From d1220afe4cf7079a82981727313d014f4981343d Mon Sep 17 00:00:00 2001 From: "Maria Odea B. Ching" Date: Mon, 6 Oct 2008 06:22:49 +0000 Subject: [PATCH] added test cases for ArchivaServletAuthenticator git-svn-id: https://svn.apache.org/repos/asf/archiva/branches@701955 13f79535-47bb-0310-9956-ffa450edef68 --- .../security/ServletAuthenticator.java | 34 +++ .../security/AbstractSecurityTest.java | 126 +++++++++++ .../ArchivaServletAuthenticatorTest.java | 188 +++++++++++++++- .../security/DefaultUserRepositoriesTest.java | 105 +-------- .../ArchivaServletAuthenticatorTest.xml | 202 ++++++++++++++++++ 5 files changed, 551 insertions(+), 104 deletions(-) create mode 100644 archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/AbstractSecurityTest.java create mode 100644 archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/resources/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml diff --git a/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java index 407d7d0ee..adc6ad1ab 100644 --- a/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java +++ b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java @@ -35,12 +35,46 @@ import org.codehaus.plexus.redback.system.SecuritySession; */ public interface ServletAuthenticator { + /** + * Authentication check for users. + * + * @param request + * @param result + * @return + * @throws AuthenticationException + * @throws AccountLockedException + * @throws MustChangePasswordException + */ public boolean isAuthenticated( HttpServletRequest request, AuthenticationResult result ) throws AuthenticationException, AccountLockedException, MustChangePasswordException; + /** + * Authorization check for valid users. + * + * @param request + * @param securitySession + * @param repositoryId + * @param isWriteRequest + * @return + * @throws AuthorizationException + * @throws UnauthorizedException + */ public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId, boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException; + /** + * Authorization check specific for user guest, which doesn't go through + * HttpBasicAuthentication#getAuthenticationResult( HttpServletRequest request, HttpServletResponse response ) + * since no credentials are attached to the request. + * + * See also MRM-911 + * + * @param principal + * @param repoId + * @param isWriteRequest + * @return + * @throws UnauthorizedException + */ public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) throws UnauthorizedException; } diff --git a/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/AbstractSecurityTest.java b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/AbstractSecurityTest.java new file mode 100644 index 000000000..399c87eed --- /dev/null +++ b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/AbstractSecurityTest.java @@ -0,0 +1,126 @@ +package org.apache.maven.archiva.security; + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +import java.io.File; + +import org.apache.commons.io.FileUtils; +import org.apache.maven.archiva.configuration.ArchivaConfiguration; +import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; +import org.codehaus.plexus.redback.rbac.RBACManager; +import org.codehaus.plexus.redback.role.RoleManager; +import org.codehaus.plexus.redback.system.SecuritySystem; +import org.codehaus.plexus.redback.users.User; +import org.codehaus.plexus.redback.users.UserManager; +import org.codehaus.plexus.spring.PlexusInSpringTestCase; + +/** + * AbstractSecurityTest + * + * @author Maria Odea Ching + * @version $Id: AbstractSecurityTest + */ +public abstract class AbstractSecurityTest + extends PlexusInSpringTestCase +{ + protected static final String USER_GUEST = "guest"; + + protected static final String USER_ADMIN = "admin"; + + protected static final String USER_ALPACA = "alpaca"; + + protected SecuritySystem securitySystem; + + private RBACManager rbacManager; + + protected RoleManager roleManager; + + private ArchivaConfiguration archivaConfiguration; + + protected UserRepositories userRepos; + + protected void setupRepository( String repoId ) + throws Exception + { + // Add repo to configuration. + ManagedRepositoryConfiguration