Example 1 with DefaultSecuritySession
use of org.apache.archiva.redback.system.DefaultSecuritySession in project archiva by apache.
the class RepositoryServletSecurityTest method testPutWithValidUserWithWriteAccess.
// test deploy with a valid user with write access
@Test
public void testPutWithValidUserWithWriteAccess() throws Exception {
assertTrue(Files.exists(repoRootInternal.getRoot()));
MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
InputStream is = getClass().getResourceAsStream("/artifact.jar");
assertNotNull("artifact.jar inputstream", is);
servlet.setDavSessionProvider(davSessionProvider);
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth(httpAuth);
archivaDavResourceFactory.setServletAuth(servletAuth);
TestAuditListener listener = new TestAuditListener();
archivaDavResourceFactory.addAuditListener(listener);
servlet.setResourceFactory(archivaDavResourceFactory);
AuthenticationResult result = new AuthenticationResult();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);
User user = new SimpleUser();
user.setUsername("admin");
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(httpAuth.getSecuritySession(mockHttpServletRequest.getSession())).andReturn(session);
EasyMock.expect(httpAuth.getSessionUser(mockHttpServletRequest.getSession())).andReturn(user);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andReturn(true);
EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(session), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD))).andReturn(true);
httpAuthControl.replay();
servletAuthControl.replay();
mockHttpServletRequest.addHeader("User-Agent", "foo");
mockHttpServletRequest.setMethod("PUT");
mockHttpServletRequest.setRequestURI("/repository/internal/path/to/artifact.jar");
mockHttpServletRequest.setContent(IOUtils.toByteArray(is));
mockHttpServletRequest.setContentType("application/octet-stream");
MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
servlet.service(mockHttpServletRequest, mockHttpServletResponse);
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals(HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus());
assertEquals("admin", listener.getEvents().get(0).getUserId());
}
Also used :
TestAuditListener(org.apache.archiva.repository.audit.TestAuditListener)
User(org.apache.archiva.redback.users.User)
SimpleUser(org.apache.archiva.redback.users.memory.SimpleUser)
SimpleUser(org.apache.archiva.redback.users.memory.SimpleUser)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
InputStream(java.io.InputStream)
SecuritySession(org.apache.archiva.redback.system.SecuritySession)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
Test(org.junit.Test)
Example 2 with DefaultSecuritySession
use of org.apache.archiva.redback.system.DefaultSecuritySession in project archiva by apache.
the class RepositoryServletSecurityTest method testGetWithAValidUserWithNoReadAccess.
// test get with valid user with no read access to repo
@Test
public void testGetWithAValidUserWithNoReadAccess() throws Exception {
String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
String expectedArtifactContents = "dummy-commons-lang-artifact";
Path artifactFile = repoRootInternal.getRoot().resolve(commonsLangJar);
Files.createDirectories(artifactFile.getParent());
org.apache.archiva.common.utils.FileUtils.writeStringToFile(artifactFile, Charset.defaultCharset(), expectedArtifactContents);
servlet.setDavSessionProvider(davSessionProvider);
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth(httpAuth);
archivaDavResourceFactory.setServletAuth(servletAuth);
servlet.setResourceFactory(archivaDavResourceFactory);
AuthenticationResult result = new AuthenticationResult();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(session);
EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(new SimpleUser());
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andReturn(true);
EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(session), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS))).andThrow(new UnauthorizedException("User not authorized to read repository."));
httpAuthControl.replay();
servletAuthControl.replay();
MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
mockHttpServletRequest.addHeader("User-Agent", "foo");
mockHttpServletRequest.setMethod("GET");
mockHttpServletRequest.setRequestURI("/repository/internal/" + commonsLangJar);
MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
servlet.service(mockHttpServletRequest, mockHttpServletResponse);
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals(HttpServletResponse.SC_UNAUTHORIZED, mockHttpServletResponse.getStatus());
}
Also used :
Path(java.nio.file.Path)
SimpleUser(org.apache.archiva.redback.users.memory.SimpleUser)
SecuritySession(org.apache.archiva.redback.system.SecuritySession)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
HttpSession(javax.servlet.http.HttpSession)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
UnauthorizedException(org.apache.archiva.redback.authorization.UnauthorizedException)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
Test(org.junit.Test)
Example 3 with DefaultSecuritySession
use of org.apache.archiva.redback.system.DefaultSecuritySession in project archiva by apache.
the class RepositoryServletSecurityTest method testPutWithInvalidUserAndGuestHasWriteAccess.
