source.dussan.org Git - archiva.git/blob

   1 package org.apache.archiva.webdav;
   2
   3 /*
   4  * Licensed to the Apache Software Foundation (ASF) under one
   5  * or more contributor license agreements.  See the NOTICE file
   6  * distributed with this work for additional information
   7  * regarding copyright ownership.  The ASF licenses this file
   8  * to you under the Apache License, Version 2.0 (the
   9  * "License"); you may not use this file except in compliance
  10  * with the License.  You may obtain a copy of the License at
  11  *
  12  *  http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  17  * KIND, either express or implied.  See the License for the
  18  * specific language governing permissions and limitations
  19  * under the License.
  20  */
  21
  22 import com.meterware.httpunit.GetMethodWebRequest;
  23 import com.meterware.httpunit.HttpUnitOptions;
  24 import com.meterware.httpunit.PutMethodWebRequest;
  25 import com.meterware.httpunit.WebRequest;
  26 import com.meterware.httpunit.WebResponse;
  27 import com.meterware.servletunit.InvocationContext;
  28 import com.meterware.servletunit.ServletRunner;
  29 import com.meterware.servletunit.ServletUnitClient;
  30 import junit.framework.TestCase;
  31 import net.sf.ehcache.CacheManager;
  32 import org.apache.archiva.configuration.ArchivaConfiguration;
  33 import org.apache.archiva.configuration.Configuration;
  34 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
  35 import org.apache.archiva.redback.authentication.AuthenticationException;
  36 import org.apache.archiva.redback.authentication.AuthenticationResult;
  37 import org.apache.archiva.redback.authorization.UnauthorizedException;
  38 import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
  39 import org.apache.archiva.redback.system.DefaultSecuritySession;
  40 import org.apache.archiva.redback.system.SecuritySession;
  41 import org.apache.archiva.redback.users.User;
  42 import org.apache.archiva.redback.users.memory.SimpleUser;
  43 import org.apache.archiva.repository.audit.TestAuditListener;
  44 import org.apache.archiva.security.ServletAuthenticator;
  45 import org.apache.archiva.security.common.ArchivaRoleConstants;
  46 import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
  47 import org.apache.commons.io.FileUtils;
  48 import org.apache.jackrabbit.webdav.DavSessionProvider;
  49 import org.easymock.EasyMock;
  50 import static org.easymock.EasyMock.*;
  51 import org.easymock.IMocksControl;
  52 import org.junit.After;
  53 import org.junit.Before;
  54 import org.junit.Test;
  55 import org.junit.runner.RunWith;
  56 import org.springframework.context.ApplicationContext;
  57 import org.springframework.test.context.ContextConfiguration;
  58
  59 import javax.inject.Inject;
  60 import javax.servlet.http.HttpServletRequest;
  61 import javax.servlet.http.HttpServletResponse;
  62 import javax.servlet.http.HttpSession;
  63 import java.io.File;
  64 import java.io.IOException;
  65 import java.io.InputStream;
  66 import java.nio.charset.Charset;
  67
  68 /**
  69  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
  70  * perform redback security checking.
