cubicweb: cubicweb/server/test/unittest_security.py@26744ad37953 (annotated)

11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	1	# copyright 2003-2016 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	3	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	4	# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	5	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	9	# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	10	#
5424 8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5421 diff changeset	11	# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	14	# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	15	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
5886 00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	18	"""functional tests for server'security"""
00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	19
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	20	from logilab.common.testlib import unittest_main
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	21
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	22	from cubicweb.devtools.testlib import CubicWebTC
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	23	from cubicweb import Unauthorized, ValidationError, QueryError, Binary
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	24	from cubicweb.schema import ERQLExpression
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	25	from cubicweb.server.querier import get_local_checks, check_relations_read_access
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	26	from cubicweb.server.utils import _CRYPTO_CTX
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	27
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	28
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	29	class BaseSecurityTC(CubicWebTC):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	30
7072 bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	31	def setup_database(self):
bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	32	super(BaseSecurityTC, self).setup_database()
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	33	with self.admin_access.client_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	34	self.create_user(cnx, u'iaminusersgrouponly')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	35	hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt')
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	36	self.create_user(cnx, u'oldpassword', password=Binary(hash.encode('ascii')))
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	37
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	38
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	39	class LowLevelSecurityFunctionTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	40
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	41	def test_check_relation_read_access(self):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	42	rql = u'Personne U WHERE U nom "managers"'
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	43	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	44	nom = self.repo.schema['Personne'].rdef('nom')
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	45	with self.temporary_permissions((nom, {'read': ('users', 'managers')})):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	46	with self.admin_access.repo_cnx() as cnx:
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	47	self.repo.vreg.solutions(cnx, rqlst, None)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	48	check_relations_read_access(cnx, rqlst, {})
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	49	with self.new_access(u'anon').repo_cnx() as cnx:
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	50	self.assertRaises(Unauthorized,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	51	check_relations_read_access,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	52	cnx, rqlst, {})
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	53	self.assertRaises(Unauthorized, cnx.execute, rql)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	54
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	55	def test_get_local_checks(self):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	56	rql = u'Personne U WHERE U nom "managers"'
3252 c0e10da6f1cf tests update Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 diff changeset	57	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	58	with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	59	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	60	self.repo.vreg.solutions(cnx, rqlst, None)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	61	solution = rqlst.solutions[0]
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	62	localchecks = get_local_checks(cnx, rqlst, solution)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	63	self.assertEqual({}, localchecks)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	64	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	65	self.assertRaises(Unauthorized,
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	66	get_local_checks,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	67	cnx, rqlst, solution)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	68	self.assertRaises(Unauthorized, cnx.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	69
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	70	def test_upassword_not_selectable(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	71	with self.admin_access.repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	72	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	73	cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	74	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	75	self.assertRaises(Unauthorized,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	76	cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	77
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	78	def test_update_password(self):
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	79	"""Ensure that if a user's password is stored with a deprecated hash,
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	80	it will be updated on next login
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	81	"""
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	82	with self.repo.internal_cnx() as cnx:
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	83	oldhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	84	"WHERE cw_login = 'oldpassword'").fetchone()[0]
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	85	oldhash = self.repo.system_source.binary_to_str(oldhash)
12044 70bb46dfa87b [repo] Drop repo.new_session method Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12027 diff changeset	86	self.repo.authenticate_user(cnx, 'oldpassword', password='oldpassword')
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	87	newhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	88	"WHERE cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	89	newhash = self.repo.system_source.binary_to_str(newhash)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	90	self.assertNotEqual(oldhash, newhash)
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	91	self.assertTrue(newhash.startswith(b'$6$'))
12044 70bb46dfa87b [repo] Drop repo.new_session method Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12027 diff changeset	92	self.repo.authenticate_user(cnx, 'oldpassword', password='oldpassword')
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	93	newnewhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE "
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	94	"cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	95	newnewhash = self.repo.system_source.binary_to_str(newnewhash)
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	96	self.assertEqual(newhash, newnewhash)
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	97
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	98
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	99	class SecurityRewritingTC(BaseSecurityTC):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	100	def hijack_source_execute(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	101	def syntax_tree_search(args, *kwargs):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	102	self.query = (args, kwargs)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	103	return []
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	104	self.repo.system_source.syntax_tree_search = syntax_tree_search
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	105
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	106	def tearDown(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	107	self.repo.system_source.__dict__.pop('syntax_tree_search', None)
7072 bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	108	super(SecurityRewritingTC, self).tearDown()
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	109
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	110	def test_not_relation_read_security(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	111	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
11699 b48020a80dc3 Store user groups and properties as session data Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11348 diff changeset	112	cnx.user.groups # fill the cache before screwing syntax_tree_search
