Access control at endpoints rather than internal logic (#36)

Author: takezoe

build.sbt

@@ -11,4 +11,5 @@ libraryDependencies ++= Seq(
   "org.scalatest" %% "scalatest-funspec"  % "3.2.3" % "test",
   "org.scalatest" %% "scalatest-funsuite" % "3.2.3" % "test",
   "org.scalatra"  %% "scalatra-scalatest" % ScalatraVersion % "test",
+  "org.mockito"   %  "mockito-core"       % "3.9.0" % "test",
 )

src/main/scala/fr/brouillard/gitbucket/h2/controller/H2BackupController.scala

@@ -3,7 +3,7 @@ package fr.brouillard.gitbucket.h2.controller
 import java.io.File
 import java.util.Date
 import fr.brouillard.gitbucket.h2._
-import fr.brouillard.gitbucket.h2.controller.H2BackupController.{defaultBackupFileName, doBackup, exportConnectedDatabase, logger}
+import fr.brouillard.gitbucket.h2.controller.H2BackupController.{defaultBackupFileName, exportConnectedDatabase}
 import gitbucket.core.controller.ControllerBase
 import gitbucket.core.model.Account
 import gitbucket.core.util.AdminAuthenticator
@@ -25,16 +25,6 @@ object H2BackupController {
     "gitbucket-db-" + format.format(new Date()) + ".zip"
   }
 
-  def doBackup(exportDatabase: File => Unit, loginAccount: Option[Account], params: Params): ActionResult = {
-    loginAccount match {
-      case Some(x) if x.isAdmin =>
-        val filePath: String = params.getOrElse("dest", defaultBackupFileName())
-        exportDatabase(new File(filePath))
-        Ok(filePath, Map("Content-Type" -> "text/plain"))
-      case _ => org.scalatra.Unauthorized()
-    }
-  }
-
   def exportConnectedDatabase(conn: Connection, exportFile: File): Unit = {
     val destFile = if (exportFile.isAbsolute) exportFile else new File(GitBucketHome + "/backup", exportFile.toString)
 
@@ -58,38 +48,41 @@ class H2BackupController extends ControllerBase with AdminAuthenticator {
     "dest" -> trim(label("Destination", text(required)))
   )(BackupForm.apply)
 
-  def exportDatabase(exportFile: File): Unit = {
+  private def exportDatabase(exportFile: File): Unit = {
     exportConnectedDatabase(Database.getSession(request).conn, exportFile)
   }
 
+  private def doBackupMoved(): ActionResult = {
+    org.scalatra.MethodNotAllowed("This has moved to POST /api/v3/plugins/database/backup")
+  }
+
   get("/admin/h2backup")(adminOnly {
     html.export(flash.get("info"), flash.get("dest").orElse(Some(defaultBackupFileName())))
   })
 
-  get("/api/v3/plugins/database/backup") {
+  // Migrated to POST method. This action will be removed in the future version.
+  get("/api/v3/plugins/database/backup")(adminOnly {
     doBackupMoved()
-  }
+  })
 
-  post("/api/v3/plugins/database/backup") {
-    doBackup(exportDatabase, context.loginAccount, params)
-  }
+  post("/api/v3/plugins/database/backup")(adminOnly {
+    val filePath = params.getOrElse("dest", defaultBackupFileName())
+    exportDatabase(new File(filePath))
+    Ok(filePath, Map("Content-Type" -> "text/plain"))
+  })
 
-  // Legacy api that was insecure/open by default
-  get("/database/backup") {
+  // Legacy api that was insecure/open by default. This action will be removed in the future version.
+  get("/database/backup")(adminOnly {
     doBackupMoved()
-  }
-
-  private def doBackupMoved(): ActionResult = {
-    org.scalatra.MethodNotAllowed("This has moved to POST /api/v3/plugins/database/backup")
-  }
+  })
 
   // Responds to a form post from a web page
-  post("/database/backup", backupForm) { form: BackupForm =>
+  post("/database/backup", backupForm)(adminOnly { form: BackupForm =>
     exportDatabase(new File(form.destFile))
     val msg: String = "H2 Database has been exported to '" + form.destFile + "'."
     flash.update("info", msg)
     flash.update("dest", form.destFile)
     redirect("/admin/h2backup")
-  }
+  })
 
 }

src/test/scala/fr/brouillard/gitbucket/h2/controller/H2BackupControllerTests.scala

@@ -1,10 +1,12 @@
 package fr.brouillard.gitbucket.h2.controller
 
+import gitbucket.core.controller.Context
 import gitbucket.core.model.Account
 import gitbucket.core.servlet.ApiAuthenticationFilter
 import org.apache.commons.io.FileSystemUtils
 import org.h2.Driver
 import org.h2.engine.Database
+import org.mockito.Mockito._
 import org.scalatest.funsuite.AnyFunSuite
 import org.scalatest.matchers.should.Matchers.{convertToAnyShouldWrapper, equal}
 import org.scalatra.{Ok, Params, ScalatraParams}
@@ -15,30 +17,76 @@ import java.nio.file.{Files, Path, Paths}
 import java.util.{Date, Properties}
 import scala.util.Using
 
-class H2BackupControllerTests extends ScalatraFunSuite {
+import H2BackupControllerTests._
+import gitbucket.core.service.SystemSettingsService
+
+class H2BackupControllerWithAdminTests extends ScalatraFunSuite {
   addFilter(classOf[ApiAuthenticationFilter], path="/api/*")
-  addFilter(classOf[H2BackupController], "/*")
+  addFilter(new H2BackupController() {
+    override implicit val context = buildContext(isAdmin = true)
+  }, "/*")
 
