mirrors
/
archiva
mirror of https://github.com/apache/archiva.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 70 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8675 Commits
73 Branches
Tree: bf219edd16
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bf219edd16'
${ noResults }
archiva/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/archiva/webdav/RepositoryServletSecurityTe...

RepositoryServletSecurityTest.java 32KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750 
  1. package org.apache.archiva.webdav;

  2. 

  3. /*

  4.  * Licensed to the Apache Software Foundation (ASF) under one

  5.  * or more contributor license agreements.  See the NOTICE file

  6.  * distributed with this work for additional information

  7.  * regarding copyright ownership.  The ASF licenses this file

  8.  * to you under the Apache License, Version 2.0 (the

  9.  * "License"); you may not use this file except in compliance

  10.  * with the License.  You may obtain a copy of the License at

  11.  *

  12.  *  http://www.apache.org/licenses/LICENSE-2.0

  13.  *

  14.  * Unless required by applicable law or agreed to in writing,

  15.  * software distributed under the License is distributed on an

  16.  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

  17.  * KIND, either express or implied.  See the License for the

  18.  * specific language governing permissions and limitations

  19.  * under the License.

  20.  */

  21. 

  22. 

  23. import junit.framework.TestCase;

  24. import net.sf.ehcache.CacheManager;

  25. import org.apache.archiva.configuration.ArchivaConfiguration;

  26. import org.apache.archiva.configuration.Configuration;

  27. import org.apache.archiva.configuration.ManagedRepositoryConfiguration;

  28. import org.apache.archiva.redback.authentication.AuthenticationException;

  29. import org.apache.archiva.redback.authentication.AuthenticationResult;

  30. import org.apache.archiva.redback.authorization.UnauthorizedException;

  31. import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;

  32. import org.apache.archiva.redback.system.DefaultSecuritySession;

  33. import org.apache.archiva.redback.system.SecuritySession;

  34. import org.apache.archiva.redback.users.User;

  35. import org.apache.archiva.redback.users.memory.SimpleUser;

  36. import org.apache.archiva.repository.RepositoryRegistry;

  37. import org.apache.archiva.metadata.audit.TestAuditListener;

  38. import org.apache.archiva.repository.base.group.RepositoryGroupHandler;

  39. import org.apache.archiva.security.ServletAuthenticator;

  40. import org.apache.archiva.security.common.ArchivaRoleConstants;

  41. import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;

  42. import org.apache.commons.io.FileUtils;

  43. import org.apache.commons.io.IOUtils;

  44. import org.apache.commons.lang3.StringUtils;

  45. import org.apache.jackrabbit.webdav.DavSessionProvider;

  46. import org.easymock.EasyMock;

  47. import org.easymock.IMocksControl;

  48. import org.junit.After;

  49. import org.junit.Before;

  50. import org.junit.Rule;

  51. import org.junit.Test;

  52. import org.junit.runner.RunWith;

  53. import org.springframework.context.ApplicationContext;

  54. import org.springframework.mock.web.MockHttpServletRequest;

  55. import org.springframework.mock.web.MockHttpServletResponse;

  56. import org.springframework.mock.web.MockServletConfig;

  57. import org.springframework.mock.web.MockServletContext;

  58. import org.springframework.test.context.ContextConfiguration;

  59. import org.springframework.web.context.WebApplicationContext;

  60. 

  61. import javax.inject.Inject;

  62. import javax.servlet.ServletContext;

  63. import javax.servlet.http.HttpServletRequest;

  64. import javax.servlet.http.HttpServletResponse;

  65. import javax.servlet.http.HttpSession;

  66. import java.io.InputStream;

  67. import java.nio.charset.Charset;

  68. import java.nio.file.Files;

  69. import java.nio.file.Path;

  70. import java.nio.file.Paths;

  71. import java.util.ArrayList;

  72. import java.util.List;

  73. import java.util.concurrent.atomic.AtomicReference;

  74. 

  75. import static org.easymock.EasyMock.anyObject;

  76. import static org.easymock.EasyMock.eq;

  77. 

  78. /**

  79.  * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily

  80.  * perform redback security checking.

  81.  */

  82. @RunWith( ArchivaSpringJUnit4ClassRunner.class )

  83. @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context-servlet-security-test.xml" } )

  84. public class RepositoryServletSecurityTest

  85.     extends TestCase

  86. {

  87.     protected static final String REPOID_INTERNAL = "internal";

  88. 

  89.     @Inject

  90.     protected ArchivaConfiguration archivaConfiguration;

  91. 

  92.     @Inject

  93.     protected RepositoryRegistry repositoryRegistry;

  94. 

