1 package org.apache.archiva.webdav;
4 * Licensed to the Apache Software Foundation (ASF) under one
5 * or more contributor license agreements. See the NOTICE file
6 * distributed with this work for additional information
7 * regarding copyright ownership. The ASF licenses this file
8 * to you under the Apache License, Version 2.0 (the
9 * "License"); you may not use this file except in compliance
10 * with the License. You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 * KIND, either express or implied. See the License for the
18 * specific language governing permissions and limitations
23 import junit.framework.TestCase;
24 import org.apache.archiva.configuration.ArchivaConfiguration;
25 import org.apache.archiva.configuration.Configuration;
26 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
27 import org.apache.archiva.redback.authentication.AuthenticationException;
28 import org.apache.archiva.redback.authentication.AuthenticationResult;
29 import org.apache.archiva.redback.authorization.UnauthorizedException;
30 import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
31 import org.apache.archiva.redback.system.DefaultSecuritySession;
32 import org.apache.archiva.redback.system.SecuritySession;
33 import org.apache.archiva.redback.users.User;
34 import org.apache.archiva.redback.users.memory.SimpleUser;
35 import org.apache.archiva.repository.RepositoryRegistry;
36 import org.apache.archiva.webdav.mock.metadata.audit.TestAuditListener;
37 import org.apache.archiva.repository.base.group.RepositoryGroupHandler;
38 import org.apache.archiva.security.ServletAuthenticator;
39 import org.apache.archiva.security.common.ArchivaRoleConstants;
40 import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
41 import org.apache.commons.io.FileUtils;
42 import org.apache.commons.io.IOUtils;
43 import org.apache.commons.lang3.StringUtils;
44 import org.apache.jackrabbit.webdav.DavSessionProvider;
45 import org.junit.After;
46 import org.junit.Before;
47 import org.junit.Rule;
48 import org.junit.Test;
49 import org.junit.runner.RunWith;
50 import org.mockito.Mockito;
51 import org.springframework.context.ApplicationContext;
52 import org.springframework.mock.web.MockHttpServletRequest;
53 import org.springframework.mock.web.MockHttpServletResponse;
54 import org.springframework.mock.web.MockServletConfig;
55 import org.springframework.mock.web.MockServletContext;
56 import org.springframework.test.context.ContextConfiguration;
57 import org.springframework.web.context.WebApplicationContext;
59 import javax.inject.Inject;
60 import javax.servlet.ServletContext;
61 import javax.servlet.http.HttpServletRequest;
62 import javax.servlet.http.HttpServletResponse;
63 import javax.servlet.http.HttpSession;
64 import java.io.InputStream;
65 import java.nio.charset.Charset;
66 import java.nio.file.Files;
67 import java.nio.file.Path;
68 import java.nio.file.Paths;
69 import java.util.ArrayList;
70 import java.util.List;
71 import java.util.concurrent.atomic.AtomicReference;
73 import static org.mockito.AdditionalMatchers.not;
74 import static org.mockito.ArgumentMatchers.any;
75 import static org.mockito.ArgumentMatchers.eq;
76 import static org.mockito.Mockito.*;
80 * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
81 * perform redback security checking.
