Apache
/
archiva
mirror of https://github.com/apache/archiva.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

merged from archiva-security-fix trunk 

changes:
-fix security issue
-added RepositoryServletSecurityTest and ArchivaServletAuthenticatorTest test cases


git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@702027 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Maria Odea B. Ching 2008-10-06 09:05:09 +00:00
parent edf5c67247
commit 2262565505
14 changed files with 1285 additions and 275 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
View File

@ -93,11 +93,18 @@ public class ArchivaServletAuthenticator
return true;
}
public boolean isAuthorized( String principal, String repoId )
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest )
throws UnauthorizedException
{
try
{
String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
if ( isWriteRequest )
{
permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
User user = securitySystem.getUserManager().findUser( principal );
if ( user.isLocked() )
{
@ -107,8 +114,7 @@ public class ArchivaServletAuthenticator
AuthenticationResult authn = new AuthenticationResult( true, principal, null );
SecuritySession securitySession = new DefaultSecuritySession( authn, user );
return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS,
repoId );
return securitySystem.isAuthorized( securitySession, permission, repoId );
}
catch ( UserNotFoundException e )
{

5
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaXworkUser.java
View File

@ -85,4 +85,9 @@ public class ArchivaXworkUser
return guest;
}
public void setGuest( String guesT )
{
guest = guesT;
}
}

36
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
View File

@ -35,12 +35,46 @@ import org.codehaus.plexus.redback.system.SecuritySession;
*/
public interface ServletAuthenticator
{
/**
* Authentication check for users.
*
* @param request
* @param result
* @return
* @throws AuthenticationException
* @throws AccountLockedException
* @throws MustChangePasswordException
*/
public boolean isAuthenticated( HttpServletRequest request, AuthenticationResult result )
throws AuthenticationException, AccountLockedException, MustChangePasswordException;
/**
* Authorization check for valid users.
*
* @param request
* @param securitySession
* @param repositoryId
* @param isWriteRequest
* @return
* @throws AuthorizationException
* @throws UnauthorizedException
*/
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException;
public boolean isAuthorized( String principal, String repoId )
/**
* Authorization check specific for user guest, which doesn't go through
* HttpBasicAuthentication#getAuthenticationResult( HttpServletRequest request, HttpServletResponse response )
* since no credentials are attached to the request.
*
* See also MRM-911
*
* @param principal
* @param repoId
* @param isWriteRequest
* @return
* @throws UnauthorizedException
*/
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest )
throws UnauthorizedException;
}

126
archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/AbstractSecurityTest.java Normal file
View File

@ -0,0 +1,126 @@
package org.apache.maven.archiva.security;
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
import java.io.File;
import org.apache.commons.io.FileUtils;
import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
import org.codehaus.plexus.redback.rbac.RBACManager;
import org.codehaus.plexus.redback.role.RoleManager;
import org.codehaus.plexus.redback.system.SecuritySystem;
import org.codehaus.plexus.redback.users.User;
import org.codehaus.plexus.redback.users.UserManager;
import org.codehaus.plexus.spring.PlexusInSpringTestCase;
/**
* AbstractSecurityTest
*
* @author <a href="mailto:oching@apache.org">Maria Odea Ching</a>
* @version $Id: AbstractSecurityTest
*/
public abstract class AbstractSecurityTest
extends PlexusInSpringTestCase
{
protected static final String USER_GUEST = "guest";
protected static final String USER_ADMIN = "admin";
protected static final String USER_ALPACA = "alpaca";
protected SecuritySystem securitySystem;
private RBACManager rbacManager;
protected RoleManager roleManager;
private ArchivaConfiguration archivaConfiguration;
protected UserRepositories userRepos;
protected void setupRepository( String repoId )
throws Exception
{
// Add repo to configuration.
ManagedRepositoryConfiguration repoConfig = new ManagedRepositoryConfiguration();
repoConfig.setId( repoId );
repoConfig.setName( "Testable repo <" + repoId + ">" );
repoConfig.setLocation( getTestPath( "target/test-repo/" + repoId ) );
archivaConfiguration.getConfiguration().addManagedRepository( repoConfig );
// Add repo roles to security.
userRepos.createMissingRepositoryRoles( repoId );
}
protected void assignRepositoryObserverRole( String principal, String repoId )
throws Exception
{
roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId, principal );
}
protected User createUser( String principal, String fullname )
{
UserManager userManager = securitySystem.getUserManager();
User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" );
securitySystem.getPolicy().setEnabled( false );
userManager.addUser( user );
securitySystem.getPolicy().setEnabled( true );
return user;
}
@Override
public void setUp()
throws Exception
{
super.setUp();
File srcConfig = getTestFile( "src/test/resources/repository-archiva.xml" );
File destConfig = getTestFile( "target/test-conf/archiva.xml" );
destConfig.getParentFile().mkdirs();
destConfig.delete();
FileUtils.copyFile( srcConfig, destConfig );
securitySystem = (SecuritySystem) lookup( SecuritySystem.class, "testable" );
rbacManager = (RBACManager) lookup( RBACManager.class, "memory" );
roleManager = (RoleManager) lookup( RoleManager.class, "default" );
userRepos = (UserRepositories) lookup( UserRepositories.class, "default" );
archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
// Some basic asserts.
assertNotNull( securitySystem );
assertNotNull( rbacManager );
assertNotNull( roleManager );
assertNotNull( userRepos );
assertNotNull( archivaConfiguration );
// Setup Admin User.
User adminUser = createUser( USER_ADMIN, "Admin User" );
roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_SYSTEM_ADMIN, adminUser.getPrincipal().toString() );
// Setup Guest User.
User guestUser = createUser( USER_GUEST, "Guest User" );
roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GUEST, guestUser.getPrincipal().toString() );
}
}

