]> source.dussan.org Git - archiva.git/blob
projects / archiva.git / blob
? search:


6c265b225065e84b7674bbca4084d689c911d39d
[archiva.git] /
1 package org.apache.maven.archiva.webdav;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import java.io.File;
23 import java.io.IOException;
24 import java.io.InputStream;
25 import java.util.List;
26
27 import javax.servlet.http.HttpServletResponse;
28
29 import net.sf.ehcache.CacheManager;
30
31 import org.apache.archiva.repository.audit.TestAuditListener;
32 import org.apache.commons.io.FileUtils;
33 import org.apache.jackrabbit.webdav.DavSessionProvider;
34 import org.apache.maven.archiva.configuration.ArchivaConfiguration;
35 import org.apache.maven.archiva.configuration.Configuration;
36 import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
37 import org.apache.maven.archiva.repository.audit.AuditListener;
38 import org.apache.maven.archiva.security.ArchivaRoleConstants;
39 import org.apache.maven.archiva.security.ServletAuthenticator;
40 import org.codehaus.plexus.redback.authentication.AuthenticationException;
41 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
42 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
43 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
44 import org.codehaus.plexus.redback.system.SecuritySession;
45 import org.codehaus.plexus.redback.users.User;
46 import org.codehaus.plexus.redback.users.memory.SimpleUser;
47 import org.codehaus.plexus.spring.PlexusInSpringTestCase;
48 import org.codehaus.redback.integration.filter.authentication.HttpAuthenticator;
49 import org.codehaus.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
50 import org.easymock.MockControl;
51 import org.easymock.classextension.MockClassControl;
52
53 import com.meterware.httpunit.GetMethodWebRequest;
54 import com.meterware.httpunit.HttpUnitOptions;
55 import com.meterware.httpunit.PutMethodWebRequest;
56 import com.meterware.httpunit.WebRequest;
57 import com.meterware.httpunit.WebResponse;
58 import com.meterware.servletunit.InvocationContext;
59 import com.meterware.servletunit.ServletRunner;
60 import com.meterware.servletunit.ServletUnitClient;
61
62 /**
63  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
64  * perform redback security checking.
65  * 
66  * @version $Id$
67  */
68 public class RepositoryServletSecurityTest
69     extends PlexusInSpringTestCase
70 {
71     protected static final String REPOID_INTERNAL = "internal";
72
73     protected ServletUnitClient sc;
74
75     protected File repoRootInternal;
76
77     private ServletRunner sr;
78
79     protected ArchivaConfiguration archivaConfiguration;
80
81     private DavSessionProvider davSessionProvider;
82
83     private MockControl servletAuthControl;
84
85     private ServletAuthenticator servletAuth;
86
87     private MockClassControl httpAuthControl;
88
89     private HttpAuthenticator httpAuth;
90
91     private RepositoryServlet servlet;
92
93     public void setUp()
94         throws Exception
95     {
96         super.setUp();
97
98         String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath();
99         System.setProperty( "appserver.base", appserverBase );
100
101         File testConf = getTestFile( "src/test/resources/repository-archiva.xml" );
102         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
103         FileUtils.copyFile( testConf, testConfDest );
104
105         archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
106         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
107         Configuration config = archivaConfiguration.getConfiguration();
108
109         config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
110         saveConfiguration( archivaConfiguration );
111
112         CacheManager.getInstance().removeCache( "url-failures-cache" );
113
114         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
115
116         sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
117         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
118         sc = sr.newClient();
119
120         servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
121         servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
122         servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
123
124         httpAuthControl =
125             MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
126         httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
127         httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
128
129         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
130     }
131
132     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
133     {
134         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
135         repo.setId( id );
136         repo.setName( name );
137         repo.setLocation( location.getAbsolutePath() );
138         return repo;
139     }
140
141     protected void saveConfiguration()
142         throws Exception
143     {
144         saveConfiguration( archivaConfiguration );
145     }
146
147     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
148         throws Exception
149     {
150         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
151     }
152
153     protected void setupCleanRepo( File repoRootDir )
154         throws IOException
155     {
156         FileUtils.deleteDirectory( repoRootDir );
157         if ( !repoRootDir.exists() )
158         {
159             repoRootDir.mkdirs();
160         }
161     }
162
163     @Override
164     protected String getPlexusConfigLocation()
165     {
166         return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml";
167     }
168
169     @Override
170     protected void tearDown()
171         throws Exception
172     {
173         if ( sc != null )
174         {
175             sc.clearContents();
176         }
177
178         if ( sr != null )
179         {
180             sr.shutDown();
181         }
182
183         if ( repoRootInternal.exists() )
