authorJacek Poreda <jacek.poreda@sonarsource.com>2024-09-17 14:59:33 +0200
committersonartech <sonartech@sonarsource.com>2024-09-20 20:02:37 +0000
commit747d4ede9457dcf3dd0e89d080913f3e24396361 (patch)
tree7f09834ed423c2a2acaa50a00096d3cc6d6c2e1b /server/sonar-webserver-auth/src/it/java/org/sonar
parent300226052a9c81c3246472e645087580b201824e (diff)
SONAR-23070 Fix SSF-635
Diffstat (limited to 'server/sonar-webserver-auth/src/it/java/org/sonar')
-rw-r--r--server/sonar-webserver-auth/src/it/java/org/sonar/server/user/TokenUserSessionIT.java246
1 files changed, 234 insertions, 12 deletions
diff --git a/server/sonar-webserver-auth/src/it/java/org/sonar/server/user/TokenUserSessionIT.java b/server/sonar-webserver-auth/src/it/java/org/sonar/server/user/TokenUserSessionIT.java
index 8c9591c5544..fe40850c56a 100644
--- a/server/sonar-webserver-auth/src/it/java/org/sonar/server/user/TokenUserSessionIT.java
+++ b/server/sonar-webserver-auth/src/it/java/org/sonar/server/user/TokenUserSessionIT.java
@@ -19,22 +19,36 @@
*/
package org.sonar.server.user;
+import com.tngtech.java.junit.dataprovider.DataProvider;
+import com.tngtech.java.junit.dataprovider.DataProviderRunner;
+import com.tngtech.java.junit.dataprovider.UseDataProvider;
+import java.util.List;
+import java.util.Set;
import org.junit.Rule;
import org.junit.Test;
+import org.junit.runner.RunWith;
import org.sonar.api.utils.System2;
+import org.sonar.api.web.UserRole;
import org.sonar.db.DbClient;
import org.sonar.db.DbTester;
+import org.sonar.db.component.ComponentDto;
+import org.sonar.db.component.ProjectData;
import org.sonar.db.permission.GlobalPermission;
import org.sonar.db.project.ProjectDto;
import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserTokenDto;
import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.sonar.api.web.UserRole.CODEVIEWER;
import static org.sonar.api.web.UserRole.SCAN;
+import static org.sonar.api.web.UserRole.USER;
import static org.sonar.db.user.TokenType.GLOBAL_ANALYSIS_TOKEN;
import static org.sonar.db.user.TokenType.PROJECT_ANALYSIS_TOKEN;
+import static org.sonar.db.user.TokenType.PROJECT_BADGE_TOKEN;
import static org.sonar.db.user.TokenType.USER_TOKEN;
+@RunWith(DataProviderRunner.class)
public class TokenUserSessionIT {
@Rule
@@ -59,7 +73,7 @@ public class TokenUserSessionIT {
}
@Test
- public void test_hasProjectsPermission_for_UserToken() {
+ public void hasProjectsPermission_for_UserToken() {
ProjectDto project1 = db.components().insertPrivateProject().getProjectDto();
ProjectDto project2 = db.components().insertPrivateProject().getProjectDto();
@@ -74,7 +88,7 @@ public class TokenUserSessionIT {
}
@Test
- public void test_hasProjectsPermission_for_ProjecAnalysisToken() {
+ public void hasProjectsPermission_for_ProjecAnalysisToken() {
ProjectDto project1 = db.components().insertPrivateProject().getProjectDto();
ProjectDto project2 = db.components().insertPrivateProject().getProjectDto();
@@ -83,14 +97,14 @@ public class TokenUserSessionIT {
db.users().insertProjectPermissionOnUser(user, SCAN, project1);
db.users().insertProjectPermissionOnUser(user, SCAN, project2);
- TokenUserSession userSession = mockProjectAnalysisTokenUserSession(user,project1);
+ TokenUserSession userSession = mockProjectAnalysisTokenUserSession(user, project1);
assertThat(userSession.hasEntityUuidPermission(SCAN, project1.getUuid())).isTrue();
assertThat(userSession.hasEntityUuidPermission(SCAN, project2.getUuid())).isFalse();
}
@Test
- public void test_hasProjectsPermission_for_ProjectAnalysisToken_with_global_permission() {
+ public void hasProjectsPermission_for_ProjectAnalysisToken_with_global_permission() {
ProjectDto project1 = db.components().insertPrivateProject().getProjectDto();
ProjectDto project2 = db.components().insertPrivateProject().getProjectDto();
@@ -98,14 +112,14 @@ public class TokenUserSessionIT {
db.users().insertGlobalPermissionOnUser(user, GlobalPermission.SCAN);
- TokenUserSession userSession = mockProjectAnalysisTokenUserSession(user,project1);
+ TokenUserSession userSession = mockProjectAnalysisTokenUserSession(user, project1);
assertThat(userSession.hasEntityUuidPermission(SCAN, project1.getUuid())).isTrue();
assertThat(userSession.hasEntityUuidPermission(SCAN, project2.getUuid())).isFalse();
}
@Test
- public void test_hasGlobalPermission_for_UserToken() {
+ public void hasGlobalPermission_for_UserToken() {
UserDto user = db.users().insertUser();
db.users().insertGlobalPermissionOnUser(user, GlobalPermission.SCAN);
@@ -115,7 +129,7 @@ public class TokenUserSessionIT {
}
@Test
- public void test_hasGlobalPermission_for_ProjecAnalysisToken() {
+ public void hasGlobalPermission_for_ProjecAnalysisToken() {
ProjectDto project1 = db.components().insertPrivateProject().getProjectDto();
ProjectDto project2 = db.components().insertPrivateProject().getProjectDto();
@@ -126,13 +140,13 @@ public class TokenUserSessionIT {
db.users().insertGlobalPermissionOnUser(user, GlobalPermission.SCAN);
- TokenUserSession userSession = mockProjectAnalysisTokenUserSession(user,project1);
+ TokenUserSession userSession = mockProjectAnalysisTokenUserSession(user, project1);
assertThat(userSession.hasPermission(GlobalPermission.SCAN)).isFalse();
}
@Test
- public void test_hasGlobalPermission_for_GlobalAnalysisToken() {
+ public void hasGlobalPermission_for_GlobalAnalysisToken() {
ProjectDto project1 = db.components().insertPrivateProject().getProjectDto();
UserDto user = db.users().insertUser();
@@ -146,7 +160,7 @@ public class TokenUserSessionIT {
}
@Test
- public void test_hasProvisionProjectsGlobalPermission_for_GlobalAnalysisToken_returnsTrueIfUserIsGranted() {
+ public void hasProvisionProjectsGlobalPermission_for_GlobalAnalysisToken_returnsTrueIfUserIsGranted() {
UserDto user = db.users().insertUser();
db.users().insertGlobalPermissionOnUser(user, GlobalPermission.SCAN);
@@ -158,7 +172,7 @@ public class TokenUserSessionIT {
}
@Test
- public void test_hasProvisionProjectsGlobalPermission_for_GlobalAnalysisToken_returnsFalseIfUserIsNotGranted() {
+ public void hasProvisionProjectsGlobalPermission_for_GlobalAnalysisToken_returnsFalseIfUserIsNotGranted() {
UserDto user = db.users().insertUser();
db.users().insertGlobalPermissionOnUser(user, GlobalPermission.SCAN);
@@ -169,7 +183,7 @@ public class TokenUserSessionIT {
}
@Test
- public void test_hasAdministerGlobalPermission_for_GlobalAnalysisToken_returnsFalse() {
+ public void hasAdministerGlobalPermission_for_GlobalAnalysisToken_returnsFalse() {
UserDto user = db.users().insertUser();
db.users().insertGlobalPermissionOnUser(user, GlobalPermission.ADMINISTER);
@@ -179,6 +193,202 @@ public class TokenUserSessionIT {
assertThat(userSession.hasPermission(GlobalPermission.ADMINISTER)).isFalse();
}
+ @Test
+ public void keepAuthorizedEntities_shouldFilterProjects_whenGlobalAnalysisToken() {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+ ProjectData privateProjectWithoutAccess = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, USER, privateProject.getProjectDto());
+
+ Set<ProjectDto> projectDto = Set.of(publicProject.getProjectDto(), privateProject.getProjectDto());
+ List<ProjectDto> projectDtos = mockGlobalAnalysisTokenUserSession(user).keepAuthorizedEntities(USER, projectDto);
+
+ assertThat(projectDtos).containsExactlyInAnyOrder(privateProject.getProjectDto(), publicProject.getProjectDto())
+ .doesNotContain(privateProjectWithoutAccess.getProjectDto());
+ }
+
+ @Test
+ @UseDataProvider("validPermissions")
+ public void keepAuthorizedEntities_shouldFilterPrivateProjects_whenProjectAnalysisToken(String permission) {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+ ProjectData privateProjectWithoutAccess = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, permission, privateProject.getProjectDto());
+
+ Set<ProjectDto> projectDto = Set.of(publicProject.getProjectDto(), privateProject.getProjectDto());
+ List<ProjectDto> projectDtos = mockProjectAnalysisTokenUserSession(user, privateProject.getProjectDto()).keepAuthorizedEntities(permission, projectDto);
+
+ assertThat(projectDtos).containsExactly(privateProject.getProjectDto())
+ .doesNotContain(privateProjectWithoutAccess.getProjectDto());
+ }
+
+ @Test
+ public void keepAuthorizedEntities_shouldFilterPrivateProjects_whenUserToken() {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+ ProjectData privateProjectWithoutAccess = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, USER, privateProject.getProjectDto());
+
+ Set<ProjectDto> projectDto = Set.of(publicProject.getProjectDto(), privateProject.getProjectDto());
+ List<ProjectDto> projectDtos = mockTokenUserSession(user).keepAuthorizedEntities(USER, projectDto);
+
+ assertThat(projectDtos).containsExactlyInAnyOrder(privateProject.getProjectDto(), publicProject.getProjectDto())
+ .doesNotContain(privateProjectWithoutAccess.getProjectDto());
+ }
+
+ @Test
+ public void keepAuthorizedEntities_shouldFilterPrivateProjects_returnEmptyListForPermissionOtherThanScanOrBrowse() {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, CODEVIEWER, privateProject.getProjectDto());
+
+ Set<ProjectDto> projectDto = Set.of(publicProject.getProjectDto(), privateProject.getProjectDto());
+ List<ProjectDto> projectDtos = mockProjectAnalysisTokenUserSession(user, privateProject.getProjectDto()).keepAuthorizedEntities(CODEVIEWER, projectDto);
+
+ assertThat(projectDtos).isEmpty();
+ }
+
+ @Test
+ public void keepAuthorizedEntities_shouldFailForUnsupportedTokenSession() {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, USER, privateProject.getProjectDto());
+
+ Set<ProjectDto> projectDto = Set.of(publicProject.getProjectDto(), privateProject.getProjectDto());
+
+ TokenUserSession tokenUserSession = mockProjectBadgeTokenSession(user);
+ assertThatThrownBy(() -> tokenUserSession.keepAuthorizedEntities(USER, projectDto))
+ .isInstanceOf(IllegalArgumentException.class)
+ .hasMessage("Unsupported token type PROJECT_BADGE_TOKEN");
+ }
+
+ @Test
+ public void keepAuthorizedComponents_shouldFilterProjects_whenGlobalAnalysisToken() {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+ ProjectData privateProjectWithoutAccess = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, USER, privateProject.getProjectDto());
+
+ Set<ComponentDto> componentDtos = Set.of(publicProject.getMainBranchComponent(), privateProject.getMainBranchComponent());
+ List<ComponentDto> authorizedComponents = mockGlobalAnalysisTokenUserSession(user).keepAuthorizedComponents(USER, componentDtos);
+
+ assertThat(authorizedComponents).containsExactlyInAnyOrder(privateProject.getMainBranchComponent(), publicProject.getMainBranchComponent())
+ .doesNotContain(privateProjectWithoutAccess.getMainBranchComponent());
+ }
+
+ @Test
+ @UseDataProvider("validPermissions")
+ public void keepAuthorizedComponents_shouldFilterPrivateProjects_whenProjectAnalysisToken(String permission) {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+ ProjectData privateProjectWithoutAccess = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, permission, privateProject.getProjectDto());
+
+ Set<ComponentDto> componentDtos = Set.of(publicProject.getMainBranchComponent(), privateProject.getMainBranchComponent());
+ List<ComponentDto> authorizedComponents = mockProjectAnalysisTokenUserSession(user, privateProject.getProjectDto())
+ .keepAuthorizedComponents(permission, componentDtos);
+
+ assertThat(authorizedComponents).containsExactly(privateProject.getMainBranchComponent())
+ .doesNotContain(privateProjectWithoutAccess.getMainBranchComponent(), publicProject.getMainBranchComponent());
+ }
+
+ @Test
+ public void keepAuthorizedComponents_shouldFilterPrivateProjects_whenUserToken() {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+ ProjectData privateProjectWithoutAccess = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, USER, privateProject.getProjectDto());
+
+ Set<ComponentDto> componentDtos = Set.of(publicProject.getMainBranchComponent(), privateProject.getMainBranchComponent());
+ List<ComponentDto> authorizedComponents = mockTokenUserSession(user).keepAuthorizedComponents(USER, componentDtos);
+
+ assertThat(authorizedComponents).containsExactlyInAnyOrder(privateProject.getMainBranchComponent(), publicProject.getMainBranchComponent())
+ .doesNotContain(privateProjectWithoutAccess.getMainBranchComponent());
+ }
+
+ @Test
+ public void keepAuthorizedComponents_returnEmptyListForPermissionOtherThanScanOrBrowse() {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, UserRole.CODEVIEWER, privateProject.getProjectDto());
+
+ Set<ComponentDto> componentDtos = Set.of(publicProject.getMainBranchComponent(), privateProject.getMainBranchComponent());
+ List<ComponentDto> authorizedComponents = mockProjectAnalysisTokenUserSession(user, privateProject.getProjectDto())
+ .keepAuthorizedComponents(UserRole.CODEVIEWER, componentDtos);
+
+ assertThat(authorizedComponents).isEmpty();
+ }
+
+ @Test
+ public void keepAuthorizedComponents_shouldFailForUnsupportedTokenSession() {
+ UserDto user = db.users().insertUser();
+
+ ProjectData publicProject = db.components().insertPublicProject();
+ ProjectData privateProject = db.components().insertPrivateProject();
+
+ db.users().insertProjectPermissionOnUser(user, USER, privateProject.getProjectDto());
+
+ Set<ComponentDto> componentDtos = Set.of(publicProject.getMainBranchComponent(), privateProject.getMainBranchComponent());
+
+ TokenUserSession tokenUserSession = mockProjectBadgeTokenSession(user);
+ assertThatThrownBy(() -> tokenUserSession.keepAuthorizedComponents(USER, componentDtos))
+ .isInstanceOf(IllegalArgumentException.class)
+ .hasMessage("Unsupported token type PROJECT_BADGE_TOKEN");
+ }
+
+ @DataProvider
+ public static Object[][] validPermissions() {
+ return new Object[][] {
+ {USER},
+ {SCAN},
+ };
+ }
+
+ @Test
+ public void getType_shouldReturnValidTypeOfToken() {
+ UserDto user = db.users().insertUser();
+ ProjectData privateProject = db.components().insertPrivateProject();
+
+ TokenUserSession projectBadgeTokenSession = mockProjectBadgeTokenSession(user);
+ assertThat(projectBadgeTokenSession.getTokenType()).isEqualTo(PROJECT_BADGE_TOKEN);
+
+ TokenUserSession tokenUserSession = mockTokenUserSession(user);
+ assertThat(tokenUserSession.getTokenType()).isEqualTo(USER_TOKEN);
+
+ TokenUserSession projectAnalysisTokenUserSession = mockProjectAnalysisTokenUserSession(user, privateProject.getProjectDto());
+ assertThat(projectAnalysisTokenUserSession.getTokenType()).isEqualTo(PROJECT_ANALYSIS_TOKEN);
+
+ TokenUserSession globalAnalysisTokenUserSession = mockGlobalAnalysisTokenUserSession(user);
+ assertThat(globalAnalysisTokenUserSession.getTokenType()).isEqualTo(GLOBAL_ANALYSIS_TOKEN);
+ }
+
private TokenUserSession mockTokenUserSession(UserDto userDto) {
return new TokenUserSession(dbClient, userDto, mockUserTokenDto());
}
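Review bot: The `.doesNotContain(privateProjectWithoutAccess...)` assertions in the new keepAuthorizedEntities / keepAuthorizedComponents tests are tautological, because `privateProjectWithoutAccess` is never placed in the input set built with `Set.of(...)` (L146, L164, L181, L230, L248, L266), so the assertion passes even if the session filters nothing. Since these tests are the regression coverage for an authorization filter, the unauthorized project should be part of the input so the negative case is actually exercised, e.g. `Set<ProjectDto> projectDto = Set.of(publicProject.getProjectDto(), privateProject.getProjectDto(), privateProjectWithoutAccess.getProjectDto());` and the analogous `getMainBranchComponent()` triple for the component variants. With that change the `containsExactly` / `containsExactlyInAnyOrder` calls already pin the expected output, so the `doesNotContain` chains become meaningful rather than redundant. The same gap applies to the `_whenGlobalAnalysisToken`, `_whenProjectAnalysisToken` and `_whenUserToken` variants of both method families.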
@@ -191,6 +401,10 @@ public class TokenUserSessionIT {
return new TokenUserSession(dbClient, userDto, mockGlobalAnalysisTokenDto());
}
+ private TokenUserSession mockProjectBadgeTokenSession(UserDto userDto) {
+ return new TokenUserSession(dbClient, userDto, mockBadgeTokenDto());
+ }
+
private static UserTokenDto mockUserTokenDto() {
UserTokenDto userTokenDto = new UserTokenDto();
userTokenDto.setType(USER_TOKEN.name());
@@ -218,4 +432,12 @@ public class TokenUserSessionIT {
return userTokenDto;
}
+ private static UserTokenDto mockBadgeTokenDto() {
+ UserTokenDto userTokenDto = new UserTokenDto();
+ userTokenDto.setType(PROJECT_BADGE_TOKEN.name());
+ userTokenDto.setName("Badge token");
+ userTokenDto.setUserUuid("userUid");
+ return userTokenDto;
+ }
+
}