View Javadoc

1   package org.apache.maven.archiva.webdav;
2   
3   /*
4    * Licensed to the Apache Software Foundation (ASF) under one
5    * or more contributor license agreements.  See the NOTICE file
6    * distributed with this work for additional information
7    * regarding copyright ownership.  The ASF licenses this file
8    * to you under the Apache License, Version 2.0 (the
9    * "License"); you may not use this file except in compliance
10   * with the License.  You may obtain a copy of the License at
11   *
12   *  http://www.apache.org/licenses/LICENSE-2.0
13   *
14   * Unless required by applicable law or agreed to in writing,
15   * software distributed under the License is distributed on an
16   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17   * KIND, either express or implied.  See the License for the
18   * specific language governing permissions and limitations
19   * under the License.
20   */
21  
22  import java.io.File;
23  import java.io.IOException;
24  import java.io.InputStream;
25  import java.util.List;
26  
27  import javax.servlet.http.HttpServletResponse;
28  
29  import net.sf.ehcache.CacheManager;
30  
31  import org.apache.commons.io.FileUtils;
32  import org.apache.jackrabbit.webdav.DavSessionProvider;
33  import org.apache.maven.archiva.configuration.ArchivaConfiguration;
34  import org.apache.maven.archiva.configuration.Configuration;
35  import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
36  import org.apache.maven.archiva.database.ArchivaAuditLogsDao;
37  import org.apache.maven.archiva.database.constraints.MostRecentArchivaAuditLogsConstraint;
38  import org.apache.maven.archiva.model.ArchivaAuditLogs;
39  import org.apache.maven.archiva.repository.audit.AuditLog;
40  import org.apache.maven.archiva.security.ArchivaRoleConstants;
41  import org.apache.maven.archiva.security.ServletAuthenticator;
42  import org.codehaus.plexus.redback.authentication.AuthenticationException;
43  import org.codehaus.plexus.redback.authentication.AuthenticationResult;
44  import org.codehaus.plexus.redback.authorization.UnauthorizedException;
45  import org.codehaus.plexus.redback.system.DefaultSecuritySession;
46  import org.codehaus.plexus.redback.system.SecuritySession;
47  import org.codehaus.plexus.redback.users.User;
48  import org.codehaus.plexus.redback.users.memory.SimpleUser;
49  import org.codehaus.plexus.spring.PlexusInSpringTestCase;
50  import org.codehaus.redback.integration.filter.authentication.HttpAuthenticator;
51  import org.codehaus.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
52  import org.easymock.MockControl;
53  import org.easymock.classextension.MockClassControl;
54  
55  import com.meterware.httpunit.GetMethodWebRequest;
56  import com.meterware.httpunit.HttpUnitOptions;
57  import com.meterware.httpunit.PutMethodWebRequest;
58  import com.meterware.httpunit.WebRequest;
59  import com.meterware.httpunit.WebResponse;
60  import com.meterware.servletunit.InvocationContext;
61  import com.meterware.servletunit.ServletRunner;
62  import com.meterware.servletunit.ServletUnitClient;
63  
64  /**
65   * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
66   * perform redback security checking.
