private boolean authenticateWithIdentityClaimedDuringHandshake( AuthRequest req, HttpServletResponse rsp, String claimedIdentifier) throws AccountException, IOException { Account.Id claimedId = accountManager.lookup(claimedIdentifier); Account.Id actualId = accountManager.lookup(user.getExternalId()); if (claimedId != null && actualId != null) { if (claimedId.equals(actualId)) { // Both link to the same account, that's what we expected. log.debug("OAuth2: claimed identity equals current id"); } else { // This is (for now) a fatal error. There are two records // for what might be the same user. // log.error( "OAuth accounts disagree over user identity:\n" + " Claimed ID: " + claimedId + " is " + claimedIdentifier + "\n" + " Delgate ID: " + actualId + " is " + user.getExternalId()); rsp.sendError(HttpServletResponse.SC_FORBIDDEN); return false; } } else if (claimedId != null && actualId == null) { // Claimed account already exists: link to it. // log.info("OAuth2: linking claimed identity to {}", claimedId.toString()); try { accountManager.link(claimedId, req); } catch (OrmException e) { log.error( "Cannot link: " + user.getExternalId() + " to user identity:\n" + " Claimed ID: " + claimedId + " is " + claimedIdentifier); rsp.sendError(HttpServletResponse.SC_FORBIDDEN); return false; } } return true; }
@Test public void byCommentBy() throws Exception { TestRepository<Repo> repo = createProject("repo"); Change change1 = newChange(repo, null, null, null, null).insert(); Change change2 = newChange(repo, null, null, null, null).insert(); int user2 = accountManager.authenticate(AuthRequest.forUser("anotheruser")).getAccountId().get(); ReviewInput input = new ReviewInput(); input.message = "toplevel"; ReviewInput.CommentInput comment = new ReviewInput.CommentInput(); comment.line = 1; comment.message = "inline"; input.comments = ImmutableMap.<String, List<ReviewInput.CommentInput>>of( Patch.COMMIT_MSG, ImmutableList.<ReviewInput.CommentInput>of(comment)); gApi.changes().id(change1.getId().get()).current().review(input); input = new ReviewInput(); input.message = "toplevel"; gApi.changes().id(change2.getId().get()).current().review(input); assertQuery("commentby:" + userId.get(), change2, change1); assertQuery("commentby:" + user2); }
private void authenticateAndRedirect(HttpServletRequest req, HttpServletResponse rsp) throws IOException { AuthRequest areq = new AuthRequest(user.getExternalId()); AuthResult arsp; try { String claimedIdentifier = user.getClaimedIdentity(); if (!Strings.isNullOrEmpty(claimedIdentifier)) { if (!authenticateWithIdentityClaimedDuringHandshake(areq, rsp, claimedIdentifier)) { return; } } else if (linkMode) { if (!authenticateWithLinkedIdentity(areq, rsp)) { return; } } areq.setUserName(user.getUserName()); areq.setEmailAddress(user.getEmailAddress()); areq.setDisplayName(user.getDisplayName()); arsp = accountManager.authenticate(areq); } catch (AccountException e) { log.error("Unable to authenticate user \"" + user + "\"", e); rsp.sendError(HttpServletResponse.SC_FORBIDDEN); return; } webSession.get().login(arsp, true); String suffix = redirectToken.substring(OAuthWebFilter.GERRIT_LOGIN.length() + 1); StringBuilder rdr = new StringBuilder(urlProvider.get(req)); rdr.append(Url.decode(suffix)); rsp.sendRedirect(rdr.toString()); }
private AuthResult create() { String fakeId = AccountExternalId.SCHEME_UUID + UUID.randomUUID(); try { return accountManager.authenticate(new AuthRequest(fakeId)); } catch (AccountException e) { getServletContext().log("cannot create new account", e); return null; } }
@Test public void byOwnerIn() throws Exception { TestRepository<Repo> repo = createProject("repo"); Change change1 = newChange(repo, null, null, userId.get(), null).insert(); int user2 = accountManager.authenticate(AuthRequest.forUser("anotheruser")).getAccountId().get(); Change change2 = newChange(repo, null, null, user2, null).insert(); assertQuery("ownerin:Administrators", change1); assertQuery("ownerin:\"Registered Users\"", change2, change1); }
@Test public void filterOutAllResults() throws Exception { TestRepository<Repo> repo = createProject("repo"); int user2 = accountManager.authenticate(AuthRequest.forUser("anotheruser")).getAccountId().get(); for (int i = 0; i < 5; i++) { newChange(repo, null, null, user2, null).insert(); } assertQuery("status:new ownerin:Administrators"); assertQuery("status:new ownerin:Administrators limit:2"); }
@Before public void setUpInjector() throws Exception { lifecycle = new LifecycleManager(); Injector injector = createInjector(); lifecycle.add(injector); injector.injectMembers(this); lifecycle.start(); db = schemaFactory.open(); schemaCreator.create(db); userId = accountManager.authenticate(AuthRequest.forUser("user")).getAccountId(); Account userAccount = db.accounts().get(userId); userAccount.setPreferredEmail("*****@*****.**"); db.accounts().update(ImmutableList.of(userAccount)); user = userFactory.create(Providers.of(db), userId); requestContext.setContext(newRequestContext(userAccount.getId())); }
