source.dussan.org Git - archiva.git/blob

   1 package org.apache.archiva.webdav;
   2
   3 /*
   4  * Licensed to the Apache Software Foundation (ASF) under one
   5  * or more contributor license agreements.  See the NOTICE file
   6  * distributed with this work for additional information
   7  * regarding copyright ownership.  The ASF licenses this file
   8  * to you under the Apache License, Version 2.0 (the
   9  * "License"); you may not use this file except in compliance
  10  * with the License.  You may obtain a copy of the License at
  11  *
  12  *  http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  17  * KIND, either express or implied.  See the License for the
  18  * specific language governing permissions and limitations
  19  * under the License.
  20  */
  21
  22
  23 import junit.framework.TestCase;
  24 import net.sf.ehcache.CacheManager;
  25 import org.apache.archiva.configuration.ArchivaConfiguration;
  26 import org.apache.archiva.configuration.Configuration;
  27 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
  28 import org.apache.archiva.redback.authentication.AuthenticationException;
  29 import org.apache.archiva.redback.authentication.AuthenticationResult;
  30 import org.apache.archiva.redback.authorization.UnauthorizedException;
  31 import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
  32 import org.apache.archiva.redback.system.DefaultSecuritySession;
  33 import org.apache.archiva.redback.system.SecuritySession;
  34 import org.apache.archiva.redback.users.User;
  35 import org.apache.archiva.redback.users.memory.SimpleUser;
  36 import org.apache.archiva.repository.audit.TestAuditListener;
  37 import org.apache.archiva.security.ServletAuthenticator;
  38 import org.apache.archiva.security.common.ArchivaRoleConstants;
  39 import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
  40 import org.apache.archiva.webdav.util.MavenIndexerCleaner;
  41 import org.apache.commons.io.FileUtils;
  42 import org.apache.commons.io.IOUtils;
  43 import org.apache.jackrabbit.webdav.DavSessionProvider;
  44 import org.easymock.EasyMock;
  45 import org.easymock.IMocksControl;
  46 import org.junit.After;
  47 import org.junit.Before;
  48 import org.junit.Rule;
  49 import org.junit.Test;
  50 import org.junit.runner.RunWith;
  51 import org.springframework.context.ApplicationContext;
  52 import org.springframework.mock.web.MockHttpServletRequest;
  53 import org.springframework.mock.web.MockHttpServletResponse;
  54 import org.springframework.mock.web.MockServletConfig;
  55 import org.springframework.mock.web.MockServletContext;
  56 import org.springframework.test.context.ContextConfiguration;
  57 import org.springframework.web.context.WebApplicationContext;
  58
  59 import javax.inject.Inject;
  60 import javax.servlet.ServletContext;
  61 import javax.servlet.http.HttpServletRequest;
  62 import javax.servlet.http.HttpServletResponse;
  63 import javax.servlet.http.HttpSession;
  64 import java.io.InputStream;
  65 import java.nio.charset.Charset;
  66 import java.nio.file.Files;
  67 import java.nio.file.Path;
  68 import java.nio.file.Paths;
  69 import java.util.ArrayList;
  70 import java.util.List;
  71
  72 import static org.easymock.EasyMock.anyObject;
  73 import static org.easymock.EasyMock.eq;
  74
  75 /**
  76  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
  77  * perform redback security checking.
  78  */
  79 @RunWith( ArchivaSpringJUnit4ClassRunner.class )
  80 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context-servlet-security-test.xml" } )
  81 public class RepositoryServletSecurityTest
  82     extends TestCase
  83 {
  84     protected static final String REPOID_INTERNAL = "internal";
  85
  86     @Inject
  87     protected ArchivaConfiguration archivaConfiguration;
  88
  89     private DavSessionProvider davSessionProvider;
  90
  91     private IMocksControl servletAuthControl;
  92
  93     private ServletAuthenticator servletAuth;
  94
  95     private IMocksControl httpAuthControl;
  96
  97     private HttpAuthenticator httpAuth;
  98
  99     private RepositoryServlet servlet;
 100
 101     @Inject
 102     ApplicationContext applicationContext;
 103
 104
 105     @Rule
 106     public ArchivaTemporaryFolderRule repoRootInternal = new ArchivaTemporaryFolderRule();
 107
 108     @Before
 109     @Override
 110     public void setUp()
 111         throws Exception
 112     {
 113
 114         super.setUp();
 115
 116         String appserverBase =
 117             System.getProperty( "appserver.base", Paths.get( "target/appserver-base" ).toAbsolutePath().toString() );
 118
 119         Path testConf = Paths.get( "src/test/resources/repository-archiva.xml" );
 120         Path testConfDest = Paths.get(appserverBase, "conf/archiva.xml" );
 121         FileUtils.copyFile( testConf.toFile(), testConfDest.toFile() );
 122
 123
 124
 125         Configuration config = archivaConfiguration.getConfiguration();
 126         // clear managed repository
 127         List<ManagedRepositoryConfiguration> f1 = new ArrayList<>(config.getManagedRepositories());
 128         for (ManagedRepositoryConfiguration f: f1 ) {
 129             config.removeManagedRepository(f);
 130         }
 131         assertEquals(0,config.getManagedRepositories().size());
 132         // add internal repo
 133         config.addManagedRepository(
 134                 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal.getRoot() ) );
 135
 136         saveConfiguration( archivaConfiguration );
 137
 138         CacheManager.getInstance().clearAll();
 139
 140
 141         servletAuthControl = EasyMock.createControl();
 142
 143         servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );
 144
 145         httpAuthControl = EasyMock.createControl();
 146
 147         httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );
 148
 149         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
 150
 151         final MockServletContext mockServletContext = new MockServletContext();
 152
 153         WebApplicationContext webApplicationContext =
 154             new AbstractRepositoryServletTestCase.TestWebapplicationContext( applicationContext, mockServletContext );
 155
 156         mockServletContext.setAttribute( WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
 157                                          webApplicationContext );
 158
 159         MockServletConfig mockServletConfig = new MockServletConfig()
 160         {
 161             @Override
 162             public ServletContext getServletContext()
 163             {
 164                 return mockServletContext;
 165             }
 166         };
 167
 168         servlet = new RepositoryServlet();
 169
 170         servlet.init( mockServletConfig );
 171     }
 172
 173     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, Path location )
 174     {
 175         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
 176         repo.setId( id );
 177         repo.setName( name );
 178         repo.setLocation( location.toAbsolutePath().toString() );
 179         return repo;
 180     }
 181
 182     /*protected void saveConfiguration()
 183         throws Exception
 184     {