  71  */
  72 @RunWith( ArchivaSpringJUnit4ClassRunner.class )
  73 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context.xml" } )
  74 public class RepositoryServletSecurityTest
  75     extends TestCase
  76 {
  77     protected static final String REPOID_INTERNAL = "internal";
  78
  79     protected ServletUnitClient sc;
  80
  81     protected File repoRootInternal;
  82
  83     private ServletRunner sr;
  84
  85     protected ArchivaConfiguration archivaConfiguration;
  86
  87     private DavSessionProvider davSessionProvider;
  88
  89     private IMocksControl servletAuthControl;
  90
  91     private ServletAuthenticator servletAuth;
  92
  93     private IMocksControl httpAuthControl;
  94
  95     private HttpAuthenticator httpAuth;
  96
  97     private RepositoryServlet servlet;
  98
  99     @Inject
 100     ApplicationContext applicationContext;
 101
 102     @Before
 103     public void setUp()
 104         throws Exception
 105     {
 106         super.setUp();
 107
 108         String appserverBase =
 109             System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
 110
 111         File testConf = new File( "src/test/resources/repository-archiva.xml" );
 112         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
 113         FileUtils.copyFile( testConf, testConfDest );
 114
 115         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
 116
 117         archivaConfiguration = applicationContext.getBean( ArchivaConfiguration.class );
 118         Configuration config = archivaConfiguration.getConfiguration();
 119
 120         if ( !config.getManagedRepositoriesAsMap().containsKey( REPOID_INTERNAL ) )
 121         {
 122             config.addManagedRepository(
 123                 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
 124         }
 125         saveConfiguration( archivaConfiguration );
 126
 127         CacheManager.getInstance().clearAll();
 128
 129         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
 130
 131         sr = new ServletRunner( new File( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
 132         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
 133         sc = sr.newClient();
 134
 135         servletAuthControl = EasyMock.createControl();// MockControl.createControl( ServletAuthenticator.class );
 136         //servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
 137         servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );
 138
 139         httpAuthControl = EasyMock.createControl();
 140         //MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
 141         //httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
 142         httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );
 143
 144         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
 145     }
 146
 147     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
 148     {
 149         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
 150         repo.setId( id );
 151         repo.setName( name );
 152         repo.setLocation( location.getAbsolutePath() );
 153         return repo;
 154     }
 155
 156     protected void saveConfiguration()
 157         throws Exception
 158     {
 159         saveConfiguration( archivaConfiguration );
 160     }
 161
 162     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
 163         throws Exception
 164     {
 165         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
 166     }
 167
 168     protected void setupCleanRepo( File repoRootDir )
 169         throws IOException
 170     {
 171         FileUtils.deleteDirectory( repoRootDir );
 172         if ( !repoRootDir.exists() )
 173         {
 174             repoRootDir.mkdirs();
 175         }
 176     }
 177
 178     @Override
 179     @After
 180     public void tearDown()
 181         throws Exception
 182     {
 183         if ( sc != null )
 184         {
 185             sc.clearContents();
 186         }
 187
 188         if ( sr != null )
 189         {
 190             sr.shutDown();
 191         }
 192
 193         if ( repoRootInternal.exists() )
 194         {
 195             FileUtils.deleteDirectory( repoRootInternal );
 196         }
 197
 198         servlet = null;
 199
 200         super.tearDown();
 201     }
 202
 203     // test deploy with invalid user, and guest has no write access to repo
 204     // 401 must be returned
 205     @Test
 206     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
 207         throws Exception
 208     {
 209         setupCleanRepo( repoRootInternal );
 210
 211         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 212         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 213         assertNotNull( "artifact.jar inputstream", is );
 214
 215         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 216         InvocationContext ic = sc.newInvocation( request );
 217         servlet = (RepositoryServlet) ic.getServlet();
 218         servlet.setDavSessionProvider( davSessionProvider );
 219
 220         AuthenticationResult result = new AuthenticationResult();
 221         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 222         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 223                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 224         //servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
 225         //                                   new AuthenticationException( "Authentication error" ) );
 226         servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),
 227                                      EasyMock.anyObject( AuthenticationResult.class ) );
 228         EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );
 229
 230         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 231         //servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
 232         //servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
 233         EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );
 234
 235         httpAuthControl.replay();
 236         servletAuthControl.replay();
 237
 238         servlet.service( ic.getRequest(), ic.getResponse() );
 239
 240         httpAuthControl.verify();
 241         servletAuthControl.verify();
 242
 243         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
 244     }
 245
 246     // test deploy with invalid user, but guest has write access to repo
 247     @Test
 248     public void testPutWithInvalidUserAndGuestHasWriteAccess()
 249         throws Exception
 250     {
 251         setupCleanRepo( repoRootInternal );
 252
 253         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 254         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 255         assertNotNull( "artifact.jar inputstream", is );
 256
 257         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 258
 259         InvocationContext ic = sc.newInvocation( request );
 260         servlet = (RepositoryServlet) ic.getServlet();
 261         servlet.setDavSessionProvider( davSessionProvider );
