Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-13 08:55:44 +01:00
Code Issues Packages Projects Releases Activity

fix wrong OutOfScopeException detection

Browse Source
This commit is contained in:
Sebastian Sdorra
2019-10-22 11:23:34 +02:00
parent 52f471b5dd
commit 10fbf50263
2 changed files with 23 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
scm-webapp/src/main/java/sonia/scm/security/XsrfAccessTokenEnricher.java
View File

@@ -37,6 +37,7 @@ import javax.inject.Provider;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import com.google.inject.OutOfScopeException; import com.google.inject.OutOfScopeException;
import com.google.inject.ProvisionException;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import sonia.scm.config.ScmConfiguration; import sonia.scm.config.ScmConfiguration;
@@ -98,8 +99,12 @@ public class XsrfAccessTokenEnricher implements AccessTokenEnricher {
} else { } else {
LOG.trace("skip xsrf enrichment, because jwt session is started from a non wui client"); LOG.trace("skip xsrf enrichment, because jwt session is started from a non wui client");
} }
} catch (OutOfScopeException ex) { } catch (ProvisionException ex) {
if (ex.getCause() instanceof OutOfScopeException) {
LOG.trace("skip xsrf enrichment, because no request scope is available"); LOG.trace("skip xsrf enrichment, because no request scope is available");
} else {
throw ex;
}
} }
return false; return false;
} }

17
scm-webapp/src/test/java/sonia/scm/security/XsrfAccessTokenEnricherTest.java
View File

@@ -31,6 +31,7 @@
package sonia.scm.security; package sonia.scm.security;
import com.google.inject.OutOfScopeException; import com.google.inject.OutOfScopeException;
import com.google.inject.ProvisionException;
import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Nested; import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
@@ -43,6 +44,7 @@ import sonia.scm.util.HttpUtil;
import javax.inject.Provider; import javax.inject.Provider;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.mockito.Mockito.*; import static org.mockito.Mockito.*;
/** /**
@@ -73,7 +75,7 @@ class XsrfAccessTokenEnricherTest {
void testWithoutRequestScope() { void testWithoutRequestScope() {
// prepare // prepare
Provider<HttpServletRequest> requestProvider = mock(Provider.class); Provider<HttpServletRequest> requestProvider = mock(Provider.class);
when(requestProvider.get()).thenThrow(new OutOfScopeException("request scope is not available")); when(requestProvider.get()).thenThrow(new ProvisionException("failed to provision", new OutOfScopeException("no request scope is available")));
configuration.setEnabledXsrfProtection(true); configuration.setEnabledXsrfProtection(true);
XsrfAccessTokenEnricher enricher = createEnricher(requestProvider); XsrfAccessTokenEnricher enricher = createEnricher(requestProvider);
@@ -84,6 +86,19 @@ class XsrfAccessTokenEnricherTest {
verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42"); verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42");
} }
@Test
@SuppressWarnings("unchecked")
void testWithProvisionException() {
// prepare
Provider<HttpServletRequest> requestProvider = mock(Provider.class);
when(requestProvider.get()).thenThrow(new ProvisionException("failed to provision"));
configuration.setEnabledXsrfProtection(true);
XsrfAccessTokenEnricher enricher = createEnricher(requestProvider);
// execute
assertThrows(ProvisionException.class, () -> enricher.enrich(builder));
}
private XsrfAccessTokenEnricher createEnricher(Provider<HttpServletRequest> requestProvider) { private XsrfAccessTokenEnricher createEnricher(Provider<HttpServletRequest> requestProvider) {
return new XsrfAccessTokenEnricher(configuration, requestProvider) { return new XsrfAccessTokenEnricher(configuration, requestProvider) {
@Override @Override