@Test public void explicitVisibleTo() throws Exception { TestRepository<Repo> repo = createProject("repo"); Change change1 = newChange(repo, null, null, userId.get(), null).insert(); ChangeInserter ins2 = newChange(repo, null, null, userId.get(), null); Change change2 = ins2.getChange(); change2.setStatus(Change.Status.DRAFT); ins2.insert(); String q = "project:repo"; assertQuery(q, change2, change1); // Second user cannot see first user's drafts. Account.Id user2 = accountManager.authenticate(AuthRequest.forUser("anotheruser")).getAccountId(); assertQuery(q + " visibleto:" + user2.get(), change1); }
private boolean authenticateWithLinkedIdentity(AuthRequest areq, HttpServletResponse rsp) throws AccountException, IOException { try { accountManager.link(identifiedUser.get().getAccountId(), areq); } catch (OrmException e) { log.error( "Cannot link: " + user.getExternalId() + " to user identity: " + identifiedUser.get().getAccountId()); rsp.sendError(HttpServletResponse.SC_FORBIDDEN); return false; } finally { linkMode = false; } return true; }
@Test public void byLabel() throws Exception { accountManager.authenticate(AuthRequest.forUser("anotheruser")); TestRepository<Repo> repo = createProject("repo"); ChangeInserter ins = newChange(repo, null, null, null, null); Change change = ins.insert(); gApi.changes() .id(change.getId().get()) .current() .review(new ReviewInput().label("Code-Review", 1)); assertQuery("label:Code-Review=-2"); assertQuery("label:Code-Review-2"); assertQuery("label:Code-Review=-1"); assertQuery("label:Code-Review-1"); assertQuery("label:Code-Review=0"); assertQuery("label:Code-Review=+1", change); assertQuery("label:Code-Review=1", change); assertQuery("label:Code-Review+1", change); assertQuery("label:Code-Review=+2"); assertQuery("label:Code-Review=2"); assertQuery("label:Code-Review+2"); assertQuery("label:Code-Review>=0", change); assertQuery("label:Code-Review>0", change); assertQuery("label:Code-Review>=1", change); assertQuery("label:Code-Review>1"); assertQuery("label:Code-Review>=2"); assertQuery("label: Code-Review<=2", change); assertQuery("label: Code-Review<2", change); assertQuery("label: Code-Review<=1", change); assertQuery("label:Code-Review<1"); assertQuery("label:Code-Review<=0"); assertQuery("label:Code-Review=+1,anotheruser"); assertQuery("label:Code-Review=+1,user", change); assertQuery("label:Code-Review=+1,user=user", change); assertQuery("label:Code-Review=+1,Administrators", change); assertQuery("label:Code-Review=+1,group=Administrators", change); }
@Test public void reviewedBy() throws Exception { clockStepMs = MILLISECONDS.convert(2, MINUTES); TestRepository<Repo> repo = createProject("repo"); Change change1 = newChange(repo, null, null, null, null).insert(); Change change2 = newChange(repo, null, null, null, null).insert(); Change change3 = newChange(repo, null, null, null, null).insert(); gApi.changes().id(change1.getId().get()).current().review(new ReviewInput().message("comment")); Account.Id user2 = accountManager.authenticate(AuthRequest.forUser("anotheruser")).getAccountId(); requestContext.setContext(newRequestContext(user2)); gApi.changes().id(change2.getId().get()).current().review(new ReviewInput().message("comment")); PatchSet.Id ps3_1 = change3.currentPatchSetId(); change3 = newPatchSet(repo, change3); assertThat(change3.currentPatchSetId()).isNotEqualTo(ps3_1); // Response to previous patch set still counts as reviewing. gApi.changes() .id(change3.getId().get()) .revision(ps3_1.get()) .review(new ReviewInput().message("comment")); List<ChangeInfo> actual; actual = assertQuery(newQuery("is:reviewed").withOption(REVIEWED), change3, change2); assertThat(actual.get(0).reviewed).isTrue(); assertThat(actual.get(1).reviewed).isTrue(); actual = assertQuery(newQuery("-is:reviewed").withOption(REVIEWED), change1); assertThat(actual.get(0).reviewed).isNull(); actual = assertQuery("reviewedby:" + userId.get()); actual = assertQuery(newQuery("reviewedby:" + user2.get()).withOption(REVIEWED), change3, change2); assertThat(actual.get(0).reviewed).isTrue(); assertThat(actual.get(1).reviewed).isTrue(); }
private void handleAuth(HttpServletRequest req) { String username = req.getRemoteUser(); if (username != null) { if (config.getBoolean("auth", "userNameToLowerCase", false)) { username = username.toLowerCase(Locale.US); } log.debug("User name: " + username); AccountState who = accountCache.getByUsername(username); log.debug("AccountState " + who); if (who == null && username.matches("^([a-zA-Z0-9][a-zA-Z0-9._-]*[a-zA-Z0-9]|[a-zA-Z0-9])$")) { log.debug( "User is not registered with Gerrit. Register now."); // This approach assumes an auth // type of HTTP_LDAP final AuthRequest areq = AuthRequest.forUser(username); try { accountManager.authenticate(areq); who = accountCache.getByUsername(username); if (who == null) { log.warn("Unable to register user \"" + username + "\". Continue as anonymous."); } else { log.debug("User registered."); } } catch (AccountException e) { log.warn("Exception registering user \"" + username + "\". Continue as anonymous.", e); } } if (who != null && who.getAccount().isActive()) { log.debug("Not anonymous user"); WebSession ws = session.get(); ws.setUserAccountId(who.getAccount().getId()); ws.setAccessPathOk(AccessPath.REST_API, true); } else { log.debug("Anonymous user"); } } }