Coverage Report - org.apache.archiva.web.xmlrpc.security.XmlRpcAuthenticator
 
Classes in this File Line Coverage Branch Coverage Complexity
XmlRpcAuthenticator
0%
0/36
0%
0/14
0
 
 1  
 package org.apache.archiva.web.xmlrpc.security;
 2  
 
 3  
 /*
 4  
  * Licensed to the Apache Software Foundation (ASF) under one
 5  
  * or more contributor license agreements.  See the NOTICE file
 6  
  * distributed with this work for additional information
 7  
  * regarding copyright ownership.  The ASF licenses this file
 8  
  * to you under the Apache License, Version 2.0 (the
 9  
  * "License"); you may not use this file except in compliance
 10  
  * with the License.  You may obtain a copy of the License at
 11  
  *
 12  
  *  http://www.apache.org/licenses/LICENSE-2.0
 13  
  *
 14  
  * Unless required by applicable law or agreed to in writing,
 15  
  * software distributed under the License is distributed on an
 16  
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 17  
  * KIND, either express or implied.  See the License for the
 18  
  * specific language governing permissions and limitations
 19  
  * under the License.
 20  
  */
 21  
 
 22  
 import java.util.List;
 23  
 
 24  
 import org.apache.maven.archiva.security.ArchivaRoleConstants;
 25  
 import org.apache.maven.archiva.security.ArchivaSecurityException;
 26  
 import org.apache.maven.archiva.security.UserRepositories;
 27  
 import org.apache.xmlrpc.XmlRpcException;
 28  
 import org.apache.xmlrpc.XmlRpcRequest;
 29  
 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
 30  
 import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping.AuthenticationHandler;
 31  
 import org.codehaus.plexus.redback.authentication.AuthenticationException;
 32  
 import org.codehaus.plexus.redback.authentication.PasswordBasedAuthenticationDataSource;
 33  
 import org.codehaus.plexus.redback.authorization.AuthorizationException;
 34  
 import org.codehaus.plexus.redback.authorization.AuthorizationResult;
 35  
 import org.codehaus.plexus.redback.policy.PolicyViolationException;
 36  
 import org.codehaus.plexus.redback.system.SecuritySession;
 37  
 import org.codehaus.plexus.redback.system.SecuritySystem;
 38  
 import org.codehaus.plexus.redback.users.UserNotFoundException;
 39  
 
 40  
 /**
 41  
  * XmlRpcAuthenticator
 42  
  * 
 43  
  * Custom authentication and authorization handler for xmlrpc requests.
 44  
  * 
 45  
  * @version $Id 
 46  
  */
 47  
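 public class XmlRpcAuthenticator
     implements AuthenticationHandler
 {
     private final SecuritySystem securitySystem;

     private final UserRepositories userRepositories;

     // Name taken from the most recent request seen by isAuthorized(). This is per-instance state,
     // not per-request state: if one authenticator instance serves concurrent requests (not visible
     // here - confirm how the handler is registered), getActiveUser() may report another caller.
     private String username;

     /**
      * Creates the handler.
      *
      * @param securitySystem   used to authenticate the HTTP basic credentials and to evaluate permissions
      * @param userRepositories used to look up the repositories a user may observe
      */
     public XmlRpcAuthenticator( SecuritySystem securitySystem, UserRepositories userRepositories )
     {
         this.securitySystem = securitySystem;
         this.userRepositories = userRepositories;
     }

     /**
      * Authenticates the HTTP basic credentials carried by the request and then checks whether that
      * user may invoke the requested service method.
      *
      * @param pRequest the incoming XML-RPC request
      * @return <code>true</code> if the caller may invoke the requested method
      * @throws XmlRpcException with code 401 when authentication or the authorization lookup fails,
      *                         or without a code when the request did not arrive over HTTP
      */
     public boolean isAuthorized( XmlRpcRequest pRequest )
         throws XmlRpcException
     {
         if ( !( pRequest.getConfig() instanceof XmlRpcHttpRequestConfigImpl ) )
         {
             throw new XmlRpcException( "Unsupported transport (must be http)" );
         }

         XmlRpcHttpRequestConfigImpl config = (XmlRpcHttpRequestConfigImpl) pRequest.getConfig();

         // Work on a local copy so the authorization decision below is always made for the user
         // whose credentials were checked, even if the shared field is overwritten meanwhile.
         String requestUser = config.getBasicUserName();
         username = requestUser;

         SecuritySession session =
             authenticate( new PasswordBasedAuthenticationDataSource( requestUser, config.getBasicPassword() ) );

         // Fail closed: the repository-access and ping branches of authorize() decide from the user
         // name alone, so a session that came back without being authenticated must stop here.
         // NOTE(review): whether SecuritySystem.authenticate() throws or returns an unauthenticated
         // session on a bad password is not visible in this file - this check covers the latter.
         if ( session == null || !session.isAuthenticated() )
         {
             throw new XmlRpcException( 401, "Authentication failed" );
         }

         AuthorizationResult result = authorize( session, pRequest.getMethodName(), requestUser );

         return result.isAuthorized();
     }

     /**
      * Delegates credential checking to the security system and maps its failures to XML-RPC code 401.
      *
      * @param authenticationDataSource the user name / password pair to verify
      * @return the session returned by the security system
      * @throws XmlRpcException with code 401 when the security system rejects the credentials
      */
     private SecuritySession authenticate( PasswordBasedAuthenticationDataSource authenticationDataSource )
         throws XmlRpcException
     {
         // NOTE(review): the underlying exception message is passed back to the client. If those
         // messages differ between "unknown user" and "wrong password", the response lets a caller
         // tell valid account names apart - consider one generic message and logging the detail.
         try
         {
             return securitySystem.authenticate( authenticationDataSource );
         }
         catch ( PolicyViolationException e )
         {
             throw new XmlRpcException( 401, e.getMessage(), e );
         }
         catch ( AuthenticationException e )
         {
             throw new XmlRpcException( 401, e.getMessage(), e );
         }
         catch ( UserNotFoundException e )
         {
             throw new XmlRpcException( 401, e.getMessage(), e );
         }
     }

     /**
      * Maps the requested service method to the permission it needs and evaluates it.
      *
      * @param session    the session obtained from {@link #authenticate}
      * @param methodName the XML-RPC method being invoked
      * @param username   the user the decision is made for
      * @return the authorization decision
      * @throws XmlRpcException with code 401 when the permission or repository lookup fails
      */
     private AuthorizationResult authorize( SecuritySession session, String methodName, String username )
         throws XmlRpcException
     {
         try
         {
             // sample attempt at simplifying authorization checking of requested service method
             if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION.contains( methodName ) )
             {
                 return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
             }

             if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER.contains( methodName ) )
             {
                 return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_RUN_INDEXER );
             }

             if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_REPOSITORY_ACCESS.contains( methodName ) )
             {
                 try
                 {
                     List<String> observableRepos = userRepositories.getObservableRepositoryIds( username );

                     // NOTE(review): this grants access only when the user can observe MORE than one
                     // repository; a user with exactly one is denied. If the intent is "at least
                     // one", the test should be size() > 0 - confirm first, since that widens access.
                     boolean allowed = observableRepos != null && observableRepos.size() > 1;

                     return new AuthorizationResult( allowed, username, null );
                 }
                 catch ( ArchivaSecurityException e )
                 {
                     // Keep the cause so the server-side trace shows why the lookup failed.
                     throw new XmlRpcException( 401, e.getMessage(), e );
                 }
             }

             // Constant-first comparison: a missing method name falls through to the strictest
             // check below instead of raising a NullPointerException.
             if ( ServiceMethodsPermissionsMapping.PING.equals( methodName ) )
             {
                 // Ping needs no particular permission.
                 return new AuthorizationResult( true, username, null );
             }

             // Any method not listed above requires the global repository manager role.
             return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );
         }
         catch ( AuthorizationException e )
         {
             throw new XmlRpcException( 401, e.getMessage(), e );
         }
     }

     /**
      * Returns the user name read from the most recent request passed to
      * {@link #isAuthorized(XmlRpcRequest)} on this instance. The name is recorded before the
      * credentials are verified, so it is not proof of a successful login.
      *
      * @return the last user name seen, or <code>null</code> if no request has been processed
      */
     public String getActiveUser()
     {
         return username;
     }
 }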