1 package org.apache.archiva.xmlrpc.security;
22 import org.apache.archiva.web.xmlrpc.security.XmlRpcAuthenticator;
23 import org.apache.maven.archiva.security.ArchivaRoleConstants;
24 import org.apache.xmlrpc.XmlRpcRequest;
25 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
26 import org.codehaus.plexus.redback.role.RoleManager;
27 import org.codehaus.plexus.redback.system.SecuritySystem;
28 import org.codehaus.plexus.redback.users.User;
29 import org.codehaus.plexus.redback.users.UserManager;
30 import org.codehaus.plexus.redback.users.UserNotFoundException;
31 import org.codehaus.plexus.spring.PlexusInSpringTestCase;
32 import org.easymock.MockControl;
33 import org.easymock.classextension.MockClassControl;
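/**
 * Tests {@link XmlRpcAuthenticator#isAuthorized(XmlRpcRequest)} against a Plexus/Redback
 * security system populated with an admin and a guest fixture user.
 *
 * The XML-RPC request and its HTTP config are EasyMock mocks that hand the authenticator
 * a basic-auth username/password pair and a method name; every test verifies that the
 * authenticator consumed exactly those calls.
 */
public class XmlRpcAuthenticatorTest
    extends PlexusInSpringTestCase
{
    protected static final String USER_GUEST = "guest";

    protected static final String USER_ADMIN = "admin";

    protected static final String USER_ALPACA = "alpaca";

    private static final String PASSWORD = "password123";

    /** XML-RPC method every test asks the authenticator about. */
    private static final String METHOD_NAME = "AdministrationService.getAllManagedRepositories";

    protected SecuritySystem securitySystem;

    protected RoleManager roleManager;

    private MockControl xmlRpcRequestControl;

    private XmlRpcRequest xmlRpcRequest;

    private XmlRpcAuthenticator authenticator;

    private MockControl configControl;

    private XmlRpcHttpRequestConfigImpl config;

    /**
     * Looks up the testable security system and role manager, seeds the admin and guest
     * users with their roles, and prepares the request/config mocks.
     */
    @Override
    public void setUp()
        throws Exception
    {
        super.setUp();

        securitySystem = (SecuritySystem) lookup( SecuritySystem.class, "testable" );
        roleManager = (RoleManager) lookup( RoleManager.class, "default" );

        assertNotNull( securitySystem );
        assertNotNull( roleManager );

        // Both fixture users are created without a password; only the alpaca user created in
        // the tests themselves carries one.
        User adminUser = createUser( USER_ADMIN, "Admin User", null );
        roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_SYSTEM_ADMIN, adminUser.getPrincipal().toString() );

        User guestUser = createUser( USER_GUEST, "Guest User", null );
        roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GUEST, guestUser.getPrincipal().toString() );

        configControl = MockClassControl.createControl( XmlRpcHttpRequestConfigImpl.class );
        config = (XmlRpcHttpRequestConfigImpl) configControl.getMock();

        xmlRpcRequestControl = MockControl.createControl( XmlRpcRequest.class );
        xmlRpcRequest = (XmlRpcRequest) xmlRpcRequestControl.getMock();

        // Second constructor argument is intentionally null in this fixture; see XmlRpcAuthenticator.
        authenticator = new XmlRpcAuthenticator( securitySystem, null );
    }

    /**
     * Creates and persists a user with the given principal, full name and (possibly null) password.
     *
     * The user-security policy is switched off only for the duration of {@code addUser}; the
     * {@code finally} guarantees it is switched back on even when persisting fails, so a broken
     * fixture cannot leave later tests running with the policy disabled.
     *
     * @param principal login name, also used to derive the e-mail address
     * @param fullname display name
     * @param password password to set after the user is stored; may be null
     * @return the stored user
     * @throws UserNotFoundException if the user manager cannot update the freshly added user
     */
    private User createUser( String principal, String fullname, String password )
        throws UserNotFoundException
    {
        UserManager userManager = securitySystem.getUserManager();

        User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" );

        // presumably disabled so fixture users without a password pass validation — confirm against the policy
        securitySystem.getPolicy().setEnabled( false );
        try
        {
            userManager.addUser( user );
        }
        finally
        {
            securitySystem.getPolicy().setEnabled( true );
        }

        user.setPassword( password );
        userManager.updateUser( user );

        return user;
    }

    /**
     * Fails the test unless a user with the given principal is stored in the user manager.
     *
     * @param principal login name expected to exist
     */
    private void assertUserExists( String principal )
    {
        UserManager userManager = securitySystem.getUserManager();
        try
        {
            User user = userManager.findUser( principal );
            assertEquals( principal, user.getPrincipal() );
        }
        catch ( UserNotFoundException e )
        {
            fail( "User should exist in the database." );
        }
    }

    /**
     * Drives the authenticator with a mocked basic-auth request for {@link #METHOD_NAME}.
     *
     * Records the exact calls the authenticator is expected to make (two {@code getConfig()}
     * calls, one username/password lookup each, one method-name lookup), replays, runs the
     * authorization check and verifies that nothing more and nothing less was called.
     *
     * @param username basic-auth username offered by the request
     * @param password basic-auth password offered by the request
     * @return what {@link XmlRpcAuthenticator#isAuthorized(XmlRpcRequest)} returned
     * @throws Exception propagated from the authenticator
     */
    private boolean authorize( String username, String password )
        throws Exception
    {
        xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getConfig(), config, 2 );
        configControl.expectAndReturn( config.getBasicUserName(), username );
        configControl.expectAndReturn( config.getBasicPassword(), password );
        xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getMethodName(), METHOD_NAME );

        xmlRpcRequestControl.replay();
        configControl.replay();

        boolean isAuthorized = authenticator.isAuthorized( xmlRpcRequest );

        xmlRpcRequestControl.verify();
        configControl.verify();

        return isAuthorized;
    }

    /** A stored user with valid credentials but no role must be denied. */
    public void testIsAuthorizedUserExistsButNotAuthorized()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca", PASSWORD );
        assertUserExists( USER_ALPACA );

        assertFalse( authorize( USER_ALPACA, PASSWORD ) );
    }

    /**
     * Exercises the authorization path for a stored user with valid credentials.
     *
     * TODO(review): this test does not assert on the result. No role is assigned to the alpaca
     * user here, so the expected value is not established by this file; once the role that
     * authorizes {@link #METHOD_NAME} is confirmed, assign it and {@code assertTrue} the result.
     */
    public void testIsAuthorizedUserExistsAndAuthorized()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca", PASSWORD );
        assertUserExists( USER_ALPACA );

        // Only the mock interaction is verified for now (see class-level TODO above).
        authorize( USER_ALPACA, PASSWORD );
    }

    /** Credentials for a user that was never stored must be denied. */
    public void testIsAuthorizedUserDoesNotExist()
        throws Exception
    {
        UserManager userManager = securitySystem.getUserManager();
        try
        {
            userManager.findUser( USER_ALPACA );
            fail( "User should not exist in the database." );
        }
        catch ( UserNotFoundException e )
        {
            // NOTE: pins Redback's exact message text; a wording change upstream breaks this test.
            assertEquals( "Unable to find user 'alpaca'", e.getMessage() );
        }

        assertFalse( authorize( USER_ALPACA, PASSWORD ) );
    }
}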