source.dussan.org Git - archiva.git/blob

   1 package org.apache.archiva.webdav;
   2
   3 /*
   4  * Licensed to the Apache Software Foundation (ASF) under one
   5  * or more contributor license agreements.  See the NOTICE file
   6  * distributed with this work for additional information
   7  * regarding copyright ownership.  The ASF licenses this file
   8  * to you under the Apache License, Version 2.0 (the
   9  * "License"); you may not use this file except in compliance
  10  * with the License.  You may obtain a copy of the License at
  11  *
  12  *  http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  17  * KIND, either express or implied.  See the License for the
  18  * specific language governing permissions and limitations
  19  * under the License.
  20  */
  21
  22
  23 import com.gargoylesoftware.htmlunit.WebRequest;
  24 import com.gargoylesoftware.htmlunit.WebResponse;
  25 import junit.framework.TestCase;
  26 import net.sf.ehcache.CacheManager;
  27 import org.apache.archiva.configuration.ArchivaConfiguration;
  28 import org.apache.archiva.configuration.Configuration;
  29 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
  30 import org.apache.archiva.redback.authentication.AuthenticationException;
  31 import org.apache.archiva.redback.authentication.AuthenticationResult;
  32 import org.apache.archiva.redback.authorization.UnauthorizedException;
  33 import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
  34 import org.apache.archiva.redback.system.DefaultSecuritySession;
  35 import org.apache.archiva.redback.system.SecuritySession;
  36 import org.apache.archiva.redback.users.User;
  37 import org.apache.archiva.redback.users.memory.SimpleUser;
  38 import org.apache.archiva.repository.audit.TestAuditListener;
  39 import org.apache.archiva.security.ServletAuthenticator;
  40 import org.apache.archiva.security.common.ArchivaRoleConstants;
  41 import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
  42 import org.apache.archiva.webdav.util.MavenIndexerCleaner;
  43 import org.apache.catalina.Context;
  44 import org.apache.catalina.deploy.ApplicationParameter;
  45 import org.apache.catalina.startup.Tomcat;
  46 import org.apache.commons.io.FileUtils;
  47 import org.apache.jackrabbit.webdav.DavSessionProvider;
  48 import org.easymock.EasyMock;
  49 import static org.easymock.EasyMock.*;
  50 import org.easymock.IMocksControl;
  51 import org.junit.After;
  52 import org.junit.Before;
  53 import org.junit.Ignore;
  54 import org.junit.Test;
  55 import org.junit.runner.RunWith;
  56 import org.springframework.context.ApplicationContext;
  57 import org.springframework.test.context.ContextConfiguration;
  58 import org.springframework.web.context.ContextLoaderListener;
  59
  60 import javax.inject.Inject;
  61 import javax.servlet.http.HttpServletRequest;
  62 import javax.servlet.http.HttpServletResponse;
  63 import javax.servlet.http.HttpSession;
  64 import java.io.File;
  65 import java.io.IOException;
  66 import java.io.InputStream;
  67 import java.nio.charset.Charset;
  68
  69 /**
  70  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
  71  * perform redback security checking.