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	113	self.hijack_source_execute()
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	114	cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	115	self.assertEqual(self.query[0][1].as_string(),
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	116	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	117	cnx.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	118	self.assertEqual(self.query[0][1].as_string(),
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	119	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	120
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	121
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	122	class SecurityTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	123
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	124	def setUp(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	125	super(SecurityTC, self).setUp()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	126	# implicitly test manager can add some entities
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	127	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	128	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	129	cnx.execute("INSERT Societe X: X nom 'logilab'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	130	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	131	cnx.execute('INSERT CWGroup X: X name "staff"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	132	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	133
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	134	def test_insert_security(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	135	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	136	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	137	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	138	self.assertEqual(cnx.execute('Personne X').rowcount, 1)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	139
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	140	def test_insert_security_2(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	141	with self.new_access(u'anon').repo_cnx() as cnx:
10158 efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	142	cnx.execute("INSERT Affaire X")
efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	143	self.assertRaises(Unauthorized, cnx.commit)
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	144	# anon has no read permission on Affaire entities, so
85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	145	# rowcount == 0
10158 efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	146	self.assertEqual(cnx.execute('Affaire X').rowcount, 0)
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	147
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	148	def test_insert_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	149	# test user can only add une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	150	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	151	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	152	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	153	# test nothing has actually been inserted
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	154	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	155	self.assertEqual(cnx.execute('Affaire X').rowcount, 1)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	156	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	157	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	158	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	159	cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	160	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	161
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	162	def test_update_security_1(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	163	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	164	# local security check
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	165	cnx.execute( "SET X nom 'bidulechouette' WHERE X is Personne")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	166	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	167	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	168	self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	169
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	170	def test_update_security_2(self):
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	171	with self.temporary_permissions(Personne={'read': ('users', 'managers'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	172	'add': ('guests', 'users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	173	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	174	self.assertRaises(Unauthorized, cnx.execute,
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	175	"SET X nom 'bidulechouette' WHERE X is Personne")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	176	# test nothing has actually been inserted
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	177	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	178	self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	179
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	180	def test_update_security_3(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	181	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	182	cnx.execute("INSERT Personne X: X nom 'biduuule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	183	cnx.execute("INSERT Societe X: X nom 'looogilab'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	184	cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	185
10114 6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	186	def test_insert_immutable_attribute_update(self):
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	187	with self.admin_access.repo_cnx() as cnx:
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	188	cnx.create_entity('Old', name=u'Babar')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	189	cnx.commit()
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	190	# this should be equivalent
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	191	o = cnx.create_entity('Old')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	192	o.cw_set(name=u'Celeste')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	193	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	194
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	195	def test_update_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	196	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	197	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	198	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	199	# test user can only update une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	200	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	201	cnx.execute("SET X sujet 'pascool' WHERE X is Affaire")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	202	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	203	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	204	# to actually get Unauthorized exception, try to update an entity we can read
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	205	cnx.execute("SET X nom 'toto' WHERE X is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	206	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	207	cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	208	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	209	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	210	cnx.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	211	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	212
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	213	def test_delete_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	214	# FIXME: sample below fails because we don't detect "owner" can't delete
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	215	# user anyway, and since no user with login == 'bidule' exists, no
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	216	# exception is raised
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	217	#user._groups = {'guests':1}
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	218	#self.assertRaises(Unauthorized,
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	219	# self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	220	# check local security
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	221	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	222	self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	223
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	224	def test_delete_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	225	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	226	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	227	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	228	# test user can only dele une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	229	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	230	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	231	cnx.execute("DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	232	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	233	# to actually get Unauthorized exception, try to delete an entity we can read
