Apache
/
archiva
mirror of https://github.com/apache/archiva.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

clean up the webdav interface to make the code more readable 

in addition, webdav now honours the delete operation separately to upload
improved the HTTP error responses for misconfiguration (500) vs not found on groups


git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@755845 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Brett Porter 2009-03-19 06:10:38 +00:00
parent 6095cf8484
commit 584031f68f
13 changed files with 642 additions and 611 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
View File

@ -62,27 +62,19 @@ public class ArchivaServletAuthenticator
} }
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId, public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
boolean isWriteRequest ) String permission )
throws AuthorizationException, UnauthorizedException throws AuthorizationException, UnauthorizedException
{ {
// TODO: also check for permission to proxy the resource when MRM-579 is implemented // TODO: also check for permission to proxy the resource when MRM-579 is implemented
String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
if ( isWriteRequest )
{
permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
AuthorizationResult authzResult = securitySystem.authorize( securitySession, permission, repositoryId ); AuthorizationResult authzResult = securitySystem.authorize( securitySession, permission, repositoryId );
if ( !authzResult.isAuthorized() ) if ( !authzResult.isAuthorized() )
{ {
if ( authzResult.getException() != null ) if ( authzResult.getException() != null )
{ {
log.info( "Authorization Denied [ip=" + request.getRemoteAddr() + ",isWriteRequest=" + isWriteRequest + log.info( "Authorization Denied [ip=" + request.getRemoteAddr() + ",permission=" + permission
",permission=" + permission + ",repo=" + repositoryId + "] : " + + ",repo=" + repositoryId + "] : " + authzResult.getException().getMessage() );
authzResult.getException().getMessage() );
throw new UnauthorizedException( "Access denied for repository " + repositoryId ); throw new UnauthorizedException( "Access denied for repository " + repositoryId );
} }
@ -92,18 +84,11 @@ public class ArchivaServletAuthenticator
return true; return true;
} }
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException throws UnauthorizedException
{ {
try try
{ {
String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
if ( isWriteRequest )
{
permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
User user = securitySystem.getUserManager().findUser( principal ); User user = securitySystem.getUserManager().findUser( principal );
if ( user == null ) if ( user == null )
{ {

4
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
View File

@ -59,7 +59,7 @@ public interface ServletAuthenticator
* @throws UnauthorizedException * @throws UnauthorizedException
*/ */
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId, public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException; String permission ) throws AuthorizationException, UnauthorizedException;
/** /**
* Authorization check specific for user guest, which doesn't go through * Authorization check specific for user guest, which doesn't go through
@ -74,6 +74,6 @@ public interface ServletAuthenticator
* @return * @return
* @throws UnauthorizedException * @throws UnauthorizedException
*/ */
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException; throws UnauthorizedException;
} }

27
archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java
View File

@ -51,10 +51,10 @@ public class ArchivaServletAuthenticatorTest
{ {
super.setUp(); super.setUp();
servletAuth = ( ServletAuthenticator ) lookup( ServletAuthenticator.class, "default" ); servletAuth = (ServletAuthenticator) lookup( ServletAuthenticator.class, "default" );
httpServletRequestControl = MockControl.createControl( HttpServletRequest.class ); httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
request = ( HttpServletRequest ) httpServletRequestControl.getMock(); request = (HttpServletRequest) httpServletRequestControl.getMock();
setupRepository( "corporate" ); setupRepository( "corporate" );
} }
@ -108,7 +108,8 @@ public class ArchivaServletAuthenticatorTest
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null ); AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user ); SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", true ); boolean isAuthorized =
servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertTrue( isAuthorized ); assertTrue( isAuthorized );
} }
@ -133,7 +134,7 @@ public class ArchivaServletAuthenticatorTest
try try
{ {
servletAuth.isAuthorized( request, session, "corporate", true ); servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
fail( "UnauthorizedException should have been thrown." ); fail( "UnauthorizedException should have been thrown." );
} }
catch ( UnauthorizedException e ) catch ( UnauthorizedException e )
@ -144,7 +145,6 @@ public class ArchivaServletAuthenticatorTest
httpServletRequestControl.verify(); httpServletRequestControl.verify();
} }
public void testIsAuthorizedUserHasReadAccess() public void testIsAuthorizedUserHasReadAccess()
throws Exception throws Exception
{ {
@ -158,7 +158,8 @@ public class ArchivaServletAuthenticatorTest
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null ); AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user ); SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", false ); boolean isAuthorized =
servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertTrue( isAuthorized ); assertTrue( isAuthorized );
} }
@ -176,7 +177,7 @@ public class ArchivaServletAuthenticatorTest
SecuritySession session = new DefaultSecuritySession( result, user ); SecuritySession session = new DefaultSecuritySession( result, user );
try try
{ {
servletAuth.isAuthorized( request, session, "corporate", false ); servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
fail( "UnauthorizedException should have been thrown." ); fail( "UnauthorizedException should have been thrown." );
} }
catch ( UnauthorizedException e ) catch ( UnauthorizedException e )
@ -189,7 +190,8 @@ public class ArchivaServletAuthenticatorTest
throws Exception throws Exception
{ {
assignRepositoryManagerRole( USER_GUEST, "corporate" ); assignRepositoryManagerRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true ); boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertTrue( isAuthorized ); assertTrue( isAuthorized );
} }
@ -199,7 +201,8 @@ public class ArchivaServletAuthenticatorTest
{ {
assignRepositoryObserverRole( USER_GUEST, "corporate" ); assignRepositoryObserverRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true ); boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertFalse( isAuthorized ); assertFalse( isAuthorized );
} }
@ -208,7 +211,8 @@ public class ArchivaServletAuthenticatorTest
{ {
assignRepositoryObserverRole( USER_GUEST, "corporate" ); assignRepositoryObserverRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false ); boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertTrue( isAuthorized ); assertTrue( isAuthorized );
} }
@ -216,7 +220,8 @@ public class ArchivaServletAuthenticatorTest
public void testIsAuthorizedGuestUserHasNoReadAccess() public void testIsAuthorizedGuestUserHasNoReadAccess()
throws Exception throws Exception
{ {
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false ); boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertFalse( isAuthorized ); assertFalse( isAuthorized );
} }

