mirrors
/
archiva
spegling av https://github.com/apache/archiva.git
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Släpp 70 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
2560 Incheckningar
73 Grenar
Träd: 6681581426
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '6681581426'
${ noResults }
archiva/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTe...

RepositoryServletSecurityTest.java 26KB
Blame Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567 
  1. package org.apache.maven.archiva.webdav;

  2. 

  3. /*

  4.  * Licensed to the Apache Software Foundation (ASF) under one

  5.  * or more contributor license agreements.  See the NOTICE file

  6.  * distributed with this work for additional information

  7.  * regarding copyright ownership.  The ASF licenses this file

  8.  * to you under the Apache License, Version 2.0 (the

  9.  * "License"); you may not use this file except in compliance

  10.  * with the License.  You may obtain a copy of the License at

  11.  *

  12.  *  http://www.apache.org/licenses/LICENSE-2.0

  13.  *

  14.  * Unless required by applicable law or agreed to in writing,

  15.  * software distributed under the License is distributed on an

  16.  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

  17.  * KIND, either express or implied.  See the License for the

  18.  * specific language governing permissions and limitations

  19.  * under the License.

  20.  */

  21. 

  22. import java.io.File;

  23. import java.io.IOException;

  24. import java.io.InputStream;

  25. 

  26. import javax.servlet.http.HttpServletResponse;

  27. 

  28. import net.sf.ehcache.CacheManager;

  29. 

  30. import org.apache.commons.io.FileUtils;

  31. import org.apache.jackrabbit.webdav.DavSessionProvider;

  32. import org.apache.maven.archiva.configuration.ArchivaConfiguration;

  33. import org.apache.maven.archiva.configuration.Configuration;

  34. import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;

  35. import org.apache.maven.archiva.security.ArchivaRoleConstants;

  36. import org.apache.maven.archiva.security.ServletAuthenticator;

  37. import org.codehaus.plexus.redback.authentication.AuthenticationException;

  38. import org.codehaus.plexus.redback.authentication.AuthenticationResult;

  39. import org.codehaus.plexus.redback.authorization.UnauthorizedException;

  40. import org.codehaus.plexus.redback.system.DefaultSecuritySession;

  41. import org.codehaus.plexus.redback.system.SecuritySession;

  42. import org.codehaus.plexus.redback.users.memory.SimpleUser;

  43. import org.codehaus.plexus.spring.PlexusInSpringTestCase;

  44. import org.codehaus.redback.integration.filter.authentication.HttpAuthenticator;

  45. import org.codehaus.redback.integration.filter.authentication.basic.HttpBasicAuthentication;

  46. import org.easymock.MockControl;

  47. import org.easymock.classextension.MockClassControl;

  48. 

  49. import com.meterware.httpunit.GetMethodWebRequest;

  50. import com.meterware.httpunit.HttpUnitOptions;

  51. import com.meterware.httpunit.PutMethodWebRequest;

  52. import com.meterware.httpunit.WebRequest;

  53. import com.meterware.httpunit.WebResponse;

  54. import com.meterware.servletunit.InvocationContext;

  55. import com.meterware.servletunit.ServletRunner;

  56. import com.meterware.servletunit.ServletUnitClient;

  57. 

  58. /**

  59.  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily

  60.  * perform redback security checking.

  61.  * 

  62.  * @version $Id$

  63.  */

  64. public class RepositoryServletSecurityTest

  65.     extends PlexusInSpringTestCase

  66. {

  67.     protected static final String REPOID_INTERNAL = "internal";

  68. 

  69.     protected ServletUnitClient sc;

  70. 

  71.     protected File repoRootInternal;

  72. 

  73.     private ServletRunner sr;

  74. 

  75.     protected ArchivaConfiguration archivaConfiguration;

  76. 

  77.     private DavSessionProvider davSessionProvider;

  78. 

  79.     private MockControl servletAuthControl;

  80. 

