mirrors
/
archiva
spogulis no https://github.com/apache/archiva.git
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Kods Problēmas 0 Laidieni 70 Vikivietne Aktivitāte
Nevar pievienot vairāk kā 25 tēmas Tēmai ir jāsākas ar burtu vai ciparu, tā var saturēt domu zīmes ('-') un var būt līdz 35 simboliem gara.
8202 Revīzijas
73 Atzari
Koks: 7adddbe141
Atzari Tagi
${ item.name }
Izveidot atzaru ${ searchTerm }
no '7adddbe141'
${ noResults }
archiva/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/archiva/webdav/RepositoryServletSecurityTe...

RepositoryServletSecurityTest.java 32KB
Neapstrādāts Vainot Vēsture

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745 
  1. package org.apache.archiva.webdav;

  2. 

  3. /*

  4.  * Licensed to the Apache Software Foundation (ASF) under one

  5.  * or more contributor license agreements.  See the NOTICE file

  6.  * distributed with this work for additional information

  7.  * regarding copyright ownership.  The ASF licenses this file

  8.  * to you under the Apache License, Version 2.0 (the

  9.  * "License"); you may not use this file except in compliance

  10.  * with the License.  You may obtain a copy of the License at

  11.  *

  12.  *  http://www.apache.org/licenses/LICENSE-2.0

  13.  *

  14.  * Unless required by applicable law or agreed to in writing,

  15.  * software distributed under the License is distributed on an

  16.  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

  17.  * KIND, either express or implied.  See the License for the

  18.  * specific language governing permissions and limitations

  19.  * under the License.

  20.  */

  21. 

  22. 

  23. import junit.framework.TestCase;

  24. import net.sf.ehcache.CacheManager;

  25. import org.apache.archiva.configuration.ArchivaConfiguration;

  26. import org.apache.archiva.configuration.Configuration;

  27. import org.apache.archiva.configuration.ManagedRepositoryConfiguration;

  28. import org.apache.archiva.redback.authentication.AuthenticationException;

  29. import org.apache.archiva.redback.authentication.AuthenticationResult;

  30. import org.apache.archiva.redback.authorization.UnauthorizedException;

  31. import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;

  32. import org.apache.archiva.redback.system.DefaultSecuritySession;

  33. import org.apache.archiva.redback.system.SecuritySession;

  34. import org.apache.archiva.redback.users.User;

  35. import org.apache.archiva.redback.users.memory.SimpleUser;

  36. import org.apache.archiva.repository.RepositoryRegistry;

  37. import org.apache.archiva.repository.audit.TestAuditListener;

  38. import org.apache.archiva.security.ServletAuthenticator;

  39. import org.apache.archiva.security.common.ArchivaRoleConstants;

  40. import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;

  41. import org.apache.commons.io.FileUtils;

  42. import org.apache.commons.io.IOUtils;

  43. import org.apache.commons.lang.StringUtils;

  44. import org.apache.jackrabbit.webdav.DavSessionProvider;

  45. import org.easymock.EasyMock;

  46. import org.easymock.IMocksControl;

  47. import org.junit.After;

  48. import org.junit.Before;

  49. import org.junit.Rule;

  50. import org.junit.Test;

  51. import org.junit.runner.RunWith;

  52. import org.springframework.context.ApplicationContext;

  53. import org.springframework.mock.web.MockHttpServletRequest;

  54. import org.springframework.mock.web.MockHttpServletResponse;

  55. import org.springframework.mock.web.MockServletConfig;

  56. import org.springframework.mock.web.MockServletContext;

  57. import org.springframework.test.context.ContextConfiguration;

  58. import org.springframework.web.context.WebApplicationContext;

  59. 

  60. import javax.inject.Inject;

  61. import javax.servlet.ServletContext;

  62. import javax.servlet.http.HttpServletRequest;

  63. import javax.servlet.http.HttpServletResponse;

  64. import javax.servlet.http.HttpSession;

  65. import java.io.InputStream;

  66. import java.nio.charset.Charset;

  67. import java.nio.file.Files;

  68. import java.nio.file.Path;

  69. import java.nio.file.Paths;

  70. import java.util.ArrayList;

  71. import java.util.List;

  72. import java.util.concurrent.atomic.AtomicReference;

  73. 

  74. import static org.easymock.EasyMock.anyObject;

  75. import static org.easymock.EasyMock.eq;

  76. 

  77. /**

  78.  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily

  79.  * perform redback security checking.

