SONAR-23078 Fix SSF-644

(cherry picked from commit 0516f003dfe1776ffa4c554f203c298dbc36ac45)

2 files changed, 18 insertions, 4 deletions

diff --git a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
index dc1311bd51a..8fba174df38 100644
--- a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
+++ b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
@@ -148,7 +148,11 @@ public class GitLabIdentityProvider implements OAuth2IdentityProvider {
   }
 
   private static boolean isAllowedGroup(String group, Set<String> allowedGroups) {
-    return allowedGroups.stream().anyMatch(group::startsWith);
+    return allowedGroups.stream().anyMatch(allowedGroup -> isExactGroupOrParentGroup(group, allowedGroup));
+  }
+
+  private static boolean isExactGroupOrParentGroup(String group, String allowedGroup) {
+    return group.equals(allowedGroup) || group.startsWith(allowedGroup + "/");
   }
 
   private Set<String> getGroups(OAuth20Service scribe, OAuth2AccessToken accessToken) {
diff --git a/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java b/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
index 4c7a432a6de..1b3b7c86f8f 100644
--- a/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
+++ b/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
@@ -174,14 +174,16 @@ public class GitLabIdentityProviderTest {
   public static Object[][] allowedGroups() {
     return new Object[][]{
       {Set.of()},
-      {Set.of("path")}
+      {Set.of("path")},
+      {Set.of("path/to/group")},
     };
   }
 
   @Test
-  public void onCallback_withGroupSyncAndAllowedGroupsNotMatching_shouldThrow() {
+  @UseDataProvider("notAllowedGroups")
+  public void onCallback_withGroupSyncAndAllowedGroupsNotMatching_shouldThrow(Set<String> notAllowedGroups) {
     when(gitLabSettings.syncUserGroups()).thenReturn(true);
-    when(gitLabSettings.allowedGroups()).thenReturn(Set.of("path2"));
+    when(gitLabSettings.allowedGroups()).thenReturn(notAllowedGroups);
 
     mockGsonUser();
     mockGitlabGroups();
@@ -191,6 +193,14 @@ public class GitLabIdentityProviderTest {
       .withMessage("You are not allowed to authenticate");
   }
 
+  @DataProvider
+  public static Object[][] notAllowedGroups() {
+    return new Object[][]{
+      {Set.of("pat")},
+      {Set.of("path2")},
+    };
+  }
+
   @Test
   public void onCallback_ifScribeFactoryFails_shouldThrow() {
     IllegalStateException exception = new IllegalStateException("message");