archiva-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From och...@apache.org
Subject svn commit: r701801 - in /archiva/branches/archiva-security-fix/archiva-modules/archiva-web: archiva-security/src/main/java/org/apache/maven/archiva/security/ archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ archiva-webdav/src/test/java/or...
Date Sun, 05 Oct 2008 14:39:23 GMT
Author: oching
Date: Sun Oct  5 07:39:22 2008
New Revision: 701801

URL: http://svn.apache.org/viewvc?rev=701801&view=rev
Log:
-fix security issue
-updated tests

Modified:
    archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
    archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
    archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
    archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
    archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
    archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java

Modified: archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java?rev=701801&r1=701800&r2=701801&view=diff
==============================================================================
--- archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
(original)
+++ archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaServletAuthenticator.java
Sun Oct  5 07:39:22 2008
@@ -93,11 +93,18 @@
         return true;
     }
 
-    public boolean isAuthorized( String principal, String repoId )
+    public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest
)
         throws UnauthorizedException
     {
         try
         {
+            String permission = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS;
+
+            if ( isWriteRequest )
+            {
+                permission = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD;
+            }
+            
             User user = securitySystem.getUserManager().findUser( principal );
             if ( user.isLocked() )
             {
@@ -107,8 +114,7 @@
             AuthenticationResult authn = new AuthenticationResult( true, principal, null
);
             SecuritySession securitySession = new DefaultSecuritySession( authn, user );
 
-            return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS,
-                                                repoId );
+            return securitySystem.isAuthorized( securitySession, permission, repoId );
         }
         catch ( UserNotFoundException e )
         {

Modified: archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java?rev=701801&r1=701800&r2=701801&view=diff
==============================================================================
--- archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
(original)
+++ archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ServletAuthenticator.java
Sun Oct  5 07:39:22 2008
@@ -41,6 +41,6 @@
     public boolean isAuthorized( HttpServletRequest request, SecuritySession securitySession,
String repositoryId,
         boolean isWriteRequest ) throws AuthorizationException, UnauthorizedException;
     
-    public boolean isAuthorized( String principal, String repoId )
+    public boolean isAuthorized( String principal, String repoId, boolean isWriteRequest
)
         throws UnauthorizedException;
 }

Modified: archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java?rev=701801&r1=701800&r2=701801&view=diff
==============================================================================
--- archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
(original)
+++ archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavResourceFactory.java
Sun Oct  5 07:39:22 2008
@@ -263,8 +263,7 @@
                         }
                     }
                     catch ( DavException de ) 
-                    {
-                        de.printStackTrace();
+                    {                        
                         e = de;
                         continue;
                     }
@@ -288,6 +287,7 @@
             }
         }        
         
+        System.out.println( "Available resources --> " + availableResources );
         if ( availableResources.isEmpty() )
         {
             throw e;
@@ -735,12 +735,14 @@
         }
         catch ( AuthenticationException e )
         {            
+            boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
+            
             // safety check for MRM-911            
             String guest = archivaXworkUser.getGuest();
             try
             {
                 if( servletAuth.isAuthorized( guest, 
-                      ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId()
) )
+                      ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(),
isPut ) )
                 {   
                     return true;
                 }
@@ -797,6 +799,8 @@
 
         if( allow )
         {
+            boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
+            
             for( String repository : repositories )
             {
                 // for prompted authentication
@@ -819,7 +823,7 @@
                     // for the current user logged in
                     try
                     {
-                        if( servletAuth.isAuthorized( activePrincipal, repository ) )
+                        if( servletAuth.isAuthorized( activePrincipal, repository, isPut
) )
                         {
                             getResource( locator, mergedRepositoryContents, logicalResource,
repository );
                         }
@@ -911,11 +915,12 @@
         }
         else
         {
+            boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
             for( String repository : repositories )
             {
                 try
-                {
-                    if( servletAuth.isAuthorized( activePrincipal, repository ) )
+                {   
+                    if( servletAuth.isAuthorized( activePrincipal, repository, isPut ) )
                     {
                         allow = true;
                         break;

Modified: archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java?rev=701801&r1=701800&r2=701801&view=diff
==============================================================================
--- archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
(original)
+++ archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/main/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProvider.java
Sun Oct  5 07:39:22 2008
@@ -24,6 +24,7 @@
 import org.apache.jackrabbit.webdav.DavException;
 import org.apache.jackrabbit.webdav.DavServletRequest;
 import org.apache.maven.archiva.webdav.util.RepositoryPathUtil;
+import org.apache.maven.archiva.webdav.util.WebdavMethodUtil;
 import org.apache.maven.archiva.security.ArchivaXworkUser;
 import org.apache.maven.archiva.security.ServletAuthenticator;
 import org.codehaus.plexus.redback.authentication.AuthenticationException;
@@ -72,12 +73,14 @@
         }
         catch ( AuthenticationException e )
         {   
+            boolean isPut = WebdavMethodUtil.isWriteMethod( request.getMethod() );
+            
             // safety check for MRM-911            
             String guest = archivaXworkUser.getGuest();
             try
             {
                 if( servletAuth.isAuthorized( guest, 
-                      ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId()
) )
+                      ( ( ArchivaDavResourceLocator ) request.getRequestLocator() ).getRepositoryId(),
isPut ) )
                 {
                     request.setDavSession(new ArchivaDavSession());
                     return true;

