Handle Plugin Center Authentication failures (#1940)

If the plugin center authentication fails,
the plugins are fetched without authentication
and a warning is displayed on the plugin page.

Co-authored-by: Konstantin Schaper <konstantin.schaper@cloudogu.com>
This commit is contained in:
Sebastian Sdorra
2022-01-31 15:41:12 +01:00
committed by GitHub
parent 67bd96ea81
commit c74e9984f6
22 changed files with 505 additions and 117 deletions

View File

@@ -147,6 +147,14 @@ class PluginCenterAuthResourceTest {
assertThat(root.get("_links").get("login").get("href").asText()).isEqualTo("/v2/plugins/auth/login");
}
@Test
@SubjectAware(value = "marvin", permissions = "plugin:write")
void shouldReturnReconnectAndLogoutLinkForFailedAuthentication() throws URISyntaxException, IOException {
JsonNode root = requestAuthInfo(true);
assertThat(root.get("_links").get("reconnect").get("href").asText()).isEqualTo("/v2/plugins/auth/login?reconnect=true");
}
@Test
void shouldReturnAuthenticationInfo() throws IOException, URISyntaxException {
JsonNode root = requestAuthInfo();
@@ -181,8 +189,12 @@ class PluginCenterAuthResourceTest {
}
private JsonNode requestAuthInfo() throws IOException, URISyntaxException {
return requestAuthInfo(false);
}
private JsonNode requestAuthInfo(boolean failed) throws IOException, URISyntaxException {
AuthenticationInfo info = new SimpleAuthenticationInfo(
"trillian", "tricia.mcmillan@hitchhiker.com", Instant.now()
"trillian", "tricia.mcmillan@hitchhiker.com", Instant.now(), failed
);
when(authenticator.getAuthenticationInfo()).thenReturn(Optional.of(info));
@@ -233,6 +245,19 @@ class PluginCenterAuthResourceTest {
assertError(response, ERROR_ALREADY_AUTHENTICATED);
}
@Test
@SubjectAware("trillian")
void shouldIgnorePreviousAuthenticationOnReconnection() throws URISyntaxException, IOException {
lenient().when(authenticator.isAuthenticated()).thenReturn(true);
when(challengeGenerator.create()).thenReturn("abcd");
when(parameterSerializer.serialize(any(AuthParameter.class))).thenReturn("def");
scmConfiguration.setPluginAuthUrl("https://plug.ins");
MockHttpResponse response = get("/v2/plugins/auth/login?source=/admin/plugins&reconnect=true");
assertRedirect(response, "https://plug.ins?instance=%2Fv2%2Fplugins%2Fauth%2Fcallback?params%3Ddef");
}
@Test
@SubjectAware("trillian")
void shouldReturnRedirectToPluginAuthUrl() throws URISyntaxException, IOException {
@@ -453,6 +478,7 @@ class PluginCenterAuthResourceTest {
String principal;
String pluginCenterSubject;
Instant date;
boolean failed;
}
private static final ScmPathInfo rootPathInfo = new ScmPathInfo() {

