add missing check if anonymous access is enabled but anonymous user doesn't exist

This commit is contained in:
Eduard Heimbuch
2019-10-18 09:43:03 +02:00
parent 3e6e7bd4cb
commit 1af4acabbe
2 changed files with 22 additions and 2 deletions


@@ -6,8 +6,10 @@ import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher; import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm; import org.apache.shiro.realm.AuthenticatingRealm;
import sonia.scm.ConfigurationException;
import sonia.scm.SCMContext; import sonia.scm.SCMContext;
import sonia.scm.plugin.Extension; import sonia.scm.plugin.Extension;
import sonia.scm.user.UserDAO;
import javax.inject.Singleton; import javax.inject.Singleton;
@@ -27,10 +29,12 @@ public class AnonymousRealm extends AuthenticatingRealm {
* dao realm helper * dao realm helper
*/ */
private final DAORealmHelper helper; private final DAORealmHelper helper;
private final UserDAO userDAO;
@Inject @Inject
public AnonymousRealm(DAORealmHelperFactory helperFactory) { public AnonymousRealm(DAORealmHelperFactory helperFactory, UserDAO userDAO) {
this.helper = helperFactory.create(REALM); this.helper = helperFactory.create(REALM);
this.userDAO = userDAO;
setAuthenticationTokenClass(AnonymousToken.class); setAuthenticationTokenClass(AnonymousToken.class);
setCredentialsMatcher(new AllowAllCredentialsMatcher()); setCredentialsMatcher(new AllowAllCredentialsMatcher());
@@ -38,6 +42,9 @@ public class AnonymousRealm extends AuthenticatingRealm {
@Override @Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) { protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) {
if (!userDAO.contains(SCMContext.USER_ANONYMOUS)) {
throw new ConfigurationException("trying to access anonymous but _anonymous user does not exist");
}
checkArgument(authenticationToken instanceof AnonymousToken, "%s is required", AnonymousToken.class); checkArgument(authenticationToken instanceof AnonymousToken, "%s is required", AnonymousToken.class);
return helper.authenticationInfoBuilder(SCMContext.USER_ANONYMOUS).build(); return helper.authenticationInfoBuilder(SCMContext.USER_ANONYMOUS).build();
} }
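Review bot: The new `userDAO.contains(...)` check runs before the token-type `checkArgument`, so a caller passing the wrong token type now triggers a DAO lookup before its argument is rejected; validating the argument first keeps the cheap precondition ahead of the store access and lets the two tests stub independently. I would swap the two statements so `checkArgument(authenticationToken instanceof AnonymousToken, "%s is required", AnonymousToken.class);` is the first line of the method and the `if (!userDAO.contains(SCMContext.USER_ANONYMOUS))` block follows it. `ConfigurationException` is not a Shiro `AuthenticationException`, so it will presumably propagate out of `AuthenticatingRealm.getAuthenticationInfo` as a server error rather than a failed login; if that is intended (a misconfiguration should surface loudly), document it with `@throws ConfigurationException if anonymous access is attempted but the {@code _anonymous} user is missing from the user store` on the method. Note also that `contains` only proves the record exists: unless `helper.authenticationInfoBuilder` itself rejects an inactive `_anonymous` user, a deactivated anonymous account would still authenticate here, which is worth confirming.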


@@ -8,7 +8,9 @@ import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks; import org.mockito.InjectMocks;
import org.mockito.Mock; import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension; import org.mockito.junit.jupiter.MockitoExtension;
import sonia.scm.ConfigurationException;
import sonia.scm.SCMContext; import sonia.scm.SCMContext;
import sonia.scm.user.UserDAO;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -26,6 +28,9 @@ class AnonymousRealmTest {
@Mock @Mock
private DAORealmHelper.AuthenticationInfoBuilder builder; private DAORealmHelper.AuthenticationInfoBuilder builder;
@Mock
private UserDAO userDAO;
@InjectMocks @InjectMocks
private AnonymousRealm realm; private AnonymousRealm realm;
@@ -35,20 +40,28 @@ class AnonymousRealmTest {
@BeforeEach @BeforeEach
void prepareObjectUnderTest() { void prepareObjectUnderTest() {
when(realmHelperFactory.create(AnonymousRealm.REALM)).thenReturn(realmHelper); when(realmHelperFactory.create(AnonymousRealm.REALM)).thenReturn(realmHelper);
realm = new AnonymousRealm(realmHelperFactory); realm = new AnonymousRealm(realmHelperFactory, userDAO);
} }
@Test @Test
void shouldDoGetAuthentication() { void shouldDoGetAuthentication() {
when(realmHelper.authenticationInfoBuilder(SCMContext.USER_ANONYMOUS)).thenReturn(builder); when(realmHelper.authenticationInfoBuilder(SCMContext.USER_ANONYMOUS)).thenReturn(builder);
when(builder.build()).thenReturn(authenticationInfo); when(builder.build()).thenReturn(authenticationInfo);
when(userDAO.contains(SCMContext.USER_ANONYMOUS)).thenReturn(true);
AuthenticationInfo result = realm.doGetAuthenticationInfo(new AnonymousToken()); AuthenticationInfo result = realm.doGetAuthenticationInfo(new AnonymousToken());
assertThat(result).isSameAs(authenticationInfo); assertThat(result).isSameAs(authenticationInfo);
} }
@Test
void shouldThrowNotAuthorizedExceptionIfAnonymousUserNotExists() {
when(userDAO.contains(SCMContext.USER_ANONYMOUS)).thenReturn(false);
assertThrows(ConfigurationException.class, () -> realm.doGetAuthenticationInfo(new AnonymousToken()));
}
@Test @Test
void shouldThrowIllegalArgumentExceptionForWrongTypeOfToken() { void shouldThrowIllegalArgumentExceptionForWrongTypeOfToken() {
when(userDAO.contains(SCMContext.USER_ANONYMOUS)).thenReturn(true);
assertThrows(IllegalArgumentException.class, () -> realm.doGetAuthenticationInfo(new UsernamePasswordToken())); assertThrows(IllegalArgumentException.class, () -> realm.doGetAuthenticationInfo(new UsernamePasswordToken()));
} }
} }
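Review bot: The new test name `shouldThrowNotAuthorizedExceptionIfAnonymousUserNotExists` does not match what it asserts — the realm throws `ConfigurationException`, not an authorization exception — so rename it to `shouldThrowConfigurationExceptionIfAnonymousUserNotExists` before the name misleads a reader into treating this path as a normal authentication failure. The added `when(userDAO.contains(SCMContext.USER_ANONYMOUS)).thenReturn(true)` stub in `shouldThrowIllegalArgumentExceptionForWrongTypeOfToken` exists only because the DAO check precedes the token-type check in the realm; it silently encodes that ordering and, under `MockitoExtension` strict stubs, will start failing as an unnecessary stubbing if the order is ever changed, so a short comment such as `// DAO check runs before the token check; stub it so the type check is reached` would make the coupling visible. The missing-user test could additionally assert `verify(realmHelper, never()).authenticationInfoBuilder(any())` (with the corresponding Mockito static imports) to pin that no authentication info is built for a nonexistent user.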