source.dussan.org Git - archiva.git/blob

   1 package org.apache.archiva.webdav;
   2
   3 /*
   4  * Licensed to the Apache Software Foundation (ASF) under one
   5  * or more contributor license agreements.  See the NOTICE file
   6  * distributed with this work for additional information
   7  * regarding copyright ownership.  The ASF licenses this file
   8  * to you under the Apache License, Version 2.0 (the
   9  * "License"); you may not use this file except in compliance
  10  * with the License.  You may obtain a copy of the License at
  11  *
  12  *  http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  17  * KIND, either express or implied.  See the License for the
  18  * specific language governing permissions and limitations
  19  * under the License.
  20  */
  21
  22 import com.meterware.httpunit.GetMethodWebRequest;
  23 import com.meterware.httpunit.HttpUnitOptions;
  24 import com.meterware.httpunit.PutMethodWebRequest;
  25 import com.meterware.httpunit.WebRequest;
  26 import com.meterware.httpunit.WebResponse;
  27 import com.meterware.servletunit.InvocationContext;
  28 import com.meterware.servletunit.ServletRunner;
  29 import com.meterware.servletunit.ServletUnitClient;
  30 import junit.framework.TestCase;
  31 import net.sf.ehcache.CacheManager;
  32 import org.apache.archiva.redback.authentication.AuthenticationException;
  33 import org.apache.archiva.redback.users.User;
  34 import org.apache.archiva.repository.audit.TestAuditListener;
  35 import org.apache.archiva.security.common.ArchivaRoleConstants;
  36 import org.apache.commons.io.FileUtils;
  37 import org.apache.jackrabbit.webdav.DavSessionProvider;
  38 import org.apache.archiva.configuration.ArchivaConfiguration;
  39 import org.apache.archiva.configuration.Configuration;
  40 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
  41 import org.apache.archiva.security.ServletAuthenticator;
  42 import org.apache.archiva.redback.authentication.AuthenticationResult;
  43 import org.apache.archiva.redback.authorization.UnauthorizedException;
  44 import org.apache.archiva.redback.system.DefaultSecuritySession;
  45 import org.apache.archiva.redback.system.SecuritySession;
  46 import org.apache.archiva.redback.users.memory.SimpleUser;
  47 import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
  48 import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
  49 import org.easymock.MockControl;
  50 import org.easymock.classextension.MockClassControl;
  51 import org.junit.After;
  52 import org.junit.Before;
  53 import org.junit.Test;
  54 import org.junit.runner.RunWith;
  55 import org.springframework.context.ApplicationContext;
  56 import org.springframework.test.context.ContextConfiguration;
  57
  58 import javax.inject.Inject;
  59 import javax.servlet.http.HttpServletResponse;
  60 import java.io.File;
  61 import java.io.IOException;
  62 import java.io.InputStream;
  63 import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
  64
  65 /**
  66  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
  67  * perform redback security checking.
  68  *
  69  * @version $Id$
  70  */
  71 @RunWith( ArchivaSpringJUnit4ClassRunner.class )
  72 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context.xml" } )
  73 public class RepositoryServletSecurityTest
  74     extends TestCase
  75 {
  76     protected static final String REPOID_INTERNAL = "internal";
  77
  78     protected ServletUnitClient sc;
  79
  80     protected File repoRootInternal;
  81
  82     private ServletRunner sr;
  83
  84     protected ArchivaConfiguration archivaConfiguration;
  85
  86     private DavSessionProvider davSessionProvider;
  87
  88     private MockControl servletAuthControl;
  89
  90     private ServletAuthenticator servletAuth;
  91
  92     private MockClassControl httpAuthControl;
  93
  94     private HttpAuthenticator httpAuth;
  95
  96     private RepositoryServlet servlet;
  97
  98     @Inject
  99     ApplicationContext applicationContext;
 100
 101     @Before
 102     public void setUp()
 103         throws Exception
 104     {
 105         super.setUp();
 106
 107         String appserverBase =  System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
 108
 109         File testConf = new File( "src/test/resources/repository-archiva.xml" );
 110         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
 111         FileUtils.copyFile( testConf, testConfDest );
 112
 113         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
 114
 115         archivaConfiguration = applicationContext.getBean( ArchivaConfiguration.class );
 116         Configuration config = archivaConfiguration.getConfiguration();
 117
 118         if (!config.getManagedRepositoriesAsMap().containsKey( REPOID_INTERNAL ))
 119         {
 120             config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
 121         }
 122         saveConfiguration( archivaConfiguration );
 123
 124         CacheManager.getInstance().clearAll();
 125
 126         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
 127
 128         sr = new ServletRunner( new File( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
 129         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
 130         sc = sr.newClient();
 131
 132         servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
 133         servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
 134         servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
 135
 136         httpAuthControl =
 137             MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
 138         httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
 139         httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
 140
 141         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
 142     }
 143
 144     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
 145     {
 146         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
 147         repo.setId( id );
 148         repo.setName( name );
 149         repo.setLocation( location.getAbsolutePath() );
 150         return repo;
 151     }
 152
 153     protected void saveConfiguration()
 154         throws Exception
 155     {
 156         saveConfiguration( archivaConfiguration );
 157     }
 158
 159     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
