123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567 |
- package org.apache.maven.archiva.webdav;
-
- /*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- import java.io.File;
- import java.io.IOException;
- import java.io.InputStream;
-
- import javax.servlet.http.HttpServletResponse;
-
- import net.sf.ehcache.CacheManager;
-
- import org.apache.commons.io.FileUtils;
- import org.apache.jackrabbit.webdav.DavSessionProvider;
- import org.apache.maven.archiva.configuration.ArchivaConfiguration;
- import org.apache.maven.archiva.configuration.Configuration;
- import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
- import org.apache.maven.archiva.security.ArchivaRoleConstants;
- import org.apache.maven.archiva.security.ServletAuthenticator;
- import org.codehaus.plexus.redback.authentication.AuthenticationException;
- import org.codehaus.plexus.redback.authentication.AuthenticationResult;
- import org.codehaus.plexus.redback.authorization.UnauthorizedException;
- import org.codehaus.plexus.redback.system.DefaultSecuritySession;
- import org.codehaus.plexus.redback.system.SecuritySession;
- import org.codehaus.plexus.redback.users.memory.SimpleUser;
- import org.codehaus.plexus.spring.PlexusInSpringTestCase;
- import org.codehaus.redback.integration.filter.authentication.HttpAuthenticator;
- import org.codehaus.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
- import org.easymock.MockControl;
- import org.easymock.classextension.MockClassControl;
-
- import com.meterware.httpunit.GetMethodWebRequest;
- import com.meterware.httpunit.HttpUnitOptions;
- import com.meterware.httpunit.PutMethodWebRequest;
- import com.meterware.httpunit.WebRequest;
- import com.meterware.httpunit.WebResponse;
- import com.meterware.servletunit.InvocationContext;
- import com.meterware.servletunit.ServletRunner;
- import com.meterware.servletunit.ServletUnitClient;
-
- /**
- * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
- * perform redback security checking.
- *
- * @version $Id$
- */
- public class RepositoryServletSecurityTest
- extends PlexusInSpringTestCase
- {
- protected static final String REPOID_INTERNAL = "internal";
-
- protected ServletUnitClient sc;
-
- protected File repoRootInternal;
-
- private ServletRunner sr;
-
- protected ArchivaConfiguration archivaConfiguration;
-
- private DavSessionProvider davSessionProvider;
-
- private MockControl servletAuthControl;
-
- private ServletAuthenticator servletAuth;
-
- private MockClassControl httpAuthControl;
-
- private HttpAuthenticator httpAuth;
-
- private RepositoryServlet servlet;
-
- public void setUp()
- throws Exception
- {
- super.setUp();
-
- String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath();
- System.setProperty( "appserver.base", appserverBase );
-
- File testConf = getTestFile( "src/test/resources/repository-archiva.xml" );
- File testConfDest = new File( appserverBase, "conf/archiva.xml" );
- FileUtils.copyFile( testConf, testConfDest );
-
- archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
- repoRootInternal = new File( appserverBase, "data/repositories/internal" );
- Configuration config = archivaConfiguration.getConfiguration();
-
- config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
- saveConfiguration( archivaConfiguration );
-
- CacheManager.getInstance().removeCache( "url-failures-cache" );
-
- HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
-
- sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
- sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
- sc = sr.newClient();
-
- servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
- servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
- servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
-
- httpAuthControl =
- MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
- httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
- httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
-
- davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
- }
-
- protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
- {
- ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
- repo.setId( id );
- repo.setName( name );
- repo.setLocation( location.getAbsolutePath() );
- return repo;
- }
-
- protected void saveConfiguration()
- throws Exception
- {
- saveConfiguration( archivaConfiguration );
- }
-
- protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
- throws Exception
- {
- archivaConfiguration.save( archivaConfiguration.getConfiguration() );
- }
-
- protected void setupCleanRepo( File repoRootDir )
- throws IOException
- {
- FileUtils.deleteDirectory( repoRootDir );
- if ( !repoRootDir.exists() )
- {
- repoRootDir.mkdirs();
- }
- }
-
- @Override
- protected String getPlexusConfigLocation()
- {
- return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml";
- }
-
- @Override
- protected void tearDown()
- throws Exception
- {
- if ( sc != null )
- {
- sc.clearContents();
- }
-
- if ( sr != null )
- {
- sr.shutDown();
- }
-
- if ( repoRootInternal.exists() )
- {
- FileUtils.deleteDirectory( repoRootInternal );
- }
-
- servlet = null;
-
- super.tearDown();
- }
-
- // test deploy with invalid user, and guest has no write access to repo
- // 401 must be returned
- public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
- throws Exception
- {
- setupCleanRepo( repoRootInternal );
-
- String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
- InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
- assertNotNull( "artifact.jar inputstream", is );
-
- WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
- InvocationContext ic = sc.newInvocation( request );
- servlet = (RepositoryServlet) ic.getServlet();
- servlet.setDavSessionProvider( davSessionProvider );
-
- AuthenticationResult result = new AuthenticationResult();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
- new AuthenticationException( "Authentication error" ) );
-
- servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
- servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
- servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
-
- httpAuthControl.replay();
- servletAuthControl.replay();
-
- servlet.service( ic.getRequest(), ic.getResponse() );
-
- httpAuthControl.verify();
- servletAuthControl.verify();
-
- // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
- }
-
- // test deploy with invalid user, but guest has write access to repo
- public void testPutWithInvalidUserAndGuestHasWriteAccess()
- throws Exception
- {
- setupCleanRepo( repoRootInternal );
-
- String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
- InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
- assertNotNull( "artifact.jar inputstream", is );
-
- WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
-
- InvocationContext ic = sc.newInvocation( request );
- servlet = (RepositoryServlet) ic.getServlet();
- servlet.setDavSessionProvider( davSessionProvider );
-
- ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
- archivaDavResourceFactory.setHttpAuth( httpAuth );
- archivaDavResourceFactory.setServletAuth( servletAuth );
-
- servlet.setResourceFactory( archivaDavResourceFactory );
-
- AuthenticationResult result = new AuthenticationResult();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
- new AuthenticationException( "Authentication error" ) );
-
- servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
- servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
- servletAuthControl.setReturnValue( true );
-
- // ArchivaDavResourceFactory#isAuthorized()
- SecuritySession session = new DefaultSecuritySession();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
- servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
- new AuthenticationException( "Authentication error" ) );
-
- httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
-
- // check if guest has write access
- servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
- servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
- servletAuthControl.setReturnValue( true );
-
- httpAuthControl.replay();
- servletAuthControl.replay();
-
- servlet.service( ic.getRequest(), ic.getResponse() );
-
- httpAuthControl.verify();
- servletAuthControl.verify();
-
- // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
- }
-
- // test deploy with a valid user with no write access
- public void testPutWithValidUserWithNoWriteAccess()
- throws Exception
- {
- setupCleanRepo( repoRootInternal );
-
- String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
- InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
- assertNotNull( "artifact.jar inputstream", is );
-
- WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
-
- InvocationContext ic = sc.newInvocation( request );
- servlet = (RepositoryServlet) ic.getServlet();
- servlet.setDavSessionProvider( davSessionProvider );
-
- ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
- archivaDavResourceFactory.setHttpAuth( httpAuth );
- archivaDavResourceFactory.setServletAuth( servletAuth );
- servlet.setResourceFactory( archivaDavResourceFactory );
-
- AuthenticationResult result = new AuthenticationResult();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
-
- // ArchivaDavResourceFactory#isAuthorized()
- SecuritySession session = new DefaultSecuritySession();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
- httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
- servletAuthControl.expectAndThrow(
- servletAuth.isAuthorized( null, session, "internal",
- ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
- new UnauthorizedException( "User not authorized" ) );
-
- httpAuthControl.replay();
- servletAuthControl.replay();
-
- servlet.service( ic.getRequest(), ic.getResponse() );
-
- httpAuthControl.verify();
- servletAuthControl.verify();
-
- // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
- }
-
- // test deploy with a valid user with write access
- public void testPutWithValidUserWithWriteAccess()
- throws Exception
- {
- setupCleanRepo( repoRootInternal );
- assertTrue( repoRootInternal.exists() );
-
- String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
- InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
- assertNotNull( "artifact.jar inputstream", is );
-
- WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
-
- InvocationContext ic = sc.newInvocation( request );
- servlet = (RepositoryServlet) ic.getServlet();
- servlet.setDavSessionProvider( davSessionProvider );
-
- ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
- archivaDavResourceFactory.setHttpAuth( httpAuth );
- archivaDavResourceFactory.setServletAuth( servletAuth );
-
- servlet.setResourceFactory( archivaDavResourceFactory );
-
- AuthenticationResult result = new AuthenticationResult();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
-
- // ArchivaDavResourceFactory#isAuthorized()
- SecuritySession session = new DefaultSecuritySession();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
- httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
- servletAuthControl.expectAndReturn(
- servletAuth.isAuthorized( null, session, "internal",
- ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
- true );
-
- httpAuthControl.replay();
- servletAuthControl.replay();
-
- servlet.service( ic.getRequest(), ic.getResponse() );
-
- httpAuthControl.verify();
- servletAuthControl.verify();
-
- // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
- }
-
- // test get with invalid user, and guest has read access to repo
- public void testGetWithInvalidUserAndGuestHasReadAccess()
- throws Exception
- {
- String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
- String expectedArtifactContents = "dummy-commons-lang-artifact";
-
- File artifactFile = new File( repoRootInternal, commonsLangJar );
- artifactFile.getParentFile().mkdirs();
-
- FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
-
- WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
- InvocationContext ic = sc.newInvocation( request );
- servlet = (RepositoryServlet) ic.getServlet();
