Prevent non-backoffice auth schemes being overridden (#11630)

2022-02-28 09:40:51 +00:00
parent cf3d697bc5
commit 25ea5cdb1b
2 changed files with 48 additions and 5 deletions
--- a/src/Umbraco.Web.BackOffice/Security/BackOfficeAuthenticationBuilder.cs
+++ b/src/Umbraco.Web.BackOffice/Security/BackOfficeAuthenticationBuilder.cs
@@ -58,16 +58,15 @@ namespace Umbraco.Cms.Web.BackOffice.Security
        // TODO: We could override and throw NotImplementedException for other methods?

        // Ensures that the sign in scheme is always the Umbraco back office external type
-        private class EnsureBackOfficeScheme<TOptions> : IPostConfigureOptions<TOptions> where TOptions : RemoteAuthenticationOptions
+        internal class EnsureBackOfficeScheme<TOptions> : IPostConfigureOptions<TOptions> where TOptions : RemoteAuthenticationOptions
        {
            public void PostConfigure(string name, TOptions options)
            {
-                if (!name.StartsWith(Constants.Security.BackOfficeExternalAuthenticationTypePrefix))
+                // ensure logic only applies to backoffice authentication schemes
+                if (name.StartsWith(Constants.Security.BackOfficeExternalAuthenticationTypePrefix))
                {
-                    return;
+                    options.SignInScheme = Constants.Security.BackOfficeExternalAuthenticationType;
                }
-
-                options.SignInScheme = Constants.Security.BackOfficeExternalAuthenticationType;
            }
        }
    }
--- a/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Security/BackOfficeAuthenticationBuilderTests.cs
+++ b/tests/Umbraco.Tests.UnitTests/Umbraco.Web.BackOffice/Security/BackOfficeAuthenticationBuilderTests.cs
@@ -0,0 +1,44 @@
+// Copyright (c) Umbraco.
+// See LICENSE for more details.
+
+using Microsoft.AspNetCore.Authentication;
+using NUnit.Framework;
+using Umbraco.Cms.Core;
+using Umbraco.Cms.Web.BackOffice.Security;
+
+namespace Umbraco.Cms.Tests.UnitTests.Umbraco.Web.BackOffice.Security
+{
+    [TestFixture]
+    public class BackOfficeAuthenticationBuilderTests
+    {
+        [Test]
+        public void EnsureBackOfficeScheme_When_Backoffice_Auth_Scheme_Expect_Updated_SignInScheme()
+        {
+            var scheme = $"{Constants.Security.BackOfficeExternalAuthenticationTypePrefix}test";
+            var options = new RemoteAuthenticationOptions
+            {
+                SignInScheme = "my_cookie"
+            };
+
+            var sut = new BackOfficeAuthenticationBuilder.EnsureBackOfficeScheme<RemoteAuthenticationOptions>();
+            sut.PostConfigure(scheme, options);
+
+            Assert.AreEqual(options.SignInScheme, Constants.Security.BackOfficeExternalAuthenticationType);
+        }
+
+        [Test]
+        public void EnsureBackOfficeScheme_When_Not_Backoffice_Auth_Scheme_Expect_No_Change()
+        {
+            var scheme = "test";
+            var options = new RemoteAuthenticationOptions
+            {
+                SignInScheme = "my_cookie"
+            };
+
+            var sut = new BackOfficeAuthenticationBuilder.EnsureBackOfficeScheme<RemoteAuthenticationOptions>();
+            sut.PostConfigure(scheme, options);
+
+            Assert.AreNotEqual(options.SignInScheme, Constants.Security.BackOfficeExternalAuthenticationType);
+        }
+    }
+}