Apache
/
archiva
mirror of https://github.com/apache/archiva.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

clean up the webdav interface to make the code more readable 

in addition, webdav now honours the delete operation separately to upload
improved the HTTP error responses for misconfiguration (500) vs not found on groups


git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@755845 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Brett Porter 2009-03-19 06:10:38 +00:00
parent 6095cf8484
commit 584031f68f
13 changed files with 642 additions and 611 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
View File

@ -62,27 +62,19 @@ public class ArchivaServletAuthenticator
} }
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId, public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
boolean isWriteRequest ) String permission )
throws AuthorizationException, UnauthorizedException throws AuthorizationException, UnauthorizedException
{ {
// TODO: also check for permission to proxy the resource when MRM-579 is implemented // TODO: also check for permission to proxy the resource when MRM-579 is implemented
String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
if ( isWriteRequest )
{
permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
AuthorizationResult authzResult = securitySystem.authorize( securitySession, permission, repositoryId ); AuthorizationResult authzResult = securitySystem.authorize( securitySession, permission, repositoryId );
if ( !authzResult.isAuthorized() ) if ( !authzResult.isAuthorized() )
{ {
if ( authzResult.getException() != null ) if ( authzResult.getException() != null )
{ {
log.info( "Authorization Denied [ip=" + request.getRemoteAddr() + ",isWriteRequest=" + isWriteRequest + log.info( "Authorization Denied [ip=" + request.getRemoteAddr() + ",permission=" + permission
",permission=" + permission + ",repo=" + repositoryId + "] : " + + ",repo=" + repositoryId + "] : " + authzResult.getException().getMessage() );
authzResult.getException().getMessage() );
throw new UnauthorizedException( "Access denied for repository " + repositoryId ); throw new UnauthorizedException( "Access denied for repository " + repositoryId );
} }
@ -92,18 +84,11 @@ public class ArchivaServletAuthenticator
return true; return true;
} }
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException throws UnauthorizedException
{ {
try try
{ {
String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
if ( isWriteRequest )
{
permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
User user = securitySystem.getUserManager().findUser( principal ); User user = securitySystem.getUserManager().findUser( principal );
if ( user == null ) if ( user == null )
{ {

4
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
View File

@ -59,7 +59,7 @@ public interface ServletAuthenticator
* @throws UnauthorizedException * @throws UnauthorizedException
*/ */
public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId, public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException; String permission ) throws AuthorizationException, UnauthorizedException;
/** /**
* Authorization check specific for user guest, which doesn't go through * Authorization check specific for user guest, which doesn't go through
@ -74,6 +74,6 @@ public interface ServletAuthenticator
* @return * @return
* @throws UnauthorizedException * @throws UnauthorizedException
*/ */
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException; throws UnauthorizedException;
} }

27
archiva-modules/archiva-web/archiva-security/src/test/java/org/apache/maven/archiva/security/ArchivaServletAuthenticatorTest.java
View File

@ -51,10 +51,10 @@ public class ArchivaServletAuthenticatorTest
{ {
super.setUp(); super.setUp();
servletAuth = ( ServletAuthenticator ) lookup( ServletAuthenticator.class, "default" ); servletAuth = (ServletAuthenticator) lookup( ServletAuthenticator.class, "default" );
httpServletRequestControl = MockControl.createControl( HttpServletRequest.class ); httpServletRequestControl = MockControl.createControl( HttpServletRequest.class );
request = ( HttpServletRequest ) httpServletRequestControl.getMock(); request = (HttpServletRequest) httpServletRequestControl.getMock();
setupRepository( "corporate" ); setupRepository( "corporate" );
} }
@ -108,7 +108,8 @@ public class ArchivaServletAuthenticatorTest
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null ); AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user ); SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", true ); boolean isAuthorized =
servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertTrue( isAuthorized ); assertTrue( isAuthorized );
} }
@ -133,7 +134,7 @@ public class ArchivaServletAuthenticatorTest
try try
{ {
servletAuth.isAuthorized( request, session, "corporate", true ); servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
fail( "UnauthorizedException should have been thrown." ); fail( "UnauthorizedException should have been thrown." );
} }
catch ( UnauthorizedException e ) catch ( UnauthorizedException e )
@ -144,7 +145,6 @@ public class ArchivaServletAuthenticatorTest
httpServletRequestControl.verify(); httpServletRequestControl.verify();
} }
public void testIsAuthorizedUserHasReadAccess() public void testIsAuthorizedUserHasReadAccess()
throws Exception throws Exception
{ {
@ -158,7 +158,8 @@ public class ArchivaServletAuthenticatorTest
AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null ); AuthenticationResult result = new AuthenticationResult( true, USER_ALPACA, null );
SecuritySession session = new DefaultSecuritySession( result, user ); SecuritySession session = new DefaultSecuritySession( result, user );
boolean isAuthorized = servletAuth.isAuthorized( request, session, "corporate", false ); boolean isAuthorized =
servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertTrue( isAuthorized ); assertTrue( isAuthorized );
} }
@ -176,7 +177,7 @@ public class ArchivaServletAuthenticatorTest
SecuritySession session = new DefaultSecuritySession( result, user ); SecuritySession session = new DefaultSecuritySession( result, user );
try try
{ {
servletAuth.isAuthorized( request, session, "corporate", false ); servletAuth.isAuthorized( request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
fail( "UnauthorizedException should have been thrown." ); fail( "UnauthorizedException should have been thrown." );
} }
catch ( UnauthorizedException e ) catch ( UnauthorizedException e )
@ -189,7 +190,8 @@ public class ArchivaServletAuthenticatorTest
throws Exception throws Exception
{ {
assignRepositoryManagerRole( USER_GUEST, "corporate" ); assignRepositoryManagerRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true ); boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertTrue( isAuthorized ); assertTrue( isAuthorized );
} }
@ -199,7 +201,8 @@ public class ArchivaServletAuthenticatorTest
{ {
assignRepositoryObserverRole( USER_GUEST, "corporate" ); assignRepositoryObserverRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", true ); boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
assertFalse( isAuthorized ); assertFalse( isAuthorized );
} }
@ -208,7 +211,8 @@ public class ArchivaServletAuthenticatorTest
{ {
assignRepositoryObserverRole( USER_GUEST, "corporate" ); assignRepositoryObserverRole( USER_GUEST, "corporate" );
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false ); boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertTrue( isAuthorized ); assertTrue( isAuthorized );
} }
@ -216,7 +220,8 @@ public class ArchivaServletAuthenticatorTest
public void testIsAuthorizedGuestUserHasNoReadAccess() public void testIsAuthorizedGuestUserHasNoReadAccess()
throws Exception throws Exception
{ {
boolean isAuthorized = servletAuth.isAuthorized( USER_GUEST, "corporate", false ); boolean isAuthorized =
servletAuth.isAuthorized( USER_GUEST, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
assertFalse( isAuthorized ); assertFalse( isAuthorized );
} }