// test deploy with invalid user, but guest has write access to repo
@Test
public void testPutWithInvalidUserAndGuestHasWriteAccess() throws Exception {
servlet.setDavSessionProvider(davSessionProvider);
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth(httpAuth);
archivaDavResourceFactory.setServletAuth(servletAuth);
servlet.setResourceFactory(archivaDavResourceFactory);
AuthenticationResult result = new AuthenticationResult();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andThrow(new AuthenticationException("Authentication error"));
EasyMock.expect(servletAuth.isAuthorized("guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD)).andReturn(true);
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(session);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andThrow(new AuthenticationException("Authentication error"));
EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(null);
// check if guest has write access
EasyMock.expect(servletAuth.isAuthorized("guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD)).andReturn(true);
httpAuthControl.replay();
servletAuthControl.replay();
InputStream is = getClass().getResourceAsStream("/artifact.jar");
assertNotNull("artifact.jar inputstream", is);
MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
mockHttpServletRequest.addHeader("User-Agent", "foo");
mockHttpServletRequest.setMethod("PUT");
mockHttpServletRequest.setRequestURI("/repository/internal/path/to/artifact.jar");
mockHttpServletRequest.setContent(IOUtils.toByteArray(is));
mockHttpServletRequest.setContentType("application/octet-stream");
MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
servlet.service(mockHttpServletRequest, mockHttpServletResponse);
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals(HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus());
}
Also used :
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
AuthenticationException(org.apache.archiva.redback.authentication.AuthenticationException)
SecuritySession(org.apache.archiva.redback.system.SecuritySession)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
HttpSession(javax.servlet.http.HttpSession)
InputStream(java.io.InputStream)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)
Test(org.junit.Test)
Example 4 with DefaultSecuritySession
use of org.apache.archiva.redback.system.DefaultSecuritySession in project archiva by apache.
the class RepositoryServletSecurityTest method testGetWithInvalidUserAndGuestHasReadAccess.
// test get with invalid user, and guest has read access to repo
@Test
public void testGetWithInvalidUserAndGuestHasReadAccess() throws Exception {
String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
String expectedArtifactContents = "dummy-commons-lang-artifact";
Path artifactFile = repoRootInternal.getRoot().resolve(commonsLangJar);
Files.createDirectories(artifactFile.getParent());
org.apache.archiva.common.utils.FileUtils.writeStringToFile(artifactFile, Charset.defaultCharset(), expectedArtifactContents);
servlet.setDavSessionProvider(davSessionProvider);
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth(httpAuth);
archivaDavResourceFactory.setServletAuth(servletAuth);
servlet.setResourceFactory(archivaDavResourceFactory);
AuthenticationResult result = new AuthenticationResult();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andThrow(new AuthenticationException("Authentication error"));
EasyMock.expect(servletAuth.isAuthorized("guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS)).andReturn(true);
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(session);
EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(null);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andReturn(true);
EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(session), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS))).andReturn(true);
httpAuthControl.replay();
servletAuthControl.replay();
MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
mockHttpServletRequest.addHeader("User-Agent", "foo");
mockHttpServletRequest.setMethod("GET");
mockHttpServletRequest.setRequestURI("/repository/internal/" + commonsLangJar);
MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
servlet.service(mockHttpServletRequest, mockHttpServletResponse);
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals(HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus());
assertEquals("Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString());
}
Also used :
Path(java.nio.file.Path)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
AuthenticationException(org.apache.archiva.redback.authentication.AuthenticationException)
SecuritySession(org.apache.archiva.redback.system.SecuritySession)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
HttpSession(javax.servlet.http.HttpSession)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)
Test(org.junit.Test)
Example 5 with DefaultSecuritySession
use of org.apache.archiva.redback.system.DefaultSecuritySession in project archiva by apache.
the class RepositoryServletSecurityTest method testGetWithAValidUserWithReadAccess.