6
archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/rss/RssFeedServlet.java
View File

@ -38,6 +38,7 @@ import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.database.ArchivaDatabaseException; import org.apache.maven.archiva.database.ArchivaDatabaseException;
import org.apache.maven.archiva.security.AccessDeniedException; import org.apache.maven.archiva.security.AccessDeniedException;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import org.apache.maven.archiva.security.ArchivaSecurityException; import org.apache.maven.archiva.security.ArchivaSecurityException;
import org.apache.maven.archiva.security.PrincipalNotFoundException; import org.apache.maven.archiva.security.PrincipalNotFoundException;
import org.apache.maven.archiva.security.ServletAuthenticator; import org.apache.maven.archiva.security.ServletAuthenticator;
@ -293,8 +294,9 @@ public class RssFeedServlet
AuthenticationResult result = httpAuth.getAuthenticationResult( req, null ); AuthenticationResult result = httpAuth.getAuthenticationResult( req, null );
SecuritySession securitySession = httpAuth.getSecuritySession( req.getSession( true ) ); SecuritySession securitySession = httpAuth.getSecuritySession( req.getSession( true ) );
if ( servletAuth.isAuthenticated( req, result ) && if ( servletAuth.isAuthenticated( req, result )
servletAuth.isAuthorized( req, securitySession, repoId, false ) ) && servletAuth.isAuthorized( req, securitySession, repoId,
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) )
{ {
return true; return true;
} }