6
archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/rss/RssFeedServlet.java
View File

@ -38,6 +38,7 @@ import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.database.ArchivaDatabaseException; import org.apache.maven.archiva.database.ArchivaDatabaseException;
import org.apache.maven.archiva.security.AccessDeniedException; import org.apache.maven.archiva.security.AccessDeniedException;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import org.apache.maven.archiva.security.ArchivaSecurityException; import org.apache.maven.archiva.security.ArchivaSecurityException;
import org.apache.maven.archiva.security.PrincipalNotFoundException; import org.apache.maven.archiva.security.PrincipalNotFoundException;
import org.apache.maven.archiva.security.ServletAuthenticator; import org.apache.maven.archiva.security.ServletAuthenticator;
@ -293,8 +294,9 @@ public class RssFeedServlet
AuthenticationResult result = httpAuth.getAuthenticationResult( req, null ); AuthenticationResult result = httpAuth.getAuthenticationResult( req, null );
SecuritySession securitySession = httpAuth.getSecuritySession( req.getSession( true ) ); SecuritySession securitySession = httpAuth.getSecuritySession( req.getSession( true ) );
if ( servletAuth.isAuthenticated( req, result ) && if ( servletAuth.isAuthenticated( req, result )
servletAuth.isAuthorized( req, securitySession, repoId, false ) ) && servletAuth.isAuthorized( req, securitySession, repoId,
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ) )
{ {
return true; return true;
} }

