@Test
public void testContentClassComponentListPlexusResource() throws Exception {
String role = "repo_content_classes";
// do admin
List<PlexusComponentListResource> result1 =
this.getResult(role, this.getXMLXStream(), MediaType.APPLICATION_XML);
Assert.assertThat(getHints(result1), IsCollectionContaining.hasItems("maven1", "maven2"));
// 403 test
this.overwriteUserRole(TEST_USER_NAME, "login-only" + role, "2");
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
Response response = sendMessage(role, this.getXMLXStream(), MediaType.APPLICATION_XML);
Assert.assertTrue(
"Expected Error: Status was: " + response.getStatus().getCode(),
response.getStatus().isClientError());
Assert.assertEquals(403, response.getStatus().getCode());
// only content class priv
this.overwriteUserRole(TEST_USER_NAME, "content-classes" + role, "70");
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
response = sendMessage(role, this.getXMLXStream(), MediaType.APPLICATION_XML);
Assert.assertTrue(response.getStatus().isSuccess());
}
@Test
public void withoutPermission() throws Exception {
overwriteUserRole(
TEST_USER_NAME,
"anonymous-with-login-but-setpw",
"1",
"2" /* login */,
"6",
"14",
"17",
"19",
"44",
"54",
"55",
"57",
"58",
"59", /* "72" set pw, */
"T1",
"T2");
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
// NOT Should be able to forgot my own username
Status status = ChangePasswordUtils.changePassword("test-user", "123admin");
Assert.assertEquals(403, status.getCode());
// NOT Should be able to forgot anyone username
status = ChangePasswordUtils.changePassword("admin", "123admin");
Assert.assertEquals(403, status.getCode());
}
@Test
public void testScheduledTaskTypeComonentListPlexusResource() throws Exception {
String role = "schedule_types";
// do admin
List<PlexusComponentListResource> result1 =
this.getResult(role, this.getXMLXStream(), MediaType.APPLICATION_XML);
Assert.assertTrue("Expected list larger then 1.", result1.size() > 1);
// 403 test
this.overwriteUserRole(TEST_USER_NAME, "login-only" + role, "2");
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
Response response = sendMessage(role, this.getXMLXStream(), MediaType.APPLICATION_XML);
Assert.assertTrue(
"Expected Error: Status was: " + response.getStatus().getCode(),
response.getStatus().isClientError());
Assert.assertEquals(403, response.getStatus().getCode());
// only content class priv
this.overwriteUserRole(TEST_USER_NAME, "schedule_types" + role, "71");
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
response = sendMessage(role, this.getXMLXStream(), MediaType.APPLICATION_XML);
Assert.assertTrue(response.getStatus().isSuccess());
}
@Test
public void withoutPermission() throws Exception {
overwriteUserRole(
TEST_USER_NAME,
"anonymous-with-login-but-forgot",
"1",
"2" /* login */,
"6",
"14",
"17",
"19",
"44",
"54",
"55", /* "57" forgot, */
"58",
"59",
"T1",
"T2");
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
// NOT Should be able to forgot anyone password
Response response =
ForgotPasswordUtils.get(this).recoverUserPassword("anonymous", "*****@*****.**");
Assert.assertEquals("Status", response.getStatus().getCode(), 403);
// NOT Should be able to forgot my own password
response =
ForgotPasswordUtils.get(this)
.recoverUserPassword(TEST_USER_NAME, "*****@*****.**");
Assert.assertEquals("Status", response.getStatus().getCode(), 403);
}
/**
* Sets the exposed flag of repository.
