OO-4515: better check denied and add unit tests

src/main/java/org/olat/core/commons/services/webdav/manager/WebDAVManagerImpl.java

@@ -293,7 +293,7 @@ public class WebDAVManagerImpl implements WebDAVManager, InitializingBean {
 
 	protected UserSession handleDigestAuthentication(DigestAuthentication digestAuth, HttpServletRequest request) {
 		Identity identity = webDAVAuthManager.digestAuthentication(request.getMethod(), digestAuth);
-		if(identity != null) {
+		if(identity != null && securityManager.isIdentityVisible(identity)) {
 			log.info("WebDAV Digest authentication of: {}", identity);
 			return afterAuthorization(identity, request);
 		}
@@ -315,7 +315,7 @@ public class WebDAVManagerImpl implements WebDAVManager, InitializingBean {
 			// In this example, we simply check
 			// that neither field is blank
 			Identity identity = webDAVAuthManager.authenticate(null, userID, password);
-			if (identity != null) {
+			if (identity != null && securityManager.isIdentityVisible(identity)) {
 				log.debug("WebDAV Basic authentication of: {}", identity);
 				return afterAuthorization(identity, request);
 			}

src/main/java/org/olat/login/auth/OLATAuthManager.java

@@ -144,7 +144,7 @@ public class OLATAuthManager implements AuthenticationSPI {
 		}
 
 		if (authentication == null) {
-			log.info(Tracing.M_AUDIT, "Cannot authenticate user " + login + " via provider OLAT");
+			log.info(Tracing.M_AUDIT, "Cannot authenticate user {} via provider OLAT", login);
 			return null;
 		}
 		
@@ -156,12 +156,15 @@ public class OLATAuthManager implements AuthenticationSPI {
 				authentication = securityManager.updateCredentials(authentication, password, defAlgorithm);
 			}
 			Identity identity = authentication.getIdentity();
+			if(!securityManager.isIdentityVisible(identity)) {
+				return null;
+			}
 			if(identity != null && webDAVAuthManager != null) {
 				webDAVAuthManager.upgradePassword(identity, login, password);
 			}
 			return identity;
 		}
-		log.info(Tracing.M_AUDIT, "Cannot authenticate user " + login + " via provider OLAT");
+		log.info(Tracing.M_AUDIT, "Cannot authenticate user {} via provider OLAT", login);
 		return null;
 	}
 	

src/test/java/org/olat/core/commons/services/webdav/manager/WebDAVAuthManagerTest.java

@@ -50,6 +50,8 @@ public class WebDAVAuthManagerTest extends OlatTestCase {
 	@Autowired
 	private UserManager userManager;
 	@Autowired
+	private OLATAuthManager authManager;
+	@Autowired
 	private BaseSecurity securityManager;
 	@Autowired
 	private WebDAVAuthManager webdavAuthManager;
@@ -154,4 +156,49 @@ public class WebDAVAuthManagerTest extends OlatTestCase {
 		Assert.assertNotNull(id2);
 		dbInstance.commit();
 	}
+	
+	@Test
+	public void authenticationByName() {
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("webdav-user-1");
+		Identity reloadedUser = authManager.authenticate(id, id.getName(), JunitTestHelper.PWD);
+		Assert.assertNotNull(reloadedUser);
+		dbInstance.commitAndCloseSession();
+
+		// login successful
+		Identity authenticatedByLogin = webdavAuthManager.authenticate(null, id.getName(), JunitTestHelper.PWD);
+		Assert.assertNotNull(authenticatedByLogin);
+		Assert.assertEquals(id, authenticatedByLogin);
+	}
+	
+	@Test
+	public void authenticationByName_failed() {
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("webdav-usser-2");
+		Identity reloadedUser = authManager.authenticate(id, id.getName(), JunitTestHelper.PWD);
+		Assert.assertNotNull(reloadedUser);
+		dbInstance.commitAndCloseSession();
+		
+		// login successful
+		Identity authenticatedId = webdavAuthManager.authenticate(null, id.getName(), "ooops");
+		Assert.assertNull(authenticatedId);
+	}
+	
+	@Test
+	public void authenticationByName_denied() {
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("webdav-usser-2");
+		Identity reloadedUser = authManager.authenticate(id, id.getName(), JunitTestHelper.PWD);
+		Assert.assertNotNull(reloadedUser);
+		dbInstance.commitAndCloseSession();
+		
+		// login successful
+		Identity authenticatedId = webdavAuthManager.authenticate(null, id.getName(), JunitTestHelper.PWD);
+		Assert.assertNotNull(authenticatedId);
+		
+		// denied login
+		securityManager.saveIdentityStatus(authenticatedId, Identity.STATUS_LOGIN_DENIED, id);
+		dbInstance.commitAndCloseSession();
+		
+		// login failed
+		Identity deniedId = webdavAuthManager.authenticate(null, id.getName(), JunitTestHelper.PWD);
+		Assert.assertNull(deniedId);
+	}
 }

src/test/java/org/olat/core/commons/services/webdav/manager/WebDAVManagerTest.java