741
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
View File

@ -172,45 +172,171 @@ public class ArchivaDavResourceFactory
final DavServletResponse response ) final DavServletResponse response )
throws DavException throws DavException
{ {
checkLocatorIsInstanceOfRepositoryLocator( locator ); ArchivaDavResourceLocator archivaLocator = checkLocatorIsInstanceOfRepositoryLocator( locator );
ArchivaDavResourceLocator archivaLocator = (ArchivaDavResourceLocator) locator;
RepositoryGroupConfiguration repoGroupConfig = RepositoryGroupConfiguration repoGroupConfig =
archivaConfiguration.getConfiguration().getRepositoryGroupsAsMap().get( archivaLocator.getRepositoryId() ); archivaConfiguration.getConfiguration().getRepositoryGroupsAsMap().get( archivaLocator.getRepositoryId() );
List<String> repositories = new ArrayList<String>();
boolean isGet = WebdavMethodUtil.isReadMethod( request.getMethod() ); String activePrincipal = getActivePrincipal( request );
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
List<String> resourcesInAbsolutePath = new ArrayList<String>();
boolean readMethod = WebdavMethodUtil.isReadMethod( request.getMethod() );
DavResource resource;
if ( repoGroupConfig != null ) if ( repoGroupConfig != null )
{ {
if( WebdavMethodUtil.isWriteMethod( request.getMethod() ) ) if ( !readMethod )
{ {
throw new DavException( HttpServletResponse.SC_METHOD_NOT_ALLOWED, throw new DavException( HttpServletResponse.SC_METHOD_NOT_ALLOWED,
"Write method not allowed for repository groups." ); "Write method not allowed for repository groups." );
} }
repositories.addAll( repoGroupConfig.getRepositories() );
// handle browse requests for virtual repos // handle browse requests for virtual repos
if ( RepositoryPathUtil.getLogicalResource( archivaLocator.getOrigResourcePath() ).endsWith( "/" ) ) if ( RepositoryPathUtil.getLogicalResource( archivaLocator.getOrigResourcePath() ).endsWith( "/" ) )
{ {
return getResource( request, repositories, archivaLocator ); return getResource( request, repoGroupConfig.getRepositories(), archivaLocator );
}
else
{
resource =
processRepositoryGroup( locator, request, archivaLocator, repoGroupConfig.getRepositories(),
activePrincipal, readMethod, resourcesInAbsolutePath );
} }
} }
else else
{ {
repositories.add( archivaLocator.getRepositoryId() ); ManagedRepositoryContent managedRepository = null;
try
{
managedRepository = repositoryFactory.getManagedRepositoryContent( archivaLocator.getRepositoryId() );
}
catch ( RepositoryNotFoundException e )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Invalid repository: "
+ archivaLocator.getRepositoryId() );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e );
}
resource =
processRepository( locator, request, archivaLocator, readMethod, activePrincipal,
archivaLocator.getRepositoryId(), managedRepository );
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource );
} }
//MRM-419 - Windows Webdav support. Should not 404 if there is no content. String requestedResource = request.getRequestURI();
if (StringUtils.isEmpty(archivaLocator.getRepositoryId()))
// MRM-872 : merge all available metadata
// merge metadata only when requested via the repo group
if ( ( repositoryRequest.isMetadata( requestedResource ) || ( requestedResource.endsWith( "metadata.xml.sha1" ) || requestedResource.endsWith( "metadata.xml.md5" ) ) )
&& repoGroupConfig != null )
{ {
throw new DavException(HttpServletResponse.SC_NO_CONTENT); // this should only be at the project level not version level!
if ( isProjectReference( requestedResource ) )
{
String artifactId = StringUtils.substringBeforeLast( requestedResource.replace( '\\', '/' ), "/" );
artifactId = StringUtils.substringAfterLast( artifactId, "/" );
ArchivaDavResource res = (ArchivaDavResource) resource;
String filePath =
StringUtils.substringBeforeLast( res.getLocalResource().getAbsolutePath().replace( '\\', '/' ), "/" );
filePath = filePath + "/maven-metadata-" + repoGroupConfig.getId() + ".xml";
// for MRM-872 handle checksums of the merged metadata files
if ( repositoryRequest.isSupportFile( requestedResource ) )
{
File metadataChecksum =
new File( filePath + "." + StringUtils.substringAfterLast( requestedResource, "." ) );
if ( metadataChecksum.exists() )
{
LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
resource =
new ArchivaDavResource( metadataChecksum.getAbsolutePath(), logicalResource.getPath(),
null, request.getRemoteAddr(), activePrincipal,
request.getDavSession(), archivaLocator, this, mimeTypes,
auditListeners, consumers );
}
}
else
{
if ( resourcesInAbsolutePath != null && resourcesInAbsolutePath.size() > 1 )
{
// merge the metadata of all repos under group
ArchivaRepositoryMetadata mergedMetadata = new ArchivaRepositoryMetadata();
for ( String resourceAbsPath : resourcesInAbsolutePath )
{
try
{
File metadataFile = new File( resourceAbsPath );
ArchivaRepositoryMetadata repoMetadata = RepositoryMetadataReader.read( metadataFile );
mergedMetadata = RepositoryMetadataMerge.merge( mergedMetadata, repoMetadata );
}
catch ( RepositoryMetadataException r )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Error occurred while reading metadata file." );
}
}
try
{
File resourceFile = writeMergedMetadataToFile( mergedMetadata, filePath );
LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
null, request.getRemoteAddr(), activePrincipal,
request.getDavSession(), archivaLocator, this, mimeTypes,
auditListeners, consumers );
}
catch ( RepositoryMetadataException r )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Error occurred while writing metadata file." );
}
catch ( IOException ie )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Error occurred while generating checksum files." );
}
catch ( DigesterException de )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Error occurred while generating checksum files." );
}
}
}
}
} }
List<DavResource> availableResources = new ArrayList<DavResource>(); setHeaders( response, locator, resource );
List<String> resourcesInAbsolutePath = new ArrayList<String>();
DavException e = null; // compatibility with MRM-440 to ensure browsing the repository works ok
if ( resource.isCollection() && !request.getRequestURI().endsWith( "/" ) )
{
throw new BrowserRedirectException( resource.getHref() );
}
resource.addLockManager( lockManager );
return resource;
}
private DavResource processRepositoryGroup( final DavResourceLocator locator, final DavServletRequest request,
ArchivaDavResourceLocator archivaLocator, List<String> repositories,
String activePrincipal, boolean readMethod,
List<String> resourcesInAbsolutePath )
throws DavException
{
DavResource resource = null;
DavException storedException = null;
for ( String repositoryId : repositories ) for ( String repositoryId : repositories )
{ {
@ -218,293 +344,180 @@ public class ArchivaDavResourceFactory
try try
{ {
managedRepository = getManagedRepository( repositoryId ); managedRepository = repositoryFactory.getManagedRepositoryContent( repositoryId );
} }
catch ( DavException de ) catch ( RepositoryNotFoundException e )
{ {
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Invalid managed repository <" + throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e );
repositoryId + ">" ); }
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e );
} }
DavResource resource = null; try
if ( !locator.getResourcePath().startsWith( ArchivaDavResource.HIDDEN_PATH_PREFIX ) )
{ {
if ( managedRepository != null ) DavResource resource1 =
processRepository( locator, request, archivaLocator, readMethod, activePrincipal, repositoryId,
managedRepository );
if ( resource == null )
{ {
try resource = resource1;
{
if( isAuthorized( request, repositoryId ) )
{
LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
if ( isGet )
{
resource = doGet( managedRepository, request, archivaLocator, logicalResource );
}
if ( isPut )
{
resource = doPut( managedRepository, request, archivaLocator, logicalResource );
}
}
}
catch ( DavException de )
{
e = de;
continue;
}
if( resource == null )
{
e = new DavException( HttpServletResponse.SC_NOT_FOUND, "Resource does not exist" );