 262
 263         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 264         archivaDavResourceFactory.setHttpAuth( httpAuth );
 265         archivaDavResourceFactory.setServletAuth( servletAuth );
 266
 267         servlet.setResourceFactory( archivaDavResourceFactory );
 268
 269         AuthenticationResult result = new AuthenticationResult();
 270         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 271         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 272                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 273         //servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
 274         //                                   new AuthenticationException( "Authentication error" ) );
 275
 276         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 277                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 278             new AuthenticationException( "Authentication error" ) );
 279
 280         //servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
 281         //servletAuthControl.setReturnValue( true );
 282         EasyMock.expect(servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD )).andReturn( true );
 283
 284         // ArchivaDavResourceFactory#isAuthorized()
 285         SecuritySession session = new DefaultSecuritySession();
 286         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 287         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 288                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 289         //httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 290         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 291         //servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
 292         //                                   new AuthenticationException( "Authentication error" ) );
 293         EasyMock.expect(servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) )).andThrow( new AuthenticationException( "Authentication error" ) );
 294
 295         //httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
 296         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 297
 298         // check if guest has write access
 299         //servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 300         //servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
 301         //servletAuthControl.setReturnValue( true );
 302         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 303                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
 304             true );
 305
 306         httpAuthControl.replay();
 307         servletAuthControl.replay();
 308
 309         servlet.service( ic.getRequest(), ic.getResponse() );
 310
 311         httpAuthControl.verify();
 312         servletAuthControl.verify();
 313
 314         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
 315     }
 316
 317     // test deploy with a valid user with no write access
 318     @Test
 319     public void testPutWithValidUserWithNoWriteAccess()
 320         throws Exception
 321     {
 322         setupCleanRepo( repoRootInternal );
 323
 324         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 325         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 326         assertNotNull( "artifact.jar inputstream", is );
 327
 328         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 329
 330         InvocationContext ic = sc.newInvocation( request );
 331         servlet = (RepositoryServlet) ic.getServlet();
 332         servlet.setDavSessionProvider( davSessionProvider );
 333
 334         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 335         archivaDavResourceFactory.setHttpAuth( httpAuth );
 336         archivaDavResourceFactory.setServletAuth( servletAuth );
 337         servlet.setResourceFactory( archivaDavResourceFactory );
 338
 339         AuthenticationResult result = new AuthenticationResult();
 340         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 341         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 342                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 343         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
 344         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 345                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 346
 347         // ArchivaDavResourceFactory#isAuthorized()
 348         SecuritySession session = new DefaultSecuritySession();
 349         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 350         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 351                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 352         //httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 353         EasyMock.expect( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ) ).andReturn( session );
 354         //httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
 355         EasyMock.expect( httpAuth.getSessionUser( ic.getRequest().getSession() ) ).andReturn( new SimpleUser() );
 356         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 357         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 358                                                       eq( result ) ) ).andReturn( true );
 359         //servletAuthControl.expectAndThrow(
 360         //                                   servletAuth.isAuthorized( null, session, "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 361         //                                   new UnauthorizedException( "User not authorized" ) );
 362         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 363                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD) ) ).andThrow(
 364             new UnauthorizedException( "User not authorized" ) );
 365         httpAuthControl.replay();
 366         servletAuthControl.replay();
 367
 368         servlet.service( ic.getRequest(), ic.getResponse() );
 369
 370         httpAuthControl.verify();
 371         servletAuthControl.verify();
 372
 373         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
 374     }
 375
 376     // test deploy with a valid user with write access
 377     @Test
 378     public void testPutWithValidUserWithWriteAccess()
 379         throws Exception
 380     {
 381         setupCleanRepo( repoRootInternal );
 382         assertTrue( repoRootInternal.exists() );
 383
 384         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 385         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 386         assertNotNull( "artifact.jar inputstream", is );
 387
 388         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 389
 390         InvocationContext ic = sc.newInvocation( request );
 391         servlet = (RepositoryServlet) ic.getServlet();
 392         servlet.setDavSessionProvider( davSessionProvider );
 393
 394         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 395         archivaDavResourceFactory.setHttpAuth( httpAuth );
 396         archivaDavResourceFactory.setServletAuth( servletAuth );
