Examples with AuthenticationResult org.apache.archiva.redback.authentication.AuthenticationResult used on opensource projects

Example 16 with AuthenticationResult

use of org.apache.archiva.redback.authentication.AuthenticationResult in project archiva by apache.

the class ArchivaServletAuthenticatorTest method testIsAuthenticatedUserDoesNotExist.

@Test
public void testIsAuthenticatedUserDoesNotExist() throws Exception {
    AuthenticationResult result = new AuthenticationResult(false, "non-existing-user", null);
    try {
        servletAuth.isAuthenticated(request, result);
        fail("Authentication exception should have been thrown.");
    } catch (AuthenticationException e) {
        assertEquals("User Credentials Invalid", e.getMessage());
    }
}

Example 17 with AuthenticationResult

use of org.apache.archiva.redback.authentication.AuthenticationResult in project archiva by apache.

the class RssFeedServlet method isAllowed.

/**
 * Basic authentication.
 *
 * @param req
 * @param repositoryId TODO
 * @param groupId      TODO
 * @param artifactId   TODO
 * @return
 */
private boolean isAllowed(HttpServletRequest req, String repositoryId, String groupId, String artifactId) throws UserNotFoundException, AccountLockedException, AuthenticationException, MustChangePasswordException, UnauthorizedException {
    String auth = req.getHeader("Authorization");
    List<String> repoIds = new ArrayList<>();
    if (repositoryId != null) {
        repoIds.add(repositoryId);
    } else if (artifactId != null && groupId != null) {
        if (auth != null) {
            if (!auth.toUpperCase().startsWith("BASIC ")) {
                return false;
            }
            Decoder dec = new Base64();
            String usernamePassword = "";
            try {
                usernamePassword = new String((byte[]) dec.decode(auth.substring(6).getBytes()));
            } catch (DecoderException ie) {
                log.warn("Error decoding username and password: {}", ie.getMessage());
            }
            if (usernamePassword == null || usernamePassword.trim().equals("")) {
                repoIds = getObservableRepos(UserManager.GUEST_USERNAME);
            } else {
                String[] userCredentials = usernamePassword.split(":");
                repoIds = getObservableRepos(userCredentials[0]);
            }
        } else {
            repoIds = getObservableRepos(UserManager.GUEST_USERNAME);
        }
    } else {
        return false;
    }
    for (String repoId : repoIds) {
        try {
            AuthenticationResult result = httpAuth.getAuthenticationResult(req, null);
            SecuritySession securitySession = httpAuth.getSecuritySession(req.getSession(true));
            if (// 
            servletAuth.isAuthenticated(req, result) && // 
            servletAuth.isAuthorized(// 
            req, // 
            securitySession, // 
            repoId, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS)) {
                return true;
            }
        } catch (AuthorizationException e) {
            log.debug("AuthorizationException for repoId: {}", repoId);
        } catch (UnauthorizedException e) {
            log.debug("UnauthorizedException for repoId: {}", repoId);
        }
    }
    throw new UnauthorizedException("Access denied.");
}

Example 18 with AuthenticationResult

use of org.apache.archiva.redback.authentication.AuthenticationResult in project archiva by apache.

the class DefaultUserRepositories method createSession.

private SecuritySession createSession(String principal) throws ArchivaSecurityException, AccessDeniedException {
    User user;
    try {
        user = securitySystem.getUserManager().findUser(principal);
        if (user == null) {
            throw new ArchivaSecurityException("The security system had an internal error - please check your system logs");
        }
    } catch (UserNotFoundException e) {
        throw new PrincipalNotFoundException("Unable to find principal " + principal + "", e);
    } catch (UserManagerException e) {
        throw new ArchivaSecurityException(e.getMessage(), e);
    }
    if (user.isLocked()) {
        throw new AccessDeniedException("User " + principal + "(" + user.getFullName() + ") is locked.");
    }
    AuthenticationResult authn = new AuthenticationResult(true, principal, null);
    authn.setUser(user);
    return new DefaultSecuritySession(authn, user);
}

Example 19 with AuthenticationResult

use of org.apache.archiva.redback.authentication.AuthenticationResult in project archiva by apache.

the class ArchivaServletAuthenticatorTest method testIsAuthorizedUserHasWriteAccess.

@Test
public void testIsAuthorizedUserHasWriteAccess() throws Exception {
    createUser(USER_ALPACA, "Al 'Archiva' Paca");
    assignRepositoryManagerRole(USER_ALPACA, "corporate");
    UserManager userManager = securitySystem.getUserManager();
    User user = userManager.findUser(USER_ALPACA);
    AuthenticationResult result = new AuthenticationResult(true, USER_ALPACA, null);
    SecuritySession session = new DefaultSecuritySession(result, user);
    boolean isAuthorized = servletAuth.isAuthorized(request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD);
    assertTrue(isAuthorized);
    restoreGuestInitialValues(USER_ALPACA);
}

Example 20 with AuthenticationResult

use of org.apache.archiva.redback.authentication.AuthenticationResult in project archiva by apache.

the class RepositoryServletSecurityTest method testPutWithValidUserWithNoWriteAccess.

// test deploy with a valid user with no write access
@Test
public void testPutWithValidUserWithNoWriteAccess() throws Exception {
    servlet.setDavSessionProvider(davSessionProvider);
    ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
    archivaDavResourceFactory.setHttpAuth(httpAuth);
    archivaDavResourceFactory.setServletAuth(servletAuth);
    servlet.setResourceFactory(archivaDavResourceFactory);
    AuthenticationResult result = new AuthenticationResult();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);
    // ArchivaDavResourceFactory#isAuthorized()
    SecuritySession session = new DefaultSecuritySession();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
    MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
    EasyMock.expect(httpAuth.getSecuritySession(mockHttpServletRequest.getSession(true))).andReturn(session);
    EasyMock.expect(httpAuth.getSessionUser(mockHttpServletRequest.getSession())).andReturn(new SimpleUser());
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andReturn(true);
    EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(session), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD))).andThrow(new UnauthorizedException("User not authorized"));
    httpAuthControl.replay();
    servletAuthControl.replay();
    InputStream is = getClass().getResourceAsStream("/artifact.jar");
    assertNotNull("artifact.jar inputstream", is);
    mockHttpServletRequest.addHeader("User-Agent", "foo");
    mockHttpServletRequest.setMethod("PUT");
    mockHttpServletRequest.setRequestURI("/repository/internal/path/to/artifact.jar");
    mockHttpServletRequest.setContent(IOUtils.toByteArray(is));
    mockHttpServletRequest.setContentType("application/octet-stream");
    MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
    servlet.service(mockHttpServletRequest, mockHttpServletResponse);
    httpAuthControl.verify();
    servletAuthControl.verify();
    assertEquals(HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus());
}