}
else
{
availableResources.add( resource );
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource );
}
}
else
{
e = new DavException( HttpServletResponse.SC_NOT_FOUND, "Repository does not exist" );
} }
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
resourcesInAbsolutePath.add( managedRepository.getRepoRoot() + logicalResource );
}
catch ( DavException e )
{
storedException = e;
} }
} }
if ( availableResources.isEmpty() ) if ( resource == null )
{ {
throw e; if ( storedException != null )
}
String requestedResource = request.getRequestURI();
// MRM-872 : merge all available metadata
// merge metadata only when requested via the repo group
if ( ( repositoryRequest.isMetadata( requestedResource ) || ( requestedResource.endsWith( "metadata.xml.sha1" ) || requestedResource.endsWith( "metadata.xml.md5" ) ) ) &&
repoGroupConfig != null )
{
// this should only be at the project level not version level!
if( isProjectReference( requestedResource ) )
{ {
String artifactId = StringUtils.substringBeforeLast( requestedResource.replace( '\\', '/' ), "/" ); throw storedException;
artifactId = StringUtils.substringAfterLast( artifactId, "/" ); }
else
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND );
}
}
return resource;
}
ArchivaDavResource res = ( ArchivaDavResource ) availableResources.get( 0 ); private DavResource processRepository( final DavResourceLocator locator, final DavServletRequest request,
String filePath = StringUtils.substringBeforeLast( res.getLocalResource().getAbsolutePath().replace( '\\', '/' ), "/" ); ArchivaDavResourceLocator archivaLocator, boolean readMethod,
filePath = filePath + "/maven-metadata-" + repoGroupConfig.getId() + ".xml"; String activePrincipal, String repositoryId,
ManagedRepositoryContent managedRepository )
throws DavException
{
DavResource resource = null;
if ( isAuthorized( request, repositoryId ) )
{
LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
// for MRM-872 handle checksums of the merged metadata files File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
if( repositoryRequest.isSupportFile( requestedResource ) ) resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(), activePrincipal,
request.getDavSession(), archivaLocator, this, mimeTypes, auditListeners,
consumers );
if ( readMethod )
{
if ( archivaLocator.getHref( false ).endsWith( "/" ) && !resourceFile.isDirectory() )
{ {
File metadataChecksum = new File( filePath + "." // force a resource not found
+ StringUtils.substringAfterLast( requestedResource, "." ) ); throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Resource does not exist" );
if( metadataChecksum.exists() )
{
LogicalResource logicalResource =
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) );
String activePrincipal = getActivePrincipal( request );
ArchivaDavResource metadataChecksumResource =
new ArchivaDavResource( metadataChecksum.getAbsolutePath(), logicalResource.getPath(),
null, request.getRemoteAddr(), activePrincipal,
request.getDavSession(), archivaLocator, this, mimeTypes,
auditListeners, consumers );
availableResources.add( 0, metadataChecksumResource );
}
} }
else else
{ // merge the metadata of all repos under group {
ArchivaRepositoryMetadata mergedMetadata = new ArchivaRepositoryMetadata(); if ( !resource.isCollection() )
for ( String resourceAbsPath : resourcesInAbsolutePath )
{ {
boolean previouslyExisted = resourceFile.exists();
// Attempt to fetch the resource from any defined proxy.
boolean fromProxy = fetchContentFromProxies( managedRepository, request, logicalResource );
// At this point the incoming request can either be in default or
// legacy layout format.
try try
{ {
File metadataFile = new File( resourceAbsPath ); // Perform an adjustment of the resource to the managed
ArchivaRepositoryMetadata repoMetadata = RepositoryMetadataReader.read( metadataFile ); // repository expected path.
mergedMetadata = RepositoryMetadataMerge.merge( mergedMetadata, repoMetadata ); String localResourcePath =
repositoryRequest.toNativePath( logicalResource.getPath(), managedRepository );
resourceFile = new File( managedRepository.getRepoRoot(), localResourcePath );
resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(),
activePrincipal, request.getDavSession(), archivaLocator, this,
mimeTypes, auditListeners, consumers );
} }
catch ( RepositoryMetadataException r ) catch ( LayoutException e1 )
{ {
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, if ( !resourceFile.exists() )
"Error occurred while reading metadata file." ); {
throw new DavException( HttpServletResponse.SC_NOT_FOUND, e1 );
}
} }
}
try if ( fromProxy )
{ {
File resourceFile = writeMergedMetadataToFile( mergedMetadata, filePath ); String repositoryId1 = archivaLocator.getRepositoryId();
String event =
( previouslyExisted ? AuditEvent.MODIFY_FILE : AuditEvent.CREATE_FILE )
+ PROXIED_SUFFIX;
triggerAuditEvent( request.getRemoteAddr(), repositoryId1, logicalResource.getPath(),
event, activePrincipal );
}
LogicalResource logicalResource = if ( !resourceFile.exists() )
new LogicalResource( RepositoryPathUtil.getLogicalResource( locator.getResourcePath() ) ); {
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Resource does not exist" );
String activePrincipal = getActivePrincipal( request ); }
ArchivaDavResource metadataResource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(), null,
request.getRemoteAddr(), activePrincipal, request.getDavSession(),
archivaLocator, this, mimeTypes, auditListeners, consumers );
availableResources.add( 0, metadataResource );
}
catch ( RepositoryMetadataException r )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Error occurred while writing metadata file." );
}
catch ( IOException ie )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Error occurred while generating checksum files." );
}
catch ( DigesterException de )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Error occurred while generating checksum files." );
} }
} }
} }
}
DavResource resource = availableResources.get( 0 ); if ( request.getMethod().equals( HTTP_PUT_METHOD ) )
setHeaders(response, locator, resource ); {
/*
* Create parent directories that don't exist when writing a file This actually makes this
* implementation not compliant to the WebDAV RFC - but we have enough knowledge about how the
* collection is being used to do this reasonably and some versions of Maven's WebDAV don't correctly
* create the collections themselves.
*/
// compatibility with MRM-440 to ensure browsing the repository works ok File rootDirectory = new File( managedRepository.getRepoRoot() );
if ( resource.isCollection() && !request.getRequestURI().endsWith("/" ) ) File destDir = new File( rootDirectory, logicalResource.getPath() ).getParentFile();
{
throw new BrowserRedirectException( resource.getHref() ); if ( !destDir.exists() )
{
destDir.mkdirs();
String relPath = PathUtil.getRelative( rootDirectory.getAbsolutePath(), destDir );
triggerAuditEvent( request.getRemoteAddr(), logicalResource.getPath(), relPath,
AuditEvent.CREATE_DIR, activePrincipal );
}
}
} }
resource.addLockManager(lockManager);
return resource; return resource;
} }
public DavResource createResource( final DavResourceLocator locator, final DavSession davSession ) public DavResource createResource( final DavResourceLocator locator, final DavSession davSession )
throws DavException throws DavException
{ {
checkLocatorIsInstanceOfRepositoryLocator( locator ); ArchivaDavResourceLocator archivaLocator = checkLocatorIsInstanceOfRepositoryLocator( locator );
ArchivaDavResourceLocator archivaLocator = (ArchivaDavResourceLocator) locator;
DavResource resource = null; ManagedRepositoryContent managedRepository;
if ( !locator.getResourcePath().startsWith( ArchivaDavResource.HIDDEN_PATH_PREFIX ) ) try
{ {
ManagedRepositoryContent managedRepository = getManagedRepository( archivaLocator.getRepositoryId() ); managedRepository = repositoryFactory.getManagedRepositoryContent( archivaLocator.getRepositoryId() );
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource );
resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource,