@@ -30,15 +30,19 @@ import java.util.concurrent.TimeUnit;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.logging.log4j.Logger;
 import org.junit.Assert;
 import org.junit.Test;
+import org.olat.basesecurity.BaseSecurity;
 import org.olat.core.commons.persistence.DB;
 import org.olat.core.commons.persistence.DBFactory;
 import org.olat.core.id.Identity;
-import org.apache.logging.log4j.Logger;
 import org.olat.core.logging.Tracing;
+import org.olat.core.util.Encoder;
+import org.olat.core.util.Encoder.Algorithm;
 import org.olat.core.util.StringHelper;
 import org.olat.core.util.UserSession;
+import org.olat.login.auth.OLATAuthManager;
 import org.olat.test.JunitTestHelper;
 import org.olat.test.OlatTestCase;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -57,23 +61,104 @@ public class WebDAVManagerTest extends OlatTestCase {
 	@Autowired
 	private DB dbInstance;
 	@Autowired
+	private OLATAuthManager authManager;
+	@Autowired
+	private BaseSecurity securityManager;
+	@Autowired
 	private WebDAVManagerImpl webDAVManager;
 	
 	@Test
 	public void handleBasicAuthentication() {
-		Identity id = JunitTestHelper.createAndPersistIdentityAsUser("dav-user-" + UUID.randomUUID().toString());
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("dav-user-1");
+
+		String credentialsClearText = id.getName() + ":" + JunitTestHelper.PWD;
+		String credentials = StringHelper.encodeBase64(credentialsClearText);
+		HttpServletRequest request = new MockHttpServletRequest();
+		UserSession usess = webDAVManager.handleBasicAuthentication(credentials, request);
+		Assert.assertNotNull(usess);
+		dbInstance.commit();
+	}
+	
+	@Test
+	public void handleBasicAuthentication_denied() {
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("dav-user-2");
+		authManager.authenticate(id, id.getName(), JunitTestHelper.PWD);
+		dbInstance.commitAndCloseSession();// derived WebDAV authentications saved
 
