1 package org.apache.archiva.webdav;
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23 import junit.framework.TestCase;
24 import net.sf.ehcache.CacheManager;
25 import org.apache.archiva.configuration.ArchivaConfiguration;
26 import org.apache.archiva.configuration.Configuration;
27 import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
28 import org.apache.archiva.redback.authentication.AuthenticationException;
29 import org.apache.archiva.redback.authentication.AuthenticationResult;
30 import org.apache.archiva.redback.authorization.UnauthorizedException;
31 import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
32 import org.apache.archiva.redback.system.DefaultSecuritySession;
33 import org.apache.archiva.redback.system.SecuritySession;
34 import org.apache.archiva.redback.users.User;
35 import org.apache.archiva.redback.users.memory.SimpleUser;
36 import org.apache.archiva.repository.audit.TestAuditListener;
37 import org.apache.archiva.security.ServletAuthenticator;
38 import org.apache.archiva.security.common.ArchivaRoleConstants;
39 import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
40 import org.apache.archiva.webdav.util.MavenIndexerCleaner;
41 import org.apache.commons.io.FileUtils;
42 import org.apache.commons.io.IOUtils;
43 import org.apache.jackrabbit.webdav.DavSessionProvider;
44 import org.easymock.EasyMock;
45 import org.easymock.IMocksControl;
46 import org.junit.After;
47 import org.junit.Before;
48 import org.junit.Test;
49 import org.junit.runner.RunWith;
50 import org.springframework.context.ApplicationContext;
51 import org.springframework.mock.web.MockHttpServletRequest;
52 import org.springframework.mock.web.MockHttpServletResponse;
53 import org.springframework.mock.web.MockServletConfig;
54 import org.springframework.mock.web.MockServletContext;
55 import org.springframework.test.context.ContextConfiguration;
56 import org.springframework.web.context.WebApplicationContext;
57
58 import javax.inject.Inject;
59 import javax.servlet.ServletContext;
60 import javax.servlet.http.HttpServletRequest;
61 import javax.servlet.http.HttpServletResponse;
62 import javax.servlet.http.HttpSession;
63 import java.io.File;
64 import java.io.InputStream;
65 import java.nio.charset.Charset;
66 import java.util.ArrayList;
67 import java.util.List;
68
69 import static org.easymock.EasyMock.anyObject;
70 import static org.easymock.EasyMock.eq;
71 import org.junit.Rule;
72
73
74
75
76
77 @RunWith( ArchivaSpringJUnit4ClassRunner.class )
78 @ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context-servlet-security-test.xml" } )
79 public class RepositoryServletSecurityTest
80 extends TestCase
81 {
82 protected static final String REPOID_INTERNAL = "internal";
83
84 @Inject
85 protected ArchivaConfiguration archivaConfiguration;
86
87 private DavSessionProvider davSessionProvider;
88
89 private IMocksControl servletAuthControl;
90
91 private ServletAuthenticator servletAuth;
92
93 private IMocksControl httpAuthControl;
94
95 private HttpAuthenticator httpAuth;
96
97 private RepositoryServlet servlet;
98
99 @Inject
100 ApplicationContext applicationContext;
101
102
103 @Rule
104 public ArchivaTemporaryFolderRule repoRootInternal = new ArchivaTemporaryFolderRule();
105
106 @Before
107 @Override
108 public void setUp()
109 throws Exception
110 {
111
112 super.setUp();
113
114 String appserverBase =
115 System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
116
117 File testConf = new File( "src/test/resources/repository-archiva.xml" );
118 File testConfDest = new File( appserverBase, "conf/archiva.xml" );
119 FileUtils.copyFile( testConf, testConfDest );
120
121
122
123 Configuration config = archivaConfiguration.getConfiguration();
124
125 List<ManagedRepositoryConfiguration> f1 = new ArrayList<>(config.getManagedRepositories());
126 for (ManagedRepositoryConfiguration f: f1 ) {
127 config.removeManagedRepository(f);
128 }
129 assertEquals(0,config.getManagedRepositories().size());
130
131 config.addManagedRepository(
132 createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal.getRoot() ) );
133
134 saveConfiguration( archivaConfiguration );
135
136 CacheManager.getInstance().clearAll();
137
138
139 servletAuthControl = EasyMock.createControl();
140
141 servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );
142
143 httpAuthControl = EasyMock.createControl();
144
145 httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );
146
147 davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );
148
149 final MockServletContext mockServletContext = new MockServletContext();
150
151 WebApplicationContext webApplicationContext =
152 new AbstractRepositoryServletTestCase.TestWebapplicationContext( applicationContext, mockServletContext );
153
154 mockServletContext.setAttribute( WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
155 webApplicationContext );
156
157 MockServletConfig mockServletConfig = new MockServletConfig()
158 {
159 @Override
160 public ServletContext getServletContext()
161 {
162 return mockServletContext;
163 }
164 };
165
166 servlet = new RepositoryServlet();
167
168 servlet.init( mockServletConfig );
169 }
170
171 protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
172 {
173 ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
174 repo.setId( id );
175 repo.setName( name );
176 repo.setLocation( location.getAbsolutePath() );
177 return repo;
178 }
179
180
181
182
183
184
185
186 protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
187 throws Exception
188 {
189 archivaConfiguration.save( archivaConfiguration.getConfiguration() );
190 }
191
192
193
194
195
196
197 @Override
198 @After
199 public void tearDown()
200 throws Exception
201 {
202
203
204
205
206
207
208 applicationContext.getBean( MavenIndexerCleaner.class ).cleanupIndex();