managedRepository.getRepository(), davSession, archivaLocator, this, mimeTypes,
auditListeners, consumers );
} }
resource.addLockManager(lockManager); catch ( RepositoryNotFoundException e )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Invalid repository: "
+ archivaLocator.getRepositoryId() );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e );
}
String logicalResource = RepositoryPathUtil.getLogicalResource( locator.getResourcePath() );
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource );
DavResource resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource, managedRepository.getRepository(),
davSession, archivaLocator, this, mimeTypes, auditListeners, consumers );
resource.addLockManager( lockManager );
return resource; return resource;
} }
private DavResource doGet( ManagedRepositoryContent managedRepository, DavServletRequest request,
ArchivaDavResourceLocator locator, LogicalResource logicalResource )
throws DavException
{
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
//MRM-893, dont send back a file when user intentionally wants a directory
if ( locator.getHref( false ).endsWith( "/" ) )
{
if ( ! resourceFile.isDirectory() )
{
//force a resource not found
return null;
}
}
String activePrincipal = getActivePrincipal( request );
ArchivaDavResource resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(), activePrincipal,
request.getDavSession(), locator, this, mimeTypes, auditListeners, consumers );
if ( !resource.isCollection() )
{
boolean previouslyExisted = resourceFile.exists();
// At this point the incoming request can either be in default or
// legacy layout format.
boolean fromProxy = fetchContentFromProxies( managedRepository, request, logicalResource );
try
{
// Perform an adjustment of the resource to the managed
// repository expected path.
String localResourcePath =
repositoryRequest.toNativePath( logicalResource.getPath(), managedRepository );
resourceFile = new File( managedRepository.getRepoRoot(), localResourcePath );
}
catch ( LayoutException e )
{
if ( previouslyExisted )
{
return resource;
}
throw new DavException( HttpServletResponse.SC_NOT_FOUND, e );
}
// Attempt to fetch the resource from any defined proxy.
if ( fromProxy )
{
String repositoryId = locator.getRepositoryId();
String event = ( previouslyExisted ? AuditEvent.MODIFY_FILE : AuditEvent.CREATE_FILE ) + PROXIED_SUFFIX;
triggerAuditEvent( request.getRemoteAddr(), repositoryId, logicalResource.getPath(), event,
activePrincipal );
}
if ( !resourceFile.exists() )
{
resource = null;
}
else
{
resource =
new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(),
activePrincipal, request.getDavSession(), locator, this, mimeTypes,
auditListeners, consumers );
}
}
return resource;
}
private DavResource doPut( ManagedRepositoryContent managedRepository, DavServletRequest request,
ArchivaDavResourceLocator locator, LogicalResource logicalResource )
throws DavException
{
/*
* Create parent directories that don't exist when writing a file This actually makes this implementation not
* compliant to the WebDAV RFC - but we have enough knowledge about how the collection is being used to do this
* reasonably and some versions of Maven's WebDAV don't correctly create the collections themselves.
*/
File rootDirectory = new File( managedRepository.getRepoRoot() );
File destDir = new File( rootDirectory, logicalResource.getPath() ).getParentFile();
String activePrincipal = getActivePrincipal( request );
if ( request.getMethod().equals(HTTP_PUT_METHOD) && !destDir.exists() )
{
destDir.mkdirs();
String relPath = PathUtil.getRelative( rootDirectory.getAbsolutePath(), destDir );
triggerAuditEvent( request.getRemoteAddr(), logicalResource.getPath(), relPath, AuditEvent.CREATE_DIR,
activePrincipal );
}
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
return new ArchivaDavResource( resourceFile.getAbsolutePath(), logicalResource.getPath(),
managedRepository.getRepository(), request.getRemoteAddr(), activePrincipal,
request.getDavSession(), locator, this, mimeTypes, auditListeners, consumers );
}
private boolean fetchContentFromProxies( ManagedRepositoryContent managedRepository, DavServletRequest request, private boolean fetchContentFromProxies( ManagedRepositoryContent managedRepository, DavServletRequest request,
LogicalResource resource ) LogicalResource resource )
throws DavException throws DavException
@ -519,7 +532,7 @@ public class ArchivaDavResourceFactory
// Is it a Metadata resource? // Is it a Metadata resource?
if ( repositoryRequest.isDefault( resource.getPath() ) && repositoryRequest.isMetadata( resource.getPath() ) ) if ( repositoryRequest.isDefault( resource.getPath() ) && repositoryRequest.isMetadata( resource.getPath() ) )
{ {
return connectors.fetchMetatadaFromProxies(managedRepository, resource.getPath()) != null; return connectors.fetchMetatadaFromProxies( managedRepository, resource.getPath() ) != null;
} }
// Not any of the above? Then it's gotta be an artifact reference. // Not any of the above? Then it's gotta be an artifact reference.
@ -596,7 +609,7 @@ public class ArchivaDavResourceFactory
} }
finally finally
{ {
if (reader != null) if ( reader != null )
{ {
reader.close(); reader.close();
} }
@ -676,44 +689,38 @@ public class ArchivaDavResourceFactory
response.addHeader( "Cache-Control", "no-cache" ); response.addHeader( "Cache-Control", "no-cache" );
} }
//We need to specify this so connecting wagons can work correctly // We need to specify this so connecting wagons can work correctly
response.addDateHeader("last-modified", resource.getModificationTime()); response.addDateHeader( "last-modified", resource.getModificationTime() );
// TODO: [MRM-524] determine http caching options for other types of files (artifacts, sha1, md5, snapshots) // TODO: [MRM-524] determine http caching options for other types of files (artifacts, sha1, md5, snapshots)
} }
private ManagedRepositoryContent getManagedRepository( String respositoryId ) private ArchivaDavResourceLocator checkLocatorIsInstanceOfRepositoryLocator( DavResourceLocator locator )
throws DavException throws DavException
{ {
if ( respositoryId != null ) if ( !( locator instanceof ArchivaDavResourceLocator ) )
{
try
{
return repositoryFactory.getManagedRepositoryContent( respositoryId );
}
catch ( RepositoryNotFoundException e )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, e );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, e );
}
}
return null;
}
private void checkLocatorIsInstanceOfRepositoryLocator( DavResourceLocator locator )
throws DavException
{
if ( !( locator instanceof RepositoryLocator ) )
{ {
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR, throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Locator does not implement RepositoryLocator" ); "Locator does not implement RepositoryLocator" );
} }
// Hidden paths
if ( locator.getResourcePath().startsWith( ArchivaDavResource.HIDDEN_PATH_PREFIX ) )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND );
}
ArchivaDavResourceLocator archivaLocator = (ArchivaDavResourceLocator) locator;
// MRM-419 - Windows Webdav support. Should not 404 if there is no content.
if ( StringUtils.isEmpty( archivaLocator.getRepositoryId() ) )
{
throw new DavException( HttpServletResponse.SC_NO_CONTENT );
}
return archivaLocator;
} }
class LogicalResource private static class LogicalResource
{ {
private String path; private String path;
@ -741,20 +748,20 @@ public class ArchivaDavResourceFactory
AuthenticationResult result = httpAuth.getAuthenticationResult( request, null ); AuthenticationResult result = httpAuth.getAuthenticationResult( request, null );
SecuritySession securitySession = httpAuth.getSecuritySession( request.getSession( true ) ); SecuritySession securitySession = httpAuth.getSecuritySession( request.getSession( true ) );
return servletAuth.isAuthenticated( request, result ) && return servletAuth.isAuthenticated( request, result )
servletAuth.isAuthorized( request, securitySession, repositoryId, && servletAuth.isAuthorized( request, securitySession, repositoryId,
