SLING-11254 Make additional authorization on HTTP scan endpoint mandatory
diff --git a/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServlet.java b/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServlet.java
index 6b4b5e6..7fb2c35 100644
--- a/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServlet.java
+++ b/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServlet.java
@@ -123,17 +123,15 @@
@SuppressWarnings({"checkstyle:IllegalCatch", "checkstyle:ReturnCount", "checkstyle:ExecutableStatementCount"})
protected void doPost(@NotNull final SlingHttpServletRequest request, @NotNull final SlingHttpServletResponse response) throws ServletException, IOException {
final List<String> groups = Arrays.asList(configuration.scan_authorized_groups());
- if (!groups.isEmpty()) {
- boolean isAuthorized = false;
- try {
- isAuthorized = isAuthorized(request, groups);
- } catch (Exception e) {
- logger.error(e.getMessage(), e);
- }
- if (!isAuthorized) {
- handleError(response, HttpServletResponse.SC_FORBIDDEN, null);
- return;
- }
+ boolean isAuthorized = false;
+ try {
+ isAuthorized = isAuthorized(request, groups);
+ } catch (Exception e) {
+ logger.error(e.getMessage(), e);
+ }
+ if (!isAuthorized) {
+ handleError(response, HttpServletResponse.SC_FORBIDDEN, null);
+ return;
}
final String path;
diff --git a/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServletConfiguration.java b/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServletConfiguration.java
index 4eadf0a..be42e58 100644
--- a/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServletConfiguration.java
+++ b/src/main/java/org/apache/sling/clam/http/internal/ClamJcrScanServletConfiguration.java
@@ -45,7 +45,7 @@
name = "scan authorized groups",
description = "User groups authorized for scanning"
)
- String[] scan_authorized_groups() default {};
+ String[] scan_authorized_groups() default {"sling-clam-scan"};
@AttributeDefinition(
name = "default property types",
diff --git a/src/test/java/org/apache/sling/clam/it/tests/ClamJcrScanServletIT.java b/src/test/java/org/apache/sling/clam/it/tests/ClamJcrScanServletIT.java
index 38f3942..99377fa 100644
--- a/src/test/java/org/apache/sling/clam/it/tests/ClamJcrScanServletIT.java
+++ b/src/test/java/org/apache/sling/clam/it/tests/ClamJcrScanServletIT.java
@@ -21,6 +21,7 @@
import java.io.IOException;
import javax.inject.Inject;
+import javax.servlet.http.HttpServletResponse;
import org.apache.sling.clam.it.support.RecordingJcrPropertyScanResultHandler;
import org.apache.sling.clam.result.JcrPropertyScanResultHandler;
@@ -73,7 +74,33 @@
.when()
.post(url)
.then()
- .statusCode(401);
+ .statusCode(HttpServletResponse.SC_UNAUTHORIZED);
+ }
+
+ @Test
+ public void testNonAuthorized() throws Exception {
+ final String url = String.format(URL_TEMPLATE, httpPort());
+ given()
+ .auth()
+ .basic(ADMIN_USERNAME, ADMIN_PASSWORD)
+ .param("path", "/content/starter")
+ .when()
+ .post(url)
+ .then()
+ .statusCode(HttpServletResponse.SC_FORBIDDEN);
+ }
+
+ @Test
+ public void testAuthorized() throws Exception {
+ final String url = String.format(URL_TEMPLATE, httpPort());
+ given()
+ .auth()
+ .basic(USER_USERNAME, USER_PASSWORD)
+ .param("path", "/content/starter")
+ .when()
+ .post(url)
+ .then()
+ .statusCode(HttpServletResponse.SC_OK);
}
@Test
@@ -84,12 +111,12 @@
final String url = String.format(URL_TEMPLATE, httpPort());
given()
.auth()
- .basic(ADMIN_USERNAME, ADMIN_PASSWORD)
+ .basic(USER_USERNAME, USER_PASSWORD)
.param("path", "/content/starter")
.when()
.post(url)
.then()
- .statusCode(200);
+ .statusCode(HttpServletResponse.SC_OK);
with()
.pollInterval(10, SECONDS)
diff --git a/src/test/java/org/apache/sling/clam/it/tests/ClamTestSupport.java b/src/test/java/org/apache/sling/clam/it/tests/ClamTestSupport.java
index f9e3a8f..b7b5bd0 100644
--- a/src/test/java/org/apache/sling/clam/it/tests/ClamTestSupport.java
+++ b/src/test/java/org/apache/sling/clam/it/tests/ClamTestSupport.java
@@ -74,6 +74,10 @@
static final String ADMIN_PASSWORD = "admin";
+ static final String USER_USERNAME = "bob";
+
+ static final String USER_PASSWORD = "foo";
+
protected ModifiableCompositeOption baseConfiguration() {
SlingOptions.versionResolver.setVersionFromProject(SLING_GROUP_ID, "org.apache.sling.commons.threads");
return composite(
@@ -89,6 +93,9 @@
factoryConfiguration("org.apache.sling.jcr.repoinit.RepositoryInitializer")
.put("scripts", new String[]{"create service user sling-clam\ncreate path (sling:Folder) /var/clam/results\nset ACL for sling-clam\nallow jcr:all on /var/clam\nend"})
.asOption(),
+ factoryConfiguration("org.apache.sling.jcr.repoinit.RepositoryInitializer")
+ .put("scripts", new String[]{"create user bob with password foo\ncreate group sling-clam-scan\nadd bob to group sling-clam-scan"})
+ .asOption(),
factoryConfiguration("org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended")
.put("user.mapping", new String[]{"org.apache.sling.clam=sling-clam", "org.apache.sling.clam:result-writer=sling-clam"})
.asOption(),
