renamed project to "Remote Cache Build Server" (RBCS)

rbcs-server/src/test/java/net/woggioni/rbcs/server/test/utils/CertificateUtils.java

@@ -0,0 +1,224 @@
+package net.woggioni.rbcs.server.test.utils;
+
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
+
+public class CertificateUtils {
+
+    public record X509Credentials(
+            KeyPair keyPair,
+            X509Certificate certificate
+    ){ }
+    public static class CertificateAuthority {
+        private final PrivateKey privateKey;
+        private final X509Certificate certificate;
+
+        public CertificateAuthority(PrivateKey privateKey, X509Certificate certificate) {
+            this.privateKey = privateKey;
+            this.certificate = certificate;
+        }
+
+        public PrivateKey getPrivateKey() { return privateKey; }
+        public X509Certificate getCertificate() { return certificate; }
+    }
+
+    /**
+     * Creates a new Certificate Authority (CA)
+     * @param commonName The CA's common name
+     * @param validityDays How long the CA should be valid for
+     * @return The generated CA containing both private key and certificate
+     */
+    public static X509Credentials createCertificateAuthority(String commonName, int validityDays)
+            throws Exception {
+        // Generate key pair
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        keyPairGenerator.initialize(4096);
+        KeyPair keyPair = keyPairGenerator.generateKeyPair();
+
+        // Prepare certificate data
+        X500Name issuerName = new X500Name("CN=" + commonName);
+        BigInteger serialNumber = new BigInteger(160, new SecureRandom());
+        Instant now = Instant.now();
+        Date startDate = Date.from(now);
+        Date endDate = Date.from(now.plus(validityDays, ChronoUnit.DAYS));
+
+        // Create certificate builder
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+                issuerName,
+                serialNumber,
+                startDate,
+                endDate,
+                issuerName,
+                keyPair.getPublic()
+        );
+
+        // Add CA extensions
+        certBuilder.addExtension(
+                Extension.basicConstraints,
+                true,
+                new BasicConstraints(true)
+        );
+        certBuilder.addExtension(
+                Extension.keyUsage,
+                true,
+                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign)
+        );
+
+        // Sign the certificate
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
+                .build(keyPair.getPrivate());
+        X509Certificate cert = new JcaX509CertificateConverter()
+                .getCertificate(certBuilder.build(signer));
+
+        return new X509Credentials(keyPair, cert);
+    }
+
+    /**
+     * Creates a server certificate signed by the CA
+     * @param ca The Certificate Authority to sign with
+     * @param subjectName The server's common name
+     * @param validityDays How long the certificate should be valid for
+     * @return KeyPair containing the server's private key and certificate
+     */
+    public static X509Credentials createServerCertificate(X509Credentials ca, X500Name subjectName, int validityDays)
+            throws Exception {
+        // Generate server key pair
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        keyPairGenerator.initialize(2048);
+        KeyPair serverKeyPair = keyPairGenerator.generateKeyPair();
+
+        // Prepare certificate data
+        X500Name issuerName = new X500Name(ca.certificate().getSubjectX500Principal().getName());
+        BigInteger serialNumber = new BigInteger(160, new SecureRandom());
+        Instant now = Instant.now();
+        Date startDate = Date.from(now);
+        Date endDate = Date.from(now.plus(validityDays, ChronoUnit.DAYS));
+
+        // Create certificate builder
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+                issuerName,
+                serialNumber,
+                startDate,
+                endDate,
+                subjectName,
+                serverKeyPair.getPublic()
+        );
+
+        // Add server certificate extensions
+        certBuilder.addExtension(
+                Extension.basicConstraints,
+                true,
+                new BasicConstraints(false)
+        );
+        certBuilder.addExtension(
+                Extension.keyUsage,
+                true,
+                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)
+        );
+        certBuilder.addExtension(
+                Extension.extendedKeyUsage,
+                true,
+                new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_serverAuth})
+        );
+        GeneralNames subjectAltNames = GeneralNames.getInstance(
+            new DERSequence(
+                new GeneralName[] {
+                    new GeneralName(GeneralName.iPAddress, "127.0.0.1")
+                }
+            )
+        );
+        certBuilder.addExtension(
+                Extension.subjectAlternativeName,
+                true,
+                subjectAltNames
+        );
+
+        // Sign the certificate
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
+                .build(ca.keyPair().getPrivate());
+        X509Certificate cert = new JcaX509CertificateConverter()
+                .getCertificate(certBuilder.build(signer));
+
+
+        return new X509Credentials(serverKeyPair, cert);
+    }
+
+    /**
+     * Creates a client certificate signed by the CA
+     * @param ca The Certificate Authority to sign with
+     * @param subjectName The client's common name
+     * @param validityDays How long the certificate should be valid for
+     * @return KeyPair containing the client's private key and certificate
+     */
+    public static X509Credentials createClientCertificate(X509Credentials ca, X500Name subjectName, int validityDays)
+            throws Exception {
+        // Generate client key pair
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        keyPairGenerator.initialize(2048);
+        KeyPair clientKeyPair = keyPairGenerator.generateKeyPair();
+
+        // Prepare certificate data
+        X500Name issuerName = new X500Name(ca.certificate().getSubjectX500Principal().getName());
+        BigInteger serialNumber = new BigInteger(160, new SecureRandom());
+        Instant now = Instant.now();
+        Date startDate = Date.from(now);
+        Date endDate = Date.from(now.plus(validityDays, ChronoUnit.DAYS));
+
+        // Create certificate builder
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+                issuerName,
+                serialNumber,
+                startDate,
+                endDate,
+                subjectName,
+                clientKeyPair.getPublic()
+        );
+
+        // Add client certificate extensions
+        certBuilder.addExtension(
+                Extension.basicConstraints,
+                true,
+                new BasicConstraints(false)
+        );
+        certBuilder.addExtension(
+                Extension.keyUsage,
+                true,
+                new KeyUsage(KeyUsage.digitalSignature)
+        );
+        certBuilder.addExtension(
+                Extension.extendedKeyUsage,
+                true,
+                new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth})
+        );
+
+        // Sign the certificate
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
+                .build(ca.keyPair().getPrivate());
+        X509Certificate cert = new JcaX509CertificateConverter()
+                .getCertificate(certBuilder.build(signer));
+
+        return new X509Credentials(clientKeyPair, cert);
+    }
+}

