1 package org.apache.maven.archiva.security;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import javax.inject.Inject;
23 import javax.servlet.http.HttpServletRequest;
24
25 import org.codehaus.plexus.redback.authentication.AuthenticationException;
26 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
27 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
28 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
29 import org.codehaus.plexus.redback.system.SecuritySession;
30 import org.codehaus.plexus.redback.users.User;
31 import org.codehaus.plexus.redback.users.UserManager;
32
33 import org.easymock.MockControl;
34 import org.junit.Before;
35 import org.junit.Test;
36
37 /**
38  * ArchivaServletAuthenticatorTest
39  * 
40  * @version
41  */
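public class ArchivaServletAuthenticatorTest
    extends AbstractSecurityTest
{
    /** Repository every test authorizes against; created in {@link #setUp()}. */
    private static final String REPO_ID = "corporate";

    /**
     * Message the request-based {@code isAuthorized} overload is expected to raise on
     * a denied access. Pinned so that a change in the denial path surfaces here.
     */
    private static final String ACCESS_DENIED_MESSAGE = "Access denied for repository " + REPO_ID;

    /** Client address the mocked request reports when the authenticator asks for it. */
    private static final String CLIENT_ADDR = "192.168.111.111";

    @Inject
    private ServletAuthenticator servletAuth;

    /** EasyMock control for {@link #request}; left in record state unless a test replays it. */
    private MockControl httpServletRequestControl;

    private HttpServletRequest request;

    /**
     * Creates a strict mock for the servlet request and the repository the tests use.
     * The mock is NOT replayed here so that tests which never expect the request to be
     * touched can leave it in record state.
     */
    @Before
    public void setUp()
        throws Exception
    {
        super.setUp();

        httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
        request = (HttpServletRequest) httpServletRequestControl.getMock();

        setupRepository( REPO_ID );
    }

    /** Plexus configuration used to wire the {@link ServletAuthenticator} under test. */
    protected String getPlexusConfigLocation()
    {
        return "org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml";
    }

    /**
     * Grants {@code principal} the templated repository-manager role for {@code repoId}.
     * The manager role is the one that carries upload permission in these tests.
     *
     * @param principal user name the role is assigned to (may be the guest user)
     * @param repoId    repository the templated role is instantiated for
     * @throws Exception propagated from the role manager
     */
    protected void assignRepositoryManagerRole( String principal, String repoId )
        throws Exception
    {
        roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
    }

    /**
     * Builds the security session the servlet layer hands to {@code isAuthorized} for a
     * user that has already been created and whose authentication succeeded.
     *
     * @param principal name of an existing user
     * @return session wrapping a successful {@link AuthenticationResult} and the user
     * @throws Exception if the user cannot be looked up
     */
    private SecuritySession authenticatedSessionFor( String principal )
        throws Exception
    {
        UserManager userManager = securitySystem.getUserManager();
        User user = userManager.findUser( principal );

        AuthenticationResult result = new AuthenticationResult( true, principal, null );

        return new DefaultSecuritySession( result, user );
    }

    /**
     * Asserts that the request-based authorization check rejects {@code operation} on
     * the test repository with the expected message, and that the authenticator reads
     * the client address from the request exactly once while doing so (the mock's
     * {@code verify()} fails otherwise). Reading the address on denial is what the
     * original write-denial test already pinned; presumably it feeds an audit log entry
     * identifying the rejected client -- confirm against ArchivaServletAuthenticator.
     *
     * @param session   authenticated session of the user being denied
     * @param operation permission being requested
     * @throws Exception propagated from the authenticator (other than the expected denial)
     */
    private void assertAccessDenied( SecuritySession session, String operation )
        throws Exception
    {
        httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), CLIENT_ADDR );
        httpServletRequestControl.replay();

        try
        {
            servletAuth.isAuthorized( request, session, REPO_ID, operation );
            fail( "UnauthorizedException should have been thrown." );
        }
        catch ( UnauthorizedException e )
        {
            assertEquals( ACCESS_DENIED_MESSAGE, e.getMessage() );
        }

        httpServletRequestControl.verify();
    }

    /**
     * A successful authentication result is accepted. Note that no user named "user"
     * is ever created here, so this exercises only the success flag of the
     * {@link AuthenticationResult}; presumably the authenticator does not consult the
     * user manager in this path -- confirm before relying on the test name.
     */
    @Test
    public void testIsAuthenticatedUserExists()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( true, "user", null );

        assertTrue( servletAuth.isAuthenticated( request, result ) );
    }

    /**
     * A failed authentication result must be rejected with an
     * {@link AuthenticationException} rather than silently treated as a guest.
     */
    @Test
    public void testIsAuthenticatedUserDoesNotExist()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );

        try
        {
            servletAuth.isAuthenticated( request, result );
            fail( "Authentication exception should have been thrown." );
        }
        catch ( AuthenticationException e )
        {
            assertEquals( "User Credentials Invalid", e.getMessage() );
        }
    }

    /** A repository manager may upload to the repository. */
    @Test
    public void testIsAuthorizedUserHasWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca" );
        assignRepositoryManagerRole( USER_ALPACA, REPO_ID );

        SecuritySession session = authenticatedSessionFor( USER_ALPACA );

        boolean isAuthorized =
            servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

        assertTrue( isAuthorized );
    }

    /** A repository observer (read-only) must not be allowed to upload. */
    @Test
    public void testIsAuthorizedUserHasNoWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca" );
        assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

        SecuritySession session = authenticatedSessionFor( USER_ALPACA );

        assertAccessDenied( session, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
    }

    /** A repository observer may read the repository. */
    @Test
    public void testIsAuthorizedUserHasReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca" );
        assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

        SecuritySession session = authenticatedSessionFor( USER_ALPACA );

        boolean isAuthorized =
            servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

        assertTrue( isAuthorized );
    }

    /**
     * An authenticated user with no role on the repository must be denied read access.
     * This now uses the same denial assertion as the write case, so the read-denial path
     * is also checked for consulting the client address rather than only for the message.
     */
    @Test
    public void testIsAuthorizedUserHasNoReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca" );

        SecuritySession session = authenticatedSessionFor( USER_ALPACA );

        assertAccessDenied( session, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
    }

    /**
     * The principal-based overload returns {@code true} when the guest account has
     * explicitly been made a repository manager.
     */
    @Test
    public void testIsAuthorizedGuestUserHasWriteAccess()
        throws Exception
    {
        assignRepositoryManagerRole( USER_GUEST, REPO_ID );

        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

        assertTrue( isAuthorized );
    }

    /**
     * The principal-based overload reports {@code false} (it does not throw, unlike the
     * request-based overload) when guest only holds the observer role.
     */
    @Test
    public void testIsAuthorizedGuestUserHasNoWriteAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );

        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

        assertFalse( isAuthorized );
    }

    /** Guest with the observer role may read the repository. */
    @Test
    public void testIsAuthorizedGuestUserHasReadAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );

        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

        assertTrue( isAuthorized );
    }

    /**
     * Default-deny: with no role assigned at all, guest must not be able to read the
     * repository. No role is assigned in this test on purpose.
     */
    @Test
    public void testIsAuthorizedGuestUserHasNoReadAccess()
        throws Exception
    {
        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

        assertFalse( isAuthorized );
    }
}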