Skip to content

Update tests and make authorization header check for Basic case-insensitive (RFC 7235) #679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
michael-doubez merged 17 commits into from
Mar 16, 2026
Merged

Update tests and make authorization header check for Basic case-insensitive (RFC 7235) #679

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
ce4bca6
Add README.md with hint how to run tests locally
Oct 28, 2025
fab709a
Split test PluginTest.java into smaller classes
Oct 28, 2025
c4012e9
ignore for test coverage
Oct 28, 2025
bef9dcc
Assert that objects are not null
Oct 28, 2025
f41009b
Simplify path
Oct 28, 2025
29aeac5
Also test avatar if user is null
Oct 28, 2025
cc09580
Move token test to own file
Oct 28, 2025
9031ad4
Keep parameter order
Oct 28, 2025
0198880
Move API Token test to custom class
Oct 28, 2025
fc00b31
New Test which do not require WithJenkins/JenkinsRule
Oct 28, 2025
f943764
Check if ApiTokenProperty is set first
Nov 11, 2025
fe5696a
Split into single bool variable
Nov 11, 2025
55d030e
Refactor OicSecurityRealmTokenExpirationTest.java
Nov 11, 2025
0aadcb6
Extend metadata
Nov 11, 2025
30b1e24
Dissolve MockHttpServletRequest.java
Nov 11, 2025
67685d2
Replace banned junit import
Nov 11, 2025
50ffb8f
Allow basic auth header value start with lower case
Nov 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 15 additions & 8 deletions src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1240,24 +1240,29 @@
if (isAllowTokenAccessWithoutOicSession()) {
// check if this is a valid api token based request
String authHeader = httpRequest.getHeader("Authorization");
if (authHeader != null && authHeader.startsWith("Basic ")) {
String token = new String(Base64.getDecoder().decode(authHeader.substring(6)), StandardCharsets.UTF_8)
.split(":")[1];

if (authHeader != null && authHeader.trim().toLowerCase().startsWith("basic ")) {
// this was a valid jenkins token being used, exit this filter and let
// the rest of chain be processed
// else do nothing and continue evaluating this request
ApiTokenProperty apiTokenProperty = user.getProperty(ApiTokenProperty.class);
return apiTokenProperty != null && apiTokenProperty.matchesPassword(token);
if (apiTokenProperty == null) {
return false;
}

String token = new String(Base64.getDecoder().decode(authHeader.substring(6)), StandardCharsets.UTF_8)
.split(":")[1];
return apiTokenProperty.matchesPassword(token);
}
}
return false;
}

boolean canRefreshToken(OicCredentials credentials) {
return serverConfiguration.toProviderMetadata().getGrantTypes() != null
&& serverConfiguration.toProviderMetadata().getGrantTypes().contains(GrantType.REFRESH_TOKEN)
&& !Strings.isNullOrEmpty(credentials.getRefreshToken());
boolean hasGrantTypes = getServerConfiguration().toProviderMetadata().getGrantTypes() != null;

Check warning on line 1261 in src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Partially covered line 

Line 1261 is only partially covered, one branch is missing
boolean containsGrantFreshToken = hasGrantTypes

Check warning on line 1262 in src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Partially covered line 

Line 1262 is only partially covered, one branch is missing
&& getServerConfiguration().toProviderMetadata().getGrantTypes().contains(GrantType.REFRESH_TOKEN);
boolean refreshTokenSet = credentials != null && !Strings.isNullOrEmpty(credentials.getRefreshToken());

Check warning on line 1264 in src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java

View check run for this annotation

ci.jenkins.io / Code Coverage

Partially covered line 

Line 1264 is only partially covered, one branch is missing
return containsGrantFreshToken && refreshTokenSet;
}

private void redirectToLoginUrl(HttpServletRequest req, HttpServletResponse res) throws IOException {
Expand Down Expand Up @@ -1327,6 +1332,7 @@
// we need to keep using exactly the same principal otherwise there is a potential for crumbs not to match.
// whilst we could do some normalization of the username, just use the original (expected) username
// see https://github.com/jenkinsci/oic-auth-plugin/issues/411
// codecov:ignore:start -- ignore for test coverage
if (LOGGER.isLoggable(Level.FINE)) {
Authentication a = SecurityContextHolder.getContext().getAuthentication();
User u = User.get2(a);
Expand All @@ -1336,6 +1342,7 @@
+ (u == null ? "null user" : u.getId()) + " newly retrieved username would have been: "
+ username);
}
// codecov:ignore:end
username = expectedUsername;

if (failedCheckOfTokenField(idToken)) {
Expand Down
9 changes: 9 additions & 0 deletions src/test/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
# Running Tests Locally

## Running test with Maven

To execute all tests locally, call `mvn clean install`

## Running test with an IDE

To run all tests in `src/test/java` at once, ensure that fork mode class is enabled.
Loading
Loading