224
archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java Normal file
View File

@ -0,0 +1,224 @@
package org.apache.maven.archiva.security;
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
import javax.servlet.http.HttpServletRequest;
import org.codehaus.plexus.redback.authentication.AuthenticationException;
import org.codehaus.plexus.redback.authentication.AuthenticationResult;
import org.codehaus.plexus.redback.authorization.UnauthorizedException;
import org.codehaus.plexus.redback.system.DefaultSecuritySession;
import org.codehaus.plexus.redback.system.SecuritySession;
import org.codehaus.plexus.redback.users.User;
import org.codehaus.plexus.redback.users.UserManager;
import org.easymock.MockControl;
/**
* ArchivaServletAuthenticatorTest
*
* @author <a href="mailto:oching@apache.org">Maria Odea Ching</a>
* @version
*/
public class ArchivaServletAuthenticatorTest
extends AbstractSecurityTest
{
private ServletAuthenticator servletAuth;
private MockControl httpServletRequestControl;
private HttpServletRequest request;
@Override
public void setUp()
throws Exception
{
super.setUp();
servletAuth = ( ServletAuthenticator ) lookup( ServletAuthenticator.class, "default" );
httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
request = ( HttpServletRequest ) httpServletRequestControl.getMock();
setupRepository( "corporate" );
}
@Override
protected String getPlexusConfigLocation()
{
return "org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml";
}
protected void assignRepositoryManagerRole( String principal, String repoId )
throws Exception
{
roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
}
public void testIsAuthenticatedUserExists()
throws Exception
{
AuthenticationResult result = new AuthenticationResult( true, "user", null );
boolean isAuthenticated = servletAuth.isAuthenticated( request, result );
assertTrue( isAuthenticated );
}
public void testIsAuthenticatedUserDoesNotExist()
throws Exception
{
AuthenticationResult result = new AuthenticationResult( false, "non-existing-user", null );
try
{
servletAuth.isAuthenticated( request, result );
fail( "Authentication exception should have been thrown." );
}
catch ( AuthenticationException e )
{
assertEquals( "User Credentials Invalid", e.getMessage() );
}
}
public void testIsAuthorizedUserHasWriteAccess()
throws Exception
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
assignRepositoryManagerRole( USER_ALPACA, "corporate" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", true );
assertTrue( isAuthorized );
}
public void testIsAuthorizedUserHasNoWriteAccess()
throws Exception
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
assignRepositoryObserverRole( USER_ALPACA, "corporate" );
httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
httpServletRequestControl.replay();
try
{
servletAuth.isAuthorized( request, session, "corporate", true );
fail( "UnauthorizedException should have been thrown." );
}
catch ( UnauthorizedException e )
{
assertEquals( "Access denied for repository corporate", e.getMessage() );
}
httpServletRequestControl.verify();
}
public void testIsAuthorizedUserHasReadAccess()
throws Exception
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
assignRepositoryObserverRole( USER_ALPACA, "corporate" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", false );
assertTrue( isAuthorized );
}
public void testIsAuthorizedUserHasNoReadAccess()
throws Exception
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
try
{
servletAuth.isAuthorized( request, session, "corporate", false );
fail( "UnauthorizedException should have been thrown." );
}
catch ( UnauthorizedException e )
{
assertEquals( "Access denied for repository corporate", e.getMessage() );
}
}
public void testIsAuthorizedGuestUserHasWriteAccess()
throws Exception
{
assignRepositoryManagerRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true );
assertTrue( isAuthorized );
}
public void testIsAuthorizedGuestUserHasNoWriteAccess()
throws Exception
{
assignRepositoryObserverRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true );
assertFalse( isAuthorized );
}
public void testIsAuthorizedGuestUserHasReadAccess()
throws Exception
{
assignRepositoryObserverRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false );
assertTrue( isAuthorized );
}
public void testIsAuthorizedGuestUserHasNoReadAccess()
throws Exception
{
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false );
assertFalse( isAuthorized );
}
}

