cubicweb: cubicweb/server/test/unittest_security.py@2dd0dcb2e5f9 (annotated)

11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	1	# copyright 2003-2016 LOGILAB S.A. (Paris, FRANCE), all rights reserved.
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	2	# contact http://www.logilab.fr/ -- mailto:contact@logilab.fr
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	3	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	4	# This file is part of CubicWeb.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	5	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	6	# CubicWeb is free software: you can redistribute it and/or modify it under the
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	7	# terms of the GNU Lesser General Public License as published by the Free
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	8	# Software Foundation, either version 2.1 of the License, or (at your option)
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	9	# any later version.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	10	#
5424 8ecbcbff9777 replace logilab-common by CubicWeb in disclaimer Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5421 diff changeset	11	# CubicWeb is distributed in the hope that it will be useful, but WITHOUT
5421 8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	12	# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	13	# FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	14	# details.
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	15	#
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	16	# You should have received a copy of the GNU Lesser General Public License along
8167de96c523 proper licensing information (LGPL-2.1). Hope I get it right this time. Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5419 diff changeset	17	# with CubicWeb. If not, see <http://www.gnu.org/licenses/>.
5886 00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	18	"""functional tests for server'security"""
00a78298d30d cleanups Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5426 diff changeset	19
10609 e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	20	from six.moves import range
e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	21
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	22	from logilab.common.testlib import unittest_main
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	23
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	24	from cubicweb.devtools.testlib import CubicWebTC
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	25	from cubicweb import Unauthorized, ValidationError, QueryError, Binary
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	26	from cubicweb.schema import ERQLExpression
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	27	from cubicweb.server.querier import get_local_checks, check_relations_read_access
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	28	from cubicweb.server.utils import _CRYPTO_CTX
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	29
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	30
2773 b2530e3e0afb [testlib] #345052 and #344207: major test lib refactoring/cleanup + update usage Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2608 diff changeset	31	class BaseSecurityTC(CubicWebTC):
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	32
7072 bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	33	def setup_database(self):
bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	34	super(BaseSecurityTC, self).setup_database()
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	35	with self.admin_access.client_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	36	self.create_user(cnx, u'iaminusersgrouponly')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	37	hash = _CRYPTO_CTX.encrypt('oldpassword', scheme='des_crypt')
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	38	self.create_user(cnx, u'oldpassword', password=Binary(hash.encode('ascii')))
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	39
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	40
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	41	class LowLevelSecurityFunctionTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	42
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	43	def test_check_relation_read_access(self):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	44	rql = u'Personne U WHERE U nom "managers"'
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	45	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	46	nom = self.repo.schema['Personne'].rdef('nom')
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	47	with self.temporary_permissions((nom, {'read': ('users', 'managers')})):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	48	with self.admin_access.repo_cnx() as cnx:
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	49	self.repo.vreg.solutions(cnx, rqlst, None)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	50	check_relations_read_access(cnx, rqlst, {})
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	51	with self.new_access(u'anon').repo_cnx() as cnx:
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	52	self.assertRaises(Unauthorized,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	53	check_relations_read_access,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	54	cnx, rqlst, {})
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	55	self.assertRaises(Unauthorized, cnx.execute, rql)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	56
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	57	def test_get_local_checks(self):
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	58	rql = u'Personne U WHERE U nom "managers"'
3252 c0e10da6f1cf tests update Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2920 diff changeset	59	rqlst = self.repo.vreg.rqlhelper.parse(rql).children[0]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	60	with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	61	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	62	self.repo.vreg.solutions(cnx, rqlst, None)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	63	solution = rqlst.solutions[0]
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	64	localchecks = get_local_checks(cnx, rqlst, solution)
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	65	self.assertEqual({}, localchecks)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	66	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	67	self.assertRaises(Unauthorized,
9954 79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	68	get_local_checks,
79d34ba48612 [CWEP002] refactor rql read security checking Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 9782 diff changeset	69	cnx, rqlst, solution)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	70	self.assertRaises(Unauthorized, cnx.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	71
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	72	def test_upassword_not_selectable(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	73	with self.admin_access.repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	74	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	75	cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	76	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	77	self.assertRaises(Unauthorized,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	78	cnx.execute, 'Any X,P WHERE X is CWUser, X upassword P')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	79
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	80	def test_update_password(self):
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	81	"""Ensure that if a user's password is stored with a deprecated hash,
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	82	it will be updated on next login
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	83	"""
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	84	with self.repo.internal_cnx() as cnx:
