Merged DEV to 5.2.N (5.2.1)

133903 sglover: MNT-17247 "Disabled user can log into Alfresco Share using external authentication" take user disabled status in to account for external authentication subsystem + tests 133907 sglover: MNT-17247 "Disabled user can log into Alfresco Share using external authentication" don't propagate user disabled exception 133930 sglover: MNT-17247 "Disabled user can log into Alfresco Share using external authentication" move test class and add to a test suite 134295 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - Added a test to simulate creation of missing person during external auth log in. 134315 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - Added a fallback to supprt the logging in by non provisioned users. 134354 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - Added a test with deauthorized user. Refactored existing test to start context once. 134359 jvonka: REPO-1227: External authentication - prevent disabled user from authenticating - add log warning (with masked username, similar to brute force attack) if authentication bypassed when setting user details 134372 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - Updated core and data model (contain new logging) 134390 amukha: MNT-17247: Disabled user can log into Alfresco Share using external authentication - isEnabled flag for users is returned correctly - Added tests git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/BRANCHES/DEV/5.2.N/root@134396 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-14 17:58:59 +00:00 · 2017-01-17 13:57:05 +00:00
parent 868f0029d3
commit 0d8bfe6aa7
3 changed files with 246 additions and 6 deletions
--- a/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java
+++ b/source/java/org/alfresco/repo/web/scripts/servlet/RemoteUserAuthenticatorFactory.java
@@ -27,6 +27,7 @@ package org.alfresco.repo.web.scripts.servlet;
 import javax.servlet.http.HttpSession;
 import org.alfresco.error.ExceptionStackUtil;
 import org.alfresco.repo.SessionUser;
 import org.alfresco.repo.management.subsystems.ActivateableBean;
 import org.alfresco.repo.security.authentication.AuthenticationComponent;
@@ -43,6 +44,8 @@ import org.springframework.extensions.webscripts.Description.RequiredAuthenticat
 import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
 import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse;
 import net.sf.acegisecurity.DisabledException;
 /**
 * Authenticator to provide Remote User based Header authentication dropping back to Basic Auth otherwise. 
 * Statelessly authenticating via a secure header now does not require a Session so can be used with
@@ -98,11 +101,27 @@ public class RemoteUserAuthenticatorFactory extends BasicHttpAuthenticatorFactor
            // retrieve the remote user if configured and available - authenticate that user directly
            final String userId = getRemoteUser();
            if (userId != null)
            {
                try
                {
                    authenticationComponent.setCurrentUser(userId);
                    listener.userAuthenticated(new TicketCredentials(authenticationService.getCurrentTicket()));
                    authenticated = true;
                }
                catch (AuthenticationException authErr)
                {
                    // don't propagate if the user is disabled
                    Throwable disabledCause = ExceptionStackUtil.getCause(authErr, DisabledException.class);
                    if(disabledCause != null)
                    {
                    	listener.authenticationFailed(new WebCredentials() {});
                    }
                    else
                    {
                        throw authErr;
                    }
                }
            }
            else
            {
                // is there a Session which might contain a valid user ticket?
--- a/source/test-java/org/alfresco/RemoteApi01TestSuite.java
+++ b/source/test-java/org/alfresco/RemoteApi01TestSuite.java
@@ -61,6 +61,7 @@ public class RemoteApi01TestSuite extends TestSuite
        suite.addTestSuite(org.alfresco.repo.management.subsystems.test.SubsystemsTest.class);
        suite.addTestSuite(org.alfresco.repo.remoteticket.RemoteAlfrescoTicketServiceTest.class);
        suite.addTest(new JUnit4TestAdapter(org.alfresco.rest.api.tests.TestCustomModelExport.class));
        suite.addTest(new JUnit4TestAdapter(org.alfresco.repo.web.scripts.servlet.RemoteAuthenticatorFactoryTest.class));
    }
    static void tests2(TestSuite suite) // 
--- a/source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java
+++ b/source/test-java/org/alfresco/repo/web/scripts/servlet/RemoteAuthenticatorFactoryTest.java
@@ -0,0 +1,220 @@
 /*
 * #%L
 * Alfresco Repository
 * %%
 * Copyright (C) 2005 - 2016 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
 * the paid license agreement will prevail.  Otherwise, the software is 
 * provided under the following open source license terms:
 * 
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * 
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
 * #L%
 */
 package org.alfresco.repo.web.scripts.servlet;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import java.io.Serializable;
 import java.util.HashMap;
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.alfresco.model.ContentModel;
 import org.alfresco.repo.management.subsystems.ChildApplicationContextFactory;
 import org.alfresco.repo.management.subsystems.DefaultChildApplicationContextManager;
 import org.alfresco.repo.security.authentication.AuthenticationUtil;
 import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
 import org.alfresco.repo.security.authentication.MutableAuthenticationDao;
 import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
 import org.alfresco.service.cmr.security.PersonService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.ApplicationContextHelper;
 import org.alfresco.util.GUID;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.springframework.context.ApplicationContext;
 import org.springframework.extensions.webscripts.Authenticator;
 import org.springframework.extensions.webscripts.Description.RequiredAuthentication;
 import org.springframework.extensions.webscripts.servlet.WebScriptServletRequest;
 import org.springframework.extensions.webscripts.servlet.WebScriptServletResponse;
 /**
 * 
 * @author sglover
 *
 */
 public class RemoteAuthenticatorFactoryTest
 {
    private static final String[] contextLocations = new String[] {
            "classpath:alfresco/application-context.xml",
            "classpath:alfresco/web-scripts-application-context.xml",
            "classpath:alfresco/web-scripts-application-context-test.xml"
    };