505
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
View File

@ -172,153 +172,103 @@ public class ArchivaDavResourceFactory
final DavServletResponse response ) final DavServletResponse response )
throws DavException throws DavException
{ {
checkLocatorIsInstanceOfRepositoryLocator( locator ); ArchivaDavResourceLocator archivaLocator = checkLocatorIsInstanceOfRepositoryLocator( locator );
ArchivaDavResourceLocator archivaLocator = (ArchivaDavResourceLocator) locator;
RepositoryGroupConfiguration repoGroupConfig = RepositoryGroupConfiguration repoGroupConfig =
archivaConfiguration.getConfiguration().getRepositoryGroupsAsMap().get( archivaLocator.getRepositoryId() ); archivaConfiguration.getConfiguration().getRepositoryGroupsAsMap().get( archivaLocator.getRepositoryId() );
List<String> repositories = new ArrayList<String>();
boolean isGet = WebdavMethodUtil.isReadMethod( request.getMethod() ); String activePrincipal = getActivePrincipal( request );
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
List<String> resourcesInAbsolutePath = new ArrayList<String>();
boolean readMethod = WebdavMethodUtil.isReadMethod( request.getMethod() );
DavResource resource;
if ( repoGroupConfig != null ) if ( repoGroupConfig != null )
{ {
if( WebdavMethodUtil.isWriteMethod( request.getMethod() ) ) if ( !readMethod )
{ {
throw new DavException( HttpServletResponse.SC_METHOD_NOT_ALLOWED, throw new DavException( HttpServletResponse.SC_METHOD_NOT_ALLOWED,
"Write method not allowed for repository groups." ); "Write method not allowed for repository groups." );
} }
repositories.addAll( repoGroupConfig.getRepositories() );
// handle browse requests for virtual repos // handle browse requests for virtual repos
if ( RepositoryPathUtil.getLogicalResource( archivaLocator.getOrigResourcePath() ).endsWith( "/" ) ) if ( RepositoryPathUtil.getLogicalResource( archivaLocator.getOrigResourcePath() ).endsWith( "/" ) )
{ {
return getResource( request, repositories, archivaLocator ); return getResource( request, repoGroupConfig.getRepositories(), archivaLocator );
}
} }
else else
{ {
repositories.add( archivaLocator.getRepositoryId() ); resource =
processRepositoryGroup( locator, request, archivaLocator, repoGroupConfig.getRepositories(),
activePrincipal, readMethod, resourcesInAbsolutePath );
} }
//MRM-419 - Windows Webdav support. Should not 404 if there is no content.
if (StringUtils.isEmpty(archivaLocator.getRepositoryId()))
{
throw new DavException(HttpServletResponse.SC_NO_CONTENT);
} }
else
List<DavResource> availableResources = new ArrayList<DavResource>();
List<String> resourcesInAbsolutePath = new ArrayList<String>();
DavException e = null;
for ( String repositoryId : repositories )
{ {
ManagedRepositoryContent managedRepository = null; ManagedRepositoryContent managedRepository = null;
try try
{ {
managedRepository = getManagedRepository( repositoryId ); managedRepository = repositoryFactory.getManagedRepositoryContent( archivaLocator.getRepositoryId() );
} }
catch ( DavException de ) catch ( RepositoryNotFoundException e )
{ {
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Invalid managed repository <" + throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Invalid repository: "
repositoryId + ">" ); + archivaLocator.getRepositoryId() );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e );
} }
DavResource resource = null; resource =
processRepository( locator, request, archivaLocator, readMethod, activePrincipal,
if ( !locator.getResourcePath().startsWith( ArchivaDavResource.HIDDEN_PATH_PREFIX ) ) archivaLocator.getRepositoryId(), managedRepository );
{
if ( managedRepository != null )
{
try
{
if( isAuthorized( request, repositoryId ) )
{
LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
if ( isGet )
{
resource = doGet( managedRepository, request, archivaLocator, logicalResource );
}
if ( isPut )
{
resource = doPut( managedRepository, request, archivaLocator, logicalResource );
}
}
}
catch ( DavException de )
{
e = de;
continue;
}
if( resource == null )
{
e = new DavException( HttpServletResponse.SC_NOT_FOUND, "Resource does not exist" );
}
else
{
availableResources.add( resource );
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ); String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource ); resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource );
} }
}
else
{
e = new DavException( HttpServletResponse.SC_NOT_FOUND, "Repository does not exist" );
}
}
}
if ( availableResources.isEmpty() )
{
throw e;
}
String requestedResource = request.getRequestURI(); String requestedResource = request.getRequestURI();
// MRM-872 : merge all available metadata // MRM-872 : merge all available metadata
// merge metadata only when requested via the repo group // merge metadata only when requested via the repo group
if ( ( repositoryRequest.isMetadata( requestedResource ) || ( requestedResource.endsWith( "metadata.xml.sha1" ) || requestedResource.endsWith( "metadata.xml.md5" ) ) ) && if ( ( repositoryRequest.isMetadata( requestedResource ) || ( requestedResource.endsWith( "metadata.xml.sha1" ) || requestedResource.endsWith( "metadata.xml.md5" ) ) )
repoGroupConfig != null ) && repoGroupConfig != null )
{ {
// this should only be at the project level not version level! // this should only be at the project level not version level!
if( isProjectReference( requestedResource ) ) if ( isProjectReference( requestedResource ) )
{ {
String artifactId = StringUtils.substringBeforeLast( requestedResource.replace( '\\', '/' ), "/" ); String artifactId = StringUtils.substringBeforeLast( requestedResource.replace( '\\', '/' ), "/" );
artifactId = StringUtils.substringAfterLast( artifactId, "/" ); artifactId = StringUtils.substringAfterLast( artifactId, "/" );
ArchivaDavResource res = ( ArchivaDavResource ) availableResources.get( 0 ); ArchivaDavResource res = (ArchivaDavResource) resource;
String filePath = StringUtils.substringBeforeLast( res.getLocalResource().getAbsolutePath().replace( '\\', '/' ), "/" ); String filePath =
StringUtils.substringBeforeLast( res.getLocalResource().getAbsolutePath().replace( '\\', '/' ), "/" );
filePath = filePath + "/maven-metadata-" + repoGroupConfig.getId() + ".xml"; filePath = filePath + "/maven-metadata-" + repoGroupConfig.getId() + ".xml";
// for MRM-872 handle checksums of the merged metadata files // for MRM-872 handle checksums of the merged metadata files
if( repositoryRequest.isSupportFile( requestedResource ) ) if ( repositoryRequest.isSupportFile( requestedResource ) )
{ {
File metadataChecksum = new File( filePath + "." File metadataChecksum =
+ StringUtils.substringAfterLast( requestedResource, "." ) ); new File( filePath + "." + StringUtils.substringAfterLast( requestedResource, "." ) );
if( metadataChecksum.exists() ) if ( metadataChecksum.exists() )
{ {
LogicalResource logicalResource = LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) ); new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
String activePrincipal = getActivePrincipal( request ); resource =
ArchivaDavResource metadataChecksumResource =
new ArchivaDavResource( metadataChecksum.getAbsolutePath(), logicalResource.getPath(), new ArchivaDavResource( metadataChecksum.getAbsolutePath(), logicalResource.getPath(),
null, request.getRemoteAddr(), activePrincipal, null, request.getRemoteAddr(), activePrincipal,
