1 package org.apache.maven.archiva.security;
22 import javax.servlet.http.HttpServletRequest;
23
24 import org.codehaus.plexus.redback.authentication.AuthenticationException;
25 import org.codehaus.plexus.redback.authentication.AuthenticationResult;
26 import org.codehaus.plexus.redback.authorization.UnauthorizedException;
27 import org.codehaus.plexus.redback.system.DefaultSecuritySession;
28 import org.codehaus.plexus.redback.system.SecuritySession;
29 import org.codehaus.plexus.redback.users.User;
30 import org.codehaus.plexus.redback.users.UserManager;
31
32 import org.easymock.MockControl;
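/**
 * Exercises the "default" {@link ServletAuthenticator}: authentication of an
 * {@link AuthenticationResult}, and authorization of a named user or the guest
 * principal against one repository for read and upload operations.
 * <p>
 * Each authorization test follows the same shape: create the user, grant (or
 * withhold) a repository role, build a security session for that user, and
 * check the authenticator's decision. The session set-up is shared through
 * {@link #createAuthenticatedSession(String)} so the tests differ only in the
 * role granted and the operation requested.
 */
public class ArchivaServletAuthenticatorTest
    extends AbstractSecurityTest
{
    /** Repository id every test authorizes against; created in {@link #setUp()}. */
    private static final String REPO_ID = "corporate";

    /** Display name used when creating the alpaca test user. */
    private static final String USER_ALPACA_FULLNAME = "Al 'Archiva' Paca";

    /** Message the authenticator is expected to raise on a failed authentication. */
    private static final String MSG_CREDENTIALS_INVALID = "User Credentials Invalid";

    /** Message the authenticator is expected to raise when access to {@link #REPO_ID} is denied. */
    private static final String MSG_ACCESS_DENIED = "Access denied for repository corporate";

    private ServletAuthenticator servletAuth;

    private MockControl httpServletRequestControl;

    private HttpServletRequest request;

    /**
     * Looks up the authenticator under test, prepares a mock servlet request and
     * registers the {@link #REPO_ID} repository.
     *
     * @throws Exception if the Plexus lookup or repository set-up fails
     */
    @Override
    public void setUp()
        throws Exception
    {
        super.setUp();

        servletAuth = (ServletAuthenticator) lookup( ServletAuthenticator.class, "default" );

        httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
        request = (HttpServletRequest) httpServletRequestControl.getMock();

        setupRepository( REPO_ID );
    }

    /**
     * @return the Plexus configuration that wires the "default" authenticator for this test
     */
    @Override
    protected String getPlexusConfigLocation()
    {
        return "org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml";
    }

    /**
     * Grants the templated repository-manager role (which carries upload rights) for
     * one repository to a principal.
     *
     * @param principal the user name to grant the role to
     * @param repoId    the repository the role is scoped to
     * @throws Exception if the role manager rejects the assignment
     */
    protected void assignRepositoryManagerRole( String principal, String repoId )
        throws Exception
    {
        roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
    }

    /**
     * Builds the security session the servlet layer would hold after a successful
     * authentication of an existing user: the user is fetched from the user manager
     * and paired with an {@link AuthenticationResult} flagged as authenticated.
     *
     * @param principal the user name, which must already have been created
     * @return a session for that user whose authentication result is successful
     * @throws Exception if the user cannot be looked up
     */
    private SecuritySession createAuthenticatedSession( String principal )
        throws Exception
    {
        UserManager userManager = securitySystem.getUserManager();
        User user = userManager.findUser( principal );

        AuthenticationResult result = new AuthenticationResult( true, principal, null );

        return new DefaultSecuritySession( result, user );
    }

    /**
     * A result flagged as authenticated is accepted.
     * <p>
     * NOTE(review): the principal "user" is never created, so this only covers the
     * success flag carried by the result; whether the authenticator re-checks the
     * principal against the user manager is not exercised here — confirm against
     * {@link ServletAuthenticator#isAuthenticated}.
     *
     * @throws Exception if the authenticator fails unexpectedly
     */
    public void testIsAuthenticatedUserExists()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( true, "user", null );
        boolean isAuthenticated = servletAuth.isAuthenticated( request, result );

        assertTrue( isAuthenticated );
    }

    /**
     * A result flagged as not authenticated is rejected with an
     * {@link AuthenticationException} carrying the generic credentials message
     * (the message deliberately does not say whether the user exists).
     *
     * @throws Exception if anything other than the expected exception occurs
     */
    public void testIsAuthenticatedUserDoesNotExist()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
        try
        {
            servletAuth.isAuthenticated( request, result );
            fail( "Authentication exception should have been thrown." );
        }
        catch ( AuthenticationException e )
        {
            assertEquals( MSG_CREDENTIALS_INVALID, e.getMessage() );
        }
    }

    /**
     * A user holding the repository-manager role may upload to that repository.
     *
     * @throws Exception if user or role set-up fails
     */
    public void testIsAuthorizedUserHasWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULLNAME );

        assignRepositoryManagerRole( USER_ALPACA, REPO_ID );

        SecuritySession session = createAuthenticatedSession( USER_ALPACA );
        boolean isAuthorized =
            servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

        assertTrue( isAuthorized );
    }

    /**
     * A user holding only the observer role is denied upload with an
     * {@link UnauthorizedException}.
     * <p>
     * The denied path reads the caller's remote address (presumably for the
     * access-denied log entry — verify against {@link ServletAuthenticator}); the
     * mock is replayed and verified so that exactly that call is made. The other
     * tests leave the mock in record state, where calls are merely recorded.
     *
     * @throws Exception if anything other than the expected exception occurs
     */
    public void testIsAuthorizedUserHasNoWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULLNAME );

        assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

        httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );

        SecuritySession session = createAuthenticatedSession( USER_ALPACA );

        httpServletRequestControl.replay();

        try
        {
            servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
            fail( "UnauthorizedException should have been thrown." );
        }
        catch ( UnauthorizedException e )
        {
            assertEquals( MSG_ACCESS_DENIED, e.getMessage() );
        }

        httpServletRequestControl.verify();
    }

    /**
     * A user holding the observer role may read the repository.
     *
     * @throws Exception if user or role set-up fails
     */
    public void testIsAuthorizedUserHasReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULLNAME );

        assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

        SecuritySession session = createAuthenticatedSession( USER_ALPACA );
        boolean isAuthorized =
            servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

        assertTrue( isAuthorized );
    }

    /**
     * A user with no repository role at all is denied read access with an
     * {@link UnauthorizedException}; an authenticated session alone grants nothing.
     *
     * @throws Exception if anything other than the expected exception occurs
     */
    public void testIsAuthorizedUserHasNoReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, USER_ALPACA_FULLNAME );

        SecuritySession session = createAuthenticatedSession( USER_ALPACA );
        try
        {
            servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
            fail( "UnauthorizedException should have been thrown." );
        }
        catch ( UnauthorizedException e )
        {
            assertEquals( MSG_ACCESS_DENIED, e.getMessage() );
        }
    }

    /**
     * The guest principal may upload when it has been granted the manager role.
     * Guest checks use the principal-only overload, with no request or session.
     *
     * @throws Exception if role set-up fails
     */
    public void testIsAuthorizedGuestUserHasWriteAccess()
        throws Exception
    {
        assignRepositoryManagerRole( USER_GUEST, REPO_ID );
        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

        assertTrue( isAuthorized );
    }

    /**
     * The guest principal with only the observer role may not upload; unlike the
     * session-based overload this one reports denial as {@code false}, not an exception.
     *
     * @throws Exception if role set-up fails
     */
    public void testIsAuthorizedGuestUserHasNoWriteAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );

        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
        assertFalse( isAuthorized );
    }

    /**
     * The guest principal with the observer role may read the repository.
     *
     * @throws Exception if role set-up fails
     */
    public void testIsAuthorizedGuestUserHasReadAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );

        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

        assertTrue( isAuthorized );
    }

    /**
     * The guest principal with no role is denied read access: a repository is not
     * readable anonymously unless guest has explicitly been granted a role on it.
     *
     * @throws Exception if the authenticator fails unexpectedly
     */
    public void testIsAuthorizedGuestUserHasNoReadAccess()
        throws Exception
    {
        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

        assertFalse( isAuthorized );
    }
}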