mirrors
/
sonarqube
mirror of https://github.com/SonarSource/sonarqube.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 237 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31537 Commits
59 Branches
Tree: a3d88ea27c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a3d88ea27c'
${ noResults }
sonarqube/server/sonar-auth-github/src/test/java/org/sonar/auth/github/IntegrationTest.java

IntegrationTest.java 18KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450 
  1. /*

  2.  * SonarQube

  3.  * Copyright (C) 2009-2021 SonarSource SA

  4.  * mailto:info AT sonarsource DOT com

  5.  *

  6.  * This program is free software; you can redistribute it and/or

  7.  * modify it under the terms of the GNU Lesser General Public

  8.  * License as published by the Free Software Foundation; either

  9.  * version 3 of the License, or (at your option) any later version.

  10.  *

  11.  * This program is distributed in the hope that it will be useful,

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  14.  * Lesser General Public License for more details.

  15.  *

  16.  * You should have received a copy of the GNU Lesser General Public License

  17.  * along with this program; if not, write to the Free Software Foundation,

  18.  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

  19.  */

  20. package org.sonar.auth.github;

  21. 

  22. import java.io.IOException;

  23. import java.net.URLEncoder;

  24. import java.nio.charset.StandardCharsets;

  25. import java.util.TreeSet;

  26. import java.util.concurrent.atomic.AtomicBoolean;

  27. import javax.servlet.http.HttpServletRequest;

  28. import javax.servlet.http.HttpServletResponse;

  29. import okhttp3.mockwebserver.MockResponse;

  30. import okhttp3.mockwebserver.MockWebServer;

  31. import okhttp3.mockwebserver.RecordedRequest;

  32. import org.junit.Before;

  33. import org.junit.Rule;

  34. import org.junit.Test;

  35. import org.sonar.api.config.PropertyDefinitions;

  36. import org.sonar.api.config.internal.MapSettings;

  37. import org.sonar.api.server.authentication.OAuth2IdentityProvider;

  38. import org.sonar.api.server.authentication.UnauthorizedException;

  39. import org.sonar.api.server.authentication.UserIdentity;

  40. import org.sonar.api.utils.System2;

  41. 

  42. import static java.lang.String.format;

  43. import static org.assertj.core.api.Assertions.assertThat;

  44. import static org.assertj.core.api.Assertions.fail;

  45. import static org.mockito.Mockito.mock;

  46. import static org.mockito.Mockito.when;

  47. 

  48. public class IntegrationTest {

  49. 

  50.   private static final String CALLBACK_URL = "http://localhost/oauth/callback/github";

  51. 

  52.   @Rule

  53.   public MockWebServer github = new MockWebServer();

  54. 

  55.   // load settings with default values

  56.   private MapSettings settings = new MapSettings(new PropertyDefinitions(System2.INSTANCE, GitHubSettings.definitions()));

  57.   private GitHubSettings gitHubSettings = new GitHubSettings(settings.asConfig());

  58.   private UserIdentityFactoryImpl userIdentityFactory = new UserIdentityFactoryImpl();

  59.   private ScribeGitHubApi scribeApi = new ScribeGitHubApi(gitHubSettings);

  60.   private GitHubRestClient gitHubRestClient = new GitHubRestClient(gitHubSettings);

  61. 

  62.   private String gitHubUrl;

  63. 

  64.   private GitHubIdentityProvider underTest = new GitHubIdentityProvider(gitHubSettings, userIdentityFactory, scribeApi, gitHubRestClient);

  65. 

  66.   @Before

  67.   public void enable() {

  68.     gitHubUrl = format("http://%s:%d", github.getHostName(), github.getPort());

  69.     settings.setProperty("sonar.auth.github.clientId.secured", "the_id");

  70.     settings.setProperty("sonar.auth.github.clientSecret.secured", "the_secret");

  71.     settings.setProperty("sonar.auth.github.enabled", true);

  72.     settings.setProperty("sonar.auth.github.apiUrl", gitHubUrl);

  73.     settings.setProperty("sonar.auth.github.webUrl", gitHubUrl);

  74.   }

  75. 