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	234	self.assertRaises(Unauthorized, cnx.execute, "DELETE Societe S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	235	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	236	cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	237	cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	238	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	239	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	240	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	241	## # this one should fail since it will try to delete two affaires, one authorized
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	242	## # and the other not
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	243	## self.assertRaises(Unauthorized, cnx.execute, "DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	244	cnx.execute("DELETE Affaire X WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	245	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	246
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	247	def test_insert_relation_rql_permission(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	248	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	249	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	250	# should raise Unauthorized since user don't own S though this won't
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	251	# actually do anything since the selection query won't return
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	252	# anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	253	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	254	# to actually get Unauthorized exception, try to insert a relation
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	255	# were we can read both entities
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	256	rset = cnx.execute('Personne P')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	257	self.assertEqual(len(rset), 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	258	ent = rset.get_entity(0, 0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	259	self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	260	self.assertRaises(Unauthorized, ent.cw_check_perm, 'update')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	261	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	262	cnx.execute, "SET P travaille S WHERE P is Personne, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	263	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	264	cnx.rollback()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	265	# test nothing has actually been inserted:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	266	self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	267	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	268	cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	269	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	270
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	271	def test_delete_relation_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	272	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	273	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	274	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	275	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	276	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	277	cnx.execute("DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	278	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	279	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	280	# to actually get Unauthorized exception, try to delete a relation we can read
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	281	eid = cnx.execute("INSERT Affaire X: X sujet 'pascool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	282	cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	283	{'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	284	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	285	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	286	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	287	self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	288	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	289	cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	290	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	291	cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	292	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	293	cnx.execute("DELETE A concerne S WHERE S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	294	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	295
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	296
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	297	def test_user_can_change_its_upassword(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	298	with self.admin_access.repo_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	299	ueid = self.create_user(cnx, u'user').eid
131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	300	with self.new_access(u'user').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	301	cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	302	{'x': ueid, 'passwd': b'newpwd'})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	303	cnx.commit()
12044 70bb46dfa87b [repo] Drop repo.new_session method Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12027 diff changeset	304	with self.repo.internal_cnx() as cnx:
70bb46dfa87b [repo] Drop repo.new_session method Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12027 diff changeset	305	self.repo.authenticate_user(cnx, 'user', password='newpwd')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	306
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	307	def test_user_cant_change_other_upassword(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	308	with self.admin_access.repo_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	309	ueid = self.create_user(cnx, u'otheruser').eid
131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	310	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	311	cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	312	{'x': ueid, 'passwd': b'newpwd'})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	313	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	314
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	315	# read security test
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	316
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	317	def test_read_base(self):
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	318	with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	319	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	320	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	321	cnx.execute, 'Personne U where U nom "managers"')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	322
321 247947250382 fix security bug w/ query using 'NOT X eid 123' Sylvain Thenault <sylvain.thenault@logilab.fr> parents: 0 diff changeset	323	def test_read_erqlexpr_base(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	324	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	325	eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	326	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	327	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	328	rset = cnx.execute('Affaire X')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	329	self.assertEqual(rset.rows, [])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	330	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	331	# cache test
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	332	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	333	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	334	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	335	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	336	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	337	rset = cnx.execute('Any X WHERE X eid %(x)s', {'x': aff2})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	338	self.assertEqual(rset.rows, [[aff2]])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	339	# more cache test w/ NOT eid
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	340	rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	341	self.assertEqual(rset.rows, [[aff2]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	342	rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	343	self.assertEqual(rset.rows, [])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	344	# test can't update an attribute of an entity that can't be readen
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	345	self.assertRaises(Unauthorized, cnx.execute,
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	346	'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid})
4765 c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	347
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	348
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	349	def test_entity_created_in_transaction(self):
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	350	affschema = self.schema['Affaire']
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	351	with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	352	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	353	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	354	# entity created in transaction are readable by eid
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	355	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	356	# XXX would be nice if it worked