67   * 
68   * @version $Id: RepositoryServletSecurityTest.java 918857 2010-03-04 05:18:44Z brett $
69   */
70  public class RepositoryServletSecurityTest
71      extends PlexusInSpringTestCase
72  {
73      protected static final String REPOID_INTERNAL = "internal";
74  
75      protected ServletUnitClient sc;
76  
77      protected File repoRootInternal;
78  
79      private ServletRunner sr;
80  
81      protected ArchivaConfiguration archivaConfiguration;
82  
83      private DavSessionProvider davSessionProvider;
84  
85      private MockControl servletAuthControl;
86  
87      private ServletAuthenticator servletAuth;
88  
89      private MockClassControl httpAuthControl;
90  
91      private HttpAuthenticator httpAuth;
92  
93      private RepositoryServlet servlet;
94  
95      public void setUp()
96          throws Exception
97      {
98          super.setUp();
99  
100         String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath();
101         System.setProperty( "appserver.base", appserverBase );
102 
103         File testConf = getTestFile( "src/test/resources/repository-archiva.xml" );
104         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
105         FileUtils.copyFile( testConf, testConfDest );
106 
107         archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
108         repoRootInternal = new File( appserverBase, "data/repositories/internal" );
109         Configuration config = archivaConfiguration.getConfiguration();
110 
111         config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
112         saveConfiguration( archivaConfiguration );
113 
114         CacheManager.getInstance().removeCache( "url-failures-cache" );
115 
116         HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
117 
118         sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
119         sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
120         sc = sr.newClient();
121 
122         servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
123         servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
124         servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
125 
126         httpAuthControl =
127             MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
128         httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
129         httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
130 
131         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
132     }
133 
134     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
135     {
136         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
137         repo.setId( id );
138         repo.setName( name );
139         repo.setLocation( location.getAbsolutePath() );
140         return repo;
141     }
142 
143     protected void saveConfiguration()
144         throws Exception
145     {
146         saveConfiguration( archivaConfiguration );
147     }
148 
149     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
150         throws Exception
151     {
152         archivaConfiguration.save( archivaConfiguration.getConfiguration() );
153     }
154 
155     protected void setupCleanRepo( File repoRootDir )
156         throws IOException
157     {
158         FileUtils.deleteDirectory( repoRootDir );
159         if ( !repoRootDir.exists() )
160         {
161             repoRootDir.mkdirs();
162         }
163     }
164 
165     @Override
166     protected String getPlexusConfigLocation()
167     {
168         return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml";
169     }
170 
171     @Override
172     protected void tearDown()
173         throws Exception
174     {
175         if ( sc != null )
176         {
177             sc.clearContents();
178         }
179 
180         if ( sr != null )
181         {
182             sr.shutDown();
183         }
184 
185         if ( repoRootInternal.exists() )
186         {
187             FileUtils.deleteDirectory( repoRootInternal );
188         }
189 
190         servlet = null;
191 
192         super.tearDown();
193     }
194 
195     // test deploy with invalid user, and guest has no write access to repo
196     // 401 must be returned
197     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
198         throws Exception
199     {
200         setupCleanRepo( repoRootInternal );
201 
202         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
203         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
204         assertNotNull( "artifact.jar inputstream", is );
205 
206         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
207         InvocationContext ic = sc.newInvocation( request );
208         servlet = (RepositoryServlet) ic.getServlet();
209         servlet.setDavSessionProvider( davSessionProvider );
210 
211         AuthenticationResult result = new AuthenticationResult();
212         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
213         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
214                                            new AuthenticationException( "Authentication error" ) );
215 
216         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
217         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
218         servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
219 
220         httpAuthControl.replay();
221         servletAuthControl.replay();
222 
223         servlet.service( ic.getRequest(), ic.getResponse() );
224 
225         httpAuthControl.verify();
226         servletAuthControl.verify();
227 
228         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
229     }
230 
231     // test deploy with invalid user, but guest has write access to repo
232     public void testPutWithInvalidUserAndGuestHasWriteAccess()
233         throws Exception
234     {
235         setupCleanRepo( repoRootInternal );
236 
237         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
238         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
239         assertNotNull( "artifact.jar inputstream", is );
240 
241         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
242 
243         InvocationContext ic = sc.newInvocation( request );
244         servlet = (RepositoryServlet) ic.getServlet();
245         servlet.setDavSessionProvider( davSessionProvider );
246 
247         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
248         archivaDavResourceFactory.setHttpAuth( httpAuth );
249         archivaDavResourceFactory.setServletAuth( servletAuth );
250 
251         servlet.setResourceFactory( archivaDavResourceFactory );
252 
253         AuthenticationResult result = new AuthenticationResult();
254         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
255         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
256                                            new AuthenticationException( "Authentication error" ) );
257 
258         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
259         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
260         servletAuthControl.setReturnValue( true );
261 
262         // ArchivaDavResourceFactory#isAuthorized()
263         SecuritySession session = new DefaultSecuritySession();
264         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
265         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