 160         throws Exception
 161     {
 162         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
 163     }
 164
 165     protected void setupCleanRepo( File repoRootDir )
 166         throws IOException
 167     {
 168         FileUtils.deleteDirectory( repoRootDir );
 169         if ( !repoRootDir.exists() )
 170         {
 171             repoRootDir.mkdirs();
 172         }
 173     }
 174
 175     @Override
 176     @After
 177     public void tearDown()
 178         throws Exception
 179     {
 180         if ( sc != null )
 181         {
 182             sc.clearContents();
 183         }
 184
 185         if ( sr != null )
 186         {
 187             sr.shutDown();
 188         }
 189
 190         if ( repoRootInternal.exists() )
 191         {
 192             FileUtils.deleteDirectory( repoRootInternal );
 193         }
 194
 195         servlet = null;
 196
 197         super.tearDown();
 198     }
 199
 200     // test deploy with invalid user, and guest has no write access to repo
 201     // 401 must be returned
 202     @Test
 203     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
 204         throws Exception
 205     {
 206         setupCleanRepo( repoRootInternal );
 207
 208         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 209         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 210         assertNotNull( "artifact.jar inputstream", is );
 211
 212         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 213         InvocationContext ic = sc.newInvocation( request );
 214         servlet = (RepositoryServlet) ic.getServlet();
 215         servlet.setDavSessionProvider( davSessionProvider );
 216
 217         AuthenticationResult result = new AuthenticationResult();
 218         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 219         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
 220                                            new AuthenticationException( "Authentication error" ) );
 221
 222         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 223         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
 224         servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
 225
 226         httpAuthControl.replay();
 227         servletAuthControl.replay();
 228
 229         servlet.service( ic.getRequest(), ic.getResponse() );
 230
 231         httpAuthControl.verify();
 232         servletAuthControl.verify();
 233
 234         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
 235     }
 236
 237     // test deploy with invalid user, but guest has write access to repo
 238     @Test
 239     public void testPutWithInvalidUserAndGuestHasWriteAccess()
 240         throws Exception
 241     {
 242         setupCleanRepo( repoRootInternal );
 243
 244         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 245         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 246         assertNotNull( "artifact.jar inputstream", is );
 247
 248         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 249
 250         InvocationContext ic = sc.newInvocation( request );
 251         servlet = (RepositoryServlet) ic.getServlet();
 252         servlet.setDavSessionProvider( davSessionProvider );
 253
 254         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 255         archivaDavResourceFactory.setHttpAuth( httpAuth );
 256         archivaDavResourceFactory.setServletAuth( servletAuth );
 257
 258         servlet.setResourceFactory( archivaDavResourceFactory );
 259
 260         AuthenticationResult result = new AuthenticationResult();
 261         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 262         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
 263                                            new AuthenticationException( "Authentication error" ) );
 264
 265         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 266         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
 267         servletAuthControl.setReturnValue( true );
 268
 269         // ArchivaDavResourceFactory#isAuthorized()
 270         SecuritySession session = new DefaultSecuritySession();
 271         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 272         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 273         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
 274                                            new AuthenticationException( "Authentication error" ) );
 275
 276         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
 277
 278         // check if guest has write access
 279         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 280         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
 281         servletAuthControl.setReturnValue( true );
 282
 283         httpAuthControl.replay();
 284         servletAuthControl.replay();
 285
 286         servlet.service( ic.getRequest(), ic.getResponse() );
 287
 288         httpAuthControl.verify();
 289         servletAuthControl.verify();
 290
 291         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
 292     }
 293
 294     // test deploy with a valid user with no write access
 295     @Test
 296     public void testPutWithValidUserWithNoWriteAccess()
 297         throws Exception
 298     {
 299         setupCleanRepo( repoRootInternal );
 300
 301         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 302         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 303         assertNotNull( "artifact.jar inputstream", is );
 304
 305         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 306
 307         InvocationContext ic = sc.newInvocation( request );
 308         servlet = (RepositoryServlet) ic.getServlet();
 309         servlet.setDavSessionProvider( davSessionProvider );
 310
 311         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 312         archivaDavResourceFactory.setHttpAuth( httpAuth );
 313         archivaDavResourceFactory.setServletAuth( servletAuth );
 314         servlet.setResourceFactory( archivaDavResourceFactory );
 315
 316         AuthenticationResult result = new AuthenticationResult();
 317         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 318         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
 319
 320         // ArchivaDavResourceFactory#isAuthorized()
