return true;
}
- public boolean isAuthorized( String principal, String repoId )
+ public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest )
throws UnauthorizedException
{
try
{
+ String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
+
+ if ( isWriteRequest )
+ {
+ permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
+ }
+
User user = securitySystem.getUserManager().findUser( principal );
if ( user.isLocked() )
{
AuthenticationResult authn = new AuthenticationResult( true, principal, null );
SecuritySession securitySession = new DefaultSecuritySession( authn, user );
- return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS,
- repoId );
+ return securitySystem.isAuthorized( securitySession, permission, repoId );
}
catch ( UserNotFoundException e )
{
return guest;
}
+
+ public void setGuest( String guesT )
+ {
+ guest = guesT;
+ }
}
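Review bot: The permission chosen at L9–L14 falls back to OPERATION_REPOSITORY_ACCESS for every request that `isWriteRequest` does not flag, so the read/write split is only as strong as the callers' classification (they derive the flag from `WebdavMethodUtil.isWriteMethod`); a comment stating that contract would help, e.g. `// Non-write requests are checked against read access only; callers must flag every mutating method as a write.`. The setter added at L30 names its parameter `guesT`, which reads like a typo; `public void setGuest( String guest ) { this.guest = guest; }` is clearer. The lines between the `isLocked()` check and the `catch ( UserNotFoundException e )` block are not fully visible here, so the locked-account and unknown-principal paths are not reviewed.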
*/
public interface ServletAuthenticator
{
+ /**
+ * Authentication check for users.
+ *
+ * @param request
+ * @param result
+ * @return
+ * @throws AuthenticationException
+ * @throws AccountLockedException
+ * @throws MustChangePasswordException
+ */
public boolean isAuthenticated( HttpServletRequest request, AuthenticationResult result )
throws AuthenticationException, AccountLockedException, MustChangePasswordException;
+ /**
+ * Authorization check for valid users.
+ *
+ * @param request
+ * @param securitySession
+ * @param repositoryId
+ * @param isWriteRequest
+ * @return
+ * @throws AuthorizationException
+ * @throws UnauthorizedException
+ */
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException;
- public boolean isAuthorized( String principal, String repoId )
+ /**
+ * Authorization check specific for user guest, which doesn't go through
+ * HttpBasicAuthentication#getAuthenticationResult( HttpServletRequest request, HttpServletResponse response )
+ * since no credentials are attached to the request.
+ *
+ * See also MRM-911
+ *
+ * @param principal
+ * @param repoId
+ * @param isWriteRequest
+ * @return
+ * @throws UnauthorizedException
+ */
+ public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest )
throws UnauthorizedException;
}
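Review bot: The Javadoc added at L38–L47, L50–L60 and L64–L76 leaves every `@param`, `@return` and `@throws` tag empty, which is what a reader of this interface most needs since the read/write distinction is new. Fill them in along the lines of `@param isWriteRequest true when the request mutates the repository; checked against the upload permission rather than the read permission`, `@return true if the principal may perform the request on the repository` and `@throws UnauthorizedException if the user's account is locked or the user does not exist` (the last one hedged to whatever the implementation actually does, which is only partly visible in this diff). The MRM-911 comment at L65–L69 would also benefit from one sentence saying what the implementation does when the guest principal is itself unknown.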
--- /dev/null
+package org.apache.maven.archiva.security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.io.File;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.maven.archiva.configuration.ArchivaConfiguration;
+import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
+import org.codehaus.plexus.redback.rbac.RBACManager;
+import org.codehaus.plexus.redback.role.RoleManager;
+import org.codehaus.plexus.redback.system.SecuritySystem;
+import org.codehaus.plexus.redback.users.User;
+import org.codehaus.plexus.redback.users.UserManager;
+import org.codehaus.plexus.spring.PlexusInSpringTestCase;
+
+/**
+ * AbstractSecurityTest
+ *
+ * @author <a href="mailto:oching@apache.org">Maria Odea Ching</a>
+ * @version $Id: AbstractSecurityTest
+ */
+public abstract class AbstractSecurityTest
+ extends PlexusInSpringTestCase
+{
+ protected static final String USER_GUEST = "guest";
+
+ protected static final String USER_ADMIN = "admin";
+
+ protected static final String USER_ALPACA = "alpaca";
+
+ protected SecuritySystem securitySystem;
+
+ private RBACManager rbacManager;
+
+ protected RoleManager roleManager;
+
+ private ArchivaConfiguration archivaConfiguration;
+
+ protected UserRepositories userRepos;
+
+ protected void setupRepository( String repoId )
+ throws Exception
+ {
+ // Add repo to configuration.
+ ManagedRepositoryConfiguration repoConfig = new ManagedRepositoryConfiguration();
+ repoConfig.setId( repoId );
+ repoConfig.setName( "Testable repo <" + repoId + ">" );
+ repoConfig.setLocation( getTestPath( "target/test-repo/" + repoId ) );
+ archivaConfiguration.getConfiguration().addManagedRepository( repoConfig );
+
+ // Add repo roles to security.
+ userRepos.createMissingRepositoryRoles( repoId );
+ }
+
+ protected void assignRepositoryObserverRole( String principal, String repoId )
+ throws Exception
+ {
+ roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId, principal );
+ }
+
+ protected User createUser( String principal, String fullname )
+ {
+ UserManager userManager = securitySystem.getUserManager();
+
+ User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" );
+ securitySystem.getPolicy().setEnabled( false );
+ userManager.addUser( user );
+ securitySystem.getPolicy().setEnabled( true );
+
+ return user;
+ }
+
+ @Override
+ public void setUp()
+ throws Exception
+ {
+ super.setUp();
+
+ File srcConfig = getTestFile( "src/test/resources/repository-archiva.xml" );
+ File destConfig = getTestFile( "target/test-conf/archiva.xml" );
+
+ destConfig.getParentFile().mkdirs();
+ destConfig.delete();
+
+ FileUtils.copyFile( srcConfig, destConfig );
+
+ securitySystem = (SecuritySystem) lookup( SecuritySystem.class, "testable" );
+ rbacManager = (RBACManager) lookup( RBACManager.class, "memory" );
+ roleManager = (RoleManager) lookup( RoleManager.class, "default" );
+ userRepos = (UserRepositories) lookup( UserRepositories.class, "default" );
+ archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
+
+ // Some basic asserts.
+ assertNotNull( securitySystem );
+ assertNotNull( rbacManager );
+ assertNotNull( roleManager );
+ assertNotNull( userRepos );
+ assertNotNull( archivaConfiguration );
+
+ // Setup Admin User.
+ User adminUser = createUser( USER_ADMIN, "Admin User" );
+ roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_SYSTEM_ADMIN, adminUser.getPrincipal().toString() );
+
+ // Setup Guest User.
+ User guestUser = createUser( USER_GUEST, "Guest User" );
+ roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GUEST, guestUser.getPrincipal().toString() );
+ }
+}
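Review bot: `createUser` at L159–L169 disables the security policy and re-enables it on the following line without a `finally`, so if `addUser` throws the policy stays disabled for the rest of the test run and later assertions that rely on it pass for the wrong reason. Wrapping the call in try/finally keeps the disable window to the single statement it is meant for. The ignored return of `destConfig.delete()` at L181 is a smaller version of the same pattern; an `assertTrue( !destConfig.exists() || destConfig.delete() )` would make a stale config file fail loudly.
```java
    protected User createUser( String principal, String fullname )
    {
        UserManager userManager = securitySystem.getUserManager();

        User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" );
        // Bypass the security policy only while adding the test user; re-enable it even if addUser throws.
        securitySystem.getPolicy().setEnabled( false );
        try
        {
            userManager.addUser( user );
        }
        finally
        {
            securitySystem.getPolicy().setEnabled( true );
        }

        return user;
    }
```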
--- /dev/null
+package org.apache.maven.archiva.security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.codehaus.plexus.redback.authentication.AuthenticationException;
+import org.codehaus.plexus.redback.authentication.AuthenticationResult;
+import org.codehaus.plexus.redback.authorization.UnauthorizedException;
+import org.codehaus.plexus.redback.system.DefaultSecuritySession;
+import org.codehaus.plexus.redback.system.SecuritySession;
+import org.codehaus.plexus.redback.users.User;
+import org.codehaus.plexus.redback.users.UserManager;
+
+import org.easymock.MockControl;
+
+/**
+ * ArchivaServletAuthenticatorTest
+ *
+ * @author <a href="mailto:oching@apache.org">Maria Odea Ching</a>
+ * @version
+ */
+public class ArchivaServletAuthenticatorTest
+ extends AbstractSecurityTest
+{
+ private ServletAuthenticator servletAuth;
+
+ private MockControl httpServletRequestControl;
+
+ private HttpServletRequest request;
+
+ @Override
+ public void setUp()
+ throws Exception
+ {
+ super.setUp();
+
+ servletAuth = ( ServletAuthenticator ) lookup( ServletAuthenticator.class, "default" );
+
+ httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
+ request = ( HttpServletRequest ) httpServletRequestControl.getMock();
+
+ setupRepository( "corporate" );
+ }
+
+ @Override
+ protected String getPlexusConfigLocation()
+ {
+ return "org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml";
+ }
+
+ protected void assignRepositoryManagerRole( String principal, String repoId )
+ throws Exception
+ {
+ roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
+ }
+
+ public void testIsAuthenticatedUserExists()
+ throws Exception
+ {
+ AuthenticationResult result = new AuthenticationResult( true, "user", null );
+ boolean isAuthenticated = servletAuth.isAuthenticated( request, result );
+
+ assertTrue( isAuthenticated );
+ }
+
+ public void testIsAuthenticatedUserDoesNotExist()
+ throws Exception
+ {
+ AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
+ try
+ {
+ servletAuth.isAuthenticated( request, result );
+ fail( "Authentication exception should have been thrown." );
+ }
+ catch ( AuthenticationException e )
+ {
+ assertEquals( "User Credentials Invalid", e.getMessage() );
+ }
+ }
+
+ public void testIsAuthorizedUserHasWriteAccess()
+ throws Exception
+ {
+ createUser( USER_ALPACA, "Al 'Archiva' Paca" );
+
+ assignRepositoryManagerRole( USER_ALPACA, "corporate" );
+
+ UserManager userManager = securitySystem.getUserManager();
+ User user = userManager.findUser( USER_ALPACA );
+
+ AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
+
+ SecuritySession session = new DefaultSecuritySession( result, user );
+ boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", true );
+
+ assertTrue( isAuthorized );
+ }
+
+ public void testIsAuthorizedUserHasNoWriteAccess()
+ throws Exception
+ {
+ createUser( USER_ALPACA, "Al 'Archiva' Paca" );
+
+ assignRepositoryObserverRole( USER_ALPACA, "corporate" );
+
+ httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );
+
+ UserManager userManager = securitySystem.getUserManager();
+ User user = userManager.findUser( USER_ALPACA );
+
+ AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
+
+ SecuritySession session = new DefaultSecuritySession( result, user );
+
+ httpServletRequestControl.replay();
+
+ try
+ {
+ servletAuth.isAuthorized( request, session, "corporate", true );
+ fail( "UnauthorizedException should have been thrown." );
+ }
+ catch ( UnauthorizedException e )
+ {
+ assertEquals( "Access denied for repository corporate", e.getMessage() );
+ }
+
+ httpServletRequestControl.verify();
+ }
+
+
+ public void testIsAuthorizedUserHasReadAccess()
+ throws Exception
+ {
+ createUser( USER_ALPACA, "Al 'Archiva' Paca" );
+
+ assignRepositoryObserverRole( USER_ALPACA, "corporate" );
+
+ UserManager userManager = securitySystem.getUserManager();
+ User user = userManager.findUser( USER_ALPACA );
+
+ AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
+
+ SecuritySession session = new DefaultSecuritySession( result, user );
+ boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", false );
+
+ assertTrue( isAuthorized );
+ }
+
+ public void testIsAuthorizedUserHasNoReadAccess()
+ throws Exception
+ {
+ createUser( USER_ALPACA, "Al 'Archiva' Paca" );
+
+ UserManager userManager = securitySystem.getUserManager();
+ User user = userManager.findUser( USER_ALPACA );
+
+ AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
+
+ SecuritySession session = new DefaultSecuritySession( result, user );
+ try
+ {
+ servletAuth.isAuthorized( request, session, "corporate", false );
+ fail( "UnauthorizedException should have been thrown." );
+ }
+ catch ( UnauthorizedException e )
+ {
+ assertEquals( "Access denied for repository corporate", e.getMessage() );
+ }
+ }
+
+ public void testIsAuthorizedGuestUserHasWriteAccess()
+ throws Exception
+ {
+ assignRepositoryManagerRole( USER_GUEST, "corporate" );
+ boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true );
+
+ assertTrue( isAuthorized );
+ }
+
+ public void testIsAuthorizedGuestUserHasNoWriteAccess()
+ throws Exception
+ {
+ assignRepositoryObserverRole( USER_GUEST, "corporate" );
+
+ boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true );
+ assertFalse( isAuthorized );
+ }
+
+ public void testIsAuthorizedGuestUserHasReadAccess()
+ throws Exception
+ {
+ assignRepositoryObserverRole( USER_GUEST, "corporate" );
+
+ boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false );
+
+ assertTrue( isAuthorized );
+ }
+
+ public void testIsAuthorizedGuestUserHasNoReadAccess()
+ throws Exception
+ {
+ boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false );
+
+ assertFalse( isAuthorized );
+ }
+}
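Review bot: Only `testIsAuthorizedUserHasNoWriteAccess` (L340, L352) puts `httpServletRequestControl` into replay state; the other session-based tests at L286, L319, L369 and L387 hand the authenticator a mock that is still recording, so any call it makes on `request` is silently recorded instead of being checked, and a test could pass without exercising the request at all. Add `httpServletRequestControl.replay();` before each call that passes `request`, or state in a comment that those paths are expected not to touch the request. The guest-principal tests at L405–L430 expect `false` where the session-based tests expect `UnauthorizedException`; a one-line comment such as `// the principal-based overload reports denial by returning false rather than throwing` would make that asymmetry read as intended rather than accidental.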
* under the License.
*/
-import java.io.File;
import java.util.List;
-import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
-import org.apache.maven.archiva.configuration.ArchivaConfiguration;
-import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
-import org.codehaus.plexus.spring.PlexusInSpringTestCase;
-import org.codehaus.plexus.redback.rbac.RBACManager;
-import org.codehaus.plexus.redback.role.RoleManager;
-import org.codehaus.plexus.redback.system.SecuritySystem;
-import org.codehaus.plexus.redback.users.User;
-import org.codehaus.plexus.redback.users.UserManager;
/**
* DefaultUserRepositoriesTest
* @version $Id$
*/
public class DefaultUserRepositoriesTest
- extends PlexusInSpringTestCase
-{
- private static final String USER_GUEST = "guest";
-
- private static final String USER_ADMIN = "admin";
-
- private static final String USER_ALPACA = "alpaca";
-
- private SecuritySystem securitySystem;
-
- private RBACManager rbacManager;
-
- private RoleManager roleManager;
-
- private ArchivaConfiguration archivaConfiguration;
-
- private UserRepositories userRepos;
-
+ extends AbstractSecurityTest
+{
+ @Override
+ protected String getPlexusConfigLocation()
+ {
+ return "org/apache/maven/archiva/security/DefaultUserRepositoriesTest.xml";
+ }
+
public void testGetObservableRepositoryIds()
throws Exception
{
}
}
- private void setupRepository( String repoId )
- throws Exception
- {
- // Add repo to configuration.
- ManagedRepositoryConfiguration repoConfig = new ManagedRepositoryConfiguration();
- repoConfig.setId( repoId );
- repoConfig.setName( "Testable repo <" + repoId + ">" );
- repoConfig.setLocation( getTestPath( "target/test-repo/" + repoId ) );
- archivaConfiguration.getConfiguration().addManagedRepository( repoConfig );
-
- // Add repo roles to security.
- userRepos.createMissingRepositoryRoles( repoId );
- }
-
private void assignGlobalRepositoryObserverRole( String principal )
throws Exception
{
roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GLOBAL_REPOSITORY_OBSERVER, principal );
}
-
- private void assignRepositoryObserverRole( String principal, String repoId )
- throws Exception
- {
- roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId, principal );
- }
-
- private User createUser( String principal, String fullname )
- {
- UserManager userManager = securitySystem.getUserManager();
-
- User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" );
- securitySystem.getPolicy().setEnabled( false );
- userManager.addUser( user );
- securitySystem.getPolicy().setEnabled( true );
-
- return user;
- }
-
- @Override
- protected void setUp()
- throws Exception
- {
- super.setUp();
-
- File srcConfig = getTestFile( "src/test/resources/repository-archiva.xml" );
- File destConfig = getTestFile( "target/test-conf/archiva.xml" );
-
- destConfig.getParentFile().mkdirs();
- destConfig.delete();
-
- FileUtils.copyFile( srcConfig, destConfig );
-
- securitySystem = (SecuritySystem) lookup( SecuritySystem.class, "testable" );
- rbacManager = (RBACManager) lookup( RBACManager.class, "memory" );
- roleManager = (RoleManager) lookup( RoleManager.class, "default" );
- userRepos = (UserRepositories) lookup( UserRepositories.class, "default" );
- archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
-
- // Some basic asserts.
- assertNotNull( securitySystem );
- assertNotNull( rbacManager );
- assertNotNull( roleManager );
- assertNotNull( userRepos );
- assertNotNull( archivaConfiguration );
-
- // Setup Admin User.
- User adminUser = createUser( USER_ADMIN, "Admin User" );
- roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_SYSTEM_ADMIN, adminUser.getPrincipal().toString() );
-
- // Setup Guest User.
- User guestUser = createUser( USER_GUEST, "Guest User" );
- roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GUEST, guestUser.getPrincipal().toString() );
-
- }
}
--- /dev/null
+<?xml version="1.0" ?>
+<component-set>
+ <components>
+
+ <component>
+ <role>org.apache.maven.archiva.security.ServletAuthenticator</role>
+ <role-hint>default</role-hint>
+ <implementation>org.apache.maven.archiva.security.ArchivaServletAuthenticator</implementation>
+ <description>ArchivaServletAuthenticator</description>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.redback.system.SecuritySystem</role>
+ <role-hint>testable</role-hint>
+ <field-name>securitySystem</field-name>
+ </requirement>
+ </requirements>
+ </component>
+
+ <component>
+ <role>org.apache.maven.archiva.security.UserRepositories</role>
+ <role-hint>default</role-hint>
+ <implementation>org.apache.maven.archiva.security.DefaultUserRepositories</implementation>
+ <description>DefaultUserRepositories</description>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.redback.system.SecuritySystem</role>
+ <role-hint>testable</role-hint>
+ <field-name>securitySystem</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>rbacManager</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.role.RoleManager</role>
+ <role-hint>default</role-hint>
+ <field-name>roleManager</field-name>
+ </requirement>
+ <requirement>
+ <role>org.apache.maven.archiva.configuration.ArchivaConfiguration</role>
+ <field-name>archivaConfiguration</field-name>
+ </requirement>
+ </requirements>
+ </component>
+
+ <component>
+ <role>org.codehaus.plexus.redback.system.SecuritySystem</role>
+ <role-hint>testable</role-hint>
+ <implementation>org.codehaus.plexus.redback.system.DefaultSecuritySystem</implementation>
+ <description>DefaultSecuritySystem:</description>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.redback.authentication.AuthenticationManager</role>
+ <field-name>authnManager</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.authorization.Authorizer</role>
+ <role-hint>rbac</role-hint>
+ <field-name>authorizer</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.users.UserManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>userManager</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.keys.KeyManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>keyManager</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.policy.UserSecurityPolicy</role>
+ <field-name>policy</field-name>
+ </requirement>
+ </requirements>
+ </component>
+
+ <component>
+ <role>org.codehaus.plexus.redback.authorization.Authorizer</role>
+ <role-hint>rbac</role-hint>
+ <implementation>org.codehaus.plexus.redback.authorization.rbac.RbacAuthorizer</implementation>
+ <description>RbacAuthorizer:</description>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>manager</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.users.UserManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>userManager</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator</role>
+ <role-hint>default</role-hint>
+ <field-name>evaluator</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.configuration.UserConfiguration</role>
+ <role-hint>default</role-hint>
+ <field-name>config</field-name>
+ </requirement>
+ </requirements>
+ </component>
+
+ <component>
+ <role>org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator</role>
+ <role-hint>default</role-hint>
+ <implementation>org.codehaus.plexus.redback.authorization.rbac.evaluator.DefaultPermissionEvaluator</implementation>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.redback.users.UserManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>userManager</field-name>
+ </requirement>
+ </requirements>
+ </component>
+
+ <component>
+ <role>org.codehaus.plexus.redback.role.RoleManager</role>
+ <role-hint>default</role-hint>
+ <implementation>org.codehaus.plexus.redback.role.DefaultRoleManager</implementation>
+ <description>RoleProfileManager:</description>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.redback.role.validator.RoleModelValidator</role>
+ <role-hint>default</role-hint>
+ <field-name>modelValidator</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.role.processor.RoleModelProcessor</role>
+ <role-hint>default</role-hint>
+ <field-name>modelProcessor</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.role.template.RoleTemplateProcessor</role>
+ <role-hint>default</role-hint>
+ <field-name>templateProcessor</field-name>
+ </requirement>
+ <requirement>
+ <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>rbacManager</field-name>
+ </requirement>
+ </requirements>
+ </component>
+
+ <component>
+ <role>org.codehaus.plexus.redback.role.processor.RoleModelProcessor</role>
+ <role-hint>default</role-hint>
+ <implementation>org.codehaus.plexus.redback.role.processor.DefaultRoleModelProcessor</implementation>
+ <description>DefaultRoleModelProcessor: inserts the components of the model that can be populated into the rbac manager</description>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>rbacManager</field-name>
+ </requirement>
+ </requirements>
+ </component>
+
+ <component>
+ <role>org.codehaus.plexus.redback.role.template.RoleTemplateProcessor</role>
+ <role-hint>default</role-hint>
+ <implementation>org.codehaus.plexus.redback.role.template.DefaultRoleTemplateProcessor</implementation>
+ <description>DefaultRoleTemplateProcessor: inserts the components of a template into the rbac manager</description>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
+ <role-hint>memory</role-hint>
+ <field-name>rbacManager</field-name>
+ </requirement>
+ </requirements>
+ </component>
+
+ <component>
+ <role>org.apache.maven.archiva.configuration.ArchivaConfiguration</role>
+ <implementation>org.apache.maven.archiva.configuration.DefaultArchivaConfiguration</implementation>
+ <requirements>
+ <requirement>
+ <role>org.codehaus.plexus.registry.Registry</role>
+ <role-hint>configured</role-hint>
+ </requirement>
+ </requirements>
+ </component>
+ <component>
+ <role>org.codehaus.plexus.registry.Registry</role>
+ <role-hint>configured</role-hint>
+ <implementation>org.codehaus.plexus.registry.commons.CommonsConfigurationRegistry</implementation>
+ <configuration>
+ <properties>
+ <system/>
+ <xml fileName="${basedir}/target/test-conf/archiva.xml"
+ config-name="org.apache.maven.archiva.base" config-at="org.apache.maven.archiva"/>
+ </properties>
+ </configuration>
+ </component>
+
+ </components>
+</component-set>
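Review bot: The `Registry` component at L745–L756 reads `${basedir}/target/test-conf/archiva.xml`, a file that exists only because `AbstractSecurityTest.setUp` copies it there from `src/test/resources/repository-archiva.xml`; nothing in this descriptor records that dependency. An XML comment above the `<xml fileName=...>` element, e.g. `<!-- copied from src/test/resources/repository-archiva.xml by AbstractSecurityTest.setUp() -->`, would save the next person a failed lookup when the copy step is refactored. The `<description>` values ending in a colon (L608, L640, L682) look like leftovers from a template and could be trimmed.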
{
checkLocatorIsInstanceOfRepositoryLocator( locator );
ArchivaDavResourceLocator archivaLocator = (ArchivaDavResourceLocator) locator;
-
+
RepositoryGroupConfiguration repoGroupConfig =
archivaConfiguration.getConfiguration().getRepositoryGroupsAsMap().get( archivaLocator.getRepositoryId() );
List<String> repositories = new ArrayList<String>();
boolean isGet = WebdavMethodUtil.isReadMethod( request.getMethod() );
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
-
+
if ( repoGroupConfig != null )
{
if( WebdavMethodUtil.isWriteMethod( request.getMethod() ) )
try
{
- managedRepository = getManagedRepository( repositoryId );
+ managedRepository = getManagedRepository( repositoryId );
}
catch ( DavException de )
{
DavResource resource = null;
if ( !locator.getResourcePath().startsWith( ArchivaDavResource.HIDDEN_PATH_PREFIX ) )
- {
+ {
if ( managedRepository != null )
{
try
{
if( isAuthorized( request, repositoryId ) )
- {
+ {
LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
if ( isPut )
{
- resource = doPut( managedRepository, request, archivaLocator, logicalResource );
+ resource = doPut( managedRepository, request, archivaLocator, logicalResource );
}
}
}
catch ( DavException de )
- {
+ {
e = de;
continue;
}
e = new DavException( HttpServletResponse.SC_NOT_FOUND, "Resource does not exist" );
}
else
- {
+ {
availableResources.add( resource );
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
- resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource );
+ resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource );
}
}
else
File rootDirectory = new File( managedRepository.getRepoRoot() );
File destDir = new File( rootDirectory, logicalResource.getPath() ).getParentFile();
+
if ( request.getMethod().equals(HTTP_PUT_METHOD) && !destDir.exists() )
{
destDir.mkdirs();
String relPath = PathUtil.getRelative( rootDirectory.getAbsolutePath(), destDir );
triggerAuditEvent( request.getRemoteAddr(), logicalResource.getPath(), relPath, AuditEvent.CREATE_DIR );
}
-
- File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
-
+
+ File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
+
return new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(),
request.getDavSession(), locator, this, mimeTypes, auditListeners, consumers, archivaXworkUser );
protected boolean isAuthorized( DavServletRequest request, String repositoryId )
throws DavException
- {
+ {
try
- {
+ {
AuthenticationResult result = httpAuth.getAuthenticationResult( request, null );
SecuritySession securitySession = httpAuth.getSecuritySession();
WebdavMethodUtil.isWriteMethod( request.getMethod() ) );
}
catch ( AuthenticationException e )
- {
+ {
+ boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
+
// safety check for MRM-911
String guest = archivaXworkUser.getGuest();
try
{
if( servletAuth.isAuthorized( guest,
- ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId() ) )
+ ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) )
{
return true;
}
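Review bot: The write-method classification is now computed from `request.getMethod()` in three places in this file (L852, L866, L882) and once more in the session provider at L917, in addition to the `isPut` already derived at L769, so the read/write decision that gates the new permission check is easy to drift between call sites. A single private helper, e.g. `private boolean isWriteRequest( DavServletRequest request ) { return WebdavMethodUtil.isWriteMethod( request.getMethod() ); }`, used at each of those sites would keep the guest fallback and the per-repository loops in step. The fallback at L858–L860 applies to every `AuthenticationException`, including rejected credentials, so the `// safety check for MRM-911` comment would be clearer as `// MRM-911: a failed or absent authentication is re-evaluated as the guest principal, with the same read/write distinction`. The enclosing methods for the L866 and L882 hunks start outside those hunks.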
if( allow )
{
+ boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
+
for( String repository : repositories )
{
// for prompted authentication
// for the current user logged in
try
{
- if( servletAuth.isAuthorized( activePrincipal, repository ) )
+ if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) )
{
getResource( locator, mergedRepositoryContents, logicalResource, repository );
}
}
else
{
+ boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
for( String repository : repositories )
{
try
- {
- if( servletAuth.isAuthorized( activePrincipal, repository ) )
+ {
+ if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) )
{
allow = true;
break;
return true;
}
}
+
+ public void setServletAuth( ServletAuthenticator servletAuth )
+ {
+ this.servletAuth = servletAuth;
+ }
+
+ public void setHttpAuth( HttpAuthenticator httpAuth )
+ {
+ this.httpAuth = httpAuth;
+ }
}
import org.apache.jackrabbit.webdav.DavException;
import org.apache.jackrabbit.webdav.DavServletRequest;
import org.apache.maven.archiva.webdav.util.RepositoryPathUtil;
+import org.apache.maven.archiva.webdav.util.WebdavMethodUtil;
import org.apache.maven.archiva.security.ArchivaXworkUser;
import org.apache.maven.archiva.security.ServletAuthenticator;
import org.codehaus.plexus.redback.authentication.AuthenticationException;
}
catch ( AuthenticationException e )
{
+ boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
+
// safety check for MRM-911
String guest = archivaXworkUser.getGuest();
try
{
if( servletAuth.isAuthorized( guest,
- ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId() ) )
+ ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) )
{
request.setDavSession(new ArchivaDavSession());
return true;
return true;
}
- public boolean isAuthorized(String arg0, String arg1)
+ public boolean isAuthorized(String arg0, String arg1, boolean isWriteRequest)
throws UnauthorizedException
{
return true;
package org.apache.maven.archiva.webdav;
-/**
- * RepositoryServletSecurityTest
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
*
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+
+import javax.servlet.http.HttpServletResponse;
+
+import net.sf.ehcache.CacheManager;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.jackrabbit.webdav.DavResourceFactory;
+import org.apache.jackrabbit.webdav.DavSessionProvider;
+import org.apache.maven.archiva.configuration.ArchivaConfiguration;
+import org.apache.maven.archiva.configuration.Configuration;
+import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
+import org.apache.maven.archiva.security.ArchivaXworkUser;
+import org.apache.maven.archiva.security.ServletAuthenticator;
+import org.codehaus.plexus.redback.authentication.AuthenticationException;
+import org.codehaus.plexus.redback.authentication.AuthenticationResult;
+import org.codehaus.plexus.redback.authorization.UnauthorizedException;
+import org.codehaus.plexus.redback.system.DefaultSecuritySession;
+import org.codehaus.plexus.redback.system.SecuritySession;
+import org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator;
+import org.codehaus.plexus.redback.xwork.filter.authentication.basic.HttpBasicAuthentication;
+import org.codehaus.plexus.spring.PlexusInSpringTestCase;
+import org.easymock.MockControl;
+import org.easymock.classextension.MockClassControl;
+import org.easymock.internal.AlwaysMatcher;
+
+import com.meterware.httpunit.GetMethodWebRequest;
+import com.meterware.httpunit.HttpUnitOptions;
+import com.meterware.httpunit.PutMethodWebRequest;
+import com.meterware.httpunit.WebRequest;
+import com.meterware.httpunit.WebResponse;
+import com.meterware.servletunit.InvocationContext;
+import com.meterware.servletunit.ServletRunner;
+import com.meterware.servletunit.ServletUnitClient;
+
+/**
+ * RepositoryServletSecurityTest
+ *
+ * Test the flow of the authentication and authorization checks. This does not necessarily
+ * perform redback security checking.
+ *
* @author <a href="mailto:joakime@apache.org">Joakim Erdfelt</a>
* @version $Id$
*/
public class RepositoryServletSecurityTest
- extends AbstractRepositoryServletTestCase
+ extends PlexusInSpringTestCase
{
- public void testSecuredGet()
+ protected static final String REPOID_INTERNAL = "internal";
+
+ protected ServletUnitClient sc;
+
+ protected File repoRootInternal;
+
+ private ServletRunner sr;
+
+ protected ArchivaConfiguration archivaConfiguration;
+
+ private DavSessionProvider davSessionProvider;
+
+ private MockControl servletAuthControl;
+
+ private ServletAuthenticator servletAuth;
+
+ private MockClassControl httpAuthControl;
+
+ private HttpAuthenticator httpAuth;
+
+ private ArchivaXworkUser archivaXworkUser;
+
+ private RepositoryServlet servlet;
+
+ public void setUp()
+ throws Exception
+ {
+ super.setUp();
+
+ String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath();
+ System.setProperty( "appserver.base", appserverBase );
+
+ File testConf = getTestFile( "src/test/resources/repository-archiva.xml" );
+ File testConfDest = new File( appserverBase, "conf/archiva.xml" );
+ FileUtils.copyFile( testConf, testConfDest );
+
+ archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
+ repoRootInternal = new File( appserverBase, "data/repositories/internal" );
+ Configuration config = archivaConfiguration.getConfiguration();
+
+ config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
+ saveConfiguration( archivaConfiguration );
+
+ CacheManager.getInstance().removeCache( "url-failures-cache" );
+
+ HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
+
+ sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
+ sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
+ sc = sr.newClient();
+
+ servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
+ servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
+ servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
+
+ httpAuthControl =
+ MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
+ httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
+ httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
+
+ archivaXworkUser = new ArchivaXworkUser();
+ archivaXworkUser.setGuest( "guest" );
+
+ davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth, archivaXworkUser );
+ }
+
+ protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
{
+ ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
+ repo.setId( id );
+ repo.setName( name );
+ repo.setLocation( location.getAbsolutePath() );
+ return repo;
+ }
+
+ protected void saveConfiguration()
+ throws Exception
+ {
+ saveConfiguration( archivaConfiguration );
+ }
+
+ protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
+ throws Exception
+ {
+ archivaConfiguration.save( archivaConfiguration.getConfiguration() );
+ }
+
+ protected void setupCleanRepo( File repoRootDir )
+ throws IOException
+ {
+ FileUtils.deleteDirectory( repoRootDir );
+ if ( !repoRootDir.exists() )
+ {
+ repoRootDir.mkdirs();
+ }
+ }
+
+ @Override
+ protected String getPlexusConfigLocation()
+ {
+ return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml";
+ }
+
+ @Override
+ protected void tearDown()
+ throws Exception
+ {
+ if ( sc != null )
+ {
+ sc.clearContents();
+ }
+
+ if ( sr != null )
+ {
+ sr.shutDown();
+ }
+
+ if ( repoRootInternal.exists() )
+ {
+ FileUtils.deleteDirectory(repoRootInternal);
+ }
+
+ servlet = null;
+ super.tearDown();
}
-
- public void testSecuredBrowse()
+
+ // test deploy with invalid user, and guest has no write access to repo
+ // 401 must be returned
+ public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
+ throws Exception
{
+ setupCleanRepo( repoRootInternal );
+
+ String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
+ InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
+ assertNotNull( "artifact.jar inputstream", is );
+
+ WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
+ InvocationContext ic = sc.newInvocation( request );
+ servlet = (RepositoryServlet) ic.getServlet();
+ servlet.setDavSessionProvider( davSessionProvider );
+
+ AuthenticationResult result = new AuthenticationResult();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
+ new AuthenticationException( "Authentication error" ) );
+
+ servletAuth.isAuthorized( "guest", "internal", true );
+ servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
+ servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
+
+ httpAuthControl.replay();
+ servletAuthControl.replay();
+
+ servlet.service( ic.getRequest(), ic.getResponse() );
+
+ httpAuthControl.verify();
+ servletAuthControl.verify();
+
+ //assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
+ }
+
+ // test deploy with invalid user, but guest has write access to repo
+ public void testPutWithInvalidUserAndGuestHasWriteAccess()
+ throws Exception
+ {
+ setupCleanRepo( repoRootInternal );
+
+ String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
+ InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
+ assertNotNull( "artifact.jar inputstream", is );
+
+ WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
+
+ InvocationContext ic = sc.newInvocation( request );
+ servlet = (RepositoryServlet) ic.getServlet();
+ servlet.setDavSessionProvider( davSessionProvider );
+
+ ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
+ archivaDavResourceFactory.setHttpAuth( httpAuth );
+ archivaDavResourceFactory.setServletAuth( servletAuth );
+
+ servlet.setResourceFactory( archivaDavResourceFactory );
+
+ AuthenticationResult result = new AuthenticationResult();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
+ new AuthenticationException( "Authentication error" ) );
+
+ servletAuth.isAuthorized( "guest", "internal", true );
+ servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
+ servletAuthControl.setReturnValue( true );
+
+ // ArchivaDavResourceFactory#isAuthorized()
+ SecuritySession session = new DefaultSecuritySession();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
+ servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
+ new AuthenticationException( "Authentication error" ) );
+
+ // check if guest has write access
+ servletAuth.isAuthorized( "guest", "internal", true );
+ servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
+ servletAuthControl.setReturnValue( true );
+
+ httpAuthControl.replay();
+ servletAuthControl.replay();
+
+ servlet.service( ic.getRequest(), ic.getResponse() );
+
+ httpAuthControl.verify();
+ servletAuthControl.verify();
+
+ // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
+ }
+
+ // test deploy with a valid user with no write access
+ public void testPutWithValidUserWithNoWriteAccess()
+ throws Exception
+ {
+ setupCleanRepo( repoRootInternal );
+
+ String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
+ InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
+ assertNotNull( "artifact.jar inputstream", is );
+
+ WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
+
+ InvocationContext ic = sc.newInvocation( request );
+ servlet = (RepositoryServlet) ic.getServlet();
+ servlet.setDavSessionProvider( davSessionProvider );
+
+ ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
+ archivaDavResourceFactory.setHttpAuth( httpAuth );
+ archivaDavResourceFactory.setServletAuth( servletAuth );
+ servlet.setResourceFactory( archivaDavResourceFactory );
+
+ AuthenticationResult result = new AuthenticationResult();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
+
+ // ArchivaDavResourceFactory#isAuthorized()
+ SecuritySession session = new DefaultSecuritySession();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
+ servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ),
+ new UnauthorizedException( "User not authorized" ) );
+
+ httpAuthControl.replay();
+ servletAuthControl.replay();
+
+ servlet.service( ic.getRequest(), ic.getResponse() );
+
+ httpAuthControl.verify();
+ servletAuthControl.verify();
+
+ // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
+ }
+
+ // test deploy with a valid user with write access
+ public void testPutWithValidUserWithWriteAccess()
+ throws Exception
+ {
+ setupCleanRepo( repoRootInternal );
+ assertTrue( repoRootInternal.exists() );
+
+ String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
+ InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
+ assertNotNull( "artifact.jar inputstream", is );
+
+ WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
+
+ InvocationContext ic = sc.newInvocation( request );
+ servlet = (RepositoryServlet) ic.getServlet();
+ servlet.setDavSessionProvider( davSessionProvider );
+
+ ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
+ archivaDavResourceFactory.setHttpAuth( httpAuth );
+ archivaDavResourceFactory.setServletAuth( servletAuth );
+
+ servlet.setResourceFactory( archivaDavResourceFactory );
+
+ AuthenticationResult result = new AuthenticationResult();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
+
+ // ArchivaDavResourceFactory#isAuthorized()
+ SecuritySession session = new DefaultSecuritySession();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
+
+ httpAuthControl.replay();
+ servletAuthControl.replay();
+
+ servlet.service( ic.getRequest(), ic.getResponse() );
+
+ httpAuthControl.verify();
+ servletAuthControl.verify();
+
+ // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
+ }
+
+ // test get with invalid user, and guest has read access to repo
+ public void testGetWithInvalidUserAndGuestHasReadAccess()
+ throws Exception
+ {
+ String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
+ String expectedArtifactContents = "dummy-commons-lang-artifact";
+
+ File artifactFile = new File( repoRootInternal, commonsLangJar );
+ artifactFile.getParentFile().mkdirs();
+
+ FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
+
+ WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
+ InvocationContext ic = sc.newInvocation( request );
+ servlet = (RepositoryServlet) ic.getServlet();
+ servlet.setDavSessionProvider( davSessionProvider );
+
+ ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
+ archivaDavResourceFactory.setHttpAuth( httpAuth );
+ archivaDavResourceFactory.setServletAuth( servletAuth );
+
+ servlet.setResourceFactory( archivaDavResourceFactory );
+
+ AuthenticationResult result = new AuthenticationResult();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
+ new AuthenticationException( "Authentication error" ) );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), true );
+
+ // ArchivaDavResourceFactory#isAuthorized()
+ SecuritySession session = new DefaultSecuritySession();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
+
+ httpAuthControl.replay();
+ servletAuthControl.replay();
+
+ WebResponse response = sc.getResponse( request );
+
+ httpAuthControl.verify();
+ servletAuthControl.verify();
+
+ assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
+ assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
+ }
+
+ // test get with invalid user, and guest has no read access to repo
+ public void testGetWithInvalidUserAndGuestHasNoReadAccess()
+ throws Exception
+ {
+ String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
+ String expectedArtifactContents = "dummy-commons-lang-artifact";
+
+ File artifactFile = new File( repoRootInternal, commonsLangJar );
+ artifactFile.getParentFile().mkdirs();
+
+ FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
+
+ WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
+ InvocationContext ic = sc.newInvocation( request );
+ servlet = (RepositoryServlet) ic.getServlet();
+ servlet.setDavSessionProvider( davSessionProvider );
+
+ AuthenticationResult result = new AuthenticationResult();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
+ new AuthenticationException( "Authentication error" ) );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), false );
+
+ httpAuthControl.replay();
+ servletAuthControl.replay();
+
+ WebResponse response = sc.getResponse( request );
+
+ httpAuthControl.verify();
+ servletAuthControl.verify();
+
+ assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
+ }
+
+ // test get with valid user with read access to repo
+ public void testGetWithAValidUserWithReadAccess()
+ throws Exception
+ {
+ String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
+ String expectedArtifactContents = "dummy-commons-lang-artifact";
+
+ File artifactFile = new File( repoRootInternal, commonsLangJar );
+ artifactFile.getParentFile().mkdirs();
+
+ FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
+
+ WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
+ InvocationContext ic = sc.newInvocation( request );
+ servlet = (RepositoryServlet) ic.getServlet();
+ servlet.setDavSessionProvider( davSessionProvider );
+
+ ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
+ archivaDavResourceFactory.setHttpAuth( httpAuth );
+ archivaDavResourceFactory.setServletAuth( servletAuth );
+
+ servlet.setResourceFactory( archivaDavResourceFactory );
+
+ AuthenticationResult result = new AuthenticationResult();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
+
+ // ArchivaDavResourceFactory#isAuthorized()
+ SecuritySession session = new DefaultSecuritySession();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
+
+ httpAuthControl.replay();
+ servletAuthControl.replay();
+
+ WebResponse response = sc.getResponse( request );
+
+ httpAuthControl.verify();
+ servletAuthControl.verify();
+
+ assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
+ assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
+ }
+
+ // test get with valid user with no read access to repo
+ public void testGetWithAValidUserWithNoReadAccess()
+ throws Exception
+ {
+ String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
+ String expectedArtifactContents = "dummy-commons-lang-artifact";
+
+ File artifactFile = new File( repoRootInternal, commonsLangJar );
+ artifactFile.getParentFile().mkdirs();
+
+ FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
+
+ WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
+ InvocationContext ic = sc.newInvocation( request );
+ servlet = (RepositoryServlet) ic.getServlet();
+ servlet.setDavSessionProvider( davSessionProvider );
+
+ ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
+ archivaDavResourceFactory.setHttpAuth( httpAuth );
+ archivaDavResourceFactory.setServletAuth( servletAuth );
+
+ servlet.setResourceFactory( archivaDavResourceFactory );
+
+ AuthenticationResult result = new AuthenticationResult();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
+
+ // ArchivaDavResourceFactory#isAuthorized()
+ SecuritySession session = new DefaultSecuritySession();
+ httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
+ httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
+ servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
+ servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ),
+ new UnauthorizedException( "User not authorized to read repository." ) );
+
+ httpAuthControl.replay();
+ servletAuthControl.replay();
+
+ WebResponse response = sc.getResponse( request );
+
+ httpAuthControl.verify();
+ servletAuthControl.verify();
+ assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
}
}
--- /dev/null
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+
+<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
+
+ <display-name>Apache Archiva</display-name>
+
+ <listener>
+ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+ </listener>
+
+ <context-param>
+ <param-name>contextClass</param-name>
+ <param-value>org.codehaus.plexus.spring.PlexusWebApplicationContext</param-value>
+ </context-param>
+
+ <context-param>
+ <param-name>contextConfigLocation</param-name>
+ <param-value>
+ classpath*:/META-INF/plexus/components.xml
+ classpath*:/META-INF/spring-context.xml
+ target/test-classes/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml
+ </param-value>
+ </context-param>
+
+</web-app>
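Review bot: The third contextConfigLocation entry is a bare filesystem path (`target/test-classes/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml`) while the two entries before it are classpath patterns, so this fixture appears to depend on the directory the test runner is launched from rather than on the test classpath. The same file is already reachable on the classpath — the Java test's getPlexusConfigLocation() returns `org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml` — so `classpath:/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml` would load the identical configuration without the working-directory assumption. If the relative form is intentional (for instance to avoid a second copy of the Plexus container config being picked up by the `classpath*:` patterns), a one-line XML comment above the `<param-value>` saying so would save the next reader from "fixing" it.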
<role-hint>default</role-hint>
<implementation>org.apache.maven.archiva.webdav.DefaultDavServerManager</implementation>
<description>DefaultDavServerManager</description>
- <configuration>
- <provider-hint>proxied</provider-hint>
- </configuration>
+ <requirements>
+ <requirement>
+ <role>org.apache.maven.archiva.webdav.DavServerComponent</role>
+ <role-hint>proxied</role-hint>
+ </requirement>
+ </requirements>
</component>
<component>
<component>
<role>org.apache.maven.archiva.repository.scanner.RepositoryContentConsumers</role>
<role-hint>default</role-hint>
- <implementation>org.apache.maven.archiva.web.repository.StubRepositoryContentConsumers</implementation>
+ <implementation>org.apache.maven.archiva.webdav.StubRepositoryContentConsumers</implementation>
</component>
-
- <!-- TODO: shouldn't need so many components just to use in-memory - is flaky since these are auto-generated -->
+
<component>
<role>org.codehaus.plexus.redback.system.SecuritySystem</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.system.DefaultSecuritySystem</implementation>
- <requirements>
- <requirement>
- <role>org.codehaus.plexus.redback.authentication.AuthenticationManager</role>
- <field-name>authnManager</field-name>
- </requirement>
- <requirement>
- <role>org.codehaus.plexus.redback.authorization.Authorizer</role>
- <role-hint>rbac</role-hint>
- <field-name>authorizer</field-name>
- </requirement>
- <requirement>
- <role>org.codehaus.plexus.redback.users.UserManager</role>
- <role-hint>memory</role-hint>
- <field-name>userManager</field-name>
- </requirement>
- <requirement>
- <role>org.codehaus.plexus.redback.keys.KeyManager</role>
- <role-hint>memory</role-hint>
- <field-name>keyManager</field-name>
- </requirement>
- <requirement>
- <role>org.codehaus.plexus.redback.policy.UserSecurityPolicy</role>
- <field-name>policy</field-name>
- </requirement>
- </requirements>
</component>
-
- <component>
- <role>org.codehaus.plexus.redback.authentication.Authenticator</role>
- <role-hint>user-manager</role-hint>
- <implementation>org.codehaus.plexus.redback.authentication.users.UserManagerAuthenticator</implementation>
+
+ <component>
+ <role>org.apache.maven.archiva.webdav.ArchivaDavResourceFactory</role>
+ <implementation>org.apache.maven.archiva.webdav.ArchivaDavResourceFactory</implementation>
<requirements>
<requirement>
- <role>org.codehaus.plexus.redback.users.UserManager</role>
- <role-hint>memory</role-hint>
- <field-name>userManager</field-name>
+ <role>org.apache.maven.archiva.configuration.ArchivaConfiguration</role>
+ <field-name>archivaConfiguration</field-name>
</requirement>
<requirement>
- <role>org.codehaus.plexus.redback.policy.UserSecurityPolicy</role>
- <field-name>securityPolicy</field-name>
- </requirement>
- </requirements>
- </component>
-
- <component>
- <role>org.codehaus.plexus.redback.authentication.Authenticator</role>
- <role-hint>keystore</role-hint>
- <implementation>org.codehaus.plexus.redback.authentication.keystore.KeyStoreAuthenticator</implementation>
- <requirements>
- <requirement>
- <role>org.codehaus.plexus.redback.keys.KeyManager</role>
- <role-hint>memory</role-hint>
- <field-name>keystore</field-name>
- </requirement>
- <requirement>
- <role>org.codehaus.plexus.redback.users.UserManager</role>
- <role-hint>memory</role-hint>
- <field-name>userManager</field-name>
- </requirement>
- </requirements>
- </component>
-
- <component>
- <role>org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator</role>
- <role-hint>default</role-hint>
- <implementation>org.codehaus.plexus.redback.authorization.rbac.evaluator.DefaultPermissionEvaluator
- </implementation>
- <requirements>
- <requirement>
- <role>org.codehaus.plexus.redback.users.UserManager</role>
- <role-hint>memory</role-hint>
- <field-name>userManager</field-name>
- </requirement>
- </requirements>
- </component>
-
- <component>
- <role>org.codehaus.plexus.redback.authorization.Authorizer</role>
- <role-hint>rbac</role-hint>
- <implementation>org.codehaus.plexus.redback.authorization.rbac.RbacAuthorizer</implementation>
- <requirements>
+ <role>org.apache.maven.archiva.repository.RepositoryContentFactory</role>
+ <field-name>repositoryFactory</field-name>
+ </requirement>
<requirement>
- <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
- <role-hint>memory</role-hint>
- <field-name>manager</field-name>
+ <role>org.apache.maven.archiva.repository.content.RepositoryRequest</role>
+ <field-name>repositoryRequest</field-name>
</requirement>
<requirement>
- <role>org.codehaus.plexus.redback.users.UserManager</role>
- <role-hint>memory</role-hint>
- <field-name>userManager</field-name>
+ <role>org.apache.maven.archiva.proxy.RepositoryProxyConnectors</role>
+ <field-name>connectors</field-name>
</requirement>
<requirement>
- <role>org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator</role>
- <role-hint>default</role-hint>
- <field-name>evaluator</field-name>
+ <role>org.apache.maven.archiva.repository.metadata.MetadataTools</role>
+ <field-name>metadataTools</field-name>
</requirement>
- </requirements>
- </component>
-
- <component>
- <role>org.codehaus.plexus.redback.role.RoleManager</role>
- <role-hint>default</role-hint>
- <implementation>org.codehaus.plexus.redback.role.DefaultRoleManager</implementation>
- <instantiation-strategy>singleton</instantiation-strategy>
- <requirements>
<requirement>
- <role>org.codehaus.plexus.redback.role.merger.RoleModelMerger</role>
- <role-hint>default</role-hint>
- <field-name>modelMerger</field-name>
+ <role>org.apache.maven.archiva.security.ServletAuthenticator</role>
+ <field-name>servletAuth</field-name>
</requirement>
<requirement>
- <role>org.codehaus.plexus.redback.role.validator.RoleModelValidator</role>
- <role-hint>default</role-hint>
- <field-name>modelValidator</field-name>
+ <role>org.apache.maven.archiva.webdav.util.MimeTypes</role>
+ <field-name>mimeTypes</field-name>
</requirement>
<requirement>
- <role>org.codehaus.plexus.redback.role.processor.RoleModelProcessor</role>
- <role-hint>default</role-hint>
- <field-name>modelProcessor</field-name>
+ <role>org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator</role>
+ <role-hint>basic</role-hint>
+ <field-name>httpAuth</field-name>
</requirement>
<requirement>
- <role>org.codehaus.plexus.redback.role.template.RoleTemplateProcessor</role>
+ <role>org.apache.maven.archiva.repository.scanner.RepositoryContentConsumers</role>
<role-hint>default</role-hint>
- <field-name>templateProcessor</field-name>
</requirement>
<requirement>
- <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
- <role-hint>memory</role-hint>
- <field-name>rbacManager</field-name>
+ <role>org.codehaus.plexus.digest.ChecksumFile</role>
+ <field-name>checksum</field-name>
</requirement>
<requirement>
- <role>org.codehaus.plexus.PlexusContainer</role>
- <field-name>container</field-name>
+ <role>org.codehaus.plexus.digest.Digester</role>
+ <role-hint>sha1</role-hint>
+ <field-name>digestSha1</field-name>
</requirement>
- </requirements>
- </component>
-
- <component>
- <role>org.codehaus.plexus.redback.role.processor.RoleModelProcessor</role>
- <role-hint>default</role-hint>
- <implementation>org.codehaus.plexus.redback.role.processor.DefaultRoleModelProcessor</implementation>
- <requirements>
<requirement>
- <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
- <role-hint>memory</role-hint>
- <field-name>rbacManager</field-name>
+ <role>org.codehaus.plexus.digest.Digester</role>
+ <role-hint>md5</role-hint>
+ <field-name>digestMd5</field-name>
</requirement>
- </requirements>
- </component>
-
- <component>
- <role>org.codehaus.plexus.redback.role.template.RoleTemplateProcessor</role>
- <role-hint>default</role-hint>
- <implementation>org.codehaus.plexus.redback.role.template.DefaultRoleTemplateProcessor</implementation>
- <requirements>
<requirement>
- <role>org.codehaus.plexus.redback.rbac.RBACManager</role>
- <role-hint>memory</role-hint>
- <field-name>rbacManager</field-name>
- </requirement>
+ <role>org.apache.maven.archiva.security.ArchivaXworkUser</role>
+ <field-name>archivaXworkUser</field-name>
+ </requirement>
</requirements>
</component>
</components>
<version>1.2_Java1.3</version>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>easymock</groupId>
+ <artifactId>easymockclassextension</artifactId>
+ <version>1.2</version>
+ <scope>test</scope>
+ </dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl104-over-slf4j</artifactId>