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	357	rset = cnx.execute("Affaire X WHERE X sujet 'cool'")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	358	self.assertEqual(len(rset), 0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	359	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	360
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	361	def test_read_erqlexpr_has_text1(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	362	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	363	aff1 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	364	card1 = cnx.execute("INSERT Card X: X title 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	365	cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	366	{'x': card1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	367	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	368	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	369	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	370	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	371	cnx.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	372	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	373	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x':aff1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	374	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	375	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':card1}))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	376	rset = cnx.execute("Any X WHERE X has_text 'cool'")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	377	self.assertEqual(sorted(eid for eid, in rset.rows),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	378	[card1, aff2])
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	379
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	380	def test_read_erqlexpr_has_text2(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	381	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	382	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	383	cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	384	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	385	with self.temporary_permissions(Personne={'read': ('managers',)}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	386	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	387	rset = cnx.execute('Any N WHERE N has_text "bidule"')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	388	self.assertEqual(len(rset.rows), 1, rset.rows)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	389	rset = cnx.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	390	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	391
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	392	def test_read_erqlexpr_optional_rel(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	393	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	394	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	395	cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	396	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	397	with self.temporary_permissions(Personne={'read': ('managers',)}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	398	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	399	rset = cnx.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	400	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	401
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	402	def test_read_erqlexpr_aggregat(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	403	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	404	cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	405	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	406	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	407	rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	408	self.assertEqual(rset.rows, [[0]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	409	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	410	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	411	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	412	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	413	rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	414	self.assertEqual(rset.rows, [[1]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	415	rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	416	values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	417	self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	418	self.assertEqual(values['Societe'], 2)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	419	rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN '
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	420	'WITH X BEING ((Affaire X) UNION (Societe X))')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	421	self.assertEqual(len(rset), 2)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	422	values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	423	self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	424	self.assertEqual(values['Societe'], 2)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	425
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	426
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	427	def test_attribute_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	428	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	429	# only managers should be able to edit the 'test' attribute of Personne entities
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	430	eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	431	"X web 'http://www.debian.org', X test TRUE")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	432	cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	433	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	434	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	435	cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	436	"X web 'http://www.debian.org', X test TRUE")
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	437	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	438	cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	439	"X web 'http://www.debian.org', X test FALSE")
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	440	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	441	eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	442	"X web 'http://www.debian.org'")[0][0]
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	443	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	444	cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	445	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	446	cnx.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	447	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	448	cnx.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	449	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	450	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	451	cnx.execute('INSERT Frozable F: F name "Foo"')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	452	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	453	cnx.execute('SET F name "Bar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	454	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	455	cnx.execute('SET F name "BaBar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	456	cnx.execute('SET F frozen True WHERE F is Frozable')
9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	457	with self.assertRaises(Unauthorized):
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	458	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	459	cnx.rollback()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	460	cnx.execute('SET F frozen True WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	461	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	462	cnx.execute('SET F name "Bar" WHERE F is Frozable')
9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	463	with self.assertRaises(Unauthorized):
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	464	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	465
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	466	def test_attribute_security_rqlexpr(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	467	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	468	# Note.para attribute editable by managers or if the note is in "todo" state
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	469	note = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	470	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	471	note.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	472	cnx.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	473	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	474	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	475	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	476	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	477	note2 = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	478	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	479	note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	480	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	481	self.assertEqual(len(cnx.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s',
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	482	{'x': note2.eid})),
