]> source.dussan.org Git - archiva.git/blob
54b25518033bb34800b935f5c9d1b33735c2c006
[archiva.git] /
1 package org.apache.archiva.webdav;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import com.meterware.httpunit.GetMethodWebRequest;
23 import com.meterware.httpunit.HttpUnitOptions;
24 import com.meterware.httpunit.PutMethodWebRequest;
25 import com.meterware.httpunit.WebRequest;
26 import com.meterware.httpunit.WebResponse;
27 import com.meterware.servletunit.InvocationContext;
28 import com.meterware.servletunit.ServletRunner;
29 import com.meterware.servletunit.ServletUnitClient;
30 import junit.framework.TestCase;
31 import net.sf.ehcache.CacheManager;
32 import org.apache.archiva.redback.users.User;
33 import org.apache.archiva.repository.audit.TestAuditListener;
34 import org.apache.archiva.security.common.ArchivaRoleConstants;
35 import org.apache.commons.io.FileUtils;
36 import org.apache.jackrabbit.webdav.DavSessionProvider;
37 import org.apache.archiva.configuration.ArchivaConfiguration;
38 import org.apache.archiva.configuration.Configuration;
39 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
40 import org.apache.archiva.security.ServletAuthenticator;
41 import org.codehaus.plexus.redback.authentication.AuthenticationException;
42 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
43 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
44 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
45 import org.codehaus.plexus.redback.system.SecuritySession;
46 import org.codehaus.plexus.redback.users.memory.SimpleUser;
47 import org.codehaus.redback.integration.filter.authentication.HttpAuthenticator;
48 import org.codehaus.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
49 import org.easymock.MockControl;
50 import org.easymock.classextension.MockClassControl;
51 import org.junit.After;
52 import org.junit.Before;
53 import org.junit.Test;
54 import org.junit.runner.RunWith;
55 import org.springframework.context.ApplicationContext;
56 import org.springframework.test.context.ContextConfiguration;
57 import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
58
59 import javax.inject.Inject;
60 import javax.servlet.http.HttpServletResponse;
61 import java.io.File;
62 import java.io.IOException;
63 import java.io.InputStream;
64
65 /**
66  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
67  * perform redback security checking.
68  * 
69  * @version $Id$
70  */
71 @RunWith( SpringJUnit4ClassRunner.class )
72 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context.xml" } )
73 public class RepositoryServletSecurityTest
74     extends TestCase
75 {
76     protected static final String REPOID_INTERNAL = "internal";
77
78     protected ServletUnitClient sc;
79
80     protected File repoRootInternal;
81
82     private ServletRunner sr;
83
84     protected ArchivaConfiguration archivaConfiguration;
85
86     private DavSessionProvider davSessionProvider;
87
88     private MockControl servletAuthControl;
89
90     private ServletAuthenticator servletAuth;
91
92     private MockClassControl httpAuthControl;
93
94     private HttpAuthenticator httpAuth;
95
96     private RepositoryServlet servlet;
97
98     @Inject
99     ApplicationContext applicationContext;
100
101     @Before
102     public void setUp()
103         throws Exception
104     {
105         super.setUp();
106
107         String appserverBase =  System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
108
109         File testConf = new File( "src/test/resources/repository-archiva.xml" );
110         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
111         FileUtils.copyFile( testConf, testConfDest );
112
113         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
114
115         archivaConfiguration = applicationContext.getBean( ArchivaConfiguration.class );
116         Configuration config = archivaConfiguration.getConfiguration();
117
118         if (!config.getManagedRepositoriesAsMap().containsKey( REPOID_INTERNAL ))
119         {
120             config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
121         }
122         saveConfiguration( archivaConfiguration );
123
124         CacheManager.getInstance().clearAll();
125
126         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
127
128         sr = new ServletRunner( new File( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
129         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
130         sc = sr.newClient();
131
132         servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
133         servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
134         servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
135
136         httpAuthControl =
137             MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
138         httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
139         httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
140
141         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
142     }
143
144     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
145     {
146         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
147         repo.setId( id );
148         repo.setName( name );
149         repo.setLocation( location.getAbsolutePath() );
150         return repo;
151     }
152
153     protected void saveConfiguration()
154         throws Exception
155     {
156         saveConfiguration( archivaConfiguration );
157     }
158
159     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
160         throws Exception
161     {
162         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
163     }
164
165     protected void setupCleanRepo( File repoRootDir )
166         throws IOException
167     {
168         FileUtils.deleteDirectory( repoRootDir );
169         if ( !repoRootDir.exists() )
170         {
171             repoRootDir.mkdirs();
172         }
173     }
174
175     @Override
176     @After
177     public void tearDown()
178         throws Exception
179     {
180         if ( sc != null )