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	85	oldhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	86	"WHERE cw_login = 'oldpassword'").fetchone()[0]
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	87	oldhash = self.repo.system_source.binary_to_str(oldhash)
12044 70bb46dfa87b [repo] Drop repo.new_session method Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12027 diff changeset	88	self.repo.authenticate_user(cnx, 'oldpassword', password='oldpassword')
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	89	newhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser "
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	90	"WHERE cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	91	newhash = self.repo.system_source.binary_to_str(newhash)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	92	self.assertNotEqual(oldhash, newhash)
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	93	self.assertTrue(newhash.startswith(b'$6$'))
12044 70bb46dfa87b [repo] Drop repo.new_session method Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12027 diff changeset	94	self.repo.authenticate_user(cnx, 'oldpassword', password='oldpassword')
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	95	newnewhash = cnx.system_sql("SELECT cw_upassword FROM cw_CWUser WHERE "
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	96	"cw_login = 'oldpassword'").fetchone()[0]
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	97	newnewhash = self.repo.system_source.binary_to_str(newnewhash)
c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	98	self.assertEqual(newhash, newnewhash)
8546 3d2038d6f20d [sources/native] automatically update passwords using deprecated hashes on login Julien Cristau <julien.cristau@logilab.fr> parents: 8488 diff changeset	99
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	100
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	101	class SecurityRewritingTC(BaseSecurityTC):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	102	def hijack_source_execute(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	103	def syntax_tree_search(args, *kwargs):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	104	self.query = (args, kwargs)
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	105	return []
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	106	self.repo.system_source.syntax_tree_search = syntax_tree_search
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	107
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	108	def tearDown(self):
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	109	self.repo.system_source.__dict__.pop('syntax_tree_search', None)
7072 bcf96f2a4c5d [test] properly close connections Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 6410 diff changeset	110	super(SecurityRewritingTC, self).tearDown()
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	111
3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	112	def test_not_relation_read_security(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	113	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
11699 b48020a80dc3 Store user groups and properties as session data Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11348 diff changeset	114	cnx.user.groups # fill the cache before screwing syntax_tree_search
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	115	self.hijack_source_execute()
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	116	cnx.execute('Any U WHERE NOT A todo_by U, A is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	117	self.assertEqual(self.query[0][1].as_string(),
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	118	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	119	cnx.execute('Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	120	self.assertEqual(self.query[0][1].as_string(),
11348 70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	121	'Any U WHERE NOT EXISTS(A todo_by U), A is Affaire')
70337ad23145 pep8 + docstrings and comments improvments Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 11195 diff changeset	122
5888 3ee80d487f11 [security] fix read rql expression insertion: we should not insert rql expr on variables only referenced in neged relation Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 5886 diff changeset	123
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	124	class SecurityTC(BaseSecurityTC):
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	125
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	126	def setUp(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	127	super(SecurityTC, self).setUp()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	128	# implicitly test manager can add some entities
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	129	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	130	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	131	cnx.execute("INSERT Societe X: X nom 'logilab'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	132	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	133	cnx.execute('INSERT CWGroup X: X name "staff"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	134	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	135
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	136	def test_insert_security(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	137	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	138	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	139	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	140	self.assertEqual(cnx.execute('Personne X').rowcount, 1)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	141
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	142	def test_insert_security_2(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	143	with self.new_access(u'anon').repo_cnx() as cnx:
10158 efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	144	cnx.execute("INSERT Affaire X")
efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	145	self.assertRaises(Unauthorized, cnx.commit)
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	146	# anon has no read permission on Affaire entities, so
85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	147	# rowcount == 0
10158 efc8645ece43 [server/test] convert new test to 3.19 API Julien Cristau <julien.cristau@logilab.fr> parents: 10156 diff changeset	148	self.assertEqual(cnx.execute('Affaire X').rowcount, 0)
10153 85cbf16fbb57 [security] Test case and fix for an INSERT security hole Julien Cristau <julien.cristau@logilab.fr> parents: 9981 diff changeset	149
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	150	def test_insert_rql_permission(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	151	# test user can only add une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	152	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	153	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	154	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	155	# test nothing has actually been inserted
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	156	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	157	self.assertEqual(cnx.execute('Affaire X').rowcount, 1)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	158	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	159	cnx.execute("INSERT Affaire X: X sujet 'cool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	160	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	161	cnx.execute("SET A concerne S WHERE A sujet 'cool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	162	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	163
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	164	def test_update_security_1(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	165	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	166	# local security check