 321         SecuritySession session = new DefaultSecuritySession();
 322         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 323         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 324         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
 325         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 326         servletAuthControl.expectAndThrow(
 327                                            servletAuth.isAuthorized( null, session, "internal",
 328                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 329                                            new UnauthorizedException( "User not authorized" ) );
 330
 331         httpAuthControl.replay();
 332         servletAuthControl.replay();
 333
 334         servlet.service( ic.getRequest(), ic.getResponse() );
 335
 336         httpAuthControl.verify();
 337         servletAuthControl.verify();
 338
 339         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
 340     }
 341
 342     // test deploy with a valid user with write access
 343     @Test
 344     public void testPutWithValidUserWithWriteAccess()
 345         throws Exception
 346     {
 347         setupCleanRepo( repoRootInternal );
 348         assertTrue( repoRootInternal.exists() );
 349
 350         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 351         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 352         assertNotNull( "artifact.jar inputstream", is );
 353
 354         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 355
 356         InvocationContext ic = sc.newInvocation( request );
 357         servlet = (RepositoryServlet) ic.getServlet();
 358         servlet.setDavSessionProvider( davSessionProvider );
 359
 360         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 361         archivaDavResourceFactory.setHttpAuth( httpAuth );
 362         archivaDavResourceFactory.setServletAuth( servletAuth );
 363
 364         TestAuditListener listener = new TestAuditListener();
 365         archivaDavResourceFactory.addAuditListener( listener );
 366         servlet.setResourceFactory( archivaDavResourceFactory );
 367
 368         AuthenticationResult result = new AuthenticationResult();
 369         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 370         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
 371
 372         User user = new SimpleUser();
 373         user.setUsername( "admin" );
 374
 375         // ArchivaDavResourceFactory#isAuthorized()
 376         SecuritySession session = new DefaultSecuritySession();
 377         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 378         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 379         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), user );
 380         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 381         servletAuthControl.expectAndReturn(
 382                                             servletAuth.isAuthorized( null, session, "internal",
 383                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 384                                             true );
 385
 386         httpAuthControl.replay();
 387         servletAuthControl.replay();
 388
 389         servlet.service( ic.getRequest(), ic.getResponse() );
 390
 391         httpAuthControl.verify();
 392         servletAuthControl.verify();
 393
 394         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
 395
 396         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
 397     }
 398
 399     // test get with invalid user, and guest has read access to repo
 400     @Test
 401     public void testGetWithInvalidUserAndGuestHasReadAccess()
 402         throws Exception
 403     {
 404         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 405         String expectedArtifactContents = "dummy-commons-lang-artifact";
 406
 407         File artifactFile = new File( repoRootInternal, commonsLangJar );
 408         artifactFile.getParentFile().mkdirs();
 409
 410         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
 411
 412         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 413         InvocationContext ic = sc.newInvocation( request );
 414         servlet = (RepositoryServlet) ic.getServlet();
 415         servlet.setDavSessionProvider( davSessionProvider );
 416
 417         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 418         archivaDavResourceFactory.setHttpAuth( httpAuth );
 419         archivaDavResourceFactory.setServletAuth( servletAuth );
 420
 421         servlet.setResourceFactory( archivaDavResourceFactory );
 422
 423         AuthenticationResult result = new AuthenticationResult();
 424         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 425         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
 426                                            new AuthenticationException( "Authentication error" ) );
 427         servletAuthControl.expectAndReturn(
 428                                             servletAuth.isAuthorized( "guest", "internal",
 429                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
 430                                             true );
 431
 432         // ArchivaDavResourceFactory#isAuthorized()
 433         SecuritySession session = new DefaultSecuritySession();
 434         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 435         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 436         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
 437         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 438         servletAuthControl.expectAndReturn(
 439                                             servletAuth.isAuthorized( null, session, "internal",
 440                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 441                                             true );
 442
 443         httpAuthControl.replay();
 444         servletAuthControl.replay();
 445
 446         WebResponse response = sc.getResponse( request );
 447
 448         httpAuthControl.verify();
 449         servletAuthControl.verify();
 450
 451         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
 452         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
 453     }
 454
 455     // test get with invalid user, and guest has no read access to repo
