Merge pull request #1 from InfoSec812/limit-gapps-domain

Added support for only allowing a single GApps domain

pom.xml

@@ -25,6 +25,7 @@
     <maven.compiler.source>1.7</maven.compiler.source>
     <maven.compiler.target>1.7</maven.compiler.target>
     <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
+    <sonar.cobertura.reportPath>${project.basedir}/target/site/cobertura/coverage.xml</sonar.cobertura.reportPath>
     <sonar.language>java</sonar.language>
   </properties>
 
@@ -132,6 +133,29 @@
           <pluginClass>org.sonarqube.auth.google.AuthGooglePlugin</pluginClass>
         </configuration>
       </plugin>
+      <plugin>
+        <groupId>org.codehaus.mojo</groupId>
+        <artifactId>cobertura-maven-plugin</artifactId>
+        <version>2.7</version>
+        <executions>
+          <execution>
+            <phase>package</phase>
+            <goals>
+              <goal>clean</goal>
+              <goal>cobertura</goal>
+            </goals>
+          </execution>
+        </executions>
+        <configuration>
+          <check>
+          </check>
+          <formats>
+            <format>html</format>
+            <format>xml</format>
+          </formats>
+          <instrumentation></instrumentation>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 

src/main/java/org/sonarqube/auth/google/GoogleIdentityProvider.java

@@ -31,7 +31,6 @@
 import org.sonar.api.utils.log.Loggers;
 
 import javax.servlet.http.HttpServletRequest;
-
 import java.io.IOException;
 
 import static java.lang.String.format;
@@ -102,10 +101,10 @@ public void callback(CallbackContext context) {
 
     GsonUser gsonUser = requestUser(scribe, accessToken);
     String redirectTo;
-    if (settings.oauthDomain()!=null && gsonUser.getEmail().endsWith("@"+settings.oauthDomain())) {
+    if (settings.oauthDomain()==null || (settings.oauthDomain()!=null && gsonUser.getEmail().endsWith("@"+settings.oauthDomain()))) {
+      redirectTo = settings.getSonarBaseURL();
       UserIdentity userIdentity = userIdentityFactory.create(gsonUser);
       context.authenticate(userIdentity);
-      redirectTo = settings.getSonarBaseURL();
     } else {
       redirectTo = settings.getSonarBaseURL()+"/sessions/unauthorized#";
     }

src/test/java/org/sonarqube/auth/google/GoogleIdentityProviderTest.java

@@ -51,18 +51,6 @@ public void check_fields() {
     assertThat(underTest.getDisplay().getBackgroundColor()).isEqualTo("#236487");
   }
 
-  @Test
-  public void is_enabled() {
-    settings.setProperty("sonar.auth.google.clientId.secured", "id");
-    settings.setProperty("sonar.auth.google.clientSecret.secured", "secret");
-    settings.setProperty("sonar.auth.google.loginStrategy", LOGIN_STRATEGY_DEFAULT_VALUE);
-    settings.setProperty("sonar.auth.google.enabled", true);
-    assertThat(underTest.isEnabled()).isTrue();
-
-    settings.setProperty("sonar.auth.google.enabled", false);
-    assertThat(underTest.isEnabled()).isFalse();
-  }
-
   @Test
   public void init() {
     setSettings(true);

src/test/java/org/sonarqube/auth/google/IntegrationTest.java

@@ -126,6 +126,20 @@ public void callback_on_successful_authentication() throws IOException, Interrup
     assertThat(userRequest.getPath()).startsWith("/oauth2/v1/userinfo");
   }
 
+  /**
+   * Second phase: Google redirects browser to SonarQube at /oauth/callback/google?code={the verifier code}.
+   * This SonarQube web service sends two requests to Google:
+   * <ul>
+   *   <li>get an access token</li>
+   *   <li>get the profile (login, name) of the authenticated user</li>
+   * </ul>
+   */
+  @Test
+  public void callback_on_successful_authentication_without_domain() throws IOException, InterruptedException {
+    settings.removeProperty("sonar.auth.google.limitOauthDomain");
+    callback_on_successful_authentication();
+  }
+
   @Test
   public void callback_throws_OAE_if_error_when_requesting_user_profile() throws IOException, InterruptedException {
     google.enqueue(newSuccessfulAccessTokenResponse());
@@ -142,6 +156,28 @@ public void callback_throws_OAE_if_error_when_requesting_user_profile() throws I
     assertThat(callbackContext.redirectSent.get()).isFalse();
   }
 
+  @Test
+  public void callback_redirects_to_unauthorized_if_domain_does_not_match() throws IOException, InterruptedException {
+    google.enqueue(newSuccessfulAccessTokenResponse());
+    // https://accounts.google.com/o/oauth2/token fails
+    google.enqueue(new MockResponse().setResponseCode(200).setBody("{\n"+
+            "    \"email\": \"[email protected]\",\n" +
+            "    \"verified_email\": true,\n" +
+            "    \"name\": \"John Smith\",\n" +
+            "    \"given_name\": \"John\",\n" +
+            "    \"family_name\": \"Smith\",\n" +
+            "    \"picture\": \"https://lh3.googleusercontent.com/-AAAAAAAA/AAAAAAAAAAA/AAAAAAAAAAA/AAAAAAAAAA/photo.jpg\",\n" +
+            "    \"locale\": \"en-US\"\n" +
+            "}"));
+
+    HttpServletRequest request = newRequest("the-verifier-code");
+    DumbCallbackContext callbackContext = new DumbCallbackContext(request);
+    underTest.callback(callbackContext);
+
+    assertThat(callbackContext.csrfStateVerified.get()).isFalse();
+    assertThat(callbackContext.userIdentity).isNull();
+  }
+
   /**
    * Response sent by Bitbucket to SonarQube when generating an access token
    */

travis.sh

@@ -13,7 +13,7 @@ if [ "${TRAVIS_BRANCH}" == "master" ] && [ "$TRAVIS_PULL_REQUEST" == "false" ];
   git fetch --unshallow || true
 
   export MAVEN_OPTS="-Xmx1536m -Xms128m"
-  mvn org.jacoco:jacoco-maven-plugin:prepare-agent verify sonar:sonar \
+  mvn cobertura:cobertura verify sonar:sonar \
       -Pcoverage-per-test \
       -Dmaven.test.redirectTestOutputToFile=false \
       -Dsonar.projectKey=$SONAR_PROJECT_KEY \
@@ -28,7 +28,7 @@ elif [ "$TRAVIS_PULL_REQUEST" != "false" ] && [ -n "${GITHUB_TOKEN:-}" ]; then
   # in Maven local repository. Phase "verify" is enough.
 
   export MAVEN_OPTS="-Xmx1G -Xms128m"
-  mvn org.jacoco:jacoco-maven-plugin:prepare-agent verify sonar:sonar \
+  mvn cobertura:cobertura verify sonar:sonar \
       -Dmaven.test.redirectTestOutputToFile=false \
       -Dsonar.projectKey=$SONAR_PROJECT_KEY \
       -Dsonar.analysis.mode=issues \