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	167	cnx.execute( "SET X nom 'bidulechouette' WHERE X is Personne")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	168	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	169	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	170	self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	171
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	172	def test_update_security_2(self):
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	173	with self.temporary_permissions(Personne={'read': ('users', 'managers'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	174	'add': ('guests', 'users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	175	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	176	self.assertRaises(Unauthorized, cnx.execute,
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	177	"SET X nom 'bidulechouette' WHERE X is Personne")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	178	# test nothing has actually been inserted
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	179	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	180	self.assertEqual(cnx.execute('Personne X WHERE X nom "bidulechouette"').rowcount, 0)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	181
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	182	def test_update_security_3(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	183	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	184	cnx.execute("INSERT Personne X: X nom 'biduuule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	185	cnx.execute("INSERT Societe X: X nom 'looogilab'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	186	cnx.execute("SET X travaille S WHERE X nom 'biduuule', S nom 'looogilab'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	187
10114 6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	188	def test_insert_immutable_attribute_update(self):
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	189	with self.admin_access.repo_cnx() as cnx:
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	190	cnx.create_entity('Old', name=u'Babar')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	191	cnx.commit()
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	192	# this should be equivalent
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	193	o = cnx.create_entity('Old')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	194	o.cw_set(name=u'Celeste')
6f4b4567b77d [security] check attributes: dispatch on the "add" action if entity was just created Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9984 diff changeset	195	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	196
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	197	def test_update_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	198	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	199	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	200	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	201	# test user can only update une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	202	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	203	cnx.execute("SET X sujet 'pascool' WHERE X is Affaire")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	204	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	205	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	206	# to actually get Unauthorized exception, try to update an entity we can read
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	207	cnx.execute("SET X nom 'toto' WHERE X is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	208	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	209	cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	210	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	211	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	212	cnx.execute("SET X sujet 'habahsicestcool' WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	213	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	214
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	215	def test_delete_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	216	# FIXME: sample below fails because we don't detect "owner" can't delete
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	217	# user anyway, and since no user with login == 'bidule' exists, no
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	218	# exception is raised
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	219	#user._groups = {'guests':1}
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	220	#self.assertRaises(Unauthorized,
1398 5fe84a5f7035 rename internal entity types to have CW prefix instead of E sylvain.thenault@logilab.fr parents: 389 diff changeset	221	# self.o.execute, user, "DELETE CWUser X WHERE X login 'bidule'")
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	222	# check local security
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	223	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	224	self.assertRaises(Unauthorized, cnx.execute, "DELETE CWGroup Y WHERE Y name 'staff'")
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	225
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	226	def test_delete_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	227	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	228	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	229	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	230	# test user can only dele une affaire related to a societe he owns
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	231	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	232	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	233	cnx.execute("DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	234	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	235	# to actually get Unauthorized exception, try to delete an entity we can read
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	236	self.assertRaises(Unauthorized, cnx.execute, "DELETE Societe S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	237	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	238	cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	239	cnx.execute("INSERT Affaire X: X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	240	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	241	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	242	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	243	## # this one should fail since it will try to delete two affaires, one authorized
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	244	## # and the other not
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	245	## self.assertRaises(Unauthorized, cnx.execute, "DELETE Affaire X")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	246	cnx.execute("DELETE Affaire X WHERE X sujet 'pascool'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	247	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	248
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	249	def test_insert_relation_rql_permission(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	250	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	251	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	252	# should raise Unauthorized since user don't own S though this won't
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	253	# actually do anything since the selection query won't return
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	254	# anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	255	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	256	# to actually get Unauthorized exception, try to insert a relation
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	257	# were we can read both entities