  72  */
  73 @RunWith( ArchivaSpringJUnit4ClassRunner.class )
  74 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context.xml" } )
  75 public class RepositoryServletSecurityTest
  76     extends TestCase
  77 {
  78     protected static final String REPOID_INTERNAL = "internal";
  79
  80
  81     protected File repoRootInternal;
  82
  83     protected ArchivaConfiguration archivaConfiguration;
  84
  85     private DavSessionProvider davSessionProvider;
  86
  87     private IMocksControl servletAuthControl;
  88
  89     private ServletAuthenticator servletAuth;
  90
  91     private IMocksControl httpAuthControl;
  92
  93     private HttpAuthenticator httpAuth;
  94
  95     private RepositoryServlet servlet;
  96
  97     protected Tomcat tomcat;
  98
  99     protected static int port;
 100
 101     @Inject
 102     ApplicationContext applicationContext;
 103
 104     @Before
 105     public void setUp()
 106         throws Exception
 107     {
 108         super.setUp();
 109
 110         String appserverBase =
 111             System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
 112
 113         File testConf = new File( "src/test/resources/repository-archiva.xml" );
 114         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
 115         FileUtils.copyFile( testConf, testConfDest );
 116
 117         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
 118
 119         archivaConfiguration = applicationContext.getBean( ArchivaConfiguration.class );
 120         Configuration config = archivaConfiguration.getConfiguration();
 121
 122         if ( !config.getManagedRepositoriesAsMap().containsKey( REPOID_INTERNAL ) )
 123         {
 124             config.addManagedRepository(
 125                 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
 126         }
 127         saveConfiguration( archivaConfiguration );
 128
 129         CacheManager.getInstance().clearAll();
 130
 131         /*
 132         sr = new ServletRunner( new File( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
 133         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
 134         sc = sr.newClient();
 135         */
 136
 137
 138         tomcat = new Tomcat();
 139         tomcat.setBaseDir( System.getProperty( "java.io.tmpdir" ) );
 140         tomcat.setPort( 0 );
 141
 142         Context context = tomcat.addContext( "", System.getProperty( "java.io.tmpdir" ) );
 143
 144         ApplicationParameter applicationParameter = new ApplicationParameter();
 145         applicationParameter.setName( "contextConfigLocation" );
 146         applicationParameter.setValue( getSpringConfigLocation() );
 147         context.addApplicationParameter( applicationParameter );
 148
 149         context.addApplicationListener( ContextLoaderListener.class.getName() );
 150
 151         context.addApplicationListener( MavenIndexerCleaner.class.getName() );
 152
 153         Tomcat.addServlet( context, "repository", new UnauthenticatedRepositoryServlet() );
 154         context.addServletMapping( "/repository/*", "repository" );
 155
 156         tomcat.start();
 157
 158         this.port = tomcat.getConnector().getLocalPort();
 159
 160
 161         servletAuthControl = EasyMock.createControl();
 162
 163         servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );
 164
 165         httpAuthControl = EasyMock.createControl();
 166
 167         httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );
 168
 169         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
 170     }
 171
 172     protected String getSpringConfigLocation()
 173     {
 174         return "classpath*:/META-INF/spring-context.xml,classpath*:/spring-context-servlet-security-test.xml";
 175     }
 176
 177     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
 178     {
 179         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
 180         repo.setId( id );
 181         repo.setName( name );
 182         repo.setLocation( location.getAbsolutePath() );
 183         return repo;
 184     }
 185
 186     protected void saveConfiguration()
 187         throws Exception
 188     {
 189         saveConfiguration( archivaConfiguration );
 190     }
 191
 192     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
 193         throws Exception
 194     {
 195         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
 196     }
 197
 198     protected void setupCleanRepo( File repoRootDir )
 199         throws IOException
 200     {
 201         FileUtils.deleteDirectory( repoRootDir );
 202         if ( !repoRootDir.exists() )
 203         {
 204             repoRootDir.mkdirs();
 205         }
 206     }
 207
 208     @Override
 209     @After
 210     public void tearDown()
 211         throws Exception
 212     {
 213
 214
 215         if ( repoRootInternal.exists() )
 216         {
 217             FileUtils.deleteDirectory( repoRootInternal );
 218         }
 219
 220         servlet = null;
 221
 222         if (this.tomcat != null)
 223         {
 224             this.tomcat.stop();
 225         }
 226
 227         super.tearDown();
 228     }
 229
 230     // test deploy with invalid user, and guest has no write access to repo
 231     // 401 must be returned
 232     @Ignore("rewrite")
 233     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
 234         throws Exception
 235     {
 236         setupCleanRepo( repoRootInternal );
 237
 238         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 239         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 240         assertNotNull( "artifact.jar inputstream", is );
 241
 242         WebRequest request = new AbstractRepositoryServletTestCase.PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 243         //InvocationContext ic = sc.newInvocation( request );
 244         //servlet = (RepositoryServlet) ic.getServlet();
 245         servlet.setDavSessionProvider( davSessionProvider );
 246
 247         AuthenticationResult result = new AuthenticationResult();
 248
 249         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 250                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 251