 185         saveConfiguration( archivaConfiguration );
 186     }*/
 187
 188     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
 189         throws Exception
 190     {
 191         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
 192     }
 193
 194     /*protected void setupCleanRepo( File repoRootDir )
 195         throws IOException
 196     {
 197     }*/
 198
 199     @Override
 200     @After
 201     public void tearDown()
 202         throws Exception
 203     {
 204
 205        /* if ( repoRootInternal.exists() )
 206         {
 207             FileUtils.deleteDirectory( repoRootInternal );
 208         }*/
 209
 210         applicationContext.getBean( MavenIndexerCleaner.class ).cleanupIndex();
 211
 212         super.tearDown();
 213     }
 214
 215
 216
 217     // test deploy with invalid user, and guest has no write access to repo
 218     // 401 must be returned
 219     @Test
 220     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
 221         throws Exception
 222     {
 223
 224         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 225         assertNotNull( "artifact.jar inputstream", is );
 226
 227         servlet.setDavSessionProvider( davSessionProvider );
 228
 229         AuthenticationResult result = new AuthenticationResult();
 230
 231         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 232                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 233             result );
 234
 235         servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),
 236                                      EasyMock.anyObject( AuthenticationResult.class ) );
 237         EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );
 238
 239         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 240
 241         EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );
 242
 243         httpAuthControl.replay();
 244         servletAuthControl.replay();
 245         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 246         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 247         mockHttpServletRequest.setMethod( "PUT" );
 248         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
 249         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
 250         mockHttpServletRequest.setContentType( "application/octet-stream" );
 251
 252         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 253
 254         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 255
 256         httpAuthControl.verify();
 257         servletAuthControl.verify();
 258
 259         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
 260     }
 261
 262     // test deploy with invalid user, but guest has write access to repo
 263     @Test
 264     public void testPutWithInvalidUserAndGuestHasWriteAccess()
 265         throws Exception
 266     {
 267
 268         servlet.setDavSessionProvider( davSessionProvider );
 269
 270         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 271         archivaDavResourceFactory.setHttpAuth( httpAuth );
 272         archivaDavResourceFactory.setServletAuth( servletAuth );
 273
 274         servlet.setResourceFactory( archivaDavResourceFactory );
 275
 276         AuthenticationResult result = new AuthenticationResult();
 277
 278         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 279                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 280             result );
 281
 282         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 283                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 284             new AuthenticationException( "Authentication error" ) );
 285
 286         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 287                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
 288             true );
 289
 290         // ArchivaDavResourceFactory#isAuthorized()
 291         SecuritySession session = new DefaultSecuritySession();
 292
 293         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 294                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 295             result );
 296
 297         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 298
 299         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andThrow(
 300             new AuthenticationException( "Authentication error" ) );
 301
 302         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 303
 304         // check if guest has write access
 305         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 306                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
 307             true );
 308
 309         httpAuthControl.replay();
 310         servletAuthControl.replay();
 311
 312         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 313         assertNotNull( "artifact.jar inputstream", is );
 314
 315         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 316         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 317         mockHttpServletRequest.setMethod( "PUT" );
 318         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
 319         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
 320         mockHttpServletRequest.setContentType( "application/octet-stream" );
 321
 322         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 323
 324         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 325
 326         httpAuthControl.verify();
 327         servletAuthControl.verify();
 328
 329         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
 330     }
 331
 332     // test deploy with a valid user with no write access
 333     @Test
 334     public void testPutWithValidUserWithNoWriteAccess()
 335         throws Exception
 336     {
 337
 338         servlet.setDavSessionProvider( davSessionProvider );
 339
 340         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 341         archivaDavResourceFactory.setHttpAuth( httpAuth );
 342         archivaDavResourceFactory.setServletAuth( servletAuth );
 343         servlet.setResourceFactory( archivaDavResourceFactory );
 344
 345         AuthenticationResult result = new AuthenticationResult();
 346
 347         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 348                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 349             result );
 350
 351         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 352                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 353
 354         // ArchivaDavResourceFactory#isAuthorized()
 355         SecuritySession session = new DefaultSecuritySession();
 356
 357         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 358                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 359             result );
 360
 361         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 362
 363         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession( true ) ) ).andReturn(
 364             session );
 365
 366         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( new SimpleUser() );
 367
 368         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 369             true );
 370
 371         EasyMock.expect(