  95.     @SuppressWarnings( "unused" )

  96.     @Inject

  97.     RepositoryGroupHandler repositoryGroupHandler;

  98. 

  99.     private DavSessionProvider davSessionProvider;

  100. 

  101.     private IMocksControl servletAuthControl;

  102. 

  103.     private ServletAuthenticator servletAuth;

  104. 

  105.     private IMocksControl httpAuthControl;

  106. 

  107.     private HttpAuthenticator httpAuth;

  108. 

  109.     private RepositoryServlet servlet;

  110. 

  111.     @Inject

  112.     ApplicationContext applicationContext;

  113.    

  114. 

  115.     @Rule

  116.     public ArchivaTemporaryFolderRule repoRootInternal = new ArchivaTemporaryFolderRule();

  117. 

  118.     private AtomicReference<Path> projectBase = new AtomicReference<>( );

  119. 

  120.     public Path getProjectBase() {

  121.         if (this.projectBase.get()==null) {

  122.             String pathVal = System.getProperty("mvn.project.base.dir");

  123.             Path baseDir;

  124.             if ( StringUtils.isEmpty(pathVal)) {

  125.                 baseDir= Paths.get("").toAbsolutePath();

  126.             } else {

  127.                 baseDir = Paths.get(pathVal).toAbsolutePath();

  128.             }

  129.             this.projectBase.compareAndSet(null, baseDir);

  130.         }

  131.         return this.projectBase.get();

  132.     }

  133. 

  134.     @Before

  135.     @Override

  136.     public void setUp()

  137.         throws Exception

  138.     {

  139.         

  140.         super.setUp();

  141. 

  142.         String appserverBase =

  143.             System.getProperty( "appserver.base", getProjectBase().resolve( "target/appserver-base" ).toAbsolutePath().toString() );

  144. 

  145.         Path testConf = getProjectBase().resolve( "src/test/resources/repository-archiva.xml" );

  146.         Path testConfDest = Paths.get(appserverBase, "conf/archiva.xml" );

  147.         FileUtils.copyFile( testConf.toFile(), testConfDest.toFile() );

  148.         

  149.         

  150.  

  151.         Configuration config = archivaConfiguration.getConfiguration();

  152.         // clear managed repository

  153.         List<ManagedRepositoryConfiguration> f1 = new ArrayList<>(config.getManagedRepositories());

  154.         for (ManagedRepositoryConfiguration f: f1 ) {

  155.             config.removeManagedRepository(f);

  156.         }

  157.         assertEquals(0,config.getManagedRepositories().size());

  158.         // add internal repo

  159.         config.addManagedRepository(

  160.                 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal.getRoot() ) );

  161.         

  162.         saveConfiguration( archivaConfiguration );

  163. 

  164.         CacheManager.getInstance().clearAll();

  165. 

  166. 

  167.         servletAuthControl = EasyMock.createControl();

  168. 

  169.         servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );

  170. 

  171.         httpAuthControl = EasyMock.createControl();

  172. 

  173.         httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );

  174. 

  175.         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );

  176. 

  177.         final MockServletContext mockServletContext = new MockServletContext();

  178. 

  179.         WebApplicationContext webApplicationContext =

  180.             new AbstractRepositoryServletTestCase.TestWebapplicationContext( applicationContext, mockServletContext );

  181. 

  182.         mockServletContext.setAttribute( WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,

  183.                                          webApplicationContext );

  184. 

  185.         MockServletConfig mockServletConfig = new MockServletConfig()

  186.         {

  187.             @Override

  188.             public ServletContext getServletContext()

  189.             {

  190.                 return mockServletContext;

  191.             }

  192.         };

  193. 

  194.         servlet = new RepositoryServlet();

  195. 

  196.         servlet.init( mockServletConfig );

  197.     }

  198. 

  199.     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, Path location )

  200.     {

  201.         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();

  202.         repo.setId( id );

  203.         repo.setName( name );

  204.         repo.setLocation( location.toAbsolutePath().toString() );

  205.         return repo;

  206.     }

  207. 

  208.     /*protected void saveConfiguration()

  209.         throws Exception

  210.     {

  211.         saveConfiguration( archivaConfiguration );

  212.     }*/

  213. 

  214.     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )

  215.         throws Exception

  216.     {

  217.         repositoryRegistry.reload();

  218.         archivaConfiguration.save( archivaConfiguration.getConfiguration() );        

  219.     }

  220. 

  221.     /*protected void setupCleanRepo( File repoRootDir )

  222.         throws IOException

  223.     {

  224.     }*/

  225. 