  80.  */

  81. @RunWith( ArchivaSpringJUnit4ClassRunner.class )

  82. @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context-servlet-security-test.xml" } )

  83. public class RepositoryServletSecurityTest

  84.     extends TestCase

  85. {

  86.     protected static final String REPOID_INTERNAL = "internal";

  87. 

  88.     @Inject

  89.     protected ArchivaConfiguration archivaConfiguration;

  90. 

  91.     @Inject

  92.     protected RepositoryRegistry repositoryRegistry;

  93. 

  94.     private DavSessionProvider davSessionProvider;

  95. 

  96.     private IMocksControl servletAuthControl;

  97. 

  98.     private ServletAuthenticator servletAuth;

  99. 

  100.     private IMocksControl httpAuthControl;

  101. 

  102.     private HttpAuthenticator httpAuth;

  103. 

  104.     private RepositoryServlet servlet;

  105. 

  106.     @Inject

  107.     ApplicationContext applicationContext;

  108.    

  109. 

  110.     @Rule

  111.     public ArchivaTemporaryFolderRule repoRootInternal = new ArchivaTemporaryFolderRule();

  112. 

  113.     private AtomicReference<Path> projectBase = new AtomicReference<>( );

  114. 

  115.     public Path getProjectBase() {

  116.         if (this.projectBase.get()==null) {

  117.             String pathVal = System.getProperty("mvn.project.base.dir");

  118.             Path baseDir;

  119.             if ( StringUtils.isEmpty(pathVal)) {

  120.                 baseDir= Paths.get("").toAbsolutePath();

  121.             } else {

  122.                 baseDir = Paths.get(pathVal).toAbsolutePath();

  123.             }

  124.             this.projectBase.compareAndSet(null, baseDir);

  125.         }

  126.         return this.projectBase.get();

  127.     }

  128. 

  129.     @Before

  130.     @Override

  131.     public void setUp()

  132.         throws Exception

  133.     {

  134.         

  135.         super.setUp();

  136. 

  137.         String appserverBase =

  138.             System.getProperty( "appserver.base", getProjectBase().resolve( "target/appserver-base" ).toAbsolutePath().toString() );

  139. 

  140.         Path testConf = getProjectBase().resolve( "src/test/resources/repository-archiva.xml" );

  141.         Path testConfDest = Paths.get(appserverBase, "conf/archiva.xml" );

  142.         FileUtils.copyFile( testConf.toFile(), testConfDest.toFile() );

  143.         

  144.         

  145.  

  146.         Configuration config = archivaConfiguration.getConfiguration();

  147.         // clear managed repository

  148.         List<ManagedRepositoryConfiguration> f1 = new ArrayList<>(config.getManagedRepositories());

  149.         for (ManagedRepositoryConfiguration f: f1 ) {

  150.             config.removeManagedRepository(f);

  151.         }

  152.         assertEquals(0,config.getManagedRepositories().size());

  153.         // add internal repo

  154.         config.addManagedRepository(

  155.                 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal.getRoot() ) );

  156.         

  157.         saveConfiguration( archivaConfiguration );

  158. 

  159.         CacheManager.getInstance().clearAll();

  160. 

  161. 

  162.         servletAuthControl = EasyMock.createControl();

  163. 

  164.         servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );

  165. 

  166.         httpAuthControl = EasyMock.createControl();

  167. 

  168.         httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );

  169. 

  170.         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );

  171. 

  172.         final MockServletContext mockServletContext = new MockServletContext();

  173. 

  174.         WebApplicationContext webApplicationContext =

  175.             new AbstractRepositoryServletTestCase.TestWebapplicationContext( applicationContext, mockServletContext );

  176. 

  177.         mockServletContext.setAttribute( WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,

  178.                                          webApplicationContext );

  179. 

  180.         MockServletConfig mockServletConfig = new MockServletConfig()

  181.         {

  182.             @Override

  183.             public ServletContext getServletContext()

  184.             {

  185.                 return mockServletContext;

  186.             }

  187.         };

  188. 

  189.         servlet = new RepositoryServlet();

  190. 

  191.         servlet.init( mockServletConfig );

  192.     }

  193. 

  194.     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, Path location )

  195.     {

  196.         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();

  197.         repo.setId( id );

  198.         repo.setName( name );

  199.         repo.setLocation( location.toAbsolutePath().toString() );

  200.         return repo;

  201.     }

  202. 

  203.     /*protected void saveConfiguration()

  204.         throws Exception

  205.     {

  206.         saveConfiguration( archivaConfiguration );

  207.     }*/

  208. 

