Do not apply basic auth on webhook apis in at filter level

- Authentication for webhook is implemented at controller level(`controllers/api/web_hooks/WEB_HOOK_CONTROLLER`) based on provider.
gocd · Jul 16, 2018 · 9edcd29 · 9edcd29
1 parent a61bdfb
commit 9edcd29
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/...n/java/com/thoughtworks/go/server/newsecurity/filterchains/AuthenticationFilterChain.java b/...n/java/com/thoughtworks/go/server/newsecurity/filterchains/AuthenticationFilterChain.java
@@ -47,6 +47,7 @@ public AuthenticationFilterChain(
                 // For API authentication
                 .addFilterChain("/api/config-repository.git/**", invalidateAuthenticationOnSecurityConfigChangeFilter, assumeAnonymousUserFilter, reAuthenticationWithChallenge, basicAuthenticationWithChallengeFilter)
                 .addFilterChain("/cctray.xml", invalidateAuthenticationOnSecurityConfigChangeFilter, reAuthenticationWithChallenge, assumeAnonymousUserFilter, basicAuthenticationWithChallengeFilter)
+                .addFilterChain("/api/webhooks/*/notify", assumeAnonymousUserFilter)
                 .addFilterChain("/api/**", invalidateAuthenticationOnSecurityConfigChangeFilter, reAuthenticationWithChallenge, assumeAnonymousUserFilter, basicAuthenticationWithChallengeFilter)
 
                 .addFilterChain("/api/version", invalidateAuthenticationOnSecurityConfigChangeFilter, reAuthenticationWithRedirectToLoginPage, assumeAnonymousUserFilter, basicAuthenticationWithRedirectToLoginFilter)

diff --git a/...va/com/thoughtworks/go/server/newsecurity/filterchains/AuthenticationFilterChainTest.java b/...va/com/thoughtworks/go/server/newsecurity/filterchains/AuthenticationFilterChainTest.java
@@ -191,6 +191,26 @@ void shouldReauthenticateIfAuthenticationTokenIsInvalid(String url) throws IOExc
             assertThat(SessionUtils.getAuthenticationToken(request)).isSameAs(reauthenticatedToken);
         }
 
+        @ParameterizedTest
+        @ValueSource(strings = {"/api/webhooks/bitbucket/notify", "/api/webhooks/github/notify", "/api/webhooks/foo/notify"})
+        void shouldAllowAnonymousAccessForWebhookApis(String url) throws IOException, ServletException {
+            request = HttpRequestBuilder.GET(url)
+                    .build();
+
+            new AuthenticationFilterChain(null, null,
+                    null,
+                    null,
+                    null,
+                    null,
+                    null,
+                    assumeAnonymousUserFilter)
+                    .doFilter(request, response, filterChain);
+
+            verify(filterChain).doFilter(wrap(request), wrap(response));
+            MockHttpServletResponseAssert.assertThat(response).isOk();
+            assertThat(SessionUtils.getAuthenticationToken(request).getCredentials()).isSameAs(AnonymousCredential.INSTANCE);
+        }
+
         @ParameterizedTest
         @ValueSource(strings = {"/api/config-repository.git/git-upload-something", "/cctray.xml", "/api/foo", "/blah"})
         void shouldAuthenticateUsingBasicAuthForAllCalls(String url) throws IOException, ServletException {