WebdavMethodUtil.isWriteMethod( request.getMethod() ) ); WebdavMethodUtil.getMethodPermission( request.getMethod() ) );
} }
catch ( AuthenticationException e ) catch ( AuthenticationException e )
{ {
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
// safety check for MRM-911 // safety check for MRM-911
String guest = UserManager.GUEST_USERNAME; String guest = UserManager.GUEST_USERNAME;
try try
{ {
if( servletAuth.isAuthorized( guest, if ( servletAuth.isAuthorized(
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) ) guest,
( (ArchivaDavResourceLocator) request.getRequestLocator() ).getRepositoryId(),
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{ {
return true; return true;
} }
@ -762,7 +769,7 @@ public class ArchivaDavResourceFactory
catch ( UnauthorizedException ae ) catch ( UnauthorizedException ae )
{ {
throw new UnauthorizedDavException( repositoryId, throw new UnauthorizedDavException( repositoryId,
"You are not authenticated and authorized to access any repository." ); "You are not authenticated and authorized to access any repository." );
} }
throw new UnauthorizedDavException( repositoryId, "You are not authenticated" ); throw new UnauthorizedDavException( repositoryId, "You are not authenticated" );
@ -786,7 +793,8 @@ public class ArchivaDavResourceFactory
} }
} }
private DavResource getResource( DavServletRequest request, List<String> repositories, ArchivaDavResourceLocator locator ) private DavResource getResource( DavServletRequest request, List<String> repositories,
ArchivaDavResourceLocator locator )
throws DavException throws DavException
{ {
List<File> mergedRepositoryContents = new ArrayList<File>(); List<File> mergedRepositoryContents = new ArrayList<File>();
@ -802,40 +810,64 @@ public class ArchivaDavResourceFactory
boolean allow = isAllowedToContinue( request, repositories, activePrincipal ); boolean allow = isAllowedToContinue( request, repositories, activePrincipal );
if( allow ) if ( allow )
{ {
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); for ( String repository : repositories )
for( String repository : repositories )
{ {
// for prompted authentication ManagedRepositoryContent managedRepository = null;
if( httpAuth.getSecuritySession( request.getSession( true ) ) != null )
try
{ {
try managedRepository = repositoryFactory.getManagedRepositoryContent( repository );
{
if( isAuthorized( request, repository ) )
{
getResource( locator, mergedRepositoryContents, logicalResource, repository );
}
}
catch ( DavException e )
{
continue;
}
} }
else catch ( RepositoryNotFoundException e )
{ {
// for the current user logged in throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
try "Invalid managed repository <" + repository + ">: " + e.getMessage() );
}
catch ( RepositoryException e )
{
throw new DavException( HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
"Invalid managed repository <" + repository + ">: " + e.getMessage() );
}
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
if ( resourceFile.exists() )
{
// for prompted authentication
if ( httpAuth.getSecuritySession( request.getSession( true ) ) != null )
{ {
if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) ) try
{ {
getResource( locator, mergedRepositoryContents, logicalResource, repository ); if ( isAuthorized( request, repository ) )
{
mergedRepositoryContents.add( resourceFile );
}
}
catch ( DavException e )
{
// TODO: review exception handling
log.debug( "Skipping repository '" + managedRepository + "' for user '" + activePrincipal
+ "': " + e.getMessage() );
} }
} }
catch ( UnauthorizedException e ) else
{ {
continue; // for the current user logged in
try
{
if ( servletAuth.isAuthorized( activePrincipal, repository,
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{
mergedRepositoryContents.add( resourceFile );
}
}
catch ( UnauthorizedException e )
{
// TODO: review exception handling
log.debug( "Skipping repository '" + managedRepository + "' for user '" + activePrincipal
+ "': " + e.getMessage() );
}
} }
} }
} }
@ -846,10 +878,11 @@ public class ArchivaDavResourceFactory
} }
ArchivaVirtualDavResource resource = ArchivaVirtualDavResource resource =
new ArchivaVirtualDavResource( mergedRepositoryContents, logicalResource.getPath(), mimeTypes, locator, this ); new ArchivaVirtualDavResource( mergedRepositoryContents, logicalResource.getPath(), mimeTypes, locator,
this );
// compatibility with MRM-440 to ensure browsing the repository group works ok // compatibility with MRM-440 to ensure browsing the repository group works ok
if ( resource.isCollection() && !request.getRequestURI().endsWith("/" ) ) if ( resource.isCollection() && !request.getRequestURI().endsWith( "/" ) )
{ {
throw new BrowserRedirectException( resource.getHref() ); throw new BrowserRedirectException( resource.getHref() );
} }
@ -863,35 +896,6 @@ public class ArchivaDavResourceFactory
return sessionUser != null ? sessionUser.getUsername() : UserManager.GUEST_USERNAME; return sessionUser != null ? sessionUser.getUsername() : UserManager.GUEST_USERNAME;
} }
private void getResource( ArchivaDavResourceLocator locator, List<File> mergedRepositoryContents,
LogicalResource logicalResource, String repository )
throws DavException
{
ManagedRepositoryContent managedRepository = null;
try
{
managedRepository = getManagedRepository( repository );
}
catch ( DavException de )
{
throw new DavException( HttpServletResponse.SC_NOT_FOUND, "Invalid managed repository <" +
repository + ">" );
}
if ( !locator.getResourcePath().startsWith( ArchivaVirtualDavResource.HIDDEN_PATH_PREFIX ) )
{
if( managedRepository != null )
{
File resourceFile = new File( managedRepository.getRepoRoot(), logicalResource.getPath() );
if( resourceFile.exists() )
{
mergedRepositoryContents.add( resourceFile );
}
}
}
}
/** /**
* Check if the current user is authorized to access any of the repos * Check if the current user is authorized to access any of the repos
* *
@ -904,21 +908,20 @@ public class ArchivaDavResourceFactory
{ {
boolean allow = false; boolean allow = false;
// if securitySession != null, it means that the user was prompted for authentication // if securitySession != null, it means that the user was prompted for authentication
if( httpAuth.getSecuritySession( request.getSession() ) != null ) if ( httpAuth.getSecuritySession( request.getSession() ) != null )
{ {
for( String repository : repositories ) for ( String repository : repositories )
{ {
try try
{ {
if( isAuthorized( request, repository ) ) if ( isAuthorized( request, repository ) )
{ {
allow = true; allow = true;
break; break;
} }
} }
catch( DavException e ) catch ( DavException e )
{ {
continue; continue;
} }
@ -926,12 +929,12 @@ public class ArchivaDavResourceFactory
} }
else else
{ {
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() ); for ( String repository : repositories )
for( String repository : repositories )
{ {
try try
{ {
if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) ) if ( servletAuth.isAuthorized( activePrincipal, repository,
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{ {
allow = true; allow = true;
break; break;
@ -951,7 +954,7 @@ public class ArchivaDavResourceFactory
throws RepositoryMetadataException, DigesterException, IOException throws RepositoryMetadataException, DigesterException, IOException
{ {
File outputFile = new File( outputFilename ); File outputFile = new File( outputFilename );
if( outputFile.exists() ) if ( outputFile.exists() )
{ {
FileUtils.deleteQuietly( outputFile ); FileUtils.deleteQuietly( outputFile );
} }
@ -982,15 +985,15 @@ public class ArchivaDavResourceFactory
private boolean isProjectReference( String requestedResource ) private boolean isProjectReference( String requestedResource )
{ {
try try
{ {
metadataTools.toVersionedReference( requestedResource ); metadataTools.toVersionedReference( requestedResource );
return false; return false;
} }
catch ( RepositoryMetadataException re ) catch ( RepositoryMetadataException re )
{ {
return true; return true;
} }
} }
public void setServletAuth( ServletAuthenticator servletAuth ) public void setServletAuth( ServletAuthenticator servletAuth )