  76.   /**

  77.    * First phase: SonarQube redirects browser to GitHub authentication form, requesting the

  78.    * minimal access rights ("scope") to get user profile (login, name, email and others).

  79.    */

  80.   @Test

  81.   public void redirect_browser_to_github_authentication_form() throws Exception {

  82.     DumbInitContext context = new DumbInitContext("the-csrf-state");

  83.     underTest.init(context);

  84. 

  85.     assertThat(context.redirectedTo).isEqualTo(

  86.       gitHubSettings.webURL() +

  87.         "login/oauth/authorize" +

  88.         "?response_type=code" +

  89.         "&client_id=the_id" +

  90.         "&redirect_uri=" + URLEncoder.encode(CALLBACK_URL, StandardCharsets.UTF_8.name()) +

  91.         "&scope=" + URLEncoder.encode("user:email", StandardCharsets.UTF_8.name()) +

  92.         "&state=the-csrf-state");

  93.   }

  94. 

  95.   /**

  96.    * Second phase: GitHub redirects browser to SonarQube at /oauth/callback/github?code={the verifier code}.

  97.    * This SonarQube web service sends two requests to GitHub:

  98.    * <ul>

  99.    *   <li>get an access token</li>

  100.    *   <li>get the profile of the authenticated user</li>

  101.    * </ul>

  102.    */

  103.   @Test

  104.   public void callback_on_successful_authentication() throws IOException, InterruptedException {

  105.     github.enqueue(newSuccessfulAccessTokenResponse());

  106.     // response of api.github.com/user

  107.     github.enqueue(new MockResponse().setBody("{\"id\":\"ABCD\", \"login\":\"octocat\", \"name\":\"monalisa octocat\",\"email\":\"octocat@github.com\"}"));

  108. 

  109.     HttpServletRequest request = newRequest("the-verifier-code");

  110.     DumbCallbackContext callbackContext = new DumbCallbackContext(request);

  111.     underTest.callback(callbackContext);

  112. 

  113.     assertThat(callbackContext.csrfStateVerified.get()).isTrue();

  114.     assertThat(callbackContext.userIdentity.getProviderId()).isEqualTo("ABCD");

  115.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("octocat");

  116.     assertThat(callbackContext.userIdentity.getName()).isEqualTo("monalisa octocat");

  117.     assertThat(callbackContext.userIdentity.getEmail()).isEqualTo("octocat@github.com");

  118.     assertThat(callbackContext.redirectedToRequestedPage.get()).isTrue();

  119. 

  120.     // Verify the requests sent to GitHub

  121.     RecordedRequest accessTokenGitHubRequest = github.takeRequest();

  122.     assertThat(accessTokenGitHubRequest.getMethod()).isEqualTo("POST");

  123.     assertThat(accessTokenGitHubRequest.getPath()).isEqualTo("/login/oauth/access_token");

  124.     assertThat(accessTokenGitHubRequest.getBody().readUtf8()).isEqualTo(

  125.       "code=the-verifier-code" +

  126.         "&redirect_uri=" + URLEncoder.encode(CALLBACK_URL, StandardCharsets.UTF_8.name()) +

  127.         "&grant_type=authorization_code");

  128. 

  129.     RecordedRequest profileGitHubRequest = github.takeRequest();

  130.     assertThat(profileGitHubRequest.getMethod()).isEqualTo("GET");

  131.     assertThat(profileGitHubRequest.getPath()).isEqualTo("/user");

  132.   }

  133. 