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	483	0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	484	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	485	self.assertRaises(Unauthorized, cnx.commit)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	486	note2.cw_adapt_to('IWorkflowable').fire_transition('redoit')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	487	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	488	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	489	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	490	cnx.execute("INSERT Note X: X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	491	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	492	cnx.execute("INSERT Note X: X para 'zogzog', X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	493	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	494	note = cnx.execute("INSERT Note X").get_entity(0,0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	495	cnx.commit()
9395 96dba2efd16d [hooks/security] provide attribute "add" permission Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8694 diff changeset	496	note.cw_set(something=u'B')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	497	cnx.commit()
9395 96dba2efd16d [hooks/security] provide attribute "add" permission Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8694 diff changeset	498	note.cw_set(something=None, para=u'zogzog')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	499	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	500
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	501	def test_attribute_read_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	502	# anon not allowed to see users'login, but they can see users
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	503	login_rdef = self.repo.schema['CWUser'].rdef('login')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	504	with self.temporary_permissions((login_rdef, {'read': ('users', 'managers')}),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	505	CWUser={'read': ('guests', 'users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	506	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	507	rset = cnx.execute('CWUser X')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	508	self.assertTrue(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	509	x = rset.get_entity(0, 0)
10463 9add9b7f9df7 [server/test] fix random error in unittest_security Julien Cristau <julien.cristau@logilab.fr> parents: 10249 diff changeset	510	x.complete()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	511	self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	512	self.assertTrue(x.creation_date)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	513	x = rset.get_entity(1, 0)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	514	x.complete()
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	515	self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	516	self.assertTrue(x.creation_date)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	517
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	518	def test_yams_inheritance_and_security_bug(self):
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	519	with self.temporary_permissions(Division={'read': ('managers',
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	520	ERQLExpression('X owned_by U'))}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	521	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
12060 0cdf5fafd234 [repo] Extract rql cache handling to a dedicated class Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12044 diff changeset	522	rqlst = self.repo.vreg.rqlhelper.parse('Any X WHERE X is_instance_of Societe')
0cdf5fafd234 [repo] Extract rql cache handling to a dedicated class Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12044 diff changeset	523	self.repo.vreg.solutions(cnx, rqlst, {})
12496 ad995a9905f9 [server/querier] remove useless indirection QuerierHelper._annotate Nicolas Chauvat <nicolas.chauvat@logilab.fr> parents: 12060 diff changeset	524	self.repo.vreg.rqlhelper.annotate(rqlst)
ad995a9905f9 [server/querier] remove useless indirection QuerierHelper._annotate Nicolas Chauvat <nicolas.chauvat@logilab.fr> parents: 12060 diff changeset	525	plan = cnx.repo.querier.plan_factory(rqlst, {}, cnx)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	526	plan.preprocess(rqlst)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	527	self.assertEqual(
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	528	rqlst.as_string(),
10249 e38b8d37c5d8 [rqlrewrite] sort possible types when turning is_instance_of into is Julien Cristau <julien.cristau@logilab.fr> parents: 10248 diff changeset	529	'(Any X WHERE X is IN(Societe, SubDivision)) UNION '
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	530	'(Any X WHERE X is Division, EXISTS(X owned_by %(B)s))')
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	531
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	532
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	533	class BaseSchemaSecurityTC(BaseSecurityTC):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	534	"""tests related to the base schema permission configuration"""
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	535
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	536	def test_user_can_delete_object_he_created(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	537	# even if some other user have changed object'state
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	538	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	539	# due to security test, affaire has to concerne a societe the user owns
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	540	cnx.execute('INSERT Societe X: X nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	541	cnx.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	542	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	543	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	544	affaire = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	545	affaire.cw_adapt_to('IWorkflowable').fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	546	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	547	self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	548	1)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	549	self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	550	'X owned_by U, U login "admin"')),
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	551	1) # TrInfo at the above state change
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	552	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	553	cnx.execute('DELETE Affaire X WHERE X ref "ARCT01"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	554	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	555	self.assertFalse(cnx.execute('Affaire X'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	556
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	557	def test_users_and_groups_non_readable_by_guests(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	558	with self.repo.internal_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	559	admineid = cnx.execute('CWUser U WHERE U login "admin"').rows[0][0]
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	560	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	561	anon = cnx.user
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	562	# anonymous user can only read itself
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	563	rset = cnx.execute('Any L WHERE X owned_by U, U login L')
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	564	self.assertEqual([['anon']], rset.rows)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	565	rset = cnx.execute('CWUser X')
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	566	self.assertEqual([[anon.eid]], rset.rows)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	567	# anonymous user can read groups (necessary to check allowed transitions for instance)
10600 180aa08cad48 [tests] Replace use of deprecated TestCase.assert_ Rémi Cardona <remi.cardona@logilab.fr> parents: 10463 diff changeset	568	self.assertTrue(cnx.execute('CWGroup X'))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	569	# should only be able to read the anonymous user, not another one
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	570	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	571	cnx.execute, 'CWUser X WHERE X eid %(x)s', {'x': admineid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	572	rset = cnx.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid})
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	573	self.assertEqual([[anon.eid]], rset.rows)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	574	# but can't modify it
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	575	cnx.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	576	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	577
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	578	def test_in_group_relation(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	579	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	580	rql = u"DELETE U in_group G WHERE U login 'admin'"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	581	self.assertRaises(Unauthorized, cnx.execute, rql)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	582	rql = u"SET U in_group G WHERE U login 'admin', G name 'users'"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	583	self.assertRaises(Unauthorized, cnx.execute, rql)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	584