101
archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/DefaultUserRepositoriesTest.java
View File

@ -19,19 +19,9 @@ package org.apache.maven.archiva.security;
* under the License.
*/
import java.io.File;
import java.util.List;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
import org.codehaus.plexus.spring.PlexusInSpringTestCase;
import org.codehaus.plexus.redback.rbac.RBACManager;
import org.codehaus.plexus.redback.role.RoleManager;
import org.codehaus.plexus.redback.system.SecuritySystem;
import org.codehaus.plexus.redback.users.User;
import org.codehaus.plexus.redback.users.UserManager;
/**
* DefaultUserRepositoriesTest
@ -40,23 +30,13 @@ import org.codehaus.plexus.redback.users.UserManager;
* @version $Id$
*/
public class DefaultUserRepositoriesTest
extends PlexusInSpringTestCase
extends AbstractSecurityTest
{
private static final String USER_GUEST = "guest";
private static final String USER_ADMIN = "admin";
private static final String USER_ALPACA = "alpaca";
private SecuritySystem securitySystem;
private RBACManager rbacManager;
private RoleManager roleManager;
private ArchivaConfiguration archivaConfiguration;
private UserRepositories userRepos;
@Override
protected String getPlexusConfigLocation()
{
return "org/apache/maven/archiva/security/DefaultUserRepositoriesTest.xml";
}
public void testGetObservableRepositoryIds()
throws Exception
@ -98,78 +78,9 @@ public class DefaultUserRepositoriesTest
}
}
private void setupRepository( String repoId )
throws Exception
{
// Add repo to configuration.
ManagedRepositoryConfiguration repoConfig = new ManagedRepositoryConfiguration();
repoConfig.setId( repoId );
repoConfig.setName( "Testable repo <" + repoId + ">" );
repoConfig.setLocation( getTestPath( "target/test-repo/" + repoId ) );
archivaConfiguration.getConfiguration().addManagedRepository( repoConfig );
// Add repo roles to security.
userRepos.createMissingRepositoryRoles( repoId );
}
private void assignGlobalRepositoryObserverRole( String principal )
throws Exception
{
roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GLOBAL_REPOSITORY_OBSERVER, principal );
}
private void assignRepositoryObserverRole( String principal, String repoId )
throws Exception
{
roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId, principal );
}
private User createUser( String principal, String fullname )
{
UserManager userManager = securitySystem.getUserManager();
User user = userManager.createUser( principal, fullname, principal + "@testable.archiva.apache.org" );
securitySystem.getPolicy().setEnabled( false );
userManager.addUser( user );
securitySystem.getPolicy().setEnabled( true );
return user;
}
@Override
protected void setUp()
throws Exception
{
super.setUp();
File srcConfig = getTestFile( "src/test/resources/repository-archiva.xml" );
File destConfig = getTestFile( "target/test-conf/archiva.xml" );
destConfig.getParentFile().mkdirs();
destConfig.delete();
FileUtils.copyFile( srcConfig, destConfig );
securitySystem = (SecuritySystem) lookup( SecuritySystem.class, "testable" );
rbacManager = (RBACManager) lookup( RBACManager.class, "memory" );
roleManager = (RoleManager) lookup( RoleManager.class, "default" );
userRepos = (UserRepositories) lookup( UserRepositories.class, "default" );
archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
// Some basic asserts.
assertNotNull( securitySystem );
assertNotNull( rbacManager );
assertNotNull( roleManager );
assertNotNull( userRepos );
assertNotNull( archivaConfiguration );
// Setup Admin User.
User adminUser = createUser( USER_ADMIN, "Admin User" );
roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_SYSTEM_ADMIN, adminUser.getPrincipal().toString() );
// Setup Guest User.
User guestUser = createUser( USER_GUEST, "Guest User" );
roleManager.assignRole( ArchivaRoleConstants.TEMPLATE_GUEST, guestUser.getPrincipal().toString() );
}
}

202
archiva-modules/archiva-web/archiva-security/src/test/resources/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml Normal file
View File