*
* @param exposed
* @throws IOException
*/
protected void setExposed(final boolean exposed) throws IOException {
TestContainer.getInstance().getTestContext().useAdminForRequests();
TestContainer.getInstance().getTestContext().setSecureTest(true);
final RepositoryBaseResource releasesRepository =
getRepositoryMessageUtil().getRepository(REPO_TEST_HARNESS_RELEASE_REPO);
releasesRepository.setExposed(exposed);
getRepositoryMessageUtil().updateRepo(releasesRepository);
}
@Test
public void getGroupNoAccessTest() throws Exception {
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
String repoId = "public";
RequestFacade.doGet(GroupMessageUtil.SERVICE_PART + "/" + repoId, respondsWithStatusCode(403));
}
@Test
public void getRepositoryNoAccessTest() throws Exception {
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
RequestFacade.doGet(
"service/local/repositories/" + getTestRepositoryId(), respondsWithStatusCode(403));
}
@Test
public void getRepositoriesListNoAccessTest() throws Exception {
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
List<RepositoryListResource> repoList = repoUtil.getList();
Assert.assertEquals(0, repoList.size());
}
@Test
public void updateRepositoryNoAccessTest() throws Exception {
RepositoryBaseResource repo = repoUtil.getRepository(getTestRepositoryId());
repo.setName("new name");
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
Response response = this.repoUtil.sendMessage(Method.PUT, repo);
Assert.assertEquals("Status: " + response.getStatus(), response.getStatus().getCode(), 403);
}
@Test
public void deleteGroupNoAccessTest() throws Exception {
String repoId = "public";
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
Response response =
RequestFacade.sendMessage(GroupMessageUtil.SERVICE_PART + "/" + repoId, Method.DELETE);
Assert.assertEquals("Status: " + response.getStatus(), response.getStatus().getCode(), 403);
}
@Test
public void deleteRepositoryNoAccessTest() throws Exception {
String repoId = this.getTestRepositoryId();
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
Response response =
RequestFacade.sendMessage("service/local/repositories/" + repoId, Method.DELETE);
Assert.assertEquals("Status: " + response.getStatus(), response.getStatus().getCode(), 403);
}
@Test(expectedExceptions = FileNotFoundException.class)
public void checkMetadataOnGroup() throws Exception {
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
downloadFile(
new URL(
nexusBaseUrl
+ GROUP_REPOSITORY_RELATIVE_URL
+ NEXUS1560_GROUP
+ "/nexus1560/artifact/maven-metadata.xml"),
"./target/downloads/nexus1560/repo-maven-metadata.xml");
}
@Test
public void createRepositoryNoAccessTest() throws Exception {
String repoId = "test-repo";
RepositoryBaseResource repo = this.repoUtil.getRepository(this.getTestRepositoryId());
repo.setId(repoId);
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
Response response = this.repoUtil.sendMessage(Method.POST, repo, repoId);
Assert.assertEquals("Status: " + response.getStatus(), response.getStatus().getCode(), 403);
}
@Test
public void updateGroupNoAccessTest() throws Exception {
String repoId = "public";
RepositoryGroupResource repo = this.groupUtil.getGroup(repoId);
repo.setName("new name");
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
Response response = this.groupUtil.sendMessage(Method.PUT, repo);
Assert.assertEquals("Status: " + response.getStatus(), response.getStatus().getCode(), 403);
}
@Test
public void getRepositoriesListWithAccessTest() throws Exception {
// give the user view access to
String repoId = this.getTestRepositoryId();
String viewPriv = "repository-" + repoId;
this.addPrivilege(TEST_USER_NAME, viewPriv);
// use test user
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
List<RepositoryListResource> repoList = repoUtil.getList();
Assert.assertEquals(1, repoList.size());
Assert.assertEquals(repoList.get(0).getId(), repoId);
}
@Test
public void test() throws Exception {
// use admin
TestContext testContext = TestContainer.getInstance().getTestContext();
// user is created at security.xml
testContext.setUsername(NEXUS504_USER);
testContext.setPassword(TEST_USER_PASSWORD);
assertThat(UserCreationUtil.login(), hasStatusCode(403));
// add login privilege to role
testContext.useAdminForRequests();
RoleResource role = roleUtil.getRole(NEXUS504_ROLE);
role.addPrivilege("2" /* login */);
assertThat(
"Unable to add login privilege to role "
+ NEXUS504_ROLE
+ "\n"
+ RoleMessageUtil.update(role).getDescription(),
RoleMessageUtil.update(role),
isSuccess());
// try to login again
testContext.setUsername(NEXUS504_USER);
testContext.setPassword(TEST_USER_PASSWORD);
Status status2 = UserCreationUtil.login();
assertThat(status2, hasStatusCode(200));
}
/**
* To me this seems like a bad hack around this problem. I don't have any other thoughts though.
* <br>
* If you see this and think: "Wow, why did he to that instead of XYZ, please let me know." <br>
* The issue is that we want to init the tests once (to start/stop the app) and the <code>
* @BeforeClass</code> is static, so we don't have access to the package name of the running
* tests. We are going to use the package name to find resources for additional setup. NOTE: With
* this setup running multiple Test at the same time is not possible.
*
* @throws Exception
*/
@Before
public void oncePerClassSetUp() throws Exception {
synchronized (AbstractNexusIntegrationTest.class) {
log.debug("oncePerClassSetUp is init: " + NEEDS_INIT);
if (NEEDS_INIT) {
// this will trigger PlexusContainer creation when test is instantiated, but only if needed
getITPlexusContainer(getClass());
// tell the console what we are doing, now that there is no output its
log.info("Running Test: " + getClass().getSimpleName());
setupLog4j();
// clean common work dir
beforeStartClean();
copyTestResources();
HashMap<String, String> variables = new HashMap<String, String>();
variables.put("test-harness-id", getTestId());
this.copyConfigFiles();
// At this point we have the final log4j config for the IT, switch log4j to use it.