181         {
182             sc.clearContents();
183         }
184
185         if ( sr != null )
186         {
187             sr.shutDown();
188         }
189
190         if ( repoRootInternal.exists() )
191         {
192             FileUtils.deleteDirectory( repoRootInternal );
193         }
194
195         servlet = null;
196
197         super.tearDown();
198     }
199
200     // test deploy with invalid user, and guest has no write access to repo
201     // 401 must be returned
202     @Test
203     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
204         throws Exception
205     {
206         setupCleanRepo( repoRootInternal );
207
208         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
209         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
210         assertNotNull( "artifact.jar inputstream", is );
211
212         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
213         InvocationContext ic = sc.newInvocation( request );
214         servlet = (RepositoryServlet) ic.getServlet();
215         servlet.setDavSessionProvider( davSessionProvider );
216
217         AuthenticationResult result = new AuthenticationResult();
218         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
219         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
220                                            new AuthenticationException( "Authentication error" ) );
221
222         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
223         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
224         servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
225
226         httpAuthControl.replay();
227         servletAuthControl.replay();
228
229         servlet.service( ic.getRequest(), ic.getResponse() );
230
231         httpAuthControl.verify();
232         servletAuthControl.verify();
233
234         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
235     }
236
237     // test deploy with invalid user, but guest has write access to repo
238     @Test
239     public void testPutWithInvalidUserAndGuestHasWriteAccess()
240         throws Exception
241     {
242         setupCleanRepo( repoRootInternal );
243
244         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
245         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
246         assertNotNull( "artifact.jar inputstream", is );
247
248         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
249
250         InvocationContext ic = sc.newInvocation( request );
251         servlet = (RepositoryServlet) ic.getServlet();
252         servlet.setDavSessionProvider( davSessionProvider );
253
254         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
255         archivaDavResourceFactory.setHttpAuth( httpAuth );
256         archivaDavResourceFactory.setServletAuth( servletAuth );
257
258         servlet.setResourceFactory( archivaDavResourceFactory );
259
260         AuthenticationResult result = new AuthenticationResult();
261         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
262         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
263                                            new AuthenticationException( "Authentication error" ) );
264
265         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
266         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
267         servletAuthControl.setReturnValue( true );
268
269         // ArchivaDavResourceFactory#isAuthorized()
270         SecuritySession session = new DefaultSecuritySession();
271         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
272         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
273         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
274                                            new AuthenticationException( "Authentication error" ) );
275
276         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
277
278         // check if guest has write access
279         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
280         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
281         servletAuthControl.setReturnValue( true );
282
283         httpAuthControl.replay();
284         servletAuthControl.replay();
285
286         servlet.service( ic.getRequest(), ic.getResponse() );
287
288         httpAuthControl.verify();
289         servletAuthControl.verify();
290
291         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
292     }
293
294     // test deploy with a valid user with no write access
295     @Test
296     public void testPutWithValidUserWithNoWriteAccess()
297         throws Exception
298     {
299         setupCleanRepo( repoRootInternal );
300
301         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
302         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
303         assertNotNull( "artifact.jar inputstream", is );
304
305         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
306
307         InvocationContext ic = sc.newInvocation( request );
308         servlet = (RepositoryServlet) ic.getServlet();
309         servlet.setDavSessionProvider( davSessionProvider );
310
311         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
312         archivaDavResourceFactory.setHttpAuth( httpAuth );
313         archivaDavResourceFactory.setServletAuth( servletAuth );
314         servlet.setResourceFactory( archivaDavResourceFactory );
315
316         AuthenticationResult result = new AuthenticationResult();
317         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
318         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
319
320         // ArchivaDavResourceFactory#isAuthorized()
321         SecuritySession session = new DefaultSecuritySession();
322         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
323         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
324         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
325         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
326         servletAuthControl.expectAndThrow(