@ -0,0 +1,202 @@
<?xml version="1.0" ?>
<component-set>
<components>
<component>
<role>org.apache.maven.archiva.security.ServletAuthenticator</role>
<role-hint>default</role-hint>
<implementation>org.apache.maven.archiva.security.ArchivaServletAuthenticator</implementation>
<description>ArchivaServletAuthenticator</description>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.system.SecuritySystem</role>
<role-hint>testable</role-hint>
<field-name>securitySystem</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.apache.maven.archiva.security.UserRepositories</role>
<role-hint>default</role-hint>
<implementation>org.apache.maven.archiva.security.DefaultUserRepositories</implementation>
<description>DefaultUserRepositories</description>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.system.SecuritySystem</role>
<role-hint>testable</role-hint>
<field-name>securitySystem</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>rbacManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.role.RoleManager</role>
<role-hint>default</role-hint>
<field-name>roleManager</field-name>
</requirement>
<requirement>
<role>org.apache.maven.archiva.configuration.ArchivaConfiguration</role>
<field-name>archivaConfiguration</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.system.SecuritySystem</role>
<role-hint>testable</role-hint>
<implementation>org.codehaus.plexus.redback.system.DefaultSecuritySystem</implementation>
<description>DefaultSecuritySystem:</description>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.authentication.AuthenticationManager</role>
<field-name>authnManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.authorization.Authorizer</role>
<role-hint>rbac</role-hint>
<field-name>authorizer</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.users.UserManager</role>
<role-hint>memory</role-hint>
<field-name>userManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.keys.KeyManager</role>
<role-hint>memory</role-hint>
<field-name>keyManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.policy.UserSecurityPolicy</role>
<field-name>policy</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.authorization.Authorizer</role>
<role-hint>rbac</role-hint>
<implementation>org.codehaus.plexus.redback.authorization.rbac.RbacAuthorizer</implementation>
<description>RbacAuthorizer:</description>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>manager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.users.UserManager</role>
<role-hint>memory</role-hint>
<field-name>userManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator</role>
<role-hint>default</role-hint>
<field-name>evaluator</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.configuration.UserConfiguration</role>
<role-hint>default</role-hint>
<field-name>config</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.authorization.rbac.evaluator.DefaultPermissionEvaluator</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.users.UserManager</role>
<role-hint>memory</role-hint>
<field-name>userManager</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.role.RoleManager</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.role.DefaultRoleManager</implementation>
<description>RoleProfileManager:</description>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.role.validator.RoleModelValidator</role>
<role-hint>default</role-hint>
<field-name>modelValidator</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.role.processor.RoleModelProcessor</role>
<role-hint>default</role-hint>
<field-name>modelProcessor</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.role.template.RoleTemplateProcessor</role>
<role-hint>default</role-hint>
<field-name>templateProcessor</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>rbacManager</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.role.processor.RoleModelProcessor</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.role.processor.DefaultRoleModelProcessor</implementation>
<description>DefaultRoleModelProcessor: inserts the components of the model that can be populated into the rbac manager</description>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>rbacManager</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.role.template.RoleTemplateProcessor</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.role.template.DefaultRoleTemplateProcessor</implementation>
<description>DefaultRoleTemplateProcessor: inserts the components of a template into the rbac manager</description>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>rbacManager</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.apache.maven.archiva.configuration.ArchivaConfiguration</role>
<implementation>org.apache.maven.archiva.configuration.DefaultArchivaConfiguration</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.registry.Registry</role>
<role-hint>configured</role-hint>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.registry.Registry</role>
<role-hint>configured</role-hint>
<implementation>org.codehaus.plexus.registry.commons.CommonsConfigurationRegistry</implementation>
<configuration>
<properties>
<system/>
<xml fileName="${basedir}/target/test-conf/archiva.xml"
config-name="org.apache.maven.archiva.base" config-at="org.apache.maven.archiva"/>
</properties>
</configuration>
</component>
</components>
</component-set>