repoConfig = new ManagedRepositoryConfiguration(); + repoConfig.setId( repoId ); + repoConfig.setName( "Testable repo <" + repoId + ">" ); + repoConfig.setLocation( getTestPath( "target/test-repo/" + repoId ) ); + archivaConfiguration.getConfiguration().addManagedRepository( repoConfig ); + + // Add repo roles to security. + userRepos.createMissingRepositoryRoles( repoId ); + } + + protected void assignRepositoryObserverRole( String principal, String repoId ) + throws Exception + { + roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId, principal ); + } + + protected User createUser( String principal, String fullname ) + { + UserManager userManager = securitySystem.getUserManager(); + + User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" ); + securitySystem.getPolicy().setEnabled( false ); + userManager.addUser( user ); + securitySystem.getPolicy().setEnabled( true ); + + return user; + } + + @Override + public void setUp() + throws Exception + { + super.setUp(); + + File srcConfig = getTestFile( "src/test/resources/repository-archiva.xml" ); + File destConfig = getTestFile( "target/test-conf/archiva.xml" ); + + destConfig.getParentFile().mkdirs(); + destConfig.delete(); + + FileUtils.copyFile( srcConfig, destConfig ); + + securitySystem = (SecuritySystem) lookup( SecuritySystem.class, "testable" ); + rbacManager = (RBACManager) lookup( RBACManager.class, "memory" ); + roleManager = (RoleManager) lookup( RoleManager.class, "default" ); + userRepos = (UserRepositories) lookup( UserRepositories.class, "default" ); + archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class ); + + // Some basic asserts. + assertNotNull( securitySystem ); + assertNotNull( rbacManager ); + assertNotNull( roleManager ); + assertNotNull( userRepos ); + assertNotNull( archivaConfiguration ); + + // Setup Admin User. + User adminUser = createUser( USER_ADMIN, "Admin User" ); + roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_SYSTEM_ADMIN, adminUser.getPrincipal().toString() ); + + // Setup Guest User. + User guestUser = createUser( USER_GUEST, "Guest User" ); + roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GUEST, guestUser.getPrincipal().toString() ); + } +} diff --git a/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java index f0ec649d1..0eeaedc72 100644 --- a/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java +++ b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java @@ -19,7 +19,17 @@ package org.apache.maven.archiva.security; * under the License. */ -import org.codehaus.plexus.spring.PlexusInSpringTestCase; +import javax.servlet.http.HttpServletRequest; + +import org.codehaus.plexus.redback.authentication.AuthenticationException; +import org.codehaus.plexus.redback.authentication.AuthenticationResult; +import org.codehaus.plexus.redback.authorization.UnauthorizedException; +import org.codehaus.plexus.redback.system.DefaultSecuritySession; +import org.codehaus.plexus.redback.system.SecuritySession; +import org.codehaus.plexus.redback.users.User; +import org.codehaus.plexus.redback.users.UserManager; + +import org.easymock.MockControl; /** * ArchivaServletAuthenticatorTest @@ -28,23 +38,187 @@ import org.codehaus.plexus.spring.PlexusInSpringTestCase; * @version */ public class ArchivaServletAuthenticatorTest - extends PlexusInSpringTestCase -{ + extends AbstractSecurityTest +{ + private ServletAuthenticator servletAuth; + + private MockControl httpServletRequestControl; + + private HttpServletRequest request; + + @Override public void setUp() throws Exception { super.setUp(); + + servletAuth = ( ServletAuthenticator ) lookup( ServletAuthenticator.class, "default" ); + + httpServletRequestControl = MockControl.createControl( HttpServletRequest.class ); + request = ( HttpServletRequest ) httpServletRequestControl.getMock(); + + setupRepository( "corporate" ); + } + + @Override + protected String getPlexusConfigLocation() + { + return "org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml"; + } + + protected void assignRepositoryManagerRole( String principal, String repoId ) + throws Exception + { + roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal ); } - public void testIsAuthenticated() + public void testIsAuthenticatedUserExists() throws Exception { - //TODO + AuthenticationResult result = new AuthenticationResult( true, "user", null ); + boolean isAuthenticated = servletAuth.isAuthenticated( request, result ); + + assertTrue( isAuthenticated ); } - public void testIsAuthorized() + public void testIsAuthenticatedUserDoesNotExist() throws Exception { - //TODO + AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null ); + try + { + servletAuth.isAuthenticated( request, result ); + fail( "Authentication exception should have been thrown." ); + } + catch ( AuthenticationException e ) + { + assertEquals( "User Credentials Invalid", e.getMessage() ); + } + } + + public void testIsAuthorizedUserHasWriteAccess() + throws Exception + { + createUser( USER_ALPACA, "Al 'Archiva' Paca" ); + + assignRepositoryManagerRole( USER_ALPACA, "corporate" ); + + UserManager userManager = securitySystem.getUserManager(); + User user = userManager.findUser( USER_ALPACA ); + + AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null ); + + SecuritySession session = new DefaultSecuritySession( result, user ); + boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", true ); + + assertTrue( isAuthorized ); + } + + public void testIsAuthorizedUserHasNoWriteAccess() + throws Exception + { + createUser( USER_ALPACA, "Al 'Archiva' Paca" ); + + assignRepositoryObserverRole( USER_ALPACA, "corporate" ); + + httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" ); + + UserManager userManager = securitySystem.getUserManager(); + User user = userManager.findUser( USER_ALPACA ); + + AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null ); + + SecuritySession session = new DefaultSecuritySession( result, user ); + + httpServletRequestControl.replay(); + + try + { + servletAuth.isAuthorized( request, session, "corporate", true ); + fail( "UnauthorizedException should have been thrown." ); + } + catch ( UnauthorizedException e ) + { + assertEquals( "Access denied for repository corporate", e.getMessage() ); + } + + httpServletRequestControl.verify(); + } + + + public void testIsAuthorizedUserHasReadAccess() + throws Exception + { + createUser( USER_ALPACA, "Al 'Archiva' Paca" ); + + assignRepositoryObserverRole( USER_ALPACA, "corporate" ); + + UserManager userManager = securitySystem.getUserManager(); + User user = userManager.findUser( USER_ALPACA ); + + AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null ); + + SecuritySession session = new DefaultSecuritySession( result, user ); + boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", false ); + + assertTrue( isAuthorized ); + } + + public void testIsAuthorizedUserHasNoReadAccess() + throws Exception + { + createUser( USER_ALPACA, "Al 'Archiva' Paca" ); + + UserManager userManager = securitySystem.getUserManager(); + User user = userManager.findUser( USER_ALPACA ); + + AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null ); + + SecuritySession session = new DefaultSecuritySession( result, user ); + try + { + servletAuth.isAuthorized( request, session, "corporate", false ); + fail( "UnauthorizedException should have been thrown." ); + } + catch ( UnauthorizedException e ) + { + assertEquals( "Access denied for repository corporate", e.getMessage() ); + } + } + + public void testIsAuthorizedGustUserHasWriteAccess() + throws Exception + { + assignRepositoryManagerRole( USER_GUEST, "corporate" ); + boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true ); + + assertTrue( isAuthorized ); + } + + public void testIsAuthorizedGustUserHasNoWriteAccess() + throws Exception + { + assignRepositoryObserverRole( USER_GUEST, "corporate" ); + + boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true ); + assertFalse( isAuthorized ); + } + + public void testIsAuthorizedGustUserHasReadAccess() + throws Exception + { + assignRepositoryObserverRole( USER_GUEST, "corporate" ); + + boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false ); + + assertTrue( isAuthorized ); + } + + public void testIsAuthorizedGustUserHasNoReadAccess() + throws Exception + { + boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false ); + + assertFalse( isAuthorized ); } } diff --git a/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java index ceb0a357c..a9f8c1897 100644 --- a/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java +++ b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java @@ -19,19 +19,9 @@ package org.apache.maven.archiva.security; * under the License. */ -import java.io.File; import java.util.List; -import org.apache.commons.io.FileUtils; import org.apache.commons.lang.StringUtils; -import org.apache.maven.archiva.configuration.ArchivaConfiguration; -import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; -import org.codehaus.plexus.spring.PlexusInSpringTestCase; -import org.codehaus.plexus.redback.rbac.RBACManager; -import org.codehaus.plexus.redback.role.RoleManager; -import org.codehaus.plexus.redback.system.SecuritySystem; -import org.codehaus.plexus.redback.users.User; -import org.codehaus.plexus.redback.users.UserManager; /** * DefaultUserRepositoriesTest @@ -40,24 +30,14 @@ import org.codehaus.plexus.redback.users.UserManager; * @version $Id$ */ public class DefaultUserRepositoriesTest - extends PlexusInSpringTestCase -{ - private static final String USER_GUEST = "guest"; - - private static final String USER_ADMIN = "admin"; - - private static final String USER_ALPACA = "alpaca"; - - private SecuritySystem securitySystem; - - private RBACManager rbacManager; - - private RoleManager roleManager; - - private ArchivaConfiguration archivaConfiguration; - - private UserRepositories userRepos; - + extends AbstractSecurityTest +{ + @Override + protected String getPlexusConfigLocation() + { + return "org/apache/maven/archiva/security/DefaultUserRepositoriesTest.xml"; + } + public void testGetObservableRepositoryIds() throws Exception { @@ -98,78 +78,9 @@ public class DefaultUserRepositoriesTest } } - private void setupRepository( String repoId ) - throws Exception - { - // Add repo to configuration. - ManagedRepositoryConfiguration repoConfig = new ManagedRepositoryConfiguration(); - repoConfig.setId( repoId ); - repoConfig.setName( "Testable repo <" + repoId + ">" ); - repoConfig.setLocation( getTestPath( "target/test-repo/" + repoId ) ); - archivaConfiguration.getConfiguration().addManagedRepository( repoConfig ); - - // Add repo roles to security. - userRepos.createMissingRepositoryRoles( repoId ); - } - private void assignGlobalRepositoryObserverRole( String principal ) throws Exception { roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GLOBAL_REPOSITORY_OBSERVER, principal ); } - - private void assignRepositoryObserverRole( String principal, String repoId ) - throws Exception - { - roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId, principal ); - } - - private User createUser( String principal, String fullname ) - { - UserManager userManager = securitySystem.getUserManager(); - - User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" ); - securitySystem.getPolicy().setEnabled( false ); - userManager.addUser( user ); - securitySystem.getPolicy().setEnabled( true ); - - return user; - } - - @Override - protected void setUp() - throws Exception - { - super.setUp(); - - File srcConfig = getTestFile( "src/test/resources/repository-archiva.xml" ); - File destConfig = getTestFile( "target/test-conf/archiva.xml" ); - - destConfig.getParentFile().mkdirs(); - destConfig.delete(); - - FileUtils.copyFile( srcConfig, destConfig ); - - securitySystem = (SecuritySystem) lookup( SecuritySystem.class, "testable" ); - rbacManager = (RBACManager) lookup( RBACManager.class, "memory" ); - roleManager = (RoleManager) lookup( RoleManager.class, "default" ); - userRepos = (UserRepositories) lookup( UserRepositories.class, "default" ); - archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class ); - - // Some basic asserts. - assertNotNull( securitySystem ); - assertNotNull( rbacManager ); - assertNotNull( roleManager ); - assertNotNull( userRepos ); - assertNotNull( archivaConfiguration ); - - // Setup Admin User. - User adminUser = createUser( USER_ADMIN, "Admin User" ); - roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_SYSTEM_ADMIN, adminUser.getPrincipal().toString() ); - - // Setup