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	258	rset = cnx.execute('Personne P')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	259	self.assertEqual(len(rset), 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	260	ent = rset.get_entity(0, 0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	261	self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	262	self.assertRaises(Unauthorized, ent.cw_check_perm, 'update')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	263	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	264	cnx.execute, "SET P travaille S WHERE P is Personne, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	265	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	266	cnx.rollback()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	267	# test nothing has actually been inserted:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	268	self.assertFalse(cnx.execute('Any P,S WHERE P travaille S,P is Personne, S is Societe'))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	269	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	270	cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	271	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	272
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	273	def test_delete_relation_rql_permission(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	274	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	275	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	276	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	277	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	278	# this won't actually do anything since the selection query won't return anything
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	279	cnx.execute("DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	280	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	281	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	282	# to actually get Unauthorized exception, try to delete a relation we can read
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	283	eid = cnx.execute("INSERT Affaire X: X sujet 'pascool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	284	cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	285	{'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	286	cnx.execute("SET A concerne S WHERE A sujet 'pascool', S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	287	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	288	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	289	self.assertRaises(Unauthorized, cnx.execute, "DELETE A concerne S")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	290	self.assertRaises(QueryError, cnx.commit) # can't commit anymore
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	291	cnx.rollback()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	292	cnx.execute("INSERT Societe X: X nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	293	cnx.execute("SET A concerne S WHERE A is Affaire, S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	294	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	295	cnx.execute("DELETE A concerne S WHERE S nom 'chouette'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	296	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	297
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	298
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	299	def test_user_can_change_its_upassword(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	300	with self.admin_access.repo_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	301	ueid = self.create_user(cnx, u'user').eid
131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	302	with self.new_access(u'user').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	303	cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	304	{'x': ueid, 'passwd': b'newpwd'})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	305	cnx.commit()
12044 70bb46dfa87b [repo] Drop repo.new_session method Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12027 diff changeset	306	with self.repo.internal_cnx() as cnx:
70bb46dfa87b [repo] Drop repo.new_session method Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12027 diff changeset	307	self.repo.authenticate_user(cnx, 'user', password='newpwd')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	308
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	309	def test_user_cant_change_other_upassword(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	310	with self.admin_access.repo_cnx() as cnx:
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	311	ueid = self.create_user(cnx, u'otheruser').eid
131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	312	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	313	cnx.execute('SET X upassword %(passwd)s WHERE X eid %(x)s',
10769 c45f4bcff3aa [server] fix unittest_security for py3k Julien Cristau <julien.cristau@logilab.fr> parents: 10609 diff changeset	314	{'x': ueid, 'passwd': b'newpwd'})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	315	self.assertRaises(Unauthorized, cnx.commit)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	316
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	317	# read security test
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	318
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	319	def test_read_base(self):
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	320	with self.temporary_permissions(Personne={'read': ('users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	321	with self.new_access(u'anon').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	322	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	323	cnx.execute, 'Personne U where U nom "managers"')
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	324
321 247947250382 fix security bug w/ query using 'NOT X eid 123' Sylvain Thenault <sylvain.thenault@logilab.fr> parents: 0 diff changeset	325	def test_read_erqlexpr_base(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	326	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	327	eid = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	328	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	329	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	330	rset = cnx.execute('Affaire X')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	331	self.assertEqual(rset.rows, [])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	332	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	333	# cache test
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	334	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	335	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	336	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	337	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	338	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	339	rset = cnx.execute('Any X WHERE X eid %(x)s', {'x': aff2})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	340	self.assertEqual(rset.rows, [[aff2]])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	341	# more cache test w/ NOT eid
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	342	rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': eid})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	343	self.assertEqual(rset.rows, [[aff2]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	344	rset = cnx.execute('Affaire X WHERE NOT X eid %(x)s', {'x': aff2})
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	345	self.assertEqual(rset.rows, [])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	346	# test can't update an attribute of an entity that can't be readen
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	347	self.assertRaises(Unauthorized, cnx.execute,
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	348	'SET X sujet "hacked" WHERE X eid %(x)s', {'x': eid})
4765 c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	349
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	350
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	351	def test_entity_created_in_transaction(self):
c33d12865641 more tests Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 4711 diff changeset	352	affschema = self.schema['Affaire']
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	353	with self.temporary_permissions(Affaire={'read': affschema.permissions['add']}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	354	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	355	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	356	# entity created in transaction are readable by eid
