source.dussan.org Git - archiva.git/blob

   1 package org.apache.archiva.webdav;
   2
   3 /*
   4  * Licensed to the Apache Software Foundation (ASF) under one
   5  * or more contributor license agreements.  See the NOTICE file
   6  * distributed with this work for additional information
   7  * regarding copyright ownership.  The ASF licenses this file
   8  * to you under the Apache License, Version 2.0 (the
   9  * "License"); you may not use this file except in compliance
  10  * with the License.  You may obtain a copy of the License at
  11  *
  12  *  http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  17  * KIND, either express or implied.  See the License for the
  18  * specific language governing permissions and limitations
  19  * under the License.
  20  */
  21
  22
  23 import com.gargoylesoftware.htmlunit.WebRequest;
  24 import com.gargoylesoftware.htmlunit.WebResponse;
  25 import junit.framework.TestCase;
  26 import net.sf.ehcache.CacheManager;
  27 import org.apache.archiva.configuration.ArchivaConfiguration;
  28 import org.apache.archiva.configuration.Configuration;
  29 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
  30 import org.apache.archiva.redback.authentication.AuthenticationException;
  31 import org.apache.archiva.redback.authentication.AuthenticationResult;
  32 import org.apache.archiva.redback.authorization.UnauthorizedException;
  33 import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
  34 import org.apache.archiva.redback.system.DefaultSecuritySession;
  35 import org.apache.archiva.redback.system.SecuritySession;
  36 import org.apache.archiva.redback.users.User;
  37 import org.apache.archiva.redback.users.memory.SimpleUser;
  38 import org.apache.archiva.repository.audit.TestAuditListener;
  39 import org.apache.archiva.security.ServletAuthenticator;
  40 import org.apache.archiva.security.common.ArchivaRoleConstants;
  41 import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
  42 import org.apache.archiva.webdav.util.MavenIndexerCleaner;
  43 import org.apache.commons.io.FileUtils;
  44 import org.apache.commons.io.IOUtils;
  45 import org.apache.commons.lang.StringUtils;
  46 import org.apache.jackrabbit.webdav.DavSessionProvider;
  47 import org.easymock.EasyMock;
  48 import org.easymock.IMocksControl;
  49 import org.junit.After;
  50 import org.junit.Before;
  51 import org.junit.Ignore;
  52 import org.junit.Test;
  53 import org.junit.runner.RunWith;
  54 import org.springframework.context.ApplicationContext;
  55 import org.springframework.mock.web.MockHttpServletRequest;
  56 import org.springframework.mock.web.MockHttpServletResponse;
  57 import org.springframework.mock.web.MockServletConfig;
  58 import org.springframework.mock.web.MockServletContext;
  59 import org.springframework.test.context.ContextConfiguration;
  60 import org.springframework.web.context.ContextLoaderListener;
  61 import org.springframework.web.context.WebApplicationContext;
  62
  63 import javax.inject.Inject;
  64 import javax.servlet.Servlet;
  65 import javax.servlet.ServletContext;
  66 import javax.servlet.http.HttpServletRequest;
  67 import javax.servlet.http.HttpServletResponse;
  68 import javax.servlet.http.HttpSession;
  69 import java.io.File;
  70 import java.io.IOException;
  71 import java.io.InputStream;
  72 import java.nio.charset.Charset;
  73
  74 import static org.easymock.EasyMock.anyObject;
  75 import static org.easymock.EasyMock.eq;
  76
  77 /**
  78  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
  79  * perform redback security checking.
