c8ha374O9qET51CVogDM5ropp02q0ELxoUKXqphKH4+sGXRVnDHaEsFHxse1HnciZT5mF1G45vxDItdAnWKkXYKVHC+Et52tCieqM0ygpQF1lWVJFXVOqsi03YkMu7IkWvSSfAw+uEcfmquT7FbxJ2n5gp94odAkQB0HK3fABrHr+G+n2QvWG6WwQPJTL0Ov0w+tNAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACQfOrJF98nunKz6CN+YZXXMYhzQiqTD0MlzCg+Rdhir+WC/ru3Kz8omv52W/sXEMNQbEZBksVLl8W/1xeBS41Sf1nfutU560v/j3/OmOcnCw4qebqFH7nB8RL8vA4rGx430W/PeeUMikY1mSjlwhnJGiICQ3Y8I2qM6QWEr/Df2/gFCW2YnHbnS6Q/OwRQi+UFIzKklSQQa0gAnqfM4oSKU2OMhzScinWg1buMYfJSXgd4qIhPvRsZpqBsdt/OSrU2D5Y2YfSu8oIcxBRgJoERH5BV9GdOID4fS+TYw0M0QO/ORetNw1mA/8Npsy8okF8Cn7fDgbnWC8uz+/xDc14I=");

  233.       settings.setProperty("sonar.auth.saml.user.login", "login");

  234.       settings.setProperty("sonar.auth.saml.user.name", "name");

  235.       settings.setProperty("sonar.auth.saml.user.email", "email");

  236.       settings.setProperty("sonar.auth.saml.group.name", "groups");

  237.       settings.setProperty("sonar.auth.saml.enabled", true);

  238.     } else {

  239.       settings.setProperty("sonar.auth.saml.enabled", false);

  240.     }

  241.   }

  242. 

  243.   private static class DumbInitContext implements OAuth2IdentityProvider.InitContext {

  244. 

  245.     private HttpServletResponse response = mock(HttpServletResponse.class);

  246.     private final AtomicBoolean generateCsrfState = new AtomicBoolean(false);

  247. 

  248.     @Override

  249.     public String generateCsrfState() {

  250.       generateCsrfState.set(true);

  251.       return null;

  252.     }

  253. 

  254.     @Override

  255.     public void redirectTo(String url) {

  256.     }

  257. 

  258.     @Override

  259.     public String getCallbackUrl() {

  260.       return "http://localhost/oauth/callback/saml";

  261.     }

  262. 

  263.     @Override

  264.     public HttpServletRequest getRequest() {

  265.       return mock(HttpServletRequest.class);

  266.     }

  267. 

  268.     @Override

  269.     public HttpServletResponse getResponse() {

  270.       return response;

  271.     }

  272.   }

  273. 

  274.   private static class DumbCallbackContext implements OAuth2IdentityProvider.CallbackContext {

  275. 

  276.     private HttpServletResponse response = mock(HttpServletResponse.class);

  277.     private HttpServletRequest request = mock(HttpServletRequest.class);

  278. 

  279.     private final AtomicBoolean redirectedToRequestedPage = new AtomicBoolean(false);

  280.     private final AtomicBoolean verifyState = new AtomicBoolean(false);

  281. 

  282.     private UserIdentity userIdentity = null;

  283. 

  284.     public DumbCallbackContext(String encodedResponseFile) {

  285.       when(getRequest().getRequestURL()).thenReturn(new StringBuffer("http://localhost/oauth/callback/saml"));

  286.       Map<String, String[]> parameterMap = new HashMap<>();

  287.       parameterMap.put("SAMLResponse", new String[] {loadResponse(encodedResponseFile)});

  288.       when(getRequest().getParameterMap()).thenReturn(parameterMap);

  289.     }

  290. 

  291.     private String loadResponse(String file) {

  292.       try (InputStream json = getClass().getResourceAsStream("SamlIdentityProviderTest/" + file)) {

  293.         return IOUtils.toString(json, StandardCharsets.UTF_8.name());

  294.       } catch (IOException e) {

  295.         throw new IllegalStateException(e);

  296.       }

  297.     }

  298. 

  299.     @Override

  300.     public void verifyCsrfState() {

  301.       throw new IllegalStateException("This method should not be called !");

  302.     }

  303. 

  304.     @Override

  305.     public void verifyCsrfState(String parameterName) {

  306.       assertThat(parameterName).isEqualTo("RelayState");

  307.       verifyState.set(true);

  308.     }

  309. 

  310.     @Override

  311.     public void redirectToRequestedPage() {

  312.       redirectedToRequestedPage.set(true);

  313.     }

  314. 

  315.     @Override

  316.     public void authenticate(UserIdentity userIdentity) {

  317.       this.userIdentity = userIdentity;

  318.     }

  319. 

  320.     @Override

  321.     public String getCallbackUrl() {

  322.       return "http://localhost/oauth/callback/saml";

  323.     }

  324. 

  325.     @Override

  326.     public HttpServletRequest getRequest() {

  327.       return request;

  328.     }

  329. 

  330.     @Override

  331.     public HttpServletResponse getResponse() {

  332.       return response;

  333.     }

  334.   }

  335. }