  81.     private ServletAuthenticator servletAuth;

  82. 

  83.     private MockClassControl httpAuthControl;

  84. 

  85.     private HttpAuthenticator httpAuth;

  86. 

  87.     private RepositoryServlet servlet;

  88. 

  89.     public void setUp()

  90.         throws Exception

  91.     {

  92.         super.setUp();

  93. 

  94.         String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath();

  95.         System.setProperty( "appserver.base", appserverBase );

  96. 

  97.         File testConf = getTestFile( "src/test/resources/repository-archiva.xml" );

  98.         File testConfDest = new File( appserverBase, "conf/archiva.xml" );

  99.         FileUtils.copyFile( testConf, testConfDest );

  100. 

  101.         archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );

  102.         repoRootInternal = new File( appserverBase, "data/repositories/internal" );

  103.         Configuration config = archivaConfiguration.getConfiguration();

  104. 

  105.         config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );

  106.         saveConfiguration( archivaConfiguration );

  107. 

  108.         CacheManager.getInstance().removeCache( "url-failures-cache" );

  109. 

  110.         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );

  111. 

  112.         sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );

  113.         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );

  114.         sc = sr.newClient();

  115. 

  116.         servletAuthControl = MockControl.createControl( ServletAuthenticator.class );

  117.         servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );

  118.         servletAuth = (ServletAuthenticator) servletAuthControl.getMock();

  119. 

  120.         httpAuthControl =

  121.             MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );

  122.         httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );

  123.         httpAuth = (HttpAuthenticator) httpAuthControl.getMock();

  124. 

  125.         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );

  126.     }

  127. 

  128.     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )

  129.     {

  130.         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();

  131.         repo.setId( id );

  132.         repo.setName( name );

  133.         repo.setLocation( location.getAbsolutePath() );

  134.         return repo;

  135.     }

  136. 

  137.     protected void saveConfiguration()

  138.         throws Exception

  139.     {

  140.         saveConfiguration( archivaConfiguration );

  141.     }

  142. 

  143.     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )

  144.         throws Exception

  145.     {

  146.         archivaConfiguration.save( archivaConfiguration.getConfiguration() );

  147.     }

  148. 

  149.     protected void setupCleanRepo( File repoRootDir )

  150.         throws IOException

  151.     {

  152.         FileUtils.deleteDirectory( repoRootDir );

  153.         if ( !repoRootDir.exists() )

  154.         {

  155.             repoRootDir.mkdirs();

  156.         }

  157.     }

  158. 

  159.     @Override

  160.     protected String getPlexusConfigLocation()

  161.     {

  162.         return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml";

  163.     }

  164. 

  165.     @Override

  166.     protected void tearDown()

  167.         throws Exception

  168.     {

  169.         if ( sc != null )

  170.         {

  171.             sc.clearContents();

  172.         }

  173. 

  174.         if ( sr != null )

  175.         {

  176.             sr.shutDown();

  177.         }

  178. 

  179.         if ( repoRootInternal.exists() )

  180.         {

  181.             FileUtils.deleteDirectory( repoRootInternal );

  182.         }

  183. 

  184.         servlet = null;

  185. 

  186.         super.tearDown();

  187.     }

  188. 

  189.     // test deploy with invalid user, and guest has no write access to repo

  190.     // 401 must be returned

  191.     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()

  192.         throws Exception

  193.     {

  194.         setupCleanRepo( repoRootInternal );

  195. 

  196.         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";

  197.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  198.         assertNotNull( "artifact.jar inputstream", is );

  199. 

  200.         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );

  201.         InvocationContext ic = sc.newInvocation( request );

  202.         servlet = (RepositoryServlet) ic.getServlet();

  203.         servlet.setDavSessionProvider( davSessionProvider );

  204. 

  205.         AuthenticationResult result = new AuthenticationResult();

  206.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  207.         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),

  208.                                            new AuthenticationException( "Authentication error" ) );

  209. 