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	585	def test_owned_by(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	586	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	587	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	588	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	589	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	590	rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	591	self.assertRaises(Unauthorized, cnx.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	592
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	593	def test_bookmarked_by_guests_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	594	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	595	beid1 = cnx.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	596	beid2 = cnx.execute('INSERT Bookmark B: B path "?vid=index", B title "index", '
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	597	'B bookmarked_by U WHERE U login "anon"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	598	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	599	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	600	anoneid = cnx.user.eid
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	601	self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	602	'B bookmarked_by U, U eid %s' % anoneid).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	603	[['index', '?vid=index']])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	604	self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	605	'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	606	[['index', '?vid=index']])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	607	# can read others bookmarks as well
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	608	self.assertEqual(cnx.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows,
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	609	[[beid1]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	610	self.assertRaises(Unauthorized, cnx.execute,'DELETE B bookmarked_by U')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	611	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	612	cnx.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s',
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	613	{'x': anoneid, 'b': beid1})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	614
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	615	def test_ambigous_ordered(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	616	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	617	names = [t for t, in cnx.execute('Any N ORDERBY lower(N) WHERE X name N')]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	618	self.assertEqual(names, sorted(names, key=lambda x: x.lower()))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	619
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	620	def test_in_state_without_update_perm(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	621	"""check a user change in_state without having update permission on the
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	622	subject
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	623	"""
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	624	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	625	eid = cnx.execute('INSERT Affaire X: X ref "ARCT01"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	626	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	627	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	628	# needed to remove rql expr granting update perm to the user
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	629	affschema = self.schema['Affaire']
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	630	with self.temporary_permissions(Affaire={'update': affschema.get_groups('update'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	631	'read': ('users',)}):
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	632	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	633	affschema.check_perm, cnx, 'update', eid=eid)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	634	aff = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	635	aff.cw_adapt_to('IWorkflowable').fire_transition('abort')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	636	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	637	# though changing a user state (even logged user) is reserved to managers
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	638	user = cnx.user
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	639	# XXX wether it should raise Unauthorized or ValidationError is not clear
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	640	# the best would probably ValidationError if the transition doesn't exist
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	641	# from the current state but Unauthorized if it exists but user can't pass it
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	642	self.assertRaises(ValidationError,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	643	user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	644
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	645	def test_trinfo_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	646	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	647	aff = cnx.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	648	iworkflowable = aff.cw_adapt_to('IWorkflowable')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	649	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	650	iworkflowable.fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	651	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	652	# can change tr info comment
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	653	cnx.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	654	{'c': u'bouh!'})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	655	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	656	aff.cw_clear_relation_cache('wf_info_for', 'object')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	657	trinfo = iworkflowable.latest_trinfo()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	658	self.assertEqual(trinfo.comment, 'bouh!')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	659	# but not from_state/to_state
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	660	aff.cw_clear_relation_cache('wf_info_for', role='object')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	661	self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	662	'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	663	{'ti': trinfo.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	664	self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	665	'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	666	{'ti': trinfo.eid})
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	667
8161 6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8075 diff changeset	668	def test_emailaddress_security(self):
8649 8fbb2f65721e [test] precheck initial condition Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	669	# check for prexisting email adresse
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	670	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	671	if cnx.execute('Any X WHERE X is EmailAddress'):
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	672	rset = cnx.execute('Any X, U WHERE X is EmailAddress, U use_email X')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	673	msg = ['Preexisting email readable by anon found!']
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	674	tmpl = ' - "%s" used by user "%s"'
10609 e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	675	for i in range(len(rset)):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	676	email, user = rset.get_entity(i, 0), rset.get_entity(i, 1)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	677	msg.append(tmpl % (email.dc_title(), user.dc_title()))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	678	raise RuntimeError('\n'.join(msg))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	679	# actual test
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	680	cnx.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	681	cnx.execute('INSERT EmailAddress X: X address "anon", '
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	682	'U use_email X WHERE U login "anon"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	683	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	684	self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 2)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	685	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	686	self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 1)
8161 6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8075 diff changeset	687
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	688	if __name__ == '__main__':
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	689	unittest_main()

author	Denis Laxalde <denis.laxalde@logilab.fr>
	Fri, 05 Apr 2019 17:58:19 +0200
changeset 12567	26744ad37953
parent 12496	ad995a9905f9
permissions	-rw-r--r--