-  test("get database backup api") {
+  test("get database backup api with admin") {
     get("/api/v3/plugins/database/backup") {
       status should equal (405)
       body should include ("This has moved")
     }
   }
 
-  test("get database backup legacy") {
+  test("get database backup legacy with admin") {
     get("/database/backup") {
       status should equal (405)
       body should include ("This has moved")
     }
   }
+}
 
-  test("post database backup without credentials is unauthorized") {
+class H2BackupControllerWithNonAdminTests extends ScalatraFunSuite {
+  addFilter(classOf[ApiAuthenticationFilter], path="/api/*")
+  addFilter(new H2BackupController() {
+    override implicit val context = buildContext(isAdmin = false)
+  }, "/*")
+
+  test("get database backup api with non-admin") {
+    get("/api/v3/plugins/database/backup") {
+      status should equal (401)
+    }
+  }
+
+  test("get database backup legacy with non-admin") {
+    get("/database/backup") {
+      status should equal (401)
+    }
+  }
+
+  test("post database backup with non-admin") {
     post("/api/v3/plugins/database/backup") {
       status should equal (401)
     }
   }
+}
+
+class H2BackupControllerWithoutLoginTests extends ScalatraFunSuite {
+  addFilter(classOf[ApiAuthenticationFilter], path="/api/*")
+  addFilter(classOf[H2BackupController], "/*")
+
+  test("get database backup api without login") {
+    get("/api/v3/plugins/database/backup") {
+      status should equal (401)
+    }
+  }
 
+  test("get database backup legacy without login") {
+    get("/database/backup") {
+      status should equal (401)
+    }
+  }
+
+  test("post database backup without login") {
+    post("/api/v3/plugins/database/backup") {
+      status should equal (401)
+    }
+  }
 }
 
 class H2BackupControllerObjectTests extends AnyFunSuite {
@@ -47,23 +95,6 @@ class H2BackupControllerObjectTests extends AnyFunSuite {
     assert(name.endsWith(".zip"))
   }
 
-  private def buildAccount(isAdmin: Boolean) = {
-    Account(
-      userName = "a",
-      fullName = "b",
-      mailAddress = "c",
-      password = "d",
-      isAdmin = isAdmin,
-      url = None,
-      registeredDate = new Date(),
-      updatedDate = new Date(),
-      lastLoginDate = None,
-      image = None,
-      isGroupAccount = false,
-      isRemoved = false,
-      description = None)
-  }
-
   private def h2Url(file: File): String = {
     "jdbc:h2:file:" + file + ";DATABASE_TO_UPPER=false"
   }
@@ -110,62 +141,34 @@ class H2BackupControllerObjectTests extends AnyFunSuite {
   test("generates default file name") {
     assertDefaultFileName(H2BackupController.defaultBackupFileName())
   }
+}
 
-  test("post database backup with admin credentials is executed with default file name") {
-    val account = buildAccount(true)
-    val params: Params = new ScalatraParams(Map())
-
-    var executed = false;
-
-    val exportDatabase = (file: File) => {
-      assert(!executed)
-      assertDefaultFileName(file.getName)
-
-      executed = true
-    }
-
-    val action = H2BackupController.doBackup(exportDatabase, Some(account), params)
-
-    assert(executed)
-    assert(action.status == 200)
-
-    // Not JSON and not HTML
-    assert(action.headers.get("Content-Type").contains("text/plain"))
-  }
-
-  test("post database backup with admin credentials is executed with specific file name") {
-    val fileName = "foo.zip"
-    val account = buildAccount(true)
-    val params: Params = new ScalatraParams(Map("dest" -> Seq(fileName)))
-
-    var executed = false;
-
-    val exportDatabase = (file: File) => {
-      assert(!executed)
-      assert(file.getName.equals(fileName))
-
-      executed = true
-    }
-
-    val action = H2BackupController.doBackup(exportDatabase, Some(account), params)
-
-    assert(executed)
-    assert(action.status == 200)
+object H2BackupControllerTests {
+  val systemSetting = mock(classOf[SystemSettingsService.SystemSettings])
+  when(systemSetting.sshAddress).thenReturn(None)
 
-    // Not JSON and not HTML
-    assert(action.headers.get("Content-Type").contains("text/plain"))
+  def buildContext(isAdmin: Boolean) = {
+    val context = mock(classOf[Context])
+    when(context.baseUrl).thenReturn("http://localhost:8080")
+    when(context.loginAccount).thenReturn(Some(buildAccount(isAdmin)))
+    when(context.settings).thenReturn(systemSetting)
+    context
   }
 
-  test("post database backup with unprivileged credentials is unauthorized") {
-    val account = buildAccount(false)
-    val params: Params = new ScalatraParams(Map())
-
-    val exportDatabase = (file: File) => {
-      fail()
-    }
-
-    val action = H2BackupController.doBackup(exportDatabase, Some(account), params)
-    assert(action.status == 401)
+  def buildAccount(isAdmin: Boolean) = {
+    Account(
+      userName = "a",
+      fullName = "b",
+      mailAddress = "c",
+      password = "d",
+      isAdmin = isAdmin,
+      url = None,
+      registeredDate = new Date(),
+      updatedDate = new Date(),
+      lastLoginDate = None,
+      image = None,
+      isGroupAccount = false,
+      isRemoved = false,
+      description = None)
   }
-
 }