209
210 super.tearDown();
211 }
212
213
214
215
216
217 @Test
218 public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
219 throws Exception
220 {
221
222 InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
223 assertNotNull( "artifact.jar inputstream", is );
224
225 servlet.setDavSessionProvider( davSessionProvider );
226
227 AuthenticationResult result = new AuthenticationResult();
228
229 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
230 anyObject( HttpServletResponse.class ) ) ).andReturn(
231 result );
232
233 servletAuth.isAuthenticated( EasyMock.anyObject( HttpServletRequest.class ),
234 EasyMock.anyObject( AuthenticationResult.class ) );
235 EasyMock.expectLastCall().andThrow( new AuthenticationException( "Authentication error" ) );
236
237 servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
238
239 EasyMock.expectLastCall().andThrow( new UnauthorizedException( "'guest' has no write access to repository" ) );
240
241 httpAuthControl.replay();
242 servletAuthControl.replay();
243 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
244 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
245 mockHttpServletRequest.setMethod( "PUT" );
246 mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
247 mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
248 mockHttpServletRequest.setContentType( "application/octet-stream" );
249
250 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
251
252 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
253
254 httpAuthControl.verify();
255 servletAuthControl.verify();
256
257 assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
258 }
259
260
261 @Test
262 public void testPutWithInvalidUserAndGuestHasWriteAccess()
263 throws Exception
264 {
265
266 servlet.setDavSessionProvider( davSessionProvider );
267
268 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
269 archivaDavResourceFactory.setHttpAuth( httpAuth );
270 archivaDavResourceFactory.setServletAuth( servletAuth );
271
272 servlet.setResourceFactory( archivaDavResourceFactory );
273
274 AuthenticationResult result = new AuthenticationResult();
275
276 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
277 anyObject( HttpServletResponse.class ) ) ).andReturn(
278 result );
279
280 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
281 anyObject( AuthenticationResult.class ) ) ).andThrow(
282 new AuthenticationException( "Authentication error" ) );
283
284 EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
285 ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
286 true );
287
288
289 SecuritySession session = new DefaultSecuritySession();
290
291 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
292 anyObject( HttpServletResponse.class ) ) ).andReturn(
293 result );
294
295 EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
296
297 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andThrow(
298 new AuthenticationException( "Authentication error" ) );
299
300 EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
301
302
303 EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
304 ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn(
305 true );
306
307 httpAuthControl.replay();
308 servletAuthControl.replay();
309
310 InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
311 assertNotNull( "artifact.jar inputstream", is );
312
313 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
314 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
315 mockHttpServletRequest.setMethod( "PUT" );
316 mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
317 mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
318 mockHttpServletRequest.setContentType( "application/octet-stream" );
319
320 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
321
322 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
323
324 httpAuthControl.verify();
325 servletAuthControl.verify();
326
327 assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
328 }
329
330
331 @Test
332 public void testPutWithValidUserWithNoWriteAccess()
333 throws Exception
334 {
335
336 servlet.setDavSessionProvider( davSessionProvider );
337
338 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
339 archivaDavResourceFactory.setHttpAuth( httpAuth );
340 archivaDavResourceFactory.setServletAuth( servletAuth );
341 servlet.setResourceFactory( archivaDavResourceFactory );
342
343 AuthenticationResult result = new AuthenticationResult();
344
345 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
346 anyObject( HttpServletResponse.class ) ) ).andReturn(
347 result );
348
349 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
350 anyObject( AuthenticationResult.class ) ) ).andReturn( true );
351
352
353 SecuritySession session = new DefaultSecuritySession();
354
355 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
356 anyObject( HttpServletResponse.class ) ) ).andReturn(
357 result );
358
359 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
360
361 EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession( true ) ) ).andReturn(
362 session );
363
364 EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( new SimpleUser() );
365
366 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
367 true );
368
369 EasyMock.expect(
370 servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
371 eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andThrow(
372 new UnauthorizedException( "User not authorized" ) );
373 httpAuthControl.replay();
374 servletAuthControl.replay();
375
376 InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
377 assertNotNull( "artifact.jar inputstream", is );
378
379 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
380 mockHttpServletRequest.setMethod( "PUT" );
381 mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