+		// login successful
 		String credentialsClearText = id.getName() + ":" + JunitTestHelper.PWD;
 		String credentials = StringHelper.encodeBase64(credentialsClearText);
 		HttpServletRequest request = new MockHttpServletRequest();
 		UserSession usess = webDAVManager.handleBasicAuthentication(credentials, request);
 		Assert.assertNotNull(usess);
+		
+		id = securityManager.saveIdentityStatus(id, Identity.STATUS_LOGIN_DENIED, id);
+		dbInstance.commitAndCloseSession();
+		
+		UserSession usessDenied = webDAVManager.handleBasicAuthentication(credentials, request);
+		Assert.assertNull(usessDenied);
+	}
+	
+	@Test
+	public void handleDigestAuthentication() {
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("dav-user-3");
+		authManager.authenticate(id, id.getName(), JunitTestHelper.PWD);
+		dbInstance.commitAndCloseSession();// derived WebDAV authentications saved
+		
+		HttpServletRequest request = new MockHttpServletRequest();
+		String username = id.getUser().getEmail();
+		String nonce = UUID.randomUUID().toString();
+		String uri = "https://www.openolat.com";
+		String cnonce = UUID.randomUUID().toString();
+		String nc = "nc";
+		String qop = "auth";
+		String token = username + ":" + WebDAVManagerImpl.BASIC_AUTH_REALM + ":" + JunitTestHelper.PWD;
+		String digestedToken = Encoder.encrypt(token, null, Algorithm.md5_iso_8859_1);
+		String ha2 = Encoder.md5hash( ":" + uri);
+		String response = digestedToken + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2;
+		String digestedReponse = Encoder.md5hash(response);
+		
+		DigestAuthentication digested = new DigestAuthentication(username, WebDAVManagerImpl.BASIC_AUTH_REALM, nonce, uri, cnonce, nc, digestedReponse, qop);
+		UserSession usess = webDAVManager.handleDigestAuthentication(digested, request);
+		Assert.assertNotNull(usess);
+		dbInstance.commit();
+	}
+	
+	@Test
+	public void handleDigestAuthentication_denied() {
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("dav-user-3");
+		authManager.authenticate(id, id.getName(), JunitTestHelper.PWD);
+		dbInstance.commitAndCloseSession();// derived WebDAV authentications saved
+		
+		HttpServletRequest request = new MockHttpServletRequest("POST", "https://www.openolat.col");
+		String username = id.getUser().getEmail();
+		String nonce = UUID.randomUUID().toString();
+		String uri = "https://www.openolat.com";
+		String cnonce = UUID.randomUUID().toString();
+		String nc = "nc";
+		String qop = "auth";
+		String token = username + ":" + WebDAVManagerImpl.BASIC_AUTH_REALM + ":" + JunitTestHelper.PWD;
+		String digestedToken = Encoder.encrypt(token, null, Algorithm.md5_iso_8859_1);
+		String ha2 = Encoder.md5hash("POST:" + uri);
+		String response = digestedToken + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + ha2;
+		String digestedReponse = Encoder.md5hash(response);
+		
+		// login successful
+		DigestAuthentication digested = new DigestAuthentication(username, WebDAVManagerImpl.BASIC_AUTH_REALM, nonce, uri, cnonce, nc, digestedReponse, qop);
+		UserSession usess = webDAVManager.handleDigestAuthentication(digested, request);
+		Assert.assertNotNull(usess);
 		dbInstance.commit();
+		
+		id = securityManager.saveIdentityStatus(id, Identity.STATUS_LOGIN_DENIED, id);
+		dbInstance.commitAndCloseSession();
+		
+		UserSession deniedSession = webDAVManager.handleDigestAuthentication(digested, request);
+		Assert.assertNull(deniedSession);
 	}
 	
 	@Test
 	public void testSetIdentityAsActiv() {
-		Identity id = JunitTestHelper.createAndPersistIdentityAsUser("dav-user-" + UUID.randomUUID().toString());
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("dav-user-4");
 		String credentialsClearText = id.getName() + ":" + JunitTestHelper.PWD;
 		String credentials = StringHelper.encodeBase64(credentialsClearText);
 		

src/test/java/org/olat/restapi/AuthenticationTest.java

@@ -49,10 +49,15 @@ import org.apache.http.util.EntityUtils;
 import org.apache.logging.log4j.Logger;
 import org.junit.Assert;
 import org.junit.Test;
+import org.olat.basesecurity.BaseSecurity;
+import org.olat.core.commons.persistence.DB;
+import org.olat.core.id.Identity;
 import org.olat.core.logging.Tracing;
 import org.olat.core.util.StringHelper;
 import org.olat.restapi.security.RestSecurityHelper;
+import org.olat.test.JunitTestHelper;
 import org.olat.test.OlatRestTestCase;
+import org.springframework.beans.factory.annotation.Autowired;
 
 /**
  * 
@@ -66,6 +71,11 @@ import org.olat.test.OlatRestTestCase;
 public class AuthenticationTest extends OlatRestTestCase {
 	
 	private static final Logger log = Tracing.createLoggerFor(AuthenticationTest.class);
+	
+	@Autowired
+	private DB dbInstance;
+	@Autowired
+	private BaseSecurity securityManager;
 
 	@Test
 	public void testSessionCookieLogin() throws IOException, URISyntaxException {
@@ -160,6 +170,23 @@ public class AuthenticationTest extends OlatRestTestCase {
 		conn.shutdown();
 	}
 	
+	@Test
+	public void testAuthenticationDenied() throws IOException, URISyntaxException {
+		Identity id = JunitTestHelper.createAndPersistIdentityAsRndUser("rest-denied");
+		dbInstance.commitAndCloseSession();
+		
+		RestConnection conn = new RestConnection();
+		assertTrue(conn.login(id.getName(), JunitTestHelper.PWD));
+		conn.shutdown();
+		
+		id = securityManager.saveIdentityStatus(id, Identity.STATUS_LOGIN_DENIED, id);
+		dbInstance.commitAndCloseSession();
+		
+		RestConnection conn2 = new RestConnection();
+		Assert.assertFalse(conn2.login(id.getName(), JunitTestHelper.PWD));
+		conn2.shutdown();
+	}
+	
 	@Test
 	public void testBasicAuthentication_concurrent() throws IOException, URISyntaxException {