  210.         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

  211.         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );

  212.         servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );

  213. 

  214.         httpAuthControl.replay();

  215.         servletAuthControl.replay();

  216. 

  217.         servlet.service( ic.getRequest(), ic.getResponse() );

  218. 

  219.         httpAuthControl.verify();

  220.         servletAuthControl.verify();

  221. 

  222.         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());

  223.     }

  224. 

  225.     // test deploy with invalid user, but guest has write access to repo

  226.     public void testPutWithInvalidUserAndGuestHasWriteAccess()

  227.         throws Exception

  228.     {

  229.         setupCleanRepo( repoRootInternal );

  230. 

  231.         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";

  232.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  233.         assertNotNull( "artifact.jar inputstream", is );

  234. 

  235.         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );

  236. 

  237.         InvocationContext ic = sc.newInvocation( request );

  238.         servlet = (RepositoryServlet) ic.getServlet();

  239.         servlet.setDavSessionProvider( davSessionProvider );

  240. 

  241.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  242.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  243.         archivaDavResourceFactory.setServletAuth( servletAuth );

  244. 

  245.         servlet.setResourceFactory( archivaDavResourceFactory );

  246. 

  247.         AuthenticationResult result = new AuthenticationResult();

  248.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  249.         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),

  250.                                            new AuthenticationException( "Authentication error" ) );

  251. 

  252.         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

  253.         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );

  254.         servletAuthControl.setReturnValue( true );

  255. 

  256.         // ArchivaDavResourceFactory#isAuthorized()

  257.         SecuritySession session = new DefaultSecuritySession();

  258.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  259.         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );

  260.         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),

  261.                                            new AuthenticationException( "Authentication error" ) );

  262. 

  263.         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );

  264. 

  265.         // check if guest has write access

  266.         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

  267.         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );

  268.         servletAuthControl.setReturnValue( true );

  269. 

  270.         httpAuthControl.replay();

  271.         servletAuthControl.replay();

  272. 

  273.         servlet.service( ic.getRequest(), ic.getResponse() );

  274. 

  275.         httpAuthControl.verify();

  276.         servletAuthControl.verify();

  277. 

  278.         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );

  279.     }

  280. 

  281.     // test deploy with a valid user with no write access

  282.     public void testPutWithValidUserWithNoWriteAccess()

  283.         throws Exception

  284.     {

  285.         setupCleanRepo( repoRootInternal );

  286. 

  287.         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";

  288.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  289.         assertNotNull( "artifact.jar inputstream", is );

  290. 

  291.         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );

  292. 

  293.         InvocationContext ic = sc.newInvocation( request );

  294.         servlet = (RepositoryServlet) ic.getServlet();

  295.         servlet.setDavSessionProvider( davSessionProvider );

  296. 

  297.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  298.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  299.         archivaDavResourceFactory.setServletAuth( servletAuth );

  300.         servlet.setResourceFactory( archivaDavResourceFactory );

  301. 

  302.         AuthenticationResult result = new AuthenticationResult();

  303.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  304.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );

  305. 

  306.         // ArchivaDavResourceFactory#isAuthorized()

  307.         SecuritySession session = new DefaultSecuritySession();

  308.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  309.         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );

  310.         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );

  311.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );

  312.         servletAuthControl.expectAndThrow(

  313.                                            servletAuth.isAuthorized( null, session, "internal",

  314.                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),

  315.                                            new UnauthorizedException( "User not authorized" ) );

  316. 

  317.         httpAuthControl.replay();

  318.         servletAuthControl.replay();

  319. 

  320.         servlet.service( ic.getRequest(), ic.getResponse() );

  321. 

  322.         httpAuthControl.verify();

  323.         servletAuthControl.verify();

  324. 

  325.         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());

  326.     }

  327. 