Guest User. - User guestUser = createUser( USER_GUEST, "Guest User" ); - roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GUEST, guestUser.getPrincipal().toString() ); - - } } diff --git a/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/resources/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/resources/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml new file mode 100644 index 000000000..adfb9b2b4 --- /dev/null +++ b/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/test/resources/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml @@ -0,0 +1,202 @@ + + + + + + org.apache.maven.archiva.security.ServletAuthenticator + default + org.apache.maven.archiva.security.ArchivaServletAuthenticator + ArchivaServletAuthenticator + + + org.codehaus.plexus.redback.system.SecuritySystem + testable + securitySystem + + + + + + org.apache.maven.archiva.security.UserRepositories + default + org.apache.maven.archiva.security.DefaultUserRepositories + DefaultUserRepositories + + + org.codehaus.plexus.redback.system.SecuritySystem + testable + securitySystem + + + org.codehaus.plexus.redback.rbac.RBACManager + memory + rbacManager + + + org.codehaus.plexus.redback.role.RoleManager + default + roleManager + + + org.apache.maven.archiva.configuration.ArchivaConfiguration + archivaConfiguration + + + + + + org.codehaus.plexus.redback.system.SecuritySystem + testable + org.codehaus.plexus.redback.system.DefaultSecuritySystem + DefaultSecuritySystem: + + + org.codehaus.plexus.redback.authentication.AuthenticationManager + authnManager + + + org.codehaus.plexus.redback.authorization.Authorizer + rbac + authorizer + + + org.codehaus.plexus.redback.users.UserManager + memory + userManager + + + org.codehaus.plexus.redback.keys.KeyManager + memory + keyManager + + + org.codehaus.plexus.redback.policy.UserSecurityPolicy + policy + + + + + + org.codehaus.plexus.redback.authorization.Authorizer + rbac + org.codehaus.plexus.redback.authorization.rbac.RbacAuthorizer + RbacAuthorizer: + + + org.codehaus.plexus.redback.rbac.RBACManager + memory + manager + + + org.codehaus.plexus.redback.users.UserManager + memory + userManager + + + org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator + default + evaluator + + + org.codehaus.plexus.redback.configuration.UserConfiguration + default + config + + + + + + org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator + default + org.codehaus.plexus.redback.authorization.rbac.evaluator.DefaultPermissionEvaluator + + + org.codehaus.plexus.redback.users.UserManager + memory + userManager + + + + + + org.codehaus.plexus.redback.role.RoleManager + default + org.codehaus.plexus.redback.role.DefaultRoleManager + RoleProfileManager: + + + org.codehaus.plexus.redback.role.validator.RoleModelValidator + default + modelValidator + + + org.codehaus.plexus.redback.role.processor.RoleModelProcessor + default + modelProcessor + + + org.codehaus.plexus.redback.role.template.RoleTemplateProcessor + default + templateProcessor + + + org.codehaus.plexus.redback.rbac.RBACManager + memory + rbacManager + + + + + + org.codehaus.plexus.redback.role.processor.RoleModelProcessor + default + org.codehaus.plexus.redback.role.processor.DefaultRoleModelProcessor + DefaultRoleModelProcessor: inserts the components of the model that can be populated into the rbac manager + + + org.codehaus.plexus.redback.rbac.RBACManager + memory + rbacManager + + + + + + org.codehaus.plexus.redback.role.template.RoleTemplateProcessor + default + org.codehaus.plexus.redback.role.template.DefaultRoleTemplateProcessor + DefaultRoleTemplateProcessor: inserts the components of a template into the rbac manager + + + org.codehaus.plexus.redback.rbac.RBACManager + memory + rbacManager + + + + + + org.apache.maven.archiva.configuration.ArchivaConfiguration + org.apache.maven.archiva.configuration.DefaultArchivaConfiguration + + + org.codehaus.plexus.registry.Registry + configured + + + + + org.codehaus.plexus.registry.Registry + configured + org.codehaus.plexus.registry.commons.CommonsConfigurationRegistry + + + + + + + + + + -- 2.39.5