22
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
View File

@ -491,6 +491,7 @@ public class ArchivaDavResourceFactory
File rootDirectory = new File( managedRepository.getRepoRoot() );
File destDir = new File( rootDirectory, logicalResource.getPath() ).getParentFile();
if ( request.getMethod().equals(HTTP_PUT_METHOD) && !destDir.exists() )
{
destDir.mkdirs();
@ -733,12 +734,14 @@ public class ArchivaDavResourceFactory
}
catch ( AuthenticationException e )
{
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
// safety check for MRM-911
String guest = archivaXworkUser.getGuest();
try
{
if( servletAuth.isAuthorized( guest,
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId() ) )
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) )
{
return true;
}
@ -795,6 +798,8 @@ public class ArchivaDavResourceFactory
if( allow )
{
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
for( String repository : repositories )
{
// for prompted authentication
@ -817,7 +822,7 @@ public class ArchivaDavResourceFactory
// for the current user logged in
try
{
if( servletAuth.isAuthorized( activePrincipal, repository ) )
if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) )
{
getResource( locator, mergedRepositoryContents, logicalResource, repository );
}
@ -909,11 +914,12 @@ public class ArchivaDavResourceFactory
}
else
{
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
for( String repository : repositories )
{
try
{
if( servletAuth.isAuthorized( activePrincipal, repository ) )
if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) )
{
allow = true;
break;
@ -974,4 +980,14 @@ public class ArchivaDavResourceFactory
return true;
}
}
public void setServletAuth( ServletAuthenticator servletAuth )
{
this.servletAuth = servletAuth;
}
public void setHttpAuth( HttpAuthenticator httpAuth )
{
this.httpAuth = httpAuth;
}
}

5
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
View File

@ -24,6 +24,7 @@ import org.apache.jackrabbit.webdav.WebdavRequest;
import org.apache.jackrabbit.webdav.DavException;
import org.apache.jackrabbit.webdav.DavServletRequest;
import org.apache.maven.archiva.webdav.util.RepositoryPathUtil;
import org.apache.maven.archiva.webdav.util.WebdavMethodUtil;
import org.apache.maven.archiva.security.ArchivaXworkUser;
import org.apache.maven.archiva.security.ServletAuthenticator;
import org.codehaus.plexus.redback.authentication.AuthenticationException;
@ -72,12 +73,14 @@ public class ArchivaDavSessionProvider
}
catch ( AuthenticationException e )
{
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
// safety check for MRM-911
String guest = archivaXworkUser.getGuest();
try
{
if( servletAuth.isAuthorized( guest,
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId() ) )
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) )
{
request.setDavSession(new ArchivaDavSession());
return true;

2
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
View File

@ -362,7 +362,7 @@ public class ArchivaDavSessionProviderTest extends TestCase
return true;
}
public boolean isAuthorized(String arg0, String arg1)
public boolean isAuthorized(String arg0, String arg1, boolean isWriteRequest)
throws UnauthorizedException
{
return true;