  328.     // test deploy with a valid user with write access

  329.     public void testPutWithValidUserWithWriteAccess()

  330.         throws Exception

  331.     {

  332.         setupCleanRepo( repoRootInternal );

  333.         assertTrue( repoRootInternal.exists() );

  334. 

  335.         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";

  336.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  337.         assertNotNull( "artifact.jar inputstream", is );

  338. 

  339.         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );

  340. 

  341.         InvocationContext ic = sc.newInvocation( request );

  342.         servlet = (RepositoryServlet) ic.getServlet();

  343.         servlet.setDavSessionProvider( davSessionProvider );

  344. 

  345.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  346.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  347.         archivaDavResourceFactory.setServletAuth( servletAuth );

  348. 

  349.         servlet.setResourceFactory( archivaDavResourceFactory );

  350. 

  351.         AuthenticationResult result = new AuthenticationResult();

  352.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  353.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );

  354. 

  355.         // ArchivaDavResourceFactory#isAuthorized()

  356.         SecuritySession session = new DefaultSecuritySession();

  357.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  358.         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );

  359.         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );

  360.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );

  361.         servletAuthControl.expectAndReturn(

  362.                                             servletAuth.isAuthorized( null, session, "internal",

  363.                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),

  364.                                             true );

  365. 

  366.         httpAuthControl.replay();

  367.         servletAuthControl.replay();

  368. 

  369.         servlet.service( ic.getRequest(), ic.getResponse() );

  370. 

  371.         httpAuthControl.verify();

  372.         servletAuthControl.verify();

  373. 

  374.         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());

  375.     }

  376. 

  377.     // test get with invalid user, and guest has read access to repo

  378.     public void testGetWithInvalidUserAndGuestHasReadAccess()

  379.         throws Exception

  380.     {

  381.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  382.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  383. 

  384.         File artifactFile = new File( repoRootInternal, commonsLangJar );

  385.         artifactFile.getParentFile().mkdirs();

  386. 

  387.         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );

  388. 

  389.         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );

  390.         InvocationContext ic = sc.newInvocation( request );

  391.         servlet = (RepositoryServlet) ic.getServlet();

  392.         servlet.setDavSessionProvider( davSessionProvider );

  393. 

  394.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  395.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  396.         archivaDavResourceFactory.setServletAuth( servletAuth );

  397. 

  398.         servlet.setResourceFactory( archivaDavResourceFactory );

  399. 

  400.         AuthenticationResult result = new AuthenticationResult();

  401.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  402.         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),

  403.                                            new AuthenticationException( "Authentication error" ) );

  404.         servletAuthControl.expectAndReturn(

  405.                                             servletAuth.isAuthorized( "guest", "internal",

  406.                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),

  407.                                             true );

  408. 

  409.         // ArchivaDavResourceFactory#isAuthorized()

  410.         SecuritySession session = new DefaultSecuritySession();

  411.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  412.         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );

  413.         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );

  414.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );

  415.         servletAuthControl.expectAndReturn(

  416.                                             servletAuth.isAuthorized( null, session, "internal",

  417.                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),

  418.                                             true );

  419. 

  420.         httpAuthControl.replay();

  421.         servletAuthControl.replay();

  422. 

  423.         WebResponse response = sc.getResponse( request );

  424. 

  425.         httpAuthControl.verify();

  426.         servletAuthControl.verify();

  427. 

  428.         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );

  429.         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );

  430.     }

  431. 

  432.     // test get with invalid user, and guest has no read access to repo

  433.     public void testGetWithInvalidUserAndGuestHasNoReadAccess()

  434.         throws Exception

  435.     {

  436.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  437.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  438. 

  439.         File artifactFile = new File( repoRootInternal, commonsLangJar );

  440.         artifactFile.getParentFile().mkdirs();

  441. 

  442.         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );

  443. 

  444.         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );

  445.         InvocationContext ic = sc.newInvocation( request );

  446.         servlet = (RepositoryServlet) ic.getServlet();

  447.         servlet.setDavSessionProvider( davSessionProvider );

  448. 