PropertyConfigurator.configure(WORK_CONF_DIR + "/log4j.properties");
// TODO: Below, Nexus configuration upgrade happens! But this is insane, since it is the IT
// that
// upgrades
// nexus config, not the tested product! If, by any chance, we start to test another
// product, that is
// not in this buildtree (hence, the configuration classes will not be equal like
// currently), this is
// make hell loose!
// we need to make sure the config is valid, so we don't need to hunt through log files
if (this.verifyNexusConfigBeforeStart) {
getNexusConfigUtil().validateConfig();
}
// the validation needs to happen before we enable security it triggers an upgrade.
getNexusConfigUtil()
.enableSecurity(
TestContainer.getInstance().getTestContext().isSecureTest()
|| Boolean.valueOf(System.getProperty("secure.test")));
// start nexus
startNexus();
// deploy artifacts
deployArtifacts();
runOnce();
// TODO: we can remove this now that we have the soft restart
NEEDS_INIT = false;
}
}
}
@Test(groups = SECURITY)
public void testCreatePermission() throws IOException {
this.giveUserPrivilege(TEST_USER_NAME, "repository-all");
RepositoryGroupResource group = new RepositoryGroupResource();
group.setId("testCreatePermission");
group.setName("testCreatePermission");
group.setFormat("maven2");
group.setProvider("maven2");
RepositoryGroupMemberRepository member = new RepositoryGroupMemberRepository();
member.setId("nexus-test-harness-repo");
group.addRepository(member);
TestContainer.getInstance().getTestContext().setUsername("test-user");
TestContainer.getInstance().getTestContext().setPassword("admin123");
Response response = this.groupUtil.sendMessage(Method.POST, group);
Assert.assertEquals(response.getStatus().getCode(), 403, "Response status: ");
// use admin
TestContainer.getInstance().getTestContext().useAdminForRequests();
// now give create
this.giveUserPrivilege("test-user", "13");
// now.... it should work...
TestContainer.getInstance().getTestContext().setUsername("test-user");
TestContainer.getInstance().getTestContext().setPassword("admin123");
response = this.groupUtil.sendMessage(Method.POST, group);
Assert.assertEquals(response.getStatus().getCode(), 201, "Response status: ");
group = this.groupUtil.getGroup(group.getId());
// read should succeed (inherited)
response = this.groupUtil.sendMessage(Method.GET, group);
Assert.assertEquals(response.getStatus().getCode(), 200, "Response status: ");
// update should fail
response = this.groupUtil.sendMessage(Method.PUT, group);
Assert.assertEquals(response.getStatus().getCode(), 403, "Response status: ");
// delete should fail
response = this.groupUtil.sendMessage(Method.DELETE, group);
Assert.assertEquals(response.getStatus().getCode(), 403, "Response status: ");
}
@BeforeClass
public void setSecureTest() throws Exception {
// get a test container for the test
TestContainer.getInstance().getTestContext().setSecureTest(true);
// set log level of Nexus to debug
System.setProperty("it.nexus.log.level", "DEBUG");
}
@Test
@Category(SECURITY.class)
public void withPermission() throws Exception {
overwriteUserRole(
TEST_USER_NAME,
"anonymous-with-login-changepw",
"1",
"2" /* login */,
"6",
"14",
"17",
"19",
"44",
"54",
"55",
"57",
"58",
"59",
"64" /* change pw */,
"T1",
"T2");
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
// Should be able to change my own password
Status status = ChangePasswordUtils.changePassword("test-user", "admin123", "123admin");
Assert.assertTrue(status.isSuccess());
// password changed ! should fail
status = ChangePasswordUtils.changePassword("test-user", "admin123", "123admin");
Assert.assertEquals(401, status.getCode());
status = ChangePasswordUtils.changePassword("test-user", "123admin", "admin123");
Assert.assertEquals(401, status.getCode());
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword("123admin");
// should pass
status = ChangePasswordUtils.changePassword("test-user", "123admin", "admin123");
Assert.assertTrue(status.isSuccess());
// should NOT be able to change another users password
}
@Test
public void downloadWithPermition() throws Exception {
AbstractMavenNexusIT.cleanRepository(
new File(TestProperties.getString("maven.local.repo")), getTestId());
TestContainer.getInstance().getTestContext().useAdminForRequests();
replaceUserRole(TEST_USER_NAME, "nx-admin");
download();
}
@Test
public void wrongAnonymousAccount() throws Exception {
TestContainer.getInstance().getTestContext().useAdminForRequests();
GlobalConfigurationResource globalConfig = SettingsMessageUtil.getCurrentSettings();