rbcs-server/src/test/java/net/woggioni/rbcs/server/test/utils/NetworkUtils.java

@@ -0,0 +1,30 @@
+package net.woggioni.rbcs.server.test.utils;
+
+import net.woggioni.jwo.JWO;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+
+public class NetworkUtils {
+
+    private static final int MAX_ATTEMPTS = 50;
+
+    public static int getFreePort() {
+        int count = 0;
+        while(count < MAX_ATTEMPTS) {
+            try (ServerSocket serverSocket = new ServerSocket(0, 50, InetAddress.getLocalHost())) {
+                final var candidate = serverSocket.getLocalPort();
+                if (candidate > 0) {
+                    return candidate;
+                } else {
+                    JWO.newThrowable(RuntimeException.class, "Got invalid port number: %d", candidate);
+                    throw new RuntimeException("Error trying to find an open port");
+                }
+            } catch (IOException ignored) {
+                ++count;
+            }
+        }
+        throw new RuntimeException("Error trying to find an open port");
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/AbstractBasicAuthServerTest.kt

@@ -0,0 +1,86 @@
+package net.woggioni.rbcs.server.test
+
+import net.woggioni.rbcs.api.Configuration
+import net.woggioni.rbcs.api.Role
+import net.woggioni.rbcs.common.Xml
+import net.woggioni.rbcs.server.cache.FileSystemCacheConfiguration
+import net.woggioni.rbcs.server.configuration.Serializer
+import net.woggioni.rbcs.server.test.utils.NetworkUtils
+import java.net.URI
+import java.net.http.HttpRequest
+import java.nio.charset.StandardCharsets
+import java.nio.file.Path
+import java.time.Duration
+import java.time.temporal.ChronoUnit
+import java.util.Base64
+import java.util.zip.Deflater
+import kotlin.random.Random
+
+
+abstract class AbstractBasicAuthServerTest : AbstractServerTest() {
+
+    private lateinit var cacheDir : Path
+
+    protected val random = Random(101325)
+    protected val keyValuePair = newEntry(random)
+    protected val serverPath = "rbcs"
+    protected val readersGroup = Configuration.Group("readers", setOf(Role.Reader), null, null)
+    protected val writersGroup = Configuration.Group("writers", setOf(Role.Writer), null, null)
+
+    abstract protected val users : List<Configuration.User>
+
+    override fun setUp() {
+        this.cacheDir = testDir.resolve("cache")
+        cfg = Configuration.of(
+            "127.0.0.1",
+            NetworkUtils.getFreePort(),
+            50,
+            serverPath,
+            Configuration.EventExecutor(false),
+            Configuration.Connection(
+                Duration.of(10, ChronoUnit.SECONDS),
+                Duration.of(10, ChronoUnit.SECONDS),
+                Duration.of(60, ChronoUnit.SECONDS),
+                Duration.of(30, ChronoUnit.SECONDS),
+                Duration.of(30, ChronoUnit.SECONDS),
+                0x1000
+            ),
+            users.asSequence().map { it.name to it}.toMap(),
+            sequenceOf(writersGroup, readersGroup).map { it.name to it}.toMap(),
+            FileSystemCacheConfiguration(this.cacheDir,
+                maxAge = Duration.ofSeconds(3600 * 24),
+                digestAlgorithm = "MD5",
+                compressionLevel = Deflater.DEFAULT_COMPRESSION,
+                compressionEnabled = false
+            ),
+            Configuration.BasicAuthentication(),
+            null,
+        )
+        Xml.write(Serializer.serialize(cfg), System.out)
+    }
+
+    override fun tearDown() {
+    }
+
+    protected fun buildAuthorizationHeader(user : Configuration.User, password : String) : String {
+        val b64 = Base64.getEncoder().encode("${user.name}:${password}".toByteArray(Charsets.UTF_8)).let{
+            String(it, StandardCharsets.UTF_8)
+        }
+        return "Basic $b64"
+    }
+
+    protected fun newRequestBuilder(key : String) = HttpRequest.newBuilder()
+        .uri(URI.create("http://${cfg.host}:${cfg.port}/$serverPath/$key"))
+
+
+    protected fun newEntry(random : Random) : Pair<String, ByteArray> {
+        val key = ByteArray(0x10).let {
+            random.nextBytes(it)
+            Base64.getUrlEncoder().encodeToString(it)
+        }
+        val value = ByteArray(0x1000).also {
+            random.nextBytes(it)
+        }
+        return key to value
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/AbstractServerTest.kt