 456     @Test
 457     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
 458         throws Exception
 459     {
 460         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 461         String expectedArtifactContents = "dummy-commons-lang-artifact";
 462
 463         File artifactFile = new File( repoRootInternal, commonsLangJar );
 464         artifactFile.getParentFile().mkdirs();
 465
 466         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
 467
 468         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 469         InvocationContext ic = sc.newInvocation( request );
 470         servlet = (RepositoryServlet) ic.getServlet();
 471         servlet.setDavSessionProvider( davSessionProvider );
 472
 473         AuthenticationResult result = new AuthenticationResult();
 474         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 475         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
 476                                            new AuthenticationException( "Authentication error" ) );
 477         servletAuthControl.expectAndReturn(
 478                                             servletAuth.isAuthorized( "guest", "internal",
 479                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
 480                                             false );
 481
 482         httpAuthControl.replay();
 483         servletAuthControl.replay();
 484
 485         WebResponse response = sc.getResponse( request );
 486
 487         httpAuthControl.verify();
 488         servletAuthControl.verify();
 489
 490         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
 491     }
 492
 493     // test get with valid user with read access to repo
 494     @Test
 495     public void testGetWithAValidUserWithReadAccess()
 496         throws Exception
 497     {
 498         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 499         String expectedArtifactContents = "dummy-commons-lang-artifact";
 500
 501         File artifactFile = new File( repoRootInternal, commonsLangJar );
 502         artifactFile.getParentFile().mkdirs();
 503
 504         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
 505
 506         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 507         InvocationContext ic = sc.newInvocation( request );
 508         servlet = (RepositoryServlet) ic.getServlet();
 509         servlet.setDavSessionProvider( davSessionProvider );
 510
 511         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 512         archivaDavResourceFactory.setHttpAuth( httpAuth );
 513         archivaDavResourceFactory.setServletAuth( servletAuth );
 514
 515         servlet.setResourceFactory( archivaDavResourceFactory );
 516
 517         AuthenticationResult result = new AuthenticationResult();
 518         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 519         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
 520
 521         // ArchivaDavResourceFactory#isAuthorized()
 522         SecuritySession session = new DefaultSecuritySession();
 523         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 524         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 525         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
 526         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 527         servletAuthControl.expectAndReturn(
 528                                             servletAuth.isAuthorized( null, session, "internal",
 529                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 530                                             true );
 531
 532         httpAuthControl.replay();
 533         servletAuthControl.replay();
 534
 535         WebResponse response = sc.getResponse( request );
 536
 537         httpAuthControl.verify();
 538         servletAuthControl.verify();
 539
 540         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
 541         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
 542     }
 543
 544     // test get with valid user with no read access to repo
 545     @Test
 546     public void testGetWithAValidUserWithNoReadAccess()
 547         throws Exception
 548     {
 549         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 550         String expectedArtifactContents = "dummy-commons-lang-artifact";
 551
 552         File artifactFile = new File( repoRootInternal, commonsLangJar );
 553         artifactFile.getParentFile().mkdirs();
 554
 555         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
 556
 557         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 558         InvocationContext ic = sc.newInvocation( request );
 559         servlet = (RepositoryServlet) ic.getServlet();
 560         servlet.setDavSessionProvider( davSessionProvider );
 561
 562         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 563         archivaDavResourceFactory.setHttpAuth( httpAuth );
 564         archivaDavResourceFactory.setServletAuth( servletAuth );
 565
 566         servlet.setResourceFactory( archivaDavResourceFactory );
 567
 568         AuthenticationResult result = new AuthenticationResult();
 569         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 570         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
 571
 572         // ArchivaDavResourceFactory#isAuthorized()
 573         SecuritySession session = new DefaultSecuritySession();
 574         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
 575         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
 576         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
 577         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
 578         servletAuthControl.expectAndThrow(
 579                                            servletAuth.isAuthorized( null, session, "internal",
 580                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
 581                                            new UnauthorizedException( "User not authorized to read repository." ) );
 582
 583         httpAuthControl.replay();
 584         servletAuthControl.replay();
 585
 586         WebResponse response = sc.getResponse( request );
 587
 588         httpAuthControl.verify();
 589         servletAuthControl.verify();
 590
 591         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
 592     }
 593 }