  209.     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )

  210.         throws Exception

  211.     {

  212.         repositoryRegistry.reload();

  213.         archivaConfiguration.save( archivaConfiguration.getConfiguration() );        

  214.     }

  215. 

  216.     /*protected void setupCleanRepo( File repoRootDir )

  217.         throws IOException

  218.     {

  219.     }*/

  220. 

  221.     @Override

  222.     @After

  223.     public void tearDown()

  224.         throws Exception

  225.     {

  226. 

  227.        /* if ( repoRootInternal.exists() )

  228.         {

  229.             FileUtils.deleteDirectory( repoRootInternal );

  230.         }*/

  231. 

  232.         super.tearDown();

  233.         String appBaseProp = System.getProperty( "appserver.base" );

  234.         if (StringUtils.isNotEmpty( appBaseProp )) {

  235.             org.apache.archiva.common.utils.FileUtils.deleteDirectory( Paths.get(appBaseProp) );

  236.         }

  237.     }

  238. 

  239. 

  240. 

  241.     // test deploy with invalid user, and guest has no write access to repo

  242.     // 401 must be returned

  243.     @Test

  244.     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()

  245.         throws Exception

  246.     {

  247.         

  248.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  249.         assertNotNull( "artifact.jar inputstream", is );

  250. 

  251.         servlet.setDavSessionProvider( davSessionProvider );

  252. 

  253.         AuthenticationResult result = new AuthenticationResult();

  254. 

  255.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  256.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  257.             result );

  258. 

  259.         servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),

  260.                                      EasyMock.anyObject( AuthenticationResult.class ) );

  261.         EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );

  262. 

  263.         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

  264. 

  265.         EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );

  266. 

  267.         httpAuthControl.replay();

  268.         servletAuthControl.replay();

  269.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  270.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  271.         mockHttpServletRequest.setMethod( "PUT" );

  272.         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );

  273.         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );

  274.         mockHttpServletRequest.setContentType( "application/octet-stream" );

  275. 

  276.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  277. 

  278.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  279. 

  280.         httpAuthControl.verify();

  281.         servletAuthControl.verify();

  282. 

  283.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );

  284.     }

  285. 

  286.     // test deploy with invalid user, but guest has write access to repo

  287.     @Test

  288.     public void testPutWithInvalidUserAndGuestHasWriteAccess()

  289.         throws Exception

  290.     {

  291.         

  292.         servlet.setDavSessionProvider( davSessionProvider );

  293. 

  294.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  295.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  296.         archivaDavResourceFactory.setServletAuth( servletAuth );

  297. 

  298.         servlet.setResourceFactory( archivaDavResourceFactory );

  299. 

  300.         AuthenticationResult result = new AuthenticationResult();

  301. 

  302.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  303.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  304.             result );

  305. 

  306.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  307.                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(

  308.             new AuthenticationException( "Authentication error" ) );

  309. 

  310.         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",

  311.                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(

  312.             true );

  313. 

  314.         // ArchivaDavResourceFactory#isAuthorized()

  315.         SecuritySession session = new DefaultSecuritySession();

  316. 

  317.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  318.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  319.             result );

  320. 

  321.         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );

  322. 

  323.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andThrow(

  324.             new AuthenticationException( "Authentication error" ) );

  325. 

  326.         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );

  327. 

  328.         // check if guest has write access

  329.         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",

  330.                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(

  331.             true );

  332. 

  333.         httpAuthControl.replay();

  334.         servletAuthControl.replay();

  335. 

  336.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  337.         assertNotNull( "artifact.jar inputstream", is );

  338. 

  339.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  340.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  341.         mockHttpServletRequest.setMethod( "PUT" );

  342.         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );

  343.         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );

  344.         mockHttpServletRequest.setContentType( "application/octet-stream" );

  345. 

  346.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  347. 

  348.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  349. 

  350.         httpAuthControl.verify();

  351.         servletAuthControl.verify();

  352. 

  353.         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );

  354.     }

  355. 

  356.     // test deploy with a valid user with no write access

  357.     @Test

  358.     public void testPutWithValidUserWithNoWriteAccess()

  359.         throws Exception

  360.     {

  361.         

  362.         servlet.setDavSessionProvider( davSessionProvider );

  363. 

  364.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  365.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  366.         archivaDavResourceFactory.setServletAuth( servletAuth );

  367.         servlet.setResourceFactory( archivaDavResourceFactory );

  368. 

  369.         AuthenticationResult result = new AuthenticationResult();

  370. 

  371.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  372.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  373.             result );

  374. 