83 @RunWith( ArchivaSpringJUnit4ClassRunner.class )
84 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context-servlet-security-test.xml" } )
85 public class RepositoryServletSecurityTest
88 protected static final String REPOID_INTERNAL = "internal";
91 protected ArchivaConfiguration archivaConfiguration;
94 protected RepositoryRegistry repositoryRegistry;
96 @SuppressWarnings( "unused" )
98 RepositoryGroupHandler repositoryGroupHandler;
100 private DavSessionProvider davSessionProvider;
102 private ServletAuthenticator servletAuth;
104 private HttpAuthenticator httpAuth;
106 private RepositoryServlet servlet;
109 ApplicationContext applicationContext;
113 public ArchivaTemporaryFolderRule repoRootInternal = new ArchivaTemporaryFolderRule();
115 private AtomicReference<Path> projectBase = new AtomicReference<>( );
117 public Path getProjectBase() {
118 if (this.projectBase.get()==null) {
119 String pathVal = System.getProperty("mvn.project.base.dir");
121 if ( StringUtils.isEmpty(pathVal)) {
122 baseDir= Paths.get("").toAbsolutePath();
124 baseDir = Paths.get(pathVal).toAbsolutePath();
126 this.projectBase.compareAndSet(null, baseDir);
128 return this.projectBase.get();
139 String appserverBase =
140 System.getProperty( "appserver.base", getProjectBase().resolve( "target/appserver-base" ).toAbsolutePath().toString() );
142 Path testConf = getProjectBase().resolve( "src/test/resources/repository-archiva.xml" );
143 Path testConfDest = Paths.get(appserverBase, "conf/archiva.xml" );
144 FileUtils.copyFile( testConf.toFile(), testConfDest.toFile() );
148 Configuration config = archivaConfiguration.getConfiguration();
149 // clear managed repository
150 List<ManagedRepositoryConfiguration> f1 = new ArrayList<>(config.getManagedRepositories());
151 for (ManagedRepositoryConfiguration f: f1 ) {
152 config.removeManagedRepository(f);
154 assertEquals(0,config.getManagedRepositories().size());
156 config.addManagedRepository(
157 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal.getRoot() ) );
159 saveConfiguration( archivaConfiguration );
162 servletAuth = mock( ServletAuthenticator.class );
164 httpAuth = mock( HttpAuthenticator.class );
166 davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
168 final MockServletContext mockServletContext = new MockServletContext();
170 WebApplicationContext webApplicationContext =
171 new AbstractRepositoryServletTestCase.TestWebapplicationContext( applicationContext, mockServletContext );
173 mockServletContext.setAttribute( WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
174 webApplicationContext );
176 MockServletConfig mockServletConfig = new MockServletConfig()
179 public ServletContext getServletContext()
181 return mockServletContext;
185 servlet = new RepositoryServlet();
187 servlet.init( mockServletConfig );
190 protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, Path location )
192 ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
194 repo.setName( name );
195 repo.setLocation( location.toAbsolutePath().toString() );
199 /*protected void saveConfiguration()
202 saveConfiguration( archivaConfiguration );
205 protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
208 repositoryRegistry.reload();
209 archivaConfiguration.save( archivaConfiguration.getConfiguration() );
212 /*protected void setupCleanRepo( File repoRootDir )
219 public void tearDown()
223 /* if ( repoRootInternal.exists() )
225 FileUtils.deleteDirectory( repoRootInternal );
229 String appBaseProp = System.getProperty( "appserver.base" );
230 if (StringUtils.isNotEmpty( appBaseProp )) {
231 org.apache.archiva.common.utils.FileUtils.deleteDirectory( Paths.get(appBaseProp) );
237 // test deploy with invalid user, and guest has no write access to repo
238 // 401 must be returned
240 public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
244 InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
245 assertNotNull( "artifact.jar inputstream", is );
247 servlet.setDavSessionProvider( davSessionProvider );
249 AuthenticationResult result = new AuthenticationResult();
251 when( httpAuth.getAuthenticationResult( any( ),
252 any( ) ) ).thenReturn(
255 when(servletAuth.isAuthenticated( any( ),
256 any( ) )).thenThrow( new AuthenticationException( "Authentication error" ) );
258 when(servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_ADD_ARTIFACT ))
259 .thenThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );
261 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
262 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
263 mockHttpServletRequest.setMethod( "PUT" );