  134.   @Test

  135.   public void should_retrieve_private_primary_verified_email_address() {

  136.     github.enqueue(newSuccessfulAccessTokenResponse());

  137.     // response of api.github.com/user

  138.     github.enqueue(new MockResponse().setBody("{\"id\":\"ABCD\", \"login\":\"octocat\", \"name\":\"monalisa octocat\",\"email\":null}"));

  139.     // response of api.github.com/user/emails

  140.     github.enqueue(new MockResponse().setBody(

  141.       "[\n" +

  142.         "  {\n" +

  143.         "    \"email\": \"support@github.com\",\n" +

  144.         "    \"verified\": false,\n" +

  145.         "    \"primary\": false\n" +

  146.         "  },\n" +

  147.         "  {\n" +

  148.         "    \"email\": \"octocat@github.com\",\n" +

  149.         "    \"verified\": true,\n" +

  150.         "    \"primary\": true\n" +

  151.         "  },\n" +

  152.         "]"));

  153. 

  154.     HttpServletRequest request = newRequest("the-verifier-code");

  155.     DumbCallbackContext callbackContext = new DumbCallbackContext(request);

  156.     underTest.callback(callbackContext);

  157. 

  158.     assertThat(callbackContext.csrfStateVerified.get()).isTrue();

  159.     assertThat(callbackContext.userIdentity.getProviderId()).isEqualTo("ABCD");

  160.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("octocat");

  161.     assertThat(callbackContext.userIdentity.getName()).isEqualTo("monalisa octocat");

  162.     assertThat(callbackContext.userIdentity.getEmail()).isEqualTo("octocat@github.com");

  163.     assertThat(callbackContext.redirectedToRequestedPage.get()).isTrue();

  164.   }

  165. 

  166.   @Test

  167.   public void should_not_fail_if_no_email() {

  168.     github.enqueue(newSuccessfulAccessTokenResponse());

  169.     // response of api.github.com/user

  170.     github.enqueue(new MockResponse().setBody("{\"id\":\"ABCD\", \"login\":\"octocat\", \"name\":\"monalisa octocat\",\"email\":null}"));

  171.     // response of api.github.com/user/emails

  172.     github.enqueue(new MockResponse().setBody("[]"));

  173. 

  174.     HttpServletRequest request = newRequest("the-verifier-code");

  175.     DumbCallbackContext callbackContext = new DumbCallbackContext(request);

  176.     underTest.callback(callbackContext);

  177. 

  178.     assertThat(callbackContext.csrfStateVerified.get()).isTrue();

  179.     assertThat(callbackContext.userIdentity.getProviderId()).isEqualTo("ABCD");

  180.     assertThat(callbackContext.userIdentity.getProviderLogin()).isEqualTo("octocat");

  181.     assertThat(callbackContext.userIdentity.getName()).isEqualTo("monalisa octocat");

  182.     assertThat(callbackContext.userIdentity.getEmail()).isNull();

  183.     assertThat(callbackContext.redirectedToRequestedPage.get()).isTrue();

  184.   }

  185. 

  186.   @Test

  187.   public void redirect_browser_to_github_authentication_form_with_group_sync() throws Exception {

  188.     settings.setProperty("sonar.auth.github.groupsSync", true);

  189.     DumbInitContext context = new DumbInitContext("the-csrf-state");

  190.     underTest.init(context);

  191.     assertThat(context.redirectedTo).isEqualTo(

  192.       gitHubSettings.webURL() +

  193.         "login/oauth/authorize" +

  194.         "?response_type=code" +

  195.         "&client_id=the_id" +

  196.         "&redirect_uri=" + URLEncoder.encode(CALLBACK_URL, StandardCharsets.UTF_8.name()) +

  197.         "&scope=" + URLEncoder.encode("user:email,read:org", StandardCharsets.UTF_8.name()) +

  198.         "&state=the-csrf-state");

  199.   }

  200. 

  201.   @Test

  202.   public void callback_on_successful_authentication_with_group_sync() {

  203.     settings.setProperty("sonar.auth.github.groupsSync", true);

  204. 