  226.     @Override

  227.     @After

  228.     public void tearDown()

  229.         throws Exception

  230.     {

  231. 

  232.        /* if ( repoRootInternal.exists() )

  233.         {

  234.             FileUtils.deleteDirectory( repoRootInternal );

  235.         }*/

  236. 

  237.         super.tearDown();

  238.         String appBaseProp = System.getProperty( "appserver.base" );

  239.         if (StringUtils.isNotEmpty( appBaseProp )) {

  240.             org.apache.archiva.common.utils.FileUtils.deleteDirectory( Paths.get(appBaseProp) );

  241.         }

  242.     }

  243. 

  244. 

  245. 

  246.     // test deploy with invalid user, and guest has no write access to repo

  247.     // 401 must be returned

  248.     @Test

  249.     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()

  250.         throws Exception

  251.     {

  252.         

  253.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  254.         assertNotNull( "artifact.jar inputstream", is );

  255. 

  256.         servlet.setDavSessionProvider( davSessionProvider );

  257. 

  258.         AuthenticationResult result = new AuthenticationResult();

  259. 

  260.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  261.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  262.             result );

  263. 

  264.         servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),

  265.                                      EasyMock.anyObject( AuthenticationResult.class ) );

  266.         EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );

  267. 

  268.         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

  269. 

  270.         EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );

  271. 

  272.         httpAuthControl.replay();

  273.         servletAuthControl.replay();

  274.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  275.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  276.         mockHttpServletRequest.setMethod( "PUT" );

  277.         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );

  278.         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );

  279.         mockHttpServletRequest.setContentType( "application/octet-stream" );

  280. 

  281.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  282. 

  283.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  284. 

  285.         httpAuthControl.verify();

  286.         servletAuthControl.verify();

  287. 

  288.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );

  289.     }

  290. 

  291.     // test deploy with invalid user, but guest has write access to repo

  292.     @Test

  293.     public void testPutWithInvalidUserAndGuestHasWriteAccess()

  294.         throws Exception

  295.     {

  296.         

  297.         servlet.setDavSessionProvider( davSessionProvider );

  298. 

  299.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  300.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  301.         archivaDavResourceFactory.setServletAuth( servletAuth );

  302. 

  303.         servlet.setResourceFactory( archivaDavResourceFactory );

  304. 

  305.         AuthenticationResult result = new AuthenticationResult();

  306. 

  307.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  308.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  309.             result );

  310. 

  311.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  312.                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(

  313.             new AuthenticationException( "Authentication error" ) );

  314. 

  315.         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",

  316.                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(

  317.             true );

  318. 

  319.         // ArchivaDavResourceFactory#isAuthorized()

  320.         SecuritySession session = new DefaultSecuritySession();

  321. 

  322.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  323.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  324.             result );

  325. 

  326.         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );

  327. 

  328.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andThrow(

  329.             new AuthenticationException( "Authentication error" ) );

  330. 

  331.         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );

  332. 

  333.         // check if guest has write access

  334.         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",

  335.                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(

  336.             true );

  337. 

  338.         httpAuthControl.replay();

  339.         servletAuthControl.replay();

  340. 

  341.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  342.         assertNotNull( "artifact.jar inputstream", is );

  343. 

  344.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  345.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  346.         mockHttpServletRequest.setMethod( "PUT" );

  347.         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );

  348.         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );

  349.         mockHttpServletRequest.setContentType( "application/octet-stream" );

  350. 

  351.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  352. 

  353.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  354. 

  355.         httpAuthControl.verify();

  356.         servletAuthControl.verify();

  357. 

  358.         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );

  359.     }

  360. 

  361.     // test deploy with a valid user with no write access

  362.     @Test

  363.     public void testPutWithValidUserWithNoWriteAccess()

  364.         throws Exception

  365.     {

  366.         

  367.         servlet.setDavSessionProvider( davSessionProvider );

  368. 

  369.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  370.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  371.         archivaDavResourceFactory.setServletAuth( servletAuth );

  372.         servlet.setResourceFactory( archivaDavResourceFactory );

  373. 

  374.         AuthenticationResult result = new AuthenticationResult();

  375. 

  376.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  377.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  378.             result );

  379. 

  380.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  381.                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );

  382. 

  383.         // ArchivaDavResourceFactory#isAuthorized()

  384.         SecuritySession session = new DefaultSecuritySession();

  385. 

  386.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  387.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  388.             result );

  389. 

  390.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  391. 

  392.         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession( true ) ) ).andReturn(

  393.             session );

  394. 

  395.         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( new SimpleUser() );

  396. 

  397.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  398.             true );

  399. 