264 mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
265 mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
266 mockHttpServletRequest.setContentType( "application/octet-stream" );
268 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
270 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
272 assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
275 // test deploy with invalid user, but guest has write access to repo
277 public void testPutWithInvalidUserAndGuestHasWriteAccess()
280 servlet.setDavSessionProvider( davSessionProvider );
282 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
283 archivaDavResourceFactory.setHttpAuth( httpAuth );
284 archivaDavResourceFactory.setServletAuth( servletAuth );
286 servlet.setResourceFactory( archivaDavResourceFactory );
288 AuthenticationResult result = new AuthenticationResult();
290 when( httpAuth.getAuthenticationResult( any( ),
291 any( ) ) ).thenReturn(
295 when( servletAuth.isAuthorized( "guest", "internal",
296 ArchivaRoleConstants.OPERATION_ADD_ARTIFACT ) ).thenReturn(
299 // ArchivaDavResourceFactory#isAuthorized()
300 SecuritySession session = new DefaultSecuritySession();
302 when( httpAuth.getAuthenticationResult( any( ),
303 any( ) ) ).thenReturn(
306 when( httpAuth.getSecuritySession( any( ) ) ).thenReturn( session );
308 when( servletAuth.isAuthenticated( any( ),
309 any( ) ) ).thenThrow(
310 new AuthenticationException( "Authentication error" ) );
312 when( httpAuth.getSessionUser( any( ) ) ).thenReturn( null );
314 // check if guest has write access
315 when( servletAuth.isAuthorized( "guest", "internal",
316 ArchivaRoleConstants.OPERATION_ADD_ARTIFACT ) ).thenReturn(
319 InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
320 assertNotNull( "artifact.jar inputstream", is );
322 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
323 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
324 mockHttpServletRequest.setMethod( "PUT" );
325 mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
326 mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
327 mockHttpServletRequest.setContentType( "application/octet-stream" );
329 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
331 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
333 assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
336 // test deploy with a valid user with no write access
338 public void testPutWithValidUserWithNoWriteAccess()
342 servlet.setDavSessionProvider( davSessionProvider );
344 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
345 archivaDavResourceFactory.setHttpAuth( httpAuth );
346 archivaDavResourceFactory.setServletAuth( servletAuth );
347 servlet.setResourceFactory( archivaDavResourceFactory );
349 AuthenticationResult result = new AuthenticationResult();
351 when( httpAuth.getAuthenticationResult( any( ),
352 any( ) ) ).thenReturn(
355 when( servletAuth.isAuthenticated( any( ),
356 any( ) ) ).thenReturn( true );
358 // ArchivaDavResourceFactory#isAuthorized()
359 SecuritySession session = new DefaultSecuritySession();
361 when( httpAuth.getAuthenticationResult( any( ),
362 any( ) ) ).thenReturn(
365 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
367 when( httpAuth.getSecuritySession( mockHttpServletRequest.getSession( true ) ) ).thenReturn(
370 when( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).thenReturn( new SimpleUser() );
372 when( servletAuth.isAuthenticated( any( ), eq( result ) ) ).thenReturn(
376 servletAuth.isAuthorized( any( ), eq( session ), eq( "internal" ),
377 eq( ArchivaRoleConstants.OPERATION_ADD_ARTIFACT ) ) ).thenThrow(
378 new UnauthorizedException( "User not authorized" ) );
379 InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
380 assertNotNull( "artifact.jar inputstream", is );
382 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
383 mockHttpServletRequest.setMethod( "PUT" );
384 mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
385 mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
386 mockHttpServletRequest.setContentType( "application/octet-stream" );
388 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
390 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
391 assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
394 // test deploy with a valid user with write access
396 public void testPutWithValidUserWithWriteAccess()
399 assertTrue( Files.exists(repoRootInternal.getRoot()) );
401 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
402 String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
403 InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
