Source Code of com.sonatype.nexus.testsuite.ssl.SSLSecurityIT

/*
 * Sonatype Nexus (TM) Open Source Version
 * Copyright (c) 2007-2014 Sonatype, Inc.
 * All rights reserved. Includes the third-party code listed at http://links.sonatype.com/products/nexus/oss/attributions.
 *
 * This program and the accompanying materials are made available under the terms of the Eclipse Public License Version 1.0,
 * which accompanies this distribution and is available at http://www.eclipse.org/legal/epl-v10.html.
 *
 * Sonatype Nexus (TM) Professional Version is available from Sonatype, Inc. "Sonatype" and "Sonatype Nexus" are trademarks
 * of Sonatype, Inc. Apache Maven is a trademark of the Apache Software Foundation. M2eclipse is a trademark of the
 * Eclipse Foundation. All other trademarks are the property of their respective owners.
 */

package com.sonatype.nexus.testsuite.ssl;

import java.util.Collection;

import com.sonatype.nexus.ssl.client.Certificate;
import com.sonatype.nexus.ssl.client.TrustStore;

import org.sonatype.nexus.client.core.NexusClient;
import org.sonatype.nexus.client.core.subsystem.security.Role;
import org.sonatype.nexus.client.core.subsystem.security.Roles;
import org.sonatype.nexus.client.core.subsystem.security.User;
import org.sonatype.nexus.client.core.subsystem.security.Users;

import com.sun.jersey.api.client.ClientResponse.Status;
import com.sun.jersey.api.client.UniformInterfaceException;
import org.apache.commons.io.FileUtils;
import org.hamcrest.Matchers;
import org.junit.Before;
import org.junit.Test;

import static org.hamcrest.MatcherAssert.*;

/**
 * ITs related to trusted keys management.
 *
 * @since 1.0
 */
public class SSLSecurityIT
    extends SSLITSupport
{

  private static final String TEST_USER_PASSWORD = "xyz123";

  private NexusClient clientForTestUser;

  private Role role;

  public SSLSecurityIT(final String nexusBundleCoordinates) {
    super(nexusBundleCoordinates);
  }

  @Before
  public void prepare() {
    final String roleName = uniqueName("r");
    role = client().getSubsystem(Roles.class).create(roleName)
        .withName(roleName)
        .withRole("anonymous")
        .save();

    final User user = client().getSubsystem(Users.class).create(uniqueName("u"))
        .withEmail("foo_bar@sonatype.org")
        .withFirstName("bar")
        .withLastName("foo")
        .withPassword(TEST_USER_PASSWORD)
        .withRole(role.id())
        .save();

    clientForTestUser = createNexusClient(nexus(), user.id(), TEST_USER_PASSWORD);

    // remove all trusted keys
    final Collection<Certificate> trustedKeys = truststore().get();
    for (final Certificate trustedKey : trustedKeys) {
      trustedKey.remove();
    }
  }

  /**
   * Verify that trusted keys can be read only when user has "ssl-truststore-read" or "ssl-truststore-create" or
   * "ssl-truststore-delete" permission.
   */
  @Test
  public void read() {
    try {
      clientForTestUser.getSubsystem(TrustStore.class).get();
      assertThat("Expected to fail with 403 Forbidden", false);
    }
    catch (UniformInterfaceException e) {
      // expected as user does not have the necessary permissions
      assertThat(e.getResponse().getClientResponseStatus(), Matchers.is(Status.FORBIDDEN));
    }

    role.withPrivilege("ssl-truststore-read").save();
    clientForTestUser.getSubsystem(TrustStore.class).get();
    role.removePrivilege("ssl-truststore-read").save();

    role.withPrivilege("ssl-truststore-create").save();
    clientForTestUser.getSubsystem(TrustStore.class).get();
    role.removePrivilege("ssl-truststore-create").save();

    role.withPrivilege("ssl-truststore-delete").save();
    clientForTestUser.getSubsystem(TrustStore.class).get();
    role.removePrivilege("ssl-truststore-delete").save();
  }

  /**
   * Verify that trusted keys can be created only when user has "ssl-truststore-create" permission.
   */
  @Test
  public void create()
      throws Exception
  {
    try {
      clientForTestUser.getSubsystem(TrustStore.class).create()
          .withPem(FileUtils.readFileToString(testData().resolveFile("pem.txt")))
          .save();
      assertThat("Expected to fail with 403 Forbidden", false);
    }
    catch (UniformInterfaceException e) {
      // expected as user does not have the necessary permissions
      assertThat(e.getResponse().getClientResponseStatus(), Matchers.is(Status.FORBIDDEN));
    }

    role.withPrivilege("ssl-truststore-create").save();
    clientForTestUser.getSubsystem(TrustStore.class).create()
        .withPem(FileUtils.readFileToString(testData().resolveFile("pem.txt")))
        .save();
  }

  /**
   * Verify that trusted keys can be deleted only when user has "ssl-truststore-delete" permission.
   */
  @Test
  public void delete()
      throws Exception
  {
    role.withPrivilege("ssl-truststore-create").save();
    final Certificate trustedKey = clientForTestUser.getSubsystem(TrustStore.class).create()
        .withPem(FileUtils.readFileToString(testData().resolveFile("pem.txt")))
        .save();

    try {
      trustedKey.remove();
      assertThat("Expected to fail with 403 Forbidden", false);
    }
    catch (UniformInterfaceException e) {
      // expected as user does not have the necessary permissions
      assertThat(e.getResponse().getClientResponseStatus(), Matchers.is(Status.FORBIDDEN));
    }

    role.withPrivilege("ssl-truststore-delete").save();
    trustedKey.remove();
  }

}