266         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
267                                            new AuthenticationException( "Authentication error" ) );
268 
269         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
270 
271         // check if guest has write access
272         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
273         servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
274         servletAuthControl.setReturnValue( true );
275 
276         httpAuthControl.replay();
277         servletAuthControl.replay();
278 
279         servlet.service( ic.getRequest(), ic.getResponse() );
280 
281         httpAuthControl.verify();
282         servletAuthControl.verify();
283 
284         // assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
285     }
286 
287     // test deploy with a valid user with no write access
288     public void testPutWithValidUserWithNoWriteAccess()
289         throws Exception
290     {
291         setupCleanRepo( repoRootInternal );
292 
293         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
294         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
295         assertNotNull( "artifact.jar inputstream", is );
296 
297         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
298 
299         InvocationContext ic = sc.newInvocation( request );
300         servlet = (RepositoryServlet) ic.getServlet();
301         servlet.setDavSessionProvider( davSessionProvider );
302 
303         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
304         archivaDavResourceFactory.setHttpAuth( httpAuth );
305         archivaDavResourceFactory.setServletAuth( servletAuth );
306         servlet.setResourceFactory( archivaDavResourceFactory );
307 
308         AuthenticationResult result = new AuthenticationResult();
309         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
310         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
311 
312         // ArchivaDavResourceFactory#isAuthorized()
313         SecuritySession session = new DefaultSecuritySession();
314         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
315         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
316         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
317         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
318         servletAuthControl.expectAndThrow(
319                                            servletAuth.isAuthorized( null, session, "internal",
320                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
321                                            new UnauthorizedException( "User not authorized" ) );
322 
323         httpAuthControl.replay();
324         servletAuthControl.replay();
325 
326         servlet.service( ic.getRequest(), ic.getResponse() );
327 
328         httpAuthControl.verify();
329         servletAuthControl.verify();
330 
331         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
332     }
333 
334     // test deploy with a valid user with write access
335     public void testPutWithValidUserWithWriteAccess()
336         throws Exception
337     {
338         setupCleanRepo( repoRootInternal );
339         assertTrue( repoRootInternal.exists() );
340 
341         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
342         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
343         assertNotNull( "artifact.jar inputstream", is );
344 
345         WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
346 
347         InvocationContext ic = sc.newInvocation( request );
348         servlet = (RepositoryServlet) ic.getServlet();
349         servlet.setDavSessionProvider( davSessionProvider );
350 
351         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
352         archivaDavResourceFactory.setHttpAuth( httpAuth );
353         archivaDavResourceFactory.setServletAuth( servletAuth );
354 
355         servlet.setResourceFactory( archivaDavResourceFactory );
356 
357         AuthenticationResult result = new AuthenticationResult();
358         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
359         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
360 
361         User user = new SimpleUser();
362         user.setUsername( "admin" );
363         
364         // ArchivaDavResourceFactory#isAuthorized()
365         SecuritySession session = new DefaultSecuritySession();
366         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
367         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
368         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), user );
369         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
370         servletAuthControl.expectAndReturn(
371                                             servletAuth.isAuthorized( null, session, "internal",
372                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
373                                             true );
374 
375         httpAuthControl.replay();
376         servletAuthControl.replay();
377 
378         servlet.service( ic.getRequest(), ic.getResponse() );
379 
380         httpAuthControl.verify();
381         servletAuthControl.verify();
382 
383         // assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
384 
385         ArchivaAuditLogsDao auditLogsDao = archivaDavResourceFactory.getAuditLogsDao();
386         List<ArchivaAuditLogs> auditLogs = auditLogsDao.queryAuditLogs( new MostRecentArchivaAuditLogsConstraint() );
387         assertEquals( "admin", auditLogs.get( 0 ).getUsername() );
388     }
389 
390     // test get with invalid user, and guest has read access to repo
391     public void testGetWithInvalidUserAndGuestHasReadAccess()
392         throws Exception
393     {
394         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
395         String expectedArtifactContents = "dummy-commons-lang-artifact";
396 
397         File artifactFile = new File( repoRootInternal, commonsLangJar );
398         artifactFile.getParentFile().mkdirs();
399 
400         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
401 
402         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
403         InvocationContext ic = sc.newInvocation( request );
404         servlet = (RepositoryServlet) ic.getServlet();
405         servlet.setDavSessionProvider( davSessionProvider );
406 
407         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
408         archivaDavResourceFactory.setHttpAuth( httpAuth );
409         archivaDavResourceFactory.setServletAuth( servletAuth );
410 
411         servlet.setResourceFactory( archivaDavResourceFactory );
412 
413         AuthenticationResult result = new AuthenticationResult();
414         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
415         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
416                                            new AuthenticationException( "Authentication error" ) );
417         servletAuthControl.expectAndReturn(
418                                             servletAuth.isAuthorized( "guest", "internal",
419                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
420                                             true );
421 
422         // ArchivaDavResourceFactory#isAuthorized()
423         SecuritySession session = new DefaultSecuritySession();
