[archiva.git] /

package org.apache.archiva.upload;
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import org.apache.archiva.admin.model.beans.RemoteRepository;
import org.apache.archiva.redback.rest.api.services.RoleManagementService;
import org.apache.archiva.redback.rest.services.AbstractRestServicesTest;
import org.apache.archiva.remotedownload.AbstractDownloadTest;
import org.apache.archiva.rest.api.services.ArchivaRestServiceException;
import org.apache.archiva.security.common.ArchivaRoleConstants;
import org.apache.archiva.test.utils.ArchivaBlockJUnit4ClassRunner;
import org.apache.archiva.web.api.FileUploadService;
import org.apache.archiva.web.api.RuntimeInfoService;
import org.apache.archiva.web.model.ApplicationRuntimeInfo;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.SystemUtils;
import org.apache.cxf.jaxrs.client.JAXRSClientFactory;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.ext.multipart.Attachment;
import org.apache.cxf.jaxrs.ext.multipart.AttachmentBuilder;
import org.apache.cxf.jaxrs.ext.multipart.ContentDisposition;
import org.apache.cxf.jaxrs.ext.multipart.MultipartBody;
import org.apache.maven.wagon.providers.http.HttpWagon;
import org.apache.maven.wagon.repository.Repository;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.File;
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Collections;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/**
 * @author Olivier Lamy
 */
@RunWith( ArchivaBlockJUnit4ClassRunner.class )
public class UploadArtifactsTest
    extends AbstractRestServicesTest
{
    @Override
    @Before
    public void startServer()
        throws Exception
    {
        File appServerBase = new File( System.getProperty( "appserver.base" ) );
        File confDir = new File(appServerBase, "conf");
        if (!confDir.exists()) {
            confDir.mkdir();
        }
        Path log4jCfg = Paths.get("src/test/resources/log4j2-test.xml");
        Path log4jCfgDst = confDir.toPath().resolve(log4jCfg.getFileName());
        Files.copy( log4jCfg, log4jCfgDst, StandardCopyOption.REPLACE_EXISTING );

        File jcrDirectory = new File( appServerBase, "jcr" );

        if ( jcrDirectory.exists() )
        {
            FileUtils.deleteDirectory( jcrDirectory );
        }
        // We have to activate this to verify the bad path traversal protection. We cannot rely on
        // the application server only.
        System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH","true");

        super.startServer();
    }

    @After
    public void stop() {
        System.clearProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH" );
    }

    @Override
    protected String getSpringConfigLocation()
    {
        return "classpath*:META-INF/spring-context.xml,classpath:/spring-context-with-jcr.xml";
    }

    @Override
    protected String getRestServicesPath()
    {
        return "restServices";
    }

    protected String getBaseUrl()
    {
        String baseUrlSysProps = System.getProperty( "archiva.baseRestUrl" );
        return StringUtils.isBlank( baseUrlSysProps ) ? "http://localhost:" + port : baseUrlSysProps;
    }

    private FileUploadService getUploadService()
    {
        FileUploadService service =
            JAXRSClientFactory.create( getBaseUrl( ) + "/" + getRestServicesPath( ) + "/archivaUiServices/",
                FileUploadService.class,
                Collections.singletonList( new JacksonJaxbJsonProvider( ) ) );

        WebClient.client( service ).header( "Authorization", authorizationHeader );
        WebClient.client( service ).header( "Referer", "http://localhost:" + port );

        WebClient.client( service ).header( "Referer", "http://localhost" );
        return service;
    }

    @Test
    public void clearUploadedFiles()
        throws Exception
    {
        FileUploadService service = getUploadService( );
        service.clearUploadedFiles();
    }

