use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.
the class RepositoryServletSecurityTest method testGetWithAValidUserWithNoReadAccess.
// test get with valid user with no read access to repo
/**
 * A GET by a user who is authenticated but lacks the repository-access permission
 * on the "internal" repository must be refused. The mocked authorizer throws
 * {@link UnauthorizedException} from {@code isAuthorized()}, so the refusal is
 * driven by the authorization step, not by a failed authentication.
 *
 * @throws Exception if the servlet or the mocks fail unexpectedly
 */
@Test
public void testGetWithAValidUserWithNoReadAccess() throws Exception {
// Put a real artifact under the internal repository: if the authorization
// check were skipped, the servlet would have something to serve.
String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
String expectedArtifactContents = "dummy-commons-lang-artifact";
Path artifactFile = repoRootInternal.getRoot().resolve(commonsLangJar);
Files.createDirectories(artifactFile.getParent());
// Platform default charset; the fixture contents are plain ASCII so this is harmless here.
org.apache.archiva.common.utils.FileUtils.writeStringToFile(artifactFile, Charset.defaultCharset(), expectedArtifactContents);
// Wire the mocked HTTP and servlet authenticators into the resource factory the servlet uses.
servlet.setDavSessionProvider(davSessionProvider);
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth(httpAuth);
archivaDavResourceFactory.setServletAuth(servletAuth);
servlet.setResourceFactory(archivaDavResourceFactory);
// First round of expectations: the servlet obtains an authentication result
// and the servlet authenticator reports the caller as authenticated.
AuthenticationResult result = new AuthenticationResult();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);
// ArchivaDavResourceFactory#isAuthorized()
// Second round mirrors the call sequence of ArchivaDavResourceFactory#isAuthorized():
// authentication result, security session, isAuthenticated(), then isAuthorized().
// The last call throws, which is the behaviour under test.
SecuritySession session = new DefaultSecuritySession();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(session);
EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(new SimpleUser());
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andReturn(true);
EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(session), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS))).andThrow(new UnauthorizedException("User not authorized to read repository."));
// Switch both mock controls from record to replay mode before the request is served.
httpAuthControl.replay();
servletAuthControl.replay();
// Plain GET for the artifact. A User-Agent header is set; presumably the servlet
// inspects it somewhere — verify if this test ever stops exercising that path.
MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
mockHttpServletRequest.addHeader("User-Agent", "foo");
mockHttpServletRequest.setMethod("GET");
mockHttpServletRequest.setRequestURI("/repository/internal/" + commonsLangJar);
MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
servlet.service(mockHttpServletRequest, mockHttpServletResponse);
// Every recorded expectation must have been consumed: the servlet really went
// through both the authentication and the authorization calls.
httpAuthControl.verify();
servletAuthControl.verify();
// An authorization failure surfaces as 401 here (not 403); this assertion pins that contract.
assertEquals(HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus());
}
use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.
the class ArchivaServletAuthenticatorTest method testIsAuthorizedUserHasNoWriteAccess.
/**
 * A user holding only the observer role on "corporate" must be refused the
 * upload permission on that repository, and the refusal must carry the
 * repository name in its message.
 *
 * @throws Exception if user setup or the security system fails unexpectedly
 */
@Test
public void testIsAuthorizedUserHasNoWriteAccess() throws Exception {
    createUser(USER_ALPACA, "Al 'Archiva' Paca");
    assignRepositoryObserverRole(USER_ALPACA, "corporate");
    // The authenticator may read the client address; give the mocked request one.
    EasyMock.expect(request.getRemoteAddr()).andReturn("192.168.111.111");
    User alpaca = securitySystem.getUserManager().findUser(USER_ALPACA);
    AuthenticationResult authenticated = new AuthenticationResult(true, USER_ALPACA, null);
    SecuritySession alpacaSession = new DefaultSecuritySession(authenticated, alpaca);
    httpServletRequestControl.replay();
    try {
        servletAuth.isAuthorized(request, alpacaSession, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD);
        fail("UnauthorizedException should have been thrown.");
    } catch (UnauthorizedException denied) {
        assertEquals("Access denied for repository corporate", denied.getMessage());
    }
    httpServletRequestControl.verify();
    // Undo the role/user changes so later tests see the default guest setup.
    restoreGuestInitialValues(USER_ALPACA);
}
use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.
the class ArchivaServletAuthenticatorTest method testIsAuthorizedUserHasNoReadAccess.
/**
 * A freshly created user with no repository role at all must be refused even
 * read access to "corporate", with the repository named in the message.