9
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
View File

@ -66,16 +66,15 @@ public class ArchivaDavSessionProvider
} }
catch ( AuthenticationException e ) catch ( AuthenticationException e )
{ {
boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
// safety check for MRM-911 // safety check for MRM-911
String guest = UserManager.GUEST_USERNAME; String guest = UserManager.GUEST_USERNAME;
try try
{ {
if( servletAuth.isAuthorized( guest, if ( servletAuth.isAuthorized( guest,
( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(), isPut ) ) ( (ArchivaDavResourceLocator) request.getRequestLocator() ).getRepositoryId(),
WebdavMethodUtil.getMethodPermission( request.getMethod() ) ) )
{ {
request.setDavSession(new ArchivaDavSession()); request.setDavSession( new ArchivaDavSession() );
return true; return true;
} }
} }

2
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaVirtualDavResource.java
View File

@ -59,8 +59,6 @@ import org.joda.time.format.ISODateTimeFormat;
public class ArchivaVirtualDavResource public class ArchivaVirtualDavResource
implements DavResource implements DavResource
{ {
public static final String HIDDEN_PATH_PREFIX = ".";
private static final String COMPLIANCE_CLASS = "1"; private static final String COMPLIANCE_CLASS = "1";
private ArchivaDavResourceLocator locator; private ArchivaDavResourceLocator locator;

37
archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/util/WebdavMethodUtil.java
View File

@ -20,9 +20,11 @@ package org.apache.maven.archiva.webdav.util;
*/ */
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Locale;
/** /**
* WebdavMethodUtil * WebdavMethodUtil
@ -43,23 +45,32 @@ public class WebdavMethodUtil
READ_METHODS.add( "REPORT" ); READ_METHODS.add( "REPORT" );
} }
public static String getMethodPermission( String method )
{
if ( StringUtils.isBlank( method ) )
{
throw new IllegalArgumentException( "WebDAV method is empty" );
}
if ( READ_METHODS.contains( method.toUpperCase( Locale.US ) ) )
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
}
else if ( "DELETE".equals( method.toUpperCase( Locale.US ) ) )
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE;
}
else
{
return ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
}
}
public static boolean isReadMethod( String method ) public static boolean isReadMethod( String method )
{ {
if ( StringUtils.isBlank( method ) ) if ( StringUtils.isBlank( method ) )
{ {
return false; throw new IllegalArgumentException( "WebDAV method is empty" );
} }
return READ_METHODS.contains( method.toUpperCase( Locale.US ) );
return READ_METHODS.contains( method.toUpperCase() );
}
public static boolean isWriteMethod( String method )
{
if ( StringUtils.isBlank( method ) )
{
return false;
}
return !READ_METHODS.contains( method.toUpperCase() );
} }
} }

7
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/AbstractRepositoryServletTestCase.java
View File

@ -97,6 +97,13 @@ public abstract class AbstractRepositoryServletTestCase
.getResponseCode() ); .getResponseCode() );
} }
protected void assertResponseInternalServerError( WebResponse response )
{
assertNotNull( "Should have recieved a response", response );
Assert.assertEquals( "Should have been an 500/Internal Server Error response code.", HttpServletResponse.SC_INTERNAL_SERVER_ERROR, response
.getResponseCode() );
}
protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location ) protected ManagedRepositoryConfiguration createManagedRepository( String id, String name, File location )
{ {
ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration(); ManagedRepositoryConfiguration repo = new ManagedRepositoryConfiguration();

