Do not resolve external groups for system accounts (#1541)

This change modifies the behaviour of the DefaultGroupCollector. The collector does not longer resolve external groups for the anonymous user and it does not resolve internal nor external groups for the account which is used by the AdministrationContext. This should reduce the requests which are send to external systems like ldap servers.
2026-02-22 06:26:56 +01:00 · 2021-02-15 08:45:47 +01:00
parent 996a3b6f16
commit 1a2dabeb66
9 changed files with 83 additions and 76 deletions
--- a/scm-webapp/src/test/java/sonia/scm/group/DefaultGroupCollectorTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/group/DefaultGroupCollectorTest.java
@@ -21,7 +21,7 @@
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
-    
+
 package sonia.scm.group;

 import com.google.common.collect.ImmutableSet;
@@ -32,8 +32,10 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.SCMContext;
 import sonia.scm.cache.MapCache;
 import sonia.scm.cache.MapCacheManager;
+import sonia.scm.security.Authentications;

 import java.util.HashSet;
 import java.util.List;
@@ -43,6 +45,8 @@ import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
+import static sonia.scm.security.Authentications.PRINCIPAL_ANONYMOUS;
+import static sonia.scm.security.Authentications.PRINCIPAL_SYSTEM;

@ExtendWith(MockitoExtension.class)
 class DefaultGroupCollectorTest {
@@ -94,6 +98,28 @@ class DefaultGroupCollectorTest {
    verify(groupResolver, never()).resolve("trillian");
  }

+  @Test
+  void shouldNotCallResolverForAnonymous() {
+    groupResolvers.add(groupResolver);
+    Set<String> groups = collector.collect(PRINCIPAL_ANONYMOUS);
+    verify(groupResolver, never()).resolve(PRINCIPAL_ANONYMOUS);
+  }
+
+  @Test
+  void shouldNotCallResolverForSystemAccount() {
+    groupResolvers.add(groupResolver);
+    Set<String> groups = collector.collect(PRINCIPAL_SYSTEM);
+    verify(groupResolver, never()).resolve(PRINCIPAL_SYSTEM);
+  }
+
+  @Test
+  void shouldNotResolveInternalGroupsForSystemAccount() {
+    Set<String> groups = collector.collect(PRINCIPAL_SYSTEM);
+    verify(groupDAO, never()).getAll();
+  }
+
+
+
  @Nested
  class WithGroupsFromDao {

--- a/scm-webapp/src/test/java/sonia/scm/web/security/DefaultAdministrationContextTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/web/security/DefaultAdministrationContextTest.java
@@ -21,7 +21,7 @@
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
-    
+
 package sonia.scm.web.security;

 import com.google.inject.Guice;
@@ -36,9 +36,9 @@ import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import sonia.scm.security.Authentications;

 import static org.assertj.core.api.Assertions.assertThat;
-import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.Mockito.when;

@ExtendWith(MockitoExtension.class)
@@ -61,7 +61,7 @@ class DefaultAdministrationContextTest {
  void shouldBindSubject() {
    context.runAsAdmin(() -> {
      Subject adminSubject = SecurityUtils.getSubject();
-      assertThat(adminSubject.getPrincipal()).isEqualTo("scmsystem");
+      assertThat(adminSubject.getPrincipal()).isEqualTo(Authentications.PRINCIPAL_SYSTEM);
    });
  }

@@ -72,7 +72,7 @@ class DefaultAdministrationContextTest {

      context.runAsAdmin(() -> {
        Subject adminSubject = SecurityUtils.getSubject();
-        assertThat(adminSubject.getPrincipal()).isEqualTo("scmsystem");
+        assertThat(adminSubject.getPrincipal()).isEqualTo(Authentications.PRINCIPAL_SYSTEM);
      });

    } finally {