  80  */
  81 @RunWith( ArchivaSpringJUnit4ClassRunner.class )
  82 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context-servlet-security-test.xml" } )
  83 public class RepositoryServletSecurityTest
  84     extends TestCase
  85 {
  86     protected static final String REPOID_INTERNAL = "internal";
  87
  88
  89     protected File repoRootInternal;
  90
  91     @Inject
  92     protected ArchivaConfiguration archivaConfiguration;
  93
  94     private DavSessionProvider davSessionProvider;
  95
  96     private IMocksControl servletAuthControl;
  97
  98     private ServletAuthenticator servletAuth;
  99
 100     private IMocksControl httpAuthControl;
 101
 102     private HttpAuthenticator httpAuth;
 103
 104     private RepositoryServlet servlet;
 105
 106     @Inject
 107     ApplicationContext applicationContext;
 108
 109     @Before
 110     @Override
 111     public void setUp()
 112         throws Exception
 113     {
 114         super.setUp();
 115
 116         String appserverBase =
 117             System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
 118
 119         File testConf = new File( "src/test/resources/repository-archiva.xml" );
 120         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
 121         FileUtils.copyFile( testConf, testConfDest );
 122
 123         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
 124
 125         Configuration config = archivaConfiguration.getConfiguration();
 126
 127         if ( !config.getManagedRepositoriesAsMap().containsKey( REPOID_INTERNAL ) )
 128         {
 129             config.addManagedRepository(
 130                 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
 131         }
 132         saveConfiguration( archivaConfiguration );
 133
 134         CacheManager.getInstance().clearAll();
 135
 136
 137         servletAuthControl = EasyMock.createControl();
 138
 139         servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );
 140
 141         httpAuthControl = EasyMock.createControl();
 142
 143         httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );
 144
 145         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
 146
 147         final MockServletContext mockServletContext = new MockServletContext();
 148
 149         WebApplicationContext webApplicationContext =
 150             new AbstractRepositoryServletTestCase.TestWebapplicationContext( applicationContext, mockServletContext );
 151
 152         mockServletContext.setAttribute( WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
 153                                          webApplicationContext );
 154
 155         MockServletConfig mockServletConfig = new MockServletConfig()
 156         {
 157             @Override
 158             public ServletContext getServletContext()
 159             {
 160                 return mockServletContext;
 161             }
 162         };
 163
 164         servlet = new RepositoryServlet();
 165
 166         servlet.init( mockServletConfig );
 167     }
 168
 169     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
 170     {
 171         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
 172         repo.setId( id );
 173         repo.setName( name );
 174         repo.setLocation( location.getAbsolutePath() );
 175         return repo;
 176     }
 177
 178     protected void saveConfiguration()
 179         throws Exception
 180     {
 181         saveConfiguration( archivaConfiguration );
 182     }
 183
 184     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
 185         throws Exception
 186     {
 187         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
 188     }
 189
 190     protected void setupCleanRepo( File repoRootDir )
 191         throws IOException
 192     {
 193         FileUtils.deleteDirectory( repoRootDir );
 194         if ( !repoRootDir.exists() )
 195         {
 196             repoRootDir.mkdirs();
 197         }
 198     }
 199
 200     @Override
 201     @After
 202     public void tearDown()
 203         throws Exception
 204     {
 205
 206         if ( repoRootInternal.exists() )
 207         {
 208             FileUtils.deleteDirectory( repoRootInternal );
 209         }
 210
 211         applicationContext.getBean( MavenIndexerCleaner.class ).cleanupIndex();
 212
 213         super.tearDown();
 214     }
 215
 216
 217
 218     // test deploy with invalid user, and guest has no write access to repo
 219     // 401 must be returned
 220     @Test
 221     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
 222         throws Exception
 223     {
 224         setupCleanRepo( repoRootInternal );
 225
 226         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 227         assertNotNull( "artifact.jar inputstream", is );
 228
 229         servlet.setDavSessionProvider( davSessionProvider );
 230
 231         AuthenticationResult result = new AuthenticationResult();
 232
 233         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 234                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 235             result );
 236
 237         servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),
 238                                      EasyMock.anyObject( AuthenticationResult.class ) );
 239         EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );
 240
 241         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 242
 243         EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );
 244
 245         httpAuthControl.replay();
 246         servletAuthControl.replay();
 247         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 248         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 249         mockHttpServletRequest.setMethod( "PUT" );
 250         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
 251         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
 252         mockHttpServletRequest.setContentType( "application/octet-stream" );
 253
 254         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 255
 256         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 257
 258         httpAuthControl.verify();
 259         servletAuthControl.verify();
 260
 261         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
 262     }
 263
 264     // test deploy with invalid user, but guest has write access to repo
 265     @Test
 266     public void testPutWithInvalidUserAndGuestHasWriteAccess()
 267         throws Exception
 268     {
 269         setupCleanRepo( repoRootInternal );
 270
 271         servlet.setDavSessionProvider( davSessionProvider );
 272
 273         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 274         archivaDavResourceFactory.setHttpAuth( httpAuth );
 275         archivaDavResourceFactory.setServletAuth( servletAuth );
 276
 277         servlet.setResourceFactory( archivaDavResourceFactory );
 278
 279         AuthenticationResult result = new AuthenticationResult();
 280
 281         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 282                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 283             result );
 284
 285         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 286                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 287             new AuthenticationException( "Authentication error" ) );
 288
 289         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 290                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
 291             true );
 292
 293         // ArchivaDavResourceFactory#isAuthorized()
 294         SecuritySession session = new DefaultSecuritySession();
 295
 296         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 297                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 298             result );
 299
 300         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 301
 302         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andThrow(
 303             new AuthenticationException( "Authentication error" ) );
 304
 305         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 306
 307         // check if guest has write access
 308         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 309                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
 310             true );
 311
 312         httpAuthControl.replay();
 313         servletAuthControl.replay();
 314
 315         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 316         assertNotNull( "artifact.jar inputstream", is );
