mirror of
https://github.com/scm-manager/scm-manager.git
synced 2026-07-03 13:37:31 +02:00
Handle Plugin Center Authentication failures (#1940)
If the plugin center authentication fails, the plugins are fetched without authentication and a warning is displayed on the plugin page. Co-authored-by: Konstantin Schaper <konstantin.schaper@cloudogu.com>
This commit is contained in:
@@ -147,6 +147,14 @@ class PluginCenterAuthResourceTest {
|
||||
assertThat(root.get("_links").get("login").get("href").asText()).isEqualTo("/v2/plugins/auth/login");
|
||||
}
|
||||
|
||||
@Test
|
||||
@SubjectAware(value = "marvin", permissions = "plugin:write")
|
||||
void shouldReturnReconnectAndLogoutLinkForFailedAuthentication() throws URISyntaxException, IOException {
|
||||
JsonNode root = requestAuthInfo(true);
|
||||
|
||||
assertThat(root.get("_links").get("reconnect").get("href").asText()).isEqualTo("/v2/plugins/auth/login?reconnect=true");
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldReturnAuthenticationInfo() throws IOException, URISyntaxException {
|
||||
JsonNode root = requestAuthInfo();
|
||||
@@ -181,8 +189,12 @@ class PluginCenterAuthResourceTest {
|
||||
}
|
||||
|
||||
private JsonNode requestAuthInfo() throws IOException, URISyntaxException {
|
||||
return requestAuthInfo(false);
|
||||
}
|
||||
|
||||
private JsonNode requestAuthInfo(boolean failed) throws IOException, URISyntaxException {
|
||||
AuthenticationInfo info = new SimpleAuthenticationInfo(
|
||||
"trillian", "tricia.mcmillan@hitchhiker.com", Instant.now()
|
||||
"trillian", "tricia.mcmillan@hitchhiker.com", Instant.now(), failed
|
||||
);
|
||||
when(authenticator.getAuthenticationInfo()).thenReturn(Optional.of(info));
|
||||
|
||||
@@ -233,6 +245,19 @@ class PluginCenterAuthResourceTest {
|
||||
assertError(response, ERROR_ALREADY_AUTHENTICATED);
|
||||
}
|
||||
|
||||
@Test
|
||||
@SubjectAware("trillian")
|
||||
void shouldIgnorePreviousAuthenticationOnReconnection() throws URISyntaxException, IOException {
|
||||
lenient().when(authenticator.isAuthenticated()).thenReturn(true);
|
||||
when(challengeGenerator.create()).thenReturn("abcd");
|
||||
when(parameterSerializer.serialize(any(AuthParameter.class))).thenReturn("def");
|
||||
|
||||
scmConfiguration.setPluginAuthUrl("https://plug.ins");
|
||||
|
||||
MockHttpResponse response = get("/v2/plugins/auth/login?source=/admin/plugins&reconnect=true");
|
||||
assertRedirect(response, "https://plug.ins?instance=%2Fv2%2Fplugins%2Fauth%2Fcallback?params%3Ddef");
|
||||
}
|
||||
|
||||
@Test
|
||||
@SubjectAware("trillian")
|
||||
void shouldReturnRedirectToPluginAuthUrl() throws URISyntaxException, IOException {
|
||||
@@ -453,6 +478,7 @@ class PluginCenterAuthResourceTest {
|
||||
String principal;
|
||||
String pluginCenterSubject;
|
||||
Instant date;
|
||||
boolean failed;
|
||||
}
|
||||
|
||||
private static final ScmPathInfo rootPathInfo = new ScmPathInfo() {
|
||||
|
||||
@@ -47,6 +47,7 @@ import sonia.scm.store.InMemoryConfigurationStoreFactory;
|
||||
import java.io.IOException;
|
||||
import java.time.Instant;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
@@ -146,7 +147,7 @@ class PluginCenterAuthenticatorTest {
|
||||
|
||||
@Test
|
||||
void shouldAuthenticate() throws IOException {
|
||||
mockAuthProtocol("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
|
||||
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
|
||||
|
||||
authenticator.authenticate("tricia.mcmillan@hitchhiker.com", "my-awesome-refresh-token");
|
||||
assertThat(authenticator.isAuthenticated()).isTrue();
|
||||
@@ -154,7 +155,7 @@ class PluginCenterAuthenticatorTest {
|
||||
|
||||
@Test
|
||||
void shouldFireLoginEvent() throws IOException {
|
||||
mockAuthProtocol("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
|
||||
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
|
||||
|
||||
authenticator.authenticate("tricia.mcmillan@hitchhiker.com", "my-awesome-refresh-token");
|
||||
|
||||
@@ -174,51 +175,89 @@ class PluginCenterAuthenticatorTest {
|
||||
void shouldUseUrlFromScmConfiguration() throws IOException {
|
||||
preAuth("cool-refresh-token");
|
||||
scmConfiguration.setPluginAuthUrl("https://pca.org/oidc/");
|
||||
mockAuthProtocol("https://pca.org/oidc/refresh", "access", "refresh");
|
||||
mockSuccessfulAuth("https://pca.org/oidc/refresh", "access", "refresh");
|
||||
|
||||
String accessToken = authenticator.fetchAccessToken();
|
||||
assertThat(accessToken).isEqualTo("access");
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldFailIfFetchFails() throws IOException {
|