Modified: archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java?rev=701801&r1=701800&r2=701801&view=diff
==============================================================================
--- archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
(original)
+++ archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/ArchivaDavSessionProviderTest.java
Sun Oct  5 07:39:22 2008
@@ -362,7 +362,7 @@
             return true;
         }
 
-        public boolean isAuthorized(String arg0, String arg1)
+        public boolean isAuthorized(String arg0, String arg1, boolean isWriteRequest)
             throws UnauthorizedException
         {
             return true;

Modified: archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java
URL: http://svn.apache.org/viewvc/archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java?rev=701801&r1=701800&r2=701801&view=diff
==============================================================================
--- archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java
(original)
+++ archiva/branches/archiva-security-fix/archiva-modules/archiva-web/archiva-webdav/src/test/java/org/apache/maven/archiva/webdav/RepositoryServletSecurityTest.java
Sun Oct  5 07:39:22 2008
@@ -28,7 +28,6 @@
 import net.sf.ehcache.CacheManager;
 
 import org.apache.commons.io.FileUtils;
-import org.apache.jackrabbit.webdav.DavException;
 import org.apache.jackrabbit.webdav.DavResourceFactory;
 import org.apache.jackrabbit.webdav.DavSessionProvider;
 import org.apache.maven.archiva.configuration.ArchivaConfiguration;
@@ -50,7 +49,6 @@
 
 import com.meterware.httpunit.GetMethodWebRequest;
 import com.meterware.httpunit.HttpUnitOptions;
-import com.meterware.httpunit.PostMethodWebRequest;
 import com.meterware.httpunit.PutMethodWebRequest;
 import com.meterware.httpunit.WebRequest;
 import com.meterware.httpunit.WebResponse;
@@ -61,6 +59,9 @@
 /**
  * RepositoryServletSecurityTest
  * 
+ * Test the flow of the authentication and authorization checks. This does not necessarily
+ * perform redback security checking.
+ * 
  * @author <a href="mailto:joakime@apache.org">Joakim Erdfelt</a>
  * @version $Id$
  */
@@ -123,12 +124,12 @@
         sc = sr.newClient();
 
         servletAuthControl = MockControl.createControl( ServletAuthenticator.class );
-        servletAuthControl.setDefaultMatcher( new AlwaysMatcher() );
+        servletAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
         servletAuth = (ServletAuthenticator) servletAuthControl.getMock();
 
         httpAuthControl =
             MockClassControl.createControl( HttpBasicAuthentication.class, HttpBasicAuthentication.class.getMethods()
);
-        httpAuthControl.setDefaultMatcher( new AlwaysMatcher() );
+        httpAuthControl.setDefaultMatcher( MockControl.ALWAYS_MATCHER );
         httpAuth = (HttpAuthenticator) httpAuthControl.getMock();
 
         archivaXworkUser = new ArchivaXworkUser();
@@ -209,7 +210,11 @@
     {
         setupCleanRepo( repoRootInternal );
 
-        WebRequest request = new PostMethodWebRequest( "http://machine.com/repository/internal/path/to/artifact.jar"
);
+        String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
+        InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
+        assertNotNull( "artifact.jar inputstream", is );
+
+        WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream"
);
         InvocationContext ic = sc.newInvocation( request );
         servlet = (RepositoryServlet) ic.getServlet();
         servlet.setDavSessionProvider( davSessionProvider );
@@ -217,18 +222,22 @@
         AuthenticationResult result = new AuthenticationResult();
         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ),
result );
         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
-                                           new AuthenticationException( "Authentication error"
) );
-        // servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal"
), false );
+                           new AuthenticationException( "Authentication error" ) );
+        
+        servletAuth.isAuthorized( "guest", "internal", true );        
+        servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
+        servletAuthControl.setThrowable( new UnauthorizedException( "'guest' has no write
access to repository" ) );
 
         httpAuthControl.replay();
         servletAuthControl.replay();
 
-        WebResponse response = sc.getResponse( request );
-
+        //WebResponse response = sc.getResponse( request );
+        servlet.service( ic.getRequest(), ic.getResponse() );
+        
         httpAuthControl.verify();
         servletAuthControl.verify();
 
-        // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
+        //assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
     }
 
     // test deploy with invalid user, but guest has write access to repo
@@ -257,7 +266,11 @@
         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ),
result );
         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
                                            new AuthenticationException( "Authentication error"
) );
-        servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal"
), true );
+        
+        servletAuth.isAuthorized( "guest", "internal", true );
+        servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
+        servletAuthControl.setReturnValue( true );
+        //servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal",
true ), true );
         
