
the class RepositoryServletSecurityTest method testPutWithValidUserWithWriteAccess.

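/**
 * Deploy (PUT) by an authenticated user who holds the repository-upload
 * permission: the servlet must answer 201 Created and the audit listener must
 * attribute the upload to that user's id.
 *
 * <p>Authentication is consulted twice on this path — once by the servlet and
 * once again from {@code ArchivaDavResourceFactory#isAuthorized()} — so every
 * mock expectation is recorded in both flavours below. The second round is
 * keyed on this request's {@code HttpSession}, which is why the request object
 * is created before the expectations and then reused for the call.
 *
 * @throws Exception on any assertion failure, mock verification failure or I/O error
 */
@Test
public void testPutWithValidUserWithWriteAccess() throws Exception {
    assertTrue(Files.exists(repoRootInternal.getRoot()));
    MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
    // Read the artifact from the test classpath up front; try-with-resources
    // closes the stream (the earlier version left it open).
    byte[] artifactBytes;
    try (InputStream is = getClass().getResourceAsStream("/artifact.jar")) {
        assertNotNull("artifact.jar inputstream", is);
        artifactBytes = IOUtils.toByteArray(is);
    }
    // Wire the mocked authenticators and an audit listener into the DAV resource factory.
    servlet.setDavSessionProvider(davSessionProvider);
    ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
    archivaDavResourceFactory.setHttpAuth(httpAuth);
    archivaDavResourceFactory.setServletAuth(servletAuth);
    TestAuditListener listener = new TestAuditListener();
    archivaDavResourceFactory.addAuditListener(listener);
    servlet.setResourceFactory(archivaDavResourceFactory);
    // Servlet-level authentication succeeds.
    AuthenticationResult result = new AuthenticationResult();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);
    User user = new SimpleUser();
    user.setUsername("admin");
    // ArchivaDavResourceFactory#isAuthorized()
    SecuritySession session = new DefaultSecuritySession();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
    // These two expectations are bound to this exact request's session, not to any HttpSession.
    EasyMock.expect(httpAuth.getSecuritySession(mockHttpServletRequest.getSession())).andReturn(session);
    EasyMock.expect(httpAuth.getSessionUser(mockHttpServletRequest.getSession())).andReturn(user);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andReturn(true);
    EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(session), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD))).andReturn(true);
    httpAuthControl.replay();
    servletAuthControl.replay();
    mockHttpServletRequest.addHeader("User-Agent", "foo");
    mockHttpServletRequest.setMethod("PUT");
    mockHttpServletRequest.setRequestURI("/repository/internal/path/to/artifact.jar");
    mockHttpServletRequest.setContent(artifactBytes);
    mockHttpServletRequest.setContentType("application/octet-stream");
    MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
    servlet.service(mockHttpServletRequest, mockHttpServletResponse);
    httpAuthControl.verify();
    servletAuthControl.verify();
    assertEquals(HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus());
    // The audit trail must name the authenticated user, not a guest or empty id.
    assertEquals("admin", listener.getEvents().get(0).getUserId());
}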

the class RepositoryServletSecurityTest method testGetWithAValidUserWithNoReadAccess.

/**
 * GET by an authenticated user who lacks the repository-access permission.
 * The authorization step inside {@code ArchivaDavResourceFactory#isAuthorized()}
 * throws {@link UnauthorizedException}, and the servlet is expected to report
 * HTTP 401 instead of serving the artifact that really exists on disk.
 *
 * @throws Exception on any assertion failure, mock verification failure or I/O error
 */
@Test
public void testGetWithAValidUserWithNoReadAccess() throws Exception {
    // Stage a real artifact so that a wrongly authorized GET would have content to leak.
    String artifactRelPath = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
    String artifactBody = "dummy-commons-lang-artifact";
    Path artifactPath = repoRootInternal.getRoot().resolve(artifactRelPath);
    Files.createDirectories(artifactPath.getParent());
    org.apache.archiva.common.utils.FileUtils.writeStringToFile(artifactPath, Charset.defaultCharset(), artifactBody);

    // Wire the mocked authenticators into the DAV resource factory.
    servlet.setDavSessionProvider(davSessionProvider);
    ArchivaDavResourceFactory resourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
    resourceFactory.setHttpAuth(httpAuth);
    resourceFactory.setServletAuth(servletAuth);
    servlet.setResourceFactory(resourceFactory);

    // Servlet-level authentication succeeds ...
    AuthenticationResult authResult = new AuthenticationResult();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(authResult);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);

    // ... ArchivaDavResourceFactory#isAuthorized() authenticates again, then is refused at authorization.
    SecuritySession securitySession = new DefaultSecuritySession();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(authResult);
    EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(securitySession);
    EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(new SimpleUser());
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(authResult))).andReturn(true);
    EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(securitySession), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS)))
        .andThrow(new UnauthorizedException("User not authorized to read repository."));
    httpAuthControl.replay();
    servletAuthControl.replay();

    MockHttpServletRequest request = new MockHttpServletRequest();
    request.addHeader("User-Agent", "foo");
    request.setMethod("GET");
    request.setRequestURI("/repository/internal/" + artifactRelPath);
    MockHttpServletResponse response = new MockHttpServletResponse();
    servlet.service(request, response);

    httpAuthControl.verify();
    servletAuthControl.verify();
    assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getStatus());
}

the class RepositoryServletSecurityTest method testPutWithInvalidUserAndGuestHasWriteAccess.

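/**
 * Deploy (PUT) when authentication of the caller fails but the guest account
 * holds the repository-upload permission: the servlet is expected to fall back
 * to guest and accept the upload with 201 Created.
 *
 * <p>This pins down an anonymous-write path: {@code servletAuth.isAuthenticated}
 * throws on both rounds (servlet and {@code ArchivaDavResourceFactory#isAuthorized()}),
 * {@code httpAuth.getSessionUser} yields no user, and the outcome is decided
 * solely by {@code servletAuth.isAuthorized("guest", ...)}. The guest check is
 * expected twice because each round performs it.
 *
 * @throws Exception on any assertion failure, mock verification failure or I/O error
 */
@Test
public void testPutWithInvalidUserAndGuestHasWriteAccess() throws Exception {
    // Wire the mocked authenticators into the DAV resource factory.
    servlet.setDavSessionProvider(davSessionProvider);
    ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
    archivaDavResourceFactory.setHttpAuth(httpAuth);
    archivaDavResourceFactory.setServletAuth(servletAuth);
    servlet.setResourceFactory(archivaDavResourceFactory);
    // Servlet-level authentication fails; guest is then checked for upload rights.
    AuthenticationResult result = new AuthenticationResult();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andThrow(new AuthenticationException("Authentication error"));
    EasyMock.expect(servletAuth.isAuthorized("guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD)).andReturn(true);
    // ArchivaDavResourceFactory#isAuthorized()
    SecuritySession session = new DefaultSecuritySession();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(result);
    EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(session);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(result))).andThrow(new AuthenticationException("Authentication error"));
    EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(null);
    // check if guest has write access
    EasyMock.expect(servletAuth.isAuthorized("guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD)).andReturn(true);
    httpAuthControl.replay();
    servletAuthControl.replay();
    // Read the artifact from the test classpath; try-with-resources closes the
    // stream (the earlier version left it open).
    byte[] artifactBytes;
    try (InputStream is = getClass().getResourceAsStream("/artifact.jar")) {
        assertNotNull("artifact.jar inputstream", is);
        artifactBytes = IOUtils.toByteArray(is);
    }
    MockHttpServletRequest mockHttpServletRequest = new MockHttpServletRequest();
    mockHttpServletRequest.addHeader("User-Agent", "foo");
    mockHttpServletRequest.setMethod("PUT");
    mockHttpServletRequest.setRequestURI("/repository/internal/path/to/artifact.jar");
    mockHttpServletRequest.setContent(artifactBytes);
    mockHttpServletRequest.setContentType("application/octet-stream");
    MockHttpServletResponse mockHttpServletResponse = new MockHttpServletResponse();
    servlet.service(mockHttpServletRequest, mockHttpServletResponse);
    httpAuthControl.verify();
    servletAuthControl.verify();
    assertEquals(HttpServletResponse.SC_CREATED, mockHttpServletResponse.getStatus());
}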

the class RepositoryServletSecurityTest method testGetWithInvalidUserAndGuestHasReadAccess.

/**
 * GET when the caller cannot be authenticated but the guest account holds the
 * repository-access permission: the artifact is served with HTTP 200 and its
 * exact staged contents.
 *
 * <p>Servlet-level authentication throws, after which the guest permission is
 * consulted; the second round in {@code ArchivaDavResourceFactory#isAuthorized()}
 * sees no session user but still authenticates and authorizes the request.
 *
 * @throws Exception on any assertion failure, mock verification failure or I/O error
 */
@Test
public void testGetWithInvalidUserAndGuestHasReadAccess() throws Exception {
    // Stage the artifact that the guest-backed GET is expected to return.
    String relativeJarPath = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
    String stagedContents = "dummy-commons-lang-artifact";
    Path jarOnDisk = repoRootInternal.getRoot().resolve(relativeJarPath);
    Files.createDirectories(jarOnDisk.getParent());
    org.apache.archiva.common.utils.FileUtils.writeStringToFile(jarOnDisk, Charset.defaultCharset(), stagedContents);

    // Plug the mocked authenticators into the DAV resource factory.
    servlet.setDavSessionProvider(davSessionProvider);
    ArchivaDavResourceFactory davFactory = (ArchivaDavResourceFactory) servlet.getResourceFactory();
    davFactory.setHttpAuth(httpAuth);
    davFactory.setServletAuth(servletAuth);
    servlet.setResourceFactory(davFactory);

    // Round one: the servlet fails to authenticate the caller and falls back to guest.
    AuthenticationResult authOutcome = new AuthenticationResult();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(authOutcome);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class)))
        .andThrow(new AuthenticationException("Authentication error"));
    EasyMock.expect(servletAuth.isAuthorized("guest", "internal", ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS)).andReturn(true);

    // Round two: ArchivaDavResourceFactory#isAuthorized() with no session user.
    SecuritySession guestSession = new DefaultSecuritySession();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(authOutcome);
    EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(guestSession);
    EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(null);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(authOutcome))).andReturn(true);
    EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(guestSession), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS))).andReturn(true);
    httpAuthControl.replay();
    servletAuthControl.replay();

    MockHttpServletRequest getRequest = new MockHttpServletRequest();
    getRequest.addHeader("User-Agent", "foo");
    getRequest.setMethod("GET");
    getRequest.setRequestURI("/repository/internal/" + relativeJarPath);
    MockHttpServletResponse getResponse = new MockHttpServletResponse();
    servlet.service(getRequest, getResponse);

    httpAuthControl.verify();
    servletAuthControl.verify();
    assertEquals(HttpServletResponse.SC_OK, getResponse.getStatus());
    assertEquals("Expected file contents", stagedContents, getResponse.getContentAsString());
}

the class RepositoryServletSecurityTest method testGetWithAValidUserWithReadAccess.

/**
 * GET by an authenticated user who holds the repository-access permission:
 * both authentication rounds succeed, authorization is granted, and the
 * servlet returns HTTP 200 with the staged artifact bytes.
 *
 * @throws Exception on any assertion failure, mock verification failure or I/O error
 */
@Test
public void testGetWithAValidUserWithReadAccess() throws Exception {
    // Put a known artifact into the internal repository root.
    String jarRelPath = "commons-lang/commons-lang/2.1/commons-lang-2.1.jar";
    String jarContents = "dummy-commons-lang-artifact";
    Path jarFile = repoRootInternal.getRoot().resolve(jarRelPath);
    Files.createDirectories(jarFile.getParent());
    org.apache.archiva.common.utils.FileUtils.writeStringToFile(jarFile, Charset.defaultCharset(), jarContents);

    // Install the mocked authenticators on the DAV resource factory.
    servlet.setDavSessionProvider(davSessionProvider);
    ArchivaDavResourceFactory factoryUnderTest = (ArchivaDavResourceFactory) servlet.getResourceFactory();
    factoryUnderTest.setHttpAuth(httpAuth);
    factoryUnderTest.setServletAuth(servletAuth);
    servlet.setResourceFactory(factoryUnderTest);

    // Servlet-level authentication succeeds.
    AuthenticationResult authenticated = new AuthenticationResult();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(authenticated);
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), anyObject(AuthenticationResult.class))).andReturn(true);

    // ArchivaDavResourceFactory#isAuthorized(): authenticated again, then granted read access.
    SecuritySession userSession = new DefaultSecuritySession();
    EasyMock.expect(httpAuth.getAuthenticationResult(anyObject(HttpServletRequest.class), anyObject(HttpServletResponse.class))).andReturn(authenticated);
    EasyMock.expect(httpAuth.getSecuritySession(anyObject(HttpSession.class))).andReturn(userSession);
    EasyMock.expect(httpAuth.getSessionUser(anyObject(HttpSession.class))).andReturn(new SimpleUser());
    EasyMock.expect(servletAuth.isAuthenticated(anyObject(HttpServletRequest.class), eq(authenticated))).andReturn(true);
    EasyMock.expect(servletAuth.isAuthorized(anyObject(HttpServletRequest.class), eq(userSession), eq("internal"), eq(ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS))).andReturn(true);
    httpAuthControl.replay();
    servletAuthControl.replay();

    MockHttpServletRequest req = new MockHttpServletRequest();
    req.addHeader("User-Agent", "foo");
    req.setMethod("GET");
    req.setRequestURI("/repository/internal/" + jarRelPath);
    MockHttpServletResponse resp = new MockHttpServletResponse();
    servlet.service(req, resp);

    httpAuthControl.verify();
    servletAuthControl.verify();
    assertEquals(HttpServletResponse.SC_OK, resp.getStatus());
    assertEquals("Expected file contents", jarContents, resp.getContentAsString());
}