 372             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 373                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andThrow(
 374             new UnauthorizedException( "User not authorized" ) );
 375         httpAuthControl.replay();
 376         servletAuthControl.replay();
 377
 378         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 379         assertNotNull( "artifact.jar inputstream", is );
 380
 381         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 382         mockHttpServletRequest.setMethod( "PUT" );
 383         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
 384         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
 385         mockHttpServletRequest.setContentType( "application/octet-stream" );
 386
 387         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 388
 389         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 390
 391         httpAuthControl.verify();
 392         servletAuthControl.verify();
 393
 394         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
 395     }
 396
 397     // test deploy with a valid user with write access
 398     @Test
 399     public void testPutWithValidUserWithWriteAccess()
 400         throws Exception
 401     {
 402         assertTrue( Files.exists(repoRootInternal.getRoot()) );
 403
 404         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 405         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 406         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 407         assertNotNull( "artifact.jar inputstream", is );
 408
 409         servlet.setDavSessionProvider( davSessionProvider );
 410
 411         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 412         archivaDavResourceFactory.setHttpAuth( httpAuth );
 413         archivaDavResourceFactory.setServletAuth( servletAuth );
 414
 415         TestAuditListener listener = new TestAuditListener();
 416         archivaDavResourceFactory.addAuditListener( listener );
 417         servlet.setResourceFactory( archivaDavResourceFactory );
 418
 419         AuthenticationResult result = new AuthenticationResult();
 420
 421         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 422                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 423             result );
 424
 425         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 426                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 427
 428         User user = new SimpleUser();
 429         user.setUsername( "admin" );
 430
 431         // ArchivaDavResourceFactory#isAuthorized()
 432         SecuritySession session = new DefaultSecuritySession();
 433
 434         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 435                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 436             result );
 437
 438         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession() ) ).andReturn( session );
 439
 440         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( user );
 441
 442         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 443             true );
 444
 445         EasyMock.expect(
 446             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 447                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andReturn( true );
 448
 449         httpAuthControl.replay();
 450         servletAuthControl.replay();
 451
 452         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 453         mockHttpServletRequest.setMethod( "PUT" );
 454         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
 455         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
 456         mockHttpServletRequest.setContentType( "application/octet-stream" );
 457
 458         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 459
 460         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 461
 462         httpAuthControl.verify();
 463         servletAuthControl.verify();
 464
 465         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
 466
 467         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
 468     }
 469
 470     // test get with invalid user, and guest has read access to repo
 471     @Test
 472     public void testGetWithInvalidUserAndGuestHasReadAccess()
 473         throws Exception
 474     {
 475         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 476         String expectedArtifactContents = "dummy-commons-lang-artifact";
 477
 478         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );
 479         Files.createDirectories(artifactFile.getParent());
 480
 481         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);
 482
 483         servlet.setDavSessionProvider( davSessionProvider );
 484
 485         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 486         archivaDavResourceFactory.setHttpAuth( httpAuth );
 487         archivaDavResourceFactory.setServletAuth( servletAuth );
 488
 489         servlet.setResourceFactory( archivaDavResourceFactory );
 490
 491         AuthenticationResult result = new AuthenticationResult();
 492
 493         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 494                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 495             result );
 496
 497         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 498                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 499             new AuthenticationException( "Authentication error" ) );
 500
 501         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 502                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 503             true );
 504
 505         // ArchivaDavResourceFactory#isAuthorized()
 506         SecuritySession session = new DefaultSecuritySession();
 507
 508         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 509                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 510             result );
 511
 512         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 513
 514         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 515
 516         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 517             true );
 518
 519         EasyMock.expect(
 520             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 521                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
 522         httpAuthControl.replay();
 523         servletAuthControl.replay();
 524
 525         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 526         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 527         mockHttpServletRequest.setMethod( "GET" );
 528         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
 529
 530         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 531
 532         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 533
 534         httpAuthControl.verify();
 535         servletAuthControl.verify();
 536
 537         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
 538
 539         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
 540     }
 541
 542     // test get with invalid user, and guest has no read access to repo
 543     @Test
 544     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