    @Test
    public void uploadFile() throws IOException, ArchivaRestServiceException
    {
        FileUploadService service = getUploadService( );
        try
        {
            Path file = Paths.get( "src/test/repositories/snapshot-repo/org/apache/archiva/archiva-model/1.4-M4-SNAPSHOT/archiva-model-1.4-M4-20130425.081822-1.jar" );
            final Attachment fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"" + file.getFileName( ).toString( ) + "\"; name=\"files[]\"" ) ).build( );
            MultipartBody body = new MultipartBody( fileAttachment );
            service.post( body );
        } finally
        {
            service.clearUploadedFiles( );
        }
    }

    @Test
    public void uploadAndDeleteFile() throws IOException, ArchivaRestServiceException
    {
        FileUploadService service = getUploadService( );
        try
        {
            Path file = Paths.get( "src/test/repositories/snapshot-repo/org/apache/archiva/archiva-model/1.4-M4-SNAPSHOT/archiva-model-1.4-M4-20130425.081822-1.jar" );
            final Attachment fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"" + file.getFileName( ).toString( ) + "\"; name=\"files[]\"" ) ).build( );
            MultipartBody body = new MultipartBody( fileAttachment );
            service.post( body );
            service.deleteFile( file.getFileName( ).toString( ) );
        } finally
        {
            service.clearUploadedFiles();
        }
    }

    @Test
    public void uploadAndDeleteWrongFile() throws IOException, ArchivaRestServiceException
    {
        FileUploadService service = getUploadService( );
        try
        {
            Path file = Paths.get( "src/test/repositories/snapshot-repo/org/apache/archiva/archiva-model/1.4-M4-SNAPSHOT/archiva-model-1.4-M4-20130425.081822-1.jar" );
            final Attachment fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"" + file.getFileName( ).toString( ) + "\"; name=\"files[]\"" ) ).build( );
            MultipartBody body = new MultipartBody( fileAttachment );
            service.post( body );
            assertFalse( service.deleteFile( "file123" + file.getFileName( ).toString( ) ) );
        } finally {
            service.clearUploadedFiles();
        }
    }

    @Test
    public void uploadAndDeleteFileInOtherDir() throws IOException, ArchivaRestServiceException
    {
        Path testFile = null;
        try
        {
            FileUploadService service = getUploadService( );
            Path file = Paths.get( "src/test/repositories/snapshot-repo/org/apache/archiva/archiva-model/1.4-M4-SNAPSHOT/archiva-model-1.4-M4-20130425.081822-1.jar" );
            Path targetDir = Paths.get( "target/testDelete" ).toAbsolutePath( );
            if ( !Files.exists( targetDir ) ) Files.createDirectory( targetDir );
            Path tempDir = SystemUtils.getJavaIoTmpDir( ).toPath( );
            testFile = Files.createTempFile( targetDir, "TestFile", ".txt" );
            log.debug( "Test file {}", testFile.toAbsolutePath( ) );
            log.debug( "Tmp dir {}", tempDir.toAbsolutePath( ) );
            assertTrue( Files.exists( testFile ) );
            Path relativePath = tempDir.relativize( testFile.toAbsolutePath( ) );
            final Attachment fileAttachment = new AttachmentBuilder( ).object( Files.newInputStream( file ) ).contentDisposition( new ContentDisposition( "form-data; filename=\"" + file.getFileName( ).toString( ) + "\"; name=\"files[]\"" ) ).build( );
            MultipartBody body = new MultipartBody( fileAttachment );
            service.post( body );
            String relativePathEncoded = URLEncoder.encode( "../target/" + relativePath.toString( ), "UTF-8" );
            log.debug( "Trying to delete with path traversal: {}, {}", relativePath, relativePathEncoded );
            try
            {
                service.deleteFile( relativePathEncoded );
            }
            catch ( ArchivaRestServiceException ex )
            {
                // Expected exception
            }
            assertTrue( "File in another directory may not be deleted", Files.exists( testFile ) );
        } finally
        {
            if (testFile!=null) {
                Files.deleteIfExists( testFile );
            }
        }
    }
}