327                                            servletAuth.isAuthorized( null, session, "internal",
328                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
329                                            new UnauthorizedException( "User not authorized" ) );
330
331         httpAuthControl.replay();
332         servletAuthControl.replay();
333
334         servlet.service( ic.getRequest(), ic.getResponse() );
335
336         httpAuthControl.verify();
337         servletAuthControl.verify();
338
339         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
340     }
341
342     // test deploy with a valid user with write access
343     @Test
344     public void testPutWithValidUserWithWriteAccess()
345         throws Exception
346     {
347         setupCleanRepo( repoRootInternal );
348         assertTrue( repoRootInternal.exists() );
349
350         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
351         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
352         assertNotNull( "artifact.jar inputstream", is );
353
354         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
355
356         InvocationContext ic = sc.newInvocation( request );
357         servlet = (RepositoryServlet) ic.getServlet();
358         servlet.setDavSessionProvider( davSessionProvider );
359
360         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
361         archivaDavResourceFactory.setHttpAuth( httpAuth );
362         archivaDavResourceFactory.setServletAuth( servletAuth );
363
364         TestAuditListener listener = new TestAuditListener();
365         archivaDavResourceFactory.addAuditListener( listener );
366         servlet.setResourceFactory( archivaDavResourceFactory );
367
368         AuthenticationResult result = new AuthenticationResult();
369         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
370         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
371
372         User user = new SimpleUser();
373         user.setUsername( "admin" );
374         
375         // ArchivaDavResourceFactory#isAuthorized()
376         SecuritySession session = new DefaultSecuritySession();
377         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
378         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
379         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), user );
380         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
381         servletAuthControl.expectAndReturn(
382                                             servletAuth.isAuthorized( null, session, "internal",
383                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
384                                             true );
385
386         httpAuthControl.replay();
387         servletAuthControl.replay();
388
389         servlet.service( ic.getRequest(), ic.getResponse() );
390
391         httpAuthControl.verify();
392         servletAuthControl.verify();
393
394         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
395
396         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
397     }
398
399     // test get with invalid user, and guest has read access to repo
400     @Test
401     public void testGetWithInvalidUserAndGuestHasReadAccess()
402         throws Exception
403     {
404         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
405         String expectedArtifactContents = "dummy-commons-lang-artifact";
406
407         File artifactFile = new File( repoRootInternal, commonsLangJar );
408         artifactFile.getParentFile().mkdirs();
409
410         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
411
412         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
413         InvocationContext ic = sc.newInvocation( request );
414         servlet = (RepositoryServlet) ic.getServlet();
415         servlet.setDavSessionProvider( davSessionProvider );
416
417         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
418         archivaDavResourceFactory.setHttpAuth( httpAuth );
419         archivaDavResourceFactory.setServletAuth( servletAuth );
420
421         servlet.setResourceFactory( archivaDavResourceFactory );
422
423         AuthenticationResult result = new AuthenticationResult();
424         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
425         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
426                                            new AuthenticationException( "Authentication error" ) );
427         servletAuthControl.expectAndReturn(
428                                             servletAuth.isAuthorized( "guest", "internal",
429                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
430                                             true );
431
432         // ArchivaDavResourceFactory#isAuthorized()
433         SecuritySession session = new DefaultSecuritySession();
434         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
435         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
436         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
437         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
438         servletAuthControl.expectAndReturn(
439                                             servletAuth.isAuthorized( null, session, "internal",
440                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
441                                             true );
442
443         httpAuthControl.replay();
444         servletAuthControl.replay();
445
446         WebResponse response = sc.getResponse( request );
447
448         httpAuthControl.verify();
449         servletAuthControl.verify();
450
451         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
452         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
453     }
454
455     // test get with invalid user, and guest has no read access to repo
456     @Test
457     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
458         throws Exception
459     {
460         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
