source.dussan.org Git - archiva.git/blob

   1 package org.apache.archiva.webdav;
   2
   3 /*
   4  * Licensed to the Apache Software Foundation (ASF) under one
   5  * or more contributor license agreements.  See the NOTICE file
   6  * distributed with this work for additional information
   7  * regarding copyright ownership.  The ASF licenses this file
   8  * to you under the Apache License, Version 2.0 (the
   9  * "License"); you may not use this file except in compliance
  10  * with the License.  You may obtain a copy of the License at
  11  *
  12  *  http://www.apache.org/licenses/LICENSE-2.0
  13  *
  14  * Unless required by applicable law or agreed to in writing,
  15  * software distributed under the License is distributed on an
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  17  * KIND, either express or implied.  See the License for the
  18  * specific language governing permissions and limitations
  19  * under the License.
  20  */
  21
  22 import com.meterware.httpunit.GetMethodWebRequest;
  23 import com.meterware.httpunit.HttpUnitOptions;
  24 import com.meterware.httpunit.PutMethodWebRequest;
  25 import com.meterware.httpunit.WebRequest;
  26 import com.meterware.httpunit.WebResponse;
  27 import com.meterware.servletunit.InvocationContext;
  28 import com.meterware.servletunit.ServletRunner;
  29 import com.meterware.servletunit.ServletUnitClient;
  30 import junit.framework.TestCase;
  31 import net.sf.ehcache.CacheManager;
  32 import org.apache.archiva.configuration.ArchivaConfiguration;
  33 import org.apache.archiva.configuration.Configuration;
  34 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
  35 import org.apache.archiva.redback.authentication.AuthenticationException;
  36 import org.apache.archiva.redback.authentication.AuthenticationResult;
  37 import org.apache.archiva.redback.authorization.UnauthorizedException;
  38 import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
  39 import org.apache.archiva.redback.system.DefaultSecuritySession;
  40 import org.apache.archiva.redback.system.SecuritySession;
  41 import org.apache.archiva.redback.users.User;
  42 import org.apache.archiva.redback.users.memory.SimpleUser;
  43 import org.apache.archiva.repository.audit.TestAuditListener;
  44 import org.apache.archiva.security.ServletAuthenticator;
  45 import org.apache.archiva.security.common.ArchivaRoleConstants;
  46 import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
  47 import org.apache.commons.io.FileUtils;
  48 import org.apache.jackrabbit.webdav.DavSessionProvider;
  49 import org.easymock.EasyMock;
  50 import static org.easymock.EasyMock.*;
  51 import org.easymock.IMocksControl;
  52 import org.junit.After;
  53 import org.junit.Before;
  54 import org.junit.Test;
  55 import org.junit.runner.RunWith;
  56 import org.springframework.context.ApplicationContext;
  57 import org.springframework.test.context.ContextConfiguration;
  58
  59 import javax.inject.Inject;
  60 import javax.servlet.http.HttpServletRequest;
  61 import javax.servlet.http.HttpServletResponse;
  62 import javax.servlet.http.HttpSession;
  63 import java.io.File;
  64 import java.io.IOException;
  65 import java.io.InputStream;
  66 import java.nio.charset.Charset;
  67
  68 /**
  69  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
  70  * perform redback security checking.