globalConfig.setSecurityAnonymousUsername("zigfrid");
Status status = SettingsMessageUtil.save(globalConfig);
Assert.assertEquals(status.getCode(), 400, "Can't set an invalid user as anonymous");
}
protected Status sendMessage(final boolean authenticated, final URL url, Method method)
throws IOException {
Response response = null;
final boolean wasSecureTest = TestContainer.getInstance().getTestContext().isSecureTest();
try {
TestContainer.getInstance().getTestContext().setSecureTest(authenticated);
response = RequestFacade.sendMessage(url, method, null);
return response.getStatus();
} finally {
if (response != null) {
RequestFacade.releaseResponse(response);
}
TestContainer.getInstance().getTestContext().setSecureTest(wasSecureTest);
}
}
@Test
public void checkMetadataOnRepository() throws Exception {
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
File file =
downloadFile(
new URL(
nexusBaseUrl
+ REPOSITORY_RELATIVE_URL
+ REPO_TEST_HARNESS_REPO
+ "/nexus1560/artifact/maven-metadata.xml"),
"./target/downloads/nexus1560/repo-maven-metadata.xml");
Xpp3Dom dom = Xpp3DomBuilder.build(new FileReader(file));
Xpp3Dom[] versions = dom.getChild("versioning").getChild("versions").getChildren("version");
for (Xpp3Dom version : versions) {
Assert.assertEquals(
version.getValue(), "1.0", "Invalid version available on metadata" + dom.toString());
}
}
@Test
public void testAdminPrivileges() throws Exception {
TestContainer.getInstance().getTestContext().useAdminForRequests();
List<ClientPermission> permissions = this.getPermissions();
Assert.assertEquals(this.getExpectedPrivilegeCount(), permissions.size());
for (ClientPermission clientPermission : permissions) {
Assert.assertEquals(15, clientPermission.getValue());
}
}
@AfterClass
public static void oncePerClassTearDown() throws Exception {
// turn off security, of the current IT with security on won't affect the next IT
TestContainer.getInstance().getTestContext().setSecureTest(false);
// stop nexus
stopNexus();
takeSnapshot();
// kill existing container if around
killITPlexusContainer();
}
@Test
public void withPermission() throws Exception {
overwriteUserRole(
TEST_USER_NAME,
"anonymous-with-login-setpw",
"1",
"2" /* login */,
"6",
"14",
"17",
"19",
"44",
"54",
"55",
"57",
"58",
"59",
"72" /* set pw */,
"T1",
"T2");
TestContainer.getInstance().getTestContext().setUsername(TEST_USER_NAME);
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
// Should be able to change my own password
Status status = ChangePasswordUtils.changePassword("test-user", "newPassword");
Assert.assertEquals("Status", 204, status.getCode());
// we need to change the password around for this
TestContainer.getInstance().getTestContext().setPassword("newPassword");
status = ChangePasswordUtils.changePassword("test-user", "newPassword");
Assert.assertEquals("Status", 204, status.getCode());
status = ChangePasswordUtils.changePassword("test-user", TEST_USER_PASSWORD);
Assert.assertEquals("Status", 204, status.getCode());
TestContainer.getInstance().getTestContext().setPassword(TEST_USER_PASSWORD);
}
@BeforeMethod
public void init() throws Exception {
TestContainer.getInstance().getTestContext().useAdminForRequests();
addPriv(
TEST_USER_NAME,
REPO_TEST_HARNESS_REPO + "-priv",
TargetPrivilegeDescriptor.TYPE,
"1",
REPO_TEST_HARNESS_REPO,
null,
"read");
// Now need the view priv as well
addPrivilege(TEST_USER_NAME, "repository-" + REPO_TEST_HARNESS_REPO);
}
public <T> T invokeAsAdministrator(final Callable<T> callable) throws Exception {
final TestContext ctx = TestContainer.getInstance().getTestContext();
final String username = ctx.getUsername();
final String password = ctx.getPassword();
final boolean secure = ctx.isSecureTest();
ctx.useAdminForRequests();
ctx.setSecureTest(true);
try {
return callable.call();
} finally {
ctx.setUsername(username);
ctx.setPassword(password);
ctx.setSecureTest(secure);
}
}
private int getExpectedPrivilegeCount() throws Exception {
TestContainer.getInstance().getTestContext().useAdminForRequests();
Set<String> privIds = new HashSet<String>();
List<PrivilegeStatusResource> privs =
new PrivilegesMessageUtil(this, XStreamFactory.getXmlXStream(), MediaType.APPLICATION_XML)
.getList();
for (PrivilegeStatusResource priv : privs) {
if (priv.getType().equals("method")) {
for (PrivilegeProperty prop : priv.getProperties()) {
if (prop.getKey().equals("permission")) {
privIds.add(prop.getValue());
}
}
}
}
return privIds.size();
// return getUserPrivs( TestContainer.getInstance().getTestContext().getUsername() ).size();
}