- servlet.setDavSessionProvider( davSessionProvider );
-
- ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
- archivaDavResourceFactory.setHttpAuth( httpAuth );
- archivaDavResourceFactory.setServletAuth( servletAuth );
-
- servlet.setResourceFactory( archivaDavResourceFactory );
-
- AuthenticationResult result = new AuthenticationResult();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
- new AuthenticationException( "Authentication error" ) );
- servletAuthControl.expectAndReturn(
- servletAuth.isAuthorized( "guest", "internal",
- ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
- true );
-
- // ArchivaDavResourceFactory#isAuthorized()
- SecuritySession session = new DefaultSecuritySession();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
- httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
- servletAuthControl.expectAndReturn(
- servletAuth.isAuthorized( null, session, "internal",
- ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
- true );
-
- httpAuthControl.replay();
- servletAuthControl.replay();
-
- WebResponse response = sc.getResponse( request );
-
- httpAuthControl.verify();
- servletAuthControl.verify();
-
- assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
- assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
- }
-
- // test get with invalid user, and guest has no read access to repo
- public void testGetWithInvalidUserAndGuestHasNoReadAccess()
- throws Exception
- {
- String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
- String expectedArtifactContents = "dummy-commons-lang-artifact";
-
- File artifactFile = new File( repoRootInternal, commonsLangJar );
- artifactFile.getParentFile().mkdirs();
-
- FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
-
- WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
- InvocationContext ic = sc.newInvocation( request );
- servlet = (RepositoryServlet) ic.getServlet();
- servlet.setDavSessionProvider( davSessionProvider );
-
- AuthenticationResult result = new AuthenticationResult();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
- new AuthenticationException( "Authentication error" ) );
- servletAuthControl.expectAndReturn(
- servletAuth.isAuthorized( "guest", "internal",
- ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
- false );
-
- httpAuthControl.replay();
- servletAuthControl.replay();
-
- WebResponse response = sc.getResponse( request );
-
- httpAuthControl.verify();
- servletAuthControl.verify();
-
- assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
- }
-
- // test get with valid user with read access to repo
- public void testGetWithAValidUserWithReadAccess()
- throws Exception
- {
- String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
- String expectedArtifactContents = "dummy-commons-lang-artifact";
-
- File artifactFile = new File( repoRootInternal, commonsLangJar );
- artifactFile.getParentFile().mkdirs();
-
- FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
-
- WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
- InvocationContext ic = sc.newInvocation( request );
- servlet = (RepositoryServlet) ic.getServlet();
- servlet.setDavSessionProvider( davSessionProvider );
-
- ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
- archivaDavResourceFactory.setHttpAuth( httpAuth );
- archivaDavResourceFactory.setServletAuth( servletAuth );
-
- servlet.setResourceFactory( archivaDavResourceFactory );
-
- AuthenticationResult result = new AuthenticationResult();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
-
- // ArchivaDavResourceFactory#isAuthorized()
- SecuritySession session = new DefaultSecuritySession();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
- httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
- servletAuthControl.expectAndReturn(
- servletAuth.isAuthorized( null, session, "internal",
- ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
- true );
-
- httpAuthControl.replay();
- servletAuthControl.replay();
-
- WebResponse response = sc.getResponse( request );
-
- httpAuthControl.verify();
- servletAuthControl.verify();
-
- assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
- assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
- }
-
- // test get with valid user with no read access to repo
- public void testGetWithAValidUserWithNoReadAccess()
- throws Exception
- {
- String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
- String expectedArtifactContents = "dummy-commons-lang-artifact";
-
- File artifactFile = new File( repoRootInternal, commonsLangJar );
- artifactFile.getParentFile().mkdirs();
-
- FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
-
- WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
- InvocationContext ic = sc.newInvocation( request );
- servlet = (RepositoryServlet) ic.getServlet();
- servlet.setDavSessionProvider( davSessionProvider );
-
- ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
- archivaDavResourceFactory.setHttpAuth( httpAuth );
- archivaDavResourceFactory.setServletAuth( servletAuth );
-
- servlet.setResourceFactory( archivaDavResourceFactory );
-
- AuthenticationResult result = new AuthenticationResult();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
-
- // ArchivaDavResourceFactory#isAuthorized()
- SecuritySession session = new DefaultSecuritySession();
- httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
- httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
- httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
- servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
- servletAuthControl.expectAndThrow(
- servletAuth.isAuthorized( null, session, "internal",
- ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
- new UnauthorizedException( "User not authorized to read repository." ) );
-
- httpAuthControl.replay();
- servletAuthControl.replay();
-
- WebResponse response = sc.getResponse( request );
-
- httpAuthControl.verify();
- servletAuthControl.verify();
-
- assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
- }
- }
|