 252         servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),
 253                                      EasyMock.anyObject( AuthenticationResult.class ) );
 254         EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );
 255
 256         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 257
 258         EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );
 259
 260         httpAuthControl.replay();
 261         servletAuthControl.replay();
 262
 263         //servlet.service( ic.getRequest(), ic.getResponse() );
 264
 265         httpAuthControl.verify();
 266         servletAuthControl.verify();
 267
 268         //assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
 269     }
 270
 271     // test deploy with invalid user, but guest has write access to repo
 272     @Ignore("rewrite")
 273     public void testPutWithInvalidUserAndGuestHasWriteAccess()
 274         throws Exception
 275     {
 276         setupCleanRepo( repoRootInternal );
 277
 278         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 279         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 280         assertNotNull( "artifact.jar inputstream", is );
 281
 282         WebRequest request = new AbstractRepositoryServletTestCase.PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 283
 284         //InvocationContext ic = sc.newInvocation( request );
 285         //servlet = (RepositoryServlet) ic.getServlet();
 286         servlet.setDavSessionProvider( davSessionProvider );
 287
 288         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 289         archivaDavResourceFactory.setHttpAuth( httpAuth );
 290         archivaDavResourceFactory.setServletAuth( servletAuth );
 291
 292         servlet.setResourceFactory( archivaDavResourceFactory );
 293
 294         AuthenticationResult result = new AuthenticationResult();
 295
 296         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 297                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 298
 299         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 300                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 301             new AuthenticationException( "Authentication error" ) );
 302
 303         EasyMock.expect(servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD )).andReturn( true );
 304
 305         // ArchivaDavResourceFactory#isAuthorized()
 306         SecuritySession session = new DefaultSecuritySession();
 307
 308         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 309                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 310
 311         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 312
 313         EasyMock.expect(servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) )).andThrow( new AuthenticationException( "Authentication error" ) );
 314
 315         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 316
 317         // check if guest has write access
 318         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 319                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
 320             true );
 321
 322         httpAuthControl.replay();
 323         servletAuthControl.replay();
 324
 325         //servlet.service( ic.getRequest(), ic.getResponse() );
 326
 327         httpAuthControl.verify();
 328         servletAuthControl.verify();
 329
 330         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
 331     }
 332
 333     // test deploy with a valid user with no write access
 334     @Ignore("rewrite")
 335     public void testPutWithValidUserWithNoWriteAccess()
 336         throws Exception
 337     {
 338         setupCleanRepo( repoRootInternal );
 339
 340         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 341         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 342         assertNotNull( "artifact.jar inputstream", is );
 343
 344         WebRequest request = new AbstractRepositoryServletTestCase.PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 345
 346         //InvocationContext ic = sc.newInvocation( request );
 347         //servlet = (RepositoryServlet) ic.getServlet();
 348         servlet.setDavSessionProvider( davSessionProvider );
 349
 350         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 351         archivaDavResourceFactory.setHttpAuth( httpAuth );
 352         archivaDavResourceFactory.setServletAuth( servletAuth );
 353         servlet.setResourceFactory( archivaDavResourceFactory );
 354
 355         AuthenticationResult result = new AuthenticationResult();
 356
 357         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 358                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 359
 360         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 361                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 362
 363         // ArchivaDavResourceFactory#isAuthorized()
 364         SecuritySession session = new DefaultSecuritySession();
 365
 366         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 367                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 368
 369         //EasyMock.expect( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ) ).andReturn( session );
 370
 371         //EasyMock.expect( httpAuth.getSessionUser( ic.getRequest().getSession() ) ).andReturn( new SimpleUser() );
 372
 373         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 374                                                       eq( result ) ) ).andReturn( true );
 375
 376         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 377                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD) ) ).andThrow(
 378             new UnauthorizedException( "User not authorized" ) );
 379         httpAuthControl.replay();
 380         servletAuthControl.replay();
 381
 382         //servlet.service( ic.getRequest(), ic.getResponse() );
 383
 384         httpAuthControl.verify();
 385         servletAuthControl.verify();
 386
 387         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
 388     }
 389
