Merge pull request #745 from sonatype/catch-all-fix

Catch-All fix
sonatype · Feb 14, 2013 · d56d59b · d56d59b
2 parents 03f5e6e + 0431194
commit d56d59b
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 4 deletions.
diff --git a/...tlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/NexusApplication.java b/...tlet1x/nexus-restlet1x-plugin/src/main/java/org/sonatype/nexus/rest/NexusApplication.java
@@ -14,6 +14,7 @@
 
 import java.util.List;
 
+import org.apache.shiro.util.AntPathMatcher;
 import org.codehaus.plexus.component.annotations.Component;
 import org.codehaus.plexus.component.annotations.Requirement;
 import org.restlet.Application;
@@ -228,11 +229,9 @@ protected void doCreateRoot( Router root, boolean isStarted )
         this.protectedPathManager.addProtectedResource( "/content"
             + contentResource.getResourceProtection().getPathPattern(), "noSessionCreation,"
             + contentResource.getResourceProtection().getFilterExpression() );
-
-        // protecting service resources with "wall" permission
-        this.protectedPathManager.addProtectedResource( "/service/local/**",
-            "noSessionCreation,authcBasic,perms[nexus:permToCatchAllUnprotecteds]" );
     }
+
+    private final AntPathMatcher shiroAntPathMatcher = new AntPathMatcher();
 
     @Override
     protected void handlePlexusResourceSecurity( PlexusResource resource )
@@ -244,6 +243,15 @@ protected void handlePlexusResourceSecurity( PlexusResource resource )
             return;
         }
 
+        // sanity check: path protection descriptor path and resource URI must align
+        if ( !shiroAntPathMatcher.match( descriptor.getPathPattern(), resource.getResourceUri() ) )
+        {
+            throw new IllegalStateException( String.format(
+                "Plexus resource %s would attach to URI=%s but protect path=%s that does not matches URI!",
+                resource.getClass().getName(), resource.getResourceUri(),
+                descriptor.getPathPattern() ) );
+        }
+
         String filterExpression = descriptor.getFilterExpression();
         if ( filterExpression != null && !filterExpression.contains( "authcNxBasic" ) )
         {

diff --git a/...c/test/java/org/sonatype/nexus/rest/NexusApplicationHandlePlexusResourceSecurityTest.java b/...c/test/java/org/sonatype/nexus/rest/NexusApplicationHandlePlexusResourceSecurityTest.java
@@ -0,0 +1,62 @@
+/*
+ * Sonatype Nexus (TM) Open Source Version
+ * Copyright (c) 2007-2012 Sonatype, Inc.
+ * All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
+ *
+ * This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
+ * which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
+ *
+ * Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
+ * of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
+ * Eclipse Foundation. All other trademarks are the property of their respective owners.
+ */
+package org.sonatype.nexus.rest;
+
+import org.junit.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.sonatype.plexus.rest.resource.PathProtectionDescriptor;
+import org.sonatype.plexus.rest.resource.PlexusResource;
+import org.sonatype.security.web.ProtectedPathManager;
+import org.sonatype.sisu.litmus.testsupport.TestSupport;
+
+public class NexusApplicationHandlePlexusResourceSecurityTest
+    extends TestSupport
+{
+    @Mock
+    private PlexusResource mockResource;
+
+    @Mock( name = "protectedPathManager" )
+    private ProtectedPathManager mockProtectedPathManager;
+
+    @InjectMocks
+    private NexusApplication nexusApplication = new NexusApplication();
+
+    @Test( expected = IllegalStateException.class )
+    public void handlePlexusResourceSecurityWithMismatch()
+    {
+        final PathProtectionDescriptor descriptor = new PathProtectionDescriptor( "/foo/bar/*", "" );
+        Mockito.when( mockResource.getResourceProtection() ).thenReturn( descriptor );
+        Mockito.when( mockResource.getResourceUri() ).thenReturn( "/foo/baz" );
+        nexusApplication.handlePlexusResourceSecurity( mockResource );
+    }
+
+    @Test
+    public void handlePlexusResourceSecurityWithoutMismatch()
+    {
+        final PathProtectionDescriptor descriptor = new PathProtectionDescriptor( "/foo/bar/*", "" );
+        Mockito.when( mockResource.getResourceProtection() ).thenReturn( descriptor );
+        Mockito.when( mockResource.getResourceUri() ).thenReturn( "/foo/bar/{pattern}" );
+        nexusApplication.handlePlexusResourceSecurity( mockResource );
+    }
+
+    @Test
+    public void handlePlexusResourceSecurityWithoutMismatchWithRestletPatterns()
+    {
+        final PathProtectionDescriptor descriptor = new PathProtectionDescriptor( "/repositories/*", "" );
+        Mockito.when( mockResource.getResourceProtection() ).thenReturn( descriptor );
+        Mockito.when( mockResource.getResourceUri() ).thenReturn( "/repositories/{repoId}" );
+        nexusApplication.handlePlexusResourceSecurity( mockResource );
+    }
+}