537
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java
View File

@ -1,21 +1,550 @@
package org.apache.maven.archiva.webdav;
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import javax.servlet.http.HttpServletResponse;
import net.sf.ehcache.CacheManager;
import org.apache.commons.io.FileUtils;
import org.apache.jackrabbit.webdav.DavResourceFactory;
import org.apache.jackrabbit.webdav.DavSessionProvider;
import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.Configuration;
import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
import org.apache.maven.archiva.security.ArchivaXworkUser;
import org.apache.maven.archiva.security.ServletAuthenticator;
import org.codehaus.plexus.redback.authentication.AuthenticationException;
import org.codehaus.plexus.redback.authentication.AuthenticationResult;
import org.codehaus.plexus.redback.authorization.UnauthorizedException;
import org.codehaus.plexus.redback.system.DefaultSecuritySession;
import org.codehaus.plexus.redback.system.SecuritySession;
import org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator;
import org.codehaus.plexus.redback.xwork.filter.authentication.basic.HttpBasicAuthentication;
import org.codehaus.plexus.spring.PlexusInSpringTestCase;
import org.easymock.MockControl;
import org.easymock.classextension.MockClassControl;
import org.easymock.internal.AlwaysMatcher;
import com.meterware.httpunit.GetMethodWebRequest;
import com.meterware.httpunit.HttpUnitOptions;
import com.meterware.httpunit.PutMethodWebRequest;
import com.meterware.httpunit.WebRequest;
import com.meterware.httpunit.WebResponse;
import com.meterware.servletunit.InvocationContext;
import com.meterware.servletunit.ServletRunner;
import com.meterware.servletunit.ServletUnitClient;
/**
* RepositoryServletSecurityTest
*
* Test the flow of the authentication and authorization checks. This does not necessarily
* perform redback security checking.
*
* @author <a href="mailto:joakime@apache.org">Joakim Erdfelt</a>
* @version $Id$
*/
public class RepositoryServletSecurityTest
extends AbstractRepositoryServletTestCase
extends PlexusInSpringTestCase
{
public void testSecuredGet()
{
protected static final String REPOID_INTERNAL = "internal";
protected ServletUnitClient sc;
protected File repoRootInternal;
private ServletRunner sr;
protected ArchivaConfiguration archivaConfiguration;
private DavSessionProvider davSessionProvider;
private MockControl servletAuthControl;
private ServletAuthenticator servletAuth;
private MockClassControl httpAuthControl;
private HttpAuthenticator httpAuth;
private ArchivaXworkUser archivaXworkUser;
private RepositoryServlet servlet;
public void setUp()
throws Exception
{
super.setUp();
String appserverBase = getTestFile( "target/appserver-base" ).getAbsolutePath();
System.setProperty( "appserver.base", appserverBase );
File testConf = getTestFile( "src/test/resources/repository-archiva.xml" );
File testConfDest = new File( appserverBase, "conf/archiva.xml" );
FileUtils.copyFile( testConf, testConfDest );
archivaConfiguration = (ArchivaConfiguration) lookup( ArchivaConfiguration.class );
repoRootInternal = new File( appserverBase, "data/repositories/internal" );
Configuration config = archivaConfiguration.getConfiguration();
config.addManagedRepository( createManagedRepository( REPOID_INTERNAL, "Internal Test Repo", repoRootInternal ) );
saveConfiguration( archivaConfiguration );
CacheManager.getInstance().removeCache( "url-failures-cache" );
HttpUnitOptions.setExceptionsThrownOnErrorStatus( false );
sr = new ServletRunner( getTestFile( "src/test/resources/WEB-INF/repository-servlet-security-test/web.xml" ) );
sr.registerServlet( "/repository/*", RepositoryServlet.class.getName() );
sc = sr.newClient();
servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
httpAuthControl =
MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods() );
httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
archivaXworkUser = new ArchivaXworkUser();
archivaXworkUser.setGuest( "guest" );
davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth, archivaXworkUser );
}
public void testSecuredBrowse()
protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
{
ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
repo.setId( id );
repo.setName( name );
repo.setLocation( location.getAbsolutePath() );
return repo;
}
protected void saveConfiguration()
throws Exception
{
saveConfiguration( archivaConfiguration );
}
protected void saveConfiguration( ArchivaConfiguration archivaConfiguration )
throws Exception
{
archivaConfiguration.save( archivaConfiguration.getConfiguration() );
}
protected void setupCleanRepo( File repoRootDir )
throws IOException
{
FileUtils.deleteDirectory( repoRootDir );
if ( !repoRootDir.exists() )
{
repoRootDir.mkdirs();
}
}
@Override
protected String getPlexusConfigLocation()
{
return "org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml";
}
@Override
protected void tearDown()
throws Exception
{
if ( sc != null )
{
sc.clearContents();
}
if ( sr != null )
{
sr.shutDown();
}
if ( repoRootInternal.exists() )
{
FileUtils.deleteDirectory(repoRootInternal);
}
servlet = null;
super.tearDown();
}
// test deploy with invalid user, and guest has no write access to repo
// 401 must be returned
public void testPutWithInvalidUserAndGuestHasNoWriteAccess()
throws Exception
{
setupCleanRepo( repoRootInternal );
String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
assertNotNull( "artifact.jar inputstream", is );
WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", true );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