  205.     github.enqueue(newSuccessfulAccessTokenResponse());

  206.     // response of api.github.com/user

  207.     github.enqueue(new MockResponse().setBody("{\"id\":\"ABCD\", \"login\":\"octocat\", \"name\":\"monalisa octocat\",\"email\":\"octocat@github.com\"}"));

  208.     // response of api.github.com/user/teams

  209.     github.enqueue(new MockResponse().setBody("[\n" +

  210.       "  {\n" +

  211.       "    \"slug\": \"developers\",\n" +

  212.       "    \"organization\": {\n" +

  213.       "      \"login\": \"SonarSource\"\n" +

  214.       "    }\n" +

  215.       "  }\n" +

  216.       "]"));

  217. 

  218.     HttpServletRequest request = newRequest("the-verifier-code");

  219.     DumbCallbackContext callbackContext = new DumbCallbackContext(request);

  220.     underTest.callback(callbackContext);

  221. 

  222.     assertThat(callbackContext.userIdentity.getGroups()).containsOnly("SonarSource/developers");

  223.   }

  224. 

  225.   @Test

  226.   public void callback_on_successful_authentication_with_group_sync_on_many_pages() {

  227.     settings.setProperty("sonar.auth.github.groupsSync", true);

  228. 

  229.     github.enqueue(newSuccessfulAccessTokenResponse());

  230.     // response of api.github.com/user

  231.     github.enqueue(new MockResponse().setBody("{\"id\":\"ABCD\", \"login\":\"octocat\", \"name\":\"monalisa octocat\",\"email\":\"octocat@github.com\"}"));

  232.     // responses of api.github.com/user/teams

  233.     github.enqueue(new MockResponse()

  234.       .setHeader("Link", "<" + gitHubUrl + "/user/teams?per_page=100&page=2>; rel=\"next\", <" + gitHubUrl + "/user/teams?per_page=100&page=2>; rel=\"last\"")

  235.       .setBody("[\n" +

  236.         "  {\n" +

  237.         "    \"slug\": \"developers\",\n" +

  238.         "    \"organization\": {\n" +

  239.         "      \"login\": \"SonarSource\"\n" +

  240.         "    }\n" +

  241.         "  }\n" +

  242.         "]"));

  243.     github.enqueue(new MockResponse()

  244.       .setHeader("Link", "<" + gitHubUrl + "/user/teams?per_page=100&page=1>; rel=\"prev\", <" + gitHubUrl + "/user/teams?per_page=100&page=1>; rel=\"first\"")

  245.       .setBody("[\n" +

  246.         "  {\n" +

  247.         "    \"slug\": \"sonarsource-developers\",\n" +

  248.         "    \"organization\": {\n" +

  249.         "      \"login\": \"SonarQubeCommunity\"\n" +

  250.         "    }\n" +

  251.         "  }\n" +

  252.         "]"));

  253. 

  254.     HttpServletRequest request = newRequest("the-verifier-code");

  255.     DumbCallbackContext callbackContext = new DumbCallbackContext(request);

  256.     underTest.callback(callbackContext);

  257. 

  258.     assertThat(new TreeSet<>(callbackContext.userIdentity.getGroups())).containsOnly("SonarQubeCommunity/sonarsource-developers", "SonarSource/developers");

  259.   }

  260. 

  261.   @Test

  262.   public void redirect_browser_to_github_authentication_form_with_organizations() throws Exception {

  263.     settings.setProperty("sonar.auth.github.organizations", "example0, example1");

  264.     DumbInitContext context = new DumbInitContext("the-csrf-state");

  265.     underTest.init(context);

  266.     assertThat(context.redirectedTo).isEqualTo(

  267.       gitHubSettings.webURL() +

  268.         "login/oauth/authorize" +

  269.         "?response_type=code" +

  270.         "&client_id=the_id" +

  271.         "&redirect_uri=" + URLEncoder.encode(CALLBACK_URL, StandardCharsets.UTF_8.name()) +

  272.         "&scope=" + URLEncoder.encode("user:email,read:org", StandardCharsets.UTF_8.name()) +

  273.         "&state=the-csrf-state");

  274.   }

  275. 