||||
preAuth("cool-refresh-token");
|
||||
scmConfiguration.setPluginAuthUrl("https://plug.ins/oidc/");
|
||||
|
||||
when(advancedHttpClient.post("https://plug.ins/oidc/refresh")).thenReturn(request);
|
||||
when(request.request()).thenThrow(new IOException("network down down down"));
|
||||
|
||||
assertThrows(FetchAccessTokenFailedException.class, () -> authenticator.fetchAccessToken());
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldFailIfFetchResponseIsNotSuccessful() throws IOException {
|
||||
preAuth("cool-refresh-token");
|
||||
scmConfiguration.setPluginAuthUrl("https://plug.ins/oidc/");
|
||||
|
||||
when(advancedHttpClient.post("https://plug.ins/oidc/refresh")).thenReturn(request);
|
||||
|
||||
AdvancedHttpResponse response = mock(AdvancedHttpResponse.class);
|
||||
when(request.request()).thenReturn(response);
|
||||
|
||||
when(response.isSuccessful()).thenReturn(false);
|
||||
|
||||
assertThrows(FetchAccessTokenFailedException.class, () -> authenticator.fetchAccessToken());
|
||||
Optional<String> accessToken = authenticator.fetchAccessToken();
|
||||
assertThat(accessToken).contains("access");
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldFetchAccessToken() throws IOException {
|
||||
preAuth("cool-refresh-token");
|
||||
mockAuthProtocol("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
|
||||
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
|
||||
|
||||
String accessToken = authenticator.fetchAccessToken();
|
||||
assertThat(accessToken).isEqualTo("access");
|
||||
Optional<String> accessToken = authenticator.fetchAccessToken();
|
||||
assertThat(accessToken).contains("access");
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldReturnEmptyAccessTokenOnFailedRequest() throws IOException {
|
||||
preAuth("cool-refresh-token");
|
||||
|
||||
AdvancedHttpResponse response = mockAuthResponse("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh");
|
||||
when(response.isSuccessful()).thenReturn(false);
|
||||
|
||||
Optional<String> accessToken = authenticator.fetchAccessToken();
|
||||
assertThat(accessToken).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldReturnEmptyAccessTokenOnException() throws IOException {
|
||||
preAuth("cool-refresh-token");
|
||||
|
||||
when(advancedHttpClient.post("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh"))
|
||||
.thenReturn(request);
|
||||
when(request.request()).thenThrow(new IOException("failed"));
|
||||
|
||||
Optional<String> accessToken = authenticator.fetchAccessToken();
|
||||
assertThat(accessToken).isEmpty();
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldMarkAuthenticationAsFailed() throws IOException {
|
||||
preAuth("cool-refresh-token");
|
||||
|
||||
AdvancedHttpResponse response = mockAuthResponse("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh");
|
||||
when(response.isSuccessful()).thenReturn(false);
|
||||
|
||||
authenticator.fetchAccessToken();
|
||||
assertThat(authenticator.getAuthenticationInfo()).hasValueSatisfying(
|
||||
auth -> assertThat(auth.isFailed()).isTrue()
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldUnmarkAfterSuccessfulAuthentication() throws IOException {
|
||||
preAuth("cool-refresh-token", true);
|
||||
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "access", "refresh");
|
||||
|
||||
authenticator.fetchAccessToken();
|
||||
|
||||
assertThat(authenticator.getAuthenticationInfo()).hasValueSatisfying(
|
||||
auth -> assertThat(auth.isFailed()).isFalse()
|
||||
);
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldFireAuthenticationFailedEvent() throws IOException {
|
||||
preAuth("cool-refresh-token");
|
||||
|
||||
AdvancedHttpResponse response = mockAuthResponse("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh");
|
||||
when(response.isSuccessful()).thenReturn(false);
|
||||
|
||||
authenticator.fetchAccessToken();
|
||||
|
||||
ArgumentCaptor<PluginCenterAuthenticationFailedEvent> eventCaptor = ArgumentCaptor.forClass(PluginCenterAuthenticationFailedEvent.class);
|
||||
verify(eventBus).post(eventCaptor.capture());
|
||||
PluginCenterAuthenticationFailedEvent event = eventCaptor.getValue();
|
||||
|
||||
assertThat(event.getAuthenticationInfo().isFailed()).isTrue();
|
||||
}
|
||||
|
||||
@Test
|
||||
void shouldStoreRefreshTokenAfterFetch() throws IOException {
|
||||
preAuth("refreshOne");
|
||||
mockAuthProtocol("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "accessTwo", "refreshTwo");
|
||||
mockSuccessfulAuth("https://plugin-center-api.scm-manager.org/api/v1/auth/oidc/refresh", "accessTwo", "refreshTwo");