184         {
185             FileUtils.deleteDirectory( repoRootInternal );
186         }
187
188         servlet = null;
189
190         super.tearDown();
191     }
192
193     // test deploy with invalid user, and guest has no write access to repo
194     // 401 must be returned
195     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
196         throws Exception
197     {
198         setupCleanRepo( repoRootInternal );
199
200         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
201         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
202         assertNotNull( "artifact.jar inputstream", is );
203
204         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
205         InvocationContext ic = sc.newInvocation( request );
206         servlet = (RepositoryServlet) ic.getServlet();
207         servlet.setDavSessionProvider( davSessionProvider );
208
209         AuthenticationResult result = new AuthenticationResult();
210         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
211         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
212                                            new AuthenticationException( "Authentication error" ) );
213
214         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
215         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
216         servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
217
218         httpAuthControl.replay();
219         servletAuthControl.replay();
220
221         servlet.service( ic.getRequest(), ic.getResponse() );
222
223         httpAuthControl.verify();
224         servletAuthControl.verify();
225
226         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
227     }
228
229     // test deploy with invalid user, but guest has write access to repo
230     public void testPutWithInvalidUserAndGuestHasWriteAccess()
231         throws Exception
232     {
233         setupCleanRepo( repoRootInternal );
234
235         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
236         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
237         assertNotNull( "artifact.jar inputstream", is );
238
239         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
240
241         InvocationContext ic = sc.newInvocation( request );
242         servlet = (RepositoryServlet) ic.getServlet();
243         servlet.setDavSessionProvider( davSessionProvider );
244
245         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
246         archivaDavResourceFactory.setHttpAuth( httpAuth );
247         archivaDavResourceFactory.setServletAuth( servletAuth );
248
249         servlet.setResourceFactory( archivaDavResourceFactory );
250
251         AuthenticationResult result = new AuthenticationResult();
252         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
253         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
254                                            new AuthenticationException( "Authentication error" ) );
255
256         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
257         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
258         servletAuthControl.setReturnValue( true );
259
260         // ArchivaDavResourceFactory#isAuthorized()
261         SecuritySession session = new DefaultSecuritySession();
262         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
263         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
264         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
265                                            new AuthenticationException( "Authentication error" ) );
266
267         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
268
269         // check if guest has write access
270         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
271         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
272         servletAuthControl.setReturnValue( true );
273
274         httpAuthControl.replay();
275         servletAuthControl.replay();
276
277         servlet.service( ic.getRequest(), ic.getResponse() );
278
279         httpAuthControl.verify();
280         servletAuthControl.verify();
281
282         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
283     }
284
285     // test deploy with a valid user with no write access
286     public void testPutWithValidUserWithNoWriteAccess()
287         throws Exception
288     {
289         setupCleanRepo( repoRootInternal );
290
291         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
292         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
293         assertNotNull( "artifact.jar inputstream", is );
294
295         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
296
297         InvocationContext ic = sc.newInvocation( request );
298         servlet = (RepositoryServlet) ic.getServlet();
299         servlet.setDavSessionProvider( davSessionProvider );
300
301         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
302         archivaDavResourceFactory.setHttpAuth( httpAuth );
303         archivaDavResourceFactory.setServletAuth( servletAuth );
304         servlet.setResourceFactory( archivaDavResourceFactory );
305
306         AuthenticationResult result = new AuthenticationResult();
307         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
308         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
309
310         // ArchivaDavResourceFactory#isAuthorized()
311         SecuritySession session = new DefaultSecuritySession();
312         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
313         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
314         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
315         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
316         servletAuthControl.expectAndThrow(
317                                            servletAuth.isAuthorized( null, session, "internal",
318                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