request.getDavSession(), archivaLocator, this, mimeTypes, request.getDavSession(), archivaLocator, this, mimeTypes,
auditListeners, consumers ); auditListeners, consumers );
availableResources.add( 0, metadataChecksumResource );
} }
} }
else else
{ // merge the metadata of all repos under group {
if ( resourcesInAbsolutePath != null && resourcesInAbsolutePath.size() > 1 )
{
// merge the metadata of all repos under group
ArchivaRepositoryMetadata mergedMetadata = new ArchivaRepositoryMetadata(); ArchivaRepositoryMetadata mergedMetadata = new ArchivaRepositoryMetadata();
for ( String resourceAbsPath : resourcesInAbsolutePath ) for ( String resourceAbsPath : resourcesInAbsolutePath )
{ {
@ -342,13 +292,11 @@ public class ArchivaDavResourceFactory
LogicalResource logicalResource = LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) ); new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
String activePrincipal = getActivePrincipal( request ); resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
ArchivaDavResource metadataResource = null, request.getRemoteAddr(), activePrincipal,
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(), null, request.getDavSession(), archivaLocator, this, mimeTypes,
request.getRemoteAddr(), activePrincipal, request.getDavSession(), auditListeners, consumers );
archivaLocator, this, mimeTypes, auditListeners, consumers );
availableResources.add( 0, metadataResource );
} }
catch ( RepositoryMetadataException r ) catch ( RepositoryMetadataException r )
{ {
@ -368,71 +316,115 @@ public class ArchivaDavResourceFactory
} }
} }
} }
}
DavResource resource = availableResources.get( 0 ); setHeaders( response, locator, resource );
setHeaders(response, locator, resource );
// compatibility with MRM-440 to ensure browsing the repository works ok // compatibility with MRM-440 to ensure browsing the repository works ok
if ( resource.isCollection() && !request.getRequestURI().endsWith("/" ) ) if ( resource.isCollection() && !request.getRequestURI().endsWith( "/" ) )
{ {
throw new BrowserRedirectException( resource.getHref() ); throw new BrowserRedirectException( resource.getHref() );
} }
resource.addLockManager(lockManager); resource.addLockManager( lockManager );
return resource; return resource;
} }
public DavResource createResource( final DavResourceLocator locator, final DavSession davSession ) private DavResource processRepositoryGroup( final DavResourceLocator locator, final DavServletRequest request,
ArchivaDavResourceLocator archivaLocator, List<String> repositories,
String activePrincipal, boolean readMethod,
List<String> resourcesInAbsolutePath )
throws DavException throws DavException
{ {
checkLocatorIsInstanceOfRepositoryLocator( locator );
ArchivaDavResourceLocator archivaLocator = (ArchivaDavResourceLocator) locator;
DavResource resource = null; DavResource resource = null;
if ( !locator.getResourcePath().startsWith( ArchivaDavResource.HIDDEN_PATH_PREFIX ) ) DavException storedException = null;
for ( String repositoryId : repositories )
{ {
ManagedRepositoryContent managedRepository = getManagedRepository( archivaLocator.getRepositoryId() ); ManagedRepositoryContent managedRepository = null;
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource ); try
resource = {
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource, managedRepository = repositoryFactory.getManagedRepositoryContent( repositoryId );
managedRepository.getRepository(), davSession, archivaLocator, this, mimeTypes, }
auditListeners, consumers ); catch ( RepositoryNotFoundException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e );
}
try
{
DavResource resource1 =
processRepository( locator, request, archivaLocator, readMethod, activePrincipal, repositoryId,
managedRepository );
if ( resource == null )
{
resource = resource1;
}
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource );
}
catch ( DavException e )
{
storedException = e;
}
}
if ( resource == null )
{
if ( storedException != null )
{
throw storedException;
}
else
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND );
}
} }
resource.addLockManager(lockManager);
return resource; return resource;
} }
private DavResource doGet( ManagedRepositoryContent managedRepository, DavServletRequest request, private DavResource processRepository( final DavResourceLocator locator, final DavServletRequest request,
ArchivaDavResourceLocator locator, LogicalResource logicalResource ) ArchivaDavResourceLocator archivaLocator, boolean readMethod,
String activePrincipal, String repositoryId,
ManagedRepositoryContent managedRepository )
throws DavException throws DavException
{ {
DavResource resource = null;
if ( isAuthorized( request, repositoryId ) )
{
LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() ); File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
resource =
//MRM-893, dont send back a file when user intentionally wants a directory
if ( locator.getHref( false ).endsWith( "/" ) )
{
if ( ! resourceFile.isDirectory() )
{
//force a resource not found
return null;
}
}
String activePrincipal = getActivePrincipal( request );
ArchivaDavResource resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(), new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(), activePrincipal, managedRepository.getRepository(), request.getRemoteAddr(), activePrincipal,
request.getDavSession(), locator, this, mimeTypes, auditListeners, consumers ); request.getDavSession(), archivaLocator, this, mimeTypes, auditListeners,
consumers );
if ( readMethod )
{
if ( archivaLocator.getHref( false ).endsWith( "/" ) && !resourceFile.isDirectory() )
{
// force a resource not found
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Resource does not exist" );
}
else
{
if ( !resource.isCollection() ) if ( !resource.isCollection() )
{ {
boolean previouslyExisted = resourceFile.exists(); boolean previouslyExisted = resourceFile.exists();
// At this point the incoming request can either be in default or // Attempt to fetch the resource from any defined proxy.
// legacy layout format.
boolean fromProxy = fetchContentFromProxies( managedRepository, request, logicalResource ); boolean fromProxy = fetchContentFromProxies( managedRepository, request, logicalResource );
// At this point the incoming request can either be in default or
// legacy layout format.
try try
{ {
// Perform an adjustment of the resource to the managed // Perform an adjustment of the resource to the managed
@ -440,69 +432,90 @@ public class ArchivaDavResourceFactory
String localResourcePath = String localResourcePath =
repositoryRequest.toNativePath( logicalResource.getPath(), managedRepository ); repositoryRequest.toNativePath( logicalResource.getPath(), managedRepository );
resourceFile = new File( managedRepository.getRepoRoot(), localResourcePath ); resourceFile = new File( managedRepository.getRepoRoot(), localResourcePath );
resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(),
activePrincipal, request.getDavSession(), archivaLocator, this,
mimeTypes, auditListeners, consumers );
} }
catch ( LayoutException e ) catch ( LayoutException e1 )
{ {
if ( previouslyExisted ) if ( !resourceFile.exists() )
{ {
return resource; throw new DavException( HttpServletResponse.SC_NOT_FOUND, e1 );
} }
throw new DavException( HttpServletResponse.SC_NOT_FOUND, e );
} }
// Attempt to fetch the resource from any defined proxy.