httpAuthControl.replay();
servletAuthControl.replay();
servlet.service( ic.getRequest(), ic.getResponse() );
httpAuthControl.verify();
servletAuthControl.verify();
//assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
}
// test deploy with invalid user, but guest has write access to repo
public void testPutWithInvalidUserAndGuestHasWriteAccess()
throws Exception
{
setupCleanRepo( repoRootInternal );
String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
assertNotNull( "artifact.jar inputstream", is );
WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth( httpAuth );
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", true );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setReturnValue( true );
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
new AuthenticationException( "Authentication error" ) );
// check if guest has write access
servletAuth.isAuthorized( "guest", "internal", true );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setReturnValue( true );
httpAuthControl.replay();
servletAuthControl.replay();
servlet.service( ic.getRequest(), ic.getResponse() );
httpAuthControl.verify();
servletAuthControl.verify();
// assertEquals( HttpServletResponse.SC_CREATED, response.getResponseCode() );
}
// test deploy with a valid user with no write access
public void testPutWithValidUserWithNoWriteAccess()
throws Exception
{
setupCleanRepo( repoRootInternal );
String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
assertNotNull( "artifact.jar inputstream", is );
WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth( httpAuth );
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ),
new UnauthorizedException( "User not authorized" ) );
httpAuthControl.replay();
servletAuthControl.replay();
servlet.service( ic.getRequest(), ic.getResponse() );
httpAuthControl.verify();
servletAuthControl.verify();
// assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
}
// test deploy with a valid user with write access
public void testPutWithValidUserWithWriteAccess()
throws Exception
{
setupCleanRepo( repoRootInternal );
assertTrue( repoRootInternal.exists() );
String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
assertNotNull( "artifact.jar inputstream", is );
WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth( httpAuth );
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
httpAuthControl.replay();
servletAuthControl.replay();
servlet.service( ic.getRequest(), ic.getResponse() );
httpAuthControl.verify();
servletAuthControl.verify();
// assertEquals(HttpServletResponse.SC_CREATED, response.getResponseCode());
}
// test get with invalid user, and guest has read access to repo
public void testGetWithInvalidUserAndGuestHasReadAccess()
throws Exception
{
String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
String expectedArtifactContents = "dummy-commons-lang-artifact";
File artifactFile = new File( repoRootInternal, commonsLangJar );
artifactFile.getParentFile().mkdirs();
FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth( httpAuth );
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), true );
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
httpAuthControl.replay();
servletAuthControl.replay();
WebResponse response = sc.getResponse( request );
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
}
// test get with invalid user, and guest has no read access to repo
public void testGetWithInvalidUserAndGuestHasNoReadAccess()
throws Exception
{
String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
String expectedArtifactContents = "dummy-commons-lang-artifact";
File artifactFile = new File( repoRootInternal, commonsLangJar );
artifactFile.getParentFile().mkdirs();
FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), false );
httpAuthControl.replay();
servletAuthControl.replay();
WebResponse response = sc.getResponse( request );
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
}
// test get with valid user with read access to repo
public void testGetWithAValidUserWithReadAccess()
throws Exception
{
String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
String expectedArtifactContents = "dummy-commons-lang-artifact";
File artifactFile = new File( repoRootInternal, commonsLangJar );
artifactFile.getParentFile().mkdirs();
FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth( httpAuth );
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
httpAuthControl.replay();
servletAuthControl.replay();
WebResponse response = sc.getResponse( request );
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals( HttpServletResponse.SC_OK, response.getResponseCode() );
assertEquals( "Expected file contents", expectedArtifactContents, response.getText() );
}
// test get with valid user with no read access to repo
public void testGetWithAValidUserWithNoReadAccess()
throws Exception
{
String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
String expectedArtifactContents = "dummy-commons-lang-artifact";
File artifactFile = new File( repoRootInternal, commonsLangJar );
artifactFile.getParentFile().mkdirs();
FileUtils.writeStringToFile( artifactFile, expectedArtifactContents, null );
WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/internal/" + commonsLangJar );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth( httpAuth );
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ),
new UnauthorizedException( "User not authorized to read repository." ) );
httpAuthControl.replay();
servletAuthControl.replay();
WebResponse response = sc.getResponse( request );
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
}
}