  375.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  376.                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );

  377. 

  378.         // ArchivaDavResourceFactory#isAuthorized()

  379.         SecuritySession session = new DefaultSecuritySession();

  380. 

  381.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  382.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  383.             result );

  384. 

  385.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  386. 

  387.         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession( true ) ) ).andReturn(

  388.             session );

  389. 

  390.         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( new SimpleUser() );

  391. 

  392.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  393.             true );

  394. 

  395.         EasyMock.expect(

  396.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  397.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andThrow(

  398.             new UnauthorizedException( "User not authorized" ) );

  399.         httpAuthControl.replay();

  400.         servletAuthControl.replay();

  401. 

  402.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  403.         assertNotNull( "artifact.jar inputstream", is );

  404. 

  405.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  406.         mockHttpServletRequest.setMethod( "PUT" );

  407.         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );

  408.         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );

  409.         mockHttpServletRequest.setContentType( "application/octet-stream" );

  410. 

  411.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  412. 

  413.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  414. 

  415.         httpAuthControl.verify();

  416.         servletAuthControl.verify();

  417. 

  418.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );

  419.     }

  420. 

  421.     // test deploy with a valid user with write access

  422.     @Test

  423.     public void testPutWithValidUserWithWriteAccess()

  424.         throws Exception

  425.     {

  426.         assertTrue( Files.exists(repoRootInternal.getRoot()) );

  427. 

  428.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  429.         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";

  430.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  431.         assertNotNull( "artifact.jar inputstream", is );

  432. 

  433.         servlet.setDavSessionProvider( davSessionProvider );

  434. 

  435.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  436.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  437.         archivaDavResourceFactory.setServletAuth( servletAuth );

  438. 

  439.         TestAuditListener listener = new TestAuditListener();

  440.         archivaDavResourceFactory.addAuditListener( listener );

  441.         servlet.setResourceFactory( archivaDavResourceFactory );

  442. 

  443.         AuthenticationResult result = new AuthenticationResult();

  444. 

  445.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  446.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  447.             result );

  448. 

  449.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  450.                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );

  451. 

  452.         User user = new SimpleUser();

  453.         user.setUsername( "admin" );

  454. 

  455.         // ArchivaDavResourceFactory#isAuthorized()

  456.         SecuritySession session = new DefaultSecuritySession();

  457. 

  458.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  459.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  460.             result );

  461. 

  462.         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession() ) ).andReturn( session );

  463. 

  464.         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( user );

  465. 

  466.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  467.             true );

  468. 

  469.         EasyMock.expect(

  470.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  471.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andReturn( true );

  472. 

  473.         httpAuthControl.replay();

  474.         servletAuthControl.replay();

  475. 

  476.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  477.         mockHttpServletRequest.setMethod( "PUT" );

  478.         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );

  479.         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );

  480.         mockHttpServletRequest.setContentType( "application/octet-stream" );

  481. 

  482.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  483. 

  484.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  485. 

  486.         httpAuthControl.verify();

  487.         servletAuthControl.verify();

  488. 

  489.         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );

  490. 

  491.         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );

  492.     }

  493. 

  494.     // test get with invalid user, and guest has read access to repo

  495.     @Test

  496.     public void testGetWithInvalidUserAndGuestHasReadAccess()

  497.         throws Exception

  498.     {

  499.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  500.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  501. 

  502.         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );

  503.         Files.createDirectories(artifactFile.getParent());

  504. 

  505.         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);

  506. 

  507.         servlet.setDavSessionProvider( davSessionProvider );

  508. 

  509.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  510.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  511.         archivaDavResourceFactory.setServletAuth( servletAuth );

  512. 

  513.         servlet.setResourceFactory( archivaDavResourceFactory );

  514. 

  515.         AuthenticationResult result = new AuthenticationResult();

  516. 

  517.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  518.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  519.             result );

  520. 

  521.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  522.                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(

  523.             new AuthenticationException( "Authentication error" ) );

  524. 

  525.         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",

  526.                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(

  527.             true );

  528. 

  529.         // ArchivaDavResourceFactory#isAuthorized()

  530.         SecuritySession session = new DefaultSecuritySession();

  531. 

  532.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  533.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  534.             result );

  535. 

  536.         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );

  537. 

  538.         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );

  539. 

  540.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  541.             true );

  542. 

  543.         EasyMock.expect(

  544.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  545.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );

  546.         httpAuthControl.replay();

  547.         servletAuthControl.replay();

  548. 

  549.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  550.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  551.         mockHttpServletRequest.setMethod( "GET" );

  552.         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );

  553. 