@@ -0,0 +1,50 @@
+package net.woggioni.rbcs.server.test
+
+import net.woggioni.rbcs.api.Configuration
+import net.woggioni.rbcs.server.RemoteBuildCacheServer
+import org.junit.jupiter.api.AfterAll
+import org.junit.jupiter.api.BeforeAll
+import org.junit.jupiter.api.MethodOrderer
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.TestMethodOrder
+import org.junit.jupiter.api.io.TempDir
+import java.nio.file.Path
+
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@TestMethodOrder(MethodOrderer.OrderAnnotation::class)
+abstract class AbstractServerTest {
+
+    protected lateinit var cfg : Configuration
+
+    protected lateinit var testDir : Path
+
+    private var serverHandle : RemoteBuildCacheServer.ServerHandle? = null
+
+    @BeforeAll
+    fun setUp0(@TempDir tmpDir : Path) {
+        this.testDir = tmpDir
+        setUp()
+        startServer(cfg)
+    }
+
+    @AfterAll
+    fun tearDown0() {
+        tearDown()
+        stopServer()
+    }
+
+    abstract fun setUp()
+
+    abstract fun tearDown()
+
+    private fun startServer(cfg : Configuration) {
+        this.serverHandle = RemoteBuildCacheServer(cfg).run()
+    }
+
+    private fun stopServer() {
+        this.serverHandle?.use {
+            it.shutdown()
+        }
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/AbstractTlsServerTest.kt