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	357	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	358	# XXX would be nice if it worked
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	359	rset = cnx.execute("Affaire X WHERE X sujet 'cool'")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	360	self.assertEqual(len(rset), 0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	361	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	362
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	363	def test_read_erqlexpr_has_text1(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	364	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	365	aff1 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	366	card1 = cnx.execute("INSERT Card X: X title 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	367	cnx.execute('SET X owned_by U WHERE X eid %(x)s, U login "iaminusersgrouponly"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	368	{'x': card1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	369	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	370	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	371	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	372	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	373	cnx.execute("SET A concerne S WHERE A eid %(a)s, S eid %(s)s", {'a': aff2, 's': soc1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	374	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	375	self.assertRaises(Unauthorized, cnx.execute, 'Any X WHERE X eid %(x)s', {'x':aff1})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	376	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':aff2}))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	377	self.assertTrue(cnx.execute('Any X WHERE X eid %(x)s', {'x':card1}))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	378	rset = cnx.execute("Any X WHERE X has_text 'cool'")
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	379	self.assertEqual(sorted(eid for eid, in rset.rows),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	380	[card1, aff2])
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	381
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	382	def test_read_erqlexpr_has_text2(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	383	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	384	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	385	cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	386	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	387	with self.temporary_permissions(Personne={'read': ('managers',)}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	388	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	389	rset = cnx.execute('Any N WHERE N has_text "bidule"')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	390	self.assertEqual(len(rset.rows), 1, rset.rows)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	391	rset = cnx.execute('Any N WITH N BEING (Any N WHERE N has_text "bidule")')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	392	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	393
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	394	def test_read_erqlexpr_optional_rel(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	395	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	396	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	397	cnx.execute("INSERT Societe X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	398	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	399	with self.temporary_permissions(Personne={'read': ('managers',)}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	400	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	401	rset = cnx.execute('Any N,U WHERE N has_text "bidule", N owned_by U?')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	402	self.assertEqual(len(rset.rows), 1, rset.rows)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	403
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	404	def test_read_erqlexpr_aggregat(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	405	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	406	cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	407	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	408	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	409	rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	410	self.assertEqual(rset.rows, [[0]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	411	aff2 = cnx.execute("INSERT Affaire X: X sujet 'cool'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	412	soc1 = cnx.execute("INSERT Societe X: X nom 'chouette'")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	413	cnx.execute("SET A concerne S WHERE A is Affaire, S is Societe")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	414	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	415	rset = cnx.execute('Any COUNT(X) WHERE X is Affaire')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	416	self.assertEqual(rset.rows, [[1]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	417	rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	418	values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	419	self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	420	self.assertEqual(values['Societe'], 2)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	421	rset = cnx.execute('Any ETN, COUNT(X) GROUPBY ETN WHERE X is ET, ET name ETN '
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	422	'WITH X BEING ((Affaire X) UNION (Societe X))')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	423	self.assertEqual(len(rset), 2)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	424	values = dict(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	425	self.assertEqual(values['Affaire'], 1)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	426	self.assertEqual(values['Societe'], 2)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	427
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	428
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	429	def test_attribute_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	430	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	431	# only managers should be able to edit the 'test' attribute of Personne entities
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	432	eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	433	"X web 'http://www.debian.org', X test TRUE")[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	434	cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	435	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	436	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	437	cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	438	"X web 'http://www.debian.org', X test TRUE")
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	439	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	440	cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	441	"X web 'http://www.debian.org', X test FALSE")
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	442	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	443	eid = cnx.execute("INSERT Personne X: X nom 'bidule', "
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	444	"X web 'http://www.debian.org'")[0][0]
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	445	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	446	cnx.execute('SET X test FALSE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	447	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	448	cnx.execute('SET X test TRUE WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	449	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	450	cnx.execute('SET X web "http://www.logilab.org" WHERE X eid %(x)s', {'x': eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	451	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	452	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	453	cnx.execute('INSERT Frozable F: F name "Foo"')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	454	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	455	cnx.execute('SET F name "Bar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	456	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	457	cnx.execute('SET F name "BaBar" WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	458	cnx.execute('SET F frozen True WHERE F is Frozable')