 390     // test deploy with a valid user with write access
 391     @Ignore("rewrite")
 392     public void testPutWithValidUserWithWriteAccess()
 393         throws Exception
 394     {
 395         setupCleanRepo( repoRootInternal );
 396         assertTrue( repoRootInternal.exists() );
 397
 398         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 399         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 400         assertNotNull( "artifact.jar inputstream", is );
 401
 402         WebRequest request = new AbstractRepositoryServletTestCase.PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 403
 404         //InvocationContext ic = sc.newInvocation( request );
 405         //servlet = (RepositoryServlet) ic.getServlet();
 406         servlet.setDavSessionProvider( davSessionProvider );
 407
 408         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 409         archivaDavResourceFactory.setHttpAuth( httpAuth );
 410         archivaDavResourceFactory.setServletAuth( servletAuth );
 411
 412         TestAuditListener listener = new TestAuditListener();
 413         archivaDavResourceFactory.addAuditListener( listener );
 414         servlet.setResourceFactory( archivaDavResourceFactory );
 415
 416         AuthenticationResult result = new AuthenticationResult();
 417
 418         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 419                                                            anyObject( HttpServletResponse.class) )).andReturn( result );
 420
 421         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 422                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 423
 424         User user = new SimpleUser();
 425         user.setUsername( "admin" );
 426
 427         // ArchivaDavResourceFactory#isAuthorized()
 428         SecuritySession session = new DefaultSecuritySession();
 429
 430         EasyMock.expect( httpAuth.getAuthenticationResult(anyObject( HttpServletRequest.class ),
 431                                                           anyObject( HttpServletResponse.class) ) ).andReturn( result );
 432
 433         //EasyMock.expect( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ) ).andReturn( session );
 434
 435         //EasyMock.expect( httpAuth.getSessionUser( ic.getRequest().getSession() ) ).andReturn( user );
 436
 437         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 438             true );
 439
 440         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 441                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD) ) ).andReturn(
 442             true );
 443
 444         httpAuthControl.replay();
 445         servletAuthControl.replay();
 446
 447         //servlet.service( ic.getRequest(), ic.getResponse() );
 448
 449         httpAuthControl.verify();
 450         servletAuthControl.verify();
 451
 452         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
 453
 454         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
 455     }
 456
 457     // test get with invalid user, and guest has read access to repo
 458     @Ignore("rewrite")
 459     public void testGetWithInvalidUserAndGuestHasReadAccess()
 460         throws Exception
 461     {
 462         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 463         String expectedArtifactContents = "dummy-commons-lang-artifact";
 464
 465         File artifactFile = new File( repoRootInternal, commonsLangJar );
 466         artifactFile.getParentFile().mkdirs();
 467
 468         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 469
 470         WebRequest request = new AbstractRepositoryServletTestCase.GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 471         //InvocationContext ic = sc.newInvocation( request );
 472         //servlet = (RepositoryServlet) ic.getServlet();
 473         servlet.setDavSessionProvider( davSessionProvider );
 474
 475         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 476         archivaDavResourceFactory.setHttpAuth( httpAuth );
 477         archivaDavResourceFactory.setServletAuth( servletAuth );
 478
 479         servlet.setResourceFactory( archivaDavResourceFactory );
 480
 481         AuthenticationResult result = new AuthenticationResult();
 482
 483         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) )
 484             .andReturn( result );
 485
 486         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andThrow(
 487             new AuthenticationException( "Authentication error" ) );
 488
 489         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 490                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 491             true );
 492
 493         // ArchivaDavResourceFactory#isAuthorized()
 494         SecuritySession session = new DefaultSecuritySession();
 495
 496         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 497
 498         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 499
 500         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 501
 502         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 503             true );
 504
 505         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 506                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andReturn( true );
 507         httpAuthControl.replay();
 508         servletAuthControl.replay();
 509
 510         WebResponse response = null;// sc.getResponse( request );
 511
 512         httpAuthControl.verify();
 513         servletAuthControl.verify();
 514
 515         assertEquals( HttpServletResponse.SC_OK, response.getStatusCode() );
 516         assertEquals( "Expected file contents", expectedArtifactContents, response.getContentAsString() );
 517     }
 518
 519     // test get with invalid user, and guest has no read access to repo
 520     @Ignore("rewrite")
 521     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
 522         throws Exception
 523     {
 524         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 525         String expectedArtifactContents = "dummy-commons-lang-artifact";
 526
 527         File artifactFile = new File( repoRootInternal, commonsLangJar );