  400.         EasyMock.expect(

  401.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  402.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andThrow(

  403.             new UnauthorizedException( "User not authorized" ) );

  404.         httpAuthControl.replay();

  405.         servletAuthControl.replay();

  406. 

  407.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  408.         assertNotNull( "artifact.jar inputstream", is );

  409. 

  410.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  411.         mockHttpServletRequest.setMethod( "PUT" );

  412.         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );

  413.         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );

  414.         mockHttpServletRequest.setContentType( "application/octet-stream" );

  415. 

  416.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  417. 

  418.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  419. 

  420.         httpAuthControl.verify();

  421.         servletAuthControl.verify();

  422. 

  423.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );

  424.     }

  425. 

  426.     // test deploy with a valid user with write access

  427.     @Test

  428.     public void testPutWithValidUserWithWriteAccess()

  429.         throws Exception

  430.     {

  431.         assertTrue( Files.exists(repoRootInternal.getRoot()) );

  432. 

  433.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  434.         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";

  435.         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );

  436.         assertNotNull( "artifact.jar inputstream", is );

  437. 

  438.         servlet.setDavSessionProvider( davSessionProvider );

  439. 

  440.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  441.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  442.         archivaDavResourceFactory.setServletAuth( servletAuth );

  443. 

  444.         TestAuditListener listener = new TestAuditListener();

  445.         archivaDavResourceFactory.addAuditListener( listener );

  446.         servlet.setResourceFactory( archivaDavResourceFactory );

  447. 

  448.         AuthenticationResult result = new AuthenticationResult();

  449. 

  450.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  451.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  452.             result );

  453. 

  454.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  455.                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );

  456. 

  457.         User user = new SimpleUser();

  458.         user.setUsername( "admin" );

  459. 

  460.         // ArchivaDavResourceFactory#isAuthorized()

  461.         SecuritySession session = new DefaultSecuritySession();

  462. 

  463.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  464.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  465.             result );

  466. 

  467.         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession() ) ).andReturn( session );

  468. 

  469.         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( user );

  470. 

  471.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  472.             true );

  473. 

  474.         EasyMock.expect(

  475.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  476.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andReturn( true );

  477. 

  478.         httpAuthControl.replay();

  479.         servletAuthControl.replay();

  480. 

  481.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  482.         mockHttpServletRequest.setMethod( "PUT" );

  483.         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );

  484.         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );

  485.         mockHttpServletRequest.setContentType( "application/octet-stream" );

  486. 

  487.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  488. 

  489.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  490. 

  491.         httpAuthControl.verify();

  492.         servletAuthControl.verify();

  493. 

  494.         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );

  495. 

  496.         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );

  497.     }

  498. 

  499.     // test get with invalid user, and guest has read access to repo

  500.     @Test

  501.     public void testGetWithInvalidUserAndGuestHasReadAccess()

  502.         throws Exception

  503.     {

  504.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  505.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  506. 

  507.         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );

  508.         Files.createDirectories(artifactFile.getParent());

  509. 

  510.         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);

  511. 

  512.         servlet.setDavSessionProvider( davSessionProvider );

  513. 

  514.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  515.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  516.         archivaDavResourceFactory.setServletAuth( servletAuth );

  517. 

  518.         servlet.setResourceFactory( archivaDavResourceFactory );

  519. 

  520.         AuthenticationResult result = new AuthenticationResult();

  521. 

  522.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  523.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  524.             result );

  525. 

  526.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  527.                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(

  528.             new AuthenticationException( "Authentication error" ) );

  529. 

  530.         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",

  531.                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(

  532.             true );

  533. 

  534.         // ArchivaDavResourceFactory#isAuthorized()

  535.         SecuritySession session = new DefaultSecuritySession();

  536. 

  537.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  538.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  539.             result );

  540. 

  541.         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );

  542. 

  543.         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );

  544. 

  545.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  546.             true );

  547. 

  548.         EasyMock.expect(

  549.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  550.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );

  551.         httpAuthControl.replay();

  552.         servletAuthControl.replay();

  553. 

  554.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  555.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  556.         mockHttpServletRequest.setMethod( "GET" );

  557.         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );

  558. 

  559.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  560. 

  561.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  562. 

  563.         httpAuthControl.verify();

  564.         servletAuthControl.verify();

  565. 

  566.         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );

  567. 

  568.         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );

  569.     }

  570. 

  571.     // test get with invalid user, and guest has no read access to repo

  572.     @Test

  573.     public void testGetWithInvalidUserAndGuestHasNoReadAccess()

  574.         throws Exception

  575.     {

  576.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  577.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  578. 