9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	459	with self.assertRaises(Unauthorized):
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	460	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	461	cnx.rollback()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	462	cnx.execute('SET F frozen True WHERE F is Frozable')
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	463	cnx.commit()
793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	464	cnx.execute('SET F name "Bar" WHERE F is Frozable')
9981 7099bbd685aa [hooks/security] allow edition of attributes with permissive permissions Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	465	with self.assertRaises(Unauthorized):
9984 793377697c81 merge 3.18.6 into 3.19 Julien Cristau <julien.cristau@logilab.fr> parents: 9782 9981 diff changeset	466	cnx.commit()
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	467
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	468	def test_attribute_security_rqlexpr(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	469	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	470	# Note.para attribute editable by managers or if the note is in "todo" state
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	471	note = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	472	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	473	note.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	474	cnx.execute('SET X para "truc" WHERE X eid %(x)s', {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	475	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	476	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	477	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	478	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	479	note2 = cnx.execute("INSERT Note X: X para 'bidule'").get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	480	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	481	note2.cw_adapt_to('IWorkflowable').fire_transition('markasdone')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	482	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	483	self.assertEqual(len(cnx.execute('Any X WHERE X in_state S, S name "todo", X eid %(x)s',
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	484	{'x': note2.eid})),
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	485	0)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	486	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	487	self.assertRaises(Unauthorized, cnx.commit)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	488	note2.cw_adapt_to('IWorkflowable').fire_transition('redoit')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	489	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	490	cnx.execute("SET X para 'chouette' WHERE X eid %(x)s", {'x': note2.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	491	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	492	cnx.execute("INSERT Note X: X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	493	self.assertRaises(Unauthorized, cnx.commit)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	494	cnx.execute("INSERT Note X: X para 'zogzog', X something 'A'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	495	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	496	note = cnx.execute("INSERT Note X").get_entity(0,0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	497	cnx.commit()
9395 96dba2efd16d [hooks/security] provide attribute "add" permission Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8694 diff changeset	498	note.cw_set(something=u'B')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	499	cnx.commit()
9395 96dba2efd16d [hooks/security] provide attribute "add" permission Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 8694 diff changeset	500	note.cw_set(something=None, para=u'zogzog')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	501	cnx.commit()
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	502
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	503	def test_attribute_read_security(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	504	# anon not allowed to see users'login, but they can see users
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	505	login_rdef = self.repo.schema['CWUser'].rdef('login')
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	506	with self.temporary_permissions((login_rdef, {'read': ('users', 'managers')}),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	507	CWUser={'read': ('guests', 'users', 'managers')}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	508	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	509	rset = cnx.execute('CWUser X')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	510	self.assertTrue(rset)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	511	x = rset.get_entity(0, 0)
10463 9add9b7f9df7 [server/test] fix random error in unittest_security Julien Cristau <julien.cristau@logilab.fr> parents: 10249 diff changeset	512	x.complete()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	513	self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	514	self.assertTrue(x.creation_date)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	515	x = rset.get_entity(1, 0)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	516	x.complete()
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	517	self.assertEqual(x.login, None)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	518	self.assertTrue(x.creation_date)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	519
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	520	def test_yams_inheritance_and_security_bug(self):
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	521	with self.temporary_permissions(Division={'read': ('managers',
b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	522	ERQLExpression('X owned_by U'))}):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	523	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
12060 0cdf5fafd234 [repo] Extract rql cache handling to a dedicated class Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12044 diff changeset	524	rqlst = self.repo.vreg.rqlhelper.parse('Any X WHERE X is_instance_of Societe')
0cdf5fafd234 [repo] Extract rql cache handling to a dedicated class Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 12044 diff changeset	525	self.repo.vreg.solutions(cnx, rqlst, {})
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	526	querier = cnx.repo.querier
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	527	querier._annotate(rqlst)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	528	plan = querier.plan_factory(rqlst, {}, cnx)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	529	plan.preprocess(rqlst)
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	530	self.assertEqual(
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	531	rqlst.as_string(),
10249 e38b8d37c5d8 [rqlrewrite] sort possible types when turning is_instance_of into is Julien Cristau <julien.cristau@logilab.fr> parents: 10248 diff changeset	532	'(Any X WHERE X is IN(Societe, SubDivision)) UNION '
9777 b2e47617a94e [tests/security] break lines > 100 chars Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9586 diff changeset	533	'(Any X WHERE X is Division, EXISTS(X owned_by %(B)s))')
8452 1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	534
1ad42383a9ec [rql security] fix rql bug when using yams inheritance and read permissions (closes #2410156) Florent Cayré <florent.cayre@logilab.fr> parents: 8075 diff changeset	535