if ( fromProxy ) if ( fromProxy )
{ {
String repositoryId = locator.getRepositoryId(); String repositoryId1 = archivaLocator.getRepositoryId();
String event = ( previouslyExisted ? AuditEvent.MODIFY_FILE : AuditEvent.CREATE_FILE ) + PROXIED_SUFFIX; String event =
triggerAuditEvent( request.getRemoteAddr(), repositoryId, logicalResource.getPath(), event, ( previouslyExisted ? AuditEvent.MODIFY_FILE : AuditEvent.CREATE_FILE )
activePrincipal ); + PROXIED_SUFFIX;
triggerAuditEvent( request.getRemoteAddr(), repositoryId1, logicalResource.getPath(),
event, activePrincipal );
} }
if ( !resourceFile.exists() ) if ( !resourceFile.exists() )
{ {
resource = null; throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Resource does not exist" );
} }
else
{
resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(),
activePrincipal, request.getDavSession(), locator, this, mimeTypes,
auditListeners, consumers );
} }
} }
return resource;
} }
private DavResource doPut( ManagedRepositoryContent managedRepository, DavServletRequest request, if ( request.getMethod().equals( HTTP_PUT_METHOD ) )
ArchivaDavResourceLocator locator, LogicalResource logicalResource )
throws DavException
{ {
/* /*
* Create parent directories that don't exist when writing a file This actually makes this implementation not * Create parent directories that don't exist when writing a file This actually makes this
* compliant to the WebDAV RFC - but we have enough knowledge about how the collection is being used to do this * implementation not compliant to the WebDAV RFC - but we have enough knowledge about how the
* reasonably and some versions of Maven's WebDAV don't correctly create the collections themselves. * collection is being used to do this reasonably and some versions of Maven's WebDAV don't correctly
* create the collections themselves.
*/ */
File rootDirectory = new File( managedRepository.getRepoRoot() ); File rootDirectory = new File( managedRepository.getRepoRoot() );
File destDir = new File( rootDirectory, logicalResource.getPath() ).getParentFile(); File destDir = new File( rootDirectory, logicalResource.getPath() ).getParentFile();
String activePrincipal = getActivePrincipal( request ); if ( !destDir.exists() )
if ( request.getMethod().equals(HTTP_PUT_METHOD) && !destDir.exists() )
{ {
destDir.mkdirs(); destDir.mkdirs();
String relPath = PathUtil.getRelative( rootDirectory.getAbsolutePath(), destDir ); String relPath = PathUtil.getRelative( rootDirectory.getAbsolutePath(), destDir );
triggerAuditEvent( request.getRemoteAddr(), logicalResource.getPath(), relPath, AuditEvent.CREATE_DIR, triggerAuditEvent( request.getRemoteAddr(), logicalResource.getPath(), relPath,
activePrincipal ); AuditEvent.CREATE_DIR, activePrincipal );
}
}
}
return resource;
} }
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() ); public DavResource createResource( final DavResourceLocator locator, final DavSession davSession )
throws DavException
{
ArchivaDavResourceLocator archivaLocator = checkLocatorIsInstanceOfRepositoryLocator( locator );
return new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(), ManagedRepositoryContent managedRepository;
managedRepository.getRepository(), request.getRemoteAddr(), activePrincipal, try
request.getDavSession(), locator, this, mimeTypes, auditListeners, consumers ); {
managedRepository = repositoryFactory.getManagedRepositoryContent( archivaLocator.getRepositoryId() );
}
catch ( RepositoryNotFoundException e )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Invalid repository: "
+ archivaLocator.getRepositoryId() );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e );
}
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource );
DavResource resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource, managedRepository.getRepository(),
davSession, archivaLocator, this, mimeTypes, auditListeners, consumers );
resource.addLockManager( lockManager );
return resource;
} }
private boolean fetchContentFromProxies( ManagedRepositoryContent managedRepository, DavServletRequest request, private boolean fetchContentFromProxies( ManagedRepositoryContent managedRepository, DavServletRequest request,
@ -519,7 +532,7 @@ public class ArchivaDavResourceFactory
// Is it a Metadata resource? // Is it a Metadata resource?
if ( repositoryRequest.isDefault( resource.getPath() ) && repositoryRequest.isMetadata( resource.getPath() ) ) if ( repositoryRequest.isDefault( resource.getPath() ) && repositoryRequest.isMetadata( resource.getPath() ) )
{ {
return connectors.fetchMetatadaFromProxies(managedRepository, resource.getPath()) != null; return connectors.fetchMetatadaFromProxies( managedRepository, resource.getPath() ) != null;
} }
// Not any of the above? Then it's gotta be an artifact reference. // Not any of the above? Then it's gotta be an artifact reference.
@ -596,7 +609,7 @@ public class ArchivaDavResourceFactory
} }
finally finally
{ {
if (reader != null) if ( reader != null )
{ {
reader.close(); reader.close();
} }
@ -676,44 +689,38 @@ public class ArchivaDavResourceFactory
response.addHeader( "Cache-Control", "no-cache" ); response.addHeader( "Cache-Control", "no-cache" );
} }
//We need to specify this so connecting wagons can work correctly // We need to specify this so connecting wagons can work correctly
response.addDateHeader("last-modified", resource.getModificationTime()); response.addDateHeader( "last-modified", resource.getModificationTime() );
// TODO: [MRM-524] determine http caching options for other types of files (artifacts, sha1, md5, snapshots) // TODO: [MRM-524] determine http caching options for other types of files (artifacts, sha1, md5, snapshots)
} }
private ManagedRepositoryContent getManagedRepository( String respositoryId ) private ArchivaDavResourceLocator checkLocatorIsInstanceOfRepositoryLocator( DavResourceLocator locator )
throws DavException throws DavException
{ {
if ( respositoryId != null ) if ( !( locator instanceof ArchivaDavResourceLocator ) )
{
try
{
return repositoryFactory.getManagedRepositoryContent( respositoryId );
}
catch ( RepositoryNotFoundException e )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, e );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, e );
}
}
return null;
}
private void checkLocatorIsInstanceOfRepositoryLocator( DavResourceLocator locator )
throws DavException
{
if ( !( locator instanceof RepositoryLocator ) )
{ {
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Locator does not implement RepositoryLocator" ); "Locator does not implement RepositoryLocator" );
} }
// Hidden paths
if ( locator.getResourcePath().startsWith( ArchivaDavResource.HIDDEN_PATH_PREFIX ) )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND );
} }
class LogicalResource ArchivaDavResourceLocator archivaLocator = (ArchivaDavResourceLocator) locator;
// MRM-419 - Windows Webdav support. Should not 404 if there is no content.
if ( StringUtils.isEmpty( archivaLocator.getRepositoryId() ) )
{
throw new DavException( HttpServletResponse.SC_NO_CONTENT );
}
return archivaLocator;
}
private static class LogicalResource
{ {
private String path; private String path;
@ -741,20 +748,20 @@ public class ArchivaDavResourceFactory
AuthenticationResult result = httpAuth.getAuthenticationResult( request, null ); AuthenticationResult result = httpAuth.getAuthenticationResult( request, null );
