source.dussan.org Git - archiva.git/blob

   1 package org.apache.archiva.security;
   2
   3 /*
   4  * Licensed to the Apache Software Foundation (ASF) under one
   5  * or more contributor license agreements.  See the NOTICE file
   6  * distributed with this work for additional information
   7  * regarding copyright ownership.  The ASF licenses this file
   8  * to you under the Apache License, Version 2.0 (the
   9  * "License"); you may not use this file except in compliance
  10  * with the License.  You may obtain a copy of the License at
  11  *
  12  *  http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  17  * KIND, either express or implied.  See the License for the
  18  * specific language governing permissions and limitations
  19  * under the License.
  20  */
  21
  22 import org.apache.archiva.redback.users.User;
  23 import org.apache.archiva.redback.users.UserManager;
  24 import org.apache.archiva.security.common.ArchivaRoleConstants;
  25 import org.apache.archiva.redback.authentication.AuthenticationException;
  26 import org.apache.archiva.redback.authentication.AuthenticationResult;
  27 import org.apache.archiva.redback.authorization.UnauthorizedException;
  28 import org.apache.archiva.redback.system.DefaultSecuritySession;
  29 import org.apache.archiva.redback.system.SecuritySession;
  30 import org.easymock.MockControl;
  31 import org.junit.Before;
  32 import org.junit.Test;
  33
  34 import javax.inject.Inject;
  35 import javax.inject.Named;
  36 import javax.servlet.http.HttpServletRequest;
  37
  38 /**
  39  * ArchivaServletAuthenticatorTest
  40  */
  41 public class ArchivaServletAuthenticatorTest
  42     extends AbstractSecurityTest
  43 {
  44     @Inject
  45     @Named( value = "servletAuthenticator#test" )
  46     private ServletAuthenticator servletAuth;
  47
  48     private MockControl httpServletRequestControl;
  49
  50     private HttpServletRequest request;
  51
  52     @Before
  53     public void setUp()
  54         throws Exception
  55     {
  56         super.setUp();
  57
  58         httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
  59         request = (HttpServletRequest) httpServletRequestControl.getMock();
  60
  61         setupRepository( "corporate" );
  62     }
  63
  64     protected void assignRepositoryManagerRole( String principal, String repoId )
  65         throws Exception
  66     {
  67         roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
  68     }
  69
  70     @Test
  71     public void testIsAuthenticatedUserExists()
  72         throws Exception
  73     {
  74         AuthenticationResult result = new AuthenticationResult( true, "user", null );
  75         boolean isAuthenticated = servletAuth.isAuthenticated( request, result );
  76
  77         assertTrue( isAuthenticated );
  78     }
  79
  80     @Test
  81     public void testIsAuthenticatedUserDoesNotExist()
  82         throws Exception
  83     {
  84         AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
  85         try
  86         {
  87             servletAuth.isAuthenticated( request, result );
  88             fail( "Authentication exception should have been thrown." );
  89         }
  90         catch ( AuthenticationException e )
  91         {
  92             assertEquals( "User Credentials Invalid", e.getMessage() );
  93         }
  94     }
  95
  96     @Test
  97     public void testIsAuthorizedUserHasWriteAccess()
  98         throws Exception
  99     {
 100         createUser( USER_ALPACA, "Al 'Archiva' Paca" );
 101
 102         assignRepositoryManagerRole( USER_ALPACA, "corporate" );
 103
 104         UserManager userManager = securitySystem.getUserManager();
 105         User user = userManager.findUser( USER_ALPACA );
 106
 107         AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
 108
 109         SecuritySession session = new DefaultSecuritySession( result, user );
 110         boolean isAuthorized =
 111             servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 112
 113         assertTrue( isAuthorized );
 114
 115         restoreGuestInitialValues( USER_ALPACA );
 116     }
 117
 118     @Test
 119     public void testIsAuthorizedUserHasNoWriteAccess()
 120         throws Exception
 121     {
 122         createUser( USER_ALPACA, "Al 'Archiva' Paca" );
 123
