mirror of
https://github.com/scm-manager/scm-manager.git
synced 2025-11-14 17:26:22 +01:00
Reduce SecurityFilter to user injection and enable SecurityInterceptor
Remove all the unnecessary stuff and all endpoints that would be no longer secure.
This commit is contained in:
René Pfeuffer
@@ -1,85 +0,0 @@
|
||||
/**
|
||||
* Copyright (c) 2014, Sebastian Sdorra
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
* 3. Neither the name of SCM-Manager; nor the names of its
|
||||
* contributors may be used to endorse or promote products derived from this
|
||||
* software without specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
||||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
|
||||
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
|
||||
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* http://bitbucket.org/sdorra/scm-manager
|
||||
*
|
||||
*/
|
||||
|
||||
package sonia.scm.filter;
|
||||
|
||||
import com.github.sdorra.shiro.ShiroRule;
|
||||
import com.github.sdorra.shiro.SubjectAware;
|
||||
import org.apache.shiro.SecurityUtils;
|
||||
import org.junit.Test;
|
||||
import static org.junit.Assert.*;
|
||||
import org.junit.Before;
|
||||
import org.junit.Rule;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import sonia.scm.config.ScmConfiguration;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link AdminSecurityFilter}.
|
||||
*
|
||||
* @author Sebastian Sdorra
|
||||
*/
|
||||
@RunWith(MockitoJUnitRunner.class)
|
||||
@SubjectAware(configuration = "classpath:sonia/scm/shiro-001.ini")
|
||||
public class AdminSecurityFilterTest {
|
||||
|
||||
private AdminSecurityFilter securityFilter;
|
||||
|
||||
@Rule
|
||||
public ShiroRule shiro = new ShiroRule();
|
||||
|
||||
/**
|
||||
* Prepare object under test and mocks.
|
||||
*/
|
||||
@Before
|
||||
public void setUp(){
|
||||
this.securityFilter = new AdminSecurityFilter(new ScmConfiguration());
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link AdminSecurityFilter#hasPermission(org.apache.shiro.subject.Subject)} as administrator.
|
||||
*/
|
||||
@Test
|
||||
@SubjectAware(username = "dent", password = "secret")
|
||||
public void testHasPermissionAsAdministrator() {
|
||||
assertTrue(securityFilter.hasPermission(SecurityUtils.getSubject()));
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests {@link AdminSecurityFilter#hasPermission(org.apache.shiro.subject.Subject)} as user.
|
||||
*/
|
||||
@Test
|
||||
@SubjectAware(username = "trillian", password = "secret")
|
||||
public void testHasPermissionAsUser() {
|
||||
assertFalse(securityFilter.hasPermission(SecurityUtils.getSubject()));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -33,30 +33,30 @@ package sonia.scm.filter;
|
||||
|
||||
import com.github.sdorra.shiro.ShiroRule;
|
||||
import com.github.sdorra.shiro.SubjectAware;
|
||||
import java.io.IOException;
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import org.apache.shiro.subject.SimplePrincipalCollection;
|
||||
import org.apache.shiro.subject.Subject;
|
||||
import org.junit.Test;
|
||||
import static org.junit.Assert.*;
|
||||
import static org.hamcrest.Matchers.*;
|
||||
import org.junit.Before;
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.ArgumentCaptor;
|
||||
import org.mockito.Captor;
|
||||
import org.mockito.Mock;
|
||||
import org.mockito.Mockito;
|
||||
import static org.mockito.Mockito.*;
|
||||
import org.mockito.junit.MockitoJUnitRunner;
|
||||
import sonia.scm.SCMContext;
|
||||
import sonia.scm.config.ScmConfiguration;
|
||||
import sonia.scm.user.User;
|
||||
import sonia.scm.user.UserTestData;
|
||||
|
||||
import javax.servlet.FilterChain;
|
||||
import javax.servlet.ServletException;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import java.io.IOException;
|
||||
|
||||
import static org.junit.Assert.assertEquals;
|
||||
import static org.mockito.Mockito.verify;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link SecurityFilter}.
|
||||
*
|
||||
@@ -95,37 +95,6 @@ public class SecurityFilterTest {
|
||||
public void setUp(){
|
||||
this.configuration = new ScmConfiguration();
|
||||
this.securityFilter = new SecurityFilter(configuration);
|
||||
|
||||
when(request.getContextPath()).thenReturn("/scm");
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests filter on authentication endpoint v1.
