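/**
 * Checks a clear-text password against the salted hash persisted for the user.
 *
 * @param user the stored user; its {@code cryptedPassword} and {@code salt} are the reference values
 * @param password the clear-text password submitted by the caller
 * @return a failed result carrying a short reason when the stored hash or salt is missing or the
 *         password does not match the stored hash; a successful result with an empty message otherwise
 */
@Override
public AuthenticationResult checkCredentials(UserDto user, String password) {
  String storedHash = user.getCryptedPassword();
  if (storedHash == null) {
    return new AuthenticationResult(false, "null password in DB");
  }
  String salt = user.getSalt();
  if (salt == null) {
    return new AuthenticationResult(false, "null salt");
  }
  // Compare the two digests in constant time instead of with String#equals, which returns as soon as
  // the first differing character is found and thereby leaks how much of the stored hash was matched.
  // JDK names are fully qualified so that no file-level import has to change.
  byte[] expected = storedHash.getBytes(java.nio.charset.StandardCharsets.UTF_8);
  byte[] computed = hash(salt, password).getBytes(java.nio.charset.StandardCharsets.UTF_8);
  if (!java.security.MessageDigest.isEqual(expected, computed)) {
    return new AuthenticationResult(false, "wrong password");
  }
  return new AuthenticationResult(true, "");
}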
// Renaming a local account also renames its "sonarqube" external identity; every other field is left untouched.
@Test
public void update_only_login_of_local_account() {
  UserDto original = db.users().insertUser(newLocalUser(DEFAULT_LOGIN, "Marius", "marius@lesbronzes.fr"));
  createDefaultGroup();

  UpdateUser loginOnly = new UpdateUser().setLogin("new_login");
  underTest.updateAndCommit(session, original, loginOnly, u -> {
  });

  // the old login no longer resolves, so the row is looked up by its stable uuid
  assertThat(dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN)).isNull();
  UserDto reloaded = dbClient.userDao().selectByUuid(session, original.getUuid());
  assertThat(reloaded.getLogin()).isEqualTo("new_login");
  assertThat(reloaded.getExternalIdentityProvider()).isEqualTo("sonarqube");
  assertThat(reloaded.getExternalLogin()).isEqualTo("new_login");
  assertThat(reloaded.getExternalId()).isEqualTo("new_login");

  // fields that were not part of the update keep the inserted values
  assertThat(reloaded.isLocal()).isTrue();
  assertThat(reloaded.getName()).isEqualTo(original.getName());
  assertThat(reloaded.getEmail()).isEqualTo(original.getEmail());
  assertThat(reloaded.getScmAccountsAsList()).containsAll(original.getScmAccountsAsList());
  assertThat(reloaded.getSalt()).isEqualTo(original.getSalt());
  assertThat(reloaded.getCryptedPassword()).isEqualTo(original.getCryptedPassword());
}
// Updating only the SCM accounts replaces the list and leaves name, email and credentials untouched.
@Test
public void update_only_scm_accounts() {
  UserDto template = newLocalUser(DEFAULT_LOGIN, "Marius", "marius@lesbronzes.fr")
    .setScmAccounts(asList("ma", "marius33"))
    .setSalt("salt")
    .setCryptedPassword("crypted password");
  UserDto inserted = db.users().insertUser(template);
  createDefaultGroup();

  UpdateUser scmOnly = new UpdateUser().setScmAccounts(asList("ma2"));
  underTest.updateAndCommit(session, inserted, scmOnly, u -> {
  });

  UserDto reloaded = dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN);
  assertThat(reloaded.getScmAccountsAsList()).containsOnly("ma2");

  // fields that were not part of the update keep the inserted values
  assertThat(reloaded.getName()).isEqualTo("Marius");
  assertThat(reloaded.getEmail()).isEqualTo("marius@lesbronzes.fr");
  assertThat(reloaded.getSalt()).isEqualTo("salt");
  assertThat(reloaded.getCryptedPassword()).isEqualTo("crypted password");
}
// Updating only the email leaves name, SCM accounts and credentials untouched.
@Test
public void update_only_user_email() {
  UserDto template = newLocalUser(DEFAULT_LOGIN, "Marius", "marius@lesbronzes.fr")
    .setScmAccounts(asList("ma", "marius33"))
    .setSalt("salt")
    .setCryptedPassword("crypted password");
  UserDto inserted = db.users().insertUser(template);
  createDefaultGroup();

  UpdateUser emailOnly = new UpdateUser().setEmail("marius2@mail.com");
  underTest.updateAndCommit(session, inserted, emailOnly, u -> {
  });

  UserDto reloaded = dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN);
  assertThat(reloaded.getEmail()).isEqualTo("marius2@mail.com");

  // fields that were not part of the update keep the inserted values
  assertThat(reloaded.getName()).isEqualTo("Marius");
  assertThat(reloaded.getScmAccountsAsList()).containsOnly("ma", "marius33");
  assertThat(reloaded.getSalt()).isEqualTo("salt");
  assertThat(reloaded.getCryptedPassword()).isEqualTo("crypted password");
}
// Renaming an external account changes the SonarQube login only; the external identity and the rest of the row are untouched.
@Test
public void update_only_login_of_external_account() {
  UserDto original = db.users().insertUser(newExternalUser(DEFAULT_LOGIN, "Marius", "marius@lesbronzes.fr"));
  createDefaultGroup();

  UpdateUser loginOnly = new UpdateUser().setLogin("new_login");
  underTest.updateAndCommit(session, original, loginOnly, u -> {
  });

  // the old login no longer resolves, so the row is looked up by its stable uuid
  assertThat(dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN)).isNull();
  UserDto reloaded = dbClient.userDao().selectByUuid(session, original.getUuid());
  assertThat(reloaded.getLogin()).isEqualTo("new_login");

  // fields that were not part of the update keep the inserted values
  assertThat(reloaded.isLocal()).isFalse();
  assertThat(reloaded.getExternalLogin()).isEqualTo(original.getExternalLogin());
  assertThat(reloaded.getExternalId()).isEqualTo(original.getExternalId());
  assertThat(reloaded.getName()).isEqualTo(original.getName());
  assertThat(reloaded.getEmail()).isEqualTo(original.getEmail());
  assertThat(reloaded.getScmAccountsAsList()).containsAll(original.getScmAccountsAsList());
  assertThat(reloaded.getSalt()).isEqualTo(original.getSalt());
  assertThat(reloaded.getCryptedPassword()).isEqualTo(original.getCryptedPassword());
}
// Updating only the name leaves email, SCM accounts and credentials untouched.
@Test
public void update_only_user_name() {
  UserDto template = newLocalUser(DEFAULT_LOGIN, "Marius", "marius@lesbronzes.fr")
    .setScmAccounts(asList("ma", "marius33"))
    .setSalt("salt")
    .setCryptedPassword("crypted password");
  UserDto inserted = db.users().insertUser(template);
  createDefaultGroup();

  UpdateUser nameOnly = new UpdateUser().setName("Marius2");
  underTest.updateAndCommit(session, inserted, nameOnly, u -> {
  });

  UserDto reloaded = dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN);
  assertThat(reloaded.getName()).isEqualTo("Marius2");

  // fields that were not part of the update keep the inserted values
  assertThat(reloaded.getEmail()).isEqualTo("marius@lesbronzes.fr");
  assertThat(reloaded.getScmAccountsAsList()).containsOnly("ma", "marius33");
  assertThat(reloaded.getSalt()).isEqualTo("salt");
  assertThat(reloaded.getCryptedPassword()).isEqualTo("crypted password");
}
// A user created through an external identity provider is non-local and carries no password material.
@Test
public void create_user_with_identity_provider() {
  createDefaultGroup();
  ExternalIdentity githubIdentity = new ExternalIdentity("github", "github-user", "ABCD");

  underTest.createAndCommit(db.getSession(), NewUser.builder()
    .setLogin("user")
    .setName("User")
    .setExternalIdentity(githubIdentity)
    .build(), u -> {
    });

  UserDto created = dbClient.userDao().selectByLogin(session, "user");
  assertThat(created.isLocal()).isFalse();
  assertThat(created.getExternalId()).isEqualTo("ABCD");
  assertThat(created.getExternalLogin()).isEqualTo("github-user");
  assertThat(created.getExternalIdentityProvider()).isEqualTo("github");
  // no local credentials are stored for an externally authenticated user
  assertThat(created.getCryptedPassword()).isNull();
  assertThat(created.getSalt()).isNull();
}
// An explicit "sonarqube" external identity still yields a non-local user without password material.
@Test
public void create_user_with_sonarqube_external_identity() {
  createDefaultGroup();
  ExternalIdentity sonarqubeIdentity = new ExternalIdentity(SQ_AUTHORITY, "user", "user");

  underTest.createAndCommit(db.getSession(), NewUser.builder()
    .setLogin("user")
    .setName("User")
    .setExternalIdentity(sonarqubeIdentity)
    .build(), u -> {
    });

  UserDto created = dbClient.userDao().selectByLogin(session, "user");
  assertThat(created.isLocal()).isFalse();
  assertThat(created.getExternalId()).isEqualTo("user");
  assertThat(created.getExternalLogin()).isEqualTo("user");
  assertThat(created.getExternalIdentityProvider()).isEqualTo("sonarqube");
  // no local credentials are stored for an externally authenticated user
  assertThat(created.getCryptedPassword()).isNull();
  assertThat(created.getSalt()).isNull();
}
assertThat(dto.isActive()).isTrue(); assertThat(dto.getScmAccountsAsList()).containsOnly("ma", "marius33"); assertThat(dto.getSalt()).isEqualTo("79bd6a8e79fb8c76ac8b121cc7e8e11ad1af8365"); assertThat(dto.getCryptedPassword()).isEqualTo("650d2261c98361e2f67f90ce5c65a95e7d8ea2fg"); assertThat(dto.isRoot()).isFalse();
// Deactivating a user clears its personal data and credentials but keeps the identifiers needed to
// recognise the account later; unrelated users are not affected.
@Test
public void deactivate_user() {
  UserDto toDeactivate = insertActiveUser();
  insertUserGroup(toDeactivate);
  UserDto untouched = insertActiveUser();
  session.commit();

  underTest.deactivateUser(session, toDeactivate);

  UserDto reloaded = underTest.selectUserById(session, toDeactivate.getId());
  assertThat(reloaded.isActive()).isFalse();
  // identifiers survive deactivation
  assertThat(reloaded.getLogin()).isNotNull();
  assertThat(reloaded.getExternalId()).isNotNull();
  assertThat(reloaded.getExternalLogin()).isNotNull();
  assertThat(reloaded.getExternalIdentityProvider()).isNotNull();
  // personal data and credentials are wiped
  assertThat(reloaded.getEmail()).isNull();
  assertThat(reloaded.getScmAccounts()).isNull();
  assertThat(reloaded.getSalt()).isNull();
  assertThat(reloaded.getCryptedPassword()).isNull();
  assertThat(reloaded.isRoot()).isFalse();
  assertThat(reloaded.getUpdatedAt()).isEqualTo(NOW);
  assertThat(reloaded.getHomepageType()).isNull();
  assertThat(reloaded.getHomepageParameter()).isNull();

  assertThat(underTest.selectUserById(session, untouched.getId())).isNotNull();
}
assertThat(dto.isLocal()).isTrue(); assertThat(dto.getSalt()).isNull(); assertThat(dto.getHashMethod()).isEqualTo(HashMethod.BCRYPT.name()); assertThat(dto.getCryptedPassword()).isNotNull();
// Switching a local user to an external identity stores that identity and drops the local credentials.
@Test
public void update_user_external_identity_when_user_was_local() {
  UserDto original = db.users().insertUser(newLocalUser(DEFAULT_LOGIN, "Marius", "marius@email.com"));
  createDefaultGroup();
  ExternalIdentity githubIdentity = new ExternalIdentity("github", "john", "ABCD");

  UpdateUser update = new UpdateUser()
    .setName("Marius2")
    .setEmail("marius2@email.com")
    .setExternalIdentity(githubIdentity);
  underTest.updateAndCommit(session, original, update, u -> {
  });

  UserDto reloaded = dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN);
  assertThat(reloaded.getExternalId()).isEqualTo("ABCD");
  assertThat(reloaded.getExternalLogin()).isEqualTo("john");
  assertThat(reloaded.getExternalIdentityProvider()).isEqualTo("github");
  // the local password material must not survive the switch to external authentication
  assertThat(reloaded.getCryptedPassword()).isNull();
  assertThat(reloaded.getSalt()).isNull();
  assertThat(reloaded.getUpdatedAt()).isGreaterThan(original.getCreatedAt());
}
// Updating only the password re-derives both salt and hash and leaves the other fields untouched.
@Test
public void update_only_user_password() {
  UserDto template = newLocalUser(DEFAULT_LOGIN, "Marius", "marius@lesbronzes.fr")
    .setScmAccounts(asList("ma", "marius33"))
    .setSalt("salt")
    .setCryptedPassword("crypted password");
  UserDto inserted = db.users().insertUser(template);
  createDefaultGroup();

  UpdateUser passwordOnly = new UpdateUser().setPassword("password2");
  underTest.updateAndCommit(session, inserted, passwordOnly, u -> {
  });

  UserDto reloaded = dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN);
  // a new salt is generated together with the new hash
  assertThat(reloaded.getSalt()).isNotEqualTo("salt");
  assertThat(reloaded.getCryptedPassword()).isNotEqualTo("crypted password");

  // fields that were not part of the update keep the inserted values
  assertThat(reloaded.getName()).isEqualTo("Marius");
  assertThat(reloaded.getScmAccountsAsList()).containsOnly("ma", "marius33");
  assertThat(reloaded.getEmail()).isEqualTo("marius@lesbronzes.fr");
}
assertThat(user.isOnboarded()).isTrue(); assertThat(user.getScmAccounts()).isEqualTo(",jo.hn,john2,"); assertThat(user.getSalt()).isEqualTo("1234"); assertThat(user.getCryptedPassword()).isEqualTo("abcd"); assertThat(user.getHashMethod()).isEqualTo("SHA1");
// Reactivating a disabled user applies the new profile, stores a fresh bcrypt hash and keeps the original creation date.
@Test
public void reactivate_user() {
  UserDto disabled = db.users().insertUser(u -> u.setActive(false));
  createDefaultGroup();

  underTest.reactivateAndCommit(db.getSession(), disabled, NewUser.builder()
    .setLogin("marius")
    .setName("Marius2")
    .setEmail("marius2@mail.com")
    .setPassword("password2")
    .build(), u -> {
    });

  UserDto reactivated = dbClient.userDao().selectByUuid(session, disabled.getUuid());
  assertThat(reactivated.isActive()).isTrue();
  assertThat(reactivated.getLogin()).isEqualTo("marius");
  assertThat(reactivated.getName()).isEqualTo("Marius2");
  assertThat(reactivated.getEmail()).isEqualTo("marius2@mail.com");
  assertThat(reactivated.getScmAccounts()).isNull();
  assertThat(reactivated.isLocal()).isTrue();
  // bcrypt embeds its own salt, so the separate salt column stays empty
  assertThat(reactivated.getSalt()).isNull();
  assertThat(reactivated.getHashMethod()).isEqualTo(HashMethod.BCRYPT.name());
  assertThat(reactivated.getCryptedPassword()).isNotNull().isNotEqualTo("650d2261c98361e2f67f90ce5c65a95e7d8ea2fg");
  assertThat(reactivated.getCreatedAt()).isEqualTo(disabled.getCreatedAt());
  assertThat(reactivated.getUpdatedAt()).isGreaterThan(disabled.getCreatedAt());
}
// Renaming a local ("sonarqube") account through the web service renames its external identity as well
// and must not touch the stored credentials.
@Test
public void update_login_from_sonarqube_account() {
  userSession.logIn().setSystemAdministrator();
  String oldLogin = "old_login";
  String newLogin = "new_login";
  UserDto original = db.users().insertUser(u -> u
    .setLogin(oldLogin)
    .setLocal(true)
    .setExternalIdentityProvider("sonarqube")
    .setExternalLogin(oldLogin)
    .setExternalId(oldLogin));

  ws.newRequest()
    .setParam("login", original.getLogin())
    .setParam("newLogin", newLogin)
    .execute();

  assertThat(db.getDbClient().userDao().selectByLogin(db.getSession(), oldLogin)).isNull();
  UserDto reloaded = db.getDbClient().userDao().selectByUuid(db.getSession(), original.getUuid());
  assertThat(reloaded.getLogin()).isEqualTo(newLogin);
  assertThat(reloaded.getExternalLogin()).isEqualTo(newLogin);
  assertThat(reloaded.getExternalId()).isEqualTo(newLogin);
  assertThat(reloaded.isLocal()).isTrue();
  // credentials are carried over unchanged
  assertThat(reloaded.getCryptedPassword()).isNotNull().isEqualTo(original.getCryptedPassword());
  assertThat(reloaded.getSalt()).isNotNull().isEqualTo(original.getSalt());
}
assertThat(reloaded.isOnboarded()).isTrue(); assertThat(reloaded.getScmAccounts()).isEqualTo(",jo.hn,john2,johndoo,"); assertThat(reloaded.getSalt()).isEqualTo("12345"); assertThat(reloaded.getCryptedPassword()).isEqualTo("abcde"); assertThat(reloaded.getHashMethod()).isEqualTo("BCRYPT");
// Reactivating a user without supplying a password must not invent one: salt and hash stay empty.
@Test
public void reactivate_user_not_having_password() {
  UserDto disabled = db.users().insertDisabledUser(u -> u.setSalt(null).setCryptedPassword(null));
  createDefaultGroup();

  UserDto reactivated = underTest.reactivateAndCommit(db.getSession(), disabled, NewUser.builder()
    .setLogin(disabled.getLogin())
    .setName(disabled.getName())
    .build(), u -> {
    });

  assertThat(reactivated.isActive()).isTrue();
  assertThat(reactivated.getName()).isEqualTo(disabled.getName());
  assertThat(reactivated.getScmAccounts()).isNull();
  assertThat(reactivated.getSalt()).isNull();
  assertThat(reactivated.getCryptedPassword()).isNull();
  assertThat(reactivated.getCreatedAt()).isEqualTo(disabled.getCreatedAt());
  assertThat(reactivated.getUpdatedAt()).isGreaterThan(disabled.getCreatedAt());
}
// A successful login against a SHA1-hashed credential transparently re-hashes it with bcrypt,
// and the upgraded credential must still accept the same clear-text password.
@Test
public void authentication_upgrade_hash_function_when_SHA1_was_used() {
  String clearText = randomAlphanumeric(60);
  byte[] saltBytes = new byte[20];
  RANDOM.nextBytes(saltBytes);
  String salt = DigestUtils.sha1Hex(saltBytes);
  // legacy layout: sha1 over "--salt--password--"
  String legacyDigest = DigestUtils.sha1Hex("--" + salt + "--" + clearText + "--");
  UserDto user = newUserDto()
    .setLogin("myself")
    .setHashMethod(SHA1.name())
    .setCryptedPassword(legacyDigest)
    .setSalt(salt);
  db.users().insertUser(user);

  underTest.authenticate(db.getSession(), user, clearText, AuthenticationEvent.Method.BASIC);

  Optional<UserDto> stored = db.users().selectUserByLogin("myself");
  assertThat(stored).isPresent();
  UserDto upgraded = stored.get();
  assertThat(upgraded.getHashMethod()).isEqualTo(BCRYPT.name());
  // bcrypt carries its own salt, so the legacy salt column is cleared
  assertThat(upgraded.getSalt()).isNull();

  // the re-hashed credential must still authenticate the same password
  underTest.authenticate(db.getSession(), user, clearText, AuthenticationEvent.Method.BASIC);
}
}
// Renaming an external account through the web service changes the SonarQube login only;
// the provider identity is kept and no credentials appear.
@Test
public void update_login_from_external_account() {
  userSession.logIn().setSystemAdministrator();
  String newLogin = "new_login";
  UserDto original = db.users().insertUser(u -> u
    .setLogin("old_login")
    .setLocal(false)
    .setExternalIdentityProvider("github")
    .setExternalLogin("github_login")
    .setExternalId("github_id")
    .setCryptedPassword(null)
    .setSalt(null));

  ws.newRequest()
    .setParam("login", original.getLogin())
    .setParam("newLogin", newLogin)
    .execute();

  UserDto reloaded = db.getDbClient().userDao().selectByUuid(db.getSession(), original.getUuid());
  assertThat(reloaded.getLogin()).isEqualTo(newLogin);
  // the identity at the provider is independent of the SonarQube login
  assertThat(reloaded.getExternalLogin()).isEqualTo("github_login");
  assertThat(reloaded.getExternalId()).isEqualTo("github_id");
  assertThat(reloaded.isLocal()).isFalse();
  assertThat(reloaded.getCryptedPassword()).isNull();
  assertThat(reloaded.getSalt()).isNull();
}