@@ -0,0 +1,202 @@
+package net.woggioni.rbcs.server.test
+
+import net.woggioni.rbcs.api.Configuration
+import net.woggioni.rbcs.api.Role
+import net.woggioni.rbcs.common.Xml
+import net.woggioni.rbcs.server.cache.FileSystemCacheConfiguration
+import net.woggioni.rbcs.server.configuration.Serializer
+import net.woggioni.rbcs.server.test.utils.CertificateUtils
+import net.woggioni.rbcs.server.test.utils.CertificateUtils.X509Credentials
+import net.woggioni.rbcs.server.test.utils.NetworkUtils
+import org.bouncycastle.asn1.x500.X500Name
+import java.net.URI
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.nio.charset.StandardCharsets
+import java.nio.file.Files
+import java.nio.file.Path
+import java.security.KeyStore
+import java.security.KeyStore.PasswordProtection
+import java.time.Duration
+import java.time.temporal.ChronoUnit
+import java.util.Base64
+import java.util.zip.Deflater
+import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManagerFactory
+import kotlin.random.Random
+
+
+abstract class AbstractTlsServerTest : AbstractServerTest() {
+
+    companion object {
+        private const val CA_CERTIFICATE_ENTRY = "rbcs-ca"
+        private const val CLIENT_CERTIFICATE_ENTRY = "rbcs-client"
+        private const val SERVER_CERTIFICATE_ENTRY = "rbcs-server"
+        private const val PASSWORD = "password"
+    }
+
+    private lateinit var cacheDir: Path
+    private lateinit var serverKeyStoreFile: Path
+    private lateinit var clientKeyStoreFile: Path
+    private lateinit var trustStoreFile: Path
+    private lateinit var serverKeyStore: KeyStore
+    private lateinit var clientKeyStore: KeyStore
+    private lateinit var trustStore: KeyStore
+    protected lateinit var ca: X509Credentials
+
+    protected val readersGroup = Configuration.Group("readers", setOf(Role.Reader), null, null)
+    protected val writersGroup = Configuration.Group("writers", setOf(Role.Writer), null, null)
+    protected val random = Random(101325)
+    protected val keyValuePair = newEntry(random)
+    private val serverPath : String? = null
+
+    protected abstract val users : List<Configuration.User>
+
+    protected fun createKeyStoreAndTrustStore() {
+        ca = CertificateUtils.createCertificateAuthority(CA_CERTIFICATE_ENTRY, 30)
+        val serverCert = CertificateUtils.createServerCertificate(ca, X500Name("CN=$SERVER_CERTIFICATE_ENTRY"), 30)
+        val clientCert = CertificateUtils.createClientCertificate(ca, X500Name("CN=$CLIENT_CERTIFICATE_ENTRY"), 30)
+
+        serverKeyStore = KeyStore.getInstance("PKCS12").apply {
+            load(null, null)
+            setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
+            setEntry(
+                SERVER_CERTIFICATE_ENTRY,
+                KeyStore.PrivateKeyEntry(
+                    serverCert.keyPair().private,
+                    arrayOf(serverCert.certificate(), ca.certificate)
+                ),
+                PasswordProtection(PASSWORD.toCharArray())
+            )
+        }
+        Files.newOutputStream(this.serverKeyStoreFile).use {
+            serverKeyStore.store(it, null)
+        }
+
+        clientKeyStore = KeyStore.getInstance("PKCS12").apply {
+            load(null, null)
+            setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
+            setEntry(
+                CLIENT_CERTIFICATE_ENTRY,
+                KeyStore.PrivateKeyEntry(
+                    clientCert.keyPair().private,
+                    arrayOf(clientCert.certificate(), ca.certificate)
+                ),
+                PasswordProtection(PASSWORD.toCharArray())
+            )
+        }
+        Files.newOutputStream(this.clientKeyStoreFile).use {
+            clientKeyStore.store(it, null)
+        }
+
+        trustStore = KeyStore.getInstance("PKCS12").apply {
+            load(null, null)
+            setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
+        }
+        Files.newOutputStream(this.trustStoreFile).use {
+            trustStore.store(it, null)
+        }
+    }
+
+    protected fun getClientKeyStore(ca: X509Credentials, subject: X500Name) = KeyStore.getInstance("PKCS12").apply {
+        val clientCert = CertificateUtils.createClientCertificate(ca, subject, 30)
+
+        load(null, null)
+        setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
+        setEntry(
+            CLIENT_CERTIFICATE_ENTRY,
+            KeyStore.PrivateKeyEntry(clientCert.keyPair().private, arrayOf(clientCert.certificate(), ca.certificate)),
+            PasswordProtection(PASSWORD.toCharArray())
+        )
+    }
+
+    protected fun getHttpClient(clientKeyStore: KeyStore?): HttpClient {
+        val kmf = clientKeyStore?.let {
+            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply {
+                init(it, PASSWORD.toCharArray())
+            }
+        }
+
+
+        // Set up trust manager factory with the truststore
+        val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+        tmf.init(trustStore)
+
+        // Create SSL context with the key and trust managers
+        val sslContext = SSLContext.getInstance("TLS").apply {
+            init(kmf?.keyManagers ?: emptyArray(), tmf.trustManagers, null)
+        }
+        return HttpClient.newBuilder().sslContext(sslContext).build()
+    }
+
+    override fun setUp() {
+        this.clientKeyStoreFile = testDir.resolve("client-keystore.p12")
+        this.serverKeyStoreFile = testDir.resolve("server-keystore.p12")
+        this.trustStoreFile = testDir.resolve("truststore.p12")
+        this.cacheDir = testDir.resolve("cache")
+        createKeyStoreAndTrustStore()
+        cfg = Configuration(
+            "127.0.0.1",
+            NetworkUtils.getFreePort(),
+            100,
+            serverPath,
+            Configuration.EventExecutor(false),
+            Configuration.Connection(
+                Duration.of(10, ChronoUnit.SECONDS),
+                Duration.of(10, ChronoUnit.SECONDS),
+                Duration.of(60, ChronoUnit.SECONDS),
+                Duration.of(30, ChronoUnit.SECONDS),
+                Duration.of(30, ChronoUnit.SECONDS),
+                0x1000
+            ),
+            users.asSequence().map { it.name to it }.toMap(),
+            sequenceOf(writersGroup, readersGroup).map { it.name to it }.toMap(),
+            FileSystemCacheConfiguration(this.cacheDir,
+                maxAge = Duration.ofSeconds(3600 * 24),
+                compressionEnabled = true,
+                compressionLevel = Deflater.DEFAULT_COMPRESSION,
+                digestAlgorithm = "MD5"
+            ),
+//            InMemoryCacheConfiguration(
+//                maxAge = Duration.ofSeconds(3600 * 24),
+//                compressionEnabled = true,
+//                compressionLevel = Deflater.DEFAULT_COMPRESSION,
+//                digestAlgorithm = "MD5"
+//            ),
+            Configuration.ClientCertificateAuthentication(
+                Configuration.TlsCertificateExtractor("CN", "(.*)"),
+                null
+            ),
+            Configuration.Tls(
+                Configuration.KeyStore(this.serverKeyStoreFile, null, SERVER_CERTIFICATE_ENTRY, PASSWORD),
+                Configuration.TrustStore(this.trustStoreFile, null, false, false),
+            )
+        )
+        Xml.write(Serializer.serialize(cfg), System.out)
+    }
+
+    override fun tearDown() {
+    }
+
+    protected fun newRequestBuilder(key: String) = HttpRequest.newBuilder()
+        .uri(URI.create("https://${cfg.host}:${cfg.port}/${serverPath ?: ""}/$key"))
+
+    private fun buildAuthorizationHeader(user: Configuration.User, password: String): String {
+        val b64 = Base64.getEncoder().encode("${user.name}:${password}".toByteArray(Charsets.UTF_8)).let {
+            String(it, StandardCharsets.UTF_8)
+        }
+        return "Basic $b64"
+    }
+
+    protected fun newEntry(random: Random): Pair<String, ByteArray> {
+        val key = ByteArray(0x10).let {
+            random.nextBytes(it)
+            Base64.getUrlEncoder().encodeToString(it)
+        }
+        val value = ByteArray(0x1000).also {
+            random.nextBytes(it)
+        }
+        return key to value
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/BasicAuthServerTest.kt

