View Javadoc
1   package org.apache.archiva.webdav;
2   
3   /*
4    * Licensed to the Apache Software Foundation (ASF) under one
5    * or more contributor license agreements.  See the NOTICE file
6    * distributed with this work for additional information
7    * regarding copyright ownership.  The ASF licenses this file
8    * to you under the Apache License, Version 2.0 (the
9    * "License"); you may not use this file except in compliance
10   * with the License.  You may obtain a copy of the License at
11   *
12   *  http://www.apache.org/licenses/LICENSE-2.0
13   *
14   * Unless required by applicable law or agreed to in writing,
15   * software distributed under the License is distributed on an
16   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17   * KIND, either express or implied.  See the License for the
18   * specific language governing permissions and limitations
19   * under the License.
20   */
21  
22  
23  import junit.framework.TestCase;
24  import net.sf.ehcache.CacheManager;
25  import org.apache.archiva.configuration.ArchivaConfiguration;
26  import org.apache.archiva.configuration.Configuration;
27  import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
28  import org.apache.archiva.redback.authentication.AuthenticationException;
29  import org.apache.archiva.redback.authentication.AuthenticationResult;
30  import org.apache.archiva.redback.authorization.UnauthorizedException;
31  import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
32  import org.apache.archiva.redback.system.DefaultSecuritySession;
33  import org.apache.archiva.redback.system.SecuritySession;
34  import org.apache.archiva.redback.users.User;
35  import org.apache.archiva.redback.users.memory.SimpleUser;
36  import org.apache.archiva.repository.audit.TestAuditListener;
37  import org.apache.archiva.security.ServletAuthenticator;
38  import org.apache.archiva.security.common.ArchivaRoleConstants;
39  import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
40  import org.apache.archiva.webdav.util.MavenIndexerCleaner;
41  import org.apache.commons.io.FileUtils;
42  import org.apache.commons.io.IOUtils;
43  import org.apache.jackrabbit.webdav.DavSessionProvider;
44  import org.easymock.EasyMock;
45  import org.easymock.IMocksControl;
46  import org.junit.After;
47  import org.junit.Before;
48  import org.junit.Test;
49  import org.junit.runner.RunWith;
50  import org.springframework.context.ApplicationContext;
51  import org.springframework.mock.web.MockHttpServletRequest;
52  import org.springframework.mock.web.MockHttpServletResponse;
53  import org.springframework.mock.web.MockServletConfig;
54  import org.springframework.mock.web.MockServletContext;
55  import org.springframework.test.context.ContextConfiguration;
56  import org.springframework.web.context.WebApplicationContext;
57  
58  import javax.inject.Inject;
59  import javax.servlet.ServletContext;
60  import javax.servlet.http.HttpServletRequest;
61  import javax.servlet.http.HttpServletResponse;
62  import javax.servlet.http.HttpSession;
63  import java.io.File;
64  import java.io.InputStream;
65  import java.nio.charset.Charset;
66  import java.util.ArrayList;
67  import java.util.List;
68  
69  import static org.easymock.EasyMock.anyObject;
70  import static org.easymock.EasyMock.eq;
71  import org.junit.Rule;
72  
73  /**
74   * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
75   * perform redback security checking.
76   */
77  @RunWith( ArchivaSpringJUnit4ClassRunner.class )
78  @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context-servlet-security-test.xml" } )
79  public class RepositoryServletSecurityTest
80      extends TestCase
81  {
82      protected static final String REPOID_INTERNAL = "internal";
83  
84      @Inject
85      protected ArchivaConfiguration archivaConfiguration;
86  
87      private DavSessionProvider davSessionProvider;
88  
89      private IMocksControl servletAuthControl;
90  
91      private ServletAuthenticator servletAuth;
92  
93      private IMocksControl httpAuthControl;
94  
95      private HttpAuthenticator httpAuth;
96  
97      private RepositoryServlet servlet;
98  
99      @Inject
100     ApplicationContext applicationContext;
101    
102 
103     @Rule
104     public ArchivaTemporaryFolderRule repoRootInternal = new ArchivaTemporaryFolderRule();
105     
106     @Before
107     @Override
108     public void setUp()
109         throws Exception
110     {
111         
112         super.setUp();
113 
114         String appserverBase =
115             System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
116 
117         File testConf = new File( "src/test/resources/repository-archiva.xml" );
118         File testConfDest = new File( appserverBase, "conf/archiva.xml" );
119         FileUtils.copyFile( testConf, testConfDest );
120         
121         
122  
123         Configuration config = archivaConfiguration.getConfiguration();
124         // clear managed repository
125         List<ManagedRepositoryConfiguration> f1 = new ArrayList<>(config.getManagedRepositories());
126         for (ManagedRepositoryConfiguration f: f1 ) {
127             config.removeManagedRepository(f);
128         }
129         assertEquals(0,config.getManagedRepositories().size());
130         // add internal repo
131         config.addManagedRepository(
132                 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal.getRoot() ) );
133         
134         saveConfiguration( archivaConfiguration );
135 
136         CacheManager.getInstance().clearAll();
137 
138 
139         servletAuthControl = EasyMock.createControl();
140 
141         servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );
142 
143         httpAuthControl = EasyMock.createControl();
144 
145         httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );
146 
147         davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
148 
149         final MockServletContext mockServletContext = new MockServletContext();
150 
151         WebApplicationContext webApplicationContext =
152             new AbstractRepositoryServletTestCase.TestWebapplicationContext( applicationContext, mockServletContext );
153 
154         mockServletContext.setAttribute( WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
155                                          webApplicationContext );
156 
157         MockServletConfig mockServletConfig = new MockServletConfig()
158         {
159             @Override
160             public ServletContext getServletContext()
161             {
162                 return mockServletContext;
163             }
164         };
165 
166         servlet = new RepositoryServlet();
167 
168         servlet.init( mockServletConfig );
169     }
170 
171     protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
172     {
173         ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
174         repo.setId( id );
175         repo.setName( name );
176         repo.setLocation( location.getAbsolutePath() );
177         return repo;
178     }
179 
180     /*protected void saveConfiguration()
181         throws Exception
182     {
183         saveConfiguration( archivaConfiguration );
184     }*/
185 