45
archiva-modules/archiva-web/archiva-webdav/src/test/resources/WEB-INF/repository-servlet-security-test/web.xml Normal file
View File

@ -0,0 +1,45 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Apache Archiva</display-name>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<context-param>
<param-name>contextClass</param-name>
<param-value>org.codehaus.plexus.spring.PlexusWebApplicationContext</param-value>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:/META-INF/plexus/components.xml
classpath*:/META-INF/spring-context.xml
target/test-classes/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml
</param-value>
</context-param>
</web-app>

189
archiva-modules/archiva-web/archiva-webdav/src/test/resources/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.xml
View File

@ -68,9 +68,12 @@
<role-hint>default</role-hint>
<implementation>org.apache.maven.archiva.webdav.DefaultDavServerManager</implementation>
<description>DefaultDavServerManager</description>
<configuration>
<provider-hint>proxied</provider-hint>
</configuration>
<requirements>
<requirement>
<role>org.apache.maven.archiva.webdav.DavServerComponent</role>
<role-hint>proxied</role-hint>
</requirement>
</requirements>
</component>
<component>
@ -99,173 +102,73 @@
<component>
<role>org.apache.maven.archiva.repository.scanner.RepositoryContentConsumers</role>
<role-hint>default</role-hint>
<implementation>org.apache.maven.archiva.web.repository.StubRepositoryContentConsumers</implementation>
<implementation>org.apache.maven.archiva.webdav.StubRepositoryContentConsumers</implementation>
</component>
<!-- TODO: shouldn't need so many components just to use in-memory - is flaky since these are auto-generated -->
<component>
<role>org.codehaus.plexus.redback.system.SecuritySystem</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.system.DefaultSecuritySystem</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.authentication.AuthenticationManager</role>
<field-name>authnManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.authorization.Authorizer</role>
<role-hint>rbac</role-hint>
<field-name>authorizer</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.users.UserManager</role>
<role-hint>memory</role-hint>
<field-name>userManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.keys.KeyManager</role>
<role-hint>memory</role-hint>
<field-name>keyManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.policy.UserSecurityPolicy</role>
<field-name>policy</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.authentication.Authenticator</role>
<role-hint>user-manager</role-hint>
<implementation>org.codehaus.plexus.redback.authentication.users.UserManagerAuthenticator</implementation>
<component>
<role>org.apache.maven.archiva.webdav.ArchivaDavResourceFactory</role>
<implementation>org.apache.maven.archiva.webdav.ArchivaDavResourceFactory</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.users.UserManager</role>
<role-hint>memory</role-hint>
<field-name>userManager</field-name>
<role>org.apache.maven.archiva.configuration.ArchivaConfiguration</role>
<field-name>archivaConfiguration</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.policy.UserSecurityPolicy</role>
<field-name>securityPolicy</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.authentication.Authenticator</role>
<role-hint>keystore</role-hint>
<implementation>org.codehaus.plexus.redback.authentication.keystore.KeyStoreAuthenticator</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.keys.KeyManager</role>
<role-hint>memory</role-hint>
<field-name>keystore</field-name>
<role>org.apache.maven.archiva.repository.RepositoryContentFactory</role>
<field-name>repositoryFactory</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.users.UserManager</role>
<role-hint>memory</role-hint>
<field-name>userManager</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.authorization.rbac.evaluator.DefaultPermissionEvaluator
</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.users.UserManager</role>
<role-hint>memory</role-hint>
<field-name>userManager</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.authorization.Authorizer</role>
<role-hint>rbac</role-hint>
<implementation>org.codehaus.plexus.redback.authorization.rbac.RbacAuthorizer</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>manager</field-name>
<role>org.apache.maven.archiva.repository.content.RepositoryRequest</role>
<field-name>repositoryRequest</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.users.UserManager</role>
<role-hint>memory</role-hint>
<field-name>userManager</field-name>
<role>org.apache.maven.archiva.proxy.RepositoryProxyConnectors</role>
<field-name>connectors</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.authorization.rbac.evaluator.PermissionEvaluator</role>
<role>org.apache.maven.archiva.repository.metadata.MetadataTools</role>
<field-name>metadataTools</field-name>
</requirement>
<requirement>
<role>org.apache.maven.archiva.security.ServletAuthenticator</role>
<field-name>servletAuth</field-name>
</requirement>
<requirement>
<role>org.apache.maven.archiva.webdav.util.MimeTypes</role>
<field-name>mimeTypes</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.xwork.filter.authentication.HttpAuthenticator</role>
<role-hint>basic</role-hint>
<field-name>httpAuth</field-name>
</requirement>
<requirement>
<role>org.apache.maven.archiva.repository.scanner.RepositoryContentConsumers</role>
<role-hint>default</role-hint>
<field-name>evaluator</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.role.RoleManager</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.role.DefaultRoleManager</implementation>
<instantiation-strategy>singleton</instantiation-strategy>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.role.merger.RoleModelMerger</role>
<role-hint>default</role-hint>
<field-name>modelMerger</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.role.validator.RoleModelValidator</role>
<role-hint>default</role-hint>
<field-name>modelValidator</field-name>
<role>org.codehaus.plexus.digest.ChecksumFile</role>
<field-name>checksum</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.role.processor.RoleModelProcessor</role>
<role-hint>default</role-hint>
<field-name>modelProcessor</field-name>
<role>org.codehaus.plexus.digest.Digester</role>
<role-hint>sha1</role-hint>
<field-name>digestSha1</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.role.template.RoleTemplateProcessor</role>
<role-hint>default</role-hint>
<field-name>templateProcessor</field-name>
<role>org.codehaus.plexus.digest.Digester</role>
<role-hint>md5</role-hint>
<field-name>digestMd5</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>rbacManager</field-name>
</requirement>
<requirement>
<role>org.codehaus.plexus.PlexusContainer</role>
<field-name>container</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.role.processor.RoleModelProcessor</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.role.processor.DefaultRoleModelProcessor</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>rbacManager</field-name>
</requirement>
</requirements>
</component>
<component>
<role>org.codehaus.plexus.redback.role.template.RoleTemplateProcessor</role>
<role-hint>default</role-hint>
<implementation>org.codehaus.plexus.redback.role.template.DefaultRoleTemplateProcessor</implementation>
<requirements>
<requirement>
<role>org.codehaus.plexus.redback.rbac.RBACManager</role>
<role-hint>memory</role-hint>
<field-name>rbacManager</field-name>
<role>org.apache.maven.archiva.security.ArchivaXworkUser</role>
<field-name>archivaXworkUser</field-name>
</requirement>
</requirements>
</component>

6
pom.xml
View File

@ -204,6 +204,12 @@
<version>1.2_Java1.3</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>easymock</groupId>
<artifactId>easymockclassextension</artifactId>
<version>1.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl104-over-slf4j</artifactId>