From 9f458af5124cf38189d327d1027728cce94451bb Mon Sep 17 00:00:00 2001
From: Pierre Guillot
Date: Wed, 11 Dec 2019 18:08:39 +0100
Subject: SONAR-12818 GitLab : lower the needed permission level if group sync is disabled

---
 .../sonar/auth/gitlab/GitLabIdentityProvider.java | 10 +++++++---
 .../java/org/sonar/auth/gitlab/GitLabSettings.java | 2 +-
 .../auth/gitlab/GitLabIdentityProviderTest.java | 23 +++++++++++++++++++++-
 3 files changed, 30 insertions(+), 5 deletions(-)
(limited to 'server/sonar-auth-gitlab')

diff --git a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
index ab0de2d184f..ba778a5b3a3 100644
--- a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
+++ b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabIdentityProvider.java
@@ -20,6 +20,7 @@ package org.sonar.auth.gitlab;
 import com.github.scribejava.core.builder.ServiceBuilder;
+import com.github.scribejava.core.builder.ServiceBuilderOAuth20;
 import com.github.scribejava.core.model.OAuth2AccessToken;
 import com.github.scribejava.core.model.OAuthConstants;
 import com.github.scribejava.core.oauth.OAuth20Service;
@@ -39,6 +40,8 @@ import static java.util.stream.Collectors.toSet;
 public class GitLabIdentityProvider implements OAuth2IdentityProvider {
+ public static final String API_SCOPE = "api";
+ public static final String READ_USER_SCOPE = "read_user";
 private final GitLabSettings gitLabSettings;
 private final ScribeGitLabOauth2Api scribeApi;
 private final GitLabRestClient gitLabRestClient;
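Review bot: The two scope constants added at the top of `GitLabIdentityProvider` are public and undocumented, yet they encode the privilege trade-off this commit is about; a reader of this class alone cannot tell why there are two or when each one is requested. A one-line Javadoc on each would carry that: `/** OAuth2 scope requested when group synchronization is on; GitLab needs it to read the user's group memberships. */` above `API_SCOPE`, and `/** Narrower scope requested when group synchronization is off; the commit treats it as sufficient for a plain login. */` above `READ_USER_SCOPE`. Nothing in this diff references the constants from outside the class (the tests compare against literal `scope=api` / `scope=read_user`), so `private` would keep them off the plugin's public surface unless a wider use is planned.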
@@ -80,15 +83,16 @@ public class GitLabIdentityProvider implements OAuth2IdentityProvider {
 @Override
 public void init(InitContext context) {
 String state = context.generateCsrfState();
- OAuth20Service scribe = newScribeBuilder(context).build(scribeApi);
+ OAuth20Service scribe = newScribeBuilder(context, gitLabSettings.syncUserGroups()).build(scribeApi);
 String url = scribe.getAuthorizationUrl(state);
 context.redirectTo(url);
 }
- private ServiceBuilder newScribeBuilder(OAuth2Context context) {
+ private ServiceBuilderOAuth20 newScribeBuilder(OAuth2Context context, boolean syncUserGroups) {
 checkState(isEnabled(), "GitLab authentication is disabled");
 return new ServiceBuilder(gitLabSettings.applicationId())
 .apiSecret(gitLabSettings.secret())
+ .defaultScope(syncUserGroups ? API_SCOPE : READ_USER_SCOPE)
 .callback(context.getCallbackUrl());
 }
@@ -106,7 +110,7 @@ public class GitLabIdentityProvider implements OAuth2IdentityProvider {
 private void onCallback(CallbackContext context) throws InterruptedException, ExecutionException, IOException {
 HttpServletRequest request = context.getRequest();
- OAuth20Service scribe = newScribeBuilder(context).build(scribeApi);
+ OAuth20Service scribe = newScribeBuilder(context, gitLabSettings.syncUserGroups()).build(scribeApi);
 String code = request.getParameter(OAuthConstants.CODE);
 OAuth2AccessToken accessToken = scribe.getAccessToken(code);
diff --git a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java
index 9dbc7a61e91..1ea51269985 100644
--- a/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java
+++ b/server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java
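Review bot: `newScribeBuilder` takes `syncUserGroups` as a parameter although it already reads `applicationId()` and `secret()` from the `gitLabSettings` field, and both call sites (`init` in this hunk and `onCallback` in the next one) simply pass `gitLabSettings.syncUserGroups()` back in; reading the flag inside the method removes the duplication and makes it impossible for the authorization redirect and the token exchange to be built from different values: `private ServiceBuilderOAuth20 newScribeBuilder(OAuth2Context context) {` with `.defaultScope(gitLabSettings.syncUserGroups() ? API_SCOPE : READ_USER_SCOPE)`. The `api` scope is GitLab's full read/write API access on the user's behalf, so the code that consumes that token after `getAccessToken` (the rest of `onCallback` lies outside the hunk) is worth re-checking for the token being used only for the profile and group lookups and never persisted or logged; if the GitLab versions SonarQube targets offer a read-only API scope, requesting it instead of `api` when syncing would be the least-privilege follow-up. A why-comment on the `.defaultScope` line would also help the next reader, e.g. `// group sync must list the user's GitLab groups, which needs "api"; a plain login only needs "read_user"`.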
@@ -120,7 +120,7 @@ public class GitLabSettings {
 PropertyDefinition.builder(GITLAB_AUTH_SYNC_USER_GROUPS)
 .deprecatedKey("sonar.auth.gitlab.sync_user_groups")
 .name("Synchronize user groups")
- .description("For each GitLab group he belongs to, the user will be associated to a group with the same name (if it exists) in SonarQube.")
+ .description("For each GitLab group he belongs to, the user will be associated to a group with the same name (if it exists) in SonarQube. If enabled, the GitLab Oauth2 application will need to provide the api scope")
 .category(CATEGORY)
 .subCategory(SUBCATEGORY)
 .type(PropertyType.BOOLEAN)
diff --git a/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java b/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
index 9558f8a65e0..90f0e5d0c8f 100644
--- a/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
+++ b/server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabIdentityProviderTest.java
@@ -60,6 +60,7 @@ public class GitLabIdentityProviderTest {
 when(gitLabSettings.applicationId()).thenReturn("123");
 when(gitLabSettings.secret()).thenReturn("456");
 when(gitLabSettings.url()).thenReturn("http://server");
+ when(gitLabSettings.syncUserGroups()).thenReturn(true);
 GitLabIdentityProvider gitLabIdentityProvider = new GitLabIdentityProvider(gitLabSettings, new GitLabRestClient(gitLabSettings),
 new ScribeGitLabOauth2Api(gitLabSettings));
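Review bot: The new `.description` text tells the administrator what enabling the option requires but not what disabling it buys, which is the whole point of this commit, and it spells the protocol `Oauth2` and ends without a period. Since this string is what an administrator reads when deciding whether to grant the broader scope, it should state both sides: `.description("For each GitLab group he belongs to, the user will be associated to a group with the same name (if it exists) in SonarQube. If enabled, the GitLab OAuth2 application must be granted the api scope; otherwise the read_user scope is sufficient.")`. The `PropertyDefinition.builder` chain continues outside the hunk, so check that no other property text in the file repeats the scope requirement.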
@@ -68,7 +69,27 @@ public class GitLabIdentityProviderTest {
 gitLabIdentityProvider.init(initContext);
- verify(initContext).redirectTo("http://server/oauth/authorize?response_type=code&client_id=123&redirect_uri=http%3A%2F%2Fserver%2Fcallback");
+ verify(initContext).redirectTo("http://server/oauth/authorize?response_type=code&client_id=123&redirect_uri=http%3A%2F%2Fserver%2Fcallback&scope=api");
+ }
+
+ @Test
+ public void test_init_without_sync() {
+ GitLabSettings gitLabSettings = mock(GitLabSettings.class);
+ when(gitLabSettings.isEnabled()).thenReturn(true);
+ when(gitLabSettings.allowUsersToSignUp()).thenReturn(true);
+ when(gitLabSettings.applicationId()).thenReturn("123");
+ when(gitLabSettings.secret()).thenReturn("456");
+ when(gitLabSettings.url()).thenReturn("http://server");
+ when(gitLabSettings.syncUserGroups()).thenReturn(false);
+ GitLabIdentityProvider gitLabIdentityProvider = new GitLabIdentityProvider(gitLabSettings, new GitLabRestClient(gitLabSettings),
+ new ScribeGitLabOauth2Api(gitLabSettings));
+
+ OAuth2IdentityProvider.InitContext initContext = mock(OAuth2IdentityProvider.InitContext.class);
+ when(initContext.getCallbackUrl()).thenReturn("http://server/callback");
+
+ gitLabIdentityProvider.init(initContext);
+
+ verify(initContext).redirectTo("http://server/oauth/authorize?response_type=code&client_id=123&redirect_uri=http%3A%2F%2Fserver%2Fcallback&scope=read_user");
 }
 @Test
-- 
cgit v1.2.3
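Review bot: The added test exercises only `init`; `onCallback` in `GitLabIdentityProvider` was changed in the same way, but nothing in this diff asserts that the token exchange is built with the scope matching the setting, so a regression on that path (for instance the two call sites diverging) would go unnoticed — a callback test with `syncUserGroups` stubbed to `false` that verifies the service used for `getAccessToken` would close that gap. `test_init_without_sync` also repeats the entire mock setup of the preceding test with `syncUserGroups` as the only difference; a helper such as `private static GitLabSettings newSettings(boolean syncUserGroups)` holding the six `when(...)` stubs, called from both tests, would make the one varying input visible instead of burying it in a copy. The enclosing test class continues beyond the hunk.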