diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/RepositoriesService.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/RepositoriesService.java index 7d8ea76a7..3ad9a8714 100644 --- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/RepositoriesService.java +++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/RepositoriesService.java @@ -121,5 +121,11 @@ public interface RepositoriesService Boolean deleteArtifact( @QueryParam( "" ) Artifact artifact, @QueryParam( "repositoryId" ) String repositoryId ) throws ArchivaRestServiceException; + @Path( "isAuthorizedToDeleteArtifacts/{repositoryId}" ) + @GET + @Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML, MediaType.TEXT_PLAIN } ) + @RedbackAuthorization( noPermission = true, noRestriction = true) + Boolean isAuthorizedToDeleteArtifacts( @PathParam( "repositoryId" ) String repoId ) + throws ArchivaRestServiceException; } diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultRepositoriesService.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultRepositoriesService.java index df6a28744..e5517dd5a 100644 --- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultRepositoriesService.java +++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/main/java/org/apache/archiva/rest/services/DefaultRepositoriesService.java @@ -65,6 +65,7 @@ import org.apache.archiva.scheduler.indexing.DownloadRemoteIndexException; import org.apache.archiva.scheduler.indexing.DownloadRemoteIndexScheduler; import org.apache.archiva.scheduler.repository.RepositoryArchivaTaskScheduler; import org.apache.archiva.scheduler.repository.RepositoryTask; +import org.apache.archiva.security.ArchivaSecurityException; import org.apache.archiva.security.common.ArchivaRoleConstants; import org.apache.archiva.xml.XMLException; import org.apache.commons.io.FilenameUtils; @@ -85,6 +86,7 @@ import org.springframework.stereotype.Service; import javax.inject.Inject; import javax.inject.Named; +import javax.ws.rs.core.Response; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; @@ -624,13 +626,17 @@ public class DefaultRepositoriesService public Boolean deleteArtifact( Artifact artifact, String repositoryId ) throws ArchivaRestServiceException { - String userName = (String) getAuditInformation().getUser().getUsername(); - if ( StringUtils.isBlank( userName ) ) - { - // TODO use constants from a class instead of magic number - throw new ArchivaRestServiceException( "deleteArtifact call: userName not found", 403 ); + if ( StringUtils.isEmpty( repositoryId ) ) + { + throw new ArchivaRestServiceException( "repositoryId cannot be null", 400 ); } + + if ( !isAuthorizedToDeleteArtifacts( repositoryId ) ) + { + throw new ArchivaRestServiceException( "not authorized to delete artifacts", 403 ); + } + if ( artifact == null ) { throw new ArchivaRestServiceException( "artifact cannot be null", 400 ); @@ -646,11 +652,6 @@ public class DefaultRepositoriesService throw new ArchivaRestServiceException( "artifact.artifactId cannot be null", 400 ); } - if ( StringUtils.isEmpty( repositoryId ) ) - { - throw new ArchivaRestServiceException( "repositoryId cannot be null", 400 ); - } - // TODO more control on artifact fields RepositorySession repositorySession = repositorySessionFactory.createSession(); @@ -771,6 +772,24 @@ public class DefaultRepositoriesService return Boolean.TRUE; } + public Boolean isAuthorizedToDeleteArtifacts( String repoId ) + throws ArchivaRestServiceException + { + String userName = + getAuditInformation().getUser() == null ? "guest" : getAuditInformation().getUser().getUsername(); + + try + { + boolean res = userRepositories.isAuthorizedToDeleteArtifacts( userName, repoId ); + return res; + } + catch ( ArchivaSecurityException e ) + { + throw new ArchivaRestServiceException( e.getMessage(), + Response.Status.INTERNAL_SERVER_ERROR.getStatusCode() ); + } + } + public RepositoryScanStatistics scanRepositoryDirectoriesNow( String repositoryId ) throws ArchivaRestServiceException { diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/RepositoriesServiceTest.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/RepositoriesServiceTest.java index d9c120c89..c0ad360aa 100644 --- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/RepositoriesServiceTest.java +++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-services/src/test/java/org/apache/archiva/rest/services/RepositoriesServiceTest.java @@ -152,12 +152,52 @@ public class RepositoriesServiceTest } } + @Test + public void authorizedToDeleteArtifacts() + throws Exception + { + ManagedRepository managedRepository = getTestManagedRepository( "SOURCE_REPO_ID", "SOURCE_REPO_ID" ); + try + { + getManagedRepositoriesService( authorizationHeader ).addManagedRepository( managedRepository ); + RepositoriesService repositoriesService = getRepositoriesService( authorizationHeader ); + assertTrue( repositoriesService.isAuthorizedToDeleteArtifacts( managedRepository.getId() ) ); + } + finally + { + getManagedRepositoriesService( authorizationHeader ).deleteManagedRepository( managedRepository.getId(), + true ); + } + } + + @Test + public void notAuthorizedToDeleteArtifacts() + throws Exception + { + ManagedRepository managedRepository = getTestManagedRepository( "SOURCE_REPO_ID", "SOURCE_REPO_ID" ); + try + { + getManagedRepositoriesService( authorizationHeader ).addManagedRepository( managedRepository ); + RepositoriesService repositoriesService = getRepositoriesService( guestAuthzHeader ); + assertFalse( repositoriesService.isAuthorizedToDeleteArtifacts( managedRepository.getId() ) ); + } + finally + { + getManagedRepositoriesService( authorizationHeader ).deleteManagedRepository( managedRepository.getId(), + true ); + } + } + + protected ManagedRepository getTestManagedRepository( String id, String path ) + { + String location = new File( FileUtil.getBasedir(), "target/" + path ).getAbsolutePath(); + return new ManagedRepository( id, id, location, "default", true, true, true, "2 * * * * ?", null, false, 80, 80, + true, false ); + } protected ManagedRepository getTestManagedRepository() { - String location = new File( FileUtil.getBasedir(), "target/test-repo" ).getAbsolutePath(); - return new ManagedRepository( "TEST", "test", location, "default", true, true, true, "2 * * * * ?", null, false, - 80, 80, true, false ); + return getTestManagedRepository( "TEST", "test-repo" ); } } diff --git a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/archiva/security/DefaultUserRepositories.java b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/archiva/security/DefaultUserRepositories.java index cfd6da5c8..53dc150d8 100644 --- a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/archiva/security/DefaultUserRepositories.java +++ b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/archiva/security/DefaultUserRepositories.java @@ -205,7 +205,7 @@ public class DefaultUserRepositories } public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) - throws AccessDeniedException, ArchivaSecurityException + throws ArchivaSecurityException { try {