382 mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
383 mockHttpServletRequest.setContentType( "application/octet-stream" );
384
385 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
386
387 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
388
389 httpAuthControl.verify();
390 servletAuthControl.verify();
391
392 assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
393 }
394
395
396 @Test
397 public void testPutWithValidUserWithWriteAccess()
398 throws Exception
399 {
400 assertTrue( repoRootInternal.getRoot().exists() );
401
402 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
403 String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
404 InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
405 assertNotNull( "artifact.jar inputstream", is );
406
407 servlet.setDavSessionProvider( davSessionProvider );
408
409 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
410 archivaDavResourceFactory.setHttpAuth( httpAuth );
411 archivaDavResourceFactory.setServletAuth( servletAuth );
412
413 TestAuditListener listener = new TestAuditListener();
414 archivaDavResourceFactory.addAuditListener( listener );
415 servlet.setResourceFactory( archivaDavResourceFactory );
416
417 AuthenticationResult result = new AuthenticationResult();
418
419 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
420 anyObject( HttpServletResponse.class ) ) ).andReturn(
421 result );
422
423 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
424 anyObject( AuthenticationResult.class ) ) ).andReturn( true );
425
426 User user = new SimpleUser();
427 user.setUsername( "admin" );
428
429
430 SecuritySession session = new DefaultSecuritySession();
431
432 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
433 anyObject( HttpServletResponse.class ) ) ).andReturn(
434 result );
435
436 EasyMock.expect( httpAuth.getSecuritySession( mockHttpServletRequest.getSession() ) ).andReturn( session );
437
438 EasyMock.expect( httpAuth.getSessionUser( mockHttpServletRequest.getSession() ) ).andReturn( user );
439
440 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
441 true );
442
443 EasyMock.expect(
444 servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
445 eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andReturn( true );
446
447 httpAuthControl.replay();
448 servletAuthControl.replay();
449
450 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
451 mockHttpServletRequest.setMethod( "PUT" );
452 mockHttpServletRequest.setRequestURI( "/repository/internal/path/to/artifact.jar" );
453 mockHttpServletRequest.setContent( IOUtils.toByteArray( is ) );
454 mockHttpServletRequest.setContentType( "application/octet-stream" );
455
456 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
457
458 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
459
460 httpAuthControl.verify();
461 servletAuthControl.verify();
462
463 assertEquals( HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus() );
464
465 assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
466 }
467
468
469 @Test
470 public void testGetWithInvalidUserAndGuestHasReadAccess()
471 throws Exception
472 {
473 String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
474 String expectedArtifactContents = "dummy-commons-lang-artifact";
475
476 File artifactFile = new File( repoRootInternal.getRoot(), commonsLangJar );
477 artifactFile.getParentFile().mkdirs();
478
479 FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
480
481 servlet.setDavSessionProvider( davSessionProvider );
482
483 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
484 archivaDavResourceFactory.setHttpAuth( httpAuth );
485 archivaDavResourceFactory.setServletAuth( servletAuth );
486
487 servlet.setResourceFactory( archivaDavResourceFactory );
488
489 AuthenticationResult result = new AuthenticationResult();
490
491 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
492 anyObject( HttpServletResponse.class ) ) ).andReturn(
493 result );
494
495 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
496 anyObject( AuthenticationResult.class ) ) ).andThrow(
497 new AuthenticationException( "Authentication error" ) );
498
499 EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
500 ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
501 true );
502
503
504 SecuritySession session = new DefaultSecuritySession();
505
506 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
507 anyObject( HttpServletResponse.class ) ) ).andReturn(
508 result );
509
510 EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
511
512 EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
513
514 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
515 true );
516
517 EasyMock.expect(
518 servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
519 eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
520 httpAuthControl.replay();
521 servletAuthControl.replay();
522
523 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
524 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
525 mockHttpServletRequest.setMethod( "GET" );
526 mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
527
528 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
529
530 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
531
532 httpAuthControl.verify();
533 servletAuthControl.verify();
534
535 assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
536
537 assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
538 }
539
540
541 @Test
542 public void testGetWithInvalidUserAndGuestHasNoReadAccess()
543 throws Exception
544 {
545 String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
546 String expectedArtifactContents = "dummy-commons-lang-artifact";
547
548 File artifactFile = new File( repoRootInternal.getRoot(), commonsLangJar );
549 artifactFile.getParentFile().mkdirs();
