From e61a5bcaba82f2c256f3745cb2dc9fdaf0a0c2b2 Mon Sep 17 00:00:00 2001
From: Nolwenn Cadic <98824442+nolwenn-cadic-sonarsource@users.noreply.github.com>
Date: Wed, 18 Sep 2024 15:31:27 +0200
Subject: SONAR-23078 Fix SSF-644

(cherry picked from commit 0516f003dfe1776ffa4c554f203c298dbc36ac45)
---
 .../org/sonar/auth/gitlab/GitLabIdentityProvider.java | 6 +++++-
 .../sonar/auth/gitlab/GitLabIdentityProviderTest.java | 16 +++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
index dc1311bd51a..8fba174df38 100644
--- a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
+++ b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
@@ -148,7 +148,11 @@ public class GitLabIdentityProvider implements OAuth2IdentityProvider {
   }
 
   private static boolean isAllowedGroup(String group, Set allowedGroups) {
-    return allowedGroups.stream().anyMatch(group::startsWith);
+    return allowedGroups.stream().anyMatch(allowedGroup -> isExactGroupOrParentGroup(group, allowedGroup));
+  }
+
+  private static boolean isExactGroupOrParentGroup(String group, String allowedGroup) {
+    return group.equals(allowedGroup) || group.startsWith(allowedGroup + "/");
   }
 
   private Set getGroups(OAuth20Service scribe, OAuth2AccessToken accessToken) {
diff --git a/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java b/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
index 4c7a432a6de..1b3b7c86f8f 100644
--- a/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
+++ b/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
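Review bot: `isExactGroupOrParentGroup` is the line that closes the prefix-matching hole, but nothing in the code records what the boundary is, so a later refactor could reintroduce a bare `startsWith` without anyone noticing; a Javadoc such as `/** True when {@code group} is {@code allowedGroup} itself or lies below it in the GitLab path hierarchy; a sibling that merely shares a prefix (e.g. "path2" for an allowed "path") must not match. */` would pin the intent. The check is fail-closed for a configured value with a trailing slash (`"path/"` satisfies neither `equals` nor `startsWith("path//")`), so either the settings layer should strip trailing slashes or the comment should state that allowed groups are expected as bare full paths; whether `allowedGroups()` already normalises them is outside this hunk. The comparison is case-sensitive, which is presumably what the GitLab full path requires, but worth confirming against the value `getGroups` returns. The enclosing class continues outside the hunk.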
@@ -174,14 +174,16 @@ public class GitLabIdentityProviderTest {
   public static Object[][] allowedGroups() {
     return new Object[][]{
       {Set.of()},
-      {Set.of("path")}
+      {Set.of("path")},
+      {Set.of("path/to/group")},
     };
   }
 
   @Test
-  public void onCallback_withGroupSyncAndAllowedGroupsNotMatching_shouldThrow() {
+  @UseDataProvider("notAllowedGroups")
+  public void onCallback_withGroupSyncAndAllowedGroupsNotMatching_shouldThrow(Set notAllowedGroups) {
     when(gitLabSettings.syncUserGroups()).thenReturn(true);
-    when(gitLabSettings.allowedGroups()).thenReturn(Set.of("path2"));
+    when(gitLabSettings.allowedGroups()).thenReturn(notAllowedGroups);
     mockGsonUser();
     mockGitlabGroups();
 
@@ -191,6 +193,14 @@ public class GitLabIdentityProviderTest {
       .withMessage("You are not allowed to authenticate");
   }
 
+  @DataProvider
+  public static Object[][] notAllowedGroups() {
+    return new Object[][]{
+      {Set.of("pat")},
+      {Set.of("path2")},
+    };
+  }
+
   @Test
   public void onCallback_ifScribeFactoryFails_shouldThrow() {
     IllegalStateException exception = new IllegalStateException("message");
-- 
cgit v1.2.3
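Review bot: `notAllowedGroups` exercises a shorter prefix (`"pat"`) and a sibling (`"path2"`) but not the inverse direction, where the configured group sits below the user's group; `isExactGroupOrParentGroup` must reject that too, and it is the case a future `contains`-style regression would silently pass. Assuming `mockGitlabGroups()` (defined outside the hunk) returns a group such as `"path/to/group"`, adding `{Set.of("path/to/group/child")},` to this provider covers it, and a row `{Set.of("path/")},` would document that a trailing-slash value is rejected rather than matched. Add these rows only if they agree with what the mock actually returns.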