  71  */
  72 @RunWith( ArchivaSpringJUnit4ClassRunner.class )
  73 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context.xml" } )
  74 public class RepositoryServletSecurityTest
  75     extends TestCase
  76 {
  77     protected static final String REPOID_INTERNAL = "internal";
  78
  79     protected ServletUnitClient sc;
  80
  81     protected File repoRootInternal;
  82
  83     private ServletRunner sr;
  84
  85     protected ArchivaConfiguration archivaConfiguration;
  86
  87     private DavSessionProvider davSessionProvider;
  88
  89     private IMocksControl servletAuthControl;
  90
  91     private ServletAuthenticator servletAuth;
  92
  93     private IMocksControl httpAuthControl;
  94
  95     private HttpAuthenticator httpAuth;
  96
  97     private RepositoryServlet servlet;
  98
  99     @Inject
 100     ApplicationContext applicationContext;
 101
 102     @Before
 103     public void setUp()
 104         throws Exception
 105     {
 106         super.setUp();
 107
 108         String appserverBase =
 109             System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
 110
 111         File testConf = new File( "src/test/resources/repository-archiva.xml" );
 112         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
 113         FileUtils.copyFile( testConf, testConfDest );
 114
 115         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
 116
 117         archivaConfiguration = applicationContext.getBean( ArchivaConfiguration.class );
 118         Configuration config = archivaConfiguration.getConfiguration();
 119
 120         if ( !config.getManagedRepositoriesAsMap().containsKey( REPOID_INTERNAL ) )
 121         {
 122             config.addManagedRepository(
 123                 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
 124         }
 125         saveConfiguration( archivaConfiguration );
 126
 127         CacheManager.getInstance().clearAll();
 128
 129         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
 130
 131         sr = new ServletRunner( new File( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
 132         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
 133         sc = sr.newClient();
 134
 135         servletAuthControl = EasyMock.createControl();
 136
 137         servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );
 138
 139         httpAuthControl = EasyMock.createControl();
 140
 141         httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );
 142
 143         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
 144     }
 145
 146     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
 147     {
 148         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
 149         repo.setId( id );
 150         repo.setName( name );
 151         repo.setLocation( location.getAbsolutePath() );
 152         return repo;
 153     }
 154
 155     protected void saveConfiguration()
 156         throws Exception
 157     {
 158         saveConfiguration( archivaConfiguration );
 159     }
 160
 161     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
 162         throws Exception
 163     {
 164         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
 165     }
 166
 167     protected void setupCleanRepo( File repoRootDir )
 168         throws IOException
 169     {
 170         FileUtils.deleteDirectory( repoRootDir );
 171         if ( !repoRootDir.exists() )
 172         {
 173             repoRootDir.mkdirs();
 174         }
 175     }
 176
 177     @Override
 178     @After
 179     public void tearDown()
 180         throws Exception
 181     {
 182         if ( sc != null )
 183         {
 184             sc.clearContents();
 185         }
 186
 187         if ( sr != null )
 188         {
 189             sr.shutDown();
 190         }
 191
 192         if ( repoRootInternal.exists() )
 193         {
 194             FileUtils.deleteDirectory( repoRootInternal );
 195         }
 196
 197         servlet = null;
 198
 199         super.tearDown();
 200     }
 201
 202     // test deploy with invalid user, and guest has no write access to repo
 203     // 401 must be returned
 204     @Test
 205     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
 206         throws Exception
 207     {
 208         setupCleanRepo( repoRootInternal );
 209
 210         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 211         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 212         assertNotNull( "artifact.jar inputstream", is );
 213
 214         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 215         InvocationContext ic = sc.newInvocation( request );
 216         servlet = (RepositoryServlet) ic.getServlet();
 217         servlet.setDavSessionProvider( davSessionProvider );
 218
 219         AuthenticationResult result = new AuthenticationResult();
 220
 221         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 222                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 223
 224         servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),
 225                                      EasyMock.anyObject( AuthenticationResult.class ) );
 226         EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );
 227
 228         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
 229
 230         EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );
 231
 232         httpAuthControl.replay();
 233         servletAuthControl.replay();
 234
 235         servlet.service( ic.getRequest(), ic.getResponse() );
 236
 237         httpAuthControl.verify();
 238         servletAuthControl.verify();
 239
 240         //assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
 241     }
 242