186     protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
187         throws Exception
188     {
189         archivaConfiguration.save( archivaConfiguration.getConfiguration() );        
190     }
191 
192     /*protected void setupCleanRepo( File repoRootDir )
193         throws IOException
194     {
195     }*/
196 
197     @Override
198     @After
199     public void tearDown()
200         throws Exception
201     {
202 
203        /* if ( repoRootInternal.exists() )
204         {
205             FileUtils.deleteDirectory( repoRootInternal );
206         }*/
207 
208         applicationContext.getBean( MavenIndexerCleaner.class ).cleanupIndex();
209 
210         super.tearDown();
211     }
212 
213 
214 
215     // test deploy with invalid user, and guest has no write access to repo
216     // 401 must be returned
217     @Test
218     public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
219         throws Exception
220     {
221         
222         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
223         assertNotNull( "artifact.jar inputstream", is );
224 
225         servlet.setDavSessionProvider( davSessionProvider );
226 
227         AuthenticationResult result = new AuthenticationResult();
228 
229         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
230                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
231             result );
232 
233         servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),
234                                      EasyMock.anyObject( AuthenticationResult.class ) );
235         EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );
236 
237         servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
238 
239         EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );
240 
241         httpAuthControl.replay();
242         servletAuthControl.replay();
243         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
244         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
245         mockHttpServletRequest.setMethod( "PUT" );
246         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
247         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
248         mockHttpServletRequest.setContentType( "application/octet-stream" );
249 
250         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
251 
252         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
253 
254         httpAuthControl.verify();
255         servletAuthControl.verify();
256 
257         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
258     }
259 
260     // test deploy with invalid user, but guest has write access to repo
261     @Test
262     public void testPutWithInvalidUserAndGuestHasWriteAccess()
263         throws Exception
264     {
265         
266         servlet.setDavSessionProvider( davSessionProvider );
267 
268         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
269         archivaDavResourceFactory.setHttpAuth( httpAuth );
270         archivaDavResourceFactory.setServletAuth( servletAuth );
271 
272         servlet.setResourceFactory( archivaDavResourceFactory );
273 
274         AuthenticationResult result = new AuthenticationResult();
275 
276         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
277                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
278             result );
279 
280         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
281                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
282             new AuthenticationException( "Authentication error" ) );
283 
284         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
285                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
286             true );
287 
288         // ArchivaDavResourceFactory#isAuthorized()
289         SecuritySession session = new DefaultSecuritySession();
290 
291         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
292                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
293             result );
294 
295         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
296 
297         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andThrow(
298             new AuthenticationException( "Authentication error" ) );
299 
300         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
301 
302         // check if guest has write access
303         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
304                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
305             true );
306 
307         httpAuthControl.replay();
308         servletAuthControl.replay();
309 
310         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
311         assertNotNull( "artifact.jar inputstream", is );
312 
313         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
314         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
315         mockHttpServletRequest.setMethod( "PUT" );
316         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
317         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
318         mockHttpServletRequest.setContentType( "application/octet-stream" );
319 
320         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
321 
322         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
323 
324         httpAuthControl.verify();
325         servletAuthControl.verify();
326 
327         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
328     }
329 
330     // test deploy with a valid user with no write access
331     @Test
332     public void testPutWithValidUserWithNoWriteAccess()
333         throws Exception
334     {
335         
336         servlet.setDavSessionProvider( davSessionProvider );
337 
338         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
339         archivaDavResourceFactory.setHttpAuth( httpAuth );
340         archivaDavResourceFactory.setServletAuth( servletAuth );
341         servlet.setResourceFactory( archivaDavResourceFactory );
342 
343         AuthenticationResult result = new AuthenticationResult();
344 
345         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
346                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
347             result );
348 
349         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
350                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
351 
352         // ArchivaDavResourceFactory#isAuthorized()
353         SecuritySession session = new DefaultSecuritySession();
354 
355         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
356                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
357             result );
358 
359         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
360 
361         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession( true ) ) ).andReturn(
362             session );
363 
364         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( new SimpleUser() );
365 
366         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
367             true );
368 
369         EasyMock.expect(
370             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
371                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andThrow(