 397
 398         TestAuditListener listener = new TestAuditListener();
 399         archivaDavResourceFactory.addAuditListener( listener );
 400         servlet.setResourceFactory( archivaDavResourceFactory );
 401
 402         AuthenticationResult result = new AuthenticationResult();
 403         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 404         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 405                                                            anyObject( HttpServletResponse.class) )).andReturn( result );
 406         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
 407         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 408                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 409
 410         User user = new SimpleUser();
 411         user.setUsername( "admin" );
 412
 413         // ArchivaDavResourceFactory#isAuthorized()
 414         SecuritySession session = new DefaultSecuritySession();
 415         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 416         EasyMock.expect( httpAuth.getAuthenticationResult(anyObject( HttpServletRequest.class ),
 417                                                           anyObject( HttpServletResponse.class) ) ).andReturn( result );
 418         //httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 419         EasyMock.expect( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ) ).andReturn( session );
 420         //httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), user );
 421         EasyMock.expect( httpAuth.getSessionUser( ic.getRequest().getSession() ) ).andReturn( user );
 422         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 423         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 424             true );
 425         //servletAuthControl.expectAndReturn(
 426         //                                    servletAuth.isAuthorized( null, session, "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 427         //                                    true );
 428         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 429                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD) ) ).andReturn(
 430             true );
 431
 432         httpAuthControl.replay();
 433         servletAuthControl.replay();
 434
 435         servlet.service( ic.getRequest(), ic.getResponse() );
 436
 437         httpAuthControl.verify();
 438         servletAuthControl.verify();
 439
 440         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
 441
 442         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
 443     }
 444
 445     // test get with invalid user, and guest has read access to repo
 446     @Test
 447     public void testGetWithInvalidUserAndGuestHasReadAccess()
 448         throws Exception
 449     {
 450         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 451         String expectedArtifactContents = "dummy-commons-lang-artifact";
 452
 453         File artifactFile = new File( repoRootInternal, commonsLangJar );
 454         artifactFile.getParentFile().mkdirs();
 455
 456         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 457
 458         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 459         InvocationContext ic = sc.newInvocation( request );
 460         servlet = (RepositoryServlet) ic.getServlet();
 461         servlet.setDavSessionProvider( davSessionProvider );
 462
 463         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 464         archivaDavResourceFactory.setHttpAuth( httpAuth );
 465         archivaDavResourceFactory.setServletAuth( servletAuth );
 466
 467         servlet.setResourceFactory( archivaDavResourceFactory );
 468
 469         AuthenticationResult result = new AuthenticationResult();
 470         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 471         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) )
 472             .andReturn( result );
 473         //servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
 474         //                                   new AuthenticationException( "Authentication error" ) );
 475         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andThrow(
 476             new AuthenticationException( "Authentication error" ) );
 477         //servletAuthControl.expectAndReturn(
 478         //                                    servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
 479         //                                    true );
 480         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 481                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 482             true );
 483
 484         // ArchivaDavResourceFactory#isAuthorized()
 485         SecuritySession session = new DefaultSecuritySession();
 486         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 487         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 488         //httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 489         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 490         //httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
 491         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 492         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 493         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 494             true );
 495         //servletAuthControl.expectAndReturn(
 496         //                                    servletAuth.isAuthorized( null, session, "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 497         //                                    true );
 498         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 499                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andReturn(
 500             true );
 501         httpAuthControl.replay();
 502         servletAuthControl.replay();
 503
 504         WebResponse response = sc.getResponse( request );
 505
 506         httpAuthControl.verify();
 507         servletAuthControl.verify();
 508
 509         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
 510         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
 511     }
 512
 513     // test get with invalid user, and guest has no read access to repo
 514     @Test
 515     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
 516         throws Exception
 517     {
 518         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 519         String expectedArtifactContents = "dummy-commons-lang-artifact";
 520
 521         File artifactFile = new File( repoRootInternal, commonsLangJar );
 522         artifactFile.getParentFile().mkdirs();
 523
 524         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 525
 526         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 527         InvocationContext ic = sc.newInvocation( request );
 528         servlet = (RepositoryServlet) ic.getServlet();
 529         servlet.setDavSessionProvider( davSessionProvider );
 530
 531         AuthenticationResult result = new AuthenticationResult();