    private static RemoteUserAuthenticatorFactory remoteUserAuthenticatorFactory;
    private static PersonService personService;
    private static TransactionService transactionService;
    private static MutableAuthenticationDao authenticationDAO;
    @BeforeClass
    public static void beforeClass() throws Exception
    {
        ApplicationContext ctx = ApplicationContextHelper.getApplicationContext(contextLocations);
        DefaultChildApplicationContextManager childApplicationContextManager = (DefaultChildApplicationContextManager) ctx.getBean("Authentication");
        remoteUserAuthenticatorFactory = (RemoteUserAuthenticatorFactory) ctx.getBean("webscripts.authenticator.remoteuser");
        personService = (PersonService)ctx.getBean("PersonService");
        transactionService = (TransactionService)ctx.getBean("TransactionService");
        authenticationDAO = (MutableAuthenticationDao)ctx.getBean("authenticationDao");
        childApplicationContextManager.stop();
        childApplicationContextManager.setProperty("chain", "external1:external");
        ChildApplicationContextFactory childApplicationContextFactory = childApplicationContextManager.getChildApplicationContextFactory("external1");
        childApplicationContextFactory.stop();
        childApplicationContextFactory.setProperty("external.authentication.proxyUserName", "");
    }
    private String createPerson(boolean enabled)
    {
        Map<QName, Serializable> properties = new HashMap<>();
        String username = "user" + GUID.generate();
        properties.put(ContentModel.PROP_USERNAME, username);
        properties.put(ContentModel.PROP_FIRSTNAME, username);
        properties.put(ContentModel.PROP_LASTNAME, username);
        if(!enabled)
        {
            properties.put(ContentModel.PROP_ENABLED, enabled);
        }
        personService.createPerson(properties);
        authenticationDAO.createUser(username, "password".toCharArray());
        authenticationDAO.setEnabled(username, enabled);
        return username;
    }
    @Test
    public void testDisabledUser() throws Exception
    {
        final String username = transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<String>()
        {
            @Override
            public String execute() throws Throwable
            {
                return AuthenticationUtil.runAs(new RunAsWork<String>()
                {
                    @Override
                    public String doWork() throws Exception
                    {
                        return createPerson(false);
                    }
                }, AuthenticationUtil.SYSTEM_USER_NAME);
            }
        }, false, true);
        transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<Void>()
        {
            @Override
            public Void execute() throws Throwable
            {
                return AuthenticationUtil.runAs(new RunAsWork<Void>()
                {
                    @Override
                    public Void doWork() throws Exception
                    {
                        // Mock a request with a username in the header
                        HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class);
                        when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username);
                        when(mockHttpRequest.getScheme()).thenReturn("http");
                        WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class);
                        when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest);
                        HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class);
                        WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class);
                        when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse);
                        Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse);
                        assertFalse(authenticator.authenticate(RequiredAuthentication.user, false));
                        return null;
                    }
                }, AuthenticationUtil.SYSTEM_USER_NAME);
            }
        }, false, true);
    }
    @Test
    public void testEnabledUser() throws Exception
    {
        final String username = transactionService.getRetryingTransactionHelper().doInTransaction(new RetryingTransactionCallback<String>()
        {
            @Override
            public String execute() throws Throwable
            {
                return AuthenticationUtil.runAs(new RunAsWork<String>()
                {
                    @Override
                    public String doWork() throws Exception
                    {
                        return createPerson(true);
                    }
                }, AuthenticationUtil.SYSTEM_USER_NAME);
            }
        }, false, true);
        // Mock a request with a username in the header
        HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class);
        when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username);
        when(mockHttpRequest.getScheme()).thenReturn("http");
        WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class);
        when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest);
        HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class);
        WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class);
        when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse);
        Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse);
        assertTrue(authenticator.authenticate(RequiredAuthentication.user, false));
    }
    @Test
    public void testLogInWithNonExistingPerson()
    {
        // Random non existing person
        final String username = GUID.generate();
        // Mock a request with a username in the header
        HttpServletRequest mockHttpRequest = mock(HttpServletRequest.class);
        when(mockHttpRequest.getHeader("X-Alfresco-Remote-User")).thenReturn(username);
        when(mockHttpRequest.getScheme()).thenReturn("http");
        WebScriptServletRequest mockRequest = mock(WebScriptServletRequest.class);
        when(mockRequest.getHttpServletRequest()).thenReturn(mockHttpRequest);
        HttpServletResponse mockHttpResponse = mock(HttpServletResponse.class);
        WebScriptServletResponse mockResponse = mock(WebScriptServletResponse.class);
        when(mockResponse.getHttpServletResponse()).thenReturn(mockHttpResponse);
        Authenticator authenticator = remoteUserAuthenticatorFactory.create(mockRequest, mockResponse);
        assertTrue("The non existing user should be authenticated.", authenticator.authenticate(RequiredAuthentication.user, false));
        assertTrue("The user should be auto created.", personService.personExists(username));
    }
 }