 528         artifactFile.getParentFile().mkdirs();
 529
 530         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 531
 532         WebRequest request = new AbstractRepositoryServletTestCase.GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 533         //InvocationContext ic = sc.newInvocation( request );
 534         //servlet = (RepositoryServlet) ic.getServlet();
 535         servlet.setDavSessionProvider( davSessionProvider );
 536
 537         AuthenticationResult result = new AuthenticationResult();
 538
 539         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 540
 541         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andThrow(
 542             new AuthenticationException( "Authentication error" ) );
 543
 544         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 545                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 546             false );
 547         httpAuthControl.replay();
 548         servletAuthControl.replay();
 549
 550         WebResponse response = null;//sc.getResponse( request );
 551
 552         httpAuthControl.verify();
 553         servletAuthControl.verify();
 554
 555         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getStatusCode() );
 556     }
 557
 558     // test get with valid user with read access to repo
 559     @Ignore("rewrite")
 560     public void testGetWithAValidUserWithReadAccess()
 561         throws Exception
 562     {
 563         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 564         String expectedArtifactContents = "dummy-commons-lang-artifact";
 565
 566         File artifactFile = new File( repoRootInternal, commonsLangJar );
 567         artifactFile.getParentFile().mkdirs();
 568
 569         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 570
 571         WebRequest request = new AbstractRepositoryServletTestCase.GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 572         //InvocationContext ic = sc.newInvocation( request );
 573         //servlet = (RepositoryServlet) ic.getServlet();
 574         servlet.setDavSessionProvider( davSessionProvider );
 575
 576         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 577         archivaDavResourceFactory.setHttpAuth( httpAuth );
 578         archivaDavResourceFactory.setServletAuth( servletAuth );
 579
 580         servlet.setResourceFactory( archivaDavResourceFactory );
 581
 582         AuthenticationResult result = new AuthenticationResult();
 583
 584         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 585
 586         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 587         // ArchivaDavResourceFactory#isAuthorized()
 588         SecuritySession session = new DefaultSecuritySession();
 589
 590         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 591
 592         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 593
 594         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
 595
 596         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 597             true );
 598
 599         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 600                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andReturn(
 601             true );
 602
 603         httpAuthControl.replay();
 604         servletAuthControl.replay();
 605
 606         WebResponse response = null;// sc.getResponse( request );
 607
 608         httpAuthControl.verify();
 609         servletAuthControl.verify();
 610
 611         assertEquals( HttpServletResponse.SC_OK, response.getStatusCode() );
 612         assertEquals( "Expected file contents", expectedArtifactContents, response.getContentAsString() );
 613     }
 614
 615     // test get with valid user with no read access to repo
 616     @Ignore("rewrite")
 617     public void testGetWithAValidUserWithNoReadAccess()
 618         throws Exception
 619     {
 620         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 621         String expectedArtifactContents = "dummy-commons-lang-artifact";
 622
 623         File artifactFile = new File( repoRootInternal, commonsLangJar );
 624         artifactFile.getParentFile().mkdirs();
 625
 626         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 627
 628         WebRequest request = new AbstractRepositoryServletTestCase.GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 629         //InvocationContext ic = sc.newInvocation( request );
 630         //servlet = (RepositoryServlet) ic.getServlet();
 631         servlet.setDavSessionProvider( davSessionProvider );
 632
 633         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 634         archivaDavResourceFactory.setHttpAuth( httpAuth );
 635         archivaDavResourceFactory.setServletAuth( servletAuth );
 636
 637         servlet.setResourceFactory( archivaDavResourceFactory );
 638
 639         AuthenticationResult result = new AuthenticationResult();
 640
 641         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 642
 643         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 644
 645         // ArchivaDavResourceFactory#isAuthorized()
 646         SecuritySession session = new DefaultSecuritySession();
 647
 648         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 649
 650         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class) ) ).andReturn( session );
 651
 652         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class) ) ).andReturn( new SimpleUser() );
 653
 654         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 655             true );
 656
 657         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 658                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andThrow(
 659             new UnauthorizedException( "User not authorized to read repository." ) );
 660         httpAuthControl.replay();
 661         servletAuthControl.replay();
 662
 663         WebResponse response = null;//sc.getResponse( request );
 664
 665         httpAuthControl.verify();
 666         servletAuthControl.verify();
 667
 668         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getStatusCode() );
 669     }
 670 }