@@ -0,0 +1,192 @@
+package net.woggioni.rbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.rbcs.api.Configuration
+import net.woggioni.rbcs.api.Role
+import net.woggioni.rbcs.common.PasswordSecurity.hashPassword
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+import java.time.Duration
+import java.time.temporal.ChronoUnit
+
+
+class BasicAuthServerTest : AbstractBasicAuthServerTest() {
+
+    companion object {
+        private const val PASSWORD = "password"
+    }
+
+    override val users = listOf(
+        Configuration.User("user1", hashPassword(PASSWORD), setOf(readersGroup), null),
+        Configuration.User("user2", hashPassword(PASSWORD), setOf(writersGroup), null),
+        Configuration.User("user3", hashPassword(PASSWORD), setOf(readersGroup, writersGroup), null),
+        Configuration.User("", null, setOf(readersGroup), null),
+        Configuration.User("user4", hashPassword(PASSWORD), setOf(readersGroup),
+            Configuration.Quota(1, Duration.of(1, ChronoUnit.DAYS), 0, 1)
+        ),
+        Configuration.User("user5", hashPassword(PASSWORD), setOf(readersGroup),
+            Configuration.Quota(1, Duration.of(5, ChronoUnit.SECONDS), 0, 1)
+        )
+    )
+
+    @Test
+    @Order(1)
+    fun putWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun putAsAReaderUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles && Role.Writer !in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(3)
+    fun getAsAWriterUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, _) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Writer in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .GET()
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(4)
+    fun putAsAWriterUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Writer in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.CREATED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(5)
+    fun getAsAReaderUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(6)
+    fun getAsAnonymousUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(7)
+    fun getMissingKeyAsAReaderUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, _) = newEntry(random)
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(6)
+    fun getAsAThrottledUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            it.name == "user4"
+        } ?: throw RuntimeException("user4 not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.TOO_MANY_REQUESTS.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(7)
+    fun getAsAThrottledUser2() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            it.name == "user5"
+        } ?: throw RuntimeException("user5 not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/ConfigurationTest.kt

@@ -0,0 +1,56 @@
+package net.woggioni.rbcs.server.test
+
+import net.woggioni.rbcs.common.RBCS.toUrl
+import net.woggioni.rbcs.common.RbcsUrlStreamHandlerFactory
+import net.woggioni.rbcs.common.Xml
+import net.woggioni.rbcs.server.configuration.Parser
+import net.woggioni.rbcs.server.configuration.Serializer
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.io.TempDir
+import org.junit.jupiter.params.ParameterizedTest
+import org.junit.jupiter.params.provider.ValueSource
+import org.xml.sax.SAXParseException
+import java.nio.file.Files
+import java.nio.file.Path
+
+class ConfigurationTest {
+
+    @ValueSource(
+        strings = [
+            "classpath:net/woggioni/rbcs/server/test/valid/rbcs-default.xml",
+            "classpath:net/woggioni/rbcs/server/test/valid/rbcs-memcached.xml",
+            "classpath:net/woggioni/rbcs/server/test/valid/rbcs-tls.xml",
+            "classpath:net/woggioni/rbcs/server/test/valid/rbcs-memcached-tls.xml",
+        ]
+    )
+    @ParameterizedTest
+    fun test(configurationUrl: String, @TempDir testDir: Path) {
+        RbcsUrlStreamHandlerFactory.install()
+        val doc = Xml.parseXml(configurationUrl.toUrl())
+        val cfg = Parser.parse(doc)
+        val configFile = testDir.resolve("rbcs.xml")
+        Files.newOutputStream(configFile).use {
+            Xml.write(Serializer.serialize(cfg), it)
+        }
+        Xml.write(Serializer.serialize(cfg), System.out)
+
+        val parsed = Parser.parse(Xml.parseXml(configFile.toUri().toURL()))
+        Assertions.assertEquals(cfg, parsed)
+    }
+
+    @ValueSource(
+        strings = [
+            "classpath:net/woggioni/rbcs/server/test/invalid/invalid-user-ref.xml",
+            "classpath:net/woggioni/rbcs/server/test/invalid/duplicate-anonymous-user.xml",
+            "classpath:net/woggioni/rbcs/server/test/invalid/duplicate-anonymous-user2.xml",
+            "classpath:net/woggioni/rbcs/server/test/invalid/multiple-user-quota.xml",
+        ]
+    )
+    @ParameterizedTest
+    fun invalidConfigurationTest(configurationUrl: String) {
+        RbcsUrlStreamHandlerFactory.install()
+        Assertions.assertThrows(SAXParseException::class.java) {
+            Xml.parseXml(configurationUrl.toUrl())
+        }
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/NoAnonymousUserBasicAuthServerTest.kt

@@ -0,0 +1,52 @@
+package net.woggioni.rbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.rbcs.api.Configuration
+import net.woggioni.rbcs.common.PasswordSecurity.hashPassword
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+
+
+class NoAnonymousUserBasicAuthServerTest : AbstractBasicAuthServerTest() {
+
+    companion object {
+        private const val PASSWORD = "anotherPassword"
+    }
+
+    override val users = listOf(
+        Configuration.User("user1", hashPassword(PASSWORD), setOf(readersGroup), null),
+        Configuration.User("user2", hashPassword(PASSWORD), setOf(writersGroup), null),
+        Configuration.User("user3", hashPassword(PASSWORD), setOf(readersGroup, writersGroup), null),
+    )
+
+    @Test
+    @Order(1)
+    fun putWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun getWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/NoAnonymousUserTlsServerTest.kt

