From b4a63aad7f56486c164a15ae2477bcd251b0bb1b Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 18 Mar 2014 21:10:48 -0400
Subject: [PATCH] Fix authentication security hole with external providers

---
 src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java |   27 ++++++++++++++++-----------
 1 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java b/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
index 1fe8459..6ede831 100644
--- a/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
+++ b/src/test/java/com/gitblit/tests/RedmineAuthenticationTest.java
@@ -8,6 +8,7 @@
 
 import com.gitblit.IStoredSettings;
 import com.gitblit.auth.RedmineAuthProvider;
+import com.gitblit.manager.AuthenticationManager;
 import com.gitblit.manager.RuntimeManager;
 import com.gitblit.manager.UserManager;
 import com.gitblit.models.UserModel;
@@ -18,10 +19,6 @@
     private static final String JSON = "{\"user\":{\"created_on\":\"2011-03-28T00:41:29Z\",\"lastname\":\"foo\","
         + "\"last_login_on\":\"2012-09-06T23:59:26Z\",\"firstname\":\"baz\","
         + "\"id\":4,\"login\":\"RedmineUserId\",\"mail\":\"baz@example.com\"}}";
-
-    private static final String NOT_ADMIN_JSON = "{\"user\":{\"lastname\":\"foo\","
-        + "\"last_login_on\":\"2012-09-08T13:59:01Z\",\"created_on\":\"2009-03-17T14:25:50Z\","
-        + "\"mail\":\"baz@example.com\",\"id\":5,\"firstname\":\"baz\"}}";
 
     MemorySettings getSettings() {
     	return new MemorySettings(new HashMap<String, Object>());
@@ -38,6 +35,17 @@
     RedmineAuthProvider newRedmineAuthentication() {
     	return newRedmineAuthentication(getSettings());
     }
+    
+    AuthenticationManager newAuthenticationManager() {
+    	RuntimeManager runtime = new RuntimeManager(getSettings(), GitBlitSuite.BASEFOLDER).start();
+    	UserManager users = new UserManager(runtime).start();
+    	RedmineAuthProvider redmine = new RedmineAuthProvider();
+    	redmine.setup(runtime, users);
+        redmine.setTestingCurrentUserAsJson(JSON);
+    	AuthenticationManager auth = new AuthenticationManager(runtime, users);
+    	auth.addAuthenticationProvider(redmine);
+    	return auth;
+    }
 
     @Test
     public void testAuthenticate() throws Exception {
@@ -48,18 +56,15 @@
         assertThat(userModel.getDisplayName(), is("baz foo"));
         assertThat(userModel.emailAddress, is("baz@example.com"));
         assertNotNull(userModel.cookie);
-        assertThat(userModel.canAdmin, is(true));
     }
 
     @Test
-    public void testAuthenticateNotAdminUser() throws Exception {
-    	RedmineAuthProvider redmine = newRedmineAuthentication();
-        redmine.setTestingCurrentUserAsJson(NOT_ADMIN_JSON);
-        UserModel userModel = redmine.authenticate("RedmineUserId", "RedmineAPIKey".toCharArray());
-        assertThat(userModel.getName(), is("redmineuserid"));
+    public void testAuthenticationManager() throws Exception {
+    	AuthenticationManager auth = newAuthenticationManager();
+        UserModel userModel = auth.authenticate("RedmineAdminId", "RedmineAPIKey".toCharArray());
+        assertThat(userModel.getName(), is("redmineadminid"));
         assertThat(userModel.getDisplayName(), is("baz foo"));
         assertThat(userModel.emailAddress, is("baz@example.com"));
         assertNotNull(userModel.cookie);
-        assertThat(userModel.canAdmin, is(false));
     }
 }

--
Gitblit v1.9.1