 124         assignRepositoryObserverRole( USER_ALPACA, "corporate" );
 125
 126         httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );
 127
 128         UserManager userManager = securitySystem.getUserManager();
 129         User user = userManager.findUser( USER_ALPACA );
 130
 131         AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
 132
 133         SecuritySession session = new DefaultSecuritySession( result, user );
 134
 135         httpServletRequestControl.replay();
 136
 137         try
 138         {
 139             servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 140             fail( "UnauthorizedException should have been thrown." );
 141         }
 142         catch ( UnauthorizedException e )
 143         {
 144             assertEquals( "Access denied for repository corporate", e.getMessage() );
 145         }
 146
 147         httpServletRequestControl.verify();
 148
 149         restoreGuestInitialValues( USER_ALPACA );
 150     }
 151
 152     @Test
 153     public void testIsAuthorizedUserHasReadAccess()
 154         throws Exception
 155     {
 156         createUser( USER_ALPACA, "Al 'Archiva' Paca" );
 157
 158         assignRepositoryObserverRole( USER_ALPACA, "corporate" );
 159
 160         UserManager userManager = securitySystem.getUserManager();
 161         User user = userManager.findUser( USER_ALPACA );
 162
 163         AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
 164
 165         SecuritySession session = new DefaultSecuritySession( result, user );
 166         boolean isAuthorized =
 167             servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
 168
 169         assertTrue( isAuthorized );
 170
 171         restoreGuestInitialValues( USER_ALPACA );
 172     }
 173
 174     @Test
 175     public void testIsAuthorizedUserHasNoReadAccess()
 176         throws Exception
 177     {
 178         createUser( USER_ALPACA, "Al 'Archiva' Paca" );
 179
 180         UserManager userManager = securitySystem.getUserManager();
 181         User user = userManager.findUser( USER_ALPACA );
 182
 183         AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
 184
 185         SecuritySession session = new DefaultSecuritySession( result, user );
 186         try
 187         {
 188             servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
 189             fail( "UnauthorizedException should have been thrown." );
 190         }
 191         catch ( UnauthorizedException e )
 192         {
 193             assertEquals( "Access denied for repository corporate", e.getMessage() );
 194         }
 195
 196         restoreGuestInitialValues( USER_ALPACA );
 197     }
 198
 199     @Test
 200     public void testIsAuthorizedGuestUserHasWriteAccess()
 201         throws Exception
 202     {
 203         assignRepositoryManagerRole( USER_GUEST, "corporate" );
 204         boolean isAuthorized =
 205             servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 206
 207         assertTrue( isAuthorized );
 208
 209         // cleanup previously add karma
 210         restoreGuestInitialValues(USER_GUEST);
 211
 212     }
 213
 214     @Test
 215     public void testIsAuthorizedGuestUserHasNoWriteAccess()
 216         throws Exception
 217     {
 218         assignRepositoryObserverRole( USER_GUEST, "corporate" );
 219
 220         boolean isAuthorized =
 221             servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 222         assertFalse( isAuthorized );
 223
 224         // cleanup previously add karma
 225         restoreGuestInitialValues(USER_GUEST);
 226
 227     }
 228
 229     @Test
 230     public void testIsAuthorizedGuestUserHasReadAccess()
 231         throws Exception
 232     {
 233         assignRepositoryObserverRole( USER_GUEST, "corporate" );
 234
 235         boolean isAuthorized =
 236             servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
 237
 238         assertTrue( isAuthorized );
 239
 240         // cleanup previously add karma
 241         restoreGuestInitialValues(USER_GUEST);
 242     }
 243
 244     @Test
 245     public void testIsAuthorizedGuestUserHasNoReadAccess()
 246         throws Exception
 247     {
 248         boolean isAuthorized =
 249             servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
 250
 251         assertFalse( isAuthorized );
 252     }
 253
 254 }