5
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
View File

@ -360,13 +360,14 @@ public class ArchivaDavSessionProviderTest extends TestCase
return true; return true;
} }
public boolean isAuthorized(HttpServletRequest arg0, SecuritySession arg1, String arg2, boolean arg3) public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession, String repositoryId,
String permission )
throws AuthorizationException, UnauthorizedException throws AuthorizationException, UnauthorizedException
{ {
return true; return true;
} }
public boolean isAuthorized(String arg0, String arg1, boolean isWriteRequest) public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException throws UnauthorizedException
{ {
return true; return true;

2
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/MockServletAuthenticator.java
View File

@ -26,7 +26,7 @@ public class MockServletAuthenticator
extends ArchivaServletAuthenticator extends ArchivaServletAuthenticator
{ {
@Override @Override
public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest ) public boolean isAuthorized( String principal, String repoId, String permission )
throws UnauthorizedException throws UnauthorizedException
{ {
return true; return true;

2
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletRepositoryGroupTest.java
View File

@ -193,7 +193,7 @@ public class RepositoryServletRepositoryGroupTest
WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/" + REPO_GROUP_WITH_INVALID_REPOS + "/" + resourceName ); WebRequest request = new GetMethodWebRequest( "http://machine.com/repository/" + REPO_GROUP_WITH_INVALID_REPOS + "/" + resourceName );
WebResponse response = sc.getResponse( request ); WebResponse response = sc.getResponse( request );
assertResponseNotFound( response ); assertResponseInternalServerError( response );
} }
/* /*

64
archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java
View File

@ -32,6 +32,7 @@ import org.apache.jackrabbit.webdav.DavSessionProvider;
import org.apache.maven.archiva.configuration.ArchivaConfiguration; import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.Configuration; import org.apache.maven.archiva.configuration.Configuration;
import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
import org.apache.maven.archiva.security.ArchivaRoleConstants;
import org.apache.maven.archiva.security.ArchivaXworkUser; import org.apache.maven.archiva.security.ArchivaXworkUser;
import org.apache.maven.archiva.security.ServletAuthenticator; import org.apache.maven.archiva.security.ServletAuthenticator;
import org.codehaus.plexus.redback.authentication.AuthenticationException; import org.codehaus.plexus.redback.authentication.AuthenticationException;
@ -56,9 +57,7 @@ import com.meterware.servletunit.ServletRunner;
import com.meterware.servletunit.ServletUnitClient; import com.meterware.servletunit.ServletUnitClient;
/** /**
* RepositoryServletSecurityTest * RepositoryServletSecurityTest Test the flow of the authentication and authorization checks. This does not necessarily
*
* Test the flow of the authentication and authorization checks. This does not necessarily
* perform redback security checking. * perform redback security checking.
* *
* @version $Id$ * @version $Id$
@ -182,7 +181,7 @@ public class RepositoryServletSecurityTest
if ( repoRootInternal.exists() ) if ( repoRootInternal.exists() )
{ {
FileUtils.deleteDirectory(repoRootInternal); FileUtils.deleteDirectory( repoRootInternal );
} }
servlet = null; servlet = null;
@ -209,9 +208,9 @@ public class RepositoryServletSecurityTest
AuthenticationResult result = new AuthenticationResult(); AuthenticationResult result = new AuthenticationResult();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", true ); servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) ); servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write access to repository" ) );
@ -223,7 +222,7 @@ public class RepositoryServletSecurityTest
httpAuthControl.verify(); httpAuthControl.verify();
servletAuthControl.verify(); servletAuthControl.verify();
//assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode()); // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
} }
// test deploy with invalid user, but guest has write access to repo // test deploy with invalid user, but guest has write access to repo
@ -253,21 +252,21 @@ public class RepositoryServletSecurityTest
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
servletAuth.isAuthorized( "guest", "internal", true ); servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setReturnValue( true ); servletAuthControl.setReturnValue( true );
// ArchivaDavResourceFactory#isAuthorized() // ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, result ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null ); httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
// check if guest has write access // check if guest has write access
servletAuth.isAuthorized( "guest", "internal", true ); servletAuth.isAuthorized( "guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER ); servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
servletAuthControl.setReturnValue( true ); servletAuthControl.setReturnValue( true );
@ -307,12 +306,15 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized() // ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ), servletAuthControl.expectAndThrow(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
new UnauthorizedException( "User not authorized" ) ); new UnauthorizedException( "User not authorized" ) );
httpAuthControl.replay(); httpAuthControl.replay();
@ -359,7 +361,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() ); httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay(); httpAuthControl.replay();
servletAuthControl.replay(); servletAuthControl.replay();
@ -399,15 +404,21 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), true ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( "guest", "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
true );
// ArchivaDavResourceFactory#isAuthorized() // ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null ); httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), null );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay(); httpAuthControl.replay();
servletAuthControl.replay(); servletAuthControl.replay();
@ -442,7 +453,10 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ), servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
new AuthenticationException( "Authentication error" ) ); new AuthenticationException( "Authentication error" ) );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal", false ), false ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( "guest", "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ),
false );
httpAuthControl.replay(); httpAuthControl.replay();
servletAuthControl.replay(); servletAuthControl.replay();
@ -482,13 +496,16 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized() // ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() ); httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal", true ), true ); servletAuthControl.expectAndReturn(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
true );
httpAuthControl.replay(); httpAuthControl.replay();
servletAuthControl.replay(); servletAuthControl.replay();
@ -529,12 +546,15 @@ public class RepositoryServletSecurityTest
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true );
// ArchivaDavResourceFactory#isAuthorized() // ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession(); SecuritySession session = new DefaultSecuritySession();
httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result ); httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ), result );
httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session ); httpAuthControl.expectAndReturn( httpAuth.getSecuritySession( ic.getRequest().getSession( true ) ), session );
httpAuthControl.expectAndReturn( httpAuth.getSessionUser( ic.getRequest().getSession() ), new SimpleUser() );
servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true ); servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ), true );
servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal", true ), servletAuthControl.expectAndThrow(
servletAuth.isAuthorized( null, session, "internal",
ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ),
new UnauthorizedException( "User not authorized to read repository." ) ); new UnauthorizedException( "User not authorized to read repository." ) );
httpAuthControl.replay(); httpAuthControl.replay();