SecuritySession securitySession = httpAuth.getSecuritySession( request.getSession( true ) ); SecuritySession securitySession = httpAuth.getSecuritySession( request.getSession( true ) );
return servletAuth.isAuthenticated( request, result ) && return servletAuth.isAuthenticated( request, result )
servletAuth.isAuthorized( request, securitySession, repositoryId, && servletAuth.isAuthorized( request, securitySession, repositoryId,
WebdavMethodUtil.isWriteMethod( request.getMethod() ) ); WebdavMethodUtil.getMethodPermission( request.getMethod() ) );
} }
catch ( AuthenticationException e ) catch ( AuthenticationException e )
{ {
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
// safety check for MRM-911 // safety check for MRM-911
String guest = UserManager.GUEST_USERNAME; String guest = UserManager.GUEST_USERNAME;
try try
{ {
if( servletAuth.isAuthorized( guest, if ( servletAuth.isAuthorized(
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) ) guest,
( (ArchivaDavResourceLocator) request.getRequestLocator() ).getRepositoryId(),
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{ {
return true; return true;
} }
@ -786,7 +793,8 @@ public class ArchivaDavResourceFactory
} }
} }
private DavResource getResource( DavServletRequest request, List<String> repositories, ArchivaDavResourceLocator locator ) private DavResource getResource( DavServletRequest request, List<String> repositories,
ArchivaDavResourceLocator locator )
throws DavException throws DavException
{ {
List<File> mergedRepositoryContents = new ArrayList<File>(); List<File> mergedRepositoryContents = new ArrayList<File>();
@ -802,25 +810,45 @@ public class ArchivaDavResourceFactory
boolean allow = isAllowedToContinue( request, repositories, activePrincipal ); boolean allow = isAllowedToContinue( request, repositories, activePrincipal );
if( allow ) if ( allow )
{ {
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); for ( String repository : repositories )
{
ManagedRepositoryContent managedRepository = null;
for( String repository : repositories ) try
{
managedRepository = repositoryFactory.getManagedRepositoryContent( repository );
}
catch ( RepositoryNotFoundException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Invalid managed repository <" + repository + ">: " + e.getMessage() );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Invalid managed repository <" + repository + ">: " + e.getMessage() );
}
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
if ( resourceFile.exists() )
{ {
// for prompted authentication // for prompted authentication
if( httpAuth.getSecuritySession( request.getSession( true ) ) != null ) if ( httpAuth.getSecuritySession( request.getSession( true ) ) != null )
{ {
try try
{ {
if( isAuthorized( request, repository ) ) if ( isAuthorized( request, repository ) )
{ {
getResource( locator, mergedRepositoryContents, logicalResource, repository ); mergedRepositoryContents.add( resourceFile );
} }
} }
catch ( DavException e ) catch ( DavException e )
{ {
continue; // TODO: review exception handling
log.debug( "Skipping repository '" + managedRepository + "' for user '" + activePrincipal
+ "': " + e.getMessage() );
} }
} }
else else
@ -828,14 +856,18 @@ public class ArchivaDavResourceFactory
// for the current user logged in // for the current user logged in
try try
{ {
if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) ) if ( servletAuth.isAuthorized( activePrincipal, repository,
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{ {
getResource( locator, mergedRepositoryContents, logicalResource, repository ); mergedRepositoryContents.add( resourceFile );
} }
} }
catch ( UnauthorizedException e ) catch ( UnauthorizedException e )
{ {
continue; // TODO: review exception handling
log.debug( "Skipping repository '" + managedRepository + "' for user '" + activePrincipal
+ "': " + e.getMessage() );
}
} }
} }
} }
@ -846,10 +878,11 @@ public class ArchivaDavResourceFactory
} }
ArchivaVirtualDavResource resource = ArchivaVirtualDavResource resource =
new ArchivaVirtualDavResource( mergedRepositoryContents, logicalResource.getPath(), mimeTypes, locator, this ); new ArchivaVirtualDavResource( mergedRepositoryContents, logicalResource.getPath(), mimeTypes, locator,
this );
// compatibility with MRM-440 to ensure browsing the repository group works ok // compatibility with MRM-440 to ensure browsing the repository group works ok
if ( resource.isCollection() && !request.getRequestURI().endsWith("/" ) ) if ( resource.isCollection() && !request.getRequestURI().endsWith( "/" ) )
{ {
throw new BrowserRedirectException( resource.getHref() ); throw new BrowserRedirectException( resource.getHref() );
} }
@ -863,35 +896,6 @@ public class ArchivaDavResourceFactory
return sessionUser != null ? sessionUser.getUsername() : UserManager.GUEST_USERNAME; return sessionUser != null ? sessionUser.getUsername() : UserManager.GUEST_USERNAME;
} }
private void getResource( ArchivaDavResourceLocator locator, List<File> mergedRepositoryContents,
LogicalResource logicalResource, String repository )
throws DavException
{
ManagedRepositoryContent managedRepository = null;
try
{
managedRepository = getManagedRepository( repository );
}
catch ( DavException de )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Invalid managed repository <" +
repository + ">" );
}
if ( !locator.getResourcePath().startsWith( ArchivaVirtualDavResource.HIDDEN_PATH_PREFIX ) )
{
if( managedRepository != null )
{
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
if( resourceFile.exists() )
{
mergedRepositoryContents.add( resourceFile );
}
}
}
}
/** /**
* Check if the current user is authorized to access any of the repos * Check if the current user is authorized to access any of the repos
* *
@ -904,21 +908,20 @@ public class ArchivaDavResourceFactory
{ {
boolean allow = false; boolean allow = false;
// if securitySession != null, it means that the user was prompted for authentication // if securitySession != null, it means that the user was prompted for authentication
if( httpAuth.getSecuritySession( request.getSession() ) != null ) if ( httpAuth.getSecuritySession( request.getSession() ) != null )
{ {
for( String repository : repositories ) for ( String repository : repositories )
{ {
try try
{ {
if( isAuthorized( request, repository ) ) if ( isAuthorized( request, repository ) )
{ {
allow = true; allow = true;
break; break;
} }
} }
catch( DavException e ) catch ( DavException e )
{ {
continue; continue;
} }
@ -926,12 +929,12 @@ public class ArchivaDavResourceFactory
} }
else else
{ {
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); for ( String repository : repositories )
for( String repository : repositories )
{ {
try try
{ {
if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) ) if ( servletAuth.isAuthorized( activePrincipal, repository,
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{ {
allow = true; allow = true;
break; break;
@ -951,7 +954,7 @@ public class ArchivaDavResourceFactory
throws RepositoryMetadataException, DigesterException, IOException throws RepositoryMetadataException, DigesterException, IOException
{ {
File outputFile = new File( outputFilename ); File outputFile = new File( outputFilename );
if( outputFile.exists() ) if ( outputFile.exists() )
{ {
FileUtils.deleteQuietly( outputFile ); FileUtils.deleteQuietly( outputFile );
} }