 243     // test deploy with invalid user, but guest has write access to repo
 244     @Test
 245     public void testPutWithInvalidUserAndGuestHasWriteAccess()
 246         throws Exception
 247     {
 248         setupCleanRepo( repoRootInternal );
 249
 250         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 251         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 252         assertNotNull( "artifact.jar inputstream", is );
 253
 254         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 255
 256         InvocationContext ic = sc.newInvocation( request );
 257         servlet = (RepositoryServlet) ic.getServlet();
 258         servlet.setDavSessionProvider( davSessionProvider );
 259
 260         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 261         archivaDavResourceFactory.setHttpAuth( httpAuth );
 262         archivaDavResourceFactory.setServletAuth( servletAuth );
 263
 264         servlet.setResourceFactory( archivaDavResourceFactory );
 265
 266         AuthenticationResult result = new AuthenticationResult();
 267
 268         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 269                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 270
 271         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 272                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
 273             new AuthenticationException( "Authentication error" ) );
 274
 275         EasyMock.expect(servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD )).andReturn( true );
 276
 277         // ArchivaDavResourceFactory#isAuthorized()
 278         SecuritySession session = new DefaultSecuritySession();
 279
 280         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 281                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 282
 283         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 284
 285         EasyMock.expect(servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) )).andThrow( new AuthenticationException( "Authentication error" ) );
 286
 287         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 288
 289         // check if guest has write access
 290         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 291                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
 292             true );
 293
 294         httpAuthControl.replay();
 295         servletAuthControl.replay();
 296
 297         servlet.service( ic.getRequest(), ic.getResponse() );
 298
 299         httpAuthControl.verify();
 300         servletAuthControl.verify();
 301
 302         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
 303     }
 304
 305     // test deploy with a valid user with no write access
 306     @Test
 307     public void testPutWithValidUserWithNoWriteAccess()
 308         throws Exception
 309     {
 310         setupCleanRepo( repoRootInternal );
 311
 312         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 313         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 314         assertNotNull( "artifact.jar inputstream", is );
 315
 316         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 317
 318         InvocationContext ic = sc.newInvocation( request );
 319         servlet = (RepositoryServlet) ic.getServlet();
 320         servlet.setDavSessionProvider( davSessionProvider );
 321
 322         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 323         archivaDavResourceFactory.setHttpAuth( httpAuth );
 324         archivaDavResourceFactory.setServletAuth( servletAuth );
 325         servlet.setResourceFactory( archivaDavResourceFactory );
 326
 327         AuthenticationResult result = new AuthenticationResult();
 328
 329         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 330                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 331
 332         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 333                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 334
 335         // ArchivaDavResourceFactory#isAuthorized()
 336         SecuritySession session = new DefaultSecuritySession();
 337
 338         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 339                                                            anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 340
 341         EasyMock.expect( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ) ).andReturn( session );
 342
 343         EasyMock.expect( httpAuth.getSessionUser( ic.getRequest().getSession() ) ).andReturn( new SimpleUser() );
 344
 345         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 346                                                       eq( result ) ) ).andReturn( true );
 347
 348         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 349                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD) ) ).andThrow(
 350             new UnauthorizedException( "User not authorized" ) );
 351         httpAuthControl.replay();
 352         servletAuthControl.replay();
 353
 354         servlet.service( ic.getRequest(), ic.getResponse() );
 355
 356         httpAuthControl.verify();
 357         servletAuthControl.verify();
 358
 359         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
 360     }
 361
 362     // test deploy with a valid user with write access
 363     @Test
 364     public void testPutWithValidUserWithWriteAccess()
 365         throws Exception
 366     {
 367         setupCleanRepo( repoRootInternal );
 368         assertTrue( repoRootInternal.exists() );
 369
 370         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
 371         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
 372         assertNotNull( "artifact.jar inputstream", is );
 373
 374         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