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	536	class BaseSchemaSecurityTC(BaseSecurityTC):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	537	"""tests related to the base schema permission configuration"""
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	538
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	539	def test_user_can_delete_object_he_created(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	540	# even if some other user have changed object'state
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	541	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	542	# due to security test, affaire has to concerne a societe the user owns
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	543	cnx.execute('INSERT Societe X: X nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	544	cnx.execute('INSERT Affaire X: X ref "ARCT01", X concerne S WHERE S nom "ARCTIA"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	545	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	546	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	547	affaire = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	548	affaire.cw_adapt_to('IWorkflowable').fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	549	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	550	self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01"')),
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	551	1)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	552	self.assertEqual(len(cnx.execute('TrInfo X WHERE X wf_info_for A, A ref "ARCT01",'
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	553	'X owned_by U, U login "admin"')),
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	554	1) # TrInfo at the above state change
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	555	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	556	cnx.execute('DELETE Affaire X WHERE X ref "ARCT01"')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	557	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	558	self.assertFalse(cnx.execute('Affaire X'))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	559
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	560	def test_users_and_groups_non_readable_by_guests(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	561	with self.repo.internal_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	562	admineid = cnx.execute('CWUser U WHERE U login "admin"').rows[0][0]
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	563	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	564	anon = cnx.user
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	565	# anonymous user can only read itself
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	566	rset = cnx.execute('Any L WHERE X owned_by U, U login L')
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	567	self.assertEqual([['anon']], rset.rows)
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	568	rset = cnx.execute('CWUser X')
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	569	self.assertEqual([[anon.eid]], rset.rows)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	570	# anonymous user can read groups (necessary to check allowed transitions for instance)
10600 180aa08cad48 [tests] Replace use of deprecated TestCase.assert_ Rémi Cardona <remi.cardona@logilab.fr> parents: 10463 diff changeset	571	self.assertTrue(cnx.execute('CWGroup X'))
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	572	# should only be able to read the anonymous user, not another one
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	573	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	574	cnx.execute, 'CWUser X WHERE X eid %(x)s', {'x': admineid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	575	rset = cnx.execute('CWUser X WHERE X eid %(x)s', {'x': anon.eid})
8624 7e415f457155 [test] swap order in assert of `test_users_and_groups_non_readable_by_guests` Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	576	self.assertEqual([[anon.eid]], rset.rows)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	577	# but can't modify it
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	578	cnx.execute('SET X login "toto" WHERE X eid %(x)s', {'x': anon.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	579	self.assertRaises(Unauthorized, cnx.commit)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	580
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	581	def test_in_group_relation(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	582	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	583	rql = u"DELETE U in_group G WHERE U login 'admin'"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	584	self.assertRaises(Unauthorized, cnx.execute, rql)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	585	rql = u"SET U in_group G WHERE U login 'admin', G name 'users'"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	586	self.assertRaises(Unauthorized, cnx.execute, rql)
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	587
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	588	def test_owned_by(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	589	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	590	cnx.execute("INSERT Personne X: X nom 'bidule'")
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	591	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	592	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	593	rql = u"SET X owned_by U WHERE U login 'iaminusersgrouponly', X is Personne"
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	594	self.assertRaises(Unauthorized, cnx.execute, rql)
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	595
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	596	def test_bookmarked_by_guests_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	597	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	598	beid1 = cnx.execute('INSERT Bookmark B: B path "?vid=manage", B title "manage"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	599	beid2 = cnx.execute('INSERT Bookmark B: B path "?vid=index", B title "index", '
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	600	'B bookmarked_by U WHERE U login "anon"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	601	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	602	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	603	anoneid = cnx.user.eid
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	604	self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	605	'B bookmarked_by U, U eid %s' % anoneid).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	606	[['index', '?vid=index']])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	607	self.assertEqual(cnx.execute('Any T,P ORDERBY lower(T) WHERE B is Bookmark,B title T,B path P,'
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	608	'B bookmarked_by U, U eid %(x)s', {'x': anoneid}).rows,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	609	[['index', '?vid=index']])
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	610	# can read others bookmarks as well
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	611	self.assertEqual(cnx.execute('Any B where B is Bookmark, NOT B bookmarked_by U').rows,
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	612	[[beid1]])
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	613	self.assertRaises(Unauthorized, cnx.execute,'DELETE B bookmarked_by U')
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	614	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	615	cnx.execute, 'SET B bookmarked_by U WHERE U eid %(x)s, B eid %(b)s',
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	616	{'x': anoneid, 'b': beid1})
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	617
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	618	def test_ambigous_ordered(self):
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	619	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	620	names = [t for t, in cnx.execute('Any N ORDERBY lower(N) WHERE X name N')]