@@ -0,0 +1,47 @@
+package net.woggioni.rbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.rbcs.api.Configuration
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+
+class NoAnonymousUserTlsServerTest : AbstractTlsServerTest() {
+
+    override val users = listOf(
+        Configuration.User("user1", null, setOf(readersGroup), null),
+        Configuration.User("user2", null, setOf(writersGroup), null),
+        Configuration.User("user3", null, setOf(readersGroup, writersGroup), null),
+    )
+
+    @Test
+    @Order(1)
+    fun getAsAnonymousUser() {
+        val (key, _) = keyValuePair
+        val client: HttpClient = getHttpClient(null)
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun putAsAnonymousUser() {
+        val (key, value) = keyValuePair
+        val client: HttpClient = getHttpClient(null)
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/NoAuthServerTest.kt

@@ -0,0 +1,134 @@
+package net.woggioni.rbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.rbcs.api.Configuration
+import net.woggioni.rbcs.common.Xml
+import net.woggioni.rbcs.server.cache.InMemoryCacheConfiguration
+import net.woggioni.rbcs.server.configuration.Serializer
+import net.woggioni.rbcs.server.test.utils.NetworkUtils
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.URI
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+import java.nio.file.Path
+import java.time.Duration
+import java.time.temporal.ChronoUnit
+import java.util.Base64
+import java.util.zip.Deflater
+import kotlin.random.Random
+
+
+class NoAuthServerTest : AbstractServerTest() {
+
+    private lateinit var cacheDir: Path
+
+    private val random = Random(101325)
+    private val keyValuePair = newEntry(random)
+    private val serverPath = "/some/nested/path"
+
+    override fun setUp() {
+        this.cacheDir = testDir.resolve("cache")
+        cfg = Configuration(
+            "127.0.0.1",
+            NetworkUtils.getFreePort(),
+            100,
+            serverPath,
+            Configuration.EventExecutor(false),
+            Configuration.Connection(
+                Duration.of(10, ChronoUnit.SECONDS),
+                Duration.of(10, ChronoUnit.SECONDS),
+                Duration.of(60, ChronoUnit.SECONDS),
+                Duration.of(30, ChronoUnit.SECONDS),
+                Duration.of(30, ChronoUnit.SECONDS),
+                0x1000
+            ),
+            emptyMap(),
+            emptyMap(),
+            InMemoryCacheConfiguration(
+                maxAge = Duration.ofSeconds(3600 * 24),
+                compressionEnabled = true,
+                digestAlgorithm = "MD5",
+                compressionLevel = Deflater.DEFAULT_COMPRESSION,
+                maxSize = 0x1000000
+            ),
+            null,
+            null,
+        )
+        Xml.write(Serializer.serialize(cfg), System.out)
+    }
+
+    override fun tearDown() {
+    }
+
+    fun newRequestBuilder(key: String) = HttpRequest.newBuilder()
+        .uri(URI.create("http://${cfg.host}:${cfg.port}/$serverPath/$key"))
+
+    fun newEntry(random: Random): Pair<String, ByteArray> {
+        val key = ByteArray(0x10).let {
+            random.nextBytes(it)
+            Base64.getUrlEncoder().encodeToString(it)
+        }
+        val value = ByteArray(0x1000).also {
+            random.nextBytes(it)
+        }
+        return key to value
+    }
+
+    @Test
+    @Order(1)
+    fun putWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.CREATED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun getWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+        val response: HttpResponse<ByteArray> =
+            client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(3)
+    fun getMissingKey() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, _) = newEntry(random)
+        val requestBuilder = newRequestBuilder(key).GET()
+
+        val response: HttpResponse<ByteArray> =
+            client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(4)
+    fun traceTest() {
+        val client: HttpClient = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build()
+        val requestBuilder = newRequestBuilder("").method(
+            "TRACE",
+            HttpRequest.BodyPublishers.ofByteArray("sfgsdgfaiousfiuhsd".toByteArray())
+        )
+
+        val response: HttpResponse<ByteArray> =
+            client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        println(String(response.body()))
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/TlsServerTest.kt

@@ -0,0 +1,151 @@
+package net.woggioni.rbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.rbcs.api.Configuration
+import net.woggioni.rbcs.api.Role
+import org.bouncycastle.asn1.x500.X500Name
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+
+
+class TlsServerTest : AbstractTlsServerTest() {
+
+    override val users = listOf(
+        Configuration.User("user1", null, setOf(readersGroup), null),
+        Configuration.User("user2", null, setOf(writersGroup), null),
+        Configuration.User("user3", null, setOf(readersGroup, writersGroup), null),
+        Configuration.User("", null, setOf(readersGroup), null)
+    )
+
+    @Test
+    @Order(1)
+    fun putAsAReaderUser() {
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles && Role.Writer !in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun getAsAWriterUser() {
+        val (key, _) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Writer in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(3)
+    fun putAsAWriterUser() {
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Writer in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.CREATED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(4)
+    fun getAsAReaderUser() {
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<ByteArray> =
+            client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(5)
+    fun getMissingKeyAsAReaderUser() {
+        val (key, _) = newEntry(random)
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<ByteArray> =
+            client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(6)
+    fun getAsAnonymousUser() {
+        val (key, value) = keyValuePair
+        val client: HttpClient = getHttpClient(null)
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(7)
+    fun putAsAnonymousUser() {
+        val (key, value) = keyValuePair
+        val client: HttpClient = getHttpClient(null)
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(8)
+    fun traceAsAnonymousUser() {
+        val client: HttpClient = getHttpClient(null)
+        val requestBuilder = newRequestBuilder("").method(
+            "TRACE",
+            HttpRequest.BodyPublishers.ofByteArray("sfgsdgfaiousfiuhsd".toByteArray())
+        )
+
+        val response: HttpResponse<ByteArray> =
+            client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        println(String(response.body()))
+    }
+}

