deal with null entities in AuthorizationFramework

Vladimir Kotal · Vladimir Kotal · commit 01cebc92842e · 2019-01-25T14:00:56.000+01:00
fixes #2587
diff --git a/opengrok-indexer/src/main/java/org/opengrok/indexer/authorization/AuthorizationFramework.java b/opengrok-indexer/src/main/java/org/opengrok/indexer/authorization/AuthorizationFramework.java
@@ -763,6 +763,12 @@ private boolean checkAll(HttpServletRequest request, String cache, Nameable enti
             return true;
         }
 
+        if (entity == null) {
+            LOGGER.log(Level.WARNING, "entity was null for request with parameters: {}",
+                    request.getParameterMap());
+            return false;
+        }
+
         Statistics stats = RuntimeEnvironment.getInstance().getStatistics();
 
         Boolean val;
diff --git a/opengrok-indexer/src/test/java/org/opengrok/indexer/authorization/AuthorizationFrameworkTest.java b/opengrok-indexer/src/test/java/org/opengrok/indexer/authorization/AuthorizationFrameworkTest.java
@@ -24,6 +24,7 @@
 package org.opengrok.indexer.authorization;
 
 import java.util.Arrays;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
@@ -69,6 +70,14 @@ public static StackSetup[][] params() {
                 NewTest(true, createUnallowedProject()),
                 NewTest(true, createUnallowedGroup()))
             },
+            // Test that null entities will result in denial.
+            {
+                    new StackSetup(
+                        NewStack(AuthControlFlag.REQUIRED),
+                        // no plugins should return true however we have null entities here
+                        NewTest(false, (Project) null),
+                        NewTest(false, (Group) null))
+            },
             // -------------------------------------------------------------- //
             //
             // Test authorization flags for plugins. Both plugins do not fail
@@ -657,14 +666,15 @@ public void testPluginsGeneric() {
         String format = "%s <%s> was <%s> for entity %s";
 
         for (TestCase innerSetup : setup.setup) {
+            String entityName = (innerSetup.entity == null ? "null" : innerSetup.entity.getName());
             try {
                 actual = framework.isAllowed(innerSetup.request, (Group) innerSetup.entity);
-                Assert.assertEquals(String.format(format, setup.toString(), innerSetup.expected, actual, innerSetup.entity.getName()),
+                Assert.assertEquals(String.format(format, setup.toString(), innerSetup.expected, actual, entityName),
                         innerSetup.expected,
                         actual);
             } catch (ClassCastException ex) {
                 actual = framework.isAllowed(innerSetup.request, (Project) innerSetup.entity);
-                Assert.assertEquals(String.format(format, setup.toString(), innerSetup.expected, actual, innerSetup.entity.getName()),
+                Assert.assertEquals(String.format(format, setup.toString(), innerSetup.expected, actual, entityName),
                         innerSetup.expected,
                         actual);
             }
@@ -692,7 +702,12 @@ static private Group createUnallowedGroup() {
     }
 
     static private HttpServletRequest createRequest() {
-        return new DummyHttpServletRequest();
+        return new DummyHttpServletRequest() {
+            @Override
+            public Map<String, String[]> getParameterMap() {
+                return new HashMap<>();
+            }
+        };
     }
 
     static private IAuthorizationPlugin createAllowedPrefixPlugin() {
@@ -792,7 +807,7 @@ public TestCase(boolean expected, HttpServletRequest request, Nameable entity) {
 
         @Override
         public String toString() {
-            return "expected <" + expected + "> for entity " + entity.getName();
+            return "expected <" + expected + "> for entity " + (entity == null ? "null" : entity.getName());
         }
     }
 