  276.   @Test

  277.   public void callback_on_successful_authentication_with_organizations_with_membership() {

  278.     settings.setProperty("sonar.auth.github.organizations", "example0, example1");

  279. 

  280.     github.enqueue(newSuccessfulAccessTokenResponse());

  281.     // response of api.github.com/user

  282.     github.enqueue(new MockResponse().setBody("{\"id\":\"ABCD\", \"login\":\"octocat\", \"name\":\"monalisa octocat\",\"email\":\"octocat@github.com\"}"));

  283.     // response of api.github.com/orgs/example0/members/user

  284.     github.enqueue(new MockResponse().setResponseCode(204));

  285. 

  286.     HttpServletRequest request = newRequest("the-verifier-code");

  287.     DumbCallbackContext callbackContext = new DumbCallbackContext(request);

  288.     underTest.callback(callbackContext);

  289. 

  290.     assertThat(callbackContext.csrfStateVerified.get()).isTrue();

  291.     assertThat(callbackContext.userIdentity).isNotNull();

  292.     assertThat(callbackContext.redirectedToRequestedPage.get()).isTrue();

  293.   }

  294. 

  295.   @Test

  296.   public void callback_on_successful_authentication_with_organizations_without_membership() {

  297.     settings.setProperty("sonar.auth.github.organizations", "first_org,second_org");

  298. 

  299.     github.enqueue(newSuccessfulAccessTokenResponse());

  300.     // response of api.github.com/user

  301.     github.enqueue(new MockResponse().setBody("{\"id\":\"ABCD\", \"login\":\"octocat\", \"name\":\"monalisa octocat\",\"email\":\"octocat@github.com\"}"));

  302.     // response of api.github.com/orgs/first_org/members/user

  303.     github.enqueue(new MockResponse().setResponseCode(404).setBody("{}"));

  304.     // response of api.github.com/orgs/second_org/members/user

  305.     github.enqueue(new MockResponse().setResponseCode(404).setBody("{}"));

  306. 

  307.     HttpServletRequest request = newRequest("the-verifier-code");

  308.     DumbCallbackContext callbackContext = new DumbCallbackContext(request);

  309.     try {

  310.       underTest.callback(callbackContext);

  311.       fail("exception expected");

  312.     } catch (UnauthorizedException e) {

  313.       assertThat(e.getMessage()).isEqualTo("'octocat' must be a member of at least one organization: 'first_org', 'second_org'");

  314.     }

  315.   }

  316. 

  317.   @Test

  318.   public void callback_throws_ISE_if_error_when_requesting_user_profile() {

  319.     github.enqueue(newSuccessfulAccessTokenResponse());

  320.     // api.github.com/user crashes

  321.     github.enqueue(new MockResponse().setResponseCode(500).setBody("{error}"));

  322. 

  323.     DumbCallbackContext callbackContext = new DumbCallbackContext(newRequest("the-verifier-code"));

  324.     try {

  325.       underTest.callback(callbackContext);

  326.       fail("exception expected");

  327.     } catch (IllegalStateException e) {

  328.       assertThat(e.getMessage()).isEqualTo("Fail to execute request '" + gitHubSettings.apiURL() + "user'. HTTP code: 500, response: {error}");

  329.     }

  330. 

  331.     assertThat(callbackContext.csrfStateVerified.get()).isTrue();

  332.     assertThat(callbackContext.userIdentity).isNull();

  333.     assertThat(callbackContext.redirectedToRequestedPage.get()).isFalse();

  334.   }

  335. 

  336.   @Test

  337.   public void callback_throws_ISE_if_error_when_checking_membership() {

  338.     settings.setProperty("sonar.auth.github.organizations", "example");

  339. 

  340.     github.enqueue(newSuccessfulAccessTokenResponse());

  341.     // response of api.github.com/user

  342.     github.enqueue(new MockResponse().setBody("{\"id\":\"ABCD\", \"login\":\"octocat\", \"name\":\"monalisa octocat\",\"email\":\"octocat@github.com\"}"));

  343.     // crash of api.github.com/orgs/example/members/user

  344.     github.enqueue(new MockResponse().setResponseCode(500).setBody("{error}"));

  345. 