View File

@@ -47,6 +47,7 @@ import sonia.scm.store.InMemoryConfigurationStoreFactory;
import java.io.IOException;
import java.time.Instant;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import static org.assertj.core.api.Assertions.assertThat;
@@ -146,7 +147,7 @@ class PluginCenterAuthenticatorTest {
@Test
void shouldAuthenticate() throws IOException {
mockAuthProtocol("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
authenticator.authenticate("tricia.mcmillan@hitchhiker.com", "my-awesome-refresh-token");
assertThat(authenticator.isAuthenticated()).isTrue();
@@ -154,7 +155,7 @@ class PluginCenterAuthenticatorTest {
@Test
void shouldFireLoginEvent() throws IOException {
mockAuthProtocol("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
authenticator.authenticate("tricia.mcmillan@hitchhiker.com", "my-awesome-refresh-token");
@@ -174,51 +175,89 @@ class PluginCenterAuthenticatorTest {
void shouldUseUrlFromScmConfiguration() throws IOException {
preAuth("cool-refresh-token");
scmConfiguration.setPluginAuthUrl("https://pca.org/oidc/");
mockAuthProtocol("https://pca.org/oidc/refresh", "access", "refresh");
mockSuccessfulAuth("https://pca.org/oidc/refresh", "access", "refresh");
String accessToken = authenticator.fetchAccessToken();
assertThat(accessToken).isEqualTo("access");
}
@Test
void shouldFailIfFetchFails() throws IOException {
preAuth("cool-refresh-token");
scmConfiguration.setPluginAuthUrl("https://plug.ins/oidc/");
when(advancedHttpClient.post("https://plug.ins/oidc/refresh")).thenReturn(request);
when(request.request()).thenThrow(new IOException("network down down down"));
assertThrows(FetchAccessTokenFailedException.class, () -> authenticator.fetchAccessToken());
}
@Test
void shouldFailIfFetchResponseIsNotSuccessful() throws IOException {
preAuth("cool-refresh-token");
scmConfiguration.setPluginAuthUrl("https://plug.ins/oidc/");
when(advancedHttpClient.post("https://plug.ins/oidc/refresh")).thenReturn(request);
AdvancedHttpResponse response = mock(AdvancedHttpResponse.class);
when(request.request()).thenReturn(response);
when(response.isSuccessful()).thenReturn(false);
assertThrows(FetchAccessTokenFailedException.class, () -> authenticator.fetchAccessToken());
Optional<String> accessToken = authenticator.fetchAccessToken();
assertThat(accessToken).contains("access");
}
@Test
void shouldFetchAccessToken() throws IOException {
preAuth("cool-refresh-token");
mockAuthProtocol("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
String accessToken = authenticator.fetchAccessToken();
assertThat(accessToken).isEqualTo("access");
Optional<String> accessToken = authenticator.fetchAccessToken();
assertThat(accessToken).contains("access");
}
@Test
void shouldReturnEmptyAccessTokenOnFailedRequest() throws IOException {
preAuth("cool-refresh-token");
AdvancedHttpResponse response = mockAuthResponse("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh");
when(response.isSuccessful()).thenReturn(false);
Optional<String> accessToken = authenticator.fetchAccessToken();
assertThat(accessToken).isEmpty();
}
@Test
void shouldReturnEmptyAccessTokenOnException() throws IOException {
preAuth("cool-refresh-token");
when(advancedHttpClient.post("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh"))
.thenReturn(request);
when(request.request()).thenThrow(new IOException("failed"));
Optional<String> accessToken = authenticator.fetchAccessToken();
assertThat(accessToken).isEmpty();
}
@Test
void shouldMarkAuthenticationAsFailed() throws IOException {
preAuth("cool-refresh-token");
AdvancedHttpResponse response = mockAuthResponse("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh");
when(response.isSuccessful()).thenReturn(false);
authenticator.fetchAccessToken();
assertThat(authenticator.getAuthenticationInfo()).hasValueSatisfying(
auth -> assertThat(auth.isFailed()).isTrue()
);
}
@Test
void shouldUnmarkAfterSuccessfulAuthentication() throws IOException {
preAuth("cool-refresh-token", true);
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
authenticator.fetchAccessToken();
assertThat(authenticator.getAuthenticationInfo()).hasValueSatisfying(
auth -> assertThat(auth.isFailed()).isFalse()
);
}
@Test
void shouldFireAuthenticationFailedEvent() throws IOException {
preAuth("cool-refresh-token");
AdvancedHttpResponse response = mockAuthResponse("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh");
when(response.isSuccessful()).thenReturn(false);
authenticator.fetchAccessToken();
ArgumentCaptor<PluginCenterAuthenticationFailedEvent> eventCaptor = ArgumentCaptor.forClass(PluginCenterAuthenticationFailedEvent.class);
verify(eventBus).post(eventCaptor.capture());
PluginCenterAuthenticationFailedEvent event = eventCaptor.getValue();
assertThat(event.getAuthenticationInfo().isFailed()).isTrue();
}
@Test
void shouldStoreRefreshTokenAfterFetch() throws IOException {
preAuth("refreshOne");
mockAuthProtocol("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "accessTwo", "refreshTwo");
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "accessTwo", "refreshTwo");
authenticator.fetchAccessToken();
authenticator.fetchAccessToken();
@@ -272,22 +311,24 @@ class PluginCenterAuthenticatorTest {
assertThat(info.getPluginCenterSubject()).isEqualTo("tricia.mcmillan@hitchhiker.com");
}
@SuppressWarnings("unchecked")
private void preAuth(String refreshToken) {
preAuth(refreshToken, false);
}
@SuppressWarnings("unchecked")
private void preAuth(String refreshToken, boolean failed) {
Authentication authentication = new Authentication();
authentication.setPluginCenterSubject("tricia.mcmillan@hitchhiker.com");
authentication.setPrincipal("trillian");
authentication.setRefreshToken(refreshToken);
authentication.setDate(Instant.now());
authentication.setFailed(failed);
factory.get(STORE_NAME, null).set(authentication);
}
@CanIgnoreReturnValue
private void mockAuthProtocol(String url, String accessToken, String refreshToken) throws IOException {
when(advancedHttpClient.post(url)).thenReturn(request);
AdvancedHttpResponse response = mock(AdvancedHttpResponse.class);
when(request.request()).thenReturn(response);
private void mockSuccessfulAuth(String url, String accessToken, String refreshToken) throws IOException {
AdvancedHttpResponse response = mockAuthResponse(url);
RefreshResponse refreshResponse = new RefreshResponse();
refreshResponse.setAccessToken(accessToken);
@@ -297,6 +338,15 @@ class PluginCenterAuthenticatorTest {
when(response.isSuccessful()).thenReturn(true);
}
private AdvancedHttpResponse mockAuthResponse(String url) throws IOException {
when(advancedHttpClient.post(url)).thenReturn(request);
AdvancedHttpResponse response = mock(AdvancedHttpResponse.class);
when(request.request()).thenReturn(response);
return response;
}
}
}

