
1   package org.apache.maven.archiva.security;
2   
3   /*
4    * Licensed to the Apache Software Foundation (ASF) under one
5    * or more contributor license agreements.  See the NOTICE file
6    * distributed with this work for additional information
7    * regarding copyright ownership.  The ASF licenses this file
8    * to you under the Apache License, Version 2.0 (the
9    * "License"); you may not use this file except in compliance
10   * with the License.  You may obtain a copy of the License at
11   *
12   *  http://www.apache.org/licenses/LICENSE-2.0
13   *
14   * Unless required by applicable law or agreed to in writing,
15   * software distributed under the License is distributed on an
16   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17   * KIND, either express or implied.  See the License for the
18   * specific language governing permissions and limitations
19   * under the License.
20   */
21  
22  import javax.servlet.http.HttpServletRequest;
23  
24  import org.codehaus.plexus.redback.authentication.AuthenticationException;
25  import org.codehaus.plexus.redback.authentication.AuthenticationResult;
26  import org.codehaus.plexus.redback.authorization.UnauthorizedException;
27  import org.codehaus.plexus.redback.system.DefaultSecuritySession;
28  import org.codehaus.plexus.redback.system.SecuritySession;
29  import org.codehaus.plexus.redback.users.User;
30  import org.codehaus.plexus.redback.users.UserManager;
31  
32  import org.easymock.MockControl;
33  
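/**
 * Tests for the {@code default} {@link ServletAuthenticator} component.
 * <p>
 * Two checks are exercised: {@code isAuthenticated( request, result )}, which decides whether
 * an {@link AuthenticationResult} represents a valid login, and {@code isAuthorized}, which
 * decides whether a principal may perform a repository operation. The session-based
 * {@code isAuthorized} overload (logged-in users) reports a refusal by throwing
 * {@link UnauthorizedException}; the principal-based overload used for the guest account
 * reports it by returning {@code false}. Positive cases use the repository manager role
 * (upload) and the repository observer role (read); the negative cases assign no role, or
 * only the observer role when upload is requested.
 */
public class ArchivaServletAuthenticatorTest
    extends AbstractSecurityTest
{
    /** Repository every test authorizes against; created in {@link #setUp()}. */
    private static final String REPO_ID = "corporate";

    /** Display name used when creating the test user {@code USER_ALPACA}. */
    private static final String USER_ALPACA_FULL_NAME = "Al 'Archiva' Paca";

    /** Component under test, looked up with the {@code default} role hint. */
    private ServletAuthenticator servletAuth;

    /**
     * EasyMock control for {@link #request}. Only
     * {@link #testIsAuthorizedUserHasNoWriteAccess()} records an expectation and replays it;
     * in every other test the control stays in record state, so whatever the authenticator
     * calls on the request there is neither stubbed nor verified.
     */
    private MockControl httpServletRequestControl;

    /** Mock servlet request handed to the authenticator. */
    private HttpServletRequest request;

    @Override
    public void setUp()
        throws Exception
    {
        super.setUp();

        servletAuth = (ServletAuthenticator) lookup( ServletAuthenticator.class, "default" );

        httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
        request = (HttpServletRequest) httpServletRequestControl.getMock();

        setupRepository( REPO_ID );
    }

    @Override
    protected String getPlexusConfigLocation()
    {
        return "org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml";
    }

    /**
     * Grants {@code principal} the templated repository manager role for {@code repoId}.
     *
     * @param principal user name to grant the role to
     * @param repoId    repository the templated role is instantiated for
     * @throws Exception if the role manager refuses the assignment
     */
    protected void assignRepositoryManagerRole( String principal, String repoId )
        throws Exception
    {
        roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
    }

    /**
     * Builds the security session the authenticator is handed for a logged-in user: the
     * {@link User} looked up from the user manager together with a successful
     * {@link AuthenticationResult} for the same principal.
     *
     * @param principal user name of a user that has already been created
     * @return session for that principal
     * @throws Exception propagated from the user lookup
     */
    private SecuritySession createSession( String principal )
        throws Exception
    {
        UserManager userManager = securitySystem.getUserManager();
        User user = userManager.findUser( principal );

        AuthenticationResult result = new AuthenticationResult( true, principal, null );

        return new DefaultSecuritySession( result, user );
    }

    /**
     * Asserts that authorizing {@code session} for {@code permission} on {@link #REPO_ID} is
     * refused with the authenticator's standard denial message.
     *
     * @param session    session of the principal being checked
     * @param permission operation being requested
     * @throws Exception anything other than the expected {@link UnauthorizedException}
     */
    private void assertAccessDenied( SecuritySession session, String permission )
        throws Exception
    {
        try
        {
            servletAuth.isAuthorized( request, session, REPO_ID, permission );
            fail( "UnauthorizedException should have been thrown." );
        }
        catch ( UnauthorizedException e )
        {
            assertEquals( "Access denied for repository corporate", e.getMessage() );
        }
    }

    public void testIsAuthenticatedUserExists()
        throws Exception
    {
        // No user named "user" is created here, so the check evidently keys off the
        // result's authenticated flag rather than the user store — confirm in the component.
        AuthenticationResult result = new AuthenticationResult( true, "user", null );

        assertTrue( servletAuth.isAuthenticated( request, result ) );
    }

    public void testIsAuthenticatedUserDoesNotExist()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );

        try
        {
            servletAuth.isAuthenticated( request, result );
            fail( "Authentication exception should have been thrown." );
        }
        catch ( AuthenticationException e )
        {
            assertEquals( "User Credentials Invalid", e.getMessage() );
        }
    }

    public void testIsAuthorizedUserHasWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULL_NAME );

        assignRepositoryManagerRole( USER_ALPACA, REPO_ID );

        SecuritySession session = createSession( USER_ALPACA );

        assertTrue( servletAuth.isAuthorized( request, session, REPO_ID,
                                              ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) );
    }

    public void testIsAuthorizedUserHasNoWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULL_NAME );

        assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

        // The refusal path reads the client address (presumably for audit logging — confirm in
        // the component); verify() below fails if getRemoteAddr() is not consulted.
        httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );

        SecuritySession session = createSession( USER_ALPACA );

        httpServletRequestControl.replay();

        assertAccessDenied( session, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

        httpServletRequestControl.verify();
    }

    public void testIsAuthorizedUserHasReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULL_NAME );

        assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

        SecuritySession session = createSession( USER_ALPACA );

        assertTrue( servletAuth.isAuthorized( request, session, REPO_ID,
                                              ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) );
    }

    public void testIsAuthorizedUserHasNoReadAccess()
        throws Exception
    {
        // User exists but holds no role at all on the repository.
        createUser( USER_ALPACA, USER_ALPACA_FULL_NAME );

        SecuritySession session = createSession( USER_ALPACA );

        // NOTE(review): unlike testIsAuthorizedUserHasNoWriteAccess, the request mock is not
        // replayed here, so a getRemoteAddr() call on this refusal path is neither stubbed
        // nor verified.
        assertAccessDenied( session, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
    }

    public void testIsAuthorizedGuestUserHasWriteAccess()
        throws Exception
    {
        assignRepositoryManagerRole( USER_GUEST, REPO_ID );

        assertTrue( servletAuth.isAuthorized( USER_GUEST, REPO_ID,
                                              ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) );
    }

    public void testIsAuthorizedGuestUserHasNoWriteAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );

        // Principal-based overload: refusal is a false return, not an UnauthorizedException.
        assertFalse( servletAuth.isAuthorized( USER_GUEST, REPO_ID,
                                               ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) );
    }

    public void testIsAuthorizedGuestUserHasReadAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );

        assertTrue( servletAuth.isAuthorized( USER_GUEST, REPO_ID,
                                              ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) );
    }

    public void testIsAuthorizedGuestUserHasNoReadAccess()
        throws Exception
    {
        // Guest holds no role on the repository.
        assertFalse( servletAuth.isAuthorized( USER_GUEST, REPO_ID,
                                               ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) );
    }
}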