      // ArchivaDavResourceFactory#isAuthorized()
         SecuritySession session = new DefaultSecuritySession();
@@ -267,7 +280,10 @@
                                            new AuthenticationException( "Authentication error"
) );
         
         // check if guest has write access
-        servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal"
), true );
+        servletAuth.isAuthorized( "guest", "internal", true );
+        servletAuthControl.setMatcher( MockControl.EQUALS_MATCHER );
+        servletAuthControl.setReturnValue( true );
+        //servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal",
true ), true );
         
         httpAuthControl.replay();
         servletAuthControl.replay();
@@ -287,33 +303,42 @@
     {
         setupCleanRepo( repoRootInternal );
 
-        WebRequest request = new PostMethodWebRequest( "http://machine.com/repository/internal/path/to/artifact.jar"
);
-        InvocationContext ic = sc.newInvocation( request );
+        String putUrl = "http://machine.com/repository/internal/path/to/artifact.jar";
+        InputStream is = getClass().getResourceAsStream( "/artifact.jar" );
+        assertNotNull( "artifact.jar inputstream", is );
+        
+        WebRequest request = new PutMethodWebRequest( putUrl, is, "application/octet-stream"
);
+        
+        InvocationContext ic = sc.newInvocation( request ); 
         servlet = (RepositoryServlet) ic.getServlet();
         servlet.setDavSessionProvider( davSessionProvider );
-        servlet.setResourceFactory( davResourceFactory );
+        
+        ArchivaDavResourceFactory archivaDavResourceFactory = (ArchivaDavResourceFactory)
servlet.getResourceFactory();
+        archivaDavResourceFactory.setHttpAuth( httpAuth );
+        archivaDavResourceFactory.setServletAuth( servletAuth );
+        servlet.setResourceFactory( archivaDavResourceFactory );
 
         AuthenticationResult result = new AuthenticationResult();
         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ),
result );
         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true
);
-        // servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
-        // new AuthenticationException( "Authentication error" ) );
-        // servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal"
), true );
-
-        DavException e = new DavException( 401, "User not authorized." );
-        davResourceFactoryControl.expectAndThrow( davResourceFactory.createResource( null,
null, null ),
-                                                  new UnauthorizedDavException( "internal",
"User not authorized" ) );
-
+        
+     // ArchivaDavResourceFactory#isAuthorized()
+        SecuritySession session = new DefaultSecuritySession();
+        httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ),
result );
+        httpAuthControl.expectAndReturn( httpAuth.getSecuritySession(), session );
+        servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ),
true );
+        servletAuthControl.expectAndThrow( servletAuth.isAuthorized( null, session, "internal",
true ),
+                                           new UnauthorizedException( "User not authorized"
) );
+                
         httpAuthControl.replay();
         servletAuthControl.replay();
-        davResourceFactoryControl.replay();
-
-        WebResponse response = sc.getResponse( request );
+        
+        //WebResponse response = sc.getResponse( request );
+        servlet.service( ic.getRequest(), ic.getResponse() );
 
         httpAuthControl.verify();
         servletAuthControl.verify();
-        davResourceFactoryControl.verify();
-
+        
         // assertEquals(HttpServletResponse.SC_UNAUTHORIZED, response.getResponseCode());
     }
 
@@ -351,10 +376,6 @@
         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, result ),
true );
         servletAuthControl.expectAndReturn( servletAuth.isAuthorized( null, session, "internal",
true ), true );
 
-        // servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
-        // new AuthenticationException( "Authentication error" ) );
-        // servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal"
), true );
-
         httpAuthControl.replay();
         servletAuthControl.replay();
 
@@ -396,7 +417,7 @@
         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ),
result );
         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
                                            new AuthenticationException( "Authentication error"
) );
-        servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal"
), true );
+        servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal",
false ), true );
         
      // ArchivaDavResourceFactory#isAuthorized()
         SecuritySession session = new DefaultSecuritySession();
@@ -438,7 +459,7 @@
         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ),
result );
         servletAuthControl.expectAndThrow( servletAuth.isAuthenticated( null, null ),
                                            new AuthenticationException( "Authentication error"
) );
-        servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal"
), false );
+        servletAuthControl.expectAndReturn( servletAuth.isAuthorized( "guest", "internal",
false ), false );
 
         httpAuthControl.replay();
         servletAuthControl.replay();
@@ -519,7 +540,7 @@
         httpAuthControl.expectAndReturn( httpAuth.getAuthenticationResult( null, null ),
result );
         servletAuthControl.expectAndReturn( servletAuth.isAuthenticated( null, null ), true
);
 
-        DavException e = new DavException( 401, "User not authorized." );
+        //TODO remove davResourceFactoryControl!
         davResourceFactoryControl.expectAndThrow( davResourceFactory.createResource( null,
null, null ),
                                                   new UnauthorizedDavException( "internal",
"User not authorized" ) );
 



Mime
View raw message