 545         throws Exception
 546     {
 547         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 548         String expectedArtifactContents = "dummy-commons-lang-artifact";
 549
 550         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );
 551         Files.createDirectories(artifactFile.getParent());
 552
 553         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);
 554
 555         servlet.setDavSessionProvider( davSessionProvider );
 556
 557         AuthenticationResult result = new AuthenticationResult();
 558
 559         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 560                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 561             result );
 562
 563         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 564                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 565             new AuthenticationException( "Authentication error" ) );
 566
 567         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 568                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 569             false );
 570         httpAuthControl.replay();
 571         servletAuthControl.replay();
 572
 573         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 574         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 575         mockHttpServletRequest.setMethod( "GET" );
 576         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
 577
 578         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 579
 580         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 581
 582         httpAuthControl.verify();
 583         servletAuthControl.verify();
 584
 585         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
 586     }
 587
 588     // test get with valid user with read access to repo
 589     @Test
 590     public void testGetWithAValidUserWithReadAccess()
 591         throws Exception
 592     {
 593         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 594         String expectedArtifactContents = "dummy-commons-lang-artifact";
 595
 596         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );
 597         Files.createDirectories(artifactFile.getParent());
 598
 599         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);
 600
 601         servlet.setDavSessionProvider( davSessionProvider );
 602
 603         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 604         archivaDavResourceFactory.setHttpAuth( httpAuth );
 605         archivaDavResourceFactory.setServletAuth( servletAuth );
 606
 607         servlet.setResourceFactory( archivaDavResourceFactory );
 608
 609         AuthenticationResult result = new AuthenticationResult();
 610
 611         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 612                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 613             result );
 614
 615         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 616                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 617         // ArchivaDavResourceFactory#isAuthorized()
 618         SecuritySession session = new DefaultSecuritySession();
 619
 620         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 621                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 622             result );
 623
 624         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 625
 626         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
 627
 628         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 629             true );
 630
 631         EasyMock.expect(
 632             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 633                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
 634
 635         httpAuthControl.replay();
 636         servletAuthControl.replay();
 637
 638         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 639         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 640         mockHttpServletRequest.setMethod( "GET" );
 641         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
 642
 643         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 644
 645         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 646
 647         httpAuthControl.verify();
 648         servletAuthControl.verify();
 649
 650         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
 651         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
 652     }
 653
 654     // test get with valid user with no read access to repo
 655     @Test
 656     public void testGetWithAValidUserWithNoReadAccess()
 657         throws Exception
 658     {
 659         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 660         String expectedArtifactContents = "dummy-commons-lang-artifact";
 661
 662         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );
 663         Files.createDirectories(artifactFile.getParent());
 664
 665         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);
 666
 667         servlet.setDavSessionProvider( davSessionProvider );
 668
 669         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 670         archivaDavResourceFactory.setHttpAuth( httpAuth );
 671         archivaDavResourceFactory.setServletAuth( servletAuth );
 672
 673         servlet.setResourceFactory( archivaDavResourceFactory );
 674
 675         AuthenticationResult result = new AuthenticationResult();
 676
 677         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 678                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 679             result );
 680
 681         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 682                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 683
 684         // ArchivaDavResourceFactory#isAuthorized()
 685         SecuritySession session = new DefaultSecuritySession();
 686
 687         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 688                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 689             result );
 690
 691         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 692
 693         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
 694
 695         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 696             true );
 697
 698         EasyMock.expect(
 699             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 700                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andThrow(
 701             new UnauthorizedException( "User not authorized to read repository." ) );
 702         httpAuthControl.replay();
 703         servletAuthControl.replay();
 704
 705         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 706         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 707         mockHttpServletRequest.setMethod( "GET" );
 708         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
 709
 710
 711         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 712
 713         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 714
 715         httpAuthControl.verify();
 716         servletAuthControl.verify();
 717
 718         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
 719     }
 720
 721 }