461         String expectedArtifactContents = "dummy-commons-lang-artifact";
462
463         File artifactFile = new File( repoRootInternal, commonsLangJar );
464         artifactFile.getParentFile().mkdirs();
465
466         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
467
468         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
469         InvocationContext ic = sc.newInvocation( request );
470         servlet = (RepositoryServlet) ic.getServlet();
471         servlet.setDavSessionProvider( davSessionProvider );
472
473         AuthenticationResult result = new AuthenticationResult();
474         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
475         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
476                                            new AuthenticationException( "Authentication error" ) );
477         servletAuthControl.expectAndReturn(
478                                             servletAuth.isAuthorized( "guest", "internal",
479                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
480                                             false );
481
482         httpAuthControl.replay();
483         servletAuthControl.replay();
484
485         WebResponse response = sc.getResponse( request );
486
487         httpAuthControl.verify();
488         servletAuthControl.verify();
489
490         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
491     }
492
493     // test get with valid user with read access to repo
494     @Test
495     public void testGetWithAValidUserWithReadAccess()
496         throws Exception
497     {
498         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
499         String expectedArtifactContents = "dummy-commons-lang-artifact";
500
501         File artifactFile = new File( repoRootInternal, commonsLangJar );
502         artifactFile.getParentFile().mkdirs();
503
504         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
505
506         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
507         InvocationContext ic = sc.newInvocation( request );
508         servlet = (RepositoryServlet) ic.getServlet();
509         servlet.setDavSessionProvider( davSessionProvider );
510
511         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
512         archivaDavResourceFactory.setHttpAuth( httpAuth );
513         archivaDavResourceFactory.setServletAuth( servletAuth );
514
515         servlet.setResourceFactory( archivaDavResourceFactory );
516
517         AuthenticationResult result = new AuthenticationResult();
518         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
519         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
520
521         // ArchivaDavResourceFactory#isAuthorized()
522         SecuritySession session = new DefaultSecuritySession();
523         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
524         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
525         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
526         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
527         servletAuthControl.expectAndReturn(
528                                             servletAuth.isAuthorized( null, session, "internal",
529                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
530                                             true );
531
532         httpAuthControl.replay();
533         servletAuthControl.replay();
534
535         WebResponse response = sc.getResponse( request );
536
537         httpAuthControl.verify();
538         servletAuthControl.verify();
539
540         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
541         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
542     }
543
544     // test get with valid user with no read access to repo
545     @Test
546     public void testGetWithAValidUserWithNoReadAccess()
547         throws Exception
548     {
549         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
550         String expectedArtifactContents = "dummy-commons-lang-artifact";
551
552         File artifactFile = new File( repoRootInternal, commonsLangJar );
553         artifactFile.getParentFile().mkdirs();
554
555         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
556
557         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
558         InvocationContext ic = sc.newInvocation( request );
559         servlet = (RepositoryServlet) ic.getServlet();
560         servlet.setDavSessionProvider( davSessionProvider );
561
562         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
563         archivaDavResourceFactory.setHttpAuth( httpAuth );
564         archivaDavResourceFactory.setServletAuth( servletAuth );
565
566         servlet.setResourceFactory( archivaDavResourceFactory );
567
568         AuthenticationResult result = new AuthenticationResult();
569         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
570         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
571
572         // ArchivaDavResourceFactory#isAuthorized()
573         SecuritySession session = new DefaultSecuritySession();
574         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
575         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
576         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
577         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
578         servletAuthControl.expectAndThrow(
579                                            servletAuth.isAuthorized( null, session, "internal",
580                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
581                                            new UnauthorizedException( "User not authorized to read repository." ) );
582
583         httpAuthControl.replay();
584         servletAuthControl.replay();
585
586         WebResponse response = sc.getResponse( request );
587
588         httpAuthControl.verify();
589         servletAuthControl.verify();
590
591         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
592     }
593 }