9
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
View File

@ -66,16 +66,15 @@ public class ArchivaDavSessionProvider
} }
catch ( AuthenticationException e ) catch ( AuthenticationException e )
{ {
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
// safety check for MRM-911 // safety check for MRM-911
String guest = UserManager.GUEST_USERNAME; String guest = UserManager.GUEST_USERNAME;
try try
{ {
if( servletAuth.isAuthorized( guest, if ( servletAuth.isAuthorized( guest,
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) ) ( (ArchivaDavResourceLocator) request.getRequestLocator() ).getRepositoryId(),
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{ {
request.setDavSession(new ArchivaDavSession()); request.setDavSession( new ArchivaDavSession() );
return true; return true;
} }
} }

2
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaVirtualDavResource.java
View File

@ -59,8 +59,6 @@ import org.joda.time.format.ISODateTimeFormat;
public class ArchivaVirtualDavResource public class ArchivaVirtualDavResource
implements DavResource implements DavResource
{ {
public static final String HIDDEN_PATH_PREFIX = ".";
private static final String COMPLIANCE_CLASS = "1"; private static final String COMPLIANCE_CLASS = "1";
private ArchivaDavResourceLocator locator; private ArchivaDavResourceLocator locator;

37
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/util/WebdavMethodUtil.java
View File

@ -20,9 +20,11 @@ package org.apache.maven.archiva.webdav.util;
*/ */
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Locale;
/** /**
* WebdavMethodUtil * WebdavMethodUtil
@ -43,23 +45,32 @@ public class WebdavMethodUtil
READ_METHODS.add( "REPORT" ); READ_METHODS.add( "REPORT" );
} }
public static String getMethodPermission( String method )
{
if ( StringUtils.isBlank( method ) )
{
throw new IllegalArgumentException( "WebDAV method is empty" );
}
if ( READ_METHODS.contains( method.toUpperCase( Locale.US ) ) )
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
}
else if ( "DELETE".equals( method.toUpperCase( Locale.US ) ) )
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE;
}
else
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
}
public static boolean isReadMethod( String method ) public static boolean isReadMethod( String method )
{ {
if ( StringUtils.isBlank( method ) ) if ( StringUtils.isBlank( method ) )
{ {
return false; throw new IllegalArgumentException( "WebDAV method is empty" );
} }
return READ_METHODS.contains( method.toUpperCase( Locale.US ) );
return READ_METHODS.contains( method.toUpperCase() );
}
public static boolean isWriteMethod( String method )
{
if ( StringUtils.isBlank( method ) )
{
return false;
}
return !READ_METHODS.contains( method.toUpperCase() );
} }
} }

