1 package org.apache.maven.archiva.security;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import javax.servlet.http.HttpServletRequest;
23
24 import org.codehaus.plexus.redback.authentication.AuthenticationException;
25 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
26 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
27 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
28 import org.codehaus.plexus.redback.system.SecuritySession;
29 import org.codehaus.plexus.redback.users.User;
30 import org.codehaus.plexus.redback.users.UserManager; 
31
32 import org.easymock.MockControl;
33
34 /**
35  * ArchivaServletAuthenticatorTest
36  * 
37  * @version
38  */
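public class ArchivaServletAuthenticatorTest
    extends AbstractSecurityTest
{
    /** Repository id that every test in this class authenticates/authorizes against. */
    private static final String REPO_ID = "corporate";

    /** Display name used whenever the alpaca test user is created. */
    private static final String USER_ALPACA_FULLNAME = "Al 'Archiva' Paca";

    /** Component under test, looked up from the container in {@link #setUp()}. */
    private ServletAuthenticator servletAuth;

    /**
     * EasyMock control for {@link #request}. Only the no-write-access test records
     * expectations on it and replays/verifies; in the remaining tests the mock stays
     * in record state.
     */
    private MockControl httpServletRequestControl;

    /** Mocked servlet request handed to the authenticator. */
    private HttpServletRequest request;

    /**
     * Looks up the "default" {@link ServletAuthenticator}, creates the request mock and
     * registers the {@value #REPO_ID} repository the tests authorize against.
     *
     * @throws Exception if the container lookup or the repository setup fails
     */
    @Override
    public void setUp()
        throws Exception
    {
        super.setUp();

        servletAuth = (ServletAuthenticator) lookup( ServletAuthenticator.class, "default" );

        httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
        request = (HttpServletRequest) httpServletRequestControl.getMock();

        setupRepository( REPO_ID );
    }

    /**
     * @return the container configuration dedicated to this test class
     */
    @Override
    protected String getPlexusConfigLocation()
    {
        return "org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml";
    }

    /**
     * Grants the templated repository-manager role for one repository to a principal.
     * Counterpart of the inherited {@code assignRepositoryObserverRole}.
     *
     * @param principal user name receiving the role
     * @param repoId repository the templated role is instantiated for
     * @throws Exception if the role manager rejects the assignment
     */
    protected void assignRepositoryManagerRole( String principal, String repoId )
        throws Exception
    {
        roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
    }

    /**
     * Builds a security session for a principal that {@code createUser} has already
     * registered, wrapping a successful authentication result.
     *
     * @param principal user name to look up
     * @return session holding the looked-up user and an authenticated result
     * @throws Exception if the user cannot be looked up
     */
    private SecuritySession createAuthenticatedSession( String principal )
        throws Exception
    {
        UserManager userManager = securitySystem.getUserManager();
        User user = userManager.findUser( principal );

        AuthenticationResult result = new AuthenticationResult( true, principal, null );

        return new DefaultSecuritySession( result, user );
    }

    /**
     * Asserts that authorizing the session against {@value #REPO_ID} is refused with the
     * authenticator's standard denial message.
     *
     * @param session session to authorize
     * @param writeRequested whether write access is requested
     * @throws Exception if the authenticator fails with anything other than
     *             {@link UnauthorizedException}
     */
    private void assertAccessDenied( SecuritySession session, boolean writeRequested )
        throws Exception
    {
        try
        {
            servletAuth.isAuthorized( request, session, REPO_ID, writeRequested );
            fail( "UnauthorizedException should have been thrown." );
        }
        catch ( UnauthorizedException e )
        {
            assertEquals( "Access denied for repository corporate", e.getMessage() );
        }
    }

    /**
     * A result flagged as authenticated is accepted. No user named "user" is ever
     * created here, so this exercises the result flag alone.
     */
    public void testIsAuthenticatedUserExists()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( true, "user", null );
        boolean isAuthenticated = servletAuth.isAuthenticated( request, result );

        assertTrue( isAuthenticated );
    }

    /**
     * A result flagged as not authenticated must be rejected with an
     * {@link AuthenticationException} rather than a {@code false} return.
     */
    public void testIsAuthenticatedUserDoesNotExist()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
        try
        {
            servletAuth.isAuthenticated( request, result );
            fail( "Authentication exception should have been thrown." );
        }
        catch ( AuthenticationException e )
        {
            assertEquals( "User Credentials Invalid", e.getMessage() );
        }
    }

    /** A repository manager may write to the repository. */
    public void testIsAuthorizedUserHasWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULLNAME );
        assignRepositoryManagerRole( USER_ALPACA, REPO_ID );

        SecuritySession session = createAuthenticatedSession( USER_ALPACA );
        boolean isAuthorized = servletAuth.isAuthorized( request, session, REPO_ID, true );

        assertTrue( isAuthorized );
    }

    /**
     * An observer asking for write access is refused. The denial path is expected to
     * read the caller's remote address (presumably for its log/audit output — confirm
     * against the authenticator); recording that call makes {@code verify()} fail if
     * the lookup ever disappears.
     */
    public void testIsAuthorizedUserHasNoWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULLNAME );
        assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

        // Constructed sample address; only its retrieval is verified, not its value.
        httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );

        SecuritySession session = createAuthenticatedSession( USER_ALPACA );

        httpServletRequestControl.replay();

        assertAccessDenied( session, true );

        httpServletRequestControl.verify();
    }

    /** An observer may read from the repository. */
    public void testIsAuthorizedUserHasReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULLNAME );
        assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

        SecuritySession session = createAuthenticatedSession( USER_ALPACA );
        boolean isAuthorized = servletAuth.isAuthorized( request, session, REPO_ID, false );

        assertTrue( isAuthorized );
    }

    /** A user holding no role on the repository is refused even read access. */
    public void testIsAuthorizedUserHasNoReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULLNAME );

        SecuritySession session = createAuthenticatedSession( USER_ALPACA );

        assertAccessDenied( session, false );
    }

    /** Guest with the manager role may write; uses the principal-only overload. */
    public void testIsAuthorizedGuestUserHasWriteAccess()
        throws Exception
    {
        assignRepositoryManagerRole( USER_GUEST, REPO_ID );
        boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, REPO_ID, true );

        assertTrue( isAuthorized );
    }

    /**
     * Guest with only the observer role may not write. Unlike the session overload,
     * the principal-only overload reports denial as {@code false} rather than throwing.
     */
    public void testIsAuthorizedGuestUserHasNoWriteAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );

        boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, REPO_ID, true );
        assertFalse( isAuthorized );
    }

    /** Guest with the observer role may read. */
    public void testIsAuthorizedGuestUserHasReadAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );

        boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, REPO_ID, false );

        assertTrue( isAuthorized );
    }

    /** Guest without any role on the repository is denied by default, even for reads. */
    public void testIsAuthorizedGuestUserHasNoReadAccess()
        throws Exception
    {
        boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, REPO_ID, false );

        assertFalse( isAuthorized );
    }
}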