 532         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 533         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 534         //servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
 535         //                                   new AuthenticationException( "Authentication error" ) );
 536         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andThrow(
 537             new AuthenticationException( "Authentication error" ) );
 538         //servletAuthControl.expectAndReturn(
 539         //                                    servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
 540         //                                    false );
 541         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 542                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 543             false );
 544         httpAuthControl.replay();
 545         servletAuthControl.replay();
 546
 547         WebResponse response = sc.getResponse( request );
 548
 549         httpAuthControl.verify();
 550         servletAuthControl.verify();
 551
 552         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
 553     }
 554
 555     // test get with valid user with read access to repo
 556     @Test
 557     public void testGetWithAValidUserWithReadAccess()
 558         throws Exception
 559     {
 560         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 561         String expectedArtifactContents = "dummy-commons-lang-artifact";
 562
 563         File artifactFile = new File( repoRootInternal, commonsLangJar );
 564         artifactFile.getParentFile().mkdirs();
 565
 566         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 567
 568         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 569         InvocationContext ic = sc.newInvocation( request );
 570         servlet = (RepositoryServlet) ic.getServlet();
 571         servlet.setDavSessionProvider( davSessionProvider );
 572
 573         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 574         archivaDavResourceFactory.setHttpAuth( httpAuth );
 575         archivaDavResourceFactory.setServletAuth( servletAuth );
 576
 577         servlet.setResourceFactory( archivaDavResourceFactory );
 578
 579         AuthenticationResult result = new AuthenticationResult();
 580         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 581         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 582         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
 583         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 584         // ArchivaDavResourceFactory#isAuthorized()
 585         SecuritySession session = new DefaultSecuritySession();
 586         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 587         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 588         //httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 589         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 590         //httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
 591         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
 592         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 593         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 594             true );
 595         //servletAuthControl.expectAndReturn(
 596         //                                    servletAuth.isAuthorized( null, session, "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 597         //                                    true );
 598         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 599                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andReturn(
 600             true );
 601
 602         httpAuthControl.replay();
 603         servletAuthControl.replay();
 604
 605         WebResponse response = sc.getResponse( request );
 606
 607         httpAuthControl.verify();
 608         servletAuthControl.verify();
 609
 610         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
 611         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
 612     }
 613
 614     // test get with valid user with no read access to repo
 615     @Test
 616     public void testGetWithAValidUserWithNoReadAccess()
 617         throws Exception
 618     {
 619         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 620         String expectedArtifactContents = "dummy-commons-lang-artifact";
 621
 622         File artifactFile = new File( repoRootInternal, commonsLangJar );
 623         artifactFile.getParentFile().mkdirs();
 624
 625         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 626
 627         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 628         InvocationContext ic = sc.newInvocation( request );
 629         servlet = (RepositoryServlet) ic.getServlet();
 630         servlet.setDavSessionProvider( davSessionProvider );
 631
 632         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 633         archivaDavResourceFactory.setHttpAuth( httpAuth );
 634         archivaDavResourceFactory.setServletAuth( servletAuth );
 635
 636         servlet.setResourceFactory( archivaDavResourceFactory );
 637
 638         AuthenticationResult result = new AuthenticationResult();
 639         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 640         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 641         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
 642         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 643
 644         // ArchivaDavResourceFactory#isAuthorized()
 645         SecuritySession session = new DefaultSecuritySession();
 646         //httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 647         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 648         //httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 649         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class) ) ).andReturn( session );
 650         //httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
 651         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class) ) ).andReturn( new SimpleUser() );
 652         //servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 653         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 654             true );
 655         //servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 656         //                                   new UnauthorizedException( "User not authorized to read repository." ) );
 657         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 658                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andThrow(
 659             new UnauthorizedException( "User not authorized to read repository." ) );
 660         httpAuthControl.replay();
 661         servletAuthControl.replay();
 662
 663         WebResponse response = sc.getResponse( request );
 664
 665         httpAuthControl.verify();
 666         servletAuthControl.verify();
 667
 668         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
 669     }
 670 }