372             new UnauthorizedException( "User not authorized" ) );
373         httpAuthControl.replay();
374         servletAuthControl.replay();
375 
376         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
377         assertNotNull( "artifact.jar inputstream", is );
378 
379         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
380         mockHttpServletRequest.setMethod( "PUT" );
381         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
382         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
383         mockHttpServletRequest.setContentType( "application/octet-stream" );
384 
385         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
386 
387         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
388 
389         httpAuthControl.verify();
390         servletAuthControl.verify();
391 
392         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
393     }
394 
395     // test deploy with a valid user with write access
396     @Test
397     public void testPutWithValidUserWithWriteAccess()
398         throws Exception
399     {
400         assertTrue( repoRootInternal.getRoot().exists() );
401 
402         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
403         String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
404         InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
405         assertNotNull( "artifact.jar inputstream", is );
406 
407         servlet.setDavSessionProvider( davSessionProvider );
408 
409         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
410         archivaDavResourceFactory.setHttpAuth( httpAuth );
411         archivaDavResourceFactory.setServletAuth( servletAuth );
412 
413         TestAuditListener listener = new TestAuditListener();
414         archivaDavResourceFactory.addAuditListener( listener );
415         servlet.setResourceFactory( archivaDavResourceFactory );
416 
417         AuthenticationResult result = new AuthenticationResult();
418 
419         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
420                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
421             result );
422 
423         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
424                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
425 
426         User user = new SimpleUser();
427         user.setUsername( "admin" );
428 
429         // ArchivaDavResourceFactory#isAuthorized()
430         SecuritySession session = new DefaultSecuritySession();
431 
432         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
433                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
434             result );
435 
436         EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession() ) ).andReturn( session );
437 
438         EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( user );
439 
440         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
441             true );
442 
443         EasyMock.expect(
444             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
445                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andReturn( true );
446 
447         httpAuthControl.replay();
448         servletAuthControl.replay();
449 
450         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
451         mockHttpServletRequest.setMethod( "PUT" );
452         mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
453         mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
454         mockHttpServletRequest.setContentType( "application/octet-stream" );
455 
456         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
457 
458         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
459 
460         httpAuthControl.verify();
461         servletAuthControl.verify();
462 
463         assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
464 
465         assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
466     }
467 
468     // test get with invalid user, and guest has read access to repo
469     @Test
470     public void testGetWithInvalidUserAndGuestHasReadAccess()
471         throws Exception
472     {
473         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
474         String expectedArtifactContents = "dummy-commons-lang-artifact";
475 
476         File artifactFile = new File( repoRootInternal.getRoot(), commonsLangJar );
477         artifactFile.getParentFile().mkdirs();
478 
479         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
480 
481         servlet.setDavSessionProvider( davSessionProvider );
482 
483         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
484         archivaDavResourceFactory.setHttpAuth( httpAuth );
485         archivaDavResourceFactory.setServletAuth( servletAuth );
486 
487         servlet.setResourceFactory( archivaDavResourceFactory );
488 
489         AuthenticationResult result = new AuthenticationResult();
490 
491         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
492                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
493             result );
494 
495         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
496                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
497             new AuthenticationException( "Authentication error" ) );
498 
499         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
500                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
501             true );
502 
503         // ArchivaDavResourceFactory#isAuthorized()
504         SecuritySession session = new DefaultSecuritySession();
505 
506         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
507                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
508             result );
509 
510         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
511 
512         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
513 
514         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
515             true );
516 
517         EasyMock.expect(
518             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
519                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
520         httpAuthControl.replay();
521         servletAuthControl.replay();
522 
523         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
524         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
525         mockHttpServletRequest.setMethod( "GET" );
526         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
527 
528         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
529 
530         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
531 
532         httpAuthControl.verify();
533         servletAuthControl.verify();
534 
535         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
536 
537         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
538     }
539 
540     // test get with invalid user, and guest has no read access to repo
541     @Test
542     public void testGetWithInvalidUserAndGuestHasNoReadAccess()
543         throws Exception
544     {
545         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
546         String expectedArtifactContents = "dummy-commons-lang-artifact";
