1 package org.apache.archiva.security;
22 import org.apache.archiva.redback.authentication.AuthenticationException;
23 import org.apache.archiva.redback.authentication.AuthenticationResult;
24 import org.apache.archiva.redback.authorization.UnauthorizedException;
25 import org.apache.archiva.redback.system.DefaultSecuritySession;
26 import org.apache.archiva.redback.system.SecuritySession;
27 import org.apache.archiva.redback.users.User;
28 import org.apache.archiva.redback.users.UserManager;
29 import org.apache.archiva.security.common.ArchivaRoleConstants;
30 import org.easymock.EasyMock;
31 import org.easymock.IMocksControl;
32 import org.junit.Before;
33 import org.junit.Test;
35 import javax.inject.Inject;
36 import javax.inject.Named;
37 import javax.servlet.http.HttpServletRequest;
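/**
 * Tests for the {@link ServletAuthenticator} wired as {@code servletAuthenticator#test}:
 * an {@link AuthenticationResult} is accepted or rejected, and repository operations are
 * authorised against the roles held by a named user or by the guest principal.
 * <p>
 * Two denial conventions are exercised here, as the assertions show: the session-based
 * {@code isAuthorized(request, session, repoId, operation)} reports denial by throwing
 * {@link UnauthorizedException}, whereas the principal-based
 * {@code isAuthorized(principal, repoId, operation)} reports it by returning {@code false}.
 * <p>
 * The security system behind these tests is shared, mutable state. Every test that grants a
 * role therefore revokes it in a {@code finally} block: a role grant leaking out of a failed
 * test would otherwise change the outcome of a later "no access" test (for example
 * {@link #testIsAuthorizedGuestUserHasNoReadAccess}, which relies on the guest holding no role).
 */
public class ArchivaServletAuthenticatorTest
    extends AbstractSecurityTest
{
    /** Authenticator under test, injected from the test context. */
    @Inject
    @Named( value = "servletAuthenticator#test" )
    private ServletAuthenticator servletAuth;

    /** Mock control for {@link #request}; only tests that record expectations replay/verify it. */
    private IMocksControl httpServletRequestControl;

    /** Mocked inbound request passed to the authenticator. */
    private HttpServletRequest request;

    /** Display name for the user the named-user tests create. */
    private static final String ALPACA_FULL_NAME = "Al 'Archiva' Paca";

    /** Repository id every test authorises against; created in {@link #setUp()}. */
    private static final String REPO_ID = "corporate";

    /**
     * Initialises the security fixture from the base class, the request mock and the test repository.
     *
     * @throws Exception if the base fixture or the repository cannot be set up
     */
    @Before
    @Override
    public void setUp()
        throws Exception
    {
        super.setUp();

        httpServletRequestControl = EasyMock.createControl( );
        request = httpServletRequestControl.createMock( HttpServletRequest.class );

        setupRepository( REPO_ID );
    }

    /**
     * Grants the repository-manager templated role for {@code repoId} to {@code principal}.
     *
     * @param principal user id (or guest principal) receiving the role
     * @param repoId repository the role is scoped to
     * @throws Exception if the role manager rejects the assignment
     */
    protected void assignRepositoryManagerRole( String principal, String repoId )
        throws Exception
    {
        roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
    }

    /**
     * Builds a security session for an already-created user whose authentication is
     * recorded as successful, so that only the authorisation decision is under test.
     *
     * @param principal id of a user that exists in the security system's user manager
     * @return a session pairing the looked-up user with a successful authentication result
     * @throws Exception if the user cannot be found
     */
    private SecuritySession authenticatedSessionFor( String principal )
        throws Exception
    {
        UserManager userManager = securitySystem.getUserManager();
        User user = userManager.findUser( principal );

        AuthenticationResult result = new AuthenticationResult( true, principal, null );

        return new DefaultSecuritySession( result, user );
    }

    /** A successful authentication result is accepted as-is. */
    @Test
    public void testIsAuthenticatedUserExists()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( true, "user", null );
        boolean isAuthenticated = servletAuth.isAuthenticated( request, result );

        assertTrue( isAuthenticated );
    }

    /** A failed authentication result is rejected with an {@link AuthenticationException}. */
    @Test
    public void testIsAuthenticatedUserDoesNotExist()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
        try
        {
            servletAuth.isAuthenticated( request, result );
            // fail() raises AssertionError, which the catch below does not swallow.
            fail( "Authentication exception should have been thrown." );
        }
        catch ( AuthenticationException e )
        {
            assertEquals( "User Credentials Invalid", e.getMessage() );
        }
    }

    /** A user holding the repository-manager role may upload to that repository. */
    @Test
    public void testIsAuthorizedUserHasWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, ALPACA_FULL_NAME );
        try
        {
            assignRepositoryManagerRole( USER_ALPACA, REPO_ID );

            SecuritySession session = authenticatedSessionFor( USER_ALPACA );
            boolean isAuthorized =
                servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

            assertTrue( isAuthorized );
        }
        finally
        {
            // Runs even when the assertion above fails, so the role grant never outlives this test.
            restoreGuestInitialValues( USER_ALPACA );
        }
    }

    /**
     * A user holding only the observer role is denied upload with an {@link UnauthorizedException},
     * and the authenticator touches the request exactly as recorded on the mock.
     */
    @Test
    public void testIsAuthorizedUserHasNoWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, ALPACA_FULL_NAME );
        try
        {
            assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

            // The denial path is expected to read the caller's address once (presumably for the
            // access-denied log entry); verify() below fails if that interaction differs.
            EasyMock.expect( request.getRemoteAddr() ).andReturn( "192.168.111.111" );

            SecuritySession session = authenticatedSessionFor( USER_ALPACA );

            httpServletRequestControl.replay();

            try
            {
                servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
                fail( "UnauthorizedException should have been thrown." );
            }
            catch ( UnauthorizedException e )
            {
                assertEquals( "Access denied for repository corporate", e.getMessage() );
            }

            httpServletRequestControl.verify();
        }
        finally
        {
            restoreGuestInitialValues( USER_ALPACA );
        }
    }

    /** A user holding the observer role may read the repository. */
    @Test
    public void testIsAuthorizedUserHasReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, ALPACA_FULL_NAME );
        try
        {
            assignRepositoryObserverRole( USER_ALPACA, REPO_ID );

            SecuritySession session = authenticatedSessionFor( USER_ALPACA );
            boolean isAuthorized =
                servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

            assertTrue( isAuthorized );
        }
        finally
        {
            restoreGuestInitialValues( USER_ALPACA );
        }
    }

    /** A user with no repository role at all is denied read access with an {@link UnauthorizedException}. */
    @Test
    public void testIsAuthorizedUserHasNoReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, ALPACA_FULL_NAME );
        try
        {
            SecuritySession session = authenticatedSessionFor( USER_ALPACA );
            try
            {
                servletAuth.isAuthorized( request, session, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
                fail( "UnauthorizedException should have been thrown." );
            }
            catch ( UnauthorizedException e )
            {
                assertEquals( "Access denied for repository corporate", e.getMessage() );
            }
        }
        finally
        {
            restoreGuestInitialValues( USER_ALPACA );
        }
    }

    /** The guest principal, once granted the manager role, may upload. */
    @Test
    public void testIsAuthorizedGuestUserHasWriteAccess()
        throws Exception
    {
        assignRepositoryManagerRole( USER_GUEST, REPO_ID );
        try
        {
            boolean isAuthorized =
                servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

            assertTrue( isAuthorized );
        }
        finally
        {
            // Guest grants are the ones most likely to mask a later "no access" result; always revoke.
            restoreGuestInitialValues( USER_GUEST );
        }
    }

    /**
     * The guest principal holding only the observer role is denied upload. Unlike the
     * session-based overload, the principal-based overload reports denial as {@code false}.
     */
    @Test
    public void testIsAuthorizedGuestUserHasNoWriteAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );
        try
        {
            boolean isAuthorized =
                servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

            assertFalse( isAuthorized );
        }
        finally
        {
            restoreGuestInitialValues( USER_GUEST );
        }
    }

    /** The guest principal holding the observer role may read. */
    @Test
    public void testIsAuthorizedGuestUserHasReadAccess()
        throws Exception
    {
        assignRepositoryObserverRole( USER_GUEST, REPO_ID );
        try
        {
            boolean isAuthorized =
                servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

            assertTrue( isAuthorized );
        }
        finally
        {
            restoreGuestInitialValues( USER_GUEST );
        }
    }

    /**
     * The guest principal with no role is denied read access. No cleanup is needed because
     * nothing is granted; the test does depend on the other guest tests revoking their grants.
     */
    @Test
    public void testIsAuthorizedGuestUserHasNoReadAccess()
        throws Exception
    {
        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, REPO_ID, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

        assertFalse( isAuthorized );
    }

}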