  346.     HttpServletRequest request = newRequest("the-verifier-code");

  347.     DumbCallbackContext callbackContext = new DumbCallbackContext(request);

  348.     try {

  349.       underTest.callback(callbackContext);

  350.       fail("exception expected");

  351.     } catch (IllegalStateException e) {

  352.       assertThat(e.getMessage()).isEqualTo("Fail to execute request '" + gitHubSettings.apiURL() + "orgs/example/members/octocat'. HTTP code: 500, response: {error}");

  353.     }

  354.   }

  355. 

  356.   /**

  357.    * Response sent by GitHub to SonarQube when generating an access token

  358.    */

  359.   private static MockResponse newSuccessfulAccessTokenResponse() {

  360.     // github does not return the standard JSON format but plain-text

  361.     // see https://developer.github.com/v3/oauth/

  362.     return new MockResponse().setBody("access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&scope=user%2Cgist&token_type=bearer");

  363.   }

  364. 

  365.   private static HttpServletRequest newRequest(String verifierCode) {

  366.     HttpServletRequest request = mock(HttpServletRequest.class);

  367.     when(request.getParameter("code")).thenReturn(verifierCode);

  368.     return request;

  369.   }

  370. 

  371.   private static class DumbCallbackContext implements OAuth2IdentityProvider.CallbackContext {

  372.     final HttpServletRequest request;

  373.     final AtomicBoolean csrfStateVerified = new AtomicBoolean(false);

  374.     final AtomicBoolean redirectedToRequestedPage = new AtomicBoolean(false);

  375.     UserIdentity userIdentity = null;

  376. 

  377.     public DumbCallbackContext(HttpServletRequest request) {

  378.       this.request = request;

  379.     }

  380. 

  381.     @Override

  382.     public void verifyCsrfState() {

  383.       this.csrfStateVerified.set(true);

  384.     }

  385. 

  386.     @Override

  387.     public void verifyCsrfState(String parameterName) {

  388.       throw new UnsupportedOperationException("not used");

  389.     }

  390. 

  391.     @Override

  392.     public void redirectToRequestedPage() {

  393.       redirectedToRequestedPage.set(true);

  394.     }

  395. 

  396.     @Override

  397.     public void authenticate(UserIdentity userIdentity) {

  398.       this.userIdentity = userIdentity;

  399.     }

  400. 

  401.     @Override

  402.     public String getCallbackUrl() {

  403.       return CALLBACK_URL;

  404.     }

  405. 

  406.     @Override

  407.     public HttpServletRequest getRequest() {

  408.       return request;

  409.     }

  410. 

  411.     @Override

  412.     public HttpServletResponse getResponse() {

  413.       throw new UnsupportedOperationException("not used");

  414.     }

  415.   }

  416. 

  417.   private static class DumbInitContext implements OAuth2IdentityProvider.InitContext {

  418.     String redirectedTo = null;

  419.     private final String generatedCsrfState;

  420. 

  421.     public DumbInitContext(String generatedCsrfState) {

  422.       this.generatedCsrfState = generatedCsrfState;

  423.     }

  424. 

  425.     @Override

  426.     public String generateCsrfState() {

  427.       return generatedCsrfState;

  428.     }

  429. 

  430.     @Override

  431.     public void redirectTo(String url) {

  432.       this.redirectedTo = url;

  433.     }

  434. 

  435.     @Override

  436.     public String getCallbackUrl() {

  437.       return CALLBACK_URL;

  438.     }

  439. 

  440.     @Override

  441.     public HttpServletRequest getRequest() {

  442.       return null;

  443.     }

  444. 

  445.     @Override

  446.     public HttpServletResponse getResponse() {

  447.       return null;

  448.     }

  449.   }

  450. }