7
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/AbstractRepositoryServletTestCase.java
View File

@ -97,6 +97,13 @@ public abstract class AbstractRepositoryServletTestCase
.getResponseCode() ); .getResponseCode() );
} }
protected void assertResponseInternalServerError( WebResponse response )
{
assertNotNull( "Should have recieved a response", response );
Assert.assertEquals( "Should have been an 500/Internal Server Error response code.", HttpServletResponse.SC_INTERNAL_SERVER_ERROR, response
.getResponseCode() );
}
protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location ) protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
{ {
ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration(); ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();

5
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
View File

@ -360,13 +360,14 @@ public class ArchivaDavSessionProviderTest extends TestCase
return true; return true;
} }
public boolean isAuthorized(HttpServletRequest arg0, SecuritySession arg1, String arg2, boolean arg3) public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
String permission )
throws AuthorizationException, UnauthorizedException throws AuthorizationException, UnauthorizedException
{ {
return true; return true;
} }
public boolean isAuthorized(String arg0, String arg1, boolean isWriteRequest) public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException throws UnauthorizedException
{ {
return true; return true;

2
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/MockServletAuthenticator.java
View File

@ -26,7 +26,7 @@ public class MockServletAuthenticator
extends ArchivaServletAuthenticator extends ArchivaServletAuthenticator
{ {
@Override @Override
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException throws UnauthorizedException
{ {
return true; return true;

2
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletRepositoryGroupTest.java
View File

@ -193,7 +193,7 @@ public class RepositoryServletRepositoryGroupTest
WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/" + REPO_GROUP_WITH_INVALID_REPOS + "/" + resourceName ); WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/" + REPO_GROUP_WITH_INVALID_REPOS + "/" + resourceName );
WebResponse response = sc.getResponse( request ); WebResponse response = sc.getResponse( request );
assertResponseNotFound( response ); assertResponseInternalServerError( response );
} }
/* /*

52
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java
View File

@ -32,6 +32,7 @@ import org.apache.jackrabbit.webdav.DavSessionProvider;
import org.apache.maven.archiva.configuration.ArchivaConfiguration; import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.Configuration; import org.apache.maven.archiva.configuration.Configuration;
import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import org.apache.maven.archiva.security.ArchivaXworkUser; import org.apache.maven.archiva.security.ArchivaXworkUser;
import org.apache.maven.archiva.security.ServletAuthenticator; import org.apache.maven.archiva.security.ServletAuthenticator;
import org.codehaus.plexus.redback.authentication.AuthenticationException; import org.codehaus.plexus.redback.authentication.AuthenticationException;
@ -56,9 +57,7 @@ import com.meterware.servletunit.ServletRunner;
import com.meterware.servletunit.ServletUnitClient; import com.meterware.servletunit.ServletUnitClient;
/** /**
* RepositoryServletSecurityTest * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
*
* Test the flow of the authentication and authorization checks. This does not necessarily
* perform redback security checking. * perform redback security checking.
* *
* @version $Id$ * @version $Id$
@ -182,7 +181,7 @@ public class RepositoryServletSecurityTest
if ( repoRootInternal.exists() ) if ( repoRootInternal.exists() )
{ {
FileUtils.deleteDirectory(repoRootInternal); FileUtils.deleteDirectory( repoRootInternal );
} }
servlet = null; servlet = null;
@ -211,7 +210,7 @@ public class RepositoryServletSecurityTest
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", true ); servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) ); servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
@ -223,7 +222,7 @@ public class RepositoryServletSecurityTest
httpAuthControl.verify(); httpAuthControl.verify();
servletAuthControl.verify(); servletAuthControl.verify();
//assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode()); // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
} }
// test deploy with invalid user, but guest has write access to repo // test deploy with invalid user, but guest has write access to repo
@ -253,21 +252,21 @@ public class RepositoryServletSecurityTest
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", true ); servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setReturnValue( true ); servletAuthControl.setReturnValue( true );
// ArchivaDavResourceFactory#isAuthorized() // ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null ); httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
// check if guest has write access // check if guest has write access
servletAuth.isAuthorized( "guest", "internal", true ); servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setReturnValue( true ); servletAuthControl.setReturnValue( true );
@ -311,8 +310,11 @@ public class RepositoryServletSecurityTest
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ), servletAuthControl.expectAndThrow(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
new UnauthorizedException( "User not authorized" ) ); new UnauthorizedException( "User not authorized" ) );
httpAuthControl.replay(); httpAuthControl.replay();
@ -359,7 +361,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() ); httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay(); httpAuthControl.replay();
servletAuthControl.replay(); servletAuthControl.replay();
@ -399,7 +404,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), true ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( "guest", "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
true );
// ArchivaDavResourceFactory#isAuthorized() // ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
@ -407,7 +415,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null ); httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay(); httpAuthControl.replay();
servletAuthControl.replay(); servletAuthControl.replay();
@ -442,7 +453,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), false ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( "guest", "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
false );
httpAuthControl.replay(); httpAuthControl.replay();
servletAuthControl.replay(); servletAuthControl.replay();
@ -488,7 +502,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() ); httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay(); httpAuthControl.replay();
servletAuthControl.replay(); servletAuthControl.replay();
@ -533,8 +550,11 @@ public class RepositoryServletSecurityTest
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ), servletAuthControl.expectAndThrow(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
new UnauthorizedException( "User not authorized to read repository." ) ); new UnauthorizedException( "User not authorized to read repository." ) );
httpAuthControl.replay(); httpAuthControl.replay();