Source code

001/*
002 * Licensed to DuraSpace under one or more contributor license agreements.
003 * See the NOTICE file distributed with this work for additional information
004 * regarding copyright ownership.
005 *
006 * DuraSpace licenses this file to you under the Apache License,
007 * Version 2.0 (the "License"); you may not use this file except in
008 * compliance with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.fcrepo.auth.integration;
019
020import static org.mockito.Matchers.any;
021import static org.mockito.Mockito.atLeastOnce;
022import static org.mockito.Mockito.times;
023import static org.mockito.Mockito.verify;
024import static org.mockito.Mockito.when;
025import static org.slf4j.LoggerFactory.getLogger;
026
027import org.apache.http.auth.BasicUserPrincipal;
028
029import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
030import org.fcrepo.auth.common.ServletContainerAuthenticationProvider;
031import org.fcrepo.kernel.api.exception.RepositoryRuntimeException;
032import org.fcrepo.kernel.api.services.ContainerService;
033import org.fcrepo.kernel.modeshape.services.ContainerServiceImpl;
034
035import org.junit.Assert;
036import org.junit.Before;
037import org.junit.Test;
038import org.junit.runner.RunWith;
039import org.mockito.Mockito;
040import org.modeshape.jcr.api.ServletCredentials;
041import org.modeshape.jcr.value.Path;
042import org.slf4j.Logger;
043import org.springframework.test.context.ContextConfiguration;
044import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
045
046import javax.inject.Inject;
047import javax.jcr.AccessDeniedException;
048import javax.jcr.Repository;
049import javax.jcr.RepositoryException;
050import javax.jcr.Session;
051import javax.jcr.security.Privilege;
052import javax.servlet.http.HttpServletRequest;
053
054/**
055 * @author Gregory Jansen
056 */
057@RunWith(SpringJUnit4ClassRunner.class)
058@ContextConfiguration(locations = {"/spring-test/mocked-fad-repo.xml"})
059public class ModeShapeHonorsFADResponseIT {
060
061    private static Logger logger =
062            getLogger(ModeShapeHonorsFADResponseIT.class);
063
064    @Inject
065    Repository repo;
066
067    @Inject
068    FedoraAuthorizationDelegate fad;
069
070    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
071
072    @Before
073    public void setUp() {
074        // final Map<String, String> config = new HashMap<String, String>();
075        // config.put(JcrRepositoryFactory.URL,
076        // "file:src/test/resources/repository.json");
077        // config.put(JcrRepositoryFactory.REPOSITORY_NAME,
078        // "fcrepo-secured-repo");
079        // repo = new JcrRepositoryFactory().getRepository(config);
080    }
081
082    @Test
083    public void testFADFactory() {
084        Assert.assertNotNull(
085                "AuthenticationProvider must return a AuthenticationProvider",
086                ServletContainerAuthenticationProvider.getInstance());
087    }
088
089    @Test
090    public void testPermissiveFAD() throws RepositoryException {
091        when(request.getRemoteUser()).thenReturn("fred");
092        when(request.getUserPrincipal()).thenReturn(
093                new BasicUserPrincipal("fred"));
094        when(
095                request.isUserInRole(Mockito
096                        .eq(ServletContainerAuthenticationProvider.FEDORA_USER_ROLE)))
097                .thenReturn(true);
098        Mockito.reset(fad);
099        when(fad.hasPermission(any(Session.class), any(Path.class), any(String[].class))).thenReturn(true);
100
101        final ServletCredentials credentials =
102                new ServletCredentials(request);
103        final Session session = repo.login(credentials);
104        final Privilege[] rootPrivs =
105                session.getAccessControlManager().getPrivileges("/");
106        for (final Privilege p : rootPrivs) {
107            logger.debug("got priv: " + p.getName());
108        }
109        final ContainerService os = new ContainerServiceImpl();
110        os.findOrCreate(session, "/myobject");
111        verify(fad, atLeastOnce()).hasPermission(any(Session.class), any(Path.class), any(String[].class));
112    }
113
114    @Test(expected = AccessDeniedException.class)
115    public void testRestrictiveFAD() throws Throwable {
116        when(request.getRemoteUser()).thenReturn("fred");
117        when(request.getUserPrincipal()).thenReturn(
118                new BasicUserPrincipal("fred"));
119        when(
120                request.isUserInRole(Mockito
121                        .eq(ServletContainerAuthenticationProvider.FEDORA_USER_ROLE)))
122                .thenReturn(true);
123
124        // first permission check is for login
125        Mockito.reset(fad);
126        when(fad.hasPermission(any(Session.class), any(Path.class), any(String[].class))).thenReturn(true, false);
127
128        final ServletCredentials credentials = new ServletCredentials(request);
129        final Session session = repo.login(credentials);
130        final ContainerService os = new ContainerServiceImpl();
131        try {
132            os.findOrCreate(session, "/myobject");
133        } catch (final RepositoryRuntimeException e) {
134            throw e.getCause();
135        }
136        verify(fad, times(5)).hasPermission(any(Session.class), any(Path.class), any(String[].class));
137    }
138}