1   package org.apache.archiva.security;
2   
3   /*
4    * Licensed to the Apache Software Foundation (ASF) under one
5    * or more contributor license agreements.  See the NOTICE file
6    * distributed with this work for additional information
7    * regarding copyright ownership.  The ASF licenses this file
8    * to you under the Apache License, Version 2.0 (the
9    * "License"); you may not use this file except in compliance
10   * with the License.  You may obtain a copy of the License at
11   *
12   *  http://www.apache.org/licenses/LICENSE-2.0
13   *
14   * Unless required by applicable law or agreed to in writing,
15   * software distributed under the License is distributed on an
16   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17   * KIND, either express or implied.  See the License for the
18   * specific language governing permissions and limitations
19   * under the License.
20   */
21  
22  import org.apache.archiva.redback.authentication.AuthenticationException;
23  import org.apache.archiva.redback.authentication.AuthenticationResult;
24  import org.apache.archiva.redback.authorization.UnauthorizedException;
25  import org.apache.archiva.redback.system.DefaultSecuritySession;
26  import org.apache.archiva.redback.system.SecuritySession;
27  import org.apache.archiva.redback.users.User;
28  import org.apache.archiva.redback.users.UserManager;
29  import org.apache.archiva.security.common.ArchivaRoleConstants;
30  import org.easymock.EasyMock;
31  import org.easymock.IMocksControl;
32  import org.junit.Before;
33  import org.junit.Test;
34  
35  import javax.inject.Inject;
36  import javax.inject.Named;
37  import javax.servlet.http.HttpServletRequest;
38  
39  /**
40   * ArchivaServletAuthenticatorTest
41   */
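/**
 * ArchivaServletAuthenticatorTest
 * <p>
 * Exercises the {@code servletAuthenticator#test} bean: the authentication check
 * ({@code isAuthenticated}) and the per-repository authorization checks
 * ({@code isAuthorized}) for a created user and for the built-in guest principal.
 * <p>
 * Two {@code isAuthorized} variants are covered and they report denial differently:
 * the session-based variant throws {@link UnauthorizedException}, while the
 * principal-based variant used for the guest account returns {@code false}.
 * <p>
 * Every test that grants a role restores the principal's initial values in a
 * {@code finally} block. Without that, a failing assertion would leave an elevated
 * role behind (for example a repository-manager role on the guest account) and the
 * authorization tests that run afterwards would no longer be testing the default
 * privileges they assume.
 */
public class ArchivaServletAuthenticatorTest
    extends AbstractSecurityTest
{
    /** Repository every test in this class authorizes against; created in {@link #setUp()}. */
    private static final String TEST_REPO = "corporate";

    @Inject
    @Named( value = "servletAuthenticator#test" )
    private ServletAuthenticator servletAuth;

    private IMocksControl httpServletRequestControl;

    private HttpServletRequest request;

    /**
     * Builds a fresh strict-control mock of the servlet request and registers the
     * test repository. The mock stays in record state; only the test that expects
     * the authenticator to touch the request replays and verifies it.
     */
    @Before
    @Override
    public void setUp()
        throws Exception
    {
        super.setUp();

        httpServletRequestControl = EasyMock.createControl( );
        request = httpServletRequestControl.createMock( HttpServletRequest.class );

        setupRepository( TEST_REPO );
    }

    /**
     * Grants the templated repository-manager role for {@code repoId} to {@code principal}.
     *
     * @param principal user name receiving the role
     * @param repoId    repository the templated role is instantiated for
     * @throws Exception if the role manager cannot assign the role
     */
    protected void assignRepositoryManagerRole( String principal, String repoId )
        throws Exception
    {
        roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
    }

    /**
     * Builds a security session for an already-created user, backed by a successful
     * {@link AuthenticationResult} for that principal.
     *
     * @param principal user name to look up through the security system's user manager
     * @return a {@link DefaultSecuritySession} wrapping the authentication result and the user
     * @throws Exception if the user cannot be looked up
     */
    private SecuritySession authenticatedSession( String principal )
        throws Exception
    {
        UserManager userManager = securitySystem.getUserManager();
        User user = userManager.findUser( principal );
        AuthenticationResult result = new AuthenticationResult( true, principal, null );
        return new DefaultSecuritySession( result, user );
    }

    /** A successful authentication result is reported as authenticated. */
    @Test
    public void testIsAuthenticatedUserExists()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( true, "user", null );
        boolean isAuthenticated = servletAuth.isAuthenticated( request, result );

        assertTrue( isAuthenticated );
    }

    /**
     * A failed authentication result must not be reported as "not authenticated"
     * silently: the authenticator is expected to raise {@link AuthenticationException}
     * with the generic credentials message (no hint about whether the user exists).
     */
    @Test
    public void testIsAuthenticatedUserDoesNotExist()
        throws Exception
    {
        AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
        try
        {
            servletAuth.isAuthenticated( request, result );
            fail( "Authentication exception should have been thrown." );
        }
        catch ( AuthenticationException e )
        {
            assertEquals( "User Credentials Invalid", e.getMessage() );
        }
    }

    /** A user holding the repository-manager role may upload to that repository. */
    @Test
    public void testIsAuthorizedUserHasWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca" );
        try
        {
            assignRepositoryManagerRole( USER_ALPACA, TEST_REPO );

            SecuritySession session = authenticatedSession( USER_ALPACA );
            boolean isAuthorized =
                servletAuth.isAuthorized( request, session, TEST_REPO, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

            assertTrue( isAuthorized );
        }
        finally
        {
            // Drop the manager role even when the assertion fails so it cannot leak into later tests.
            restoreGuestInitialValues( USER_ALPACA );
        }
    }

    /**
     * A user holding only the observer role is denied upload, and the denial is
     * raised as {@link UnauthorizedException}. The request mock is replayed and
     * verified: the denial path is expected to read the remote address (presumably
     * for the denial log entry -- the implementation is not visible here), and any
     * other call on the request would fail the test.
     */
    @Test
    public void testIsAuthorizedUserHasNoWriteAccess()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca" );
        try
        {
            assignRepositoryObserverRole( USER_ALPACA, TEST_REPO );

            EasyMock.expect( request.getRemoteAddr() ).andReturn( "192.168.111.111" );

            SecuritySession session = authenticatedSession( USER_ALPACA );

            httpServletRequestControl.replay();

            try
            {
                servletAuth.isAuthorized( request, session, TEST_REPO, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
                fail( "UnauthorizedException should have been thrown." );
            }
            catch ( UnauthorizedException e )
            {
                assertEquals( "Access denied for repository corporate", e.getMessage() );
            }

            httpServletRequestControl.verify();
        }
        finally
        {
            restoreGuestInitialValues( USER_ALPACA );
        }
    }

    /** A user holding the observer role may read the repository. */
    @Test
    public void testIsAuthorizedUserHasReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca" );
        try
        {
            assignRepositoryObserverRole( USER_ALPACA, TEST_REPO );

            SecuritySession session = authenticatedSession( USER_ALPACA );
            boolean isAuthorized =
                servletAuth.isAuthorized( request, session, TEST_REPO, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

            assertTrue( isAuthorized );
        }
        finally
        {
            restoreGuestInitialValues( USER_ALPACA );
        }
    }

    /**
     * A user with no repository role at all is denied even read access. This is the
     * default-deny check: nothing is assigned, so any grant here would mean the
     * authorizer falls back to allowing unknown principals.
     */
    @Test
    public void testIsAuthorizedUserHasNoReadAccess()
        throws Exception
    {
        createUser( USER_ALPACA, "Al 'Archiva' Paca" );
        try
        {
            SecuritySession session = authenticatedSession( USER_ALPACA );
            try
            {
                servletAuth.isAuthorized( request, session, TEST_REPO, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
                fail( "UnauthorizedException should have been thrown." );
            }
            catch ( UnauthorizedException e )
            {
                assertEquals( "Access denied for repository corporate", e.getMessage() );
            }
        }
        finally
        {
            restoreGuestInitialValues( USER_ALPACA );
        }
    }

    /**
     * The guest principal may upload once explicitly granted the manager role.
     * The role is removed again in {@code finally}: a guest left with manager rights
     * would silently pass the guest-denial tests below.
     */
    @Test
    public void testIsAuthorizedGuestUserHasWriteAccess()
        throws Exception
    {
        try
        {
            assignRepositoryManagerRole( USER_GUEST, TEST_REPO );
            boolean isAuthorized =
                servletAuth.isAuthorized( USER_GUEST, TEST_REPO, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );

            assertTrue( isAuthorized );
        }
        finally
        {
            // cleanup previously added karma
            restoreGuestInitialValues( USER_GUEST );
        }
    }

    /** The guest principal with only the observer role is refused upload (reported as {@code false}, not an exception). */
    @Test
    public void testIsAuthorizedGuestUserHasNoWriteAccess()
        throws Exception
    {
        try
        {
            assignRepositoryObserverRole( USER_GUEST, TEST_REPO );

            boolean isAuthorized =
                servletAuth.isAuthorized( USER_GUEST, TEST_REPO, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
            assertFalse( isAuthorized );
        }
        finally
        {
            // cleanup previously added karma
            restoreGuestInitialValues( USER_GUEST );
        }
    }

    /** The guest principal with the observer role may read the repository. */
    @Test
    public void testIsAuthorizedGuestUserHasReadAccess()
        throws Exception
    {
        try
        {
            assignRepositoryObserverRole( USER_GUEST, TEST_REPO );

            boolean isAuthorized =
                servletAuth.isAuthorized( USER_GUEST, TEST_REPO, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

            assertTrue( isAuthorized );
        }
        finally
        {
            // cleanup previously added karma
            restoreGuestInitialValues( USER_GUEST );
        }
    }

    /**
     * Default-deny for the guest principal: with no role granted, read access is refused.
     * No cleanup is needed because nothing was assigned, but this test only proves
     * anything if the tests above really did restore the guest's initial values.
     */
    @Test
    public void testIsAuthorizedGuestUserHasNoReadAccess()
        throws Exception
    {
        boolean isAuthorized =
            servletAuth.isAuthorized( USER_GUEST, TEST_REPO, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );

        assertFalse( isAuthorized );
    }

}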
257 }