319                                            new UnauthorizedException( "User not authorized" ) );
320
321         httpAuthControl.replay();
322         servletAuthControl.replay();
323
324         servlet.service( ic.getRequest(), ic.getResponse() );
325
326         httpAuthControl.verify();
327         servletAuthControl.verify();
328
329         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
330     }
331
332     // test deploy with a valid user with write access
333     public void testPutWithValidUserWithWriteAccess()
334         throws Exception
335     {
336         setupCleanRepo( repoRootInternal );
337         assertTrue( repoRootInternal.exists() );
338
339         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
340         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
341         assertNotNull( "artifact.jar inputstream", is );
342
343         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
344
345         InvocationContext ic = sc.newInvocation( request );
346         servlet = (RepositoryServlet) ic.getServlet();
347         servlet.setDavSessionProvider( davSessionProvider );
348
349         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
350         archivaDavResourceFactory.setHttpAuth( httpAuth );
351         archivaDavResourceFactory.setServletAuth( servletAuth );
352
353         TestAuditListener listener = new TestAuditListener();
354         archivaDavResourceFactory.addAuditListener( listener );
355         servlet.setResourceFactory( archivaDavResourceFactory );
356
357         AuthenticationResult result = new AuthenticationResult();
358         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
359         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
360
361         User user = new SimpleUser();
362         user.setUsername( "admin" );
363         
364         // ArchivaDavResourceFactory#isAuthorized()
365         SecuritySession session = new DefaultSecuritySession();
366         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
367         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
368         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), user );
369         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
370         servletAuthControl.expectAndReturn(
371                                             servletAuth.isAuthorized( null, session, "internal",
372                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
373                                             true );
374
375         httpAuthControl.replay();
376         servletAuthControl.replay();
377
378         servlet.service( ic.getRequest(), ic.getResponse() );
379
380         httpAuthControl.verify();
381         servletAuthControl.verify();
382
383         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
384
385         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
386     }
387
388     // test get with invalid user, and guest has read access to repo
389     public void testGetWithInvalidUserAndGuestHasReadAccess()
390         throws Exception
391     {
392         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
393         String expectedArtifactContents = "dummy-commons-lang-artifact";
394
395         File artifactFile = new File( repoRootInternal, commonsLangJar );
396         artifactFile.getParentFile().mkdirs();
397
398         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
399
400         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
401         InvocationContext ic = sc.newInvocation( request );
402         servlet = (RepositoryServlet) ic.getServlet();
403         servlet.setDavSessionProvider( davSessionProvider );
404
405         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
406         archivaDavResourceFactory.setHttpAuth( httpAuth );
407         archivaDavResourceFactory.setServletAuth( servletAuth );
408
409         servlet.setResourceFactory( archivaDavResourceFactory );
410
411         AuthenticationResult result = new AuthenticationResult();
412         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
413         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
414                                            new AuthenticationException( "Authentication error" ) );
415         servletAuthControl.expectAndReturn(
416                                             servletAuth.isAuthorized( "guest", "internal",
417                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
418                                             true );
419
420         // ArchivaDavResourceFactory#isAuthorized()
421         SecuritySession session = new DefaultSecuritySession();
422         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
423         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
424         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
425         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
426         servletAuthControl.expectAndReturn(
427                                             servletAuth.isAuthorized( null, session, "internal",
428                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
429                                             true );
430
431         httpAuthControl.replay();
432         servletAuthControl.replay();
433
434         WebResponse response = sc.getResponse( request );
435
436         httpAuthControl.verify();
437         servletAuthControl.verify();
438
439         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
440         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
441     }
442
443     // test get with invalid user, and guest has no read access to repo
444     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
445         throws Exception
446     {
447         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
448         String expectedArtifactContents = "dummy-commons-lang-artifact";
449
