From 0d8bfe6aa706b19b9ea1157edf44d45f515270cc Mon Sep 17 00:00:00 2001 From: Alex Mukha Date: Tue, 17 Jan 2017 13:57:05 +0000 Subject: [PATCH] Merged DEV to 5.2.N (5.2.1) 133903 sglover: MNT-17247 "Disabled user can log into Alfresco Share using external authentication" take user disabled status in to account for external authentication subsystem + tests 133907 sglover: MNT-17247 "Disabled user can log into Alfresco Share using external authentication" don't propagate user disabled exception 133930 sglover: MNT-17247 "Disabled user can log into Alfresco Share using external authentication" move test class and add to a test suite 134295 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - Added a test to simulate creation of missing person during external auth log in. 134315 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - Added a fallback to supprt the logging in by non provisioned users. 134354 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - Added a test with deauthorized user. Refactored existing test to start context once. 134359 jvonka: REPO-1227: External authentication - prevent disabled user from authenticating - add log warning (with masked username, similar to brute force attack) if authentication bypassed when setting user details 134372 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - Updated core and data model (contain new logging) 134390 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - isEnabled flag for users is returned correctly - Added tests git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@134396 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261 --- .../RemoteUserAuthenticatorFactory.java | 25 +- .../org/alfresco/RemoteApi01TestSuite.java | 7 +- .../RemoteAuthenticatorFactoryTest.java | 220 ++++++++++++++++++ 3 files changed, 246 insertions(+), 6 deletions(-) create mode 100644 source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java diff --git a/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java b/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java index c101f170e1..14957b29d4 100644 --- a/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java +++ b/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java @@ -27,6 +27,7 @@ package org.alfresco.repo.web.scripts.servlet; import javax.servlet.http.HttpSession; +import org.alfresco.error.ExceptionStackUtil; import org.alfresco.repo.SessionUser; import org.alfresco.repo.management.subsystems.ActivateableBean; import org.alfresco.repo.security.authentication.AuthenticationComponent; @@ -43,6 +44,8 @@ import org.springframework.extensions.webscripts.Description.RequiredAuthenticat import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest; import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse; +import net.sf.acegisecurity.DisabledException; + /** * Authenticator to provide Remote User based Header authentication dropping back to Basic Auth otherwise. * Statelessly authenticating via a secure header now does not require a Session so can be used with @@ -99,9 +102,25 @@ public class RemoteUserAuthenticatorFactory extends BasicHttpAuthenticatorFactor final String userId = getRemoteUser(); if (userId != null) { - authenticationComponent.setCurrentUser(userId); - listener.userAuthenticated(new TicketCredentials(authenticationService.getCurrentTicket())); - authenticated = true; + try + { + authenticationComponent.setCurrentUser(userId); + listener.userAuthenticated(new TicketCredentials(authenticationService.getCurrentTicket())); + authenticated = true; + } + catch (AuthenticationException authErr) + { + // don't propagate if the user is disabled + Throwable disabledCause = ExceptionStackUtil.getCause(authErr, DisabledException.class); + if(disabledCause != null) + { + listener.authenticationFailed(new WebCredentials() {}); + } + else + { + throw authErr; + } + } } else { diff --git a/source/test-java/org/alfresco/RemoteApi01TestSuite.java b/source/test-java/org/alfresco/RemoteApi01TestSuite.java index d9b95d15e4..7611dcd8a7 100644 --- a/source/test-java/org/alfresco/RemoteApi01TestSuite.java +++ b/source/test-java/org/alfresco/RemoteApi01TestSuite.java @@ -25,8 +25,8 @@ */ package org.alfresco; -import junit.framework.JUnit4TestAdapter; -import junit.framework.Test; +import junit.framework.JUnit4TestAdapter; +import junit.framework.Test; import junit.framework.TestSuite; /** @@ -60,7 +60,8 @@ public class RemoteApi01TestSuite extends TestSuite { suite.addTestSuite(org.alfresco.repo.management.subsystems.test.SubsystemsTest.class); suite.addTestSuite(org.alfresco.repo.remoteticket.RemoteAlfrescoTicketServiceTest.class); - suite.addTest(new JUnit4TestAdapter(org.alfresco.rest.api.tests.TestCustomModelExport.class)); + suite.addTest(new JUnit4TestAdapter(org.alfresco.rest.api.tests.TestCustomModelExport.class)); + suite.addTest(new JUnit4TestAdapter(org.alfresco.repo.web.scripts.servlet.RemoteAuthenticatorFactoryTest.class)); } static void tests2(TestSuite suite) // diff --git a/source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java b/source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java new file mode 100644 index 0000000000..dc0126d73e --- /dev/null +++ b/source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java @@ -0,0 +1,220 @@ +/* + * #%L + * Alfresco Repository + * %% + * Copyright (C) 2005 - 2016 Alfresco Software Limited + * %% + * This file is part of the Alfresco software. + * If the software was purchased under a paid Alfresco license, the terms of + * the paid license agreement will prevail. Otherwise, the software is + * provided under the following open source license terms: + * + * Alfresco is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Alfresco is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with Alfresco. If not, see . + * #L% + */ +package org.alfresco.repo.web.scripts.servlet; + +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import java.io.Serializable; +import java.util.HashMap; +import java.util.Map; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.alfresco.model.ContentModel; +import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory; +import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager; +import org.alfresco.repo.security.authentication.AuthenticationUtil; +import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork; +import org.alfresco.repo.security.authentication.MutableAuthenticationDao; +import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback; +import