404 assertNotNull( "artifact.jar inputstream", is );
406 servlet.setDavSessionProvider( davSessionProvider );
408 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
409 archivaDavResourceFactory.setHttpAuth( httpAuth );
410 archivaDavResourceFactory.setServletAuth( servletAuth );
412 TestAuditListener listener = new TestAuditListener();
413 archivaDavResourceFactory.addAuditListener( listener );
414 servlet.setResourceFactory( archivaDavResourceFactory );
416 AuthenticationResult result = new AuthenticationResult();
418 when( httpAuth.getAuthenticationResult( any( ),
419 any( ) ) ).thenReturn(
422 when( servletAuth.isAuthenticated( any( ),
423 any( ) ) ).thenReturn( true );
425 User user = new SimpleUser();
426 user.setUsername( "admin" );
428 // ArchivaDavResourceFactory#isAuthorized()
429 SecuritySession session = new DefaultSecuritySession();
431 when( httpAuth.getAuthenticationResult( any( ),
432 any( ) ) ).thenReturn(
435 when( httpAuth.getSecuritySession( mockHttpServletRequest.getSession() ) ).thenReturn( session );
437 when( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).thenReturn( user );
439 when( servletAuth.isAuthenticated( any( ), eq( result ) ) ).thenReturn(
443 servletAuth.isAuthorized( any( ), eq( session ), eq( "internal" ),
444 eq( ArchivaRoleConstants.OPERATION_ADD_ARTIFACT ) ) ).thenReturn( true );
446 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
447 mockHttpServletRequest.setMethod( "PUT" );
448 mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
449 mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
450 mockHttpServletRequest.setContentType( "application/octet-stream" );
452 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
454 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
455 assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
457 assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
460 // test get with invalid user, and guest has read access to repo
462 public void testGetWithInvalidUserAndGuestHasReadAccess()
465 String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
466 String expectedArtifactContents = "dummy-commons-lang-artifact";
468 Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );
469 Files.createDirectories(artifactFile.getParent());
471 org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);
473 servlet.setDavSessionProvider( davSessionProvider );
475 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
476 archivaDavResourceFactory.setHttpAuth( httpAuth );
477 archivaDavResourceFactory.setServletAuth( servletAuth );
479 servlet.setResourceFactory( archivaDavResourceFactory );
481 AuthenticationResult result = new AuthenticationResult();
483 when( httpAuth.getAuthenticationResult( any( ),
484 any( ) ) ).thenReturn(
488 when( servletAuth.isAuthorized( "guest", "internal",
489 ArchivaRoleConstants.OPERATION_READ_REPOSITORY ) ).thenReturn(
492 // ArchivaDavResourceFactory#isAuthorized()
493 SecuritySession session = new DefaultSecuritySession();
495 when( httpAuth.getSecuritySession( any( ) ) ).thenReturn( session );
497 when( httpAuth.getSessionUser( any( ) ) ).thenReturn( null );
499 when( servletAuth.isAuthenticated( any( ), eq( result ) ) ).thenReturn(
501 when( servletAuth.isAuthenticated( any( ),
502 not(eq(result)) ) ).thenThrow(
503 new AuthenticationException( "Authentication error" ) );
506 servletAuth.isAuthorized( any( ), eq( session ), eq( "internal" ),
507 eq( ArchivaRoleConstants.OPERATION_READ_REPOSITORY ) ) ).thenReturn( true );
508 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
509 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
510 mockHttpServletRequest.setMethod( "GET" );
511 mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
513 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
515 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
516 assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
518 assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
521 // test get with invalid user, and guest has no read access to repo
523 public void testGetWithInvalidUserAndGuestHasNoReadAccess()
526 String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
527 String expectedArtifactContents = "dummy-commons-lang-artifact";
529 Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );
530 Files.createDirectories(artifactFile.getParent());
532 org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);
534 servlet.setDavSessionProvider( davSessionProvider );
536 AuthenticationResult result = new AuthenticationResult();
538 when( httpAuth.getAuthenticationResult( any( ),
539 any( ) ) ).thenReturn(