450         File artifactFile = new File( repoRootInternal, commonsLangJar );
451         artifactFile.getParentFile().mkdirs();
452
453         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
454
455         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
456         InvocationContext ic = sc.newInvocation( request );
457         servlet = (RepositoryServlet) ic.getServlet();
458         servlet.setDavSessionProvider( davSessionProvider );
459
460         AuthenticationResult result = new AuthenticationResult();
461         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
462         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
463                                            new AuthenticationException( "Authentication error" ) );
464         servletAuthControl.expectAndReturn(
465                                             servletAuth.isAuthorized( "guest", "internal",
466                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
467                                             false );
468
469         httpAuthControl.replay();
470         servletAuthControl.replay();
471
472         WebResponse response = sc.getResponse( request );
473
474         httpAuthControl.verify();
475         servletAuthControl.verify();
476
477         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
478     }
479
480     // test get with valid user with read access to repo
481     public void testGetWithAValidUserWithReadAccess()
482         throws Exception
483     {
484         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
485         String expectedArtifactContents = "dummy-commons-lang-artifact";
486
487         File artifactFile = new File( repoRootInternal, commonsLangJar );
488         artifactFile.getParentFile().mkdirs();
489
490         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
491
492         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
493         InvocationContext ic = sc.newInvocation( request );
494         servlet = (RepositoryServlet) ic.getServlet();
495         servlet.setDavSessionProvider( davSessionProvider );
496
497         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
498         archivaDavResourceFactory.setHttpAuth( httpAuth );
499         archivaDavResourceFactory.setServletAuth( servletAuth );
500
501         servlet.setResourceFactory( archivaDavResourceFactory );
502
503         AuthenticationResult result = new AuthenticationResult();
504         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
505         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
506
507         // ArchivaDavResourceFactory#isAuthorized()
508         SecuritySession session = new DefaultSecuritySession();
509         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
510         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
511         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
512         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
513         servletAuthControl.expectAndReturn(
514                                             servletAuth.isAuthorized( null, session, "internal",
515                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
516                                             true );
517
518         httpAuthControl.replay();
519         servletAuthControl.replay();
520
521         WebResponse response = sc.getResponse( request );
522
523         httpAuthControl.verify();
524         servletAuthControl.verify();
525
526         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
527         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
528     }
529
530     // test get with valid user with no read access to repo
531     public void testGetWithAValidUserWithNoReadAccess()
532         throws Exception
533     {
534         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
535         String expectedArtifactContents = "dummy-commons-lang-artifact";
536
537         File artifactFile = new File( repoRootInternal, commonsLangJar );
538         artifactFile.getParentFile().mkdirs();
539
540         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
541
542         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
543         InvocationContext ic = sc.newInvocation( request );
544         servlet = (RepositoryServlet) ic.getServlet();
545         servlet.setDavSessionProvider( davSessionProvider );
546
547         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
548         archivaDavResourceFactory.setHttpAuth( httpAuth );
549         archivaDavResourceFactory.setServletAuth( servletAuth );
550
551         servlet.setResourceFactory( archivaDavResourceFactory );
552
553         AuthenticationResult result = new AuthenticationResult();
554         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
555         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
556
557         // ArchivaDavResourceFactory#isAuthorized()
558         SecuritySession session = new DefaultSecuritySession();
559         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
560         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
561         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
562         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
563         servletAuthControl.expectAndThrow(
564                                            servletAuth.isAuthorized( null, session, "internal",
565                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
566                                            new UnauthorizedException( "User not authorized to read repository." ) );
567
568         httpAuthControl.replay();
569         servletAuthControl.replay();
570
571         WebResponse response = sc.getResponse( request );
572
573         httpAuthControl.verify();
574         servletAuthControl.verify();
575
576         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
577     }
578 }
Apache Archiva Repository: https://github.com/apache/archiva