 317
 318         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 319         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 320         mockHttpServletRequest.setMethod( "PUT" );
 321         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
 322         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
 323         mockHttpServletRequest.setContentType( "application/octet-stream" );
 324
 325         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 326
 327         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 328
 329         httpAuthControl.verify();
 330         servletAuthControl.verify();
 331
 332         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
 333     }
 334
 335     // test deploy with a valid user with no write access
 336     @Test
 337     public void testPutWithValidUserWithNoWriteAccess()
 338         throws Exception
 339     {
 340         setupCleanRepo( repoRootInternal );
 341
 342         servlet.setDavSessionProvider( davSessionProvider );
 343
 344         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 345         archivaDavResourceFactory.setHttpAuth( httpAuth );
 346         archivaDavResourceFactory.setServletAuth( servletAuth );
 347         servlet.setResourceFactory( archivaDavResourceFactory );
 348
 349         AuthenticationResult result = new AuthenticationResult();
 350
 351         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 352                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 353             result );
 354
 355         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 356                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 357
 358         // ArchivaDavResourceFactory#isAuthorized()
 359         SecuritySession session = new DefaultSecuritySession();
 360
 361         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 362                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 363             result );
 364
 365         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 366
 367         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession( true ) ) ).andReturn(
 368             session );
 369
 370         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( new SimpleUser() );
 371
 372         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 373             true );
 374
 375         EasyMock.expect(
 376             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 377                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andThrow(
 378             new UnauthorizedException( "User not authorized" ) );
 379         httpAuthControl.replay();
 380         servletAuthControl.replay();
 381
 382         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 383         assertNotNull( "artifact.jar inputstream", is );
 384
 385         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 386         mockHttpServletRequest.setMethod( "PUT" );
 387         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
 388         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
 389         mockHttpServletRequest.setContentType( "application/octet-stream" );
 390
 391         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 392
 393         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 394
 395         httpAuthControl.verify();
 396         servletAuthControl.verify();
 397
 398         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
 399     }
 400
 401     // test deploy with a valid user with write access
 402     @Test
 403     public void testPutWithValidUserWithWriteAccess()
 404         throws Exception
 405     {
 406         setupCleanRepo( repoRootInternal );
 407         assertTrue( repoRootInternal.exists() );
 408
 409         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 410         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 411         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 412         assertNotNull( "artifact.jar inputstream", is );
 413
 414         servlet.setDavSessionProvider( davSessionProvider );
 415
 416         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 417         archivaDavResourceFactory.setHttpAuth( httpAuth );
 418         archivaDavResourceFactory.setServletAuth( servletAuth );
 419
 420         TestAuditListener listener = new TestAuditListener();
 421         archivaDavResourceFactory.addAuditListener( listener );
 422         servlet.setResourceFactory( archivaDavResourceFactory );
 423
 424         AuthenticationResult result = new AuthenticationResult();
 425
 426         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 427                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 428             result );
 429
 430         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 431                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 432
 433         User user = new SimpleUser();
 434         user.setUsername( "admin" );
 435
 436         // ArchivaDavResourceFactory#isAuthorized()
 437         SecuritySession session = new DefaultSecuritySession();
 438
 439         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 440                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 441             result );
 442
 443         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession() ) ).andReturn( session );
 444
 445         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( user );
 446
 447         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 448             true );
 449
 450         EasyMock.expect(
 451             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 452                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andReturn( true );
 453
 454         httpAuthControl.replay();
 455         servletAuthControl.replay();
 456
 457         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 458         mockHttpServletRequest.setMethod( "PUT" );
 459         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
 460         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
 461         mockHttpServletRequest.setContentType( "application/octet-stream" );
 462
 463         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 464
 465         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 466
 467         httpAuthControl.verify();
 468         servletAuthControl.verify();
 469
 470         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
 471
 472         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
 473     }
 474
 475     // test get with invalid user, and guest has read access to repo
 476     @Test
 477     public void testGetWithInvalidUserAndGuestHasReadAccess()
 478         throws Exception
 479     {
 480         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 481         String expectedArtifactContents = "dummy-commons-lang-artifact";
 482
 483         File artifactFile = new File( repoRootInternal, commonsLangJar );
 484         artifactFile.getParentFile().mkdirs();
 485
 486         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 487
 488         servlet.setDavSessionProvider( davSessionProvider );
 489
 490         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 491         archivaDavResourceFactory.setHttpAuth( httpAuth );
 492         archivaDavResourceFactory.setServletAuth( servletAuth );
 493
 494         servlet.setResourceFactory( archivaDavResourceFactory );
 495
 496         AuthenticationResult result = new AuthenticationResult();
 497
 498         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 499                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 500             result );
 501
 502         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 503                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 504             new AuthenticationException( "Authentication error" ) );
 505
 506         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 507                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 508             true );
 509
 510         // ArchivaDavResourceFactory#isAuthorized()
 511         SecuritySession session = new DefaultSecuritySession();
 512
 513         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 514                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 515             result );
 516
