clean up the webdav interface to make the code more readable

in addition, webdav now honours the delete operation separately from upload
improved the HTTP error responses for misconfiguration (500) vs not found on groups


git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@755845 13f79535-47bb-0310-9956-ffa450edef68
Brett Porter 2009-03-19 06:10:38 +00:00
parent 6095cf8484
commit 584031f68f
13 changed files with 642 additions and 611 deletions


@ -62,27 +62,19 @@ public class ArchivaServletAuthenticator
}
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
boolean isWriteRequest )
String permission )
throws AuthorizationException, UnauthorizedException
{
// TODO: also check for permission to proxy the resource when MRM-579 is implemented
String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
if ( isWriteRequest )
{
permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
AuthorizationResult authzResult = securitySystem.authorize( securitySession, permission, repositoryId );
if ( !authzResult.isAuthorized() )
{
if ( authzResult.getException() != null )
{
log.info( "Authorization Denied [ip=" + request.getRemoteAddr() + ",isWriteRequest=" + isWriteRequest +
",permission=" + permission + ",repo=" + repositoryId + "] : " +
authzResult.getException().getMessage() );
log.info( "Authorization Denied [ip=" + request.getRemoteAddr() + ",permission=" + permission
+ ",repo=" + repositoryId + "] : " + authzResult.getException().getMessage() );
throw new UnauthorizedException( "Access denied for repository " + repositoryId );
}
@ -92,18 +84,11 @@ public class ArchivaServletAuthenticator
return true;
}
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest )
public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException
{
try
{
String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
if ( isWriteRequest )
{
permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
User user = securitySystem.getUserManager().findUser( principal );
if ( user == null )
{
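Review bot: The `permission` argument is now taken on trust from every caller, and nothing in the rewritten `isAuthorized` rejects a null or blank value before it reaches `securitySystem.authorize( securitySession, permission, repositoryId )` in the first hunk; what redback does with an empty operation name is not visible here, so a fail-closed guard is cheap insurance: `if ( permission == null || permission.trim().length() == 0 ) { throw new IllegalArgumentException( "permission must be one of the ArchivaRoleConstants.OPERATION_REPOSITORY_* values" ); }`. The same guard belongs in the guest overload in the second hunk, which previously could only ever compute one of two constants. The denied-access log line now records the permission string, which is an improvement over the old boolean, but the MRM-579 TODO about proxy permission is still open. Both `isAuthorized` bodies continue past the end of their hunks.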


@ -59,7 +59,7 @@ public interface ServletAuthenticator
* @throws UnauthorizedException
*/
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException;
String permission ) throws AuthorizationException, UnauthorizedException;
/**
* Authorization check specific for user guest, which doesn't go through
@ -74,6 +74,6 @@ public interface ServletAuthenticator
* @return
* @throws UnauthorizedException
*/
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest )
public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException;
}
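Review bot: The Javadoc above both `isAuthorized` signatures still describes the old boolean contract (its `@param` tags are outside the hunk and the visible `@return` tag is empty), so a caller cannot tell what `permission` accepts. I would document it as `@param permission the operation to authorise, one of the {@code ArchivaRoleConstants.OPERATION_REPOSITORY_*} constants (access, upload or delete)` and fill in `@return true if the principal holds that permission on the repository`. It is also worth stating on the guest overload that a plain denial returns false rather than throwing, which is what the test in this commit asserts, so that the two overloads' differing failure modes are explicit.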


@ -27,7 +27,7 @@ import org.codehaus.plexus.redback.authorization.UnauthorizedException;
import org.codehaus.plexus.redback.system.DefaultSecuritySession;
import org.codehaus.plexus.redback.system.SecuritySession;
import org.codehaus.plexus.redback.users.User;
import org.codehaus.plexus.redback.users.UserManager;
import org.codehaus.plexus.redback.users.UserManager;
import org.easymock.MockControl;
@ -38,48 +38,48 @@ import org.easymock.MockControl;
*/
public class ArchivaServletAuthenticatorTest
extends AbstractSecurityTest
{
{
private ServletAuthenticator servletAuth;
private MockControl httpServletRequestControl;
private HttpServletRequest request;
@Override
public void setUp()
throws Exception
{
super.setUp();
servletAuth = ( ServletAuthenticator ) lookup( ServletAuthenticator.class, "default" );
servletAuth = (ServletAuthenticator) lookup( ServletAuthenticator.class, "default" );
httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
request = ( HttpServletRequest ) httpServletRequestControl.getMock();
request = (HttpServletRequest) httpServletRequestControl.getMock();
setupRepository( "corporate" );
}
@Override
protected String getPlexusConfigLocation()
{
return "org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.xml";
}
protected void assignRepositoryManagerRole( String principal, String repoId )
throws Exception
{
roleManager.assignTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId, principal );
}
public void testIsAuthenticatedUserExists()
throws Exception
{
AuthenticationResult result = new AuthenticationResult( true, "user", null );
boolean isAuthenticated = servletAuth.isAuthenticated( request, result );
assertTrue( isAuthenticated );
}
public void testIsAuthenticatedUserDoesNotExist()
throws Exception
{
@ -92,132 +92,137 @@ public class ArchivaServletAuthenticatorTest
catch ( AuthenticationException e )
{
assertEquals( "User Credentials Invalid", e.getMessage() );
}
}
}
public void testIsAuthorizedUserHasWriteAccess()
throws Exception
{
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
assignRepositoryManagerRole( USER_ALPACA, "corporate" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", true );
boolean isAuthorized =
servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertTrue( isAuthorized );
}
public void testIsAuthorizedUserHasNoWriteAccess()
throws Exception
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
assignRepositoryObserverRole( USER_ALPACA, "corporate" );
httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
httpServletRequestControl.replay();
try
{
servletAuth.isAuthorized( request, session, "corporate", true );
fail( "UnauthorizedException should have been thrown." );
}
catch ( UnauthorizedException e )
{
assertEquals( "Access denied for repository corporate", e.getMessage() );
}
httpServletRequestControl.verify();
}
public void testIsAuthorizedUserHasReadAccess()
throws Exception
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
assignRepositoryObserverRole( USER_ALPACA, "corporate" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", false );
assertTrue( isAuthorized );
}
public void testIsAuthorizedUserHasNoReadAccess()
throws Exception
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
try
{
servletAuth.isAuthorized( request, session, "corporate", false );
servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
fail( "UnauthorizedException should have been thrown." );
}
catch ( UnauthorizedException e )
{
assertEquals( "Access denied for repository corporate", e.getMessage() );
}
}
httpServletRequestControl.verify();
}
public void testIsAuthorizedGuestUserHasWriteAccess()
public void testIsAuthorizedUserHasReadAccess()
throws Exception
{
assignRepositoryManagerRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true );
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
assignRepositoryObserverRole( USER_ALPACA, "corporate" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized =
servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertTrue( isAuthorized );
}
public void testIsAuthorizedUserHasNoReadAccess()
throws Exception
{
createUser( USER_ALPACA, "Al 'Archiva' Paca" );
UserManager userManager = securitySystem.getUserManager();
User user = userManager.findUser( USER_ALPACA );
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user );
try
{
servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
fail( "UnauthorizedException should have been thrown." );
}
catch ( UnauthorizedException e )
{
assertEquals( "Access denied for repository corporate", e.getMessage() );
}
}
public void testIsAuthorizedGuestUserHasWriteAccess()
throws Exception
{
assignRepositoryManagerRole( USER_GUEST, "corporate" );
boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertTrue( isAuthorized );
}
public void testIsAuthorizedGuestUserHasNoWriteAccess()
throws Exception
{
{
assignRepositoryObserverRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true );
boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertFalse( isAuthorized );
}
public void testIsAuthorizedGuestUserHasReadAccess()
throws Exception
{
assignRepositoryObserverRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false );
assertTrue( isAuthorized );
boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertTrue( isAuthorized );
}
public void testIsAuthorizedGuestUserHasNoReadAccess()
throws Exception
{
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false );
{
boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertFalse( isAuthorized );
}
}
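Review bot: No test here exercises `ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE`, the permission this commit routes WebDAV DELETE through, so whether the manager role template grants it and the observer role is refused it is unverified. A pair of tests mirroring the upload ones — `servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE )` expecting true for the manager and `UnauthorizedException` for the observer, plus the guest equivalents — would pin that down. Separately, `testIsAuthorizedUserHasNoReadAccess` never sets a `getRemoteAddr()` expectation or calls `httpServletRequestControl.replay()` before the denied call, unlike `testIsAuthorizedUserHasNoWriteAccess`; if the denial path logs the remote address it is hitting an un-replayed mock, so the two tests should be made consistent.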


@ -38,6 +38,7 @@ import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.database.ArchivaDatabaseException;
import org.apache.maven.archiva.security.AccessDeniedException;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import org.apache.maven.archiva.security.ArchivaSecurityException;
import org.apache.maven.archiva.security.PrincipalNotFoundException;
import org.apache.maven.archiva.security.ServletAuthenticator;
@ -293,8 +294,9 @@ public class RssFeedServlet
AuthenticationResult result = httpAuth.getAuthenticationResult( req, null );
SecuritySession securitySession = httpAuth.getSecuritySession( req.getSession( true ) );
if ( servletAuth.isAuthenticated( req, result ) &&
servletAuth.isAuthorized( req, securitySession, repoId, false ) )
if ( servletAuth.isAuthenticated( req, result )
&& servletAuth.isAuthorized( req, securitySession, repoId,
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) )
{
return true;
}


@ -66,16 +66,15 @@ public class ArchivaDavSessionProvider
}
catch ( AuthenticationException e )
{
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
// safety check for MRM-911
String guest = UserManager.GUEST_USERNAME;
try
{
if( servletAuth.isAuthorized( guest,
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) )
if ( servletAuth.isAuthorized( guest,
( (ArchivaDavResourceLocator) request.getRequestLocator() ).getRepositoryId(),
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{
request.setDavSession(new ArchivaDavSession());
request.setDavSession( new ArchivaDavSession() );
return true;
}
}
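Review bot: `WebdavMethodUtil.getMethodPermission( request.getMethod() )` now throws `IllegalArgumentException` for a blank method, whereas the `isWriteMethod` call it replaces returned false; this call sits inside the `catch ( AuthenticationException e )` guest fallback, and if the inner `try` only catches `UnauthorizedException` (its catch clause is outside the hunk) the exception escapes as a server error instead of an authorisation failure. Computing the permission once before the authentication attempt, or catching the `IllegalArgumentException` and treating it as unauthorised, keeps the failure mode predictable. The existing `// safety check for MRM-911` comment could also say what is being guarded, e.g. `// credentials were rejected: fall back to whatever the guest account is allowed to do on this repository (MRM-911)`. The enclosing method starts and ends outside the hunk.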


@ -59,8 +59,6 @@ import org.joda.time.format.ISODateTimeFormat;
public class ArchivaVirtualDavResource
implements DavResource
{
public static final String HIDDEN_PATH_PREFIX = ".";
private static final String COMPLIANCE_CLASS = "1";
private ArchivaDavResourceLocator locator;


@ -20,13 +20,15 @@ package org.apache.maven.archiva.webdav.util;
*/
import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
/**
* WebdavMethodUtil
*
* WebdavMethodUtil
*
* @version $Id: WebdavMethodUtil.java 5412 2007-01-13 01:18:47Z joakime $
*/
public class WebdavMethodUtil
@ -43,23 +45,32 @@ public class WebdavMethodUtil
READ_METHODS.add( "REPORT" );
}
public static String getMethodPermission( String method )
{
if ( StringUtils.isBlank( method ) )
{
throw new IllegalArgumentException( "WebDAV method is empty" );
}
if ( READ_METHODS.contains( method.toUpperCase( Locale.US ) ) )
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
}
else if ( "DELETE".equals( method.toUpperCase( Locale.US ) ) )
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE;
}
else
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
}
public static boolean isReadMethod( String method )
{
if ( StringUtils.isBlank( method ) )
{
return false;
throw new IllegalArgumentException( "WebDAV method is empty" );
}
return READ_METHODS.contains( method.toUpperCase() );
}
public static boolean isWriteMethod( String method )
{
if ( StringUtils.isBlank( method ) )
{
return false;
}
return !READ_METHODS.contains( method.toUpperCase() );
return READ_METHODS.contains( method.toUpperCase( Locale.US ) );
}
}
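Review bot: The final `else` in `getMethodPermission` maps every method that is neither in `READ_METHODS` nor `DELETE` to the upload permission, so an unrecognised or unexpected method is granted upload semantics by default rather than refused, and MOVE — which removes its source — would need only upload rights if the resource layer honours it (the DAV resource implementation is not in this diff). I would enumerate the write methods explicitly, give MOVE the delete permission, and throw for anything else so a new method fails closed; `WRITE_METHODS` would be a second `List<String>` populated next to `READ_METHODS` with PUT, MKCOL, COPY, PROPPATCH, LOCK and UNLOCK. Note also that `isReadMethod` now throws on a blank method where it previously returned false, and `isWriteMethod` has been removed, so any caller outside this diff that passed a null method sees a behaviour change.
```java
public static String getMethodPermission( String method )
{
    if ( StringUtils.isBlank( method ) )
    {
        throw new IllegalArgumentException( "WebDAV method is empty" );
    }
    String upper = method.toUpperCase( Locale.US );
    if ( READ_METHODS.contains( upper ) )
    {
        return ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
    }
    // MOVE removes its source, so it needs at least the delete permission
    if ( "DELETE".equals( upper ) || "MOVE".equals( upper ) )
    {
        return ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE;
    }
    if ( WRITE_METHODS.contains( upper ) )
    {
        return ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
    }
    // fail closed: an unknown method must not silently become an upload
    throw new IllegalArgumentException( "Unsupported WebDAV method: " + method );
}
```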


@ -97,6 +97,13 @@ public abstract class AbstractRepositoryServletTestCase
.getResponseCode() );
}
protected void assertResponseInternalServerError( WebResponse response )
{
assertNotNull( "Should have recieved a response", response );
Assert.assertEquals( "Should have been an 500/Internal Server Error response code.", HttpServletResponse.SC_INTERNAL_SERVER_ERROR, response
.getResponseCode() );
}
protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
{
ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();
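Review bot: The assertion messages in the new `assertResponseInternalServerError` misspell "received" and say "an 500", and the `Assert.assertEquals` call runs far past the file's line length; the helper presumably copies the shape of the neighbouring one, but the new copy can be correct: `assertNotNull( "Should have received a response", response );` and `Assert.assertEquals( "Should have been a 500/Internal Server Error response code.",` with `HttpServletResponse.SC_INTERNAL_SERVER_ERROR, response.getResponseCode() );` on the next line.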


@ -360,13 +360,14 @@ public class ArchivaDavSessionProviderTest extends TestCase
return true;
}
public boolean isAuthorized(HttpServletRequest arg0, SecuritySession arg1, String arg2, boolean arg3)
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
String permission )
throws AuthorizationException, UnauthorizedException
{
return true;
}
public boolean isAuthorized(String arg0, String arg1, boolean isWriteRequest)
public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException
{
return true;


@ -26,7 +26,7 @@ public class MockServletAuthenticator
extends ArchivaServletAuthenticator
{
@Override
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest )
public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException
{
return true;


@ -193,7 +193,7 @@ public class RepositoryServletRepositoryGroupTest
WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/" + REPO_GROUP_WITH_INVALID_REPOS + "/" + resourceName );
WebResponse response = sc.getResponse( request );
assertResponseNotFound( response );
assertResponseInternalServerError( response );
}
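Review bot: The expectation for a group containing an invalid repository moves from 404 to 500, but the servlet-side change that produces the 500 is not among the visible file sections, so the assertion cannot be cross-checked here. A one-line comment would make the intent survive the next refactor: `// a group that references a non-existent managed repository is a configuration error, not a missing artifact`. Since the group URL is a read path reachable by guests, it is also worth confirming that the 500 response body does not echo repository configuration details to the client.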
/*


@ -32,6 +32,7 @@ import org.apache.jackrabbit.webdav.DavSessionProvider;
import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.Configuration;
import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import org.apache.maven.archiva.security.ArchivaXworkUser;
import org.apache.maven.archiva.security.ServletAuthenticator;
import org.codehaus.plexus.redback.authentication.AuthenticationException;
@ -56,9 +57,7 @@ import com.meterware.servletunit.ServletRunner;
import com.meterware.servletunit.ServletUnitClient;
/**
* RepositoryServletSecurityTest
*
* Test the flow of the authentication and authorization checks. This does not necessarily
* RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
* perform redback security checking.
*
* @version $Id$
@ -87,7 +86,7 @@ public class RepositoryServletSecurityTest
private HttpAuthenticator httpAuth;
private RepositoryServlet servlet;
public void setUp()
throws Exception
{
@ -126,7 +125,7 @@ public class RepositoryServletSecurityTest
ArchivaXworkUser archivaXworkUser = (ArchivaXworkUser) lookup( ArchivaXworkUser.class );
davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth, archivaXworkUser );
davSessionProvider = new ArchivaDavSessionProvider( servletAuth, httpAuth, archivaXworkUser );
}
protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
@ -182,11 +181,11 @@ public class RepositoryServletSecurityTest
if ( repoRootInternal.exists() )
{
FileUtils.deleteDirectory(repoRootInternal);
FileUtils.deleteDirectory( repoRootInternal );
}
servlet = null;
super.tearDown();
}
@ -209,21 +208,21 @@ public class RepositoryServletSecurityTest
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", true );
new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
httpAuthControl.replay();
servletAuthControl.replay();
servlet.service( ic.getRequest(), ic.getResponse() );
httpAuthControl.verify();
servletAuthControl.verify();
//assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
// assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
}
// test deploy with invalid user, but guest has write access to repo
@ -247,30 +246,30 @@ public class RepositoryServletSecurityTest
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", true );
servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setReturnValue( true );
// ArchivaDavResourceFactory#isAuthorized()
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
new AuthenticationException( "Authentication error" ) );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
// check if guest has write access
servletAuth.isAuthorized( "guest", "internal", true );
servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setReturnValue( true );
httpAuthControl.replay();
servletAuthControl.replay();
@ -291,13 +290,13 @@ public class RepositoryServletSecurityTest
String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
assertNotNull( "artifact.jar inputstream", is );
WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream" );
InvocationContext ic = sc.newInvocation( request );
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth( httpAuth );
archivaDavResourceFactory.setServletAuth( servletAuth );
@ -306,23 +305,26 @@ public class RepositoryServletSecurityTest
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized()
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ),
servletAuthControl.expectAndThrow(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
new UnauthorizedException( "User not authorized" ) );
httpAuthControl.replay();
servletAuthControl.replay();
servlet.service( ic.getRequest(), ic.getResponse() );
httpAuthControl.verify();
servletAuthControl.verify();
// assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
}
@ -359,7 +361,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay();
servletAuthControl.replay();
@ -388,7 +393,7 @@ public class RepositoryServletSecurityTest
InvocationContext ic = sc.newInvocation( request );
servlet = (RepositoryServlet) ic.getServlet();
servlet.setDavSessionProvider( davSessionProvider );
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth( httpAuth );
archivaDavResourceFactory.setServletAuth( servletAuth );
@ -399,15 +404,21 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), true );
// ArchivaDavResourceFactory#isAuthorized()
servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( "guest", "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
true );
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay();
servletAuthControl.replay();
@ -442,7 +453,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), false );
servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( "guest", "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
false );
httpAuthControl.replay();
servletAuthControl.replay();
@ -477,24 +491,27 @@ public class RepositoryServletSecurityTest
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized()
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true );
servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay();
servletAuthControl.replay();
WebResponse response = sc.getResponse( request );
httpAuthControl.verify();
servletAuthControl.verify();
@ -524,27 +541,30 @@ public class RepositoryServletSecurityTest
archivaDavResourceFactory.setServletAuth( servletAuth );
servlet.setResourceFactory( archivaDavResourceFactory );
AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized()
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ),
servletAuthControl.expectAndThrow(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
new UnauthorizedException( "User not authorized to read repository." ) );
httpAuthControl.replay();
servletAuthControl.replay();
WebResponse response = sc.getResponse( request );
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals( HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode() );
}
}
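Review bot: The two tests that drive a PUT with an invalid user still end with the status assertion commented out (`// assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());`), so they only verify that the mocks were called and would not catch a regression that let the deploy through; this commit reformats the commented line rather than restoring it. The last test in the file does assert `SC_UNAUTHORIZED` on `sc.getResponse( request )`, so the same pattern should work for those cases, or the tests should carry a comment stating they check call flow only. The guest expectations are now attached to `OPERATION_REPOSITORY_UPLOAD`, which matches the PUT being sent, but the DELETE path introduced by this commit has no test in this class.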