View File

@@ -37,6 +37,7 @@ import sonia.scm.net.ahc.AdvancedHttpResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;
import static org.assertj.core.api.Assertions.assertThat;
@@ -107,7 +108,7 @@ class PluginCenterLoaderTest {
@Test
void shouldAppendAccessToken() throws IOException {
when(authenticator.isAuthenticated()).thenReturn(true);
when(authenticator.fetchAccessToken()).thenReturn("mega-cool-at");
when(authenticator.fetchAccessToken()).thenReturn(Optional.of("mega-cool-at"));
mockResponse();
loader.load(PLUGIN_URL);

View File

@@ -43,6 +43,7 @@ import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.Collections;
import java.util.Optional;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -200,7 +201,7 @@ class PluginInstallerTest {
@Test
void shouldAppendBearerAuth() throws IOException {
when(authenticator.isAuthenticated()).thenReturn(true);
when(authenticator.fetchAccessToken()).thenReturn("atat");
when(authenticator.fetchAccessToken()).thenReturn(Optional.of("atat"));
mockContent("42");
installer.install(PluginInstallationContext.empty(), createGitPlugin());

View File

@@ -72,7 +72,7 @@ class PluginCenterAuthenticationUpdateStepTest {
@Test
void shouldUpdateIfRefreshTokenNotEncrypted() throws Exception {
when(configurationStore.getOptional())
.thenReturn(Optional.of(new PluginCenterAuthenticator.Authentication("trillian", "trillian", "some_not_encrypted_token", Instant.now())));
.thenReturn(Optional.of(new PluginCenterAuthenticator.Authentication("trillian", "trillian", "some_not_encrypted_token", Instant.now(), false)));
updateStep.doUpdate();
@@ -85,7 +85,7 @@ class PluginCenterAuthenticationUpdateStepTest {
@Test
void shouldNotUpdateIfRefreshTokenIsAlreadyEncrypted() throws Exception {
when(configurationStore.getOptional())
.thenReturn(Optional.of(new PluginCenterAuthenticator.Authentication("trillian", "trillian", "{enc}my_encrypted_token", Instant.now())));
.thenReturn(Optional.of(new PluginCenterAuthenticator.Authentication("trillian", "trillian", "{enc}my_encrypted_token", Instant.now(), false)));
updateStep.doUpdate();