|
||||
*
|
||||
* @throws IOException
|
||||
* @throws ServletException
|
||||
*/
|
||||
@Test
|
||||
public void testDoOnAuthenticationUrlV1() throws IOException, ServletException {
|
||||
checkIfAuthenticationUrlIsPassedThrough("/scm/api/auth/access_token");
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests filter on authentication endpoint v2.
|
||||
*
|
||||
* @throws IOException
|
||||
* @throws ServletException
|
||||
*/
|
||||
@Test
|
||||
public void testDoOnAuthenticationUrlV2() throws IOException, ServletException {
|
||||
checkIfAuthenticationUrlIsPassedThrough("/scm/api/v2/auth/access_token");
|
||||
}
|
||||
|
||||
private void checkIfAuthenticationUrlIsPassedThrough(String uri) throws IOException, ServletException {
|
||||
when(request.getRequestURI()).thenReturn(uri);
|
||||
securityFilter.doFilter(request, response, chain);
|
||||
verify(request, never()).setAttribute(Mockito.anyString(), Mockito.any());
|
||||
verify(chain).doFilter(request, response);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -136,7 +105,6 @@ public class SecurityFilterTest {
|
||||
*/
|
||||
@Test
|
||||
public void testAnonymous() throws IOException, ServletException {
|
||||
when(request.getRequestURI()).thenReturn("/scm/api");
|
||||
securityFilter.doFilter(request, response, chain);
|
||||
response.sendError(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
@@ -149,7 +117,6 @@ public class SecurityFilterTest {
|
||||
*/
|
||||
@Test
|
||||
public void testAnonymousWithAccessEnabled() throws IOException, ServletException {
|
||||
when(request.getRequestURI()).thenReturn("/scm/api");
|
||||
configuration.setAnonymousAccessEnabled(true);
|
||||
|
||||
// execute
|
||||
@@ -173,8 +140,7 @@ public class SecurityFilterTest {
|
||||
@Test
|
||||
public void testAuthenticated() throws IOException, ServletException {
|
||||
authenticateUser(UserTestData.createTrillian());
|
||||
when(request.getRequestURI()).thenReturn("/scm/api");
|
||||
|
||||
|
||||
// execute
|
||||
securityFilter.doFilter(request, response, chain);
|
||||
|
||||
@@ -187,42 +153,6 @@ public class SecurityFilterTest {
|
||||
assertEquals("trillian", captured.getRemoteUser());
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests filter without permissions.
|
||||
*
|
||||
* @throws IOException
|
||||
* @throws ServletException
|
||||
*/
|
||||
@Test
|
||||
public void testForbidden() throws IOException, ServletException {
|
||||
authenticateUser(UserTestData.createTrillian());
|
||||
when(request.getRequestURI()).thenReturn("/scm/api");
|
||||
|
||||
// execute
|
||||
securityFilter = new AccessForbiddenSecurityFilter(configuration);
|
||||
securityFilter.doFilter(request, response, chain);
|
||||
|
||||
// assert
|
||||
verify(response).sendError(HttpServletResponse.SC_FORBIDDEN);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests filter unauthenticated and without permissions.
|
||||
*
|
||||
* @throws IOException
|
||||
* @throws ServletException
|
||||
*/
|
||||
@Test
|
||||
public void testUnauthorized() throws IOException, ServletException {
|
||||
when(request.getRequestURI()).thenReturn("/scm/api");
|
||||
|
||||
// execute
|
||||
securityFilter = new AccessForbiddenSecurityFilter(configuration);
|
||||
securityFilter.doFilter(request, response, chain);
|
||||
|
||||
// assert
|
||||
verify(response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
|
||||
}
|
||||
|
||||
private void authenticateUser(User user) {
|
||||
SimplePrincipalCollection spc = new SimplePrincipalCollection();
|
||||
@@ -236,18 +166,4 @@ public class SecurityFilterTest {
|
||||
|
||||
shiro.setSubject(subject);
|
||||
}
|
||||
|
||||
private static class AccessForbiddenSecurityFilter extends SecurityFilter {
|
||||
|
||||
private AccessForbiddenSecurityFilter(ScmConfiguration configuration) {
|
||||
super(configuration);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected boolean hasPermission(Subject subject) {
|
||||
return false;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user