550
551 FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
552
553 servlet.setDavSessionProvider( davSessionProvider );
554
555 AuthenticationResult result = new AuthenticationResult();
556
557 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
558 anyObject( HttpServletResponse.class ) ) ).andReturn(
559 result );
560
561 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
562 anyObject( AuthenticationResult.class ) ) ).andThrow(
563 new AuthenticationException( "Authentication error" ) );
564
565 EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
566 ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn(
567 false );
568 httpAuthControl.replay();
569 servletAuthControl.replay();
570
571 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
572 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
573 mockHttpServletRequest.setMethod( "GET" );
574 mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
575
576 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
577
578 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
579
580 httpAuthControl.verify();
581 servletAuthControl.verify();
582
583 assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
584 }
585
586
587 @Test
588 public void testGetWithAValidUserWithReadAccess()
589 throws Exception
590 {
591 String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
592 String expectedArtifactContents = "dummy-commons-lang-artifact";
593
594 File artifactFile = new File( repoRootInternal.getRoot(), commonsLangJar );
595 artifactFile.getParentFile().mkdirs();
596
597 FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
598
599 servlet.setDavSessionProvider( davSessionProvider );
600
601 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
602 archivaDavResourceFactory.setHttpAuth( httpAuth );
603 archivaDavResourceFactory.setServletAuth( servletAuth );
604
605 servlet.setResourceFactory( archivaDavResourceFactory );
606
607 AuthenticationResult result = new AuthenticationResult();
608
609 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
610 anyObject( HttpServletResponse.class ) ) ).andReturn(
611 result );
612
613 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
614 anyObject( AuthenticationResult.class ) ) ).andReturn( true );
615
616 SecuritySession session = new DefaultSecuritySession();
617
618 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
619 anyObject( HttpServletResponse.class ) ) ).andReturn(
620 result );
621
622 EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
623
624 EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
625
626 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
627 true );
628
629 EasyMock.expect(
630 servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
631 eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
632
633 httpAuthControl.replay();
634 servletAuthControl.replay();
635
636 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
637 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
638 mockHttpServletRequest.setMethod( "GET" );
639 mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
640
641 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
642
643 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
644
645 httpAuthControl.verify();
646 servletAuthControl.verify();
647
648 assertEquals( HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus() );
649 assertEquals( "Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString() );
650 }
651
652
653 @Test
654 public void testGetWithAValidUserWithNoReadAccess()
655 throws Exception
656 {
657 String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
658 String expectedArtifactContents = "dummy-commons-lang-artifact";
659
660 File artifactFile = new File( repoRootInternal.getRoot(), commonsLangJar );
661 artifactFile.getParentFile().mkdirs();
662
663 FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, Charset.defaultCharset() );
664
665 servlet.setDavSessionProvider( davSessionProvider );
666
667 ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
668 archivaDavResourceFactory.setHttpAuth( httpAuth );
669 archivaDavResourceFactory.setServletAuth( servletAuth );
670
671 servlet.setResourceFactory( archivaDavResourceFactory );
672
673 AuthenticationResult result = new AuthenticationResult();
674
675 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
676 anyObject( HttpServletResponse.class ) ) ).andReturn(
677 result );
678
679 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
680 anyObject( AuthenticationResult.class ) ) ).andReturn( true );
681
682
683 SecuritySession session = new DefaultSecuritySession();
684
685 EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
686 anyObject( HttpServletResponse.class ) ) ).andReturn(
687 result );
688
689 EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
690
691 EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
692
693 EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
694 true );
695
696 EasyMock.expect(
697 servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
698 eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andThrow(
699 new UnauthorizedException( "User not authorized to read repository." ) );
700 httpAuthControl.replay();
701 servletAuthControl.replay();
702
703 MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
704 mockHttpServletRequest.addHeader( "User-Agent", "foo" );
705 mockHttpServletRequest.setMethod( "GET" );
706 mockHttpServletRequest.setRequestURI( "/repository/internal/" + commonsLangJar );
707
708
709 MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
710
711 servlet.service( mockHttpServletRequest, mockHttpServletResponse );
712
713 httpAuthControl.verify();
714 servletAuthControl.verify();
715
716 assertEquals( HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus() );
717 }
718
719 }