 *
 * @throws Exception if user setup or the security system fails unexpectedly
 */
@Test
public void testIsAuthorizedUserHasNoReadAccess() throws Exception {
    createUser(USER_ALPACA, "Al 'Archiva' Paca");
    User alpaca = securitySystem.getUserManager().findUser(USER_ALPACA);
    AuthenticationResult authenticated = new AuthenticationResult(true, USER_ALPACA, null);
    SecuritySession alpacaSession = new DefaultSecuritySession(authenticated, alpaca);
    try {
        servletAuth.isAuthorized(request, alpacaSession, "corporate", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS);
        fail("UnauthorizedException should have been thrown.");
    } catch (UnauthorizedException denied) {
        assertEquals("Access denied for repository corporate", denied.getMessage());
    }
    // Undo the user changes so later tests see the default guest setup.
    restoreGuestInitialValues(USER_ALPACA);
}
use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.
the class ArchivaServletAuthenticator method isAuthorized.
/**
 * Decides whether {@code principal} holds {@code permission} on repository
 * {@code repoId}, by looking the user up and asking the security system with a
 * synthetic, already-authenticated session.
 *
 * @param principal  user name to evaluate
 * @param repoId     repository the permission applies to
 * @param permission permission (operation) being requested
 * @return the security system's authorization decision
 * @throws UnauthorizedException if the user cannot be resolved, is locked, or
 *         the user-lookup or authorization subsystem fails
 */
@Override
public boolean isAuthorized(String principal, String repoId, String permission) throws UnauthorizedException {
    try {
        User account = securitySystem.getUserManager().findUser(principal);
        if (account == null) {
            throw new UnauthorizedException("The security system had an internal error - please check your system logs");
        }
        if (account.isLocked()) {
            throw new UnauthorizedException("User account is locked.");
        }
        // The caller vouches for the principal, so the session is marked authenticated
        // here; the permission decision itself is delegated to the security system.
        AuthenticationResult authenticated = new AuthenticationResult(true, principal, null);
        SecuritySession principalSession = new DefaultSecuritySession(authenticated, account);
        return securitySystem.isAuthorized(principalSession, permission, repoId);
    } catch (UserNotFoundException e) {
        throw new UnauthorizedException(e.getMessage(), e);
    } catch (AuthorizationException | UserManagerException e) {
        // NOTE(review): the backend's message text is relayed verbatim; callers that
        // surface this exception to HTTP clients should substitute a generic message.
        throw new UnauthorizedException(e.getMessage(), e);
    }
}
use of org.apache.archiva.redback.authorization.UnauthorizedException in project archiva by apache.
the class ArchivaDavResourceFactory method isAuthorized.
/**
 * Checks that the caller of {@code request} is authenticated and holds the
 * permission matching the request's WebDAV method on {@code repositoryId}.
 * When authentication fails, the guest account is tried as a fallback before
 * the request is rejected.
 *
 * @param request      the WebDAV request being served
 * @param repositoryId repository the request targets (used in error messages)
 * @return {@code true} if access is granted; {@code false} if the caller is not authenticated
 * @throws DavException with an unauthorized status on authentication/authorization
 *         failure, locked account or forced password change; with 500 when the
 *         authorization subsystem itself fails
 */
protected boolean isAuthorized(DavServletRequest request, String repositoryId) throws DavException {
    try {
        AuthenticationResult authn = httpAuth.getAuthenticationResult(request, null);
        // NOTE(review): getSession(true) creates a server-side session for every request,
        // including unauthenticated ones — confirm this is intended for stateless WebDAV clients.
        SecuritySession session = httpAuth.getSecuritySession(request.getSession(true));
        if (!servletAuth.isAuthenticated(request, authn)) {
            return false;
        }
        return servletAuth.isAuthorized(request, session, repositoryId, WebdavMethodUtil.getMethodPermission(request.getMethod()));
    } catch (AuthenticationException e) {
        // safety check for MRM-911: an unauthenticated caller may still be let in as guest.
        // NOTE(review): the guest check uses the repository id taken from the request
        // locator rather than the repositoryId parameter; confirm the two always agree,
        // otherwise the permission is evaluated against a different repository than the
        // one named in the error.
        String repoFromLocator = ((ArchivaDavResourceLocator) request.getRequestLocator()).getRepositoryId();
        try {
            if (servletAuth.isAuthorized(UserManager.GUEST_USERNAME, repoFromLocator, WebdavMethodUtil.getMethodPermission(request.getMethod()))) {
                return true;
            }
        } catch (UnauthorizedException guestDenied) {
            throw new UnauthorizedDavException(repositoryId, "You are not authenticated and authorized to access any repository.");
        }
        throw new UnauthorizedDavException(repositoryId, "You are not authenticated");
    } catch (MustChangePasswordException e) {
        throw new UnauthorizedDavException(repositoryId, "You must change your password.");
    } catch (AccountLockedException e) {
        throw new UnauthorizedDavException(repositoryId, "User account is locked.");
    } catch (AuthorizationException e) {
        // Subsystem failure, not a denial: report it as a server error without details.
        throw new DavException(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Fatal Authorization Subsystem Error.");
    } catch (UnauthorizedException e) {
        // The authorizer's own message is relayed to the client here.
        throw new UnauthorizedDavException(repositoryId, e.getMessage());
    }
}