Source code

001/*
002 * Licensed to DuraSpace under one or more contributor license agreements.
003 * See the NOTICE file distributed with this work for additional information
004 * regarding copyright ownership.
005 *
006 * DuraSpace licenses this file to you under the Apache License,
007 * Version 2.0 (the "License"); you may not use this file except in
008 * compliance with the License.  You may obtain a copy of the License at
009 *
010 *     http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software
013 * distributed under the License is distributed on an "AS IS" BASIS,
014 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
015 * See the License for the specific language governing permissions and
016 * limitations under the License.
017 */
018package org.fcrepo.auth.integration;
019
020import static org.fcrepo.kernel.modeshape.FedoraSessionImpl.getJcrSession;
021import static org.mockito.Matchers.any;
022import static org.mockito.Mockito.atLeastOnce;
023import static org.mockito.Mockito.times;
024import static org.mockito.Mockito.verify;
025import static org.mockito.Mockito.when;
026import static org.slf4j.LoggerFactory.getLogger;
027
028import org.apache.http.auth.BasicUserPrincipal;
029
030import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
031import org.fcrepo.auth.common.ServletContainerAuthenticationProvider;
032import org.fcrepo.kernel.api.FedoraRepository;
033import org.fcrepo.kernel.api.FedoraSession;
034import org.fcrepo.kernel.api.exception.RepositoryRuntimeException;
035import org.fcrepo.kernel.api.services.ContainerService;
036import org.fcrepo.kernel.modeshape.services.ContainerServiceImpl;
037
038import org.junit.Assert;
039import org.junit.Before;
040import org.junit.Test;
041import org.junit.runner.RunWith;
042import org.mockito.Mockito;
043import org.modeshape.jcr.api.ServletCredentials;
044import org.modeshape.jcr.value.Path;
045import org.slf4j.Logger;
046import org.springframework.test.context.ContextConfiguration;
047import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
048
049import javax.inject.Inject;
050import javax.jcr.AccessDeniedException;
051import javax.jcr.RepositoryException;
052import javax.jcr.Session;
053import javax.jcr.security.Privilege;
054import javax.servlet.http.HttpServletRequest;
055
056/**
057 * @author Gregory Jansen
058 */
059@RunWith(SpringJUnit4ClassRunner.class)
060@ContextConfiguration(locations = {"/spring-test/mocked-fad-repo.xml"})
061public class ModeShapeHonorsFADResponseIT {
062
063    private static Logger logger =
064            getLogger(ModeShapeHonorsFADResponseIT.class);
065
066    @Inject
067    FedoraRepository repo;
068
069    @Inject
070    FedoraAuthorizationDelegate fad;
071
072    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
073
074    @Before
075    public void setUp() {
076        // final Map<String, String> config = new HashMap<String, String>();
077        // config.put(JcrRepositoryFactory.URL,
078        // "file:src/test/resources/repository.json");
079        // config.put(JcrRepositoryFactory.REPOSITORY_NAME,
080        // "fcrepo-secured-repo");
081        // repo = new JcrRepositoryFactory().getRepository(config);
082    }
083
084    @Test
085    public void testFADFactory() {
086        Assert.assertNotNull(
087                "AuthenticationProvider must return a AuthenticationProvider",
088                ServletContainerAuthenticationProvider.getInstance());
089    }
090
091    @Test
092    public void testPermissiveFAD() throws RepositoryException {
093        when(request.getRemoteUser()).thenReturn("fred");
094        when(request.getUserPrincipal()).thenReturn(
095                new BasicUserPrincipal("fred"));
096        when(
097                request.isUserInRole(Mockito
098                        .eq(ServletContainerAuthenticationProvider.FEDORA_USER_ROLE)))
099                .thenReturn(true);
100        Mockito.reset(fad);
101        when(fad.hasPermission(any(Session.class), any(Path.class), any(String[].class))).thenReturn(true);
102
103        final ServletCredentials credentials =
104                new ServletCredentials(request);
105        final FedoraSession session = repo.login(credentials);
106        final Session jcrSession = getJcrSession(session);
107        final Privilege[] rootPrivs = jcrSession.getAccessControlManager().getPrivileges("/");
108        for (final Privilege p : rootPrivs) {
109            logger.debug("got priv: " + p.getName());
110        }
111        final ContainerService os = new ContainerServiceImpl();
112        os.findOrCreate(session, "/myobject");
113        verify(fad, atLeastOnce()).hasPermission(any(Session.class), any(Path.class), any(String[].class));
114    }
115
116    @Test(expected = AccessDeniedException.class)
117    public void testRestrictiveFAD() throws Throwable {
118        when(request.getRemoteUser()).thenReturn("fred");
119        when(request.getUserPrincipal()).thenReturn(
120                new BasicUserPrincipal("fred"));
121        when(
122                request.isUserInRole(Mockito
123                        .eq(ServletContainerAuthenticationProvider.FEDORA_USER_ROLE)))
124                .thenReturn(true);
125
126        // first permission check is for login
127        Mockito.reset(fad);
128        when(fad.hasPermission(any(Session.class), any(Path.class), any(String[].class))).thenReturn(true, false);
129
130        final ServletCredentials credentials = new ServletCredentials(request);
131        final FedoraSession session = repo.login(credentials);
132        final ContainerService os = new ContainerServiceImpl();
133        try {
134            os.findOrCreate(session, "/myobject");
135        } catch (final RepositoryRuntimeException e) {
136            throw e.getCause();
137        }
138        verify(fad, times(5)).hasPermission(any(Session.class), any(Path.class), any(String[].class));
139    }
140}