 375
 376         InvocationContext ic = sc.newInvocation( request );
 377         servlet = (RepositoryServlet) ic.getServlet();
 378         servlet.setDavSessionProvider( davSessionProvider );
 379
 380         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 381         archivaDavResourceFactory.setHttpAuth( httpAuth );
 382         archivaDavResourceFactory.setServletAuth( servletAuth );
 383
 384         TestAuditListener listener = new TestAuditListener();
 385         archivaDavResourceFactory.addAuditListener( listener );
 386         servlet.setResourceFactory( archivaDavResourceFactory );
 387
 388         AuthenticationResult result = new AuthenticationResult();
 389
 390         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
 391                                                            anyObject( HttpServletResponse.class) )).andReturn( result );
 392
 393         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
 394                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 395
 396         User user = new SimpleUser();
 397         user.setUsername( "admin" );
 398
 399         // ArchivaDavResourceFactory#isAuthorized()
 400         SecuritySession session = new DefaultSecuritySession();
 401
 402         EasyMock.expect( httpAuth.getAuthenticationResult(anyObject( HttpServletRequest.class ),
 403                                                           anyObject( HttpServletResponse.class) ) ).andReturn( result );
 404
 405         EasyMock.expect( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ) ).andReturn( session );
 406
 407         EasyMock.expect( httpAuth.getSessionUser( ic.getRequest().getSession() ) ).andReturn( user );
 408
 409         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 410             true );
 411
 412         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 413                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD) ) ).andReturn(
 414             true );
 415
 416         httpAuthControl.replay();
 417         servletAuthControl.replay();
 418
 419         servlet.service( ic.getRequest(), ic.getResponse() );
 420
 421         httpAuthControl.verify();
 422         servletAuthControl.verify();
 423
 424         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
 425
 426         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
 427     }
 428
 429     // test get with invalid user, and guest has read access to repo
 430     @Test
 431     public void testGetWithInvalidUserAndGuestHasReadAccess()
 432         throws Exception
 433     {
 434         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 435         String expectedArtifactContents = "dummy-commons-lang-artifact";
 436
 437         File artifactFile = new File( repoRootInternal, commonsLangJar );
 438         artifactFile.getParentFile().mkdirs();
 439
 440         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 441
 442         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 443         InvocationContext ic = sc.newInvocation( request );
 444         servlet = (RepositoryServlet) ic.getServlet();
 445         servlet.setDavSessionProvider( davSessionProvider );
 446
 447         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 448         archivaDavResourceFactory.setHttpAuth( httpAuth );
 449         archivaDavResourceFactory.setServletAuth( servletAuth );
 450
 451         servlet.setResourceFactory( archivaDavResourceFactory );
 452
 453         AuthenticationResult result = new AuthenticationResult();
 454
 455         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) )
 456             .andReturn( result );
 457
 458         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andThrow(
 459             new AuthenticationException( "Authentication error" ) );
 460
 461         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 462                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 463             true );
 464
 465         // ArchivaDavResourceFactory#isAuthorized()
 466         SecuritySession session = new DefaultSecuritySession();
 467
 468         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 469
 470         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 471
 472         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
 473
 474         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 475             true );
 476
 477         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 478                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andReturn(
 479             true );
 480         httpAuthControl.replay();
 481         servletAuthControl.replay();
 482
 483         WebResponse response = sc.getResponse( request );
 484
 485         httpAuthControl.verify();
 486         servletAuthControl.verify();
 487
 488         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
 489         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
 490     }
 491
 492     // test get with invalid user, and guest has no read access to repo
 493     @Test
 494     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
 495         throws Exception
 496     {
 497         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 498         String expectedArtifactContents = "dummy-commons-lang-artifact";
 499
 500         File artifactFile = new File( repoRootInternal, commonsLangJar );
 501         artifactFile.getParentFile().mkdirs();
 502
 503         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 504
 505         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 506         InvocationContext ic = sc.newInvocation( request );
 507         servlet = (RepositoryServlet) ic.getServlet();
