XWIKI-20335: Wiki existence is not properly checked in authenticate

xwiki · Nov 15, 2022 · 1943ea2 · 1943ea2
1 parent f15c327
commit 1943ea2
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 4 deletions.
diff --git a/...iki/security/authentication/internal/resource/AuthenticationResourceReferenceHandler.java b/...iki/security/authentication/internal/resource/AuthenticationResourceReferenceHandler.java
@@ -37,6 +37,8 @@
 import org.xwiki.resource.ResourceReferenceHandlerException;
 import org.xwiki.resource.ResourceType;
 import org.xwiki.security.authentication.AuthenticationResourceReference;
+import org.xwiki.wiki.descriptor.WikiDescriptorManager;
+import org.xwiki.wiki.manager.WikiManagerException;
 
 import com.xpn.xwiki.XWikiContext;
 import com.xpn.xwiki.XWikiContextInitializer;
@@ -59,6 +61,9 @@ public class AuthenticationResourceReferenceHandler extends AbstractResourceRefe
     @Inject
     private Execution execution;
 
+    @Inject
+    private WikiDescriptorManager wikiDescriptorManager;
+
     @Override
     public List<ResourceType> getSupportedResourceReferences()
     {
@@ -71,6 +76,17 @@ public void handle(ResourceReference reference, ResourceReferenceHandlerChain ch
     {
         AuthenticationResourceReference authenticationResourceReference = (AuthenticationResourceReference) reference;
 
+        WikiReference wikiReference = authenticationResourceReference.getWikiReference();
+        try {
+            if (!this.wikiDescriptorManager.exists(wikiReference.getName())) {
+                throw new ResourceReferenceHandlerException(
+                    String.format("The wiki [%s] does not exist.", wikiReference.getName()));
+            }
+        } catch (WikiManagerException e) {
+            throw new ResourceReferenceHandlerException(
+                String.format("Error when checking if wiki [%s] exists.", wikiReference.getName()), e);
+        }
+
         switch (authenticationResourceReference.getAction()) {
             case RETRIEVE_USERNAME:
                 this.handleAction("forgotusername", authenticationResourceReference.getWikiReference());

diff --git a/...security/authentication/internal/resource/AuthenticationResourceReferenceHandlerTest.java b/...security/authentication/internal/resource/AuthenticationResourceReferenceHandlerTest.java
@@ -31,11 +31,14 @@
 import org.xwiki.context.ExecutionContext;
 import org.xwiki.model.reference.WikiReference;
 import org.xwiki.resource.ResourceReferenceHandlerChain;
+import org.xwiki.resource.ResourceReferenceHandlerException;
 import org.xwiki.security.authentication.AuthenticationAction;
 import org.xwiki.security.authentication.AuthenticationResourceReference;
 import org.xwiki.test.junit5.mockito.ComponentTest;
 import org.xwiki.test.junit5.mockito.InjectMockComponents;
 import org.xwiki.test.junit5.mockito.MockComponent;
+import org.xwiki.wiki.descriptor.WikiDescriptorManager;
+import org.xwiki.wiki.manager.WikiManagerException;
 
 import com.xpn.xwiki.XWiki;
 import com.xpn.xwiki.XWikiContext;
@@ -45,6 +48,7 @@
 import com.xpn.xwiki.web.XWikiResponse;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
@@ -69,6 +73,9 @@ class AuthenticationResourceReferenceHandlerTest
     @MockComponent
     private Execution execution;
 
+    @MockComponent
+    private WikiDescriptorManager wikiDescriptorManager;
+
     private XWikiResponse response;
 
     private XWiki xwiki;
@@ -112,13 +119,19 @@ void getSupportedResourceReferences()
     void handleResetPassword() throws Exception
     {
         WikiReference wikiReference = new WikiReference("foo");
+        when(this.wikiDescriptorManager.exists("foo")).thenReturn(false);
         AuthenticationResourceReference resourceReference = new AuthenticationResourceReference(
             wikiReference,
             AuthenticationAction.RESET_PASSWORD);
 
-        when(this.xwiki.evaluateTemplate("resetpassword.vm", context)).thenReturn("Reset password content");
-
         ResourceReferenceHandlerChain chain = mock(ResourceReferenceHandlerChain.class);
+        ResourceReferenceHandlerException exception =
+            assertThrows(ResourceReferenceHandlerException.class,
+                () -> this.resourceReferenceHandler.handle(resourceReference, chain));
+        assertEquals("The wiki [foo] does not exist.", exception.getMessage());
+
+        when(this.wikiDescriptorManager.exists("foo")).thenReturn(true);
+        when(this.xwiki.evaluateTemplate("resetpassword.vm", context)).thenReturn("Reset password content");
         this.resourceReferenceHandler.handle(resourceReference, chain);
 
         verify(response).setContentType("text/html; charset=UTF-8");
@@ -133,20 +146,42 @@ void handleResetPassword() throws Exception
     void handleForgotUsername() throws Exception
     {
         WikiReference wikiReference = new WikiReference("bar");
+        when(this.wikiDescriptorManager.exists("bar")).thenReturn(false);
         AuthenticationResourceReference resourceReference = new AuthenticationResourceReference(
             wikiReference,
             AuthenticationAction.RETRIEVE_USERNAME);
 
+        ResourceReferenceHandlerChain chain = mock(ResourceReferenceHandlerChain.class);
+        ResourceReferenceHandlerException exception =
+            assertThrows(ResourceReferenceHandlerException.class,
+                () -> this.resourceReferenceHandler.handle(resourceReference, chain));
+        assertEquals("The wiki [bar] does not exist.", exception.getMessage());
+
+        when(this.wikiDescriptorManager.exists("bar")).thenReturn(true);
         when(this.xwiki.evaluateTemplate("forgotusername.vm", context)).thenReturn("Forgot user name content");
 
-        ResourceReferenceHandlerChain chain = mock(ResourceReferenceHandlerChain.class);
         this.resourceReferenceHandler.handle(resourceReference, chain);
-
         verify(response).setContentType("text/html; charset=UTF-8");
         verify(this.xWikiContextInitializer).initialize(any(ExecutionContext.class));
         verify(servletOutputStream).write("Forgot user name content".getBytes(StandardCharsets.UTF_8));
         verify(chain).handleNext(resourceReference);
         verify(context).setWikiReference(wikiReference);
         verify(context).setWikiReference(currentWiki);
     }
+
+    @Test
+    void handleForgotUsernameWikiDescriptorError() throws Exception
+    {
+        WikiReference wikiReference = new WikiReference("bar");
+        when(this.wikiDescriptorManager.exists("bar")).thenThrow(new WikiManagerException("Cannot access wiki"));
+        AuthenticationResourceReference resourceReference = new AuthenticationResourceReference(
+            wikiReference,
+            AuthenticationAction.RETRIEVE_USERNAME);
+
+        ResourceReferenceHandlerChain chain = mock(ResourceReferenceHandlerChain.class);
+        ResourceReferenceHandlerException exception =
+            assertThrows(ResourceReferenceHandlerException.class,
+                () -> this.resourceReferenceHandler.handle(resourceReference, chain));
+        assertEquals("Error when checking if wiki [bar] exists.", exception.getMessage());
+    }
 }