424         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
425         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
426         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
427         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
428         servletAuthControl.expectAndReturn(
429                                             servletAuth.isAuthorized( null, session, "internal",
430                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
431                                             true );
432 
433         httpAuthControl.replay();
434         servletAuthControl.replay();
435 
436         WebResponse response = sc.getResponse( request );
437 
438         httpAuthControl.verify();
439         servletAuthControl.verify();
440 
441         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
442         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
443     }
444 
445     // test get with invalid user, and guest has no read access to repo
446     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
447         throws Exception
448     {
449         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
450         String expectedArtifactContents = "dummy-commons-lang-artifact";
451 
452         File artifactFile = new File( repoRootInternal, commonsLangJar );
453         artifactFile.getParentFile().mkdirs();
454 
455         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
456 
457         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
458         InvocationContext ic = sc.newInvocation( request );
459         servlet = (RepositoryServlet) ic.getServlet();
460         servlet.setDavSessionProvider( davSessionProvider );
461 
462         AuthenticationResult result = new AuthenticationResult();
463         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
464         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
465                                            new AuthenticationException( "Authentication error" ) );
466         servletAuthControl.expectAndReturn(
467                                             servletAuth.isAuthorized( "guest", "internal",
468                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
469                                             false );
470 
471         httpAuthControl.replay();
472         servletAuthControl.replay();
473 
474         WebResponse response = sc.getResponse( request );
475 
476         httpAuthControl.verify();
477         servletAuthControl.verify();
478 
479         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
480     }
481 
482     // test get with valid user with read access to repo
483     public void testGetWithAValidUserWithReadAccess()
484         throws Exception
485     {
486         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
487         String expectedArtifactContents = "dummy-commons-lang-artifact";
488 
489         File artifactFile = new File( repoRootInternal, commonsLangJar );
490         artifactFile.getParentFile().mkdirs();
491 
492         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
493 
494         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
495         InvocationContext ic = sc.newInvocation( request );
496         servlet = (RepositoryServlet) ic.getServlet();
497         servlet.setDavSessionProvider( davSessionProvider );
498 
499         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
500         archivaDavResourceFactory.setHttpAuth( httpAuth );
501         archivaDavResourceFactory.setServletAuth( servletAuth );
502 
503         servlet.setResourceFactory( archivaDavResourceFactory );
504 
505         AuthenticationResult result = new AuthenticationResult();
506         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
507         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
508 
509         // ArchivaDavResourceFactory#isAuthorized()
510         SecuritySession session = new DefaultSecuritySession();
511         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
512         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
513         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
514         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
515         servletAuthControl.expectAndReturn(
516                                             servletAuth.isAuthorized( null, session, "internal",
517                                                                       ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
518                                             true );
519 
520         httpAuthControl.replay();
521         servletAuthControl.replay();
522 
523         WebResponse response = sc.getResponse( request );
524 
525         httpAuthControl.verify();
526         servletAuthControl.verify();
527 
528         assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
529         assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
530     }
531 
532     // test get with valid user with no read access to repo
533     public void testGetWithAValidUserWithNoReadAccess()
534         throws Exception
535     {
536         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
537         String expectedArtifactContents = "dummy-commons-lang-artifact";
538 
539         File artifactFile = new File( repoRootInternal, commonsLangJar );
540         artifactFile.getParentFile().mkdirs();
541 
542         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
543 
544         WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
545         InvocationContext ic = sc.newInvocation( request );
546         servlet = (RepositoryServlet) ic.getServlet();
547         servlet.setDavSessionProvider( davSessionProvider );
548 
549         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
550         archivaDavResourceFactory.setHttpAuth( httpAuth );
551         archivaDavResourceFactory.setServletAuth( servletAuth );
552 
553         servlet.setResourceFactory( archivaDavResourceFactory );
554 
555         AuthenticationResult result = new AuthenticationResult();
556         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
557         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
558 
559         // ArchivaDavResourceFactory#isAuthorized()
560         SecuritySession session = new DefaultSecuritySession();
561         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
562         httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
563         httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
564         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
565         servletAuthControl.expectAndThrow(
566                                            servletAuth.isAuthorized( null, session, "internal",
567                                                                      ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
568                                            new UnauthorizedException( "User not authorized to read repository." ) );
569 
570         httpAuthControl.replay();
571         servletAuthControl.replay();
572 
573         WebResponse response = sc.getResponse( request );
574 
575         httpAuthControl.verify();
576         servletAuthControl.verify();
577 
578         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
579     }
580 }