package org.apache.archiva.webdav;
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
import junit.framework.TestCase;
import net.sf.ehcache.CacheManager;
import org.apache.archiva.configuration.ArchivaConfiguration;
import org.apache.archiva.configuration.Configuration;
import org.apache.archiva.configuration.ManagedRepositoryConfiguration;
import org.apache.archiva.redback.authentication.AuthenticationException;
import org.apache.archiva.redback.authentication.AuthenticationResult;
import org.apache.archiva.redback.authorization.UnauthorizedException;
import org.apache.archiva.redback.integration.filter.authentication.HttpAuthenticator;
import org.apache.archiva.redback.system.DefaultSecuritySession;
import org.apache.archiva.redback.system.SecuritySession;
import org.apache.archiva.redback.users.User;
import org.apache.archiva.redback.users.memory.SimpleUser;
import org.apache.archiva.repository.audit.TestAuditListener;
import org.apache.archiva.security.ServletAuthenticator;
import org.apache.archiva.security.common.ArchivaRoleConstants;
import org.apache.archiva.test.utils.ArchivaSpringJUnit4ClassRunner;
import org.apache.archiva.webdav.util.MavenIndexerCleaner;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.jackrabbit.webdav.DavSessionProvider;
import org.easymock.EasyMock;
import org.easymock.IMocksControl;
import org.junit.After;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.context.ApplicationContext;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockServletConfig;
import org.springframework.mock.web.MockServletContext;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.web.context.WebApplicationContext;

import javax.inject.Inject;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import static org.easymock.EasyMock.anyObject;
import static org.easymock.EasyMock.eq;
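/**
 * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
 * perform redback security checking.
 * <p>
 * Each test drives a real {@link RepositoryServlet} with a Spring mock request and replaces the two collaborators that
 * make the security decisions with EasyMock mocks: {@code HttpAuthenticator} (credential extraction and session
 * lookup) and {@code ServletAuthenticator} (authentication and authorization). The mocks are wired into the
 * {@code ArchivaDavSessionProvider} in {@link #setUp()} and, where a test needs it, into the servlet's
 * {@code ArchivaDavResourceFactory}. Only the resulting HTTP status (and the body, for reads) is asserted; the
 * expectation sets recorded after the {@code // ArchivaDavResourceFactory#isAuthorized()} marker are the ones the
 * resource factory's own check is expected to consume.
 * <p>
 * The property under test is that a caller who fails authentication is either mapped to the "guest" principal and
 * authorized as guest, or refused with 401; a caller who authenticates is still subject to the per-repository
 * authorization check. A 201/200 must only appear when the mocked authorization granted the operation.
 */
@RunWith( ArchivaSpringJUnit4ClassRunner.class )
@ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context-servlet-security-test.xml" } )
public class RepositoryServletSecurityTest
    extends TestCase
{
    protected static final String REPOID_INTERNAL = "internal";

    /** Request URI used by every PUT test; it addresses the "internal" managed repository. */
    private static final String PUT_ARTIFACT_URI = "/repository/internal/path/to/artifact.jar";

    /** Repository-relative path of the artifact the GET tests write and read back. */
    private static final String COMMONS_LANG_JAR = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";

    /** Body written for {@link #COMMONS_LANG_JAR}; pure ASCII, so it survives any ASCII-compatible response charset. */
    private static final String EXPECTED_ARTIFACT_CONTENTS = "dummy-commons-lang-artifact";

    @Inject
    protected ArchivaConfiguration archivaConfiguration;

    // Session provider built around the two mocks below; each test installs it into the servlet.
    private DavSessionProvider davSessionProvider;

    private IMocksControl servletAuthControl;

    private ServletAuthenticator servletAuth;

    private IMocksControl httpAuthControl;

    private HttpAuthenticator httpAuth;

    private RepositoryServlet servlet;

    @Inject
    ApplicationContext applicationContext;

    @Rule
    public ArchivaTemporaryFolderRule repoRootInternal = new ArchivaTemporaryFolderRule();

    /**
     * Resets the Archiva configuration to exactly one managed repository ("internal") rooted at the temporary folder,
     * clears the ehcache caches, and initialises a {@link RepositoryServlet} whose session provider is backed by the
     * EasyMock {@link #httpAuth} and {@link #servletAuth} mocks. The mocks are left in record state; every test adds
     * its own expectations and then calls {@link #replayMocks()}.
     *
     * @throws Exception if the test configuration cannot be copied, saved, or the servlet fails to initialise
     */
    @Before
    @Override
    public void setUp()
        throws Exception
    {
        super.setUp();

        String appserverBase =
            System.getProperty( "appserver.base", new File( "target/appserver-base" ).getAbsolutePath() );
        File testConf = new File( "src/test/resources/repository-archiva.xml" );
        File testConfDest = new File( appserverBase, "conf/archiva.xml" );
        FileUtils.copyFile( testConf, testConfDest );

        Configuration config = archivaConfiguration.getConfiguration();
        // Walk a snapshot so the removals cannot disturb the live list we are iterating.
        for ( ManagedRepositoryConfiguration existing : new ArrayList<>( config.getManagedRepositories() ) )
        {
            config.removeManagedRepository( existing );
        }
        assertEquals( 0, config.getManagedRepositories().size() );

        config.addManagedRepository(
            createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal.getRoot() ) );
        saveConfiguration( archivaConfiguration );

        CacheManager.getInstance().clearAll();

        servletAuthControl = EasyMock.createControl();
        servletAuth = servletAuthControl.createMock( ServletAuthenticator.class );

        httpAuthControl = EasyMock.createControl();
        httpAuth = httpAuthControl.createMock( HttpAuthenticator.class );

        davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth );

        final MockServletContext mockServletContext = new MockServletContext();
        WebApplicationContext webApplicationContext =
            new AbstractRepositoryServletTestCase.TestWebapplicationContext( applicationContext, mockServletContext );
        mockServletContext.setAttribute( WebApplicationContext.ROOT_WEB_APPLICATION_CONTEXT_ATTRIBUTE,
                                         webApplicationContext );

        MockServletConfig mockServletConfig = new MockServletConfig()
        {
            @Override
            public ServletContext getServletContext()
            {
                return mockServletContext;
            }
        };

        servlet = new RepositoryServlet();
        servlet.init( mockServletConfig );
    }

    /**
     * Builds a managed repository configuration entry.
     *
     * @param id       repository id, e.g. {@link #REPOID_INTERNAL}
     * @param name     display name
     * @param location directory the repository is served from; stored as an absolute path
     * @return the populated configuration, not yet added to the Archiva configuration
     */
    protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
    {
        ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
        repo.setId( id );
        repo.setName( name );
        repo.setLocation( location.getAbsolutePath() );
        return repo;
    }

    /**
     * Persists the configuration currently held by {@code archivaConfiguration}.
     *
     * @param archivaConfiguration configuration service whose in-memory state is saved
     * @throws Exception if saving fails
     */
    protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
        throws Exception
    {
        archivaConfiguration.save( archivaConfiguration.getConfiguration() );
    }

    /**
     * Removes the Maven index left behind by the servlet; the temporary repository root is removed by the
     * {@link #repoRootInternal} rule.
     *
     * @throws Exception if index cleanup or the superclass teardown fails
     */
    @Override
    @After
    public void tearDown()
        throws Exception
    {
        applicationContext.getBean( MavenIndexerCleaner.class ).cleanupIndex();
        super.tearDown();
    }

    // ---------------------------------------------------------------------------------------------------------------
    // helpers shared by the tests
    // ---------------------------------------------------------------------------------------------------------------

    /**
     * Reads the {@code /artifact.jar} test resource into memory, closing the stream afterwards.
     *
     * @return the resource bytes, used as the PUT body
     * @throws IOException if the resource cannot be read
     */
    private byte[] readArtifactJar()
        throws IOException
    {
        try ( InputStream is = getClass().getResourceAsStream( "/artifact.jar" ) )
        {
            assertNotNull( "artifact.jar inputstream", is );
            return IOUtils.toByteArray( is );
        }
    }

    /**
     * Writes {@code contents} to {@code relativePath} below the "internal" repository root so a GET has something to
     * serve. UTF-8 is used explicitly so the fixture does not depend on the platform charset.
     *
     * @param relativePath repository-relative path of the file to create
     * @param contents     file body
     * @return the created file
     * @throws IOException if the parent directories or the file cannot be created
     */
    private File writeInternalArtifact( String relativePath, String contents )
        throws IOException
    {
        File artifactFile = new File( repoRootInternal.getRoot(), relativePath );
        File parent = artifactFile.getParentFile();
        parent.mkdirs();
        assertTrue( "artifact directory " + parent, parent.isDirectory() );
        FileUtils.writeStringToFile( artifactFile, contents, StandardCharsets.UTF_8 );
        return artifactFile;
    }

    /**
     * Points the servlet's {@code ArchivaDavResourceFactory} at the two mocks so that its own authorization check is
     * driven by the test's expectations, and re-installs it into the servlet.
     *
     * @return the wired factory, for tests that need to attach listeners to it
     */
    private ArchivaDavResourceFactory wireMockedResourceFactory()
    {
        ArchivaDavResourceFactory factory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
        factory.setHttpAuth( httpAuth );
        factory.setServletAuth( servletAuth );
        servlet.setResourceFactory( factory );
        return factory;
    }

    /**
     * Turns {@code request} into the upload every PUT test sends: {@code PUT} {@link #PUT_ARTIFACT_URI} with an
     * {@code application/octet-stream} body.
     *
     * @param request request to populate; may already carry a session created by the caller
     * @param content request body
     */
    private static void preparePutRequest( MockHttpServletRequest request, byte[] content )
    {
        request.addHeader( "User-Agent", "foo" );
        request.setMethod( "PUT" );
        request.setRequestURI( PUT_ARTIFACT_URI );
        request.setContent( content );
        request.setContentType( "application/octet-stream" );
    }

    /**
     * Builds a {@code GET} for {@code repositoryRelativePath} inside the "internal" repository.
     *
     * @param repositoryRelativePath path below the repository root
     * @return the populated request
     */
    private static MockHttpServletRequest newGetRequest( String repositoryRelativePath )
    {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.addHeader( "User-Agent", "foo" );
        request.setMethod( "GET" );
        request.setRequestURI( "/repository/internal/" + repositoryRelativePath );
        return request;
    }

    /** Switches both mock controls from record to replay state. */
    private void replayMocks()
    {
        httpAuthControl.replay();
        servletAuthControl.replay();
    }

    /** Fails the test if any recorded expectation on either mock was not consumed. */
    private void verifyMocks()
    {
        httpAuthControl.verify();
        servletAuthControl.verify();
    }

    // ---------------------------------------------------------------------------------------------------------------
    // PUT (deploy)
    // ---------------------------------------------------------------------------------------------------------------

    /**
     * Deploy by a caller whose credentials fail authentication, where the "guest" fallback has no upload permission:
     * the request must be refused with 401.
     *
     * @throws Exception on test failure
     */
    @Test
    public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
        throws Exception
    {
        byte[] artifact = readArtifactJar();
        servlet.setDavSessionProvider( davSessionProvider );

        AuthenticationResult result = new AuthenticationResult();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        // Authentication fails, so the session provider falls back to the "guest" principal ...
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
                                                      anyObject( AuthenticationResult.class ) ) ).andThrow(
            new AuthenticationException( "Authentication error" ) );
        // ... and guest is denied upload on the repository.
        EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
                                                   ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andThrow(
            new UnauthorizedException( "'guest' has no write access to repository" ) );
        replayMocks();

        MockHttpServletRequest request = new MockHttpServletRequest();
        preparePutRequest( request, artifact );
        MockHttpServletResponse response = new MockHttpServletResponse();
        servlet.service( request, response );

        verifyMocks();
        assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getStatus() );
    }

    /**
     * Deploy by a caller whose credentials fail authentication, where "guest" is allowed to upload: the request is
     * accepted (201) on guest's authority.
     *
     * @throws Exception on test failure
     */
    @Test
    public void testPutWithInvalidUserAndGuestHasWriteAccess()
        throws Exception
    {
        servlet.setDavSessionProvider( davSessionProvider );
        wireMockedResourceFactory();

        AuthenticationResult result = new AuthenticationResult();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
                                                      anyObject( AuthenticationResult.class ) ) ).andThrow(
            new AuthenticationException( "Authentication error" ) );
        EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
                                                   ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn( true );

        // ArchivaDavResourceFactory#isAuthorized()
        SecuritySession session = new DefaultSecuritySession();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andThrow(
            new AuthenticationException( "Authentication error" ) );
        // No user in the session either, so the factory must also fall back to guest ...
        EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
        // ... and check whether guest has write access.
        EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
                                                   ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ).andReturn( true );
        replayMocks();

        byte[] artifact = readArtifactJar();
        MockHttpServletRequest request = new MockHttpServletRequest();
        preparePutRequest( request, artifact );
        MockHttpServletResponse response = new MockHttpServletResponse();
        servlet.service( request, response );

        verifyMocks();
        assertEquals( HttpServletResponse.SC_CREATED, response.getStatus() );
    }

    /**
     * Deploy by an authenticated user who lacks upload permission: authentication succeeding must not bypass the
     * authorization check, so the result is 401.
     *
     * @throws Exception on test failure
     */
    @Test
    public void testPutWithValidUserWithNoWriteAccess()
        throws Exception
    {
        servlet.setDavSessionProvider( davSessionProvider );
        wireMockedResourceFactory();

        // Created up front: its HttpSession is used as an exact argument in the expectations below.
        MockHttpServletRequest request = new MockHttpServletRequest();

        AuthenticationResult result = new AuthenticationResult();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
                                                      anyObject( AuthenticationResult.class ) ) ).andReturn( true );

        // ArchivaDavResourceFactory#isAuthorized()
        SecuritySession session = new DefaultSecuritySession();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( httpAuth.getSecuritySession( request.getSession( true ) ) ).andReturn( session );
        EasyMock.expect( httpAuth.getSessionUser( request.getSession() ) ).andReturn( new SimpleUser() );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
            true );
        EasyMock.expect(
            servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
                                      eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andThrow(
            new UnauthorizedException( "User not authorized" ) );
        replayMocks();

        preparePutRequest( request, readArtifactJar() );
        MockHttpServletResponse response = new MockHttpServletResponse();
        servlet.service( request, response );

        verifyMocks();
        assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getStatus() );
    }

    /**
     * Deploy by an authenticated user with upload permission: 201, and the audit event records the session user
     * ("admin") rather than guest.
     *
     * @throws Exception on test failure
     */
    @Test
    public void testPutWithValidUserWithWriteAccess()
        throws Exception
    {
        assertTrue( repoRootInternal.getRoot().exists() );

        // Created up front: its HttpSession is used as an exact argument in the expectations below.
        MockHttpServletRequest request = new MockHttpServletRequest();
        byte[] artifact = readArtifactJar();

        servlet.setDavSessionProvider( davSessionProvider );
        ArchivaDavResourceFactory archivaDavResourceFactory = wireMockedResourceFactory();
        TestAuditListener listener = new TestAuditListener();
        archivaDavResourceFactory.addAuditListener( listener );

        AuthenticationResult result = new AuthenticationResult();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
                                                      anyObject( AuthenticationResult.class ) ) ).andReturn( true );

        User user = new SimpleUser();
        user.setUsername( "admin" );

        // ArchivaDavResourceFactory#isAuthorized()
        SecuritySession session = new DefaultSecuritySession();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( httpAuth.getSecuritySession( request.getSession() ) ).andReturn( session );
        EasyMock.expect( httpAuth.getSessionUser( request.getSession() ) ).andReturn( user );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
            true );
        EasyMock.expect(
            servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
                                      eq( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ) ) ).andReturn( true );
        replayMocks();

        preparePutRequest( request, artifact );
        MockHttpServletResponse response = new MockHttpServletResponse();
        servlet.service( request, response );

        verifyMocks();
        assertEquals( HttpServletResponse.SC_CREATED, response.getStatus() );
        // The audit trail must attribute the upload to the authenticated user.
        assertEquals( "admin", listener.getEvents().get( 0 ).getUserId() );
    }

    // ---------------------------------------------------------------------------------------------------------------
    // GET (read)
    // ---------------------------------------------------------------------------------------------------------------

    /**
     * Read by a caller whose credentials fail authentication, where "guest" may read the repository: 200 with the
     * file contents.
     *
     * @throws Exception on test failure
     */
    @Test
    public void testGetWithInvalidUserAndGuestHasReadAccess()
        throws Exception
    {
        writeInternalArtifact( COMMONS_LANG_JAR, EXPECTED_ARTIFACT_CONTENTS );

        servlet.setDavSessionProvider( davSessionProvider );
        wireMockedResourceFactory();

        AuthenticationResult result = new AuthenticationResult();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
                                                      anyObject( AuthenticationResult.class ) ) ).andThrow(
            new AuthenticationException( "Authentication error" ) );
        EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
                                                   ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn( true );

        // ArchivaDavResourceFactory#isAuthorized()
        SecuritySession session = new DefaultSecuritySession();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
        EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( null );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
            true );
        EasyMock.expect(
            servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
                                      eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
        replayMocks();

        MockHttpServletRequest request = newGetRequest( COMMONS_LANG_JAR );
        MockHttpServletResponse response = new MockHttpServletResponse();
        servlet.service( request, response );

        verifyMocks();
        assertEquals( HttpServletResponse.SC_OK, response.getStatus() );
        assertEquals( "Expected file contents", EXPECTED_ARTIFACT_CONTENTS, response.getContentAsString() );
    }

    /**
     * Read by a caller whose credentials fail authentication, where "guest" may not read the repository: 401, and the
     * file that exists on disk must not be served.
     *
     * @throws Exception on test failure
     */
    @Test
    public void testGetWithInvalidUserAndGuestHasNoReadAccess()
        throws Exception
    {
        writeInternalArtifact( COMMONS_LANG_JAR, EXPECTED_ARTIFACT_CONTENTS );

        servlet.setDavSessionProvider( davSessionProvider );

        AuthenticationResult result = new AuthenticationResult();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
                                                      anyObject( AuthenticationResult.class ) ) ).andThrow(
            new AuthenticationException( "Authentication error" ) );
        // Guest denied read access: a plain "false" (not an exception) must still yield 401.
        EasyMock.expect( servletAuth.isAuthorized( "guest", "internal",
                                                   ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ).andReturn( false );
        replayMocks();

        MockHttpServletRequest request = newGetRequest( COMMONS_LANG_JAR );
        MockHttpServletResponse response = new MockHttpServletResponse();
        servlet.service( request, response );

        verifyMocks();
        assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getStatus() );
    }

    /**
     * Read by an authenticated user with read permission: 200 with the file contents.
     *
     * @throws Exception on test failure
     */
    @Test
    public void testGetWithAValidUserWithReadAccess()
        throws Exception
    {
        writeInternalArtifact( COMMONS_LANG_JAR, EXPECTED_ARTIFACT_CONTENTS );

        servlet.setDavSessionProvider( davSessionProvider );
        wireMockedResourceFactory();

        AuthenticationResult result = new AuthenticationResult();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
                                                      anyObject( AuthenticationResult.class ) ) ).andReturn( true );

        // ArchivaDavResourceFactory#isAuthorized()
        SecuritySession session = new DefaultSecuritySession();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
        EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
            true );
        EasyMock.expect(
            servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
                                      eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andReturn( true );
        replayMocks();

        MockHttpServletRequest request = newGetRequest( COMMONS_LANG_JAR );
        MockHttpServletResponse response = new MockHttpServletResponse();
        servlet.service( request, response );

        verifyMocks();
        assertEquals( HttpServletResponse.SC_OK, response.getStatus() );
        assertEquals( "Expected file contents", EXPECTED_ARTIFACT_CONTENTS, response.getContentAsString() );
    }

    /**
     * Read by an authenticated user without read permission: 401, even though authentication succeeded and the file
     * exists.
     *
     * @throws Exception on test failure
     */
    @Test
    public void testGetWithAValidUserWithNoReadAccess()
        throws Exception
    {
        writeInternalArtifact( COMMONS_LANG_JAR, EXPECTED_ARTIFACT_CONTENTS );

        servlet.setDavSessionProvider( davSessionProvider );
        wireMockedResourceFactory();

        AuthenticationResult result = new AuthenticationResult();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ),
                                                      anyObject( AuthenticationResult.class ) ) ).andReturn( true );

        // ArchivaDavResourceFactory#isAuthorized()
        SecuritySession session = new DefaultSecuritySession();
        EasyMock.expect( httpAuth.getAuthenticationResult( anyObject( HttpServletRequest.class ),
                                                           anyObject( HttpServletResponse.class ) ) ).andReturn( result );
        EasyMock.expect( httpAuth.getSecuritySession( anyObject( HttpSession.class ) ) ).andReturn( session );
        EasyMock.expect( httpAuth.getSessionUser( anyObject( HttpSession.class ) ) ).andReturn( new SimpleUser() );
        EasyMock.expect( servletAuth.isAuthenticated( anyObject( HttpServletRequest.class ), eq( result ) ) ).andReturn(
            true );
        EasyMock.expect(
            servletAuth.isAuthorized( anyObject( HttpServletRequest.class ), eq( session ), eq( "internal" ),
                                      eq( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) ) ).andThrow(
            new UnauthorizedException( "User not authorized to read repository." ) );
        replayMocks();

        MockHttpServletRequest request = newGetRequest( COMMONS_LANG_JAR );
        MockHttpServletResponse response = new MockHttpServletResponse();
        servlet.service( request, response );

        verifyMocks();
        assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getStatus() );
    }
}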