  449.         AuthenticationResult result = new AuthenticationResult();

  450.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  451.         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),

  452.                                            new AuthenticationException( "Authentication error" ) );

  453.         servletAuthControl.expectAndReturn(

  454.                                             servletAuth.isAuthorized( "guest", "internal",

  455.                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),

  456.                                             false );

  457. 

  458.         httpAuthControl.replay();

  459.         servletAuthControl.replay();

  460. 

  461.         WebResponse response = sc.getResponse( request );

  462. 

  463.         httpAuthControl.verify();

  464.         servletAuthControl.verify();

  465. 

  466.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );

  467.     }

  468. 

  469.     // test get with valid user with read access to repo

  470.     public void testGetWithAValidUserWithReadAccess()

  471.         throws Exception

  472.     {

  473.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  474.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  475. 

  476.         File artifactFile = new File( repoRootInternal, commonsLangJar );

  477.         artifactFile.getParentFile().mkdirs();

  478. 

  479.         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );

  480. 

  481.         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );

  482.         InvocationContext ic = sc.newInvocation( request );

  483.         servlet = (RepositoryServlet) ic.getServlet();

  484.         servlet.setDavSessionProvider( davSessionProvider );

  485. 

  486.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  487.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  488.         archivaDavResourceFactory.setServletAuth( servletAuth );

  489. 

  490.         servlet.setResourceFactory( archivaDavResourceFactory );

  491. 

  492.         AuthenticationResult result = new AuthenticationResult();

  493.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  494.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );

  495. 

  496.         // ArchivaDavResourceFactory#isAuthorized()

  497.         SecuritySession session = new DefaultSecuritySession();

  498.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  499.         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );

  500.         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );

  501.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );

  502.         servletAuthControl.expectAndReturn(

  503.                                             servletAuth.isAuthorized( null, session, "internal",

  504.                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),

  505.                                             true );

  506. 

  507.         httpAuthControl.replay();

  508.         servletAuthControl.replay();

  509. 

  510.         WebResponse response = sc.getResponse( request );

  511. 

  512.         httpAuthControl.verify();

  513.         servletAuthControl.verify();

  514. 

  515.         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );

  516.         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );

  517.     }

  518. 

  519.     // test get with valid user with no read access to repo

  520.     public void testGetWithAValidUserWithNoReadAccess()

  521.         throws Exception

  522.     {

  523.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  524.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  525. 

  526.         File artifactFile = new File( repoRootInternal, commonsLangJar );

  527.         artifactFile.getParentFile().mkdirs();

  528. 

  529.         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );

  530. 

  531.         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );

  532.         InvocationContext ic = sc.newInvocation( request );

  533.         servlet = (RepositoryServlet) ic.getServlet();

  534.         servlet.setDavSessionProvider( davSessionProvider );

  535. 

  536.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  537.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  538.         archivaDavResourceFactory.setServletAuth( servletAuth );

  539. 

  540.         servlet.setResourceFactory( archivaDavResourceFactory );

  541. 

  542.         AuthenticationResult result = new AuthenticationResult();

  543.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  544.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );

  545. 

  546.         // ArchivaDavResourceFactory#isAuthorized()

  547.         SecuritySession session = new DefaultSecuritySession();

  548.         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );

  549.         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );

  550.         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );

  551.         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );

  552.         servletAuthControl.expectAndThrow(

  553.                                            servletAuth.isAuthorized( null, session, "internal",

  554.                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),

  555.                                            new UnauthorizedException( "User not authorized to read repository." ) );

  556. 

  557.         httpAuthControl.replay();

  558.         servletAuthControl.replay();

  559. 

  560.         WebResponse response = sc.getResponse( request );

  561. 

  562.         httpAuthControl.verify();

  563.         servletAuthControl.verify();

  564. 

  565.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );

  566.     }

  567. }