  579.         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );

  580.         Files.createDirectories(artifactFile.getParent());

  581. 

  582.         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);

  583. 

  584.         servlet.setDavSessionProvider( davSessionProvider );

  585. 

  586.         AuthenticationResult result = new AuthenticationResult();

  587. 

  588.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  589.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  590.             result );

  591. 

  592.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  593.                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(

  594.             new AuthenticationException( "Authentication error" ) );

  595. 

  596.         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",

  597.                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(

  598.             false );

  599.         httpAuthControl.replay();

  600.         servletAuthControl.replay();

  601. 

  602.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  603.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  604.         mockHttpServletRequest.setMethod( "GET" );

  605.         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );

  606. 

  607.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  608. 

  609.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  610. 

  611.         httpAuthControl.verify();

  612.         servletAuthControl.verify();

  613. 

  614.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );

  615.     }

  616. 

  617.     // test get with valid user with read access to repo

  618.     @Test

  619.     public void testGetWithAValidUserWithReadAccess()

  620.         throws Exception

  621.     {

  622.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  623.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  624. 

  625.         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );

  626.         Files.createDirectories(artifactFile.getParent());

  627. 

  628.         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);

  629. 

  630.         servlet.setDavSessionProvider( davSessionProvider );

  631. 

  632.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  633.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  634.         archivaDavResourceFactory.setServletAuth( servletAuth );

  635. 

  636.         servlet.setResourceFactory( archivaDavResourceFactory );

  637. 

  638.         AuthenticationResult result = new AuthenticationResult();

  639. 

  640.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  641.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  642.             result );

  643. 

  644.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  645.                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );

  646.         // ArchivaDavResourceFactory#isAuthorized()

  647.         SecuritySession session = new DefaultSecuritySession();

  648. 

  649.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  650.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  651.             result );

  652. 

  653.         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );

  654. 

  655.         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );

  656. 

  657.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  658.             true );

  659. 

  660.         EasyMock.expect(

  661.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  662.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );

  663. 

  664.         httpAuthControl.replay();

  665.         servletAuthControl.replay();

  666. 

  667.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  668.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  669.         mockHttpServletRequest.setMethod( "GET" );

  670.         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );

  671. 

  672.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  673. 

  674.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  675. 

  676.         httpAuthControl.verify();

  677.         servletAuthControl.verify();

  678. 

  679.         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );

  680.         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );

  681.     }

  682. 

  683.     // test get with valid user with no read access to repo

  684.     @Test

  685.     public void testGetWithAValidUserWithNoReadAccess()

  686.         throws Exception

  687.     {

  688.         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

  689.         String expectedArtifactContents = "dummy-commons-lang-artifact";

  690. 

  691.         Path artifactFile = repoRootInternal.getRoot().resolve( commonsLangJar );

  692.         Files.createDirectories(artifactFile.getParent());

  693. 

  694.         org.apache.archiva.common.utils.FileUtils.writeStringToFile( artifactFile, Charset.defaultCharset() , expectedArtifactContents);

  695. 

  696.         servlet.setDavSessionProvider( davSessionProvider );

  697. 

  698.         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();

  699.         archivaDavResourceFactory.setHttpAuth( httpAuth );

  700.         archivaDavResourceFactory.setServletAuth( servletAuth );

  701. 

  702.         servlet.setResourceFactory( archivaDavResourceFactory );

  703. 

  704.         AuthenticationResult result = new AuthenticationResult();

  705. 

  706.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  707.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  708.             result );

  709. 

  710.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),

  711.                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );

  712. 

  713.         // ArchivaDavResourceFactory#isAuthorized()

  714.         SecuritySession session = new DefaultSecuritySession();

  715. 

  716.         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),

  717.                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(

  718.             result );

  719. 

  720.         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );

  721. 

  722.         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );

  723. 

  724.         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(

  725.             true );

  726. 

  727.         EasyMock.expect(

  728.             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),

  729.                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andThrow(

  730.             new UnauthorizedException( "User not authorized to read repository." ) );

  731.         httpAuthControl.replay();

  732.         servletAuthControl.replay();

  733. 

  734.         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();

  735.         mockHttpServletRequest.addHeader( "User-Agent", "foo" );

  736.         mockHttpServletRequest.setMethod( "GET" );

  737.         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );

  738. 

  739. 

  740.         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();

  741. 

  742.         servlet.service( mockHttpServletRequest, mockHttpServletResponse );

  743. 

  744.         httpAuthControl.verify();

  745.         servletAuthControl.verify();

  746. 

  747.         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );

  748.     }

  749. 

  750. }