542 when( servletAuth.isAuthenticated( any( ),
543 any( ) ) ).thenThrow(
544 new AuthenticationException( "Authentication error" ) );
546 when( servletAuth.isAuthorized( "guest", "internal",
547 ArchivaRoleConstants.OPERATION_READ_REPOSITORY ) ).thenReturn(
549 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
550 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
551 mockHttpServletRequest.setMethod( "GET" );
552 mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
554 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
556 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
557 assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
560 // test get with valid user with read access to repo
562 public void testGetWithAValidUserWithReadAccess()
565 String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
566 String expectedArtifactContents = "dummy-commons-lang-artifact";
568 Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );
569 Files.createDirectories(artifactFile.getParent());
571 org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);
573 servlet.setDavSessionProvider( davSessionProvider );
575 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
576 archivaDavResourceFactory.setHttpAuth( httpAuth );
577 archivaDavResourceFactory.setServletAuth( servletAuth );
579 servlet.setResourceFactory( archivaDavResourceFactory );
581 AuthenticationResult result = new AuthenticationResult();
583 when( httpAuth.getAuthenticationResult( any( ),
584 any( ) ) ).thenReturn(
587 when( servletAuth.isAuthenticated( any( ),
588 any( ) ) ).thenReturn( true );
589 // ArchivaDavResourceFactory#isAuthorized()
590 SecuritySession session = new DefaultSecuritySession();
592 when( httpAuth.getAuthenticationResult( any( ),
593 any( ) ) ).thenReturn(
596 when( httpAuth.getSecuritySession( any( ) ) ).thenReturn( session );
598 when( httpAuth.getSessionUser( any( ) ) ).thenReturn( new SimpleUser() );
600 when( servletAuth.isAuthenticated( any( ), eq( result ) ) ).thenReturn(
604 servletAuth.isAuthorized( any( ), eq( session ), eq( "internal" ),
605 eq( ArchivaRoleConstants.OPERATION_READ_REPOSITORY ) ) ).thenReturn( true );
607 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
608 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
609 mockHttpServletRequest.setMethod( "GET" );
610 mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
612 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
614 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
615 assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
616 assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
619 // test get with valid user with no read access to repo
621 public void testGetWithAValidUserWithNoReadAccess()
624 String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
625 String expectedArtifactContents = "dummy-commons-lang-artifact";
627 Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );
628 Files.createDirectories(artifactFile.getParent());
630 org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);
632 servlet.setDavSessionProvider( davSessionProvider );
634 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
635 archivaDavResourceFactory.setHttpAuth( httpAuth );
636 archivaDavResourceFactory.setServletAuth( servletAuth );
638 servlet.setResourceFactory( archivaDavResourceFactory );
640 AuthenticationResult result = new AuthenticationResult();
642 when( httpAuth.getAuthenticationResult( any( ),
643 any( ) ) ).thenReturn(
646 when( servletAuth.isAuthenticated( any( ),
647 any( ) ) ).thenReturn( true );
649 // ArchivaDavResourceFactory#isAuthorized()
650 SecuritySession session = new DefaultSecuritySession();
652 when( httpAuth.getAuthenticationResult( any( ),
653 any( ) ) ).thenReturn(
656 when( httpAuth.getSecuritySession( any( ) ) ).thenReturn( session );
658 when( httpAuth.getSessionUser( any( ) ) ).thenReturn( new SimpleUser() );
660 when( servletAuth.isAuthenticated( any( ), eq( result ) ) ).thenReturn(
664 servletAuth.isAuthorized( any( ), eq( session ), eq( "internal" ),
665 eq( ArchivaRoleConstants.OPERATION_READ_REPOSITORY ) ) ).thenThrow(
666 new UnauthorizedException( "User not authorized to read repository." ) );
667 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
668 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
669 mockHttpServletRequest.setMethod( "GET" );
670 mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
673 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
675 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
676 assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
projects / archiva.git / blob