|
||||
|
||||
authenticator.fetchAccessToken();
|
||||
authenticator.fetchAccessToken();
|
||||
@@ -272,22 +311,24 @@ class PluginCenterAuthenticatorTest {
|
||||
assertThat(info.getPluginCenterSubject()).isEqualTo("tricia.mcmillan@hitchhiker.com");
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
private void preAuth(String refreshToken) {
|
||||
preAuth(refreshToken, false);
|
||||
}
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
private void preAuth(String refreshToken, boolean failed) {
|
||||
Authentication authentication = new Authentication();
|
||||
authentication.setPluginCenterSubject("tricia.mcmillan@hitchhiker.com");
|
||||
authentication.setPrincipal("trillian");
|
||||
authentication.setRefreshToken(refreshToken);
|
||||
authentication.setDate(Instant.now());
|
||||
authentication.setFailed(failed);
|
||||
factory.get(STORE_NAME, null).set(authentication);
|
||||
}
|
||||
|
||||
@CanIgnoreReturnValue
|
||||
private void mockAuthProtocol(String url, String accessToken, String refreshToken) throws IOException {
|
||||
when(advancedHttpClient.post(url)).thenReturn(request);
|
||||
|
||||
AdvancedHttpResponse response = mock(AdvancedHttpResponse.class);
|
||||
when(request.request()).thenReturn(response);
|
||||
private void mockSuccessfulAuth(String url, String accessToken, String refreshToken) throws IOException {
|
||||
AdvancedHttpResponse response = mockAuthResponse(url);
|
||||
|
||||
RefreshResponse refreshResponse = new RefreshResponse();
|
||||
refreshResponse.setAccessToken(accessToken);
|
||||
@@ -297,6 +338,15 @@ class PluginCenterAuthenticatorTest {
|
||||
when(response.isSuccessful()).thenReturn(true);
|
||||
}
|
||||
|
||||
private AdvancedHttpResponse mockAuthResponse(String url) throws IOException {
|
||||
when(advancedHttpClient.post(url)).thenReturn(request);
|
||||
|
||||
AdvancedHttpResponse response = mock(AdvancedHttpResponse.class);
|
||||
when(request.request()).thenReturn(response);
|
||||
|
||||
return response;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -37,6 +37,7 @@ import sonia.scm.net.ahc.AdvancedHttpResponse;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.Collections;
|
||||
import java.util.Optional;
|
||||
import java.util.Set;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
@@ -107,7 +108,7 @@ class PluginCenterLoaderTest {
|
||||
@Test
|
||||
void shouldAppendAccessToken() throws IOException {
|
||||
when(authenticator.isAuthenticated()).thenReturn(true);
|
||||
when(authenticator.fetchAccessToken()).thenReturn("mega-cool-at");
|
||||
when(authenticator.fetchAccessToken()).thenReturn(Optional.of("mega-cool-at"));
|
||||
|
||||
mockResponse();
|
||||
loader.load(PLUGIN_URL);
|
||||
|
||||
@@ -43,6 +43,7 @@ import java.io.InputStream;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Path;
|
||||
import java.util.Collections;
|
||||
import java.util.Optional;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.junit.jupiter.api.Assertions.assertThrows;
|
||||
@@ -200,7 +201,7 @@ class PluginInstallerTest {
|
||||
@Test
|
||||
void shouldAppendBearerAuth() throws IOException {
|
||||
when(authenticator.isAuthenticated()).thenReturn(true);
|
||||
when(authenticator.fetchAccessToken()).thenReturn("atat");
|
||||
when(authenticator.fetchAccessToken()).thenReturn(Optional.of("atat"));
|
||||
mockContent("42");
|
||||
|
||||
installer.install(PluginInstallationContext.empty(), createGitPlugin());
|
||||
|
||||
@@ -72,7 +72,7 @@ class PluginCenterAuthenticationUpdateStepTest {
|
||||
@Test
|
||||
void shouldUpdateIfRefreshTokenNotEncrypted() throws Exception {
|
||||
when(configurationStore.getOptional())
|
||||
.thenReturn(Optional.of(new PluginCenterAuthenticator.Authentication("trillian", "trillian", "some_not_encrypted_token", Instant.now())));
|
||||
.thenReturn(Optional.of(new PluginCenterAuthenticator.Authentication("trillian", "trillian", "some_not_encrypted_token", Instant.now(), false)));
|
||||
|
||||
updateStep.doUpdate();
|
||||
|
||||
@@ -85,7 +85,7 @@ class PluginCenterAuthenticationUpdateStepTest {
|
||||
@Test
|
||||
void shouldNotUpdateIfRefreshTokenIsAlreadyEncrypted() throws Exception {
|
||||
when(configurationStore.getOptional())
|
||||
.thenReturn(Optional.of(new PluginCenterAuthenticator.Authentication("trillian", "trillian", "{enc}my_encrypted_token", Instant.now())));
|
||||
.thenReturn(Optional.of(new PluginCenterAuthenticator.Authentication("trillian", "trillian", "{enc}my_encrypted_token", Instant.now(), false)));
|
||||
|
||||
updateStep.doUpdate();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user