org.alfresco.service.cmr.security.PersonService; +import org.alfresco.service.namespace.QName; +import org.alfresco.service.transaction.TransactionService; +import org.alfresco.util.ApplicationContextHelper; +import org.alfresco.util.GUID; +import org.junit.BeforeClass; +import org.junit.Test; +import org.springframework.context.ApplicationContext; +import org.springframework.extensions.webscripts.Authenticator; +import org.springframework.extensions.webscripts.Description.RequiredAuthentication; +import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest; +import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse; + +/** + * + * @author sglover + * + */ +public class RemoteAuthenticatorFactoryTest +{ + private static final String[] contextLocations = new String[] { + "classpath:alfresco/application-context.xml", + "classpath:alfresco/web-scripts-application-context.xml", + "classpath:alfresco/web-scripts-application-context-test.xml" + }; + + private static RemoteUserAuthenticatorFactory remoteUserAuthenticatorFactory; + private static PersonService personService; + private static TransactionService transactionService; + private static MutableAuthenticationDao authenticationDAO; + + @BeforeClass + public static void beforeClass() throws Exception + { + ApplicationContext ctx = ApplicationContextHelper.getApplicationContext(contextLocations); + DefaultChildApplicationContextManager childApplicationContextManager = (DefaultChildApplicationContextManager) ctx.getBean("Authentication"); + remoteUserAuthenticatorFactory = (RemoteUserAuthenticatorFactory) ctx.getBean("webscripts.authenticator.remoteuser"); + personService = (PersonService)ctx.getBean("PersonService"); + transactionService = (TransactionService)ctx.getBean("TransactionService"); + authenticationDAO = (MutableAuthenticationDao)ctx.getBean("authenticationDao"); + + childApplicationContextManager.stop(); + childApplicationContextManager.setProperty("chain", "external1:external"); + ChildApplicationContextFactory childApplicationContextFactory = childApplicationContextManager.getChildApplicationContextFactory("external1"); + childApplicationContextFactory.stop(); + childApplicationContextFactory.setProperty("external.authentication.proxyUserName", ""); + } + + private String createPerson(boolean enabled) + { + Map properties = new HashMap<>(); + String username = "user" + GUID.generate(); + properties.put(ContentModel.PROP_USERNAME, username); + properties.put(ContentModel.PROP_FIRSTNAME, username); + properties.put(ContentModel.PROP_LASTNAME, username); + if(!enabled) + { + properties.put(ContentModel.PROP_ENABLED, enabled); + } + personService.createPerson(properties); + + authenticationDAO.createUser(username, "password".toCharArray()); + authenticationDAO.setEnabled(username, enabled); + + return username; + } + + @Test + public void testDisabledUser() throws Exception + { + final String username = transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback() + { + @Override + public String execute() throws Throwable + { + return AuthenticationUtil.runAs(new RunAsWork() + { + @Override + public String doWork() throws Exception + { + return createPerson(false); + } + }, AuthenticationUtil.SYSTEM_USER_NAME); + } + }, false, true); + + transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback() + { + @Override + public Void execute() throws Throwable + { + return AuthenticationUtil.runAs(new RunAsWork() + { + @Override + public Void doWork() throws Exception + { + // Mock a request with a username in the header + HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class); + when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username); + when(mockHttpRequest.getScheme()).thenReturn("http"); + WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class); + when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest); + + HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class); + WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class); + when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse); + + Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse); + assertFalse(authenticator.authenticate(RequiredAuthentication.user, false)); + + return null; + } + }, AuthenticationUtil.SYSTEM_USER_NAME); + } + }, false, true); + } + + @Test + public void testEnabledUser() throws Exception + { + final String username = transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback() + { + @Override + public String execute() throws Throwable + { + return AuthenticationUtil.runAs(new RunAsWork() + { + @Override + public String doWork() throws Exception + { + return createPerson(true); + } + }, AuthenticationUtil.SYSTEM_USER_NAME); + } + }, false, true); + + // Mock a request with a username in the header + HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class); + when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username); + when(mockHttpRequest.getScheme()).thenReturn("http"); + WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class); + when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest); + + HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class); + WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class); + when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse); + + Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse); + assertTrue(authenticator.authenticate(RequiredAuthentication.user, false)); + } + + @Test + public void testLogInWithNonExistingPerson() + { + // Random non existing person + final String username = GUID.generate(); + + // Mock a request with a username in the header + HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class); + when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username); + when(mockHttpRequest.getScheme()).thenReturn("http"); + WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class); + when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest); + + HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class); + WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class); + when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse); + + Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse); + assertTrue("The non existing user should be authenticated.", authenticator.authenticate(RequiredAuthentication.user, false)); + assertTrue("The user should be auto created.", personService.personExists(username)); + } +} +