
Example 1 with UnauthorizedException

Use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.

From class RepositoryServletSecurityTest, method testGetWithAValidUserWithNoReadAccess.

// test get with valid user with no read access to repo
@Test
public void testGetWithAValidUserWithNoReadAccess() throws Exception {
    String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
    String expectedArtifactContents = "dummy-commons-lang-artifact";
    Path artifactFile = repoRootInternal.getRoot().resolve(commonsLangJar);
    Files.createDirectories(artifactFile.getParent());
    org.apache.archiva.common.utils.FileUtils.writeStringToFile(artifactFile, Charset.defaultCharset(), expectedArtifactContents);
    servlet.setDavSessionProvider(davSessionProvider);
    ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
    archivaDavResourceFactory.setHttpAuth(httpAuth);
    archivaDavResourceFactory.setServletAuth(servletAuth);
    servlet.setResourceFactory(archivaDavResourceFactory);
    AuthenticationResult result = new AuthenticationResult();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);
    // ArchivaDavResourceFactory#isAuthorized()
    SecuritySession session = new DefaultSecuritySession();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
    EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(session);
    EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(new SimpleUser());
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andReturn(true);
    EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(session), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS))).andThrow(new UnauthorizedException("User not authorized to read repository."));
    httpAuthControl.replay();
    servletAuthControl.replay();
    MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
    mockHttpServletRequest.addHeader("User-Agent", "foo");
    mockHttpServletRequest.setMethod("GET");
    mockHttpServletRequest.setRequestURI("/repository/internal/" + commonsLangJar);
    MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
    servlet.service(mockHttpServletRequest, mockHttpServletResponse);
    httpAuthControl.verify();
    servletAuthControl.verify();
    // A permission denial for an authenticated user surfaces as 401, not 403 Forbidden
    assertEquals(HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus());
}
Also used : Path(java.nio.file.Path) SimpleUser(org.apache.archiva.redback.users.memory.SimpleUser) SecuritySession(org.apache.archiva.redback.system.SecuritySession) DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession) HttpSession(javax.servlet.http.HttpSession) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) HttpServletResponse(javax.servlet.http.HttpServletResponse) AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) HttpServletRequest(javax.servlet.http.HttpServletRequest) UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException) DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Test(org.junit.Test)

Example 2 with UnauthorizedException

Use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.

From class ArchivaServletAuthenticatorTest, method testIsAuthorizedUserHasNoWriteAccess.

@Test
public void testIsAuthorizedUserHasNoWriteAccess() throws Exception {
    createUser(USER_ALPACA, "Al 'Archiva' Paca");
    assignRepositoryObserverRole(USER_ALPACA, "corporate");
    // httpServletRequestControl.expectAndReturn( request.getRemoteAddr(), "192.168.111.111" );
    EasyMock.expect(request.getRemoteAddr()).andReturn("192.168.111.111");
    UserManager userManager = securitySystem.getUserManager();
    User user = userManager.findUser(USER_ALPACA);
    AuthenticationResult result = new AuthenticationResult(true, USER_ALPACA, null);
    SecuritySession session = new DefaultSecuritySession(result, user);
    httpServletRequestControl.replay();
    try {
        servletAuth.isAuthorized(request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD);
        fail("UnauthorizedException should have been thrown.");
    } catch (UnauthorizedException e) {
        assertEquals("Access denied for repository corporate", e.getMessage());
    }
    httpServletRequestControl.verify();
    restoreGuestInitialValues(USER_ALPACA);
}
Also used : User(org.apache.archiva.redback.users.User) UserManager(org.apache.archiva.redback.users.UserManager) SecuritySession(org.apache.archiva.redback.system.SecuritySession) DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession) UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException) DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession) AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult) Test(org.junit.Test)

Example 3 with UnauthorizedException

Use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.

From class ArchivaServletAuthenticatorTest, method testIsAuthorizedUserHasNoReadAccess.

@Test
public void testIsAuthorizedUserHasNoReadAccess() throws Exception {
    createUser(USER_ALPACA, "Al 'Archiva' Paca");
    UserManager userManager = securitySystem.getUserManager();
    User user = userManager.findUser(USER_ALPACA);
    AuthenticationResult result = new AuthenticationResult(true, USER_ALPACA, null);
    SecuritySession session = new DefaultSecuritySession(result, user);
    try {
        servletAuth.isAuthorized(request, session, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS);
        fail("UnauthorizedException should have been thrown.");
    } catch (UnauthorizedException e) {
        assertEquals("Access denied for repository corporate", e.getMessage());
    }
    restoreGuestInitialValues(USER_ALPACA);
}
Also used : User(org.apache.archiva.redback.users.User) UserManager(org.apache.archiva.redback.users.UserManager) SecuritySession(org.apache.archiva.redback.system.SecuritySession) DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession) UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException) DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession) AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult) Test(org.junit.Test)

Example 4 with UnauthorizedException

Use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.

From class ArchivaServletAuthenticator, method isAuthorized.

@Override
public boolean isAuthorized(String principal, String repoId, String permission) throws UnauthorizedException {
    try {
        User user = securitySystem.getUserManager().findUser(principal);
        if (user == null) {
            // A lookup that returns nothing is treated as a denial, not as an anonymous user
            throw new UnauthorizedException("The security system had an internal error - please check your system logs");
        }
        if (user.isLocked()) {
            throw new UnauthorizedException("User account is locked.");
        }
        // Build a session for an already-authenticated principal and ask the
        // security system whether it holds 'permission' on 'repoId'
        AuthenticationResult authn = new AuthenticationResult(true, principal, null);
        SecuritySession securitySession = new DefaultSecuritySession(authn, user);
        return securitySystem.isAuthorized(securitySession, permission, repoId);
    } catch (UserNotFoundException e) {
        // Fail closed: every error from the user store or the authorizer becomes a denial
        throw new UnauthorizedException(e.getMessage(), e);
    } catch (AuthorizationException e) {
        throw new UnauthorizedException(e.getMessage(), e);
    } catch (UserManagerException e) {
        throw new UnauthorizedException(e.getMessage(), e);
    }
}
Also used : UserNotFoundException(org.apache.archiva.redback.users.UserNotFoundException) User(org.apache.archiva.redback.users.User) AuthorizationException(org.apache.archiva.redback.authorization.AuthorizationException) UserManagerException(org.apache.archiva.redback.users.UserManagerException) SecuritySession(org.apache.archiva.redback.system.SecuritySession) DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession) UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException) DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession) AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)

Example 5 with UnauthorizedException

Use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.

From class ArchivaDavResourceFactory, method isAuthorized.

protected boolean isAuthorized(DavServletRequest request, String repositoryId) throws DavException {
    try {
        AuthenticationResult result = httpAuth.getAuthenticationResult(request, null);
        SecuritySession securitySession = httpAuth.getSecuritySession(request.getSession(true));
        // Authentication first, then a permission check scoped to this repository and to
        // the permission implied by the HTTP/WebDAV method of the request
        return servletAuth.isAuthenticated(request, result)
            && servletAuth.isAuthorized(request, securitySession, repositoryId,
                                        WebdavMethodUtil.getMethodPermission(request.getMethod()));
    } catch (AuthenticationException e) {
        // safety check for MRM-911: an unauthenticated request is still allowed through
        // if the guest account itself holds the required permission on the repository
        String guest = UserManager.GUEST_USERNAME;
        try {
            if (servletAuth.isAuthorized(guest, ((ArchivaDavResourceLocator) request.getRequestLocator()).getRepositoryId(), WebdavMethodUtil.getMethodPermission(request.getMethod()))) {
                return true;
            }
        } catch (UnauthorizedException ae) {
            throw new UnauthorizedDavException(repositoryId, "You are not authenticated and authorized to access any repository.");
        }
        throw new UnauthorizedDavException(repositoryId, "You are not authenticated");
    } catch (MustChangePasswordException e) {
        throw new UnauthorizedDavException(repositoryId, "You must change your password.");
    } catch (AccountLockedException e) {
        throw new UnauthorizedDavException(repositoryId, "User account is locked.");
    } catch (AuthorizationException e) {
        // An error inside the authorizer is a server fault, not a denial
        throw new DavException(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Fatal Authorization Subsystem Error.");
    } catch (UnauthorizedException e) {
        throw new UnauthorizedDavException(repositoryId, e.getMessage());
    }
}
Also used : MustChangePasswordException(org.apache.archiva.redback.policy.MustChangePasswordException) AccountLockedException(org.apache.archiva.redback.policy.AccountLockedException) AuthenticationException(org.apache.archiva.redback.authentication.AuthenticationException) AuthorizationException(org.apache.archiva.redback.authorization.AuthorizationException) DavException(org.apache.jackrabbit.webdav.DavException) SecuritySession(org.apache.archiva.redback.system.SecuritySession) UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException) AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)
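The two methods in Examples 4 and 5 together form a fail-closed check: an unknown or locked principal, a store error, or a missing grant all end in UnauthorizedException, and a request with no credentials is only let through when the guest account itself holds the permission on that repository (the MRM-911 path). The following stand-alone program is an added example, not Archiva code; it models that control flow with an in-memory user store so the outcomes can be seen side by side. The class FailClosedAuthzDemo, the constants GUEST, READ and UPLOAD, and the method-to-permission mapping in methodPermission are assumptions standing in for UserManager.GUEST_USERNAME, ArchivaRoleConstants and WebdavMethodUtil.getMethodPermission; the 500 path for AuthorizationException is not modelled.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added example, not Archiva code: a model of the fail-closed authorization flow
// shown in Examples 4 and 5. Class, constant and method names are hypothetical.
public class FailClosedAuthzDemo {

    static class AuthenticationException extends Exception { }
    static class UnauthorizedException extends Exception {
        UnauthorizedException(String msg) { super(msg); }
    }

    static final class User {
        final boolean locked;
        final Set<String> grants; // entries of the form "<repoId>:<permission>"
        User(boolean locked, String... grants) {
            this.locked = locked;
            this.grants = new HashSet<>(Arrays.asList(grants));
        }
    }

    // Assumed values; Archiva's real ones live in UserManager and ArchivaRoleConstants
    static final String GUEST = "guest";
    static final String READ = "repository-access";
    static final String UPLOAD = "repository-upload";

    private final Map<String, User> users = new HashMap<>();

    void addUser(String name, User u) { users.put(name, u); }

    // Stand-in for WebdavMethodUtil.getMethodPermission (assumed mapping): read-only
    // methods need READ, anything that would change the repository needs UPLOAD
    static String methodPermission(String method) {
        switch (method.toUpperCase()) {
            case "GET": case "HEAD": case "OPTIONS": case "PROPFIND":
                return READ;
            default:
                return UPLOAD;
        }
    }

    // Mirrors Example 4: an unknown or locked principal and a missing grant are all
    // raised as UnauthorizedException, so no error path can read as "allowed"
    boolean isAuthorized(String principal, String repoId, String permission) throws UnauthorizedException {
        User user = users.get(principal);
        if (user == null) throw new UnauthorizedException("Unknown principal " + principal);
        if (user.locked) throw new UnauthorizedException("User account is locked.");
        if (!user.grants.contains(repoId + ":" + permission))
            throw new UnauthorizedException("Access denied for repository " + repoId);
        return true;
    }

    // Mirrors Example 5. A null principal stands for a request without credentials,
    // which the factory sees as AuthenticationException and answers with the MRM-911
    // guest check: anonymous access succeeds only if the guest account holds the
    // permission the HTTP method needs on that repository
    String decide(String principal, String repoId, String httpMethod) {
        String permission = methodPermission(httpMethod);
        try {
            if (principal == null) throw new AuthenticationException();
            isAuthorized(principal, repoId, permission);
            return "allow " + principal;
        } catch (AuthenticationException e) {
            try {
                isAuthorized(GUEST, repoId, permission);
                return "allow guest";
            } catch (UnauthorizedException ae) {
                return "401 You are not authenticated and authorized to access any repository.";
            }
        } catch (UnauthorizedException e) {
            return "401 " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        FailClosedAuthzDemo authz = new FailClosedAuthzDemo();
        // Constructed fixture: an observer on "corporate", a guest account that may only
        // read "internal", and a locked account that holds every grant on "corporate"
        authz.addUser("alpaca", new User(false, "corporate:" + READ));
        authz.addUser(GUEST, new User(false, "internal:" + READ));
        authz.addUser("mallory", new User(true, "corporate:" + READ, "corporate:" + UPLOAD));

        String[][] cases = {
            {"alpaca",  "corporate", "GET"},  // read by a user holding the grant
            {"alpaca",  "corporate", "PUT"},  // write by a read-only user
            {null,      "internal",  "GET"},  // anonymous read where guest may read
            {null,      "internal",  "PUT"},  // anonymous write, guest has no upload grant
            {null,      "corporate", "GET"},  // anonymous read where guest has nothing
            {"mallory", "corporate", "GET"},  // locked account with every grant
            {"nobody",  "corporate", "GET"},  // principal missing from the store
        };
        for (String[] c : cases) {
            String who = c[0] == null ? "<anon>" : c[0];
            System.out.printf("%-8s %-10s %-4s -> %s%n", who, c[1], c[2], authz.decide(c[0], c[1], c[2]));
        }
    }
}
```

Compile and run with `javac FailClosedAuthzDemo.java && java FailClosedAuthzDemo`. The point to check in a deployment is the guest row of the fixture: whatever permissions the guest account holds are reachable by any unauthenticated client, because the AuthenticationException branch consults the guest's grants rather than rejecting outright.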

Aggregations

UnauthorizedException (org.apache.archiva.redback.authorization.UnauthorizedException) 12
AuthenticationResult (org.apache.archiva.redback.authentication.AuthenticationResult) 9
SecuritySession (org.apache.archiva.redback.system.SecuritySession) 7
DefaultSecuritySession (org.apache.archiva.redback.system.DefaultSecuritySession) 5
Test (org.junit.Test) 5
AuthenticationException (org.apache.archiva.redback.authentication.AuthenticationException) 4
Path (java.nio.file.Path) 3
HttpServletRequest (javax.servlet.http.HttpServletRequest) 3
HttpServletResponse (javax.servlet.http.HttpServletResponse) 3
AuthorizationException (org.apache.archiva.redback.authorization.AuthorizationException) 3
AccountLockedException (org.apache.archiva.redback.policy.AccountLockedException) 3
MustChangePasswordException (org.apache.archiva.redback.policy.MustChangePasswordException) 3
User (org.apache.archiva.redback.users.User) 3
DavException (org.apache.jackrabbit.webdav.DavException) 3
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest) 3
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse) 3
IOException (java.io.IOException) 2
InputStream (java.io.InputStream) 2
ArrayList (java.util.ArrayList) 2
HashMap (java.util.HashMap) 2