 517         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 518
 519         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 520
 521         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 522             true );
 523
 524         EasyMock.expect(
 525             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 526                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
 527         httpAuthControl.replay();
 528         servletAuthControl.replay();
 529
 530         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 531         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 532         mockHttpServletRequest.setMethod( "GET" );
 533         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
 534
 535
 536         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 537
 538         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 539
 540         httpAuthControl.verify();
 541         servletAuthControl.verify();
 542
 543         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
 544
 545         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
 546     }
 547
 548     // test get with invalid user, and guest has no read access to repo
 549     @Test
 550     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
 551         throws Exception
 552     {
 553         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 554         String expectedArtifactContents = "dummy-commons-lang-artifact";
 555
 556         File artifactFile = new File( repoRootInternal, commonsLangJar );
 557         artifactFile.getParentFile().mkdirs();
 558
 559         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 560
 561         servlet.setDavSessionProvider( davSessionProvider );
 562
 563         AuthenticationResult result = new AuthenticationResult();
 564
 565         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 566                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 567             result );
 568
 569         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 570                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 571             new AuthenticationException( "Authentication error" ) );
 572
 573         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 574                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 575             false );
 576         httpAuthControl.replay();
 577         servletAuthControl.replay();
 578
 579         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 580         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 581         mockHttpServletRequest.setMethod( "GET" );
 582         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
 583
 584
 585         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 586
 587         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 588
 589         httpAuthControl.verify();
 590         servletAuthControl.verify();
 591
 592         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
 593     }
 594
 595     // test get with valid user with read access to repo
 596     @Test
 597     public void testGetWithAValidUserWithReadAccess()
 598         throws Exception
 599     {
 600         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 601         String expectedArtifactContents = "dummy-commons-lang-artifact";
 602
 603         File artifactFile = new File( repoRootInternal, commonsLangJar );
 604         artifactFile.getParentFile().mkdirs();
 605
 606         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 607
 608         servlet.setDavSessionProvider( davSessionProvider );
 609
 610         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 611         archivaDavResourceFactory.setHttpAuth( httpAuth );
 612         archivaDavResourceFactory.setServletAuth( servletAuth );
 613
 614         servlet.setResourceFactory( archivaDavResourceFactory );
 615
 616         AuthenticationResult result = new AuthenticationResult();
 617
 618         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 619                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 620             result );
 621
 622         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 623                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 624         // ArchivaDavResourceFactory#isAuthorized()
 625         SecuritySession session = new DefaultSecuritySession();
 626
 627         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 628                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 629             result );
 630
 631         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 632
 633         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
 634
 635         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 636             true );
 637
 638         EasyMock.expect(
 639             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 640                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
 641
 642         httpAuthControl.replay();
 643         servletAuthControl.replay();
 644
 645         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 646         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 647         mockHttpServletRequest.setMethod( "GET" );
 648         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
 649
 650
 651         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 652
 653         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 654
 655         httpAuthControl.verify();
 656         servletAuthControl.verify();
 657
 658         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
 659         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
 660     }
 661
 662     // test get with valid user with no read access to repo
 663     @Test
 664     public void testGetWithAValidUserWithNoReadAccess()
 665         throws Exception
 666     {
 667         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 668         String expectedArtifactContents = "dummy-commons-lang-artifact";
 669
 670         File artifactFile = new File( repoRootInternal, commonsLangJar );
 671         artifactFile.getParentFile().mkdirs();
 672
 673         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 674
 675         servlet.setDavSessionProvider( davSessionProvider );
 676
 677         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 678         archivaDavResourceFactory.setHttpAuth( httpAuth );
 679         archivaDavResourceFactory.setServletAuth( servletAuth );
 680
 681         servlet.setResourceFactory( archivaDavResourceFactory );
 682
 683         AuthenticationResult result = new AuthenticationResult();
 684
 685         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 686                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 687             result );
 688
 689         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 690                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 691
 692         // ArchivaDavResourceFactory#isAuthorized()
 693         SecuritySession session = new DefaultSecuritySession();
 694
 695         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 696                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
 697             result );
 698
 699         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 700
 701         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
 702
 703         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
 704             true );
 705
 706         EasyMock.expect(
 707             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
 708                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andThrow(
 709             new UnauthorizedException( "User not authorized to read repository." ) );
 710         httpAuthControl.replay();
 711         servletAuthControl.replay();
 712
 713         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
 714         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
 715         mockHttpServletRequest.setMethod( "GET" );
 716         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
 717
 718
 719         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
 720
 721         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
 722
 723         httpAuthControl.verify();
 724         servletAuthControl.verify();
 725
 726         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
 727     }
 728 }