rbcs-server/src/test/kotlin/net/woggioni/rbcs/server/test/X500NameTest.kt

@@ -0,0 +1,19 @@
+package net.woggioni.rbcs.server.test
+
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Test
+import javax.naming.ldap.LdapName
+
+class X500NameTest {
+
+    @Test
+    fun test() {
+        val name =
+            "C=SG, L=Bugis, CN=woggioni@f6aa5663ef26, emailAddress=oggioni.walter@gmail.com, street=1 Fraser Street\\, Duo Residences #23-05, postalCode=189350, GN=Walter, SN=Oggioni, pseudonym=woggioni"
+        val ldapName = LdapName(name)
+        val value = ldapName.rdns.asSequence().find {
+            it.type == "CN"
+        }!!.value
+        Assertions.assertEquals("woggioni@f6aa5663ef26", value)
+    }
+}

rbcs-server/src/test/resources/logback.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE configuration>
+
+<configuration>
+    <import class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"/>
+    <import class="ch.qos.logback.core.ConsoleAppender"/>
+
+    <appender name="console" class="ConsoleAppender">
+        <target>System.err</target>
+        <encoder class="PatternLayoutEncoder">
+            <pattern>%d [%highlight(%-5level)] \(%thread\) %logger{36} -%kvp- %msg %n</pattern>
+        </encoder>
+    </appender>
+
+    <root level="info">
+        <appender-ref ref="console"/>
+    </root>
+    <logger name="io.netty" level="debug"/>
+    <logger name="com.google.code.yanf4j" level="warn"/>
+    <logger name="net.rubyeye.xmemcached" level="warn"/>
+</configuration>

rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/invalid/duplicate-anonymous-user.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs.xsd">
+    <bind host="127.0.0.1" port="11443"/>
+    <cache xs:type="rbcs:fileSystemCacheType" path="/tmp/rbcs" max-age="P7D"/>
+    <authorization>
+        <users>
+            <user name="user1" password="password1"/>
+            <user name="user2" password="password2"/>
+            <anonymous>
+                <quota calls="10" period="P3D"/>
+            </anonymous>
+            <anonymous>
+                <quota calls="15" period="P3D"/>
+            </anonymous>
+        </users>
+    </authorization>
+</rbcs:server>

rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/invalid/duplicate-anonymous-user2.xml

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs.xsd">
+    <bind host="127.0.0.1" port="11443"/>
+    <cache xs:type="rbcs:fileSystemCacheType" path="/tmp/rbcs" max-age="P7D"/>
+    <authorization>
+        <users>
+            <user name="user1" password="password1"/>
+            <user name="user2" password="password2"/>
+        </users>
+        <groups>
+            <group name="group1">
+                <users>
+                    <anonymous/>
+                    <user ref="user1"/>
+                    <anonymous/>
+                </users>
+                <roles>
+                    <reader/>
+                </roles>
+            </group>
+        </groups>
+    </authorization>
+</rbcs:server>

rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/invalid/invalid-user-ref.xml

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs.xsd">
+    <bind host="127.0.0.1" port="11443"/>
+    <cache xs:type="rbcs:fileSystemCacheType" path="/tmp/rbcs" max-age="P7D"/>
+    <authorization>
+        <users>
+            <user name="user1" password="password1"/>
+            <user name="user2" password="password2"/>
+        </users>
+        <groups>
+            <group name="readers">
+                <users>
+                    <user ref="user1"/>
+                    <user ref="user5"/>
+                </users>
+                <roles>
+                    <reader/>
+                </roles>
+            </group>
+        </groups>
+    </authorization>
+</rbcs:server>

rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/invalid/multiple-user-quota.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs.xsd">
+    <bind host="127.0.0.1" port="11443"/>
+    <cache xs:type="rbcs:fileSystemCacheType" path="/tmp/rbcs" max-age="P7D"/>
+    <authorization>
+        <users>
+            <user name="user1" password="password1">
+                <quota calls="10" period="PT20S"/>
+                <quota calls="20" period="PT20S"/>
+            </user>
+        </users>
+    </authorization>
+</rbcs:server>

rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/valid/rbcs-default.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs.xsd">
+    <bind host="127.0.0.1" port="11443" incoming-connections-backlog-size="22"/>
+    <connection
+            write-timeout="PT25M"
+            read-timeout="PT20M"
+            read-idle-timeout="PT10M"
+            write-idle-timeout="PT11M"
+            idle-timeout="PT30M"
+            max-request-size="101325"/>
+    <event-executor use-virtual-threads="false"/>
+    <cache xs:type="rbcs:fileSystemCacheType" path="/tmp/rbcs" max-age="P7D"/>
+    <authentication>
+        <none/>
+    </authentication>
+</rbcs:server>

rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/valid/rbcs-memcached-tls.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xmlns:rbcs-memcache="urn:net.woggioni.rbcs.server.memcache"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server.memcache jpms://net.woggioni.rbcs.server.memcache/net/woggioni/rbcs/server/memcache/schema/rbcs-memcache.xsd urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs.xsd"
+>
+    <bind host="0.0.0.0" port="8443" incoming-connections-backlog-size="4096"/>
+    <connection
+            max-request-size="67108864"
+            idle-timeout="PT30S"
+            read-idle-timeout="PT60S"
+            write-idle-timeout="PT60S"
+            read-timeout="PT5M"
+            write-timeout="PT5M"/>
+    <event-executor use-virtual-threads="true"/>
+    <cache xs:type="rbcs-memcache:memcacheCacheType" max-age="P7D" max-size="16777216" compression-mode="deflate">
+        <server host="memcached" port="11211"/>
+    </cache>
+    <authorization>
+        <users>
+            <user name="woggioni">
+                <quota calls="1000" period="PT1S"/>
+            </user>
+            <user name="gitea">
+                <quota calls="10" period="PT1S" initial-available-calls="100" max-available-calls="100"/>
+            </user>
+            <anonymous>
+                <quota calls="2" period="PT5S"/>
+            </anonymous>
+        </users>
+        <groups>
+            <group name="writers">
+                <users>
+                    <user ref="woggioni"/>
+                    <user ref="gitea"/>
+                </users>
+                <roles>
+                    <reader/>
+                    <writer/>
+                </roles>
+            </group>
+        </groups>
+    </authorization>
+    <authentication>
+        <client-certificate>
+            <user-extractor attribute-name="CN" pattern="(.*)"/>
+        </client-certificate>
+    </authentication>
+    <tls>
+        <keystore file="/home/luser/ssl/rbcs.woggioni.net.pfx" key-alias="rbcs.woggioni.net" password="KEYSTORE_PASSWOR" key-password="KEY_PASSWORD"/>
+        <truststore file="/home/luser/ssl/woggioni.net.pfx" check-certificate-status="false" password="TRUSTSTORE_PASSWORD"/>
+    </tls>
+</rbcs:server>

rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/valid/rbcs-memcached.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xmlns:rbcs-memcache="urn:net.woggioni.rbcs.server.memcache"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server.memcache jpms://net.woggioni.rbcs.server.memcache/net/woggioni/rbcs/server/memcache/schema/rbcs-memcache.xsd urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs.xsd">
+    <bind host="127.0.0.1" port="11443" incoming-connections-backlog-size="50"/>
+    <connection
+            write-timeout="PT25M"
+            read-timeout="PT20M"
+            read-idle-timeout="PT10M"
+            write-idle-timeout="PT11M"
+            idle-timeout="PT30M"
+            max-request-size="101325"/>
+    <event-executor use-virtual-threads="false"/>
+    <cache xs:type="rbcs-memcache:memcacheCacheType" max-age="P7D" max-size="101325" digest="SHA-256">
+        <server host="127.0.0.1" port="11211" max-connections="10" connection-timeout="PT20S"/>
+    </cache>
+    <authentication>
+        <none/>
+    </authentication>
+</rbcs:server>

rbcs-server/src/test/resources/net/woggioni/rbcs/server/test/valid/rbcs-tls.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs.xsd">
+    <bind host="127.0.0.1" port="11443" incoming-connections-backlog-size="180"/>
+    <connection
+            write-timeout="PT25M"
+            read-timeout="PT20M"
+            read-idle-timeout="PT10M"
+            write-idle-timeout="PT11M"
+            idle-timeout="PT30M"
+            max-request-size="4096"/>
+    <event-executor use-virtual-threads="false"/>
+    <cache xs:type="rbcs:inMemoryCacheType" max-age="P7D"/>
+    <authorization>
+        <users>
+            <user name="user1" password="password1">
+                <quota calls="3600" period="PT1H"/>
+            </user>
+            <user name="user2" password="password2"/>
+            <user name="user3" password="password3"/>
+            <anonymous>
+                <quota calls="10" period="PT1M"/>
+            </anonymous>
+        </users>
+        <groups>
+            <group name="readers">
+                <users>
+                    <user ref="user1"/>
+                    <anonymous/>
+                </users>
+                <roles>
+                    <reader/>
+                </roles>
+                <user-quota calls="30" period="PT1M"/>
+                <group-quota calls="10" period="PT1S"/>
+            </group>
+            <group name="writers">
+                <users>
+                    <user ref="user2"/>
+                </users>
+                <roles>
+                    <writer/>
+                </roles>
+            </group>
+            <group name="readers-writers">
+                <users>
+                    <user ref="user3"/>
+                </users>
+                <roles>
+                    <reader/>
+                    <writer/>
+                </roles>
+                <group-quota calls="1000" period="P1D"/>
+            </group>
+        </groups>
+    </authorization>
+    <authentication>
+        <client-certificate>
+            <group-extractor pattern="group-pattern" attribute-name="O"/>
+            <user-extractor pattern="user-pattern" attribute-name="CN"/>
+        </client-certificate>
+    </authentication>
+    <tls>
+        <keystore file="keystore.pfx" key-alias="key1" password="password" key-password="key-password"/>
+        <truststore file="truststore.pfx" password="password" check-certificate-status="true" require-client-certificate="true"/>
+    </tls>
+</rbcs:server>