  554.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  555. 

  556.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  557. 

  558.         httpAuthControl.verify();

  559.         servletAuthControl.verify();

  560. 

  561.         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );

  562. 

  563.         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );

  564.     }

  565. 

  566.     // test get with invalid user, and guest has no read access to repo

  567.     @Test

  568.     public void testGetWithInvalidUserAndGuestHasNoReadAccess()

  569.         throws Exception

  570.     {

  571.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  572.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  573. 

  574.         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );

  575.         Files.createDirectories(artifactFile.getParent());

  576. 

  577.         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);

  578. 

  579.         servlet.setDavSessionProvider( davSessionProvider );

  580. 

  581.         AuthenticationResult result = new AuthenticationResult();

  582. 

  583.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  584.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  585.             result );

  586. 

  587.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  588.                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(

  589.             new AuthenticationException( "Authentication error" ) );

  590. 

  591.         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",

  592.                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(

  593.             false );

  594.         httpAuthControl.replay();

  595.         servletAuthControl.replay();

  596. 

  597.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  598.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  599.         mockHttpServletRequest.setMethod( "GET" );

  600.         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );

  601. 

  602.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  603. 

  604.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  605. 

  606.         httpAuthControl.verify();

  607.         servletAuthControl.verify();

  608. 

  609.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );

  610.     }

  611. 

  612.     // test get with valid user with read access to repo

  613.     @Test

  614.     public void testGetWithAValidUserWithReadAccess()

  615.         throws Exception

  616.     {

  617.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  618.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  619. 

  620.         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );

  621.         Files.createDirectories(artifactFile.getParent());

  622. 

  623.         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);

  624. 

  625.         servlet.setDavSessionProvider( davSessionProvider );

  626. 

  627.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  628.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  629.         archivaDavResourceFactory.setServletAuth( servletAuth );

  630. 

  631.         servlet.setResourceFactory( archivaDavResourceFactory );

  632. 

  633.         AuthenticationResult result = new AuthenticationResult();

  634. 

  635.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  636.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  637.             result );

  638. 

  639.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  640.                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );

  641.         // ArchivaDavResourceFactory#isAuthorized()

  642.         SecuritySession session = new DefaultSecuritySession();

  643. 

  644.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  645.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  646.             result );

  647. 

  648.         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );

  649. 

  650.         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );

  651. 

  652.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  653.             true );

  654. 

  655.         EasyMock.expect(

  656.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  657.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );

  658. 

  659.         httpAuthControl.replay();

  660.         servletAuthControl.replay();

  661. 

  662.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  663.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  664.         mockHttpServletRequest.setMethod( "GET" );

  665.         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );

  666. 

  667.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  668. 

  669.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  670. 

  671.         httpAuthControl.verify();

  672.         servletAuthControl.verify();

  673. 

  674.         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );

  675.         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );

  676.     }

  677. 

  678.     // test get with valid user with no read access to repo

  679.     @Test

  680.     public void testGetWithAValidUserWithNoReadAccess()

  681.         throws Exception

  682.     {

  683.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  684.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  685. 

  686.         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );

  687.         Files.createDirectories(artifactFile.getParent());

  688. 

  689.         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);

  690. 

  691.         servlet.setDavSessionProvider( davSessionProvider );

  692. 

  693.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  694.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  695.         archivaDavResourceFactory.setServletAuth( servletAuth );

  696. 

  697.         servlet.setResourceFactory( archivaDavResourceFactory );

  698. 

  699.         AuthenticationResult result = new AuthenticationResult();

  700. 

  701.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  702.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  703.             result );

  704. 

  705.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  706.                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );

  707. 

  708.         // ArchivaDavResourceFactory#isAuthorized()

  709.         SecuritySession session = new DefaultSecuritySession();

  710. 

  711.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  712.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  713.             result );

  714. 

  715.         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );

  716. 

  717.         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );

  718. 

  719.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  720.             true );

  721. 

  722.         EasyMock.expect(

  723.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  724.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andThrow(

  725.             new UnauthorizedException( "User not authorized to read repository." ) );

  726.         httpAuthControl.replay();

  727.         servletAuthControl.replay();

  728. 

  729.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  730.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  731.         mockHttpServletRequest.setMethod( "GET" );

  732.         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );

  733. 

  734. 

  735.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  736. 

  737.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  738. 

  739.         httpAuthControl.verify();

  740.         servletAuthControl.verify();

  741. 

  742.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );

  743.     }

  744. 

  745. }