1 package org.apache.archiva.security;
4 * Licensed to the Apache Software Foundation (ASF) under one
5 * or more contributor license agreements. See the NOTICE file
6 * distributed with this work for additional information
7 * regarding copyright ownership. The ASF licenses this file
8 * to you under the Apache License, Version 2.0 (the
9 * "License"); you may not use this file except in compliance
10 * with the License. You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 * KIND, either express or implied. See the License for the
18 * specific language governing permissions and limitations
22 import org.apache.archiva.redback.users.User;
23 import org.apache.archiva.redback.users.UserManager;
24 import org.apache.archiva.security.common.ArchivaRoleConstants;
25 import org.apache.archiva.redback.authentication.AuthenticationException;
26 import org.apache.archiva.redback.authentication.AuthenticationResult;
27 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
28 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
29 import org.codehaus.plexus.redback.system.SecuritySession;
30 import org.easymock.MockControl;
31 import org.junit.Before;
32 import org.junit.Test;
34 import javax.inject.Inject;
35 import javax.inject.Named;
36 import javax.servlet.http.HttpServletRequest;
39 * ArchivaServletAuthenticatorTest
41 public class ArchivaServletAuthenticatorTest
42 extends AbstractSecurityTest
45 @Named( value = "servletAuthenticator#test" )
46 private ServletAuthenticator servletAuth;
48 private MockControl httpServletRequestControl;
50 private HttpServletRequest request;
58 httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
59 request = (HttpServletRequest) httpServletRequestControl.getMock();
61 setupRepository( "corporate" );
64 protected void assignRepositoryManagerRole( String principal, String repoId )
67 roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
71 public void testIsAuthenticatedUserExists()
74 AuthenticationResult result = new AuthenticationResult( true, "user", null );
75 boolean isAuthenticated = servletAuth.isAuthenticated( request, result );
77 assertTrue( isAuthenticated );
81 public void testIsAuthenticatedUserDoesNotExist()
84 AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
87 servletAuth.isAuthenticated( request, result );
88 fail( "Authentication exception should have been thrown." );
90 catch ( AuthenticationException e )
92 assertEquals( "User Credentials Invalid", e.getMessage() );
97 public void testIsAuthorizedUserHasWriteAccess()
100 createUser( USER_ALPACA, "Al 'Archiva' Paca" );
102 assignRepositoryManagerRole( USER_ALPACA, "corporate" );
104 UserManager userManager = securitySystem.getUserManager();
105 User user = userManager.findUser( USER_ALPACA );
107 AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
109 SecuritySession session = new DefaultSecuritySession( result, user );
110 boolean isAuthorized =
111 servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
113 assertTrue( isAuthorized );
115 restoreGuestInitialValues( USER_ALPACA );
119 public void testIsAuthorizedUserHasNoWriteAccess()
122 createUser( USER_ALPACA, "Al 'Archiva' Paca" );
124 assignRepositoryObserverRole( USER_ALPACA, "corporate" );
126 httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );
128 UserManager userManager = securitySystem.getUserManager();
129 User user = userManager.findUser( USER_ALPACA );
131 AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
133 SecuritySession session = new DefaultSecuritySession( result, user );
135 httpServletRequestControl.replay();
139 servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
140 fail( "UnauthorizedException should have been thrown." );
142 catch ( UnauthorizedException e )
144 assertEquals( "Access denied for repository corporate", e.getMessage() );
147 httpServletRequestControl.verify();
149 restoreGuestInitialValues( USER_ALPACA );
153 public void testIsAuthorizedUserHasReadAccess()
156 createUser( USER_ALPACA, "Al 'Archiva' Paca" );
158 assignRepositoryObserverRole( USER_ALPACA, "corporate" );
160 UserManager userManager = securitySystem.getUserManager();
161 User user = userManager.findUser( USER_ALPACA );
163 AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
165 SecuritySession session = new DefaultSecuritySession( result, user );
166 boolean isAuthorized =
167 servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
169 assertTrue( isAuthorized );
171 restoreGuestInitialValues( USER_ALPACA );
175 public void testIsAuthorizedUserHasNoReadAccess()
178 createUser( USER_ALPACA, "Al 'Archiva' Paca" );
180 UserManager userManager = securitySystem.getUserManager();
181 User user = userManager.findUser( USER_ALPACA );
183 AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
185 SecuritySession session = new DefaultSecuritySession( result, user );
188 servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
189 fail( "UnauthorizedException should have been thrown." );
191 catch ( UnauthorizedException e )
193 assertEquals( "Access denied for repository corporate", e.getMessage() );
196 restoreGuestInitialValues( USER_ALPACA );
200 public void testIsAuthorizedGuestUserHasWriteAccess()
203 assignRepositoryManagerRole( USER_GUEST, "corporate" );
204 boolean isAuthorized =
205 servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
207 assertTrue( isAuthorized );
209 // cleanup previously add karma
210 restoreGuestInitialValues(USER_GUEST);
215 public void testIsAuthorizedGuestUserHasNoWriteAccess()
218 assignRepositoryObserverRole( USER_GUEST, "corporate" );
220 boolean isAuthorized =
221 servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
222 assertFalse( isAuthorized );
224 // cleanup previously add karma
225 restoreGuestInitialValues(USER_GUEST);
230 public void testIsAuthorizedGuestUserHasReadAccess()
233 assignRepositoryObserverRole( USER_GUEST, "corporate" );
235 boolean isAuthorized =
236 servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
238 assertTrue( isAuthorized );
240 // cleanup previously add karma
241 restoreGuestInitialValues(USER_GUEST);
245 public void testIsAuthorizedGuestUserHasNoReadAccess()
248 boolean isAuthorized =
249 servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
251 assertFalse( isAuthorized );