]> source.dussan.org Git - archiva.git/blob
c18f040ba86c3382175f44d0b17439501697f569
[archiva.git] /
1 package org.apache.archiva.security;
2
3 /*
4  * Licensed to the Apache Software Foundation (ASF) under one
5  * or more contributor license agreements.  See the NOTICE file
6  * distributed with this work for additional information
7  * regarding copyright ownership.  The ASF licenses this file
8  * to you under the Apache License, Version 2.0 (the
9  * "License"); you may not use this file except in compliance
10  * with the License.  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  * Unless required by applicable law or agreed to in writing,
15  * software distributed under the License is distributed on an
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17  * KIND, either express or implied.  See the License for the
18  * specific language governing permissions and limitations
19  * under the License.
20  */
21
22 import org.apache.archiva.redback.users.User;
23 import org.apache.archiva.redback.users.UserManager;
24 import org.apache.archiva.security.common.ArchivaRoleConstants;
25 import org.apache.archiva.redback.authentication.AuthenticationException;
26 import org.apache.archiva.redback.authentication.AuthenticationResult;
27 import org.apache.archiva.redback.authorization.UnauthorizedException;
28 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
29 import org.codehaus.plexus.redback.system.SecuritySession;
30 import org.easymock.MockControl;
31 import org.junit.Before;
32 import org.junit.Test;
33
34 import javax.inject.Inject;
35 import javax.inject.Named;
36 import javax.servlet.http.HttpServletRequest;
37
38 /**
39  * ArchivaServletAuthenticatorTest
40  */
41 public class ArchivaServletAuthenticatorTest
42     extends AbstractSecurityTest
43 {
44     @Inject
45     @Named( value = "servletAuthenticator#test" )
46     private ServletAuthenticator servletAuth;
47
48     private MockControl httpServletRequestControl;
49
50     private HttpServletRequest request;
51
52     @Before
53     public void setUp()
54         throws Exception
55     {
56         super.setUp();
57
58         httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
59         request = (HttpServletRequest) httpServletRequestControl.getMock();
60
61         setupRepository( "corporate" );
62     }
63
64     protected void assignRepositoryManagerRole( String principal, String repoId )
65         throws Exception
66     {
67         roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
68     }
69
70     @Test
71     public void testIsAuthenticatedUserExists()
72         throws Exception
73     {
74         AuthenticationResult result = new AuthenticationResult( true, "user", null );
75         boolean isAuthenticated = servletAuth.isAuthenticated( request, result );
76
77         assertTrue( isAuthenticated );
78     }
79
80     @Test
81     public void testIsAuthenticatedUserDoesNotExist()
82         throws Exception
83     {
84         AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
85         try
86         {
87             servletAuth.isAuthenticated( request, result );
88             fail( "Authentication exception should have been thrown." );
89         }
90         catch ( AuthenticationException e )
91         {
92             assertEquals( "User Credentials Invalid", e.getMessage() );
93         }
94     }
95
96     @Test
97     public void testIsAuthorizedUserHasWriteAccess()
98         throws Exception
99     {
100         createUser( USER_ALPACA, "Al 'Archiva' Paca" );
101
102         assignRepositoryManagerRole( USER_ALPACA, "corporate" );
103
104         UserManager userManager = securitySystem.getUserManager();
105         User user = userManager.findUser( USER_ALPACA );
106
107         AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
108
109         SecuritySession session = new DefaultSecuritySession( result, user );
110         boolean isAuthorized =
111             servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
112
113         assertTrue( isAuthorized );
114
115         restoreGuestInitialValues( USER_ALPACA );
116     }
117
118     @Test
119     public void testIsAuthorizedUserHasNoWriteAccess()
120         throws Exception
121     {
122         createUser( USER_ALPACA, "Al 'Archiva' Paca" );
123
124         assignRepositoryObserverRole( USER_ALPACA, "corporate" );
125
126         httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );
127
128         UserManager userManager = securitySystem.getUserManager();
129         User user = userManager.findUser( USER_ALPACA );
130
131         AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
132
133         SecuritySession session = new DefaultSecuritySession( result, user );
134
135         httpServletRequestControl.replay();
136
137         try
138         {
139             servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
140             fail( "UnauthorizedException should have been thrown." );
141         }
142         catch ( UnauthorizedException e )
143         {
144             assertEquals( "Access denied for repository corporate", e.getMessage() );
145         }
146
147         httpServletRequestControl.verify();
148
149         restoreGuestInitialValues( USER_ALPACA );
150     }
151
152     @Test
153     public void testIsAuthorizedUserHasReadAccess()
154         throws Exception
155     {
156         createUser( USER_ALPACA, "Al 'Archiva' Paca" );
157
158         assignRepositoryObserverRole( USER_ALPACA, "corporate" );
159
160         UserManager userManager = securitySystem.getUserManager();
161         User user = userManager.findUser( USER_ALPACA );
162
163         AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
164
165         SecuritySession session = new DefaultSecuritySession( result, user );
166         boolean isAuthorized =
167             servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
168
169         assertTrue( isAuthorized );
170
171         restoreGuestInitialValues( USER_ALPACA );
172     }
173
174     @Test
175     public void testIsAuthorizedUserHasNoReadAccess()
176         throws Exception
177     {
178         createUser( USER_ALPACA, "Al 'Archiva' Paca" );
179
180         UserManager userManager = securitySystem.getUserManager();
181         User user = userManager.findUser( USER_ALPACA );
182
183         AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
184
185         SecuritySession session = new DefaultSecuritySession( result, user );
186         try
187         {
188             servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
189             fail( "UnauthorizedException should have been thrown." );
190         }
191         catch ( UnauthorizedException e )
192         {
193             assertEquals( "Access denied for repository corporate", e.getMessage() );
194         }
195
196         restoreGuestInitialValues( USER_ALPACA );
197     }
198
199     @Test
200     public void testIsAuthorizedGuestUserHasWriteAccess()
201         throws Exception
202     {
203         assignRepositoryManagerRole( USER_GUEST, "corporate" );
204         boolean isAuthorized =
205             servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
206
207         assertTrue( isAuthorized );
208
209         // cleanup previously add karma
210         restoreGuestInitialValues(USER_GUEST);
211
212     }
213
214     @Test
215     public void testIsAuthorizedGuestUserHasNoWriteAccess()
216         throws Exception
217     {
218         assignRepositoryObserverRole( USER_GUEST, "corporate" );
219
220         boolean isAuthorized =
221             servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
222         assertFalse( isAuthorized );
223
224         // cleanup previously add karma
225         restoreGuestInitialValues(USER_GUEST);
226
227     }
228
229     @Test
230     public void testIsAuthorizedGuestUserHasReadAccess()
231         throws Exception
232     {
233         assignRepositoryObserverRole( USER_GUEST, "corporate" );
234
235         boolean isAuthorized =
236             servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
237
238         assertTrue( isAuthorized );
239
240         // cleanup previously add karma
241         restoreGuestInitialValues(USER_GUEST);
242     }
243
244     @Test
245     public void testIsAuthorizedGuestUserHasNoReadAccess()
246         throws Exception
247     {
248         boolean isAuthorized =
249             servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
250
251         assertFalse( isAuthorized );
252     }
253
254 }