// test get with valid user with read access to repo
@Test
public void testGetWithAValidUserWithReadAccess() throws Exception {
String commonsLangJar = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
String expectedArtifactContents = "dummy-commons-lang-artifact";
Path artifactFile = repoRootInternal.getRoot().resolve(commonsLangJar);
Files.createDirectories(artifactFile.getParent());
org.apache.archiva.common.utils.FileUtils.writeStringToFile(artifactFile, Charset.defaultCharset(), expectedArtifactContents);
servlet.setDavSessionProvider(davSessionProvider);
ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
archivaDavResourceFactory.setHttpAuth(httpAuth);
archivaDavResourceFactory.setServletAuth(servletAuth);
servlet.setResourceFactory(archivaDavResourceFactory);
AuthenticationResult result = new AuthenticationResult();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);
// ArchivaDavResourceFactory#isAuthorized()
SecuritySession session = new DefaultSecuritySession();
EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(session);
EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(new SimpleUser());
EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andReturn(true);
EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(session), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS))).andReturn(true);
httpAuthControl.replay();
servletAuthControl.replay();
MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
mockHttpServletRequest.addHeader("User-Agent", "foo");
mockHttpServletRequest.setMethod("GET");
mockHttpServletRequest.setRequestURI("/repository/internal/" + commonsLangJar);
MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
servlet.service(mockHttpServletRequest, mockHttpServletResponse);
httpAuthControl.verify();
servletAuthControl.verify();
assertEquals(HttpServletResponse.SC_OK, mockHttpServletResponse.getStatus());
assertEquals("Expected file contents", expectedArtifactContents, mockHttpServletResponse.getContentAsString());
}
Also used :
Path(java.nio.file.Path)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
SimpleUser(org.apache.archiva.redback.users.memory.SimpleUser)
SecuritySession(org.apache.archiva.redback.system.SecuritySession)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
HttpSession(javax.servlet.http.HttpSession)
MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
DefaultSecuritySession(org.apache.archiva.redback.system.DefaultSecuritySession)
MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse)
AuthenticationResult(org.apache.archiva.redback.authentication.AuthenticationResult)
Test(org.junit.Test)
Aggregations
AuthenticationResult (org.apache.archiva.redback.authentication.AuthenticationResult)14
DefaultSecuritySession (org.apache.archiva.redback.system.DefaultSecuritySession)14
SecuritySession (org.apache.archiva.redback.system.SecuritySession)13
Test (org.junit.Test)10
User (org.apache.archiva.redback.users.User)9
HttpServletRequest (javax.servlet.http.HttpServletRequest)6
HttpServletResponse (javax.servlet.http.HttpServletResponse)6
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)6
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)6
UnauthorizedException (org.apache.archiva.redback.authorization.UnauthorizedException)5
Path (java.nio.file.Path)4
HttpSession (javax.servlet.http.HttpSession)4
UserManager (org.apache.archiva.redback.users.UserManager)4
SimpleUser (org.apache.archiva.redback.users.memory.SimpleUser)4
InputStream (java.io.InputStream)3
UserManagerException (org.apache.archiva.redback.users.UserManagerException)3
UserNotFoundException (org.apache.archiva.redback.users.UserNotFoundException)3
AuthenticationException (org.apache.archiva.redback.authentication.AuthenticationException)2
AuthorizationException (org.apache.archiva.redback.authorization.AuthorizationException)2
IOException (java.io.IOException)1