547 
548         File artifactFile = new File( repoRootInternal.getRoot(), commonsLangJar );
549         artifactFile.getParentFile().mkdirs();
550 
551         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
552 
553         servlet.setDavSessionProvider( davSessionProvider );
554 
555         AuthenticationResult result = new AuthenticationResult();
556 
557         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
558                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
559             result );
560 
561         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
562                                                       anyObject( AuthenticationResult.class ) ) ).andThrow(
563             new AuthenticationException( "Authentication error" ) );
564 
565         EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
566                                                    ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
567             false );
568         httpAuthControl.replay();
569         servletAuthControl.replay();
570 
571         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
572         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
573         mockHttpServletRequest.setMethod( "GET" );
574         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
575 
576         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
577 
578         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
579 
580         httpAuthControl.verify();
581         servletAuthControl.verify();
582 
583         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
584     }
585 
586     // test get with valid user with read access to repo
587     @Test
588     public void testGetWithAValidUserWithReadAccess()
589         throws Exception
590     {
591         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
592         String expectedArtifactContents = "dummy-commons-lang-artifact";
593 
594         File artifactFile = new File( repoRootInternal.getRoot(), commonsLangJar );
595         artifactFile.getParentFile().mkdirs();
596 
597         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
598 
599         servlet.setDavSessionProvider( davSessionProvider );
600 
601         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
602         archivaDavResourceFactory.setHttpAuth( httpAuth );
603         archivaDavResourceFactory.setServletAuth( servletAuth );
604 
605         servlet.setResourceFactory( archivaDavResourceFactory );
606 
607         AuthenticationResult result = new AuthenticationResult();
608 
609         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
610                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
611             result );
612 
613         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
614                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
615         // ArchivaDavResourceFactory#isAuthorized()
616         SecuritySession session = new DefaultSecuritySession();
617 
618         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
619                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
620             result );
621 
622         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
623 
624         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
625 
626         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
627             true );
628 
629         EasyMock.expect(
630             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
631                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
632 
633         httpAuthControl.replay();
634         servletAuthControl.replay();
635 
636         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
637         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
638         mockHttpServletRequest.setMethod( "GET" );
639         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
640 
641         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
642 
643         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
644 
645         httpAuthControl.verify();
646         servletAuthControl.verify();
647 
648         assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
649         assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
650     }
651 
652     // test get with valid user with no read access to repo
653     @Test
654     public void testGetWithAValidUserWithNoReadAccess()
655         throws Exception
656     {
657         String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
658         String expectedArtifactContents = "dummy-commons-lang-artifact";
659 
660         File artifactFile = new File( repoRootInternal.getRoot(), commonsLangJar );
661         artifactFile.getParentFile().mkdirs();
662 
663         FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
664 
665         servlet.setDavSessionProvider( davSessionProvider );
666 
667         ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
668         archivaDavResourceFactory.setHttpAuth( httpAuth );
669         archivaDavResourceFactory.setServletAuth( servletAuth );
670 
671         servlet.setResourceFactory( archivaDavResourceFactory );
672 
673         AuthenticationResult result = new AuthenticationResult();
674 
675         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
676                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
677             result );
678 
679         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
680                                                       anyObject( AuthenticationResult.class ) ) ).andReturn( true );
681 
682         // ArchivaDavResourceFactory#isAuthorized()
683         SecuritySession session = new DefaultSecuritySession();
684 
685         EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
686                                                            anyObject( HttpServletResponse.class ) ) ).andReturn(
687             result );
688 
689         EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
690 
691         EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
692 
693         EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
694             true );
695 
696         EasyMock.expect(
697             servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
698                                       eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andThrow(
699             new UnauthorizedException( "User not authorized to read repository." ) );
700         httpAuthControl.replay();
701         servletAuthControl.replay();
702 
703         MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
704         mockHttpServletRequest.addHeader( "User-Agent", "foo" );
705         mockHttpServletRequest.setMethod( "GET" );
706         mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
707 
708 
709         MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
710 
711         servlet.service( mockHttpServletRequest, mockHttpServletResponse );
712 
713         httpAuthControl.verify();
714         servletAuthControl.verify();
715 
716         assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
717     }
718 
719 }