 508         servlet.setDavSessionProvider( davSessionProvider );
 509
 510         AuthenticationResult result = new AuthenticationResult();
 511
 512         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 513
 514         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andThrow(
 515             new AuthenticationException( "Authentication error" ) );
 516
 517         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
 518                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
 519             false );
 520         httpAuthControl.replay();
 521         servletAuthControl.replay();
 522
 523         WebResponse response = sc.getResponse( request );
 524
 525         httpAuthControl.verify();
 526         servletAuthControl.verify();
 527
 528         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
 529     }
 530
 531     // test get with valid user with read access to repo
 532     @Test
 533     public void testGetWithAValidUserWithReadAccess()
 534         throws Exception
 535     {
 536         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 537         String expectedArtifactContents = "dummy-commons-lang-artifact";
 538
 539         File artifactFile = new File( repoRootInternal, commonsLangJar );
 540         artifactFile.getParentFile().mkdirs();
 541
 542         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 543
 544         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 545         InvocationContext ic = sc.newInvocation( request );
 546         servlet = (RepositoryServlet) ic.getServlet();
 547         servlet.setDavSessionProvider( davSessionProvider );
 548
 549         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 550         archivaDavResourceFactory.setHttpAuth( httpAuth );
 551         archivaDavResourceFactory.setServletAuth( servletAuth );
 552
 553         servlet.setResourceFactory( archivaDavResourceFactory );
 554
 555         AuthenticationResult result = new AuthenticationResult();
 556
 557         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 558
 559         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 560         // ArchivaDavResourceFactory#isAuthorized()
 561         SecuritySession session = new DefaultSecuritySession();
 562
 563         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 564
 565         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
 566
 567         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
 568
 569         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 570             true );
 571
 572         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 573                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andReturn(
 574             true );
 575
 576         httpAuthControl.replay();
 577         servletAuthControl.replay();
 578
 579         WebResponse response = sc.getResponse( request );
 580
 581         httpAuthControl.verify();
 582         servletAuthControl.verify();
 583
 584         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
 585         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
 586     }
 587
 588     // test get with valid user with no read access to repo
 589     @Test
 590     public void testGetWithAValidUserWithNoReadAccess()
 591         throws Exception
 592     {
 593         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
 594         String expectedArtifactContents = "dummy-commons-lang-artifact";
 595
 596         File artifactFile = new File( repoRootInternal, commonsLangJar );
 597         artifactFile.getParentFile().mkdirs();
 598
 599         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
 600
 601         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
 602         InvocationContext ic = sc.newInvocation( request );
 603         servlet = (RepositoryServlet) ic.getServlet();
 604         servlet.setDavSessionProvider( davSessionProvider );
 605
 606         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
 607         archivaDavResourceFactory.setHttpAuth( httpAuth );
 608         archivaDavResourceFactory.setServletAuth( servletAuth );
 609
 610         servlet.setResourceFactory( archivaDavResourceFactory );
 611
 612         AuthenticationResult result = new AuthenticationResult();
 613
 614         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 615
 616         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), anyObject( AuthenticationResult.class ) ) ).andReturn( true );
 617
 618         // ArchivaDavResourceFactory#isAuthorized()
 619         SecuritySession session = new DefaultSecuritySession();
 620
 621         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ), anyObject( HttpServletResponse.class ) ) ).andReturn( result );
 622
 623         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class) ) ).andReturn( session );
 624
 625         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class) ) ).andReturn( new SimpleUser() );
 626
 627         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq(result) ) ).andReturn(
 628             true );
 629
 630         EasyMock.expect( servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq(session), eq("internal"),
 631                                                    eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS) ) ).andThrow(
 632             new UnauthorizedException( "User not authorized to read repository." ) );
 633         httpAuthControl.replay();
 634         servletAuthControl.replay();
 635
 636         WebResponse response = sc.getResponse( request );
 637
 638         httpAuthControl.verify();
 639         servletAuthControl.verify();
 640
 641         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
 642     }
 643 }