Diffstat (limited to 'tests')
4 files changed, 149 insertions, 2 deletions
diff --git a/tests/plugins/fake-governance-plugin/src/main/java/FakeGovernancePlugin.java b/tests/plugins/fake-governance-plugin/src/main/java/FakeGovernancePlugin.java index 9460af58547..19f6fdf68c3 100644 --- a/tests/plugins/fake-governance-plugin/src/main/java/FakeGovernancePlugin.java +++ b/tests/plugins/fake-governance-plugin/src/main/java/FakeGovernancePlugin.java @@ -1,4 +1,3 @@ - /* * SonarQube * Copyright (C) 2009-2017 SonarSource SA @@ -20,6 +19,7 @@ */ import org.sonar.api.Plugin; +import systemPasscode.SystemPasscodeWebService; import workerCount.FakeWorkerCountProviderImpl; import workerCount.RefreshWorkerCountAction; import workerlatch.LatchControllerWorkerMeasureComputer; @@ -35,6 +35,7 @@ public class FakeGovernancePlugin implements Plugin { context.addExtension(WorkerLatchMetrics.class); context.addExtension(LatchControllerWorkerMeasureComputer.class); context.addExtension(RefreshWorkerCountAction.class); + context.addExtension(SystemPasscodeWebService.class); } } diff --git a/tests/plugins/fake-governance-plugin/src/main/java/systemPasscode/SystemPasscodeWebService.java b/tests/plugins/fake-governance-plugin/src/main/java/systemPasscode/SystemPasscodeWebService.java new file mode 100644 index 00000000000..cdeadf75de0 --- /dev/null +++ b/tests/plugins/fake-governance-plugin/src/main/java/systemPasscode/SystemPasscodeWebService.java 
@@ -0,0 +1,49 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2017 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package systemPasscode;
+
+import java.net.HttpURLConnection;
+import org.sonar.api.server.ws.Request;
+import org.sonar.api.server.ws.RequestHandler;
+import org.sonar.api.server.ws.Response;
+import org.sonar.api.server.ws.WebService;
+import org.sonar.server.user.SystemPasscode;
+
+public class SystemPasscodeWebService implements WebService, RequestHandler {
+ private final SystemPasscode passcode;
+
+ public SystemPasscodeWebService(SystemPasscode passcode) {
+ this.passcode = passcode;
+ }
+
+ @Override
+ public void define(Context context) {
+ NewController controller = context.createController("api/system_passcode");
+ controller.createAction("check").setHandler(this);
+ controller.done();
+ }
+
+ @Override
+ public void handle(Request request, Response response) throws Exception {
+ if (!passcode.isValid(request)) {
+ response.stream().setStatus(HttpURLConnection.HTTP_UNAUTHORIZED);
+ }
+ }
+}
diff --git a/tests/src/test/java/org/sonarqube/tests/Category5Suite.java b/tests/src/test/java/org/sonarqube/tests/Category5Suite.java
index 298d51dcabe..951185485a8 100644
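Review bot: SystemPasscodeWebService carries no class comment marking it as a test fixture, even though its `check` action tells any anonymous caller whether the passcode they sent is valid. That is exactly what SystemPasscodeTest needs, but nothing in this handler limits attempts, so the same class registered in a shipped plugin would act as a guessing oracle for `sonar.web.systemPasscode`. I would add above the class: `/** Test-only: responds 401 when SystemPasscode#isValid rejects the request, otherwise leaves the default status. Never register outside tests/plugins. */`. The success branch of `handle` sets no status, so the 200 asserted by the test presumably comes from the framework default; a one-line comment there saying so would make that dependency explicit.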
--- a/tests/src/test/java/org/sonarqube/tests/Category5Suite.java +++ b/tests/src/test/java/org/sonarqube/tests/Category5Suite.java @@ -21,6 +21,7 @@ package org.sonarqube.tests; import org.junit.runner.RunWith; import org.junit.runners.Suite; +import org.sonarqube.tests.authorisation.SystemPasscodeTest; import org.sonarqube.tests.ce.CeShutdownTest; import org.sonarqube.tests.ce.CeWorkersTest; import org.sonarqube.tests.cluster.ClusterTest; @@ -73,7 +74,9 @@ import org.sonarqube.tests.user.UserEsResilienceTest; IssueCreationDatePluginChangedTest.class, // elasticsearch - ElasticsearchSettingsTest.class + ElasticsearchSettingsTest.class, + + SystemPasscodeTest.class }) public class Category5Suite { diff --git a/tests/src/test/java/org/sonarqube/tests/authorisation/SystemPasscodeTest.java b/tests/src/test/java/org/sonarqube/tests/authorisation/SystemPasscodeTest.java new file mode 100644 index 00000000000..32fa0cba328 --- /dev/null +++ b/tests/src/test/java/org/sonarqube/tests/authorisation/SystemPasscodeTest.java 
@@ -0,0 +1,94 @@ +/* + * SonarQube + * Copyright (C) 2009-2017 SonarSource SA + * mailto:info AT sonarsource DOT com + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 3 of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + */ +package org.sonarqube.tests.authorisation; + +import com.sonar.orchestrator.Orchestrator; +import com.sonar.orchestrator.OrchestratorBuilder; +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.sonarqube.tests.Tester; +import org.sonarqube.ws.client.GetRequest; +import org.sonarqube.ws.client.WsRequest; +import org.sonarqube.ws.client.WsResponse; + +import static org.assertj.core.api.Assertions.assertThat; +import static util.ItUtils.pluginArtifact; + +public class SystemPasscodeTest { + + private static final String VALID_PASSCODE = "123456"; + private static final String INVALID_PASSCODE = "not" + VALID_PASSCODE; + private static final String PASSCODE_HEADER = "X-Sonar-Passcode"; + + private static Orchestrator orchestrator; + + @BeforeClass + public static void setUp() throws Exception { + OrchestratorBuilder builder = Orchestrator.builderEnv() + // this privileged plugin provides the WS api/system_passcode/check + // that is used by the tests + .addPlugin(pluginArtifact("fake-governance-plugin")) + 
.setServerProperty("sonar.web.systemPasscode", VALID_PASSCODE); + orchestrator = builder.build(); + orchestrator.start(); + } + + @AfterClass + public static void stop() { + if (orchestrator != null) { + orchestrator.stop(); + } + } + + @Rule + public Tester tester = new Tester(orchestrator); + + @Test + public void system_access_is_granted_if_valid_passcode_is_sent_through_http_header() { + WsRequest request = newRequest() + .setHeader(PASSCODE_HEADER, VALID_PASSCODE); + + WsResponse response = tester.asAnonymous().wsClient().wsConnector().call(request); + assertThat(response.code()).isEqualTo(200); + } + + @Test + public void system_access_is_rejected_if_invalid_passcode_is_sent_through_http_header() { + WsRequest request = newRequest() + .setHeader(PASSCODE_HEADER, INVALID_PASSCODE); + + WsResponse response = tester.asAnonymous().wsClient().wsConnector().call(request); + assertThat(response.code()).isEqualTo(401); + } + + @Test + public void system_access_is_rejected_if_passcode_is_not_sent() { + WsRequest request = newRequest(); + + WsResponse response = tester.asAnonymous().wsClient().wsConnector().call(request); + assertThat(response.code()).isEqualTo(401); + } + + private static GetRequest newRequest() { + return new GetRequest("api/system_passcode/check"); + } +} |
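Review bot: The three tests in SystemPasscodeTest cover a valid, a wrong and an absent `X-Sonar-Passcode` header, but not a header that is present with an empty value. Empty values are a common place for a passcode comparison to go wrong, so I would pin that case at 401 as well, as sketched below. A second gap, which needs a separate Orchestrator started without `sonar.web.systemPasscode` and so may belong in a follow-up, is asserting that every request is rejected when no passcode is configured at all. The constant `"123456"` is fine for a throwaway test server; a short comment saying it is a constructed test value would prevent it being copied into real settings.

```java
// … unchanged: the three existing @Test methods …

@Test
public void system_access_is_rejected_if_empty_passcode_is_sent_through_http_header() {
  WsRequest request = newRequest()
    .setHeader(PASSCODE_HEADER, "");

  WsResponse response = tester.asAnonymous().wsClient().wsConnector().call(request);
  assertThat(response.code()).isEqualTo(401);
}

// … unchanged: newRequest() …
```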