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	621	self.assertEqual(names, sorted(names, key=lambda x: x.lower()))
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	622
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	623	def test_in_state_without_update_perm(self):
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	624	"""check a user change in_state without having update permission on the
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	625	subject
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	626	"""
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	627	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	628	eid = cnx.execute('INSERT Affaire X: X ref "ARCT01"')[0][0]
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	629	cnx.commit()
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	630	with self.new_access(u'iaminusersgrouponly').repo_cnx() as cnx:
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	631	# needed to remove rql expr granting update perm to the user
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	632	affschema = self.schema['Affaire']
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	633	with self.temporary_permissions(Affaire={'update': affschema.get_groups('update'),
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	634	'read': ('users',)}):
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	635	self.assertRaises(Unauthorized,
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	636	affschema.check_perm, cnx, 'update', eid=eid)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	637	aff = cnx.execute('Any X WHERE X ref "ARCT01"').get_entity(0, 0)
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	638	aff.cw_adapt_to('IWorkflowable').fire_transition('abort')
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	639	cnx.commit()
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	640	# though changing a user state (even logged user) is reserved to managers
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	641	user = cnx.user
8461 8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	642	# XXX wether it should raise Unauthorized or ValidationError is not clear
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	643	# the best would probably ValidationError if the transition doesn't exist
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	644	# from the current state but Unauthorized if it exists but user can't pass it
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	645	self.assertRaises(ValidationError,
8af7c6d86efb [test] update server security test using login and new temporary_permissions context managers Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8452 diff changeset	646	user.cw_adapt_to('IWorkflowable').fire_transition, 'deactivate')
1802 d628defebc17 delete-trailing-whitespace + some copyright update Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: 1398 diff changeset	647
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	648	def test_trinfo_security(self):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	649	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	650	aff = cnx.execute('INSERT Affaire X: X ref "ARCT01"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	651	iworkflowable = aff.cw_adapt_to('IWorkflowable')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	652	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	653	iworkflowable.fire_transition('abort')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	654	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	655	# can change tr info comment
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	656	cnx.execute('SET TI comment %(c)s WHERE TI wf_info_for X, X ref "ARCT01"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	657	{'c': u'bouh!'})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	658	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	659	aff.cw_clear_relation_cache('wf_info_for', 'object')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	660	trinfo = iworkflowable.latest_trinfo()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	661	self.assertEqual(trinfo.comment, 'bouh!')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	662	# but not from_state/to_state
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	663	aff.cw_clear_relation_cache('wf_info_for', role='object')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	664	self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	665	'SET TI from_state S WHERE TI eid %(ti)s, S name "ben non"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	666	{'ti': trinfo.eid})
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	667	self.assertRaises(Unauthorized, cnx.execute,
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	668	'SET TI to_state S WHERE TI eid %(ti)s, S name "pitetre"',
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	669	{'ti': trinfo.eid})
2501 fa86d99c2c3a test and fix wf history security Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 2500 diff changeset	670
8161 6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8075 diff changeset	671	def test_emailaddress_security(self):
8649 8fbb2f65721e [test] precheck initial condition Pierre-Yves David <pierre-yves.david@logilab.fr> parents: 8546 diff changeset	672	# check for prexisting email adresse
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	673	with self.admin_access.repo_cnx() as cnx:
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	674	if cnx.execute('Any X WHERE X is EmailAddress'):
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	675	rset = cnx.execute('Any X, U WHERE X is EmailAddress, U use_email X')
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	676	msg = ['Preexisting email readable by anon found!']
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	677	tmpl = ' - "%s" used by user "%s"'
10609 e2d8e81bfe68 [py3k] import range using six.moves Rémi Cardona <remi.cardona@logilab.fr> parents: 10600 diff changeset	678	for i in range(len(rset)):
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	679	email, user = rset.get_entity(i, 0), rset.get_entity(i, 1)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	680	msg.append(tmpl % (email.dc_title(), user.dc_title()))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	681	raise RuntimeError('\n'.join(msg))
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	682	# actual test
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	683	cnx.execute('INSERT EmailAddress X: X address "hop"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	684	cnx.execute('INSERT EmailAddress X: X address "anon", '
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	685	'U use_email X WHERE U login "anon"').get_entity(0, 0)
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	686	cnx.commit()
95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	687	self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 2)
10248 131275d6c268 [server/test] use unicode strings for user logins Julien Cristau <julien.cristau@logilab.fr> parents: 10161 diff changeset	688	with self.new_access(u'anon').repo_cnx() as cnx:
9782 95e8fa2c8da8 [tests/security] use the new connection api Aurelien Campeas <aurelien.campeas@logilab.fr> parents: 9777 diff changeset	689	self.assertEqual(len(cnx.execute('Any X WHERE X is EmailAddress')), 1)
8161 6f4229eb8178 [test] fix test broken by 8158:2ee254e74382 and add a test for that change Sylvain Thénault <sylvain.thenault@logilab.fr> parents: 8075 diff changeset	690
0 b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	691	if __name__ == '__main__':
b97547f5f1fa Showtime ! Adrien Di Mascio <Adrien.DiMascio@logilab.fr> parents: diff changeset	692	unittest_main()

author	Sylvain Thénault <sylvain.thenault@logilab.fr>
	Fri, 03 Nov 2017 16:31:59 +0100
changeset 12237	